RESET Forums (homeservershow.com)
GotNoTime

AmpliFi by Ubiquiti


itGeeks

So far I haven't had any issues with UTM blocking anything that should not be (inbound). In my case, my sites are nothing critical, so if it does I don't really care. Now, OUTBOUND blocking is a different story. In fact, recently Plex (or Amazon) moved their sites hosted by Amazon Web Services (AWS) to Ireland, and it broke the application for quite a few people. I don't do much outbound blocking, but it just so happened that I was blocking Ireland and Plex broke for me. All I did was run some quick logs and I figured it out, and posted the fix to Plex's forum. I do purposely block some countries outbound, such as the typical countries that host malware. 

 

I haven't looked at Untangle in a long time. It wouldn't be hard for me to do it since all I have to do is spin up a VM, but I don't have time to do it right now. I'll keep it in the back of my mind though.

Thanks for sharing. Yes, that was my point; it seems to break things. I was blocking a country and Synology updates broke. Seems we are always chasing problems using geo, so I stopped using it. What country do you block outbound? Do you really feel more secure, vs. are you really more secure, by blocking a country? I personally think it's debatable. Just my 2 cents.

itGeeks

Like RobbieH, I too run Sophos UTM 9.  Works reliably for me.  Am running on an Intel G1610 Celeron box w/ 8 GB RAM and 4 Nics (only 2 used).  Sophos has taken some time to tune, but haven't felt the need to fix something that isn't broken.  Untangle is intriguing and perhaps will consider as a winter indoor project.

 

People have suggested running ESXi on this hardware and Sophos UTM as a VM, but I've never done this... as if my UTM hardware has more potential than what I'm using it for... but I actually built it only to be a firewall appliance.

I was running Untangle in a VM and, though it worked great, I am now in the stand-alone appliance camp. I just think it's the better way to go and has fewer problems.

RobbieH

Inbound, I block everyone except the US. Nobody outside the US has any need to be on my servers. 

 

Outbound, I kind of pick and choose. The ones I obviously know I do not need to go to, I block. But for example, China, Russia, Netherlands, France, Germany, etc. are also blocked. 

 

Do I feel more secure due to these controls? Absolutely. When I was in operations, did I do this in practice to protect my servers? Absolutely. 

 

And even if you don't take the security into this, a big advantage is that it cuts down on noise on the firewall and IDS/IPS logs. Do I really want to see that someone from Russia is doing a port scan against my perimeter if I can instead block the traffic altogether? I was on call for intrusion attempts (and other incidents, of course) for a very large company who processes on average 750,000 credit card transactions per day. When you are the one that gets alerted and has to work nights, weekends, and holidays, you learn pretty quickly how to cut the noise. And any control you can show an auditor that exceeds the intent or requirement is always a good thing.

 

Another thing, I know better than to go to these sites, but my family does not. Rebuilding workstations due to drive-by malware is not my favorite hobby, and my wife and daughter were very good at finding it. I haven't had a single instance of this since implementing the blocks, but then correlation is not causation, so it may just be that they haven't tried to hit any of those sites since I put this in. 

 

As far as breaking things goes, the Plex server change was the only issue I've ever had. I had more trouble getting Netflix to work through UTM than I did dealing with that problem. 

Jason

RobbieH, am intrigued by your Sophos UTM Country Blocking config.  Would you mind sharing screenshots of it?  I would like to adopt as mine is rather loose right now.  Thanks!

itGeeks

Inbound, I block everyone except the US. Nobody outside the US has any need to be on my servers. 

 

Outbound, I kind of pick and choose. The ones I obviously know I do not need to go to, I block. But for example, China, Russia, Netherlands, France, Germany, etc. are also blocked. 

 

Do I feel more secure due to these controls? Absolutely. When I was in operations, did I do this in practice to protect my servers? Absolutely. 

 

And even if you don't take the security into this, a big advantage is that it cuts down on noise on the firewall and IDS/IPS logs. Do I really want to see that someone from Russia is doing a port scan against my perimeter if I can instead block the traffic altogether? I was on call for intrusion attempts (and other incidents, of course) for a very large company who processes on average 750,000 credit card transactions per day. When you are the one that gets alerted and has to work nights, weekends, and holidays, you learn pretty quickly how to cut the noise. And any control you can show an auditor that exceeds the intent or requirement is always a good thing.

 

Another thing, I know better than to go to these sites, but my family does not. Rebuilding workstations due to drive-by malware is not my favorite hobby, and my wife and daughter were very good at finding it. I haven't had a single instance of this since implementing the blocks, but then correlation is not causation, so it may just be that they haven't tried to hit any of those sites since I put this in. 

 

As far as breaking things goes, the Plex server change was the only issue I've ever had. I had more trouble getting Netflix to work through UTM than I did dealing with that problem. 

Thanks for the detailed response. Maybe I will take another look at setting this up in Untangle once I set up a new box for it. Do you have any devices that roam off network, and if so, how do you handle the security for those devices?

RobbieH

iPhones are the only thing that's routinely off the network. I have a personal laptop, but given I've been in Infosec for going on 20 years, I trust myself to make intelligent decisions. And I don't take it out of the house much unless I'm traveling for work. I only use Windows Defender for A/V. I do use OpenDNS for some marginal means of multi-layered security, but I don't depend on it. Daughter has a laptop at college, but they filter on their wifi, and I have OpenDNS on it too. And she's pretty darn savvy; she uses a hardened browser with some protection built-in on top of the other controls I already have in place.

itGeeks

iPhones are the only thing that's routinely off the network. I have a personal laptop, but given I've been in Infosec for going on 20 years, I trust myself to make intelligent decisions. And I don't take it out of the house much unless I'm traveling for work. I only use Windows Defender for A/V. I do use OpenDNS for some marginal means of multi-layered security, but I don't depend on it. Daughter has a laptop at college, but they filter on their wifi, and I have OpenDNS on it too. And she's pretty darn savvy; she uses a hardened browser with some protection built-in on top of the other controls I already have in place.

I also use OpenDNS for the extra level of protection, but unlike you I don't use Windows Defender; I use the new Sophos Home endpoint security. It's completely free for up to 10 devices. Have you tried it? It has a central management console for all protected devices and, frankly, better protection than Defender in my humble opinion.

https://www.sophos.com/en-us/lp/sophos-home.aspx

 

Q) It sounds like you bind the public IP address of OpenDNS to your daughter's internal NIC. Is that correct? I have been told it's not a good idea to bind any routable public IPs to your NICs and that the router should handle all the forwarding requests for the clients. What's your take on this?

RobbieH

I also use OpenDNS for the extra level of protection, but unlike you I don't use Windows Defender; I use the new Sophos Home endpoint security. It's completely free for up to 10 devices. Have you tried it? It has a central management console for all protected devices and, frankly, better protection than Defender in my humble opinion.

https://www.sophos.com/en-us/lp/sophos-home.aspx

 

Q) It sounds like you bind the public IP address of OpenDNS to your daughter's internal NIC. Is that correct? I have been told it's not a good idea to bind any routable public IPs to your NICs and that the router should handle all the forwarding requests for the clients. What's your take on this?

 

I hardcoded her DNS before she left. It's the only way to do it. She has no control over UT or her dorm's routers.
 
Here at home, I run my own DNS server on Windows Server 2012. I added the OpenDNS addresses as forwarders. 
 
Note, there are two different OpenDNS systems. The Family version (blocks porn) is:
208.67.222.123 and 208.67.220.123
 
The non-porn blocking addresses are 208.67.222.222 and 208.67.220.220
 
I don't care which one you use, that's none of my business. :)
itGeeks

 

I hardcoded her DNS before she left. It's the only way to do it. She has no control over UT or her dorm's routers.
 
Here at home, I run my own DNS server on Windows Server 2012. I added the OpenDNS addresses as forwarders. 
 
Note, there are two different OpenDNS systems. The Family version (blocks porn) is:
208.67.222.123 and 208.67.220.123
 
The non-porn blocking addresses are 208.67.222.222 and 208.67.220.220
 
I don't care which one you use, that's none of my business. :)

 

Thanks for the info. Yes, I am aware of both sets of IPs for OpenDNS; I've been using it for years and it's great. I also run my own DNS at home on my Synology NAS and use those as forwarders, and it works great. I just wanted to point out the risk of hard-coding a public IP on the local NIC, but I do think you understand; as you say, it's the only way because you don't have control over the router.

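The setup described in the last two posts (a home Windows DNS server forwarding to OpenDNS, plus OpenDNS hard-coded on a roaming laptop), as an added PowerShell example that is not from the thread or from either poster. It assumes Windows Server 2012 or later with the DNS Server role (DnsServer module) for the server part, Windows 8 or later (DnsClient module) for the laptop part, and an adapter named "Wi-Fi"; the OpenDNS addresses are the ones listed above.

```powershell
# Added example, not the posters' own configuration. OpenDNS resolver addresses as
# given in the thread: "Family" (content-filtering) and standard.
$OpenDnsFamily   = @('208.67.222.123', '208.67.220.123')
$OpenDnsStandard = @('208.67.222.222', '208.67.220.220')

# --- Home LAN: run on the Windows DNS server. Replaces any existing forwarders
# with OpenDNS and turns off root hints, so a forwarder outage cannot silently
# fall back to unfiltered recursion and bypass the filtering tier you chose.
function Set-OpenDnsForwarders {
    param([string[]]$Servers = $OpenDnsFamily)
    Set-DnsServerForwarder -IPAddress $Servers -UseRootHint $false
    # Return the forwarders actually in effect so the caller can eyeball them.
    Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress
}

# --- Roaming laptop: run on the laptop. This is the "hard-coded DNS on the NIC"
# case from the thread; it is needed only where you do not control the router.
function Set-OpenDnsClient {
    param([string]$InterfaceAlias = 'Wi-Fi',   # assumed adapter name
          [string[]]$Servers = $OpenDnsFamily)
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $Servers
}

# --- Audit: does this machine still resolve through OpenDNS? Returns $true only
# when every IPv4 resolver on an adapter with DNS configured is an OpenDNS
# address; run it after the laptop has been on another network to confirm the
# static setting was not changed (by a user or by software).
function Test-OpenDnsClient {
    $allowed    = $OpenDnsFamily + $OpenDnsStandard
    $configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { $_.ServerAddresses }
    if (-not $configured) { return $false }
    $stray = $configured | Where-Object { $allowed -notcontains $_ }
    if ($stray) { Write-Warning "Non-OpenDNS resolvers configured: $($stray -join ', ')" }
    return (-not $stray)
}

# Sanity check that the chosen OpenDNS resolver answers at all (queried directly,
# so a broken local forwarder chain does not mask an unreachable upstream).
Resolve-DnsName -Name 'www.sophos.com' -Server $OpenDnsFamily[0] -Type A
```

Both Set- functions need an elevated shell; Test-OpenDnsClient does not, so it is the one to drop into a scheduled task on the laptop.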
