Sophos

Status
Not open for further replies.

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I just got my new network switch in the mail. I'll test it out later tonight, and if it's possible, I'll get it working soon. More to follow.

The NICs for Linux are not as unsupported as with FreeBSD; I had two Realtek NICs and no issues. I did just replace those with an Intel NIC pair; however, to make my second WAN work, I'm activating the MB NIC.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I got an email stating IMAP email will be supported in the next version of Sophos, among other things. I have no idea how long it will take to get this through beta, but once it hits the streets, I'm going to make IMAP do its job. That will be the last thing to configure, I hope. Well, with the exception of a periodic Web Filter rule being added or changed.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I thought I'd add this into this area for those still tracking and using Sophos, even though this is not a Sophos site but a FreeNAS site; glad I'm in the Off-Topic area.

It doesn't appear Sophos does any SMART testing of the hard drive, and I don't know if it's even monitoring the hard drive at all. Anyway, I took one of my old FreeNAS scripts, modified it for Sophos, and now I perform a short test once a day and on Sundays I perform a long test, then I get an email with the results. The email subject line tells me if things are normal or an error occurred, and the details are in the body. I've also added my system specs (CPU temps, fan speeds, voltages) to the bottom of each email. I plan to adjust the script to warn me if the CPU fan drops below a specific threshold, but I haven't done that just yet. My MB does not have a speaker connected, so no alarm sound; plus it's in the basement, I wouldn't hear it anyway.

The script does survive a reboot; however, I do not know if it will survive a software upgrade. It seems like forever since an upgrade occurred.
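
A script in the spirit of the one described in the post above, as an added example (this is not joeschmuck's script and is not from Sophos): it runs a short SMART self-test on weekdays and a long one on Sundays, classifies the result so the verdict lands in the mail subject, and appends the raw report plus sensor readings to the body. Everything it assumes is a guess, not something the post states: smartmontools and lm-sensors are installed on the UTM's Linux base, the system disk is /dev/sda, a local sendmail works, and the recipient address is a placeholder. The smartctl output it parses is constructed sample text, used both for a DRY_RUN mode and to check the classifier.

```shell
#!/bin/sh
# Added example, not joeschmuck's script: daily SMART self-test runner and
# e-mail reporter for a Linux-based UTM box. Assumptions (not from the post):
# smartmontools installed, system disk /dev/sda, a working local sendmail,
# and a placeholder recipient. Invoke from cron as
#   sh smart_report.sh run
# With no argument the script only defines its functions.

DISK="${DISK:-/dev/sda}"
MAILTO="${MAILTO:-admin@example.com}"   # placeholder address

# Constructed samples of `smartctl -H -l selftest` output (not captured from
# a real drive), used for DRY_RUN=1 and for exercising classify().
SAMPLE_OK='SMART overall-health self-assessment test result: PASSED
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed without error       00%     12345         -
# 2  Extended offline    Completed without error       00%     12300         -'

SAMPLE_BAD='SMART overall-health self-assessment test result: PASSED
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed: read failure       90%     12345         1234567
# 2  Extended offline    Completed without error       00%     12300         -'

# Long test on Sundays (date +%u prints 7), short test every other day.
test_type() {
  if [ "$(date +%u)" = 7 ]; then echo long; else echo short; fi
}

# Classify a report: ERROR if overall health is not PASSED or any logged
# self-test entry (lines starting "# N") ended with anything other than
# "Completed without error"; otherwise NORMAL. This decides the subject line.
classify() {
  smart_report="$1"
  if ! printf '%s\n' "$smart_report" | grep -q 'self-assessment test result: PASSED'; then
    echo ERROR; return 0
  fi
  if printf '%s\n' "$smart_report" | grep -E '^# *[0-9]+' | grep -qv 'Completed without error'; then
    echo ERROR; return 0
  fi
  echo NORMAL
}

# Start the self-test, wait for it to finish, then mail the verdict with the
# raw report and the sensor readings appended.
run_and_report() {
  kind=$(test_type)
  if [ "${DRY_RUN:-0}" = 1 ]; then
    report="$SAMPLE_OK"
  else
    smartctl -t "$kind" "$DISK" >/dev/null
    # A short test takes a couple of minutes; a long test can take hours.
    while smartctl -l selftest "$DISK" | grep -q 'in progress'; do sleep 60; done
    report=$(smartctl -H -l selftest "$DISK")
  fi
  verdict=$(classify "$report")
  {
    printf 'To: %s\n' "$MAILTO"
    printf 'Subject: [%s] SMART %s test on %s: %s\n\n' "$(hostname)" "$kind" "$DISK" "$verdict"
    printf '%s\n\n--- sensors ---\n' "$report"
    sensors 2>/dev/null || echo 'lm-sensors not available'
  } | sendmail "$MAILTO"
}

if [ "${1:-}" = run ]; then run_and_report; fi
```

The classifier deliberately treats any self-test entry that is not "Completed without error" (aborted, read failure, interrupted) as an error rather than only looking at the overall health flag, because the health flag often stays PASSED long after individual tests start failing. Whether a cron entry on a UTM survives a firmware upgrade is the same open question the post raises; keep a copy of the script off the box.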
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Realized something interesting today....
I am currently using a dell 3020sff for my sophos utm.
It has an i3-4130, 2x4GB RAM, an additional PCI-E Intel Pro 1000 NIC and an old 100GB laptop drive.
The thing idles at ~26 watts.

Today at work I found some spare 15 minutes and tested my Atom Mobo (which is supposed to replace the Dell PC as a sophos appliance)
Specs are: Atom D525 CPU, 2x2GB RAM, an additional PCI Marvell-based Netgear GB NIC and an OCZ Vertex 2 SSD.
Clean installation of sophos, no network cables connected...
Idle .....~34 watts....
Unbelievable, huh?
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I wish mine consumed that little but I'll survive.
 

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
Realized something interesting today....
I am currently using a dell 3020sff for my sophos utm.
It has an i3-4130, 2x4GB RAM, an additional PCI-E Intel Pro 1000 NIC and an old 100GB laptop drive.
The thing idles at ~26 watts.

Today at work I found some spare 15 minutes and tested my Atom Mobo (which is supposed to replace the Dell PC as a sophos appliance)
Specs are: Atom D525 CPU, 2x2GB RAM, an additional PCI Marvell-based Netgear GB NIC and an OCZ Vertex 2 SSD.
Clean installation of sophos, no network cables connected...
Idle .....~34 watts....
Unbelievable, huh?
Put the SSD in the Dell and it may drop to 24 or lower :cool:
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
I am sure it will..
The thing is that the Dell was a temporary solution. It is intended to replace my Windows desktop, which is (unnecessarily) housed in a full tower case (it only has one SSD for the OS and one 3.5" HDD for some data). So I thought about downsizing using the Dell.
It's a waste to keep the Dell as a UTM; my internet connection is 8/1 Mbit/s, so no horsepower is needed; the Atom will do just fine.
It was a big surprise, though, that the Atom uses more power. I thought that it would consume about the same, no more than 25 watts...
Solid proof that Haswell CPUs are indeed extremely efficient...
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
Does anyone know of a good tutorial/guide to get Sophos UTM set up? Recently had some very strange activity regarding my Windoze desktop. It's probably just a weird bug, but have a Sophos UTM 110/120 sitting around waiting to be setup and now I'm thinking I shouldn't be putting it off any longer. I just haven't had the time (full-time work + full-time school) and didn't want to cripple my internet as I would be jumping in blindly trying to set this thing up. I'm not too concerned with anything other than making sure outgoing traffic works, particularly to websites needed for school, in addition to some sort of firewall and making sure I have no outsiders poking around.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Does anyone know of a good tutorial/guide to get Sophos UTM set up? Recently had some very strange activity regarding my Windoze desktop. It's probably just a weird bug, but have a Sophos UTM 110/120 sitting around waiting to be setup and now I'm thinking I shouldn't be putting it off any longer. I just haven't had the time (full-time work + full-time school) and didn't want to cripple my internet as I would be jumping in blindly trying to set this thing up. I'm not too concerned with anything other than making sure outgoing traffic works, particularly to websites needed for school, in addition to some sort of firewall and making sure I have no outsiders poking around.
The first run wizard will get you up and running with a basic firewall and router. Just get a base going and mess with the rest later.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I agree with @pirateghost: the best thing to do is just set up a basic firewall; don't try anything fancy just yet. The Sophos firewall will be more restrictive than your standard router firewall. Be careful which blocks you invoke, such as country blocking. Believe it or not, Facebook requires Ireland, Sophos requires Germany, and you will likely have some need elsewhere, so I'd just leave all the country blocking turned off for now. If you must turn on country blocking, set them all to "From". I personally have several places completely blocked ("ALL"), but that did require attention when my family started complaining about things they could no longer do.

I know of no good guide to setting up Sophos; it can be a real challenge, to be honest with you. My best advice is this... Once you have a basic firewall running and it works without issue for several weeks, then you may start adding some restrictions. You will more than likely need to add a few new firewall rules to pass maybe a specific website. For instance, my daughter could not access a specific college website for her studies and I had to create a single rule to allow that specific IP address for the computers she uses in the house; a more likely one is IMAP/SMTP passing for Gmail traffic. Take very good notes and do not make too many changes at once, or it will bite you in the ass if you are not a networking guru.

The Sophos forums are a fantastic place to get good, quick help, but try a search of them for anything you need specific help with; odds are it's already been asked.
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
Looks like I have my work cut out for me, but it's good to know you can get a working config relatively easily. First step is making sure all of my devices can connect to the internet, which includes setting up my current router as an AP. I need to set a static IP for my FreeNAS box, and lastly I need to make sure I have access to school websites and email. Then it sounds like it's best to wait it out to make sure there are no issues before messing with anything else. Thanks for the tips.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
In Sophos you can easily establish set IP addresses based on MAC addresses. This is something I fought in the past at my home, but I have embraced it. I would also recommend that you set up a DMZ rule in your firewall, because there will come a point in time where you just don't have time to fool around with Sophos and you need some device to work. You can add your device easily to this DMZ and, when done, remove it again. When you have time to screw around with it and create a proper firewall rule, well, you can do that. Just thoughts, because I've recently gone through this too.
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
And, while you're taking notes, I'd do some interim backups of the configuration (option in the webGUI).

I have a scheduled backup task that backs up the configuration file weekly and emails it to me. All this can be done via the GUI.

Take very good notes and do not make too many changes at once or it will bite you in the ass if you are not a networking guru.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
And, while you're taking notes, I'd do some interim backups of the configuration (option in the webGUI).

I have a scheduled backup task that backs up the configuration file weekly and emails it to me. All this can be done via the GUI.
That is a great recommendation. I currently do a nightly email backup, but I'm almost to the point of changing that to weekly. I still have a few small things I want to address over the next few months, and I do take my own advice: I'm taking it slow, making only the changes I need to, and taking notes on what I do in the hope that I can fix any damage I induce by accident.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I'd like to build a box to run Sophos on; however, what are the max specs I should stick within for the hardware I'm buying?
  • i.e. no point in buying 16GB RAM if it never utilizes more than 8GB (or over 16GB if it will never exceed 16GB of usage), or no point buying a 256GB SSD if a 128GB would never be fully utilized
  • What form of mobo is recommended, a server board or a desktop board (I assume mini-ATX/ITX is a given)?
    • Should it utilize DDR4 RAM or should I stick to boards with DDR3?
    • Is it better to buy a mobo that comes with a CPU (i.e. like my AsRock C2750D4I) or would I benefit from buying it separately?
What I'm looking to gain by switching from a WRT1900ac [OpenWRT] to Sophos UTM as my main router:
  • VPN throughput
    • I can never get uploads through OpenVPN to exceed 1.5 Mbit/s, even though I have a 65 down/4.5 up ISP connection
    • Higher throughput on VPN file access
      • I utilize Mitchell OnDemand while working on my car and I store the VHD of all 18 DVDs on my FreeNAS box, and currently there's a lag while accessing the OD5 files via OpenVPN
        • I've configured both my OpenVPN server and client configs for maximum throughput, which I've posted at the bottom as well in case anyone has any suggestions for improvement
  • There's far more I'm looking to gain by switching to Sophos; the above is what I'm looking to gain by using it, instead of the WRT1900ac, for my VPN
Server Config
Code:
config openvpn 'VPNserver'

        option enabled    '1'

    # --- Protocol ---#
        option dev         'tun'
        option dev         'tun0'
        option topology    'subnet'
        option proto       'udp'
        option port        'xxxx'

    #--- Routes ---#
        option server    '10.10.10.0 255.255.255.240'

    #--- Client Config ---#
        option ccd_exclusive            '1'
        option ifconfig_pool_persist    '/etc/openvpn/clients/private/ipp.txt'
        option client_config_dir        '/etc/openvpn/clients/private'
        option ifconfig                 '10.10.10.1 255.255.255.240'

    #--- Pushed Routes ---#
        list push     'route 192.168.200.0 255.255.255.192'
        list push     'dhcp-option DNS 192.168.200.1'
        list push     'dhcp-option WINS 192.168.200.1'
        list push     'dhcp-option DNS 8.8.8.8'
        list push     'dhcp-option DNS 8.8.4.4'
        list push     'dhcp-option NTP 129.6.15.30'

    #--- Encryption ---#
        option cipher      'AES-256-CBC'
        option dh          '/etc/openvpn/keys/PrivateVPN/dh2048.pem'
        option pkcs12      '/etc/openvpn/keys/PrivateVPN/OpenWRT-VPNserver.p12'
        option tls_auth    '/etc/openvpn/keys/PrivateVPN/ta.key 0'

    #--- Logging ---#
        option log       '/tmp/openvpn-private.log'
        option status    '/tmp/openvpn-private-status.log'
        option verb      '7'

    #--- Connection Options ---#
        option keepalive        '10 120'
        option comp_lzo         'yes'

    #--- Connection Reliability ---#
        option client_to_client '1'
        option persist_key      '1'
        option persist_tun      '1'

    #--- Connection Speed ---#
        option sndbuf      '393216'
        option rcvbuf      '393216'
        option fragment    '0'
        option mssfix      '0'
        option tun_mtu     '48000'

    #--- Pushed Buffers ---#
        list push    'sndbuf 393216'
        list push    'rcvbuf 393216'

    #--- Permissions ---#
        option user      'nobody'
        option group     'nogroup'
#       option chroot    '/etc/openvpn/jail/vpnserver'


config openvpn 'NASserver'

        option enabled    '1'

    # --- Protocol ---#
        option dev         'tun'
        option dev         'tun1'
        option topology    'subnet'
        option proto       'udp'
        option port        'xxxx'

    #--- Routes ---#
        option server    '10.10.100.0 255.255.255.240'
        option route     '192.168.3.0 255.255.255.224'

    #--- Client Config ---#
        option ccd_exclusive            '1'
        option ifconfig_pool_persist    '/etc/openvpn/clients/nas/ipp.txt'
        option client_config_dir        '/etc/openvpn/clients/nas'
        option ifconfig                 '10.10.100.1 255.255.255.240'

    #--- Pushed Routes ---#
        list push    'route 192.168.200.0 255.255.255.192'
        list push    'route 192.168.3.0 255.255.255.224'
        list push    'dhcp-option DNS 192.168.3.1'
        list push    'dhcp-option WINS 192.168.3.1'
        list push    'dhcp-option DNS 8.8.8.8'
        list push    'dhcp-option DNS 8.8.4.4'
        list push    'dhcp-option NTP 129.6.15.30'

    #--- Encryption ---#
        option cipher      'AES-256-CBC'
        option dh          '/etc/openvpn/keys/nasVPN/dh2048.pem'
        option pkcs12      '/etc/openvpn/keys/nasVPN/NAS-VPNserver.p12'
        option tls_auth    '/etc/openvpn/keys/nasVPN/ta.key 0'

    #--- Logging ---#
        option log       '/tmp/openvpn-nas.log'
        option status    '/tmp/openvpn-nas-status.log'
        option verb      '7'

    #--- Connection Options ---#
        option keepalive       '10 120'
        option comp_lzo        'yes'

    #--- Connection Reliability ---#
        option client_to_client   '1'
        option persist_key        '1'
        option persist_tun        '1'

    #--- Connection Speed ---#
        option sndbuf    '393216'
        option rcvbuf    '393216'
        option fragment  '0'
        option mssfix    '0'
        option tun_mtu   '48000'

    #--- Pushed Buffers ---#
        list push    'sndbuf 393216'
        list push    'rcvbuf 393216'

    #--- Permissions ---#
        option user      'nobody'
        option group     'nogroup'
#       option chroot    '/etc/openvpn/jail/nasserver'


Client Config
Code:
client
dev tun
tun-mtu 24000
fragment 0
mssfix 0
proto udp
remote my.ddns.com ####
float
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 OpenWRT-VPNclient-client.p12
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
remote-cert-tls server
cipher AES-256-CBC
auth-nocache
verb 5
comp-lzo
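
Since the post asks for suggestions on the throughput settings, here is an added example (not part of zoomzoom's post, and not an OpenWrt or OpenVPN tool): a small shell checker that reads the `tun_mtu`/`fragment`/`mssfix` values out of a UCI openvpn section and the `tun-mtu`/`fragment`/`mssfix` directives out of a client .ovpn, and reports the two combinations that hurt UDP tunnels: a tun-mtu that differs between the two ends, and a tun-mtu far above the path MTU with both OpenVPN fragmentation and mssfix switched off, which leaves every tunnel packet to be split into IP fragments by the kernel. The embedded config excerpts are constructed from the values posted above, plus a "sane" pair with OpenVPN's defaults for contrast; the script name and the real-file mode are assumptions.

```shell
#!/bin/sh
# Added example, not from zoomzoom's post: checks the throughput-related
# settings of an OpenWrt UCI openvpn section against the matching client
# .ovpn. Run on real files with
#   sh ovpn_mtu_check.sh /etc/config/openvpn client.ovpn
# With no arguments it only defines the functions and sample data.

# Constructed excerpt of the posted server section (UCI syntax).
POSTED_SERVER="        option proto       'udp'
        option fragment    '0'
        option mssfix      '0'
        option tun_mtu     '48000'"
# Constructed excerpt of the posted client config.
POSTED_CLIENT="proto udp
tun-mtu 24000
fragment 0
mssfix 0"
# Constructed contrast pair using OpenVPN's defaults (tun-mtu 1500, mssfix 1450).
SANE_SERVER="        option proto       'udp'
        option tun_mtu     '1500'
        option mssfix      '1450'"
SANE_CLIENT="proto udp
tun-mtu 1500
mssfix 1450"

# Value of `option NAME 'VALUE'` in a UCI section; the last occurrence wins,
# which matches how UCI resolves a duplicated option.
uci_opt() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}$2[[:space:]]\{1,\}'\([^']*\)'.*/\1/p" | tail -n 1
}

# Value of `NAME VALUE` in an .ovpn file (last occurrence wins).
ovpn_opt() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Print one finding per line for a server/client pair; no output means
# nothing was flagged. Missing values fall back to OpenVPN's default of 1500.
check_mtu_settings() {
  srv_txt="$1"; cli_txt="$2"
  s_mtu=$(uci_opt "$srv_txt" tun_mtu); c_mtu=$(ovpn_opt "$cli_txt" tun-mtu)
  s_frag=$(uci_opt "$srv_txt" fragment); s_mss=$(uci_opt "$srv_txt" mssfix)
  if [ "${s_mtu:-1500}" != "${c_mtu:-1500}" ]; then
    echo "tun-mtu mismatch: server ${s_mtu:-1500}, client ${c_mtu:-1500}; both ends must agree"
  fi
  if [ "${s_mtu:-1500}" -gt 1500 ] && [ "${s_frag:-}" = 0 ] && [ "${s_mss:-}" = 0 ]; then
    # UDP header 8 bytes, 1480 payload bytes per fragment on a 1500-byte link
    frags=$(( (s_mtu + 8 + 1479) / 1480 ))
    echo "tun-mtu $s_mtu with fragment 0 and mssfix 0: every full tunnel packet leaves as one ~${s_mtu}-byte UDP datagram, which the kernel splits into about $frags IP fragments on a 1500-byte path; losing any one of them discards the whole packet"
  fi
  return 0
}

# Real-file mode: read the two configs given on the command line.
if [ $# -eq 2 ]; then
  check_mtu_settings "$(cat "$1")" "$(cat "$2")"
fi
```

The point of the fragment count is the failure mode: with one 48000-byte datagram spread over roughly 33 IP fragments, a single lost fragment costs the whole tunnel packet, and on an asymmetric 4.5 Mbit/s uplink that turns ordinary packet loss into the kind of upload stall the post describes. Leaving `tun-mtu` at 1500 on both ends and keeping `mssfix` enabled removes both findings.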
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
My personal opinion:
Regarding size: the smaller the better. It is your "router" and it must be as small (regarding its footprint) as it gets.
Horsepower: I have an i3-4130 and I reckon it would not go above 10-15% CPU even when maxing out your connection.
So your Avoton would be just fine (the 2558/2758 variants would be even better choices; they have more NICs).
8 GB of Ram is enough.
Space above 80GB is not needed. Mine uses a 100GB laptop hdd and reports it will be filled in 5000+ days.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
My personal opinion:
Regarding size: the smaller the better. It is your "router" and it must be as small (regarding its footprint) as it gets.
Horsepower: I have an i3-4130 and I reckon it would not go above 10-15% CPU even when maxing out your connection.
So your Avoton would be just fine (the 2558/2758 variants would be even better choices; they have more NICs).
8 GB of Ram is enough.
Space above 80GB is not needed. Mine uses a 100GB laptop hdd and reports it will be filled in 5000+ days.
Thanks, I appreciate it =]

Does it need to be a server board or can it be either or?
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
It doesn't have to be a server board but it would be better than a standard desktop board.

Honestly, for a Sophos box a good J1900 setup with a dual- or quad-port Intel NIC would be an ideal setup.
 