by
Etienne Liebetrau
One of the very first features of Sophos UTM that grabbed me as a seriously cool feature is the Sophos RED device integration.
The RED or Remote Ethernet Device is a small box you deploy to your remote sites, and it establishes a VPN back to your central Sophos UTM so that anything connected to the RED is seen as part of your network. The concept is not new, but the ease of implementing it, and the elimination of remote side configuration is what makes it really cool.
Once your RED is configured all of your devices on the remote site can be set to browse the Internet through your central UTM. This allows you to have a consistent user security profile across all of your sites. It also means all users, regardless of site can be reported on with the same infrastructure.
Unfortunately there are no virtual RED devices, so you have to get the hardware. The good thing is that they are relatively inexpensive. There are currently two models. The RED 10 and RED 50. They are purchased as a once off cost with no annual subscription required.
You also need an Internet break out at your remote site. Anything that can connect to the Internet and provide a DHCP address to the RED device plugged into it will do. This means you can theoretically use any router regardless of the medium such as a DSL, VSAT, T1, T3, ISDN, and 3G.
What is really nice here is that you can switch ISP or even the routers themselves, without needing to reconfigure anything on the RED or the UTM.
You need a central Sophos UTM that has a fixed public name and/or IP address, and a full guard license. This would typically be located at your head office or data center. To get a fixed public name even from a dynamic connection, read our article on Configuring Dynamic DNS on Sophos UTM.
The RED devices are design to be both tamper proof and fool proof. There are no buttons or configuration options on the box. The units are all solid-state components with no fans or moving parts and they have a sturdy steel case.
**A note on the internal network: ** If your site is small and you only need to connect 4 devices, you can patch them directly into the RED. If however you have multiple devices you can connect them to a standard switch and patch that into the RED. A personal favorite of mine is to extend the connectivity by using a Sophos Wi-Fi AP.
All of the settings for the RED are configured on your central Sophos UTM. That’s right, if you want to change something like DHCP on the remote site, the change is made on the UTM, and the RED simply inherits the configuration.
In the background, the configuration you just specified is uploaded to the Sophos provisioning cloud. When your RED device connects to the Internet, it will go to the Sophos cloud, identify itself with its unique RED ID and check for a configuration. It will then download it and configure itself according to the settings.
The RED device and the endpoint devices connected to it are now able to connect to your Sophos UTM, but not the internal network (yet). The reason is that you have not given the RED network any access to the rest of the private network.
You can be very specific about what you want to allow and deny, but let’s set up a rule where we explicitly trust our remote site and give them access to everything on the internal network.
In the Sophos UTM Web Admin, you will notice an additional interface now exists for the Sophos RED device. There is also a network definition for it auto created by the Sophos RED provisioning.
To grant access to the rest of the network perform the following steps.
A nice thing here is that any additional REDs that are added later can simply be added to this existing rule. You can, but you do not need to, define separate access rules per site.
If your Sophos UTM is the default gateway for your internal network, everything should be working. If it is not your default gateway, you need to define a masquerading rule. To do this:
In my testing, from the time the RED is first powered on, to when the tunnel is up and usable is about 8 minutes. During this time it will update it's firmware and configure itself. Again no actions are taken on the remote site other than having plugged the RED device in.
Subsequent reboots only take about 1-2 minutes before the tunnel up and running again.
When you connect a device to the RED it gets a DHCP address and it has access to the internal network!
You can check on the status of your RED by looking at the Overview tab in RED Management, and open the live log to look further into the actions being performed on the RED.
This has been a very brief introduction to the RED and how to get up and running. They are amazing little devices that allow you to reliably and securely expand you network by adding additional external sites. The fact that they can accommodate almost any Internet connection makes them a key component if you are considering expansion over a heterogeneous WAN.
Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.
Sophos RED 10 vs RED 50 - A Detailed Feature Comparison
How to Configure Multiple Site-to-Site SSL VPNs with Sophos UTM