RESET Forums (homeservershow.com)
itGeeks

Sophos XG, Good news! MR2 is downloading today.

Recommended Posts

pcdoc

I'm in the security paranoid group, which is why I was a little surprised to see UT wide open for outgoing.

 

Given the penetration of Cryptowall and its relatives, my thinking is that _if_ a zero-day exploit hits my LAN, hopefully closing all outgoing except the essentials will prevent the malware phoning home to its C&C and will delay any nasties until the endpoint security catches up and alerts me to the infection.

I know some malware will encrypt without key exchange with C&C, but it's all about minimising the risk...

 

it does, thanks.

I think I'll have to spin up an XG VM and take it for a drive.

 

 

edit: as an aside, I get the free Security Week newsletters, which I find a useful way of seeing what's happening in the security world: http://www.securityweek.com

 

We should all be in a "Security Paranoid Group".  It is a better place to be.  If you are going to spin up an XG VM, my article may (or may not) help you.  Tomorrow I will be working with the Sophos deployment team to deploy their solution in two locations, which will include site-to-site and endpoint.  I am going to try and take copious notes so I can share them with everyone.  Remember when using XG to think backwards.  It is easy but very different, and you have to unlearn conventional wisdom.

http://thedocsworld.net/sophos-xg-firewall-part-2tightening-security/

psykix

I'm revisiting XG. It seems that now I can turn everything on apart from malware scanning and Netflix will still work on iOS devices. I'm pretty sure that wasn't the case previously.

 

Wonder why the malware scanning breaks it?

 

I'll have a play at adding the iOS devices into a rule above the default with malware scanning off and see how I get on. Problem is it would have to be MAC address based, or I'm gonna have to start doing DHCP reservations.

Poppapete

I'm revisiting XG. It seems that now I can turn everything on apart from malware scanning and Netflix will still work on iOS devices. I'm pretty sure that wasn't the case previously.

 

Wonder why the malware scanning breaks it?

 

I'll have a play at adding the iOS devices into a rule above the default with malware scanning off and see how I get on. Problem is it would have to be MAC address based, or I'm gonna have to start doing DHCP reservations.

In reference to malware scanning: When I first installed W10 on my newly built desktop I was getting blue screens 3 and 4 times a day. I traced it to Malwarebytes Premium, and when I removed it, the BS's stopped. So I don't have it installed on that machine, but it works fine on 3 other clients on my LAN.  The one giving the trouble was the only one with a fresh install (as opposed to upgrades from 7 or 8) and is a high-end workstation board.

nrf

With regard to stingy permissions for outgoing traffic, much malware is smart enough to masquerade as a commonly needed/allowed protocol, thus living within the normal permitted firewall 'holes'.

pcdoc

I'm revisiting XG. It seems that now I can turn everything on apart from malware scanning and Netflix will still work on iOS devices. I'm pretty sure that wasn't the case previously.

 

Wonder why the malware scanning breaks it?

 

I'll have a play at adding the iOS devices into a rule above the default with malware scanning off and see how I get on. Problem is it would have to be MAC address based, or I'm gonna have to start doing DHCP reservations.

 

You are correct.  It all works with scanning and filtering on except for Malware.  Not 100% sure about this comment and have not tried yet, but I think it has something to do with how it scans in batches.  It first downloads part/all of the file and scans it locally before sending it off to your system for performance reasons.  That feature can be turned off and I might try to see what the side effects are.

psykix

You are correct.  It all works with scanning and filtering on except for Malware.  Not 100% sure about this comment and have not tried yet, but I think it has something to do with how it scans in batches.  It first downloads part/all of the file and scans it locally before sending it off to your system for performance reasons.  That feature can be turned off and I might try to see what the side effects are.

 

I read about that, and so I changed the scanning from batch to real time. It made no difference.

 

The question is though, why does it only affect streaming on mobile devices? Netflix works fine on the desktop with everything switched on.

 

I checked Windows updates too, and they seem to work fine with webfilter/IPS/Application filters on. I'm sure they never used to.

 

I seemed to be having performance issues with Untangle - nothing I could reliably point to, but web sessions would just hang, or Instagram on my iPhone would miss loading some pictures. Was quite odd. Untangle also started reporting rx errors on one of the NICs. I just couldn't be bothered to try and troubleshoot it all, so decided to give Sophos XG another chance!

 

At least I have all the fancy graphs with XG now which I never had before because I had to have everything switched off.

psykix

I would have been happy to help troubleshoot this issue with them, but since they won't entertain home users, it's a no go.

 

I found a couple of problems with the Untangle OVA which I flagged up to them, and once I got them to appreciate that it wasn't me installing it incorrectly, and convinced them it was an actual problem with their OVA, then they got it fixed. Don't even have that option with Sophos!

  • Like 1

itGeeks

And deny-then-allow out of the box is always more secure than allow-then-deny.  For real IT users, or security-conscious enthusiasts, the first method is always the way to go.

 

(It would be good if it was the way to go for everyone, but entry-level home users end up getting frustrated with it).

You make a very good point. For the record I am not an "entry-level home user", but even for me starting out with deny-then-allow gets me very frustrated with all the different device types we have in our homes, and if you have a few gaming consoles that just feed for a network with uPnP support, next thing you know you're pulling your hair out. And no, I don't use uPnP even if the router does support it, because of the obvious security reasons. This must be a problem for many of all skill types, because even Sophos has now changed this with the new XG starting with an allow-all outbound rule. I think it all boils down to what kind of devices you have on your network and how much time you want to invest into managing the firewall. For me, I already have a full-time job, so I just want a nice balance of security with ease of use. Everyone should also be using some kind of endpoint protection on their devices, so that would further reduce your risk. I use the new Sophos Home endpoint protection on all my Windows devices and Sophos Mobile Security on my Android devices and Untangle for my home gateway, and I feel pretty secure.

Edited by itGeeks
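The three policy points made in this thread (pcdoc's "close all outgoing except the essentials", psykix's per-device exception rule "above the default", and itGeeks' deny-then-allow versus allow-then-deny) all come down to how a first-match firewall ruleset evaluates outbound flows. The following is an added example written for this page; it is not code from Sophos XG, Untangle, or any poster. It is a small first-match egress-policy evaluator with constructed addresses, ports and rule names, showing that a default-deny policy stops a connection to an arbitrary non-standard port while a default-allow policy lets it through, that an exception rule only takes effect if it sits above the general rule it overrides, and, as nrf notes, that a flow riding on an allowed port (443) passes either policy.

```python
# Added example (not code from Sophos XG, Untangle, or any poster): a small
# first-match egress-policy evaluator contrasting deny-then-allow with
# allow-then-deny outbound policies, and showing why a per-device exception
# rule must be placed above the general rule it overrides.
# All addresses, ports and rule names are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # LAN source address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the Internet side


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src: Optional[str] = None         # source CIDR, None = any source
    proto: Optional[str] = None       # None = any protocol
    dports: frozenset = frozenset()   # empty = any destination port
    scan: bool = True                 # content/malware scanning on this allow rule

    def matches(self, f: Flow) -> bool:
        if self.src is not None and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        return not self.dports or f.dport in self.dports


@dataclass(frozen=True)
class Policy:
    rules: Tuple[Rule, ...]
    default: str                      # action applied when no rule matches

    def evaluate(self, f: Flow) -> Tuple[str, str, bool]:
        """First matching rule wins; the policy default applies otherwise."""
        for r in self.rules:
            if r.matches(f):
                return r.name, r.action, r.scan
        return "default", self.default, False


LAN = "192.168.1.0/24"      # constructed home LAN
IOS = "192.168.1.200/29"    # constructed DHCP reservations for the iOS devices

# Deny-then-allow: nothing leaves unless a rule permits it. The iOS exception
# (scanning off) sits before the general LAN web rule; if it came after,
# the general rule would match first and the exception would never fire.
DENY_THEN_ALLOW = Policy(rules=(
    Rule("ios-web-noscan", "allow", src=IOS, proto="tcp", dports=frozenset({443}), scan=False),
    Rule("lan-dns", "allow", src=LAN, proto="udp", dports=frozenset({53})),
    Rule("lan-web", "allow", src=LAN, proto="tcp", dports=frozenset({80, 443})),
    Rule("lan-ntp", "allow", src=LAN, proto="udp", dports=frozenset({123})),
), default="deny")

# Allow-then-deny: everything leaves unless a rule explicitly blocks it.
ALLOW_THEN_DENY = Policy(rules=(
    Rule("block-smb-out", "deny", src=LAN, proto="tcp", dports=frozenset({445})),
), default="allow")

# The same rules with the iOS exception moved below the general web rule:
# reproduces the ordering mistake psykix's "rule above the default" avoids.
MISORDERED = Policy(rules=DENY_THEN_ALLOW.rules[1:] + DENY_THEN_ALLOW.rules[:1],
                    default="deny")


def outcome(policy: Policy, src: str, proto: str, dport: int) -> Tuple[str, str, bool]:
    """Return (matched rule name, action, scanning flag) for one outbound flow."""
    return policy.evaluate(Flow(src, proto, dport))


if __name__ == "__main__":
    # Constructed flows: a workstation on HTTPS, an iOS device on HTTPS, and a
    # process on the workstation connecting to an arbitrary non-standard port.
    for label, policy in (("deny-then-allow", DENY_THEN_ALLOW),
                          ("allow-then-deny", ALLOW_THEN_DENY)):
        print(label)
        print("  workstation tcp/443 :", outcome(policy, "192.168.1.10", "tcp", 443))
        print("  ios tcp/443         :", outcome(policy, "192.168.1.201", "tcp", 443))
        print("  workstation tcp/4444:", outcome(policy, "192.168.1.10", "tcp", 4444))
    print("misordered ios tcp/443:", outcome(MISORDERED, "192.168.1.201", "tcp", 443))
```

The workstation's connection to port 4444 is dropped by the default-deny policy and passed by the default-allow one, which is the whole of pcdoc's argument; the same workstation on port 443 is allowed by both, which is nrf's caveat that egress filtering alone does not catch traffic dressed up as a permitted protocol, so endpoint protection and the gateway's content scanning still have to carry that load. The misordered policy shows the iOS device hitting the general `lan-web` rule with scanning on, which is the situation psykix's exception rule is meant to avoid.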

itGeeks

I would have been happy to help troubleshoot this issue with them, but since they won't entertain home users, it's a no go.

 

I found a couple of problems with the Untangle OVA which I flagged up to them, and once I got them to appreciate that it wasn't me installing it incorrectly, and convinced them it was an actual problem with their OVA, then they got it fixed. Don't even have that option with Sophos!

Agreed. I will say it again: Sophos is commercial/corporate with no interest in home users, and Untangle is commercial/corporate/home users with support for a price per month of only 5.00, less than a cup of coffee at Starbucks. I see the clear winner here. :)

itGeeks

We should all be in a "Security Paranoid Group".  It is a better place to be.  If you are going to spin up an XG VM, my article may (or may not) help you.  Tomorrow I will be working with the Sophos deployment team to deploy their solution in two locations, which will include site-to-site and endpoint.  I am going to try and take copious notes so I can share them with everyone.  Remember when using XG to think backwards.  It is easy but very different, and you have to unlearn conventional wisdom.

http://thedocsworld.net/sophos-xg-firewall-part-2tightening-security/

This all sounds very exciting; I look forward to your documented notes on the chain of events deploying XG. Though I have stopped using XG in favor of Untangle for now, I still have XG in a VM, just turned off, so I can turn it back on at any time if there is some late-breaking news about it that gets me excited :) Like you I am always interested in the next best thing, and like you I could change my mind about something tomorrow. Thanks for the link, I will have a read.

Edited by itGeeks
