Overview and Deployment Guide. Sophos UTM on AWS




Document date: November 2014

Sophos UTM and AWS

Contents
1 Amazon Web Services ... 4
1.1 AMI (Amazon Machine Image) ... 4
1.2 EC2 Instance ... 4
1.3 VPC ... 5
1.4 AWS Regions ... 5
2 AWS Shared Security Model ... 6
3 Sophos UTM on AWS ... 6
UTM on AWS Common Use Cases ... 6
3.1 Web Server Protection ... 6
3.2 Augment or Replace AWS Firewall and Provide Detailed Reporting ... 7
3.3 Intrusion Prevention System ... 8
3.4 Remote VPN User Connectivity ... 9
3.5 Branch Office Connectivity using RED ... 9
3.6 Content Filtering for AWS Workspaces Virtual Desktops ... 10
3.7 Secure VPC to VPC Connectivity ... 10
3.8 Securely extend physical office to AWS Cloud ... 11
4 Launching a UTM AMI on AWS ... 11
Launch a UTM via AWS Marketplace ... 11
4.1 Choose a Sophos AMI from the Marketplace ... 12
4.1.1 Sophos UTM BYOL (Bring Your Own License) AMI ... 12
4.1.2 Sophos UTM Hourly AMI ... 12
4.2 Licensing Differences ... 13
4.3 Sizing a UTM for your AWS Environment ... 13
4.4 Choosing an AWS Instance Type ... 14
4.5 Launch a UTM AMI as standalone or into a VPC ... 15
4.6 Choose Region ... 16
Launch a UTM via AWS Management Console ... 16
5 Common Deployment Examples ... 18
5.1 UTM with Single Interface Protecting Multiple VPC Subnets ... 18
5.1.1 VPC Wizard ... 18
5.1.2 Launch EC2 Instances ... 19
5.1.3 Terminate the NAT Instance ... 20
5.1.4 Change the Source/Destination Check setting ... 20
5.1.5 Assign an Elastic IP to the UTM ... 20
5.1.6 Modify VPC Route Tables ... 21
5.2 UTM with Interfaces in Multiple Subnets ... 22
5.3 UTM used to connect multiple VPCs ... 22
6 Advanced Deployment Options ... 23
CloudFormation ... 23
UserData Field ... 23
Avoiding Single Point of Failure ... 24
7 Resources ... 24
8 Legal notices ... 25

1 Amazon Web Services

Amazon Web Services is a collection of remote computing and web services that together make up the Amazon cloud computing platform. The services currently offered cover Storage & Content Delivery, Database, Mobile Services, Analytics, App Services, Deployment and Management, and Compute & Networking. Together these services give businesses a way to reduce the time and effort associated with deploying business applications, and provide a highly secure, scalable, flexible and redundant computing platform. These services, along with the AWS pay-as-you-go pricing model, let businesses replace up-front capital infrastructure investments with variable operating costs and dramatically decrease the time and effort associated with deployment.

Discussion of all the available AWS services is outside the scope of this document. Instead we'll focus on those services and terms that relate to common Sophos UTM deployments.

1.1 AMI (Amazon Machine Image)

An AMI is a special type of virtual appliance used in AWS. An AMI contains the information needed to launch an EC2 Instance: typically an operating system, launch permissions, storage details and often some type of application software. Common AMI examples are Windows Server and Linux AMIs that provide ready-to-go operating systems, or the Sophos UTM AMI, which has a Linux OS already installed along with the UTM software. In either case these AMIs are available for general use, can be launched easily and will be ready in minutes. Custom AMIs of any type can also be created and shared, or kept private and used only by the account holder.

1.2 EC2 Instance

One of the most commonly used services in AWS is EC2 (Elastic Compute Cloud), which provides users with resizable compute capacity in the cloud. The EC2 Management Console provides the ability to launch EC2 Instances, which are virtual machines of varying compute sizes, each with different associated pricing. These virtual machine configurations are used with your AMIs and together provide a customer with most everything they need to run their applications in the cloud. Users can create, launch, change and terminate Instances as needed, and pay by the hour. EC2 also gives users control over the geographical location of their instances, which allows for latency optimization and high levels of redundancy, and helps ensure compliance with data laws.
http://aws.amazon.com/ec2/

1.3 VPC

Virtual Private Cloud (VPC) enables you to launch AWS Instances into a virtual network that you've defined and that you control. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS. This lets you launch and run EC2 Instances that are isolated from the rest of the AWS cloud community, and provides control over local routing, subnetting, IP addressing and Access Control Lists. With this type of separation and control you could, for example, configure public and private subnets and place your instances accordingly. The graphic below shows a common VPC example; note that you can increase your security by deploying a Sophos UTM in place of the NAT instance, so that all traffic going to and from the private subnet routes through the UTM and your configured security policies.
http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpc_introduction.html
http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpc_scenario2.html

1.4 AWS Regions

AWS is located in 10 geographical Regions throughout the world, and includes a separate GovCloud in the United States that is used only by the U.S. Government. Each Region is contained within a single country, and all services and data stay within that Region. Each AWS Region is comprised of multiple Availability Zones, which are distinct data centers. Availability Zones are isolated from each other to prevent outages from spreading, and certain services are designed to operate and/or replicate across Availability Zones to spread demand and to avoid downtime from failures.

2 AWS Shared Security Model

AWS provides Infrastructure as a Service (IaaS), which allows customers to build systems on top of the secure AWS cloud infrastructure. Providing such flexibility and control means that a shared security model is necessary. AWS puts great focus on securing the data centers they operate, and they provide built-in security tools to secure endpoints, encrypt data storage, and segregate customers' virtual networks and instances. They also offer additional security options such as direct connections from customer offices, dedicated hardware-based crypto key storage, and the Trusted Advisor service. The customer is then responsible for using the supplied tools to properly secure access to their environments, configure security groups, and for the security of any applications running on their EC2 Instances. Additional products are also available to further secure AWS environments and applications and to provide layered security.

3 Sophos UTM on AWS

The AWS Shared Security Model described above means that the customer must properly secure any systems or applications they install on top of the secure AWS platform, much as they would in a physical network. The Sophos UTM suite of integrated security applications allows customers to use the same Next Generation, layered protection they're used to in the real world, in the cloud. Customers can use the UTM security features we offer to protect their AWS cloud servers, secure access between AWS and remote sites or between VPCs, provide remote VPN connectivity to users, provide content filtering and protection to AWS Virtual Desktops or servers, and the UTM can even manage remote wireless networks and Endpoint agents. All this can be done from a single intuitive web interface, which runs as another instance in your AWS environment. And since our UTM is modular, customers can pick and choose the functionality they want without having to pay for UTM features they don't need.

UTM on AWS Common Use Cases

The Sophos UTM offered as a pre-built AMI is identical in features to both the UTM hardware appliances and the software ISO image that can be installed on any Intel-compatible hardware. For a full overview of the Sophos UTM capabilities please see the UTM homepage at www.sophos.com/utm. Below we've highlighted some of the most common examples of how customers are deploying the Sophos UTM on AWS.

3.1 Web Server Protection

The UTM is installed in a customer's VPC, where it protects one or more web-facing application servers via the Web Server Protection feature set. The UTM can either load balance inbound connections to multiple web servers, or an AWS Elastic Load Balancer (ELB) can be used. In either case the UTM acts as the gateway for any client requests destined for the web server or application, and provides security, protection and reporting.

3.2 Augment or Replace AWS Firewall and Provide Detailed Reporting

Amazon Web Services provides both physical security for their data centers and the ability to protect AMIs with firewall rules that block or allow specific networks and ports. While this provides a base level of protection, it may not fully fit the needs of customers that require layered protection and the ability to block higher-level exploits. The Sophos UTM firewall provides both basic firewall capabilities and detailed reporting on network security events, such as dropped packets destined for your Instances and where the attacks are coming from. The Sophos UTM can provide the visibility you need to monitor security events and troubleshoot issues, and displays information in both real-time and historical formats. Daily, weekly and monthly summary reports can be delivered automatically via email, and IPS and Advanced Threat Protection event notifications can be sent via SMTP, Syslog and SNMP for real-time alerting.

3.3 Intrusion Prevention System

As a critical component of the UTM layered protection feature set, the IPS protects servers located in a VPC behind the UTM, and reports and logs intrusion attempts. The IPS pattern database is updated automatically on a continuous basis by SophosLabs (http://www.sophos.com/en-us/threat-center/threat-analyses), which analyzes data in real time and provides pattern updates to the UTM via the up2date service. Administrators can easily protect critical application servers and use the real-time and historical reporting information to monitor intrusion attempts, privilege escalation attempts, vulnerability exploit attempts, and protocol violations.

3.4 Remote VPN User Connectivity

The Sophos UTM offers multiple remote VPN user options that support a variety of operating systems and devices. Remote users can connect securely to the UTM VPN gateway with the client of their choice, or via an HTML5 VPN portal that requires no client. Once connected to the UTM, clients can access any AWS instances they have permissions to, or even their corporate network if using the VPC connector functionality. Administrators can easily manage end-user access and view connection details in both live and historical formats.

3.5 Branch Office Connectivity using RED

The Sophos UTM can be hosted on AWS while maintaining secure connections to physical offices and users via options such as RED, standard IPsec VPN tunnels, UTM remote access VPN options, and the UTM Endpoint agents.

3.6 Content Filtering for AWS Workspaces Virtual Desktops

The Sophos UTM provides Next Generation content filtering and protection for any device connecting out to the Internet. The UTM Web Protection module provides real-time malware scanning, reputation checking, Layer 7 application control, and dynamic content category control options. These features can be used to protect users on AWS Workspaces Virtual Desktops, or VPC server instances that connect out to remote locations for updates. In either case the UTM provides granular control and both real-time and historical reporting and logging information.

3.7 Secure VPC to VPC Connectivity

AWS VPCs in different Regions can be easily connected using Sophos UTM VPNs. Easily build Layer 2 or Layer 3 VPN tunnels for secure access between Virtual Private Clouds.

3.8 Securely extend physical office to AWS Cloud

When creating an AWS VPC you are given the option to isolate your new network so that it is only accessible from a VPN tunnel. This allows you to ensure that any traffic to or from this virtual network passes through your corporate network. To do this, AWS provides the ability to create and connect IPsec VPN tunnels directly to your VPC. To ensure that your VPC is always reachable you are also given the option to create dual IPsec VPN tunnels that use the BGP routing protocol for failover. To simplify the setup of the IPsec tunnels and BGP, Sophos has created a 1 Touch configuration file option: you simply download a VPC VPN configuration file from AWS and upload it into your physical site UTM. The UTM will then build the redundant tunnels, rules and routes needed for the connection, and monitor the traffic to ensure you always have a path.

4 Launching a UTM AMI on AWS

Launch a UTM via AWS Marketplace

The AWS Marketplace makes launching a UTM simple. Both the Sophos UTM and the Sophos UTM Manager products are available on the AWS Marketplace, where they can be used as stand-alone AMIs or as part of an Amazon Virtual Private Cloud (VPC). We also offer two different licensing options to fit different customer requirements. Which option is best depends on your needs and use case, but in either case the offered functionality is the same. To get started simply visit the AWS Marketplace and search on Sophos. From there you simply need to choose the appropriate AMI for your needs (BYOL or Hourly) and the Instance size, and then launch your UTM as either a standalone EC2 instance or into a VPC.
https://aws.amazon.com/marketplace/

4.1 Choose a Sophos AMI from the Marketplace

4.1.1 Sophos UTM BYOL (Bring Your Own License) AMI

The BYOL option allows customers to purchase a standard UTM software license for 1, 2 or 3 years from an authorized Sophos reseller, and then apply and use it on their AWS cloud UTM. This option allows customers to pick and choose which subscriptions and support options they would like to use with the UTM, and from Sophos' perspective this is no different from a customer building and using a software or virtual appliance UTM. The difference to the customer is that they need to determine the instance size they need to purchase from Amazon, and all billing for that, and support for the instance, is handled directly with AWS. If Sophos support is contacted to investigate issues they would only be able to advise about, and troubleshoot, issues related to the Sophos products. It would be the responsibility of the customer and/or partner to manage anything related to AWS, such as security groups, routing, and installation of the actual UTM AMI.

4.1.2 Sophos UTM Hourly AMI

To satisfy the needs of existing AWS customers, Sophos designed an hourly priced UTM so that customers can bundle the price of full UTM functionality with their chosen Instance type. This allows customers to pay as they go rather than be locked into a 1, 2 or 3 year subscription, and is especially useful for those securing testing and/or development environments which may not exist for long periods of time, or that may not be used often enough to justify a full-time UTM subscription. Note that when choosing this option billing is done directly to the AWS account owner. Partners wishing to resell this option would have to own the AWS account for their customer; Amazon offers a reseller program to help with that (http://aws.amazon.com/partners). Support for this hourly option is also not included except via the Sophos UTM User Bulletin Board (www.astaro.org) or via a Sophos partner. Customers and/or partners may purchase standard UTM support from an authorized reseller using standard channels. Note that AWS also now offers the option to purchase an Hourly UTM AMI for an annual period. This can provide great savings to customers that wish to use the hourly billing option.
http://aws.amazon.com/partners/overview/consulting-partner/channel-reseller-program/
http://www.sophos.com/en-us/partners/partner-locator.aspx

4.2 Licensing Differences

The Hourly On Demand licensing has the following key differences from our BYOL license:
- Only Full Guard functionality is available (no per-subscription licensing when using hourly pricing).
- Endpoint Protection is not available right now.
- Pricing is simply x5 AMI pricing.
- No support built in (though available for free via the UTM UBB). Support contracts can be purchased via the regular VAR channel.

4.3 Sizing a UTM for your AWS Environment

Sizing a UTM for use on the AWS cloud is similar to sizing a UTM for use on your own Intel-compatible hardware or sizing a UTM physical appliance. The Sophos UTM solution offers many security features as well as both real-time and historical reporting and logging tools. Which features are used, how much storage is needed, and what specific throughput requirements exist are all factors that must be considered to properly size a UTM for your AWS environment. The UTM software simply uses whatever virtual resources are available based on the AWS instance size chosen, and though AWS offers the option to change the underlying instance size even after a UTM AMI has been launched, proper sizing is still recommended to properly calculate costs over time. When sizing a UTM the following steps should be taken:

1. Identify what UTM features will be used. The Sophos UTM offers many active security features such as malware scanning, IPS, Advanced Threat Protection, Next Generation FW scanning, web content filtering, email scanning, and VPN gateway functionality. All of these features consume CPU processing power and RAM, so they must be identified for proper sizing and for licensing should the BYOL option be chosen.

2. Identify the number of protected Instances and/or the number of protected users that will be using UTM services. The UTM features may be used to protect servers located in one or more VPCs (e.g. IPS, WAF) and/or users (e.g. Next Generation Web Protection, remote VPN connections). This information is needed both to understand how much traffic will traverse the UTM, and for licensing purposes if the BYOL licensing AMI option is chosen.

3. Understand specific throughput requirements. As mentioned above, the amount of traffic that a UTM can process is related to the resources available. Understanding how much throughput is required will help you decide on the appropriately sized instance. AWS instances offer different amounts of throughput, so the official AWS Instance documentation should be consulted to ensure your chosen option will support your throughput requirements.

One suggested way to size an AWS instance for a UTM is to look at our UTM hardware appliance line performance numbers and storage, and then look at what an equivalent virtual UTM would use for CPU and RAM. The CPU and RAM information can be used to identify an equivalent AWS instance type, and the storage information can be used for guidance on what type of EBS storage would be appropriate.
http://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-sg-series-appliances-brna.pdf?la=en.pdf

4.4 Choosing an AWS Instance Type

AWS Instances come in a variety of sizes and configurations, ranging from micro-sized instances that provide a minimal amount of RAM and limited computing power, up through Extra Large instances that contain large amounts of RAM and multiple computing cores. AWS also offers Instance types that offer enhanced networking performance, are compute and/or memory optimized, or that use dedicated hardware. Exact guidance on which AWS Instance to choose is difficult to provide, as there are many variables and AWS frequently improves on and adds to the types of available instances. A good place to start is with the M3 family of Instance types, as they offer a good balance of compute, memory and network resources. Once your UTM Instance is launched you can use the built-in resource monitoring tools to determine whether the Instance size offers enough resources, and if not, AWS allows you to easily change your Instance type with just a few clicks.
http://aws.amazon.com/ec2/instance-types/

Pricing guidance on AWS instances is also beyond the scope of this document, but Amazon offers documentation as well as online calculators to help understand and calculate costs. A good resource is the site listed below.
http://calculator.s3.amazonaws.com/index.html

4.5 Launch a UTM AMI as standalone or into a VPC

Once you've chosen your UTM AMI and Instance type you'll need to install it into an AWS Region, and choose whether it will be a standalone EC2 instance or part of a VPC. Note that prior to launching, AWS calculates your monthly costs for either Instance only or Instance plus UTM. If choosing VPC you can then choose to launch your UTM into an already created VPC, or you can choose to create a new VPC.

4.6 Choose Region

As mentioned above, AWS offers geographically distinct Regions which can be used to host your AMIs. The right choice depends on your needs and location; note that pricing will often vary depending on which Region is chosen.

Launch a UTM via AWS Management Console

Deploying a UTM via your AWS Management Console is very similar to launching directly via the AWS Marketplace. Once logged in, navigate to EC2 from the services list, choose your Region from the upper right of the screen, and then click on the Launch Instance icon.

Step 1: You'll now be presented with a screen showing the available AMIs that you may launch. Navigate to the AWS Marketplace option and type Sophos into the search box to locate the UTM AMIs.

Step 2: Select your desired UTM AMI type (Hourly or BYOL), and then proceed to the Choose an Instance Type screen. As noted above, choosing the correct instance size for your deployment depends on many factors. Please refer to the suggestions above, which should give you enough information to make an initial decision. Fortunately AWS offers the option to quickly and easily change the chosen instance type at any time, so if not all information is available for proper sizing, we would suggest choosing one of the m3 general-purpose instances as a starting point. Once launched, the UTM WebGUI dashboards and reports will show resource utilization, which can be used to determine whether a different instance size is needed.

Step 3: Once an Instance size is chosen you're prompted to configure your Instance Details. The default details will launch your UTM into EC2-Classic, which means as a standalone instance that is not part of a VPC. This option is of limited value in most production environments, and it's suggested that you instead choose an existing VPC or create a new one at this time. Please see the VPC section below for more information on configuring your UTM in a VPC. When choosing the VPC option you choose the subnet to launch your UTM into, and you may also configure the UTM interface IP address and add additional interfaces. Note that the Instance Type you choose limits the number of interfaces you may add to a UTM. Please see the official AWS Instance Type documentation for more details.
http://docs.aws.amazon.com/awsec2/latest/userguide/using-eni.html
This section also allows you to configure Advanced Details, including User Data, which can be used to configure instance details at launch and can be very useful for automating some or all of your UTM deployment. Please see the User Data section below for additional information.

Step 4: The UTM utilizes EBS volumes, and the AMIs require at least 30 GB of either magnetic or SSD volume type. SSD volumes will provide greater I/O, which may be useful in high-traffic environments where large amounts of data will be generated and stored.

Step 5: Tag your Instance for greater visibility.

Step 6: Assign or create a security group for your new UTM Instance. By default the UTM AMI will offer to create a new Security Group that allows all traffic for both the TCP and UDP protocols. These recommended settings will ensure that all traffic you send to the UTM will be allowed, and you may then rely on the UTM firewall and security policies to restrict or allow traffic destined for any protected instances in your VPC. You may of course create or use your own Security Group, but please note that the UTM WebAdmin interface uses TCP port 4444 by default, which must be open for initial configuration. That setting can be changed once you have initially connected; please refer to the UTM Administrator's guide for details on doing so.
http://www.sophos.com/en-us/support/knowledgebase/119209.aspx

Step 7: Review your Instance Launch details and note any AWS recommendations shown on screen.

The final step before launching your UTM AMI is to create or choose a key pair for use with your new Instance. As the UTM is by default managed by the WebAdmin GUI, a valid key pair is not needed for initial connection and configuration, so if you wish you may choose to continue without one. Note though that it is suggested that you assign a key pair, as you may need it later should you wish to connect to the UTM shell for advanced configuration.

5 Common Deployment Examples

5.1 UTM with Single Interface Protecting Multiple VPC Subnets

Unlike in a physical network, a UTM on AWS can function with just a single interface that is used to route and control traffic into and out of private subnets. This is due to the built-in AWS routing capabilities, which can be controlled and managed by the AWS VPC administrator. Your VPC and UTM can be configured manually, via the command line tools, or by using the CloudFormation service, but for this example we'll use the VPC and EC2 Launch Wizards.

5.1.1 VPC Wizard

Click on the Start VPC Wizard button to begin. You'll be shown a menu of options for configuring your VPC; for this example we'll choose to create a VPC with Public and Private Subnets. Once the Select button is chosen you'll be prompted to define your VPC details as shown below. For our example we're going to leave our IP CIDR block as the default 10.0.0.0/16, set the Public subnet to 10.0.0.0/24, and the Private subnet to 10.0.10.0/24. Note that I have not specified a preference for Availability Zone, though you may of course do that, and I have not changed other default details such as the subnet names, DNS hostname setting, hardware tenancy, or NAT details. The NAT instance will actually be replaced by the UTM once configured, and terminated to save on the associated charges. Once the details are configured, click on the Create VPC button.
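The VPC wizard validates the addressing plan for you, but when the same layout is built from the command line tools or CloudFormation (the alternatives this section names) nothing checks it before resources are created. The Python below is an added example, not part of the Sophos guide, that applies the checks the wizard applies to the plan above (10.0.0.0/16 with a 10.0.0.0/24 public and a 10.0.10.0/24 private subnet): each subnet must sit inside the VPC block, subnets must not overlap, VPC and subnet prefixes must be between /16 and /28, and AWS keeps five addresses of every subnet for itself. The subnet labels and those two AWS limits are assumptions stated here; the rest is the standard library.

```python
from ipaddress import ip_network

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast); EC2 never assigns them.
AWS_RESERVED_PER_SUBNET = 5
# AWS accepts IPv4 VPC and subnet blocks between /16 and /28 (assumption
# as stated in the lead-in; re-check current AWS limits if they change).
MIN_PREFIX, MAX_PREFIX = 16, 28


def plan_vpc(vpc_cidr, subnets):
    """Check a VPC CIDR and its subnets the way the VPC wizard would.

    subnets maps a label (e.g. "public") to a CIDR string. Returns a tuple
    (problems, usable): problems is a list of readable errors (empty means
    the plan is valid) and usable maps each well-formed subnet label to the
    number of addresses EC2 can actually hand out to instances.
    """
    problems, usable, seen = [], {}, {}
    try:
        vpc = ip_network(vpc_cidr, strict=True)
    except ValueError as exc:
        return [f"VPC CIDR {vpc_cidr!r}: {exc}"], usable
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"VPC {vpc} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")

    for label, cidr in subnets.items():
        try:
            net = ip_network(cidr, strict=True)   # strict: rejects host bits set
        except ValueError as exc:
            problems.append(f"{label} subnet {cidr!r}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{label} subnet {net} lies outside VPC {vpc}")
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{label} subnet {net} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
        for other_label, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{label} subnet {net} overlaps {other_label} subnet {other}")
        seen[label] = net
        usable[label] = max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)
    return problems, usable


if __name__ == "__main__":
    # The layout used in section 5.1.1 (labels are our own).
    problems, usable = plan_vpc("10.0.0.0/16",
                                {"public": "10.0.0.0/24", "private": "10.0.10.0/24"})
    print("problems:", problems or "none")
    print("usable addresses per subnet:", usable)
```

With the guide's plan the function reports no problems and 251 usable addresses in each /24; feeding it a private subnet of 10.0.0.128/25 instead shows the overlap with the public subnet that the wizard would otherwise refuse.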

5.1.2 Launch EC2 Instances

Once your VPC has been created, launch your EC2 Instances. You can do so either from the link on the VPC Dashboard or by navigating to the EC2 Dashboard and clicking the link there. Either way you'll be presented with the same Quick Start menu described above in the Launching a UTM section. Click on the AWS Marketplace menu option, search for Sophos, and choose your desired UTM AMI (BYOL or Hourly) from the options shown. After choosing your Instance type you'll be prompted to Configure Instance Details. Change the Network setting from the default EC2 to your configured VPC. As the UTM will be providing both inbound and outbound security for our AWS Instances, we'll launch it into the Public subnet. Additional configuration options are available, and you can also manage the UTM IP address assignment by scrolling down to the Network Interfaces section. For our example we'll use the default settings and continue by clicking Review and Launch. If you do not wish to use the default settings for Storage or Security Group, or wish to give a Tag to your UTM Instance, you may configure those settings by continuing through the wizard or by modifying them during the Review Instance Launch step. For clarity it is suggested that you Tag your Instances, as it will make administration much easier. As mentioned above, you will be prompted to choose or create a Key Pair before launching your UTM. You may choose to Proceed without one, but this is not recommended, as you may need your Key Pair at some point in the future for more advanced Instance operations.

5.1.3 Terminate the NAT Instance

Using the VPC Wizard results in a NAT instance with a public Elastic IP (EIP) that is not necessary for our example, as the UTM can provide NAT services. To terminate your NAT instance, right-click on it in the EC2 Instances screen and choose Terminate. As mentioned above, Tagging your Instances is suggested so that you can tell them apart; by default your NAT instance will not have a Tag assigned to it. If you have other untagged Instances and are unsure which is your NAT Instance, you can confirm by looking at the AMI ID in the Instance details section: the wizard's NAT instance is launched from an Amazon-provided NAT AMI, not from the Sophos UTM AMI. When terminating your NAT Instance you will be shown a prompt asking whether you want to release its Elastic IP. You may release it if you have another that you wish to use with your UTM, but if you are unsure or do not, simply proceed with the termination and keep the EIP for the UTM.

5.1.4 Change the Source/Destination Check setting

By default EC2 discards any packet that is not addressed to or sent from the Instance's own IP address. To allow your UTM Instance to function as a NAT and routing device, forwarding traffic on behalf of other Instances, you must disable this Source/Destination check. To do so, right-click on your UTM Instance and choose Change Source/Destination Check. You'll be prompted to confirm that you wish to disable the setting.

5.1.5 Assign an Elastic IP to the UTM

Click on the Network & Security > Elastic IPs option on the left side of your EC2 Management Console. If you did not release your EIP when terminating your NAT instance you should see it listed and available. Highlight and right-click on the Elastic IP and choose Associate Address from the options. A new screen will pop up; click on the Instance field to see your available Instances, choose the Sophos UTM Instance, and click Associate.

5.1.6 Modify VPC Route Tables

Your UTM Instance should now be reachable via the Elastic IP and may be configured to protect and control inbound and outbound traffic. Before you can control outbound traffic, however, you need to tell your private VPC subnet to route traffic to the UTM for access to the Internet. To do so, navigate to the VPC Dashboard and click on Route Tables. You should see two route tables, one for each of your configured subnets. Click on each route table and its Routes tab to identify which is Public and which is Private. Your Public route table is the one that has the Internet Gateway listed as a target. You can leave this route table as is, though it is always a good idea to Tag things in AWS to help with future administration. When you click on your other route table you'll see the Private route table details. Note that the 0.0.0.0/0 route in this table has a status of Blackhole: the VPC Wizard created this route and pointed it at the NAT instance you have just terminated. Edit the route table and delete the value in the Target column; the field should then list all available route targets, including your Sophos UTM Instance. Choose the UTM as the new route target and save. Instances launched into the Private subnet will now have their Internet-bound traffic routed to the UTM, which can be used to control and monitor outbound traffic. If you do not see your UTM as an available route target, it may be because the Source/Destination check has not been disabled on the UTM interface. If you have checked that but still do not see the UTM, try copying and pasting the UTM ENI (Elastic Network Interface) ID directly into the Target field.

5.2 UTM with Interfaces in Multiple Subnets

In some cases you may wish to configure your UTM similarly to a physical deployment, with a UTM interface in each subnet. AWS allows this, but the number of UTM interfaces possible depends on the Instance size chosen; see the official AWS Instance documentation for the number of available interfaces per type. To configure multiple UTM Interfaces, follow the instructions above until you reach the Launch EC2 Instances step. At this point create your primary Interface as outlined above, but before moving on to the next step scroll down to the Network Interfaces section and click on the Add Device button. Choose the subnet for your new Interface from the Subnet drop-down and optionally assign an IP address. Note that AWS will show a prompt stating that it can no longer automatically assign a public IP address to your instance, so you will have to associate an Elastic IP manually once your UTM Instance has launched, as in step 5.1.5. Note also that the Source/Destination check is a per-interface attribute: changing it on the Instance affects only the primary interface, so disable it on each additional UTM interface from the Network Interfaces screen as well.

5.3 UTM used to connect multiple VPCs

The Sophos UTM can be used to connect multiple AWS VPCs for cross-region connectivity. Please see the following detailed article provided by AWS: https://aws.amazon.com/articles/1909971399457482

6 Advanced Deployment Options

CloudFormation

The AWS CloudFormation service allows you to launch a stack, which is a collection of AWS resources defined in a JSON template file. Please see the AWS CloudFormation documentation for full details on using this powerful service: http://aws.amazon.com/cloudformation/ An example UTM CloudFormation Template can be found in the Version section when launching a UTM via the Marketplace.

UserData Field

The User Data field allows you to bootstrap your EC2 Instances at launch with various configuration settings, resulting in a UTM that starts with pre-configured settings. UserData can be set during manual EC2 Instance launching through both the Management Console and the API, and it can also be contained within a CloudFormation Template. Some simple examples of things you can set using UserData are the UTM hostname, passwords, and basic setup data. You can also use UserData to import UTM backup and license files during launch. Anything placed in UserData, including passwords and license files, can be read from inside the instance and by any IAM principal permitted to describe the instance's attributes, so treat it as sensitive and restrict who may view it. Below is a link to a useful tool that generates properly formatted UserData: http://utmtools.com/awsuserdata
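The single-interface deployment from section 5.1 can be expressed as a CloudFormation template instead of being clicked through the VPC and EC2 wizards. The template below is an added example written for this guide; it is not the Sophos Marketplace template mentioned above, and its resource names, parameter names and the AdminCidr default (an RFC 5737 documentation address) are assumptions. It creates the VPC, subnets and route tables from 5.1.1, launches the UTM into the public subnet with the Source/Destination check disabled (5.1.4), attaches an Elastic IP (5.1.5) and points the private subnet's default route at the UTM Instance (5.1.6). Because no NAT instance is created there is nothing to terminate and no Blackhole route to repair. Unlike the AMI's default allow-all Security Group, this one admits WebAdmin only from a single management address and all other traffic only from inside the VPC, so any service you later publish through the UTM needs its own ingress rule added here.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not the Sophos Marketplace template: public/private VPC with a single-interface UTM as the private subnet's default route",
  "Parameters": {
    "UtmAmiId": {"Type": "AWS::EC2::Image::Id",
      "Description": "Sophos UTM AMI ID for your region from the Marketplace listing (supplied by you, not hard-coded)"},
    "InstanceType": {"Type": "String",
      "Description": "Instance type sized per Sophos guidance (assumption: any type supported by the UTM AMI)"},
    "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName",
      "Description": "Key pair kept for later shell access to the UTM"},
    "AdminCidr": {"Type": "String", "Default": "203.0.113.10/32",
      "Description": "Source allowed to reach WebAdmin on TCP 4444; default is a documentation address, replace it"}
  },
  "Resources": {
    "VPC": {"Type": "AWS::EC2::VPC",
      "Properties": {"CidrBlock": "10.0.0.0/16", "EnableDnsSupport": true, "EnableDnsHostnames": true,
                     "Tags": [{"Key": "Name", "Value": "utm-example-vpc"}]}},
    "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
    "AttachGateway": {"Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {"VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "InternetGateway"}}},
    "PublicSubnet": {"Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.0.0/24",
                     "Tags": [{"Key": "Name", "Value": "utm-example-public"}]}},
    "PrivateSubnet": {"Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.10.0/24",
                     "Tags": [{"Key": "Name", "Value": "utm-example-private"}]}},
    "PublicRouteTable": {"Type": "AWS::EC2::RouteTable",
      "Properties": {"VpcId": {"Ref": "VPC"}, "Tags": [{"Key": "Name", "Value": "utm-example-public-rt"}]}},
    "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "AttachGateway",
      "Properties": {"RouteTableId": {"Ref": "PublicRouteTable"}, "DestinationCidrBlock": "0.0.0.0/0",
                     "GatewayId": {"Ref": "InternetGateway"}}},
    "PublicSubnetAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {"SubnetId": {"Ref": "PublicSubnet"}, "RouteTableId": {"Ref": "PublicRouteTable"}}},
    "PrivateRouteTable": {"Type": "AWS::EC2::RouteTable",
      "Properties": {"VpcId": {"Ref": "VPC"}, "Tags": [{"Key": "Name", "Value": "utm-example-private-rt"}]}},
    "PrivateDefaultRoute": {"Type": "AWS::EC2::Route",
      "Properties": {"RouteTableId": {"Ref": "PrivateRouteTable"}, "DestinationCidrBlock": "0.0.0.0/0",
                     "InstanceId": {"Ref": "UtmInstance"}}},
    "PrivateSubnetAssociation": {"Type": "AWS::EC2::SubnetRouteTableAssociation",
      "Properties": {"SubnetId": {"Ref": "PrivateSubnet"}, "RouteTableId": {"Ref": "PrivateRouteTable"}}},
    "UtmSecurityGroup": {"Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {"Ref": "VPC"},
        "GroupDescription": "UTM: WebAdmin from AdminCidr only, anything from inside the VPC; add rules per published service",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 4444, "ToPort": 4444, "CidrIp": {"Ref": "AdminCidr"}},
          {"IpProtocol": "-1", "CidrIp": "10.0.0.0/16"}
        ]}},
    "UtmInstance": {"Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": {"Ref": "UtmAmiId"},
        "InstanceType": {"Ref": "InstanceType"},
        "KeyName": {"Ref": "KeyName"},
        "SourceDestCheck": false,
        "NetworkInterfaces": [{"DeviceIndex": "0", "SubnetId": {"Ref": "PublicSubnet"},
                               "GroupSet": [{"Ref": "UtmSecurityGroup"}]}],
        "Tags": [{"Key": "Name", "Value": "sophos-utm"}]}},
    "UtmEip": {"Type": "AWS::EC2::EIP", "DependsOn": "AttachGateway",
      "Properties": {"Domain": "vpc"}},
    "UtmEipAssociation": {"Type": "AWS::EC2::EIPAssociation",
      "Properties": {"AllocationId": {"Fn::GetAtt": ["UtmEip", "AllocationId"]},
                     "InstanceId": {"Ref": "UtmInstance"}}}
  },
  "Outputs": {
    "WebAdminUrl": {"Value": {"Fn::Join": ["", ["https://", {"Ref": "UtmEip"}, ":4444"]]}}
  }
}
```

Launch it with the CloudFormation console or the command line tools, supplying the Marketplace AMI ID for your region as UtmAmiId (Marketplace AMIs require that you have accepted the listing's terms in your account before any launch, including one from a template). The PrivateDefaultRoute resource is what the console procedure in 5.1.6 achieves by hand, and it only validates because SourceDestCheck is false on the Instance; if you later add a second interface as in 5.2, its Source/Destination check must be disabled on the network interface resource itself.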

Avoiding Single Point of Failure

The standard UTM High Availability protocols do not work on AWS, as they are based on multicast, which the VPC network does not carry. To address this we are currently working on both a High Availability Failover solution and an Auto Scaling solution. High Availability will be available for beta testers in mid-November 2014, and Auto Scaling is targeted for early 2015. In the interim many customers are using a combination of stand-alone UTMs, AWS services, the Sophos UTM Manager, and a 3rd-party reporting solution to ensure maximum uptime and to achieve centralized UTM management and reporting. As the UTM is simply an EC2 Instance, it can be used with AWS tools and services such as CloudWatch and Elastic Load Balancers to ensure that traffic can always flow to and from your AWS environments.

7 Resources

http://www.sophos.com/aws
http://aws.amazon.com/
http://aws.amazon.com/ec2/
http://aws.amazon.com/testdrive/
https://aws.amazon.com/marketplace/
http://aws.amazon.com/partners/overview/consulting-partner/channel-reseller-program/
http://docs.aws.amazon.com/amazonvpc/latest/userguide/vpc_introduction.html

8 Legal notices

Copyright 2014 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner. Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.