Hello guys,
This is a long post so please bear with me!
I'm currently running Sophos UTM as a VM on Hyper-V, on the Boot Camp partition of a late 2012 Mac Mini.
The Mac Mini's OS X partition will be kept for future firmware updates from Apple.
The second Ethernet connection on the Mac Mini is the Apple Thunderbolt to Gigabit Adaptor.
Both network adaptors have Broadcom chipsets with VLAN support.
The host OS is Windows 8.1 Pro, running Client Hyper-V and Windows Media Centre, connected to the TV in the lounge.
The host has three primary tasks.
• Running Sophos on Hyper-V
• Running Windows Media Centre for watching FTA TV.
• Streaming FTA TV to an Xbox 360.
The CPU in the Mac Mini is a mobile Core i5-3210M (2.5 GHz, 3.1 GHz turbo, max TDP 35 W).
I have upgraded the RAM to 8 GB and fitted a 1 TB Seagate SSHD. Idle power consumption is ~15 W.
While watching live TV it goes up to ~25 W.
This works fine for me, as it consumes much less energy and handles the ISP's 100 Mbps connection easily. I get up to about 95% of the speed on speedtest.net. FTA plays smoothly on the TV and via the Xbox 360.
This is what I've done with my NICs on the physical host:
The ISP modem is in bridged mode, so the devices connecting to the modem receive an Internet address.
WAN is a direct connection from the modem to the Thunderbolt adaptor. This then connects to the virtual switch SOPHOS-INTERNET, and the connection type is set not to share with the management OS.
The second connection, the LAN, is the Mac Mini's internal NIC, plugged into an access point for internal network traffic. This then connects to the virtual switch INTERNAL, and the connection type is set to share with the management OS. The management OS gets its DHCP address from Sophos over this connection.
As above, the Sophos VM has two NICs: WAN is attached to SOPHOS-INTERNET and LAN is attached to INTERNAL.
I am trying to minimize the attack surface on the host PC. Other than the OS, it will only have the essential device drivers installed. It doesn't even have an Internet security suite, as it has Windows Defender. This PC is not used for web browsing; there are plenty of other PCs and tablets for that. The only tasks it will be used for, in addition to hosting the UTM, are watching FTA TV and streaming FTA to the Xbox 360. Watching FTA on Media Centre is done by logging in with a non-admin account.
Note that this is a home setup and the only path from the Internet is:
Modem -> Thunderbolt adaptor -> external Hyper-V switch -> Sophos UTM -> internal Hyper-V switch -> DHCP to the management OS, and also to internal clients via the access point connected to the internal NIC.
I am looking for ideas to harden this setup, as the UTM on Hyper-V is at the edge of my network together with Media Centre, instead of a single dedicated device for the UTM. I felt a little nervous initially, especially about putting a Microsoft OS on the edge, but I believe the security and stability of their products has improved recently (I actually ran Sophos on Hyper-V with VLANs for a while on a desktop, but abandoned that due to higher power consumption). My feeling is that this is not ideal in terms of accepted security practices, but safe enough.
Any ideas or comments?
Thanks.
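As an added example (not part of the original post), this is how the two virtual switches and the UTM VM's NICs described above would be built and then checked from an elevated PowerShell prompt on the Hyper-V host. The physical adapter names ('Ethernet 2' for the Thunderbolt adaptor, 'Ethernet' for the built-in NIC) and the VM name 'SophosUTM' are assumptions; look them up with Get-NetAdapter and Get-VM before running it.

```powershell
# Added example, not the original poster's configuration. Adapter and VM
# names below are assumptions; confirm them with Get-NetAdapter / Get-VM.
$wanAdapter = 'Ethernet 2'   # assumed: Apple Thunderbolt-to-Gigabit adaptor
$lanAdapter = 'Ethernet'     # assumed: Mac Mini built-in Broadcom NIC
$vmName     = 'SophosUTM'    # assumed: name of the Sophos UTM VM

# WAN side: external switch that is NOT shared with the management OS.
# Hyper-V then binds only its own switch protocol to the physical adapter,
# so the host has no IP stack on the Internet-facing segment.
New-VMSwitch -Name 'SOPHOS-INTERNET' -NetAdapterName $wanAdapter -AllowManagementOS $false

# LAN side: external switch shared with the management OS. The host's
# 'vEthernet (INTERNAL)' adapter is the one that takes DHCP from the UTM.
New-VMSwitch -Name 'INTERNAL' -NetAdapterName $lanAdapter -AllowManagementOS $true

# Two NICs on the UTM VM, one per switch.
Add-VMNetworkAdapter -VMName $vmName -Name 'WAN' -SwitchName 'SOPHOS-INTERNET'
Add-VMNetworkAdapter -VMName $vmName -Name 'LAN' -SwitchName 'INTERNAL'

# --- Checks worth running after the build ---

# 1. The management OS must have no virtual NIC on the WAN switch.
#    Expect no output here; anything listed means the host is exposed on WAN.
Get-VMNetworkAdapter -ManagementOS | Where-Object SwitchName -eq 'SOPHOS-INTERNET'

# 2. On the physical WAN adapter only the Hyper-V switch binding should be
#    enabled; TCP/IP (ms_tcpip, ms_tcpip6) and client/server bindings should be off.
Get-NetAdapterBinding -Name $wanAdapter | Where-Object Enabled |
    Select-Object Name, DisplayName, ComponentID

# 3. Confirm each switch is bound to the adapter you intended and that the
#    AllowManagementOS flag matches the design (false for WAN, true for LAN).
Get-VMSwitch -Name 'SOPHOS-INTERNET', 'INTERNAL' |
    Select-Object Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS

# 4. The VM's two NICs land on the right switches.
Get-VMNetworkAdapter -VMName $vmName | Select-Object Name, SwitchName, MacAddress

# 5. The host's only IPv4 address should sit on the INTERNAL vEthernet adapter
#    and be DHCP-assigned (PrefixOrigin = Dhcp), i.e. handed out by the UTM.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object InterfaceAlias -like 'vEthernet*' |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin
```

Check 2 is the one that matters most for the "host on the edge" worry: with -AllowManagementOS $false the physical WAN adapter carries frames straight into the switch and the Windows IP stack never sees them, so if ms_tcpip shows up as enabled on that adapter something has re-bound it and should be investigated.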