Installing Sophos UTM 9 Firewall In Home Network
Have you ever thought about securing and monitoring your home network, or protecting your children from online treads? There are hundreds of applications you could install which is challenging to choose. I do care about online security and I’m very keen to know what’s going on in my home network. This has led me to creating my own, central home intrusion prevention system (IDS) on a budget equipment. And I’m going to share with you, how to do it.
Traditional home network armed with IDS system
In the previous post Securing Home Network with SOPHOS UTM IDS we have introduced SOPHOS UTM 9 and we have discussed some benefits of having such system implemented in our home network. In this post we will focus on building that IDS Box, which is shown on the diagram above in a red square. Let’s take a look at example hardware which can be used to build our home network Intrusion Detection System.
Bill of materials (BoM). Choosing a decent piece of hardware.
 Intel NUC6CAYH, Celeron J3455 |
€ 129 |
 RAM: Crucial 4GB PC3L-12800 |
€ 39 |
 SanDisk SSD Plus, 120GB, 2,5″, SATA3 |
€ 60 |
 TP-Link USB 3.0 to Gigabit Ethernet Adapter |
€ 19 |
| TOTAL: | €247 |
In our project we are using Intel NUC6CAYH mini PC which has a quad-core Intel Celeron processor. It is power-efficient and very quiet device. Although it comes with only one network interface card (NIC), it is not an issue because that’s the way we save some money and we hook-up an USB 3.0 gigabit Ethernet adapter, which will serve as of a secondary NIC. This is because our IDS system requires two network interfaces – one for the external network (WAN) and the second for internal network (LAN). We’ve got 4GB of RAM and 120 GB solid state hard drive (more disk space is good for longer logs’ retention time). This configuration will ensure a decent performance and long up-time for our system.
The total price is around € 250 (2017), but this is only example of the hardware which can be used for this purpose. The IDS system can be installed on any spare desktop PC, as well as in a virtual machine. The minimum hardware recommendations are as follows:
- CPU: 1.5+ GHz (dual core recommended)
- RAM: 1GB (2GB strongly recommended)
- HDD: 60GB +
Connecting hardware and Installing Sophos UTM software.
Sophos UTM network topology
IDS box must be installed in the way it intercepts traffic from both, external and internal networks. This means we have to plug it in between our ISP modem on NIC:2, and our local network switch on NIC:1. This way our entire network traffic will flow through IDS. It will serve as a router, an internet gateway, a firewall and a DNS forwarder to all devices in our local network. It will also manage entire network traffic.
Firewall rules
For example we can define a firewall rule which will prevent our Smart TV from accepting inbound connections from the internet, or block communication between a gaming console and a network printer, or maybe we would like to block WiFi mobile devices from accessing our NAS storage, etc.
Downloading Sophos ISO image and obtaining free license.
Free Sophos UTM Home Edition features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses. You can register and request for software download URL here. Register your account as a home user and follow instructions from an email that you will receive to download ISO image of Sophos UTM. You will also receive your free license attached with that email. We will be using USB pen drive as our installation medium, so no need to burn ISO image onto a CD.
Note: You must download the latest version of the following ISO image: UTM v9 software appliance “asg-9.506-2.1.iso” (2018). Do not download hardware appliances ISO images.
Once the ISO image has been downloaded, we create a bootable USB installation drive using Rufus. ISO requires at least 1GB on a memory stick.
Connect some keyboard, monitor and plug in USB installation media into free USB port and power up a PC. Go to BIOS settings and configure boot sequence the way it boots up from an external USB device.
The installation process starts:
TIP: After first reboot, you may login to the system as a root user. At the first login attempt you will be asked to reset root password. Just leave empty password for “Old Password:” prompt and set the new and secure password for the root user account.
The system is ready for initial setup. All configuration is done with Web Admin using web browser. Open the following URL https://10.0.0.2:4444 (IP of NIC1) to perform basic system setup.
Next, login to Web Admin console with username admin and the password you just set. Now you must activate the product with a license file obtained during the registration process (check the mailbox). Follow the Setup wizard:
Finally, we are ready to enjoy our brand new Sophos UTM 9 instance.
Sophos UTM WebAdmin Dashboard
Summary
The installation process is straight forward. However the fun begins with IDS configuration, where we have to setup NAT, firewall rules, routing rules, network and websites protection. Sophos UTM comes with lots of features. Imagine you are running a web server, or a mail server, or access your home network over a VPN. All these network services can be monitored and protected by Sophos UTM. As a matter of fact, we pay a lot to our internet providers and our network’s bandwidth is pretty good, why not to utilize it to its full potential? Lightweight home websites, mail servers, lab servers can easily be running in home networks. The only challenge is to keep them secured and backed up.
Stay tuned!! In following articles we will focus on Sophos UTM configuration. The fun is just about to begin!
Securing Home Network with SOPHOS UTM IDS
Traditionally, households are connected to the internet via modems. Modern modems come with builtin basic routers and Wi-Fi access points. All we have to do is to plug them in, activate the service and enjoy a vast ocean of content available on the internet. What if the “internet” would attempt to browse our home network?
