Sophos


ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Hello, guys!
Interesting topic here... @joeschmuck : I hope it is OK with you to post a few questions here...
I currently have an ADSL connection 12Up/1Down. I am using a Linksys router with its firewall settings enabled, some NAT settings, etc. A few devices are connected to the router's onboard switch, and a cable travels to my home office where there is a different switch which connects to my Windows machine and my servers. The ADSL router also has wireless which serves our smartphones and tablets. Having read this topic I think it is a good idea to utilize some additional security - primarily for the kids. Sophos looks nice. Now my questions:
  1. I guess the "correct" way to go is to set the router to bridge mode, connect a cable from the router's switch to Sophos NIC1 and configure it as the WAN port, adding PPPoE. The second Sophos NIC will connect to a switch. On that switch I can connect an AP which will take care of smartphones and route a cable to the switch that goes to my home office. DHCP will be handled by Sophos and all network traffic will pass through Sophos that way. Are the above correct?
  2. If I don't use an AP and let my router handle the wireless portion, then all wireless devices will not access the internet through Sophos, correct?
  3. Can I install Sophos in VBox in order to evaluate it, but use it as the primary gateway for a Windows machine in order for it to be protected (like using Sophos as web filtering/proxy)?
Thanks a lot in advance, guys!

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
@pirateghost Thanks for the screenshots and information, I will look it over again when I get home from work and after I cut the lawn. After analyzing this, hopefully I'll be able to understand what that all means, which means the user guide will hopefully come in handy.

@ChriZ I don't mind, it's an off-topic forum. To answer your questions:
1) Yes, bridge mode and set your wireless to AP (you still need to set up the SSID and password on your wireless router). This will let the Sophos handle the internet, even for the wireless.
2) I wouldn't do that, if it's possible because it would be out on the open internet I'd think.
3) Yes, Sophos can be run in a VM, not just for evaluation. However you need to have several Ethernet ports, one for the WAN (ADSL modem), one for the LAN. I use VMware Workstation on my home computer and I do have two Ethernet ports (one not normally used) on my machine. I could take that second port and connect it to the WAN and run up VMware and create the Sophos system for evaluation. I personally prefer a dedicated piece of hardware, my wife would have my ass if every time I had to reboot my computer that the internet went down. But for evaluation, sure.

Know the hardware requirements as well, for a VM I'd use 4GB RAM, 20GB hard drive, two cores for the CPU, and your machine should have a CPU in the 2GHz or better range. My advice, take it one step at a time and take good notes. Ensure that your basic firewall is up and running, something equivalent to your current router and make sure your network seems to work properly. You will make several changes and then a few hours later or worse, the next day you will notice you broke something. Good notes will help you figure out what you did. Of course if you're a firewall guru, maybe you can do this in your sleep but that is not me.

And I'm a fan of Sophos right now. And it is a steep learning curve.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
As you get more familiarity with the product, you can create multiple web filtering profiles. For example, the profile for your IP might allow a broadened range of categories, whereas the kids might get a smaller subset of them.

Configure/enable the daily (or others) reports and look at the reporting data. You might discover that a good portion of your bandwidth is being consumed by a few advertising sites.

> Having read this topic I think it is a good idea to utilize some additional security - primarily for the kids.
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
@joeschmuck, thank you very much for your answers!

My intention is to install it to a dedicated machine at the end and not keep it in VirtualBox all the time. VBox is just for a (p)review.
I have a VBox setup on an always-on Linux server (Xeon CPU with 16GB RAM) at home, and gave it a go on my lunch break. I assigned 2 CPUs, 8GB of RAM and 40GB HDD. The first impression was really positive, but I could not really play enough with it. (Lack of time, plus my home's uplink sucks and response was really slow)
But I hope I will look more into it when I get home in the afternoon ( if my kids allow me to, lol).
Will keep you posted... thanks again!!!

@gpsguy :
> As you get more familiarity with the product, you can create multiple web filtering profiles. For example, the profile for your IP might allow a broadened range of categories, whereas the kids might get a smaller subset of them.
> Configure/enable the daily (or others) reports and look at the reporting data. You might discover that a good portion of your bandwidth is being consumed by a few advertising sites.
Sweeeeet... This is a really nice feature, will make sure to check it out.
My older son is using a Nexus tablet. I set it up so that he is a normal user and he currently has no access to Google Play and the internet browser - only YouTube. So his web access is somewhat "controlled".
My current router has some type of parental control and web filtering, but I always said to myself that when the time comes I will go for a real firewall... The time came, I suppose, and your conversation here reminded me of it...

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Just tell the kids that the internet is broken and daddy must fix it. Or do what my parents told me "Go outside and play in the street". Of course we always played outside, it was punishment to stay indoors. Times have changed!
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Haha!!!
No, the kids won't bug me for the internet downtime... They want us to play all together and I don't really dare to go near the computers, lolllll
And to be honest I prefer to avoid it, too...
This way when there really is a reason for me to use the computer, they understand and give me some privacy
Regarding playing outside: I know what you mean... unfortunately yes, times have changed...:(
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
@gpsguy Well the Netflix rules suck and do not work (not your fault, many folks have this issue), there must be something blocked. I'm not going to sweat it, I can leave it in Standard mode. You know it's still much better than my old NAT firewall. I will still work on the issue but as I understand it, the issue is actually with Sophos, not Netflix. All these rules should not be required but hey, I've got a work-around, just leave it in Standard mode and it's working fine.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Sophos is great. To date I've for the most part configured Sophos to do everything except scan my email but I ran out of time before I went on a quick little vacation with the wife (needed a break from work).

My internet speed is 20 Mbps down/2.5 Mbps up so nothing remarkable from a hardware need so I reduced my RAM down to 8GB and was able to disconnect my CPU fan. My BIOS alarm set point is 60C (the lowest setting) but while downloading over 10 large items and ensuring my bandwidth is maxed out, my CPU usage is between 12% and 13% whilst my CPU temps do not exceed 51C. The normal CPU temp is 38C but that is while it sits in my computer room. Once I place it into the cool basement it will run cooler. The last thing is to check the power consumption but I'll do that once it's in the basement using my networked power meter.

I have not mastered creation of firewall rules but I'm catching on quickly. The Webfilter is a bit more complex but I'm learning that as well. I am down to 25 IPs according to the license. It took about a week for the old DHCP IPs to drop off the licensing, even after I manually cleared them out they came back the following day but waiting a week solved the issue.

The last thing I really need to get done before I can stick this into the basement is get the email scanning set up, set up my BIOS to turn the system on when power is applied, and relocate my cable modem, network switches, etc... into the basement which will be a nightmare since I need to clean up the basement a bit before the relocation. The grandchildren will be here in a few months and the basement is the play spot so making a place off limits and where they can't screw it up is a priority.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
The email scanning and setting up gmail was the hardest part of the whole configuration I did a few years back. Don't feel bad if you get stuck on email stuff and need help. Just ping me here and I will do my best to help out. I have had to help a couple of others out on setting that up too.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
> The email scanning and setting up gmail was the hardest part of the whole configuration I did a few years back. Don't feel bad if you get stuck on email stuff and need help. Just ping me here and I will do my best to help out. I have had to help a couple of others out on setting that up too.

I appreciate it and Gmail is one of my offenders plus Hotmail (using "Exchange ActiveSync") so I may take you up on your offer but I will at least give it a shot myself first, it's the best way to learn it at least once. I'm sure I'll forget all about it later in about 6 months.
 

Fraoch

Patron
Joined
Aug 14, 2014
Messages
395
I just got my Sophos UTM up and running last week - @pirateghost pointed me in the right direction regarding bridge mode some time ago so I could continue using my Ubiquiti EdgeRouter Lite. My first attempt was a disaster, very little could connect but the worst part is my FreeNAS was blocked from the network entirely. I'm not sure what happened there but I tried again starting last week and I've finally got it where I'm not having to constantly tweak it. Really nice and it's opened my eyes to some funny business going on in my LAN (one rogue client I blocked which I still can't identify and a persistent connection to "server.gutterclutterbuster.com" which I've attempted to block completely). It's amazing how persistent Apple and Android devices are at sending out multicast packets and communication attempts with a whole series of hosts (there are lots of Apple iSomething servers out there).

I'm starting to like it more and more. I am most interested in using it to block ads at the network level.

I have yet to find anything to really load the CPU though (a Core i3-4370). It idles most of the time at less than 1%. I actually pushed it almost to 10% (!) while looking at the web filter access live log. I am very impressed with the CPU and the hardware, it idles at 10-15 W.

My connection is 30/5 and it seems to be easily handled by the hardware.

I may come here from time to time, that server.gutterclutterbuster.com rule doesn't seem to be working - I have all packets from and to blocked yet it still appears in my Top 10 Hosts in my Executive Report. Plus there's other minor niggles like my Executive Report not getting e-mailed, but no showstoppers at the moment.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I'm really not one to give advice just yet about firewall rules but where is the rule located? Since it's a drop rule I would think it should be at the top of the list, rule #1.

I think the other thing is knowing if the issue is coming from one specific computer on your network (you have malware maybe) or if someone is trying to access your system. Maybe some extra info would help but that is what I'd be looking at myself.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
I had a similar problem with demdex.net generating a ton of traffic on the corporate network. I had trouble blocking the site and worked with Astaro (Sophos) platinum support on the issue. In addition to a firewall rule, they suggested a DNAT rule as well. On occasion, even that didn't work and I finally resorted to adding a 127.0.0.1 entry in the affected users' hosts file.

It is eye-opening to see where the traffic is going. Originally, when my organization only had a single T1, the Executive Report showed a significant amount of traffic going to doubleclick.net. Besides being able to block ads (and an unwanted drain on bandwidth), etc. at the network level, it provides another layer of security. One's less likely to be affected by malvertising.
 

Fraoch

Patron
Joined
Aug 14, 2014
Messages
395
> I'm really not one to give advice just yet about firewall rules but where is the rule located? Since it's a drop rule I would think it should be at the top of the list, rule #1.

I should really read the manual, this sounds like a good idea. Of course being a newly created firewall rule it's at the bottom of the list.

> I think the other thing is knowing if the issue is coming from one specific computer on your network (you have malware maybe) or if someone is trying to access your system. Maybe some extra info would help but that is what I'd be looking at myself.

A whois search on the IP address shows it to be assigned to a company that runs lots of servers for other companies, a "server house" I think is the term. My feeling is that this IP was formerly assigned to server.gutterclutterbuster.com and is now assigned to another company/organization but the server house didn't update their whois record. With the amount of traffic going to it, it could be a weather server I'm sending weather data to...another hobby.

I have to get familiar with reading the logs. I'm not sure where everything is and since this traffic is passing through and not being blocked, it may not be in the logs.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> I should really read the manual, this sounds like a good idea. Of course being a newly created firewall rule it's at the bottom of the list.
>
> A whois search on the IP address shows it to be assigned to a company that runs lots of servers for other companies, a "server house" I think is the term. My feeling is that this IP was formerly assigned to server.gutterclutterbuster.com and is now assigned to another company/organization but the server house didn't update their whois record. With the amount of traffic going to it, it could be a weather server I'm sending weather data to...another hobby.
>
> I have to get familiar with reading the logs. I'm not sure where everything is and since this traffic is passing through and not being blocked, it may not be in the logs.

When creating rules, you can select where in the list it shows up (drop down with rule numbers), and I always turn logging on in my LAN->internet rule so I can log everything.
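The rule-ordering point made in the last few posts (a newly created drop rule lands at the bottom of the list and never fires because the logged LAN->internet allow rule above it already matches) as an added example; this is not code from the thread or from Sophos UTM. It models first-match evaluation in Python with constructed rules, a constructed packet and a simple shadowed-rule check; the field names and addresses are assumptions, not UTM rule syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "drop"
    src: str = "0.0.0.0/0"      # source network (CIDR)
    dst: str = "0.0.0.0/0"      # destination network (CIDR)
    dports: frozenset = None    # None = any destination port
    log: bool = False           # write a log line when this rule decides

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

def matches(rule, pkt):
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dports is None or pkt.dport in rule.dports))

def evaluate(rules, pkt):
    """Walk the list top to bottom; the first matching rule decides. Returns
    (action, deciding rule, log lines); unmatched traffic is dropped, unlogged."""
    log = []
    for pos, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            if rule.log:
                log.append(f"rule#{pos} {rule.name}: {rule.action} "
                           f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
            return rule.action, rule.name, log
    return "drop", "default", log

def covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`."""
    ports_ok = outer.dports is None or (
        inner.dports is not None and inner.dports <= outer.dports)
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and ports_ok)

def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]

# Constructed rules: the logged LAN->internet allow rule, and a drop rule for
# one persistent external host (203.0.113.10 is a documentation address).
LAN_ALLOW = Rule("LAN->internet", "allow", src="192.168.1.0/24", log=True)
BLOCK_HOST = Rule("block persistent host", "drop",
                  src="192.168.1.0/24", dst="203.0.113.10/32", log=True)
PKT = Packet("192.168.1.20", "203.0.113.10", 443)   # constructed flow
```

With `[LAN_ALLOW, BLOCK_HOST]` the packet is allowed and `shadowed_rules` names the drop rule; with `[BLOCK_HOST, LAN_ALLOW]` the same packet is dropped by rule #1, and the allow rule's logging is what makes the still-passing traffic visible in the first case.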
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
> I have to get familiar with reading the logs. I'm not sure where everything is and since this traffic is passing through and not being blocked, it may not be in the logs.

I'm getting much better with the logs and it will come with time. As for not knowing where everything is, Sophos does have that one issue, it's a real pain to figure out where many settings are. Yesterday it took me about 10 minutes to locate the A/V scan file size limit and then finding it was 30MB, I left it alone for now, I'm not certain lowering it to 20MB will make any real impact on a home system.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
> The email scanning and setting up gmail was the hardest part of the whole configuration I did a few years back. Don't feel bad if you get stuck on email stuff and need help. Just ping me here and I will do my best to help out. I have had to help a couple of others out on setting that up too.

Okay I give up! Setting up email protection for a GMAIL account is kicking my butt. I got POP3 working for a normal POP3 account, tested message blocking and being able to release it, but GMAIL is IMAP/SMTP. So far it looks like I may need to set up my own Exchange server or something, my brain hurts! I also understand that my Hotmail accounts are not supported at all, well yet, so at least I don't have to spend more time on that effort.

So yes, I'll be happy to take you up on your offer and take your help. I'll PM you.

-Mark
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I've been <popcorn> this thread since I'm going to head down this road by the end of the year. Your problems with Sophos so far would also be my problems and therefore a show stopper. I must have Netflix, Gmail and Hotmail running and yet protected. I would also need Amazon Prime and Hulu access as well as Emby. It makes me wonder if pfSense would be an easier setup even though it's more complex.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> I've been <popcorn> this thread since I'm going to head down this road by the end of the year. Your problems with Sophos so far would also be my problems and therefore a show stopper. I must have Netflix, Gmail and Hotmail running and yet protected. I would also need Amazon Prime and Hulu access as well as Emby. It makes me wonder if pfSense would be an easier setup even though it's more complex.

Amazon, Hulu, Netflix access are all possible.

pfSense would be an easier setup if all you want is a router and firewall. If you want real filtering and AV, then Sophos is the king.
 