87 lines
3.0 KiB
Markdown
87 lines
3.0 KiB
Markdown
|
|
## Intro
|
|
|
|
The customer Franke Rieger Architekten is currently using a Sophos XG 106 firewall. The firewall is not anymore supported in the future or simply broken.. I dont know and care.
|
|
The Sophos thingy should be replaced by a OPNsense solution. In order to do this we try to reproduce the Sophos configuration as neatly as possible. Although it will be very hard.
|
|
|
|
### Plugins
|
|
|
|
- os-OPNcentral
|
|
- os-squid
|
|
- os-clamav
|
|
- os-c-icap
|
|
- os-acme-client
|
|
|
|
## Sophos features to reproduce
|
|
|
|
### Network
|
|
|
|
- [x] LAN port has a static network of: 192.168.9.254/24
|
|
- [x] default dhcp at br-lan: from 192.168.9.123 - 192.168.9.127
|
|
- [ ] WAN port has a static ip of: 192.168.99.253/24 (Speedport before firewall)
|
|
- [ ] ipv4 gateway: Name: Speedport, IP: 192.168.99.254, Interface: WAN port, Health check: on
|
|
|
|
- [x] DNS request route configured : Host/domain name: ffr.local, Target Servers: frr-srv-dc02.frr.local. OPNsense analogue: UnboundDNS -> Query Forwarding. (this is a config required for ad integration)
|
|
- [x] DNS servers are: itself, and choose arbitrary monopolistic techgiant
|
|
|
|
- [ ] ssl cert via acme (http-challenge), needs only to be enabled in ui and cert issued
|
|
|
|
### Authentication
|
|
|
|
- [x] Require MFA for: user portal, web admin console
|
|
- [ ] setup ad as "server" in opnsense
|
|
- [ ] import users form ad!!! (I hope it works...)
|
|
|
|
#### Not required
|
|
|
|
- [y] Kerberos for authenticating non-AD users (web authentication??)
|
|
- [y] captive portal
|
|
|
|
### Miscellaneous
|
|
|
|
- [x] sophos antivirus alternative (clamav + c-icap + squid web proxy)
|
|
- [x] SSL VPN - Needs to be tested properly
|
|
- [x] using SSL/TLS inspection with squid (transparent web proxy)
|
|
|
|
## Firewall rules to reproduce
|
|
|
|
- [x] allow VPN access to LAN network (any service) (web proxy) (ips: general policy) (waf)
|
|
- [x] allow LAN access to WAN network (dhcp. dns. ftp. http. https. icmp. icmpv6. imap(s). Jimdo-Mail??. ntp. ping. pop3(s). smtp. smtp(s). Teamviewer. ) (scan http and decrypted https, scan ftp for malware, use web proxy) (ips: general policy) (waf)
|
|
- [ ] service alias for imap(s), jimdo-mail, pop3(s), smtps_465, Teamviewer
|
|
|
|
- [x] allow wan access over https and ssh only via office ip (213.160.17.158) (in sophos jargon: "local service ACL exception rule" )
|
|
|
|
|
|
## IPS
|
|
|
|
- [x] default general policies
|
|
- [x] built-in [suricata](https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/)
|
|
|
|
## Web Proxy
|
|
|
|
- [x] risky downloads, suspicious, nudity and adult content, not suitable for the office, bandwidth-heavy browsing, unproductive browsing, not suitable for schools
|
|
- [x] https encryption
|
|
- [x] managed TLS exclusion list (corresponds to "SSL no bump sites" under Services -> Squid Web Proxy -> Administration, General Forwarding Settings under Froward Proxy list)
|
|
|
|
### Optional
|
|
|
|
The following features are too complicated and thus only optional.
|
|
|
|
## Web application firewall
|
|
|
|
- [ ] too complicated
|
|
|
|
## Wireless
|
|
|
|
- [ ] does it need to be configured on opnsense???
|
|
|
|
## Mail protection
|
|
|
|
- [y] scan ~~outgoing~~ incoming mails for malware (why??)
|
|
|
|
## Web Server
|
|
|
|
- not used
|
|
|
|
|