This post will summarize how to configure Hyper-V and build the Sophos UTM firewall as a virtual machine. This is part 3 in a series of posts about rebuilding my home network.
Before I get into the firewall I’ll give my thoughts on Hyper-V. I’ve never used Hyper-V before this little project. I have experience with VMWare ESX but I wanted to learn Hyper-V for comparison purposes. I have to say that it’s really easy to use but there are a lot of “if’s” and “but’s” with it still. I can appreciate Hyper-V’s capabilities for what they are and I wouldn’t be afraid to use it for hosting development or testing environments. It’s not ready to compete with ESX and I question if it ever will based on the gap between the two. VMWare is working on a virtual ecosystem while Microsoft is still trying to polish their hypervisor. Hyper-V is a capable product that can provide business value under the right circumstances. Microsoft has made a case for a share of the market that is looking to reduce their VMWare licensing costs but VMWare is much more capable of hosting business critical services.
Back to the topic at hand. I chose the Sophos UTM because it’s a full featured firewall and it’s free for home use. I have experience working on Checkpoint, Cisco and McAfee (Secure Computing Sidewinder) firewalls. Working on a firewall is not for everyone and it can be difficult to get experience on such a critical enterprise security system. I think that’s an attractive benefit of using the Sophos UTM system as a home firewall. If you’re looking to pick up firewall management as a skill then you can get experience with enterprise level features in your home lab or network.
The first thing to do is visit the Sophos website and register for your home license. The Sophos website has a “Free Tools” section on their website where you can find the Sophos UTM Home Edition. You’ll receive an e-mail with instructions on how to download the software and access your license key file. Don’t be confused by any Astaro labeling which is what the product used to be called. I downloaded the file asg-9.004-33.1.iso to be run as a VM on my 2012 Hyper-V server. Download the ISO file and store it where it can be accessed from the Hyper-V server.
As I mentioned in a previous post, I have already setup my external and internal virtual switches for the firewall. See the picture below for the configuration of my external and Internet interface (vSwitch).
Basically, I have a Broadcom NIC which will be my Internet NIC and my Realtek NIC will be the inside interface for the firewall. The Realtek NIC will also be used for other VMs on the LAN.
Now that we have the network setup and our ISO file we can prepare the installation. Open Hyper-V Manager and select New->Virtual Machine.
1. Give the new virtual machine a name for your reference and select the location where you want to store the VHD. As mentioned in a previous post, I put my VHD on a stand-alone mechanical hard drive. This is a firewall and it will write everything that passes through it to disk for logging purposes. Don’t burn out an SSD unnecessarily.
2. On the next screen enter the amount of RAM you want to give the firewall. The minimum recommendation is 1 GB; I’ve gone with 2 GB and have not had an issue. Linux does not support dynamic memory, so do not enable this setting.
3. Add a vSwitch. It doesn’t matter which one, just remember which one you add. We’ll add the other after this wizard completes.
4. I’m creating a new VHD through this wizard, so I’ll just verify the name and location and change the size. The minimum recommendation for the hard drive is 20 GB. I’ve gone with 30 GB and have not had any space issues yet. The larger the drive, the more log history you will be able to maintain.
5. On the Installation Options screen we’ll choose to install from media using the Image File (.iso) option. Browse to the location where you saved the .ISO file.
6. Click Finish and Hyper-V will prepare the virtual machine.
7. Let’s add the second vSwitch now. Open the settings menu for the VM and add a new network adapter under the add new hardware option. Select the vSwitch that was not added during the wizard.
8. Next we can disable hardware acceleration for our network adapters. If you have a NIC that provides this functionality then you can leave it on. I recommend turning it off for your standard consumer NIC though. See the picture below for an example.
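The same build can be scripted with the Hyper-V PowerShell module on the host instead of clicking through the wizard. This is an added example, not code from the original post; the VM name, switch names, VHD and ISO paths are assumptions (only the ISO file name comes from the post), and it assumes a Windows Server 2012 host where New-VM creates a Generation 1 VM with an empty DVD drive. Run it in an elevated PowerShell session on the Hyper-V server.

```powershell
# Added example (not from the original post): build the firewall VM described in the
# steps above with the Hyper-V PowerShell module. All names and paths are assumptions.

$VmName         = 'Sophos-UTM'                         # assumed VM name
$VhdPath        = 'D:\VMs\Sophos-UTM\Sophos-UTM.vhdx'  # assumed: stand-alone mechanical disk
$IsoPath        = 'D:\ISO\asg-9.004-33.1.iso'          # ISO name from the post, path assumed
$ExternalSwitch = 'vSwitch-External'                   # assumed: vSwitch bound to the Broadcom NIC
$InternalSwitch = 'vSwitch-Internal'                   # assumed: vSwitch bound to the Realtek NIC

# Step 1-4: create the VM with 2 GB RAM, a new 30 GB VHD and the first vSwitch attached.
New-VM -Name $VmName `
       -MemoryStartupBytes 2GB `
       -NewVHDPath $VhdPath `
       -NewVHDSizeBytes 30GB `
       -SwitchName $ExternalSwitch `
       -Path (Split-Path $VhdPath)

# Step 2: keep dynamic memory off for this Linux guest.
Set-VMMemory -VMName $VmName -DynamicMemoryEnabled $false

# Step 5: insert the install media into the VM's DVD drive.
Set-VMDvdDrive -VMName $VmName -Path $IsoPath

# Step 7: add the second adapter (the inside interface). Repeat for a DMZ switch if you have one.
Add-VMNetworkAdapter -VMName $VmName -SwitchName $InternalSwitch

# Step 8: turn off the hardware acceleration features (VMQ, SR-IOV, IPsec offload) on every adapter.
Get-VMNetworkAdapter -VMName $VmName | Set-VMNetworkAdapter `
    -VmqWeight 0 `
    -IovWeight 0 `
    -IPsecOffloadMaximumSecurityAssociation 0

# Review the adapters (the two rows should show the two switches and zero weights),
# then power on and open a console window to the VM.
Get-VMNetworkAdapter -VMName $VmName | Format-Table Name, SwitchName, VmqWeight, IovWeight -AutoSize
Start-VM -Name $VmName
vmconnect.exe localhost $VmName
```

The Get-VMNetworkAdapter listing at the end is the useful check: it tells you which adapter is attached to which vSwitch before the Sophos installer asks you to pick the internal interface, which the post notes is hard to tell apart from inside the guest.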
If you want other network adapters then go ahead and add them. If you want a DMZ, repeat step 7 to add that adapter as well, assuming you have created the vSwitch. What we have just done is prepare the logical hardware configuration for the firewall and insert our media into the CD-ROM drive. Now it’s time to power this VM up. Select the VM and click “Start” to power on the system. Click “Connect” to open a console window to the VM. You should be presented with a window that looks like this:
If you don’t get this screen then there is either a problem with the ISO file or Hyper-V itself. Go ahead and press ENTER. The hard drive it is referring to is the VHD that we created through the wizard. Proceed to start hardware detection. At the end of the detection routine you should be presented with a screen that summarizes the hardware configuration we built through the Hyper-V wizard.
The next step is to go through the software configuration wizard. You’ll be asked to select your language and time zone. You’ll also select your internal network adapter where you will access the webadmin interface. It’s difficult to determine which virtual adapter translates to which physical NIC. If you get it wrong then you can boot the media and go through the wizard again and select the other adapter. Go ahead and complete the software configuration and Sophos will boot. At completion you should be at the following screen.
The remainder of the configuration will be completed through the webadmin interface using your browser. I’ve given the internal NIC an IP address of 10.1.1.1. You can use 192.168.x.x or whatever scheme you want to use on your network. The next step is to get a client system, potentially the Hyper-V server, with an IP address in the same subnet that can communicate with 10.1.1.1 or whatever you chose to use. For this example I can either boot another VM using the internal vSwitch or use my spare network card on the Hyper-V server and assign a static IP of 10.1.1.2 then connect it to the same switch that the internal NIC is connected to.
The Sophos UTM manual available from the support site provides very good documentation walking through the setup step by step. You should be able to go through the configuration and see what the wizard has configured for you based on the questions you answered.
I will say that the interface is a bit cumbersome. I wouldn’t be too thrilled if I were a firewall administrator for an organization and this was my interface. It doesn’t make adding and modifying rules very easy but it’s functional. For a home environment I can’t complain but if I spent a fair amount of time on the dashboard I would definitely prefer a bit more flexibility. At this point it’s really up to you what services you want to enable and how you want to configure the firewall. I’ve enabled Country Blocking (Geo Blocking) and Endpoint Protection and spent time setting up static mappings and DNS records for all of my internal devices.
If you’re thinking of using the Country Blocking functionality I must warn you to tread lightly. When you block a country it applies to both inbound and outbound traffic, as the rule to deny this connection is applied before your firewall access rules. For example, if you block all of Asia you’ll probably have a hard time getting firmware and drivers for your hardware. Sites like Facebook distribute services all over the world. This also applies to sites that host services on Amazon Web Services, which could be located in any one of their data centers. The interesting outcome of using country blocking is discovering which countries you’re accessing data from. From my perspective, the benefit of using this functionality is to reduce risk where there is no need for connectivity. Maybe it’s safe to block all communications with North Korea, but you might have a need to communicate with Taiwan to get driver updates for your motherboard. I recommend getting a threat report from McAfee or another security service provider and selecting the top 3-5 geographical risks.
You can see some of the traffic that my firewall is dropping in the dashboard above. I have country blocking enabled with Ireland and China being blocked. You can see that Facebook has a service that resides in Ireland and the connection is being dropped. Another site is using AWS (Amazon Web Services) out of China and that traffic is being dropped. I also have two internal clients that are attempting to communicate through the firewall but there is no ACL to allow the traffic so it is being dropped.
Here is my recommendation for the firewall ICMP configuration.
Unless you enable a rule that allows all clients to communicate externally over any port and protocol, you’re going to spend some time in the Firewall Log. This will let you see what communications the firewall is blocking. You’ll then need to determine if you want to allow that traffic and set up a rule to do so. It would be nice if the live firewall log had an exclusion filter in addition to the inclusion filter.
You can see the green rows are my client PC connecting to the webadmin interface as being allowed. The red rows are a client attempting to communicate to an external service (AWS) over UDP 49317. Let’s say this is valid traffic and I want to allow it. In this case the client is an Amazon Kindle attempting to talk to AWS over UDP 49317. Let’s walk through how to allow this traffic.
1. I like to create a static mapping for IP leases from the DHCP server. The first thing I will do is go to Network Services->DHCP. On the IPv4 Lease Table tab I should see 10.1.1.14 as a lease. I’ll click the button to create a new mapping for that IP address. I’ll also check the boxes to create a DNS mapping and a network definition for the host.
2. This is also optional, but I will now go to Network Services->DNS and look at the Static Entries tab. I should see an entry for 10.1.1.14 based on what I did in step 1. What I want to do here is create a reverse lookup record. I’ll edit the entry for 10.1.1.14, select the checkbox for reverse DNS and save it.
3. In the above steps I have created a static mapping in the DHCP server. This means the client should obtain the same IP address from the DHCP server when it connects to the network. I’ve also created a forward and reverse DNS entry for the device and a host object that I will use in the firewall ACL. Now I’ll go to Network Protection->Firewall and click New Rule.
4. The new ACL requires three elements: Source, Service and Destination. My rule will allow the Kindle host object to communicate with Any destination over UDP-49317. See the image below.
5. After I save the ACL I have to enable it. When ACLs are created they are disabled by default. From the main ACL listing I can enable the rule and traffic should start flowing through the firewall. This means my live firewall log should be free of the rows we saw earlier.
This will most likely be an iterative process unless you just put a broad allow ACL in place for your network. If you’re new to firewalls then you should be getting the idea of the type of fun and knowledge that can be gained from firewall systems.
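Because the live log only offers an inclusion filter, it helps to triage a copy of the packetfilter log offline: hide the traffic you have already decided about (like the admin PC reaching webadmin) and group what is left so each remaining drop becomes one candidate rule, as in the Kindle walkthrough above. The script below is an added example, not from the original post or from Sophos. The log lines are constructed in the key="value" style the UTM uses for packetfilter events (that format is an assumption, so compare it with your own log before trusting the field names); the 10.1.1.14 Kindle, the 10.1.1.2 admin PC and webadmin on TCP 4444 match the post, while 203.0.113.10, 10.1.1.21 and 10.1.1.30 are made-up addresses.

```powershell
# Added example (not from the original post): offline triage of Sophos UTM packetfilter
# log lines with an exclusion filter and a per-flow drop count. Log format and sample
# lines are constructed assumptions, not real captures.

$SampleLog = @'
2013:02:10-20:01:12 utm ulogd[2211]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.1.14" dstip="203.0.113.10" proto="17" srcport="50012" dstport="49317"
2013:02:10-20:01:13 utm ulogd[2211]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.1.14" dstip="203.0.113.10" proto="17" srcport="50013" dstport="49317"
2013:02:10-20:01:15 utm ulogd[2211]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth0" srcip="10.1.1.2" dstip="10.1.1.1" proto="6" srcport="51022" dstport="4444"
2013:02:10-20:01:20 utm ulogd[2211]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.1.21" dstip="10.1.1.30" proto="6" srcport="40000" dstport="445"
2013:02:10-20:01:21 utm ulogd[2211]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="10.1.1.2" dstip="10.1.1.1" proto="1" srcport="0" dstport="0"
'@

# Parse one line of key="value" pairs into an object with one property per key.
function ConvertFrom-UtmLogLine {
    param([string]$Line)
    $fields = @{}
    foreach ($m in [regex]::Matches($Line, '(\w+)="([^"]*)"')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    [pscustomobject]$fields
}

# An event is excluded when every field in any one exclusion rule matches it.
function Test-Excluded {
    param($Event, [hashtable[]]$Rules)
    foreach ($rule in $Rules) {
        $allMatch = $true
        foreach ($k in $rule.Keys) {
            if ($Event.$k -ne $rule[$k]) { $allMatch = $false; break }
        }
        if ($allMatch) { return $true }
    }
    return $false
}

# Exclusion filter: traffic already understood and not worth reviewing again.
$Exclude = @(
    @{ srcip = '10.1.1.2'; dstip = '10.1.1.1'; dstport = '4444' }  # admin PC -> webadmin
    @{ proto = '1' }                                                # ICMP, handled by the ICMP settings
)

$events = $SampleLog -split "`r?`n" |
    Where-Object { $_ } |
    ForEach-Object { ConvertFrom-UtmLogLine $_ }

# Remaining drops, one row per source/destination/protocol/port flow, busiest first.
# Each row is a candidate for either a new ACL (the Kindle on UDP 49317) or a
# decision to keep blocking it (a client poking SMB at another internal host).
$events |
    Where-Object { $_.action -eq 'drop' -and -not (Test-Excluded $_ $Exclude) } |
    Group-Object srcip, dstip, proto, dstport |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Flow (srcip, dstip, proto, dstport)'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

To use it against real data, replace $SampleLog with Get-Content of a packetfilter log exported from the UTM (an assumption about how you obtain it) and grow the $Exclude list as you create rules; each time a flow disappears from the output you have either written an ACL for it or consciously left it blocked.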
I would recommend running a port scan against your firewall once you have it set up. There are a couple of reputable and free port scanners that can be run from the Internet. Just determine your IP (Google: what’s my ip) and plug it into a port scanner. Unless you have enabled an ACL to allow traffic from the Internet to your network, this port scan should be pretty clean with no active ports found. If the scan finds an open port then you have a configuration or ACL allowing it.
I’ve been running the Sophos UTM firewall on Windows Server 2012 as a Hyper-V virtual machine for about a month now without any issues. I did have to spend a few hours configuring it initially but I’m very happy with the service it provides. If you have any questions feel free to contact me or leave them in the comments section and I’ll do my best to help.