Site icon Sophos News

Protecting the Cloud: Securing user remote access to Azure

Now, more than ever, many of us need the flexibility to access data, files, and private applications whenever and wherever we’re able to get work done.

Cloud providers like Microsoft Azure give you the flexibility to make your move to the cloud as temporary or permanent as you need. And while this is the right time to provide users with secure virtual desktop services and extend on-premises resources to the cloud, it’s also paved the way for attackers to maliciously gain access to your company’s confidential cloud resources.

Simple to deploy

Sophos XG Firewall can easily be deployed from Azure Marketplace to secure access to services hosted in Azure.

A typical deployment of XG Firewall in Azure may look like this. In this example, XG Firewall is deployed in a Resource Group using the Azure Marketplace. The resource group consists of port A (internal interface of XG Firewall), port B (public interface of XG Firewall), XG Firewall virtual machine, disk associated with the virtual machine, a security group, and public IP.

Configuration tips:

Greater visibility of network users and application using cloud resources

Once deployed, gaining visibility into network users and applications using cloud resources should be your first step, and it’s simple with XG Firewall’s  web-based console and out-of-the-box comprehensive reports.

The administrator for XG Firewall in Azure has complete visibility of remote users in the cloud. The firewall logs and reports clearly demonstrate the footprints of a remote user, and in the case of a suspicious event, the administrator can easily disconnect the remote user at any given point.

Specific policies and quotas can even be applied to individual remote users or groups of users where necessary.

Simple, secure remote access with Sophos XG Firewall

VPN connections are crucial to enabling secure remote working. Sophos XG Firewall can easily be deployed from Azure Marketplace to secure access to services hosted in Azure with a range of VPN options.

Option 1: SSL VPN

The major challenge when working from home are various unforeseeable restrictions by internet service providers, as some block standard ports such as IPSEC port 500 and port 4500.

The SSL VPN in XG Firewall provides the option to use port 8443 or a custom port for connecting remote users to the cloud infrastructure.

Configuration tips:

Option 2: Clientless VPN

A full tunnel configuration like SSL VPN allows remote users to upload and download content to and from the server. As this might prove to be a security concern for your organization, XG Firewall provides clientless VPN for more granular control. This option allows users to just view the contents of the internal resource without making any changes.

This configuration creates a bookmark on a permitted user’s XG Firewall user portal. The remote user logs into the user portal and clicks on the created bookmark to access the resource.

Configuration tips:

Option 3: Sophos Remote Ethernet Device (SD RED)

The Sophos SD RED (Remote Ethernet Device) is a network device which connects remote offices over the public internet via a secure tunnel. SD RED provides a zero-touch deployment and ensures that the device is ready to connect to the Sophos XG Firewall in Azure as soon as it is plugged in by the remote user.

The configurations for the device are managed by the Sophos XG Firewall without requiring any prior knowledge of the remote office network. The SD RED device downloads its configuration from the provisioning server over the internet and securely connects to the internal resources protected by the XG Firewall in Azure.

This option is especially useful for users that require constant uninterrupted connections to the internal resources from their home offices. More information about the SD-RED models can be found here.

Configuration tips:

Option 4: Sophos Remote Ethernet Device (SD RED) site-to-site tunnel

In addition to traditional site-to-site IPSEC tunnels, a Sophos SD RED tunnel can be used to connect remote users to internal resources. The advantage here over the other forms of remote access is the simplicity, speed of communication, and ease of configuration.

The site-to-site SD RED connection is formed between the XG Firewall on premises and the XG Firewall in Azure. In this scenario, the SD RED creates a Layer 2 tunnel between the two XG Firewalls. This mode of communication also adds web and email protection for remote users as part of the subscription.

Configuration tips:

Helpful Resources:

Exit mobile version