Making my XG as secure as my UTM

In another thread in another forum I said I would try to add the functions I have in my UTM to my XG.

This bravado was brought about by the post of AlanT about the XG. So this thread will be a history of my successes and failures.

I started this last Friday the 21st April.

Progress so far

1/. Haven't started on the XG.

2/. building infrastructure to provide some of the features that the XG doesn't have

A long story of trying various pieces of hardware to re-install my Server 2012 SMB version. Nothing but failures and frustration with missing drivers on the install DVD.

I bought an Intel NUC to be my house server; software installed but no network, no Intel hardware found... Tried W10 Hyper-V: no network to the external world. Tried the VM hardware, failed; tried to install on the VM where it last worked, it will not read the DVD...

3/. Why do I think I need a server

a) DHCP server that can handle static assignments without requiring an email address

Who in their right mind would require an AP or switch to have an email address before you can statically assign an IP address and give it a name so it is identified in the daily reports? Not fixed in v15b or any of the v16bs.

b) a DNS that will function with the DHCP server and use reverse lookup.

c) a DNS that can be the single point of reference and protection.

So tonight I have another go at getting the server up and running.



  • Server from previous step still not working.

    Next step.

    Actually starting on the XG.

    Create VLANs for users and phone networks.

    You have to create the VLANs on a physical interface that is active and has an assigned IP address.

    Using a GS108PE v3 as my vlan switch, required different thinking to the other switches I have used.

    Eventually I have VLANs working.

    But no connection speed shown, or whether duplex or not.

    Need to build rules for the voip phones.

    Two different suppliers using different port ranges.

    No IPv6 when using an HE tunnel, so there is another failure.

    Edited: added comment about no details on VLANs.

    Next step is to put this in place of the UTM

  • My XG is back online.

    I have added

    1/. VLANs

    2/. VoIP phones (2), different ISPs. I have not tried the incoming side yet nor actually making a call, just checked for dial tone, which means registration.

    To make it work I have had to

    1/. disable all mail HTTPS scanning

    2/. remove the VLAN port from the general access rule.

    3/. remove a specific clientless group from the general access rule.

    After I removed the ports from the general access rule all the other traffic started to flow, strangely, VoIP included.

    Is the XG as secure as the UTM? No.

    UTM - I was able to limit access on the VoIP LAN to only the VoIP phones. I still have work to do on tightening the VoIP rules; I need to add destination details.

  • VoIP traffic works in both directions.

    The general rule fails to pass traffic when the clientless group with the IP range is assigned. The traffic also fails if I use the VLAN network.

    I can't see anything wrong with the clientless group setup.

    Update: added the clientless group back and now it works; maybe I was just too impatient?

  • Is the XG as secure as the UTM - NO.

    1/. No DNS proxy - all devices open to DNS attacks.

    2/. No NTP proxy - all devices open to NTP attacks.

    3/. Secure mail fails; probably a certificate error that needs investigating.

    Earlier I indicated I was building a server to provide more DNS and DHCP functions; that failed, as the server software would not install on 5 different types of hardware/VM.

    Other issues with the current XG

    1/. No IPv6 using HE tunnels.

    2/. Many DNS attacks, even more than before I took the XG offline over a month ago. There is either a classification error or a reporting error: IMAPS is being used for DNS attacks. There is a long thread on the subject I need to add information to.
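The post above lists three controls the writer had on the UTM and cannot reproduce on the XG: a DNS proxy, an NTP proxy, and a VoIP LAN that only the phones can use. The script below is an added example, not from the thread and not a Sophos XG configuration, showing those same controls written as an nftables ruleset for a Linux gateway that runs its own resolver and time server. The interface names (eth1.10, eth1.30, eth0), the two phone addresses, the supplier networks (RFC 5737 documentation ranges) and the RTP port ranges are all assumed placeholders; replace them with the real ones.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): the three controls the post wants
# (DNS proxy, NTP proxy, VoIP LAN restricted to the phones) as an nftables ruleset for a
# Linux gateway. Interface names, VLAN IDs, addresses and supplier networks are assumed.
USER_VLAN="${USER_VLAN:-eth1.10}"   # assumed: VLAN sub-interface for the user network
VOIP_VLAN="${VOIP_VLAN:-eth1.30}"   # assumed: VLAN sub-interface for the phone network
WAN_IF="${WAN_IF:-eth0}"            # assumed: outside interface
# Constructed sample data: two phones, and the two suppliers' networks and RTP ranges.
PHONES="192.168.30.11, 192.168.30.12"
SUPPLIER_A="203.0.113.0/24"   # documentation range standing in for supplier A's SIP/RTP servers
SUPPLIER_B="198.51.100.0/24"  # documentation range standing in for supplier B's SIP/RTP servers
RTP_A="10000-20000"           # assumed RTP port range used by supplier A
RTP_B="16384-32767"           # assumed RTP port range used by supplier B

# Print the ruleset. Kept in a function so it can be dry-run (nft -c) or applied (nft -f).
gen_ruleset() {
cat <<EOF
define inside = { "$USER_VLAN", "$VOIP_VLAN" }
table inet gw {
  set phones { type ipv4_addr; elements = { $PHONES } }
  set supplier_a { type ipv4_addr; flags interval; elements = { $SUPPLIER_A } }
  set supplier_b { type ipv4_addr; flags interval; elements = { $SUPPLIER_B } }

  # "DNS proxy" and "NTP proxy": whatever server a device configured itself with,
  # its DNS and NTP queries are steered to the resolver and chrony running on this box.
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname \$inside udp dport 53 redirect to :53
    iifname \$inside tcp dport 53 redirect to :53
    iifname \$inside udp dport 123 redirect to :123
  }

  # The redirected queries now terminate locally, so they pass through input, not forward.
  chain input {
    type filter hook input priority filter; policy drop;
    iifname "lo" accept
    ct state established,related accept
    iifname \$inside udp dport { 53, 123 } accept
    iifname \$inside tcp dport 53 accept
    iifname \$inside udp dport 67 accept    # DHCP requests to the gateway
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    # VoIP VLAN: only the phones, only to their own supplier, only SIP and that supplier's RTP range.
    iifname "$VOIP_VLAN" ip saddr @phones ip daddr @supplier_a udp dport { 5060, $RTP_A } accept
    iifname "$VOIP_VLAN" ip saddr @phones ip daddr @supplier_b udp dport { 5060, $RTP_B } accept
    iifname "$VOIP_VLAN" counter drop
    # Users may go out; nothing may be initiated from outside or between the VLANs.
    iifname "$USER_VLAN" oifname "$WAN_IF" accept
  }
}
EOF
}

# Number of redirect rules, i.e. the "proxy" behaviour: one for UDP DNS, TCP DNS and NTP.
count_redirects() { gen_ruleset | grep -c 'redirect to'; }

# Dry-run the ruleset when nft is installed; otherwise just print it for review.
if command -v nft >/dev/null 2>&1; then
  gen_ruleset | nft -c -f - || echo "nft -c reported a problem" >&2   # drop -c to load it
else
  gen_ruleset
fi
```

Two caveats a practitioner would check before relying on this: the local resolver and chrony must be listening on the gateway's address in every inside VLAN, or the redirected queries are simply dropped by the input chain; and a port-53 redirect catches only classic DNS, so a device doing DNS over HTTPS on 443 still bypasses the "proxy" and needs to be blocked separately. SIP over TLS (5061/tcp) and any RTP range outside the assumed ones need their own accept lines.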
