Sophos

Status
Not open for further replies.

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I haven't done any real work with pfSense so I'm not sure how it operates but the one thing I do like about Sophos is I do not have to add packages and really do any management once it's setup. To be honest, Sophos is doing all I originally wanted and adding email antivirus protection is just an extra bonus. I run Norton Internet Security on all my machines so they catch all the bad emails but if I can configure Sophos to do the same thing, maybe it will catch the one thing Norton fails to catch, although it's got some great marks for doing its job correctly.

Setting up the rules was difficult because I had to learn how to, I'm not a networking guru. Once I figured it out it was simple. There will be a learning curve for either product.

To put Netflix and the like into perspective... You can rule your WAN with an iron fist if you want but I feel it's easier to look at where I started with a simple NAT router and now I'm in the big leagues with Sophos because I can block countries and allow only what I want. Using the Standard vs. Transparent mode allows Netflix to work without any special rules, however I guess Transparent mode is better overall, still not sure it really matters otherwise why would it even be an option. And the Netflix issue is a known problem in Sophos, hopefully to be fixed in the near future. Amazon already has pre-made rules and I'm not a member so I can't say if it works or not.

My advice would be to find yourself a spare computer with at least 4GB RAM, an 80GB hard drive (don't use a large drive, it will take a long time to format), and dual core CPU if you have it, and of course two LAN connections (I have made it work with a USB to Ethernet adapter but it was a USB 2.0 port and limited the bandwidth). Give it a try. My ISP provides two WAN IP addresses so it was easy for me to test my system out using a VM of Windows on a different network over the same LAN. I took a week or so before I trusted my setup and implemented it into my home network (no need to have the wife and daughter yelling at me). After playing with it, do the same with pfSense, the hardware requirements are similar. One difference is Sophos is Linux, pfSense is FreeBSD. The LAN drivers for Sophos appear to be very compatible with Realtek and you know how many motherboards come with Realtek. Both of my LAN adapters are Realtek and not a single hiccup. Of course if I decide to order parts for a small form factor machine, I'll get Intel LAN ports if I can. But honestly, I'm drawing 52 watts of power with my current hardware and I haven't even started to lower the power consumption yet. The cost of a new system would still take me well over 10 years to recoup in power cost savings so the odds of me replacing my hardware, probably not going to happen, however I do have other systems in the basement which I may dust off to see what they can do. Most likely are too slow but I need to go through the stuff anyway and toss out the crap.

If I could plug this software into my ASUS router, it would be there. Too bad DD-WRT isn't up to this level, I really like DD-WRT and have been using it for over 10 years, just not in my ASUS router (yet).
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Transparent mode: In transparent mode, all connections made by client browser applications on port 80 (and port 443 if SSL is used) are intercepted and redirected to the Web Filter without client-side configuration. The client is entirely unaware of the Web Filter server. The advantage of this mode is that for many installations no additional administration or client-side configuration is necessary. The disadvantage however is that only HTTP requests can be processed. Thus, when you select the transparent mode, the client's proxy settings will become ineffective.

Standard mode: In standard mode, the Web Filter will listen for client requests on port 8080 by default and will allow any client from the networks listed in Source Networks box to connect. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.

This means that in standard mode, you aren't filtering anything unless you are pointing your browser to the PROXY on port 8080. This requires manual configuration on all clients you want protected.

In transparent mode, all traffic is intercepted. If there is any traffic you do NOT want intercepted (think Roku boxes, sonarr, sickrage, crashplan, etc. stuff that doesn't need to be filtered), you would use the MISC tab in 'Filtering Options' and add a host to 'skip transparent mode source hosts/nets'.
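A small model of the two proxy modes described above, written as an added example for this thread (not Sophos code and not from any poster): in standard mode a request is filtered only if the client is explicitly pointed at the proxy on 8080, while in transparent mode port 80/443 flows are intercepted unless the source address is on the skip list. The skip-list entries and client addresses below are constructed sample values.

```python
import ipaddress

# Ports the transparent web filter intercepts (80, plus 443 when SSL scanning is on).
HTTP_PORTS = {80, 443}


def parse_skip_list(entries):
    """Turn 'skip transparent mode source hosts/nets' entries into network objects.

    A bare host such as '192.168.1.50' becomes a /32; CIDR entries are kept as-is.
    strict=False tolerates entries whose host bits are set (e.g. '192.168.1.70/27').
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_filtered(mode, src_ip, dst_port, client_uses_proxy, skip_nets):
    """Return True if the web filter will see this request.

    mode: 'standard' or 'transparent'
    client_uses_proxy: whether the client's browser is configured for the proxy on 8080
    """
    if mode == "standard":
        # Nothing is intercepted; only clients that explicitly use the proxy are filtered.
        return client_uses_proxy
    if mode == "transparent":
        if dst_port not in HTTP_PORTS:
            return False  # only HTTP(S) can be processed in transparent mode
        addr = ipaddress.ip_address(src_ip)
        if any(addr in net for net in skip_nets):
            return False  # source host/net exempted on the MISC tab
        return True
    raise ValueError(f"unknown mode {mode!r}")


def summarize(mode, flows, skip_nets):
    """Evaluate a list of (src_ip, dst_port, client_uses_proxy) flows under one mode."""
    return [(src, port, is_filtered(mode, src, port, proxy, skip_nets))
            for src, port, proxy in flows]


if __name__ == "__main__":
    # Constructed sample: a Roku at .50, a media VLAN at .64/27, ordinary PCs elsewhere.
    skip = parse_skip_list(["192.168.1.50", "192.168.1.64/27"])
    flows = [("192.168.1.10", 443, False),   # PC, no proxy configured
             ("192.168.1.10", 8080, False),  # non-HTTP port
             ("192.168.1.50", 80, False),    # Roku on the skip list
             ("192.168.1.70", 80, False)]    # inside the skipped /27
    for mode in ("standard", "transparent"):
        print(mode, summarize(mode, flows, skip))
```

The difference the thread is getting at shows up in the first flow: the same PC request is unfiltered in standard mode (no proxy configured) and filtered in transparent mode.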
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
@joeschmuck you should have a look at ditching Norton and going with the Sophos endpoint protection included in your home license. 10 free licenses is nothing to sneeze at, considering the amount of stuff it can handle. You get centralized management and notifications from the clients, you can lock down specific machines/profiles from things like (optical drive access, thumbdrive access, wireless, bluetooth, etc)

My favorite component of the endpoint protection for Windows laptops:

Endpoint Web Control
lets you enforce Web Protection settings on endpoints when they are not behind the UTM (such as a company laptop surfing from home).
Both the global policy (Web Protection) and profiles (Web Protection > Web Filter Profiles) can be enforced on endpoints using this feature.

Sophos LiveConnect applies changes and records logs regardless of where the endpoint is.

Your clients are filtered just like they would be at home.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
@pirateghost I like the idea of using the Sophos endpoint protection however I would still retain Norton, I'd have to build up some faith in the Sophos product to protect me in that manner. When I purchase Norton (5 license version) I typically pay under $20 for the box or nothing at all with a purchase of parts or something. I wait for sales to occur and when I see one, I buy it. I already have another box ready for use and I still have 240 days left on my current purchase so unless I see a free one in the next year, I'm set. I only have 5 windows computers right now, so I'm actually good. If I get another windows system, I'll use some other free A/V software, that is what I do with my VMs.

This means that in standard mode, you aren't filtering anything unless you are pointing your browser to the PROXY on port 8080. This requires manual configuration on all clients you want protected.
I was not aware of this. I need to understand more then because as I've admitted, I'm not a networking guru. Time to read a little more on the Transparent mode. I do not want to break the internet at my house, a major concern.

As for Netflix, when I place it in transparent mode, and apply the web protection rules I've found, I cannot make it work. This is not an issue for the home devices, I can just put those into a DMZ if I must but it's the cell phones and computers that I have an issue with, those fail to pass Netflix. I'm not going to worry about netflix for this moment, I can just tell the daughter to watch it on her TV vice her cell phone.

Damn, I need a shower, just got done cutting some shrubs back and I got bugs all over me, and I stink too but that's another story :)
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I just realized as I sat down to write up about GMAIL, that I was referring to getting GMAIL configured to send me reports, and not protecting GMAIL accounts with Sophos. I don't know if it is possible to do this. I will do some digging.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
LOL, of course. I wouldn't waste much time on it but I do appreciate the offer.

Well I've been working hard to get the HTTPS thing working. I had to make a few changes and recreate my certificates but I believe I have it working fine.

To get Netflix working here is my setup and I'm sure there is something that will kick me in the teeth...
1) Transparent Mode
2) On the HTTPS tab, "Decrypt and scan the following"
3) On the Scan These Categorized Websites: delete "Media Downloads"
4) I have no filtering options specific for netflix

An alternate method is (not my preferred yet):
1) Transparent Mode
2) On the HTTPS tab, "URL filtering only"
3) I have no filtering options specific for netflix

For all my dedicated media streaming devices (Roku, BluRay Player, etc...) I placed the devices in the "Skip Transparent Mode Source Hosts/Nets" as you indicated. I also included the cell phones here, I'm not going to worry about the cell phones just yet, they have so much internet access, all I'm really providing to the family for these is streaming media so my usage plan doesn't get excessive.

Cheers!
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
News from my end:
Found some time to install Sophos on a physical machine.
I had a spare Dell optiplex 3020 SFF laying around and decided to use that, after adding a spare Intel NIC... Overkill, but it was the easy solution for now since I don't have a spare PSU ATM to use with the spare atom motherboard I intend to use at the final setup.
The process was difficult in a funny way, lol...
  1. Used Rufus to create an install USB and started the installation.
  2. Removed the 500GB Seagate of the Dell and decided to use a spare 40GB OCZ Vertex 2
  3. Turned it on and "Primary hard disk not found"
  4. Triple checked the cabling and realized that disk was there on every other boot. Googled it and found out that SandForce chipset (OCZ's chipset) is incompatible with Haswell SATA ports
  5. Found a spare 100GB Seagate momentus and everything was visible again
  6. Began installing and after formatting the hard disk, "install.tar not found"
  7. Suppressed my desire to throw the thing out of the window and googled again... USB install media is not supported (not without witchcraft at least)
  8. Took me 10 minutes to find an empty CD-RW (yes, rewritable CD - they still exist!)
  9. Took 20 minutes to burn it, because it was only a 4x and boom... failed to overburn..
  10. Needed another 10 minutes to find another empty CD-R and finally managed to burn the ISO
All of the above and the installation had not yet started, lollll

I am currently in the process of configuring it (I have an ADSL line, so added a spare router as bridge only and used the existing as switch and AP)
Created a few NAT rules - added dyndns, found it a bit difficult to create NAT loopback, but so far so good..
It is located behind the living room LED TV for now.
Will update on further progress - so far so good - I blocked facebook access for fun and my wife threw me one of her shoes, lollll..
In other news, my younger, 2yo son thought it is fascinating to push the little Dell's power button, which led to a graceful shutdown of the UTM..

And now comes the stupid question you were all expecting..
Is there a way to disable power button behavior?

Cheers for now..
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
BIOS if it's there. I know you can set the state of the power button for reset but not sure if you can disable it through the BIOS. Option 2, remove the wire from the motherboard.
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Well I could not find it anywhere in the BIOS settings, so I was hoping if the UTM has any options to disable power button
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Your only option is disconnecting the switch from the MB. Of course, if it's just little hands you are trying to keep it away from, wire a different switch (momentary ON) to maybe the rear of the case and you could use that to turn the computer on and off.

There are two other options I can think of...
1) Duct tape the switch.
2) Duck Strap (aka. Cat of 9 Tails). My uncle used this method a few times and for me, once was more than enough. Looks like this but the ends are 100% leather, no metal back in the day.

Okay, option 2 is not likely on someone so young, maybe in a few more years :)
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
lol @joeschmuck
I actually found a solution...
I did a little digging and found that in /etc/acpi/events/ there is a file called powerbtn with the following
Code:
# acpi/events/powerbtn

event=button[ /]power
action=/usr/lib/acpi/powerbtn.sh


I changed the last line to
Code:
action=
and restarted acpid but no joy
I then edited powerbtn.sh
Code:
#!/bin/sh

/sbin/shutdown -h now "Power button pressed"

and commented the line. Now nothing happens when I press the button
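For readers who want to check what acpid will actually do with the power button (including after a reboot, which is the open question here), the following is an added example, not code from the thread or from Sophos: it parses acpid event files in the format shown above and matches events the way acpid does, by treating the event= value as a regular expression searched against the kernel's event string. Pointing action= at /bin/true is offered as an alternative no-op handler; the event strings and file contents are constructed samples, and whether the UTM rewrites /etc/acpi on boot is not something this example can tell you.

```python
import re
from pathlib import Path

# Constructed copy of /etc/acpi/events/powerbtn as posted above.
ORIGINAL_POWERBTN = """# acpi/events/powerbtn

event=button[ /]power
action=/usr/lib/acpi/powerbtn.sh
"""

# Alternative to editing powerbtn.sh: keep the rule but make the action a no-op.
DISABLED_POWERBTN = """# acpi/events/powerbtn

event=button[ /]power
action=/bin/true
"""

# Event string the kernel reports for a power button press (constructed sample).
POWER_EVENT = "button/power PBTN 00000080 00000001"

NOOP_ACTIONS = {"/bin/true", "true", ":"}


def parse_event_file(text):
    """Parse one acpid event file into a dict of its key=value lines.

    acpid ignores blank lines and '#' comments; the keys that matter are
    'event' (a regex) and 'action' (a command line).
    """
    rule = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            rule[key.strip()] = value.strip()
    return rule


def action_for(event_string, rules):
    """Return the action of the first rule whose event regex matches, else None.

    acpid uses an unanchored regex search, so 'button[ /]power' matches both
    'button/power ...' and 'button power ...' styles of event string.
    """
    for rule in rules:
        pattern = rule.get("event")
        if pattern and re.search(pattern, event_string):
            return rule.get("action") or None
    return None


def power_button_is_neutralized(rules):
    """True if a power press triggers no action, or only a known no-op.

    Note: this only inspects the event files. If the action still points at a
    script (as in the thread, where powerbtn.sh was edited), the script itself
    has to be checked separately.
    """
    action = action_for(POWER_EVENT, rules)
    return action is None or action in NOOP_ACTIONS


def load_rules(events_dir="/etc/acpi/events"):
    """Read every file in an acpid events directory (for running on a real box)."""
    return [parse_event_file(p.read_text()) for p in sorted(Path(events_dir).iterdir()) if p.is_file()]


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_POWERBTN), ("disabled", DISABLED_POWERBTN)):
        rules = [parse_event_file(text)]
        print(name, "->", action_for(POWER_EVENT, rules), "neutralized:", power_button_is_neutralized(rules))
```

Run against the real directory with `load_rules()` after a reboot to see whether the edited rule survived; a fresh copy of the original action means the file was restored.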
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Very smart!

Does it survive a reboot?
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
OK, I have a question:
So far I have done everything I need with Sophos, including DNAT, some Full NAT, web filtering using transparent proxy, an SSL VPN etc and all is working great..
BUT... I cannot, for the life of me, set up reverse proxy (it is supposed to be the Web Protection thing....)
The situation is as follows:
  • I have one WAN IP
  • I am using dyndns pro and have a hostname (I can set up up to 30). My hostname (example) is mysite.dyndns.com
  • I have a surveillance camera which has an IP of 192.168.1.200 and a webserver running on port 8585.
  • Using NAT, I can easily create a rule and if I enter mysite.dyndns.com:8585 I get forwarded to camera's web interface.
  • Now what I want to do is from outside to enter mysite.dyndns.com/camera and using reverse proxy to get forwarded to 192.168.1.200:8585, but have so far failed miserably....
What I've done so far:
  • Webserver Protection --> Real Webservers added the camera with the following settings:
    • Name -->Camera
    • Host --> The host (the camera in this case)
    • Port -->8585
  • Virtual Webservers --> Add a new with the following:
    • Name -->Camera
    • Interface --> External (WAN) (Address)
    • Type -->Plaintext (HTTP)
    • Port -->80
    • In domains I add -->mysite.dyndns.com
    • In Real Webservers I check Camera (the one I created in previous step)
    • I click save and I enable it
  • In Site Path Routing:
    • Path --> /camera (not really sure about this)
Now when I enter from outside mysite.dyndns.com/camera I get redirected to the main webserver and not the camera's webserver...
Even If I create a new hostname in dyndns (eg. mysitecam.dyndns.com) and enter that In domains in Virtual Webserver settings I see no joy...

Any help is much appreciated!!!!
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
You could just connect through VPN and access it through your internal network without messing with proxies.
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Yes, I can..
Also DNAT works just fine..
My problem isn't that I can't connect, it is that I cannot setup this one additional thing.... OCD...lolll
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Let me ask this question before I start offering advice...

From an outside IP address, can you enter your actual IP address and port (i.e. 64.178.34.43:8585) vice using the DYNDNS address and it work? If it works then you need to do some work at DynDNS which isn't so bad. If it fails then you need to create a port forwarding rule and until you can make your actual IP address work, I wouldn't bother with DynDNS.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
With reverse proxy, there should be no need to forward ports. That's the point of reverse proxy, to bypass having to use port numbers.

I haven't used the reverse proxy features of sophos, as I use reverse proxy on my digital ocean vps. Then I have firewall rules only allowing traffic from my digital ocean IP.
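To make the reverse-proxy question above concrete (the virtual webserver, real webserver and site path setup in ChriZ's post, and pirateghost's point that the proxy itself is what removes the need for per-service port forwards), here is an added example of the routing logic such a proxy performs; it is not Sophos code and does not describe how the UTM implements it. A request arriving on the virtual server's port is matched on its Host header against the configured domains, then the longest matching site path picks the real webserver, otherwise the default real server answers. Whether the `/camera` prefix is stripped before the request reaches the camera is modelled as an explicit option, because a backend that only serves `/` will not answer `/camera/...` unless something rewrites it; the addresses and hostnames are the constructed ones from the thread.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class RealWebserver:
    name: str
    host: str   # internal address the proxy connects to
    port: int


@dataclass
class VirtualWebserver:
    domains: list                 # Host header values this virtual server answers for
    port: int                     # port it listens on at the WAN interface
    default: RealWebserver        # real server used when no site path matches
    site_paths: dict = field(default_factory=dict)   # path prefix -> RealWebserver
    strip_prefix: bool = False    # assumption: rewrite '/camera/x' to '/x' for the backend


def route(vservers, url):
    """Return (backend_host, backend_port, backend_path) for an incoming request URL,
    or None if no virtual webserver answers for that host and port."""
    u = urlsplit(url)
    host, _, port = u.netloc.partition(":")
    port = int(port) if port else 80
    for vs in vservers:
        if vs.port != port or host not in vs.domains:
            continue
        best = None
        for prefix, backend in vs.site_paths.items():
            base = prefix.rstrip("/")
            # '/camera' matches '/camera' and '/camera/...' but not '/cameras'
            if u.path == base or u.path.startswith(base + "/"):
                if best is None or len(base) > len(best[0]):
                    best = (base, backend)
        if best is None:
            return vs.default.host, vs.default.port, u.path or "/"
        base, backend = best
        path = u.path[len(base):] or "/" if vs.strip_prefix else u.path
        return backend.host, backend.port, path
    return None


if __name__ == "__main__":
    camera = RealWebserver("Camera", "192.168.1.200", 8585)
    main_site = RealWebserver("Main", "192.168.1.10", 80)   # constructed default backend
    vs = VirtualWebserver(["mysite.dyndns.com"], 80, main_site, {"/camera": camera}, strip_prefix=True)
    for url in ("http://mysite.dyndns.com/camera/live.html",
                "http://mysite.dyndns.com/cameras",
                "http://mysite.dyndns.com/"):
        print(url, "->", route([vs], url))
```

Everything arrives on port 80 of the single WAN address and the proxy, not the firewall, decides that `/camera` belongs to `192.168.1.200:8585`; the camera's own port never has to be exposed. If the camera ignores `/camera/...` requests, the `strip_prefix` case is the behaviour to look for in the proxy's path-routing settings.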
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Damn, more for me to read. I had a different idea of what a reverse proxy did I guess.

Reading....
 