AWS Prescriptive Guidance
Patterns

Deploy Sophos web proxy UTM and Outbound Gateway on AWS

R Type :ReHost

source :Security

target :Sophos web proxy UTM on AWS

tags :amazon ebs, amazon ec2, amazon vpc, auto scaling, firewall, intrusion prevention, web filtering, fault tolerance, policy enforcement, scalability

Summary

Amazon Elastic Compute Cloud (Amazon EC2) instances often require access to external resources, such as software repositories and web services. Many organizations require restricting internet connections to authorized websites. Web filtering proxies are commonly used to enforce web policies for internet access. 

This pattern uses the Sophos Unified Threat Management (UTM) virtual appliance, which is available in AWS Marketplace, to provide a transparent outbound proxy for EC2 instances. Alternative web proxy solutions may use open-source solutions such as Squid or Apache Traffic Server, which are beyond the scope of this pattern. 

Sophos UTM provides multiple security functions, including firewall, intrusion prevention system (IPS), virtual private network (VPN), and web filtering. Sophos Outbound Gateway provides a distributed, fault-tolerant architecture to provide visibility, policy enforcement, and elastic scalability to outbound web traffic. 

This pattern provides guidance for one use case: allowing AWS API calls from a virtual private cloud (VPC). This pattern does not cover general installation and software configuration tasks for Sophos UTM. For general guidance and best practices, consult the Sophos UTM on AWS Administration Guide

This pattern uses the following Sophos software: 

  • Sophos UTM 9 virtual appliance – Sophos UTM is a security platform that helps you secure your infrastructure in AWS. Sophos UTM provides multiple security tools, such as Next-Gen Firewall (NGFW), Web Application Firewall (WAF), Intrusion Prevention System (IPS), and Advanced Threat Protection (ATP).  

  • Sophos UTM Controller (Queen) – The Controller is a UTM instance that provides administrative control and configuration management for UTM Workers.  

  • Sophos UTM Workers – The UTM Workers terminate the Generic Routing Encapsulation (GRE) tunnels from the Outbound Gateways and proxy the traffic to the destination based on the policy configured within the Controller.  

  • Sophos Outbound Gateway (OGW) on AWS – The OGW is an instance that resides within an Availability Zone where clients need to connect out through the proxy.  

This pattern leverages the AWS Quick Start that was developed by Sophos in collaboration with AWS. Sophos is an AWS APN Partner

Assumptions and Prerequisites

Prerequisites

  • Determine the licensing model you want to use for Sophos UTM. Available options are hourly and Bring Your Own License Model (BYOL). If you’re using the BYOL option, you’ll need your license file.

  • Confirm that you have an active AWS account, and that your account limits allow you to provision two VPCs and one Elastic IP address.

  • Identify the CIDR ranges you want to use for the proxy and application VPCs and subnets.

  • In order to administer the Sophos UTM, you will need access to TCP port 4444 from your browser.

Outbound proxy solution considerations

Although outbound proxy solutions are widely used, there are implications that you should consider before you implement proxies in your architecture. The Sophos web filtering engine operates in transparent or standard mode. Regardless of the deployment mode, your client applications either need to support the Server Name Indicator (SNI) specification to securely access Secure Sockets Layer / Transport Layer Security (SSL/TLS) endpoints, or you will need to employ SSL decryption and distribute the signing certificate authority (CA) to your clients, as discussed in the Sophos Knowledge Base article. Additionally in standard mode, your client applications will need to be “proxy aware” and explicitly direct requests through the Sophos Outbound Gateway. Sophos provides additional options to control traffic, such as the ability to bypass filtering by source or destination IP. To learn more about this and other considerations, see the Sophos UTM Administration Guide.

Architecture

Source technology stack

  • On-premises Sophos web proxy UTM

Target technology stack

  • Sophos web proxy UTM on AWS 

Source and target architecture

This is a simple software relocation from an on-premises data center host to an EC2 instance. The following diagram shows how the Sophos Outbound Gateway uses GRE to tunnel outbound network traffic between VPCs. 

The following diagram provides a detailed view of the architecture on AWS. This pattern uses a highly available architecture that includes a Sophos UTM Controller, Sophos UTM Workers, and Sophos Outbound Gateways on AWS. In total, it deploys seven instances, including one Controller, two Workers in an Auto Scaling group, two Outbound Gateways, one bastion host, and one client test EC2 instance. To centralize the proxy service for the clients, the Controller and Workers are deployed into a dedicated VPC. 

This pattern utilizes one additional application VPC for proxy clients. The Outbound Gateway on AWS is also deployed into the application VPC to support the connections from the clients. Finally, the bastion host and tester instances are deployed into the application VPC. You can use these instances to test and become familiar with the outbound web proxy functionality. 

Tools Used

Epics

Assess and deploy the Quick Start

Tasks

Title Description Skills Predecessor
Launch the Quick Start, if it meets your needs. See the Quick Start deployment guide (see the References and Help section) for any pre-deployment instructions, and then launch the Quick Start from the link provided.
Customize and launch the Quick Start, if you have additional requirements. Download the AWS CloudFormation templates from the GitHub repository (see the References and Help section), modify them to meet your needs, and launch the customized templates.
Validate the deployment. See the Quick Start deployment guide for any post-deployment and testing instructions.

References and Help

References

Sophos

 AWS Quick Starts

Contact and help

Pattern Library Support: aws-mpl@amazon.com