
I need help with XG configuration for my home network.

Background:
I am new to networking; my only previous networking experience is setting up a home Netgear wireless router (only the very basics). Last night, I set up XG on a small PC that has 4 ethernet ports. I just got it set up and running, so it has the configuration like new with no changes. I hooked it up to my modem and my home PCs all get the internet just fine through it.

Since I have teens and pre-teen kids in the house, the main bandwidth hogs are Spotify, YouTube, and Netflix 4K. For us parents, we need our network secure so that our accounts, financial and private information and data are secured from outside threats/hackers.

Goal:
1. Can you suggest an XG security setup guide or other suggestions on how to set up XG so that if the kids accidentally download a malicious video game or visit a bad website that has malicious HTML or software, it will somehow be caught by XG? Ideally, XG would catch or prevent the malicious code from doing harm, exposing private data, or giving hackers control of our networked PCs. Sorry, I'm new to the network security world so my terminologies might be off a bit.

Thanks so much!



  • I'll give you some samples that I use in my own network.  And mind you, I'm a very security conscious person, so I do try to personally maximize security, while keeping the network fairly open (not blocking many things except for malicious stuff and ads).


    Now, let's begin. 

    Setting up Web Filter policies for catching certain things is a great first step for web protection.

    This is a policy I set up on my network; you can use it as an example, it matches pretty much the type of web policy you'd like:

    This kind of policy can be set up in Web -> Policies.  Click the "Add Policy" button, then start customizing.  Make sure that the Actions allow and block both HTTP and HTTPS, depending on what you want.  Default Action should always be Allow, unless you want to manually whitelist every single website and service people can use online (which can be A LOT, and very time consuming).

    Under Web -> General Settings, I have these settings:

    To maximize virus protection, I have virus engines set on Dual, which will use both Sophos and Avira.  Blocking Potentially Unwanted Apps (PUAs) is also great, as that reduces the chance of someone downloading adware or something of that nature.  I personally have file size on the maximum it can go, to make sure it scans as much as it can.


    Another great tool for network security is Application Control.  With this, you can completely block malicious or ill-intent type of applications from connecting.

    I'd recommend creating your own policy for this, so you can customize it to your liking.  You should check out the categories and risk options the most.

    For instance, I block all applications with the risk level of "Very high".  And having checked the applications in that, I don't see any use for them on my network.  I additionally block the P2P category, since I don't really plan on torrenting anything.  You can also block the "Can bypass firewall policy" characteristic.

    But really, when it comes to App Control, I'd recommend you just go through this yourself and block what you feel doesn't belong on your network.


    And lastly, you can set this all up in a Firewall Rule.

    I'd suggest you create your own firewall policy, and have it be the last one on the list (very bottom).

    You can take my setup, as an example:

    Now, let me explain my policies.

    I've had the QUIC policy in place, before the option was given to simply block it.  Never removed it.

    LAN -> Smart TV is blocked because I don't want people in my house casting video content to any Smart TVs.

    Email scanning is a default, which I leave alone.

    I created a rule specifically for Netflix, so it can function without any issues.  You can read more about setting that up by clicking here.

    LAN -> WAN is my "allow LAN to WAN" connection policy.

    Make sure you select the policies you created, by their name, in the App and Web policy settings of the firewall rule.

    And there you go! I hope I was of some help!

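As an added example that is not part of the original post (and not Sophos code; the Netflix hostnames and the "smart-tv" host are constructed), this small first-match simulation of the rule list described above shows why the catch-all "LAN -> WAN" rule has to sit at the very bottom: moved to the top, it shadows the QUIC block and the Netflix rule so they can never fire.

```python
# Constructed first-match model of the firewall rule order from the post above.
# Zone names, hostnames and ports are illustrative, not real XG objects.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                              # "allow" or "block"
    proto: Optional[str] = None              # None means any protocol
    dst_port: Optional[int] = None           # None means any port
    dst_hosts: FrozenSet[str] = frozenset()  # empty means any host

    def matches(self, pkt: dict) -> bool:
        return ((self.src_zone, self.dst_zone) == (pkt["src_zone"], pkt["dst_zone"])
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dst_port is None or self.dst_port == pkt["dst_port"])
                and (not self.dst_hosts or pkt["dst_host"] in self.dst_hosts))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match, self matches first."""
        return ((self.src_zone, self.dst_zone) == (other.src_zone, other.dst_zone)
                and self.proto in (None, other.proto)
                and self.dst_port in (None, other.dst_port)
                and (not self.dst_hosts
                     or (bool(other.dst_hosts) and other.dst_hosts <= self.dst_hosts)))

def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, str]:
    """First matching rule wins, top to bottom; no match falls to the default drop."""
    for r in rules:
        if r.matches(pkt):
            return r.name, r.action
    return "default", "drop"

def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier, broader rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]

NETFLIX = frozenset({"netflix.example", "nflxvideo.example"})  # constructed hostnames
RULES = [
    Rule("Block QUIC", "LAN", "WAN", "block", proto="udp", dst_port=443),
    Rule("LAN -> Smart TV", "LAN", "LAN", "block", dst_hosts=frozenset({"smart-tv"})),
    Rule("Netflix", "LAN", "WAN", "allow", dst_hosts=NETFLIX),
    Rule("LAN -> WAN", "LAN", "WAN", "allow"),  # catch-all: keep it last
]

def decide(rules, dst_host, proto="tcp", dst_port=443, dst_zone="WAN"):
    return evaluate(rules, {"src_zone": "LAN", "dst_zone": dst_zone,
                            "dst_host": dst_host, "proto": proto, "dst_port": dst_port})
```

`shadowed(RULES)` is empty for the order in the post, but `shadowed([RULES[3]] + RULES[:3])` reports "Block QUIC" and "Netflix" once the catch-all is moved up.
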
  • Any service from Netflix looks like a security hole to me; you should be limiting ports?

    No imaps? You should also be limiting your mail destinations to your ISP's servers to reduce the junk attacks on your LAN devices.

    Ian

  • I don't use mail from my ISP, at all.  It's useless to me, so, the mail filtering on Sophos isn't used, since what I use is web-mail based (Gmail).  I don't use mail clients on my PC.


    Also, Netflix is not an incoming filter, it's an outgoing one.  There are no ports open; if you follow this guide, it's just a destination for specific hostnames used by Netflix.

    Local network -> WAN


    I'm not running a school or company network, I use Sophos at home.  So I see no need to restrict outbound ports.

  • You have posted a sample of your configuration with an email firewall rule; if you don't use your ISP email you should delete the firewall rule, because Gmail uses HTTPS and will not be scanned by your email rule.

    Unrestricted ports will be used by a trojan etc. if you ever get attacked.

    Ian

  • I run my network, you run yours.  Let me manage mine my way, thanks and goodbye.
