UTM 9.705-3 SSL VPN Advanced Settings

I looked in Sophos’s community forums, and did a search in here, and could not find my answer. So I’m sorry if this has been covered before.

Now that my company has made the decision to embrace work from home on a regular basis, we are looking to strengthen our security and increase the performance of our VPN. It doesn’t look like Sophos releases any best practices for these settings. We are currently set with:

  • Encryption algorithm: AES-256-CBC
  • Authentication algorithm: SHA2 256
  • Key size: 1024 bit
  • Server certificate: Local x509 Cert
  • Key lifetime: 36000 seconds
  • Compress SSL VPN traffic: Enabled
  • Enable debug mode: Disabled

My questions about this are:

  1. Can I change these settings where our users will not have to pull down a new config from the User Portal?
  2. I have read that compression is the biggest culprit of a slow VPN. If we disabled compression, will we see a noticeable increase in performance?
  3. What are the best practices for these settings?

Thanks for your help!

  1. No, you can change the networks the clients are allowed in. The client will reconnect with the new networks/hosts when you click save.

  2. Depends. If you have lots of VPN connections you might overwhelm your firewall’s CPU (depends on model).

  3. They are fine. I personally would prefer a 2k key and less key lifetime… But it’s nothing you need - just disable compression if you have problems.

Edit: some words

SSL VPN can be taxing on the CPU, so hopefully you don’t have heaps and heaps of users for the model you are using. Other than changing the key to 2k, it’s pretty good.

So if I understand you correctly, if I wanted to bump the key size to 2048, I would have to have our users update their config file?

We have about 150 total users, but usually only about 90 on the VPN at a time. Right now, with 81 users connected, we are only using about 7% of the appliance’s CPU. So I guess disabling compression won’t make a huge difference there then.

I would love to reduce our lifetime, but apparently 8 hours was “too much trouble” for our users that work more than 8 hours, to have to reconnect. I pick the battles I fight wisely, this is not one of them. LOL

It’s an SG310, about 150 total users but only about 90 on average daily use it. Our CPU rarely goes over 10% utilization, so I think we are good there.

I’d love to bump the key to 2k, but not happy about having to ask everyone to re-install or just swap their config file.

You can open the .ovpn file (the provisioning file) with an editor (e.g. Notepad++) - all the things configured in that file are static.

Routes, networks and allowed hosts/networks are delivered by the firewall upon connection.

Key lifetime and encryption are an integral part of the .ovpn file.

As it is basically OpenVPN, you can get more insight into how it is set up by looking at the guide from OpenVPN: https://openvpn.net/community-resources/how-to/

Sophos uses that exact system - they just slapped an easy-to-use backend management on it.
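As an added example (not from the thread, and not a Sophos or OpenVPN tool), a small Python script that pulls the static directives out of a client profile so an admin can see which of the settings above are baked into the file and would need a re-issued profile to change. The profile text is constructed, not a real UTM export, and the 8-hour key-lifetime ceiling is an assumption taken from the discussion.

```python
import re
# Constructed sample (NOT a real Sophos UTM export); the <ca> body is a placeholder.
SAMPLE_OVPN = """\
client
remote vpn.example.invalid 443
cipher AES-256-CBC
auth SHA256
reneg-sec 36000
comp-lzo yes
<ca>
PLACEHOLDER-CERTIFICATE
</ca>
"""

def parse_ovpn(text):
    """Return ({directive: [args]}, {inline block: body}) for an .ovpn profile."""
    directives, blocks = {}, {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:  # inline <tag>..</tag> block (certs/keys): collect up to the closing tag
            name, body = m.group(1), []
            for inner in lines:
                if inner.strip() == f"</{name}>":
                    break
                body.append(inner)
            blocks[name] = "\n".join(body)
            continue
        key, *args = line.split()
        directives[key] = args
    return directives, blocks

def review_profile(text, max_reneg_sec=8 * 3600):
    """Settings baked into the client file (changing them means re-issuing the
    profile); flags compression and a key lifetime above the assumed ceiling."""
    d, blocks = parse_ovpn(text)
    lzo, comp = d.get("comp-lzo"), d.get("compress")
    compression_on = (lzo is not None and lzo != ["no"]) or bool(
        comp and comp[0] not in ("stub", "stub-v2"))
    reneg = int(d["reneg-sec"][0]) if "reneg-sec" in d else 3600  # OpenVPN default
    findings = [msg for flag, msg in (
        (compression_on, "compression enabled: costs CPU per packet; disable first if slow"),
        (reneg > max_reneg_sec, f"reneg-sec {reneg}s exceeds {max_reneg_sec}s (assumed ceiling)"),
    ) if flag]
    return {"cipher": d.get("cipher", ["?"])[0], "auth": d.get("auth", ["?"])[0],
            "reneg_sec": reneg, "compression_on": compression_on,
            "inline_blocks": sorted(blocks), "findings": findings}
```

Routes and allowed networks are pushed by the server on connect, so they never appear as directives in this file and are not something the script needs to look for.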

Hmm… what kind of bandwidth are you going to push through it? How many concurrent users are you looking at? The key isn’t a huge huge deal but 2k is the standard now, either way, not the end of the world.

I think we’re good on the compression, since the CPU barely gets hit through the day.

Will probably plan to update the key to 2K this summer. Our business revolves around the school year and it’s not worth impacting our users during our busy time.

Thanks for your help!