Home Network Protection: Sophos XG

December 08, 2017

Up until 2015, I used a consumer router as my home gateway (the device that connects computers and other devices to the internet).  Then I started investigating what good security for a home network would look like.  I didn't like what I found.

The dirty little secret is that consumer routers used as gateways are laughably easy to hack, even when configured properly.  See links 1, 2, 3, 4, 5, and 6 as examples, or search "router easily hacked" or "router insecurity" online.  It's not just one brand; it's all of them.  Enterprise-grade routers are not much better; see links 7 and 8 as examples.  With routers, it is not enough to configure them securely and to patch them regularly (which almost nobody does anyway): router firmware, by its nature, is riddled with exploitable bugs.  If your router is compromised, your devices (PCs, tablets, and so on) can become infected, and your bank account and other critical information can be stolen.

For personal reasons, I needed something better.  Way better.  I also wanted something that could protect every device in the home.  That meant a firewall of some type placed directly after the cable modem.

Sophos XG running in a Polywell custom-built computer. Front view

Sophos XG running in a Polywell custom-built computer. Rear view

After much searching, I decided to try an enterprise-grade UTM (Unified Threat Management, in effect a "firewall") product, Sophos UTM.  It has since been replaced by Sophos XG, which is what I currently run.  Sophos has kindly made the Sophos XG software FREE for home users.  Wow!

Sophos XG has achieved test results that are among the best of the enterprise UTMs/firewalls.  In a recent NSS Labs test, it blocked 95% of attacks and placed 3rd in security effectiveness, behind Forcepoint and Cisco.  However, neither Forcepoint nor Cisco offers free firewall software to home users.

Sophos XG Security Effectiveness vs. the Competition. From NSS Labs, 2017

I did this work primarily because I figured that an enterprise-grade UTM, well maintained, would be much harder to hack than a consumer-grade router.  But doing this work is not for the uncommitted:

  • First, you need a low-power computer with at least 2 ethernet connections (NICs) from an acceptable manufacturer (Intel, NOT Realtek).  I currently use a custom-specified $1300 fanless Polywell mini-ITX computer with 6 ethernet connections, so it effectively does double duty as a second (non-wireless) router.  I over-specified the Polywell computer in case I want to use it as a desktop computer in the future.  You can do just fine with a ~$800 configuration (dual Intel NIC card instead of quad, a lower-end processor, 8GB RAM).  Some people have builds costing as little as $300.  I chose Polywell because they offered the most configuration options.  However, Polywell's customer support is, well, not very good; they appear to be a commodity builder.  Another option I might suggest is AVADirect, which may offer more hand-holding.  A couple of tips:
    • Get a fanless build.  No noise.  Mini-ITX systems often have noisy fans; I love the silence.
    • Not all NICs will work.  My build has one I219V NIC that Sophos XG does not recognize; I knew this before I ordered.  Check Sophos' compatible hardware list before specifying and buying your computer.  For the H270N motherboard in my build, you will have to add at least one Intel NIC card because of the I219V incompatibility.
  • Second, you have to download the Sophos XG software as an ISO image, write it to a disc, and then install it on your firewall PC.  That requires a monitor, keyboard, and external CD drive for the installation, plus VGA, DVI, or HDMI cables.
  • Third, you have to learn how to configure Sophos XG.  To give a sense of the complexity of an enterprise firewall configuration: I keep over 200 screenshots of my Sophos XG configuration as a reference that I can go back to for troubleshooting and for history.
  • Finally, if Sophos stops offering its software free to home users, my investment in the Polywell computer may no longer be useful.  A small risk, but still a risk.

 

Polywell Configuration for Sophos XG. Fanless Build

I did all of this work without a background in networking or in network security, so it took 2-3 days just to get most of my devices connected to the internet, because I had to learn as I went along.  Also, enterprise-grade firewalls are not as friendly as routers to internet-of-things devices such as Rokus, Apple TVs, Amazon Echos, Sonos speakers, security cameras, the SmartThings smart home controller, and so on.  That means figuring out workable firewall rules not just for PCs, but for every device in the home.

Sophos XG Home Screen

I've been running Sophos XG for almost two years now.  It has blocked numerous exploits and malware.  It has also shown all sorts of (blocked) attempts to hack into the devices in my home (China is easily the worst offender).  I'm glad I use Sophos XG, and now that I have conquered the learning curve, it does not take much time to maintain.  I've also developed an understanding of why it is so valuable, and of what to look for in a good home gateway (firewall, UTM, router) device.

Sophos XG Example Report Page

Below is my required feature list.  Sophos XG offers everything on it.

Malware Defense

  1. Ability to scan encrypted (e.g. HTTPS) browser connections for malware.  That means installing the Sophos XG HTTPS certificate on your computers, tablets, and similar devices so that encrypted links can be inspected for malware
  2. Email protection, including the ability to scan email and block attachments of specific file types
  3. An intrusion prevention system (IPS)
  4. Ability to prevent malware propagation on the network through firewall rules and detection
  5. Ability to isolate devices from the internet while still allowing communication on the home network
  6. Ability to isolate devices on the home network from each other, so that if one device is infected it cannot infect the others
  7. Ability to drop outbound connections to specified adversarial countries and hacker havens such as China, Brazil, Ukraine, and Russia
  8. Blocking of known malware-serving URLs

Configuration / Administration

  1. Customizable firewall rules by device and by device class
  2. The ability to assign and keep fixed device IP addresses (DHCP reservations) so I can run reports and see whether any device is potentially hacked or compromised
  3. Notifications of specific events, such as internet down or malware blocked
  4. Automated updates and security patches
  5. Decent reporting

Network Access

  1. VPN-in capability to remotely access home network devices while traveling

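As an added example (not from this post, and not Sophos code), here is a small Python model of how zone-based, first-match, default-deny rules realize items 5 to 7 of the malware defense list and the per-device-class rules above; the subnets, hosts and the GeoIP table are constructed for illustration.

```python
# Added example (not from the post or from Sophos): a first-match,
# default-deny model of zone-based firewall rules for the isolation
# requirements above. Subnets, hosts and the GeoIP table are constructed.
from ipaddress import ip_address, ip_network

# Constructed address plan: one subnet per device class. Traffic between
# two hosts on the same subnet never reaches the firewall, so devices that
# must be isolated from each other need separate subnets (or VLANs).
ZONES = {
    "LAN": ip_network("192.168.10.0/24"),  # PCs, NAS, admin devices
    "IOT": ip_network("192.168.20.0/24"),  # Rokus, Echos, Sonos
    "CAM": ip_network("192.168.30.0/24"),  # security cameras, LAN only
}

# Constructed stand-in for a GeoIP database (documentation prefixes only).
GEOIP = {ip_network("203.0.113.0/24"): "CN", ip_network("198.51.100.0/24"): "US"}
BLOCKED_COUNTRIES = {"CN", "BR", "UA", "RU"}  # the countries named in the post

def zone_of(ip):
    """Map an address to its zone; anything outside the home subnets is WAN."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "WAN")

def country_of(ip):
    addr = ip_address(ip)
    return next((cc for net, cc in GEOIP.items() if addr in net), "unknown")

# Rules are checked top to bottom; the first match decides, no match drops.
# Each rule: (name, source zones, destination zones, extra predicate, action)
RULES = [
    ("geo_block", {"LAN", "IOT", "CAM"}, {"WAN"},
     lambda s, d: country_of(d) in BLOCKED_COUNTRIES, "drop"),
    ("lan_to_internal", {"LAN"}, {"IOT", "CAM"}, None, "allow"),  # PCs manage IoT
    ("cam_to_lan", {"CAM"}, {"LAN"}, None, "allow"),  # cameras record to the NAS
    ("internal_to_wan", {"LAN", "IOT"}, {"WAN"}, None, "allow"),  # CAM omitted: no internet
]

def decide(src, dst):
    """Return (rule_name, action) for a src -> dst flow; unmatched flows drop."""
    sz, dz = zone_of(src), zone_of(dst)
    for name, src_zones, dst_zones, pred, action in RULES:
        if sz in src_zones and dz in dst_zones and (pred is None or pred(src, dst)):
            return name, action
    return "default_deny", "drop"

if __name__ == "__main__":
    for flow in [("192.168.20.5", "192.168.10.5"), ("192.168.10.5", "203.0.113.9")]:
        print(flow, "->", decide(*flow))
```

Note that an IoT device reaching a PC, a camera reaching the internet, and any device reaching a blocked country all end in a drop, while only the explicitly listed directions are allowed.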
In a future post, I'll outline some consumer alternatives to Sophos XG and how many of the items on my required feature list they fill (hint: not that many).

I'd like to thank Sophos for making such a powerful tool available for free to home users willing to put in the time to learn network security.

Jeff

