Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 27 subscribers
  • Views 2085 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Assistance in setting up XG Home (The most transparent way)

Daniel Bingham

Hi,

 

I have come to a point where I have messed with an XG in a home environment and a corporate environment enough to come to the conclusion where I would like to read how everybody is taking care of content filtering for their home network.

 

My scenario:

  • A technologically challenged wife who "hates it" when things don't work
  • An adventurous teenage boy who will try and push the boundaries of the internet
  • A nine year old which I want to protect from the web

My Equipment:

  • A Shuttle PC with Dual NIC, SSD, 8GB Ram with SFOS 17.5.5 MR-5
  • 30 Devices (so far)
    • ESX Server running
      • Ubuntu Server
      • CCTV Server (Windows)
    • Multiple CCTV devices
    • UBNT 24 Port Edge Switch
    • UBNT TS8 POE Switch (for CCTV)
    • Meraki MR33
    • Canon Copier
    • Raspberry Pi (Dakboard)
    • Android Devices
    • iOS Devices
    • Entirely Mac house, except the CCTV server
    • Apple TV's
    • IPTV Boxes
    • PS3

My goal:

  • Wife and I
    • 2X Mac's
    • 1X iOS
    • 1X Android
      • Open slather, access all areas
  • Kids
    • 1X mac
    • 2X iOS
    • 2X Android
      • Locked down, No internet after 10pm until 7:30am
      • Strict Youtube Policy
      • No usual suspects such as:
        • Joining ISIS
        • Making Bombs
        • Looking at Porn
        • etc.
        • etc.

What I have done (Tried so far):

  • Created Reservation IP's for all of the important devices such as the copier, ESX host, Mac's, Phones etc.
  • Created a Clientless User for each device (as below)

Firewall Overview

Created a Firewall rule for the Apple TV's / IPTV's (As per the following) - Happy with this and it works as desired

CCTV Rule (3389 locked to my work IP Address) Other rule for mobile access externally - Happy with this and works as desired

The Important rule

The Kids rule - Not happy and not working as desired

First rule is kill the internet between 10pm and 7:30am daily - works

Second rule config:

Furthermore the "Kids web policy:

What I can tell you is happening:

The kids hit the rule when looking at logging but nothing is enforced. My assumption is because they need to be an authenticated user (not clientless) with the authentication client installed and the trusted cert installed on their devices please advise if this is incorrect

What I have found when I do this, is they have worked out that if they don't authenticate, they go to the next rule being: Allow any / any (which the wife and I sit at).

So the fix I hear you say is authenticate the wife and I and do a Deny all rule.

What annoys me about this is when somebody comes over to our house and wants to use WiFi, they are denied until I ask them to download an app, install a cert, I spend time setting them up with a user account (nope.. not happening.. ever!)

Please assist in helping me make this transparent so the kids are blocked from stuff, and the grown ups aren't.

Thank in advance!

 


This thread was automatically locked due to age.
  • 0

    Hi,

    sounds like my household except the kids have left home. You need to create the clientless users into groups and then match the groups in every rule. Also you need to add either allow all in the Apps tab on the rules or build your own specific app policy to improve your scan rate.

    You will also need to change your any [ports to specific ports eg https and http otherwise have the nasties on the internet can bypass you policies. If the kids are using applications that require different ports eg games you can either add the ports to your kids rule or create a new rule above the kids rules using FQDN as the destination network with the required ports and m match users.

    I am not sure authenticating the kids is a good way to go.

    Try that for a start.

    Ian

  • 0 in reply to rfcat_vk

    Thanks for your reply, Ian.

     

    I have created a CAG:

    Added my phone as a clientless user to the CAG

    Added the CAG to the firewall rule

    Then tried browsing... anywhere:

    This is my concern, that regardless of setting up groups etc, the XG won't content filter without the installation of its SecurityAppliance_SSL_CA.pem file added (which can't be done unless you download the Sophos Network Agent app and authenticate).

    Ian, am I missing something if you don't have to do this?

  • 0 in reply to Daniel Bingham

    Hi Daniel,

    you do not need any of those to install the certificate. If using a MBP, download or email yourself a copy and double click on it. On a iPhone or iPad do the same, you will need to delete the mail accounts and re-install them to get mail to work on iPhones and iPads.

    My memory of all the steps on widows is a bit rusty, but there are a couple of threads and KBA on how to install the CA.

    For your guests, create a clienteles group with dummy names, then create a limited firewall rule with IPS, WEB and Application tabs filled. Allow https and http only. Scan http.

    Also, I notice you don't tick scan ftp or the sandbox, any reason?

    Ian

  • 0 in reply to rfcat_vk

    rfcat_vk said:
    you do not need any of those to install the certificate. If using a MBP, download or email yourself a copy and double click on it.

     

    Yes, that is correct and that will work clientless

    rfcat_vk said:
    On a iPhone or iPad do the same

    This isn't correct. The iOS and Android devices do not recognise what a .scc file is natively. They need the Network Auth app to do so, which then means you can't use clientless.

     

    HTTP scanning works fine clientless (but very little sites are HTTP anymore. The cert needs to be in place to scan HTTPS and thats where I come unstuck with the whole scenario.

     

    If I am totally missing something, please advise but I cannot see a way around managing devices such as Android / IOS without the network auth app. This even goes for guests.

     

    rfcat_vk said:
    Also, I notice you don't tick scan ftp or the sandbox, any reason?

    Scan FTP will evnentually be turned on, I am just trying to get HTTP and HTTPS going first. 

    As for sandstorm, as far as I am aware, this is not available with Home, only licensed copies of XG?

     

    Thanks

  • 0 in reply to Daniel Bingham

    Hi Daniel,

    what you are missing is, everything I have advised works.

    I have on my network, two managed switches, two Sophos APs working with VLANs. I have 4 VLANS, for IoT, infrastructure, printers, and ordinary users. I have Clientless and DHCP.

    I also have certificates installed in two MBPs, two W10, two iPhones and one iPad.

    Further i have been experimenting with blocking tunnels and VPNs with some interesting side affects.

    1/. you need to search the forums and KBAs for instructions on installing certificates, but in summary you change the suffix to one that you're OS accepts.

    2/. Sandstorm, you need a licence if you want to see the results of the sandboxed application, but for home use the offending application will be shown in the GUI so you can investigate yourself. The offending applications forwarded to Sophos, you don't see the results.

    3/. guests I put into clientless groups using a DHCP range but do not attempt to install the certificate, they have a rule for that clientless group.

    Ian

  • 0 in reply to rfcat_vk

    Thanks once again for your reply Ian,

    rfcat_vk said:
    1/. you need to search the forums and KBAs for instructions on installing certificates, but in summary you change the suffix to one that you're OS accepts.

    It just so happens that I was trying that myself and I believe I have it working (on an Android)!! HOOORAY!!!

    I found this site:

    http://www.realmb.com/droidCert/

    You upload the .pem, it then gives you a link to download which has now given me the result with no app!

    I will test to see if it screws me on other WiFi networks and if not, I will then move onto iOS devices.

    Thanks for your patience and help with me.