Cyber threat real-time map: cybermap.kaspersky.com
Are traditional devices strong enough to secure home network from internet threats, or protect the children from browsing unwanted content? Unfortunately not. Their role is to provide internet service at basic security level. Home networks certainly need something more than simple modem to increase level of security. Here comes the enterprise grade firewall, an Intrusion Detection System – Sophos UTM Home Edition. And guess what, it is for free! Continue reading…
How To Build an FPV Drone – Beginners Guide
Building a quadcopter is relatively easy nowadays. Components required to build a decent quadcopter, equipped with a first person view camera (FPV), are broadly available for purchase. The average time for a hobbyist to build a “qwad” is less than an hour! Well, let’s build a multipurpose quadcopter capable of flying freestyle, racing, and recording HD videos at the same time!
Even though it appears to be difficult, trust me it isn’t. Once you created your first qwad, you won’t have any problems with building even more advanced configurations. It is very easy to learn how to put all the things together and take your bird in the air. This post is about to provide basic information on haw to get started with the hobby, short buying guide of “ready to fly” quads and finally some generic information about building the quadcopter equipped with FPV & HD recording camera.
Let’s roll…
Provisioning WebLogic Server in less than 1 minute using Docker
We are going to demonstrate how to provision Oracle WebLogic Server in less than 1 minute Using Docker running on Ubuntu.
Prerequisites
To follow this tutorial, you will need Ubuntu 64-bit up and running. We will be using Ubuntu version 16.04 in our fancy VirtualBox sandbox machine. This is because Docker requires a 64-bit version of Ubuntu as well as a kernel version equal to or greater than 3.10.
1. Installing docker on Ubuntu:
#Add the GPG key for the official Docker repository to our system: sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D #Add the Docker repository to apt sources: sudo apt-add-repository 'deb https://apt.dockerproject.org/repo ubuntu-xenial main' sudo apt-get update #we make sure that we use Docker repo instead of default Ubuntu repo: sudo apt-cache policy docker-engine #installing Docker $ sudo apt-get install -y docker-engine
Verifying installation and displaying information about Docker:
$ docker images -a REPOSITORY TAG IMAGE ID CREATED SIZE hello-world latest 48b5124b2768 3 months ago 1.84kB $ docker run hello-world Hello from Docker! This message shows that your installation appears to be working correctly. #Other check commands $ sudo systemctl status docker $ docker info
2. Provisioning WebLogic Server Domain
Our docker is ready to roll so we navigate to docker hub website:
https://hub.docker.com/r/playniuniu/weblogic-domain
or simply go to https://hub.docker.com and search for “weblogic” docker images.
@ https://hub.docker.com/r/playniuniu/weblogic-domain we copy the following command:
docker run -d -p 8001:8001 –name=wlsadmin playniuniu/weblogic-domain:12.2.1.2 startWebLogic.sh
Run it and after a while (depends on your network speed) a brand new WebLogic Server domain is up and running:
$ docker run -d -p 8001:8001 --name=wlsadmin playniuniu/weblogic-domain:12.2.1.2 startWebLogic.sh Unable to find image 'playniuniu/weblogic-domain:12.2.1.2' locally 12.2.1.2: Pulling from playniuniu/weblogic-domain 8d30e94188e7: Pull complete 1d43e94144e5: Pull complete ... Status: Downloaded newer image for playniuniu/weblogic-domain:12.2.1.2
Voila! We can login to WLS Admin Console http://ubuntuhost:8001/console using credentials weblogic/welcome1 and check if managed server (AdminServer) is up.
Learn more about Docker:
Oracle Compute Cloud Service Overview – Network
Oracle Compute as part of Oracle Cloud Service, is a standards-based infrastructure service. In Network section we control the ways of how we can connect to our Oracle Cloud Services.
Oracle Compute Cloud Service architectural overview
Access to Oracle Compute instances is possible in several ways.
We can use a web browser to access the web console, we can access the REST API directly, or we can use the command-line interface. Secure access is provided by protocols such as SSH and RDP. We can also set up a VPN tunnel to provide secure access to instances in our Oracle Compute Cloud Service network.
Accessing Oracle Compute Cloud with a web browser
Creating Oracle Database Cloud Service (DBaaS)
Previously we were looking at How to get 30 days Free Oracle Cloud Subscription Plan PaaS IaaS. Now let’s take a look at the Oracle Database Public Cloud Services and one of its offerings: Oracle Database Cloud Service (DBaaS).
We will create brand new 12c Database instance, enable remote access and using Oracle SQL developer we will connect from our local machine to the newly created database. Finally we will show how to monitor the database instance with OEM Database Express 12c and DBaaS Monitor.
Creating Database as a Service Instance in Oracle Database Cloud.
- Login to my services using the URL provided by Oracle in a welcome email:
- https://myservices.emea.oraclecloud.com
- Create DB Cloud Service Instance:
We will create our demo database with a backup configuration enabled using both, Cloud Storage and Local Storage. This will allow us in the future creating Oracle SOA Cloud Service instance.
How to get 30 days Free Oracle Cloud Subscription Plan PaaS IaaS
Oracle now offers the Free Oracle Cloud Promotion plan. With this promotion, we start with $300 (€260) Cloud Service credits in your Oracle Cloud Services Account. This balance can be used towards activating and using any of the metered Oracle Cloud Services in the following categories: PaaS, IaaS, Big Data and Middleware Cloud Services, which are available as Pay-as-You-Go subscriptions.
Previously we were playing with free trial subscription of Oracle Database Schema Cloud Service. This tutorial however is different! We are going to try a 30 days free subscription plan, which includes all we need to get started with Oracle Cloud: Compute, Storage, Database, Database Backup, MySQL, Java, SOA, Application Container Cloud and Developer Cloud Services.
Oracle Database Cloud Service free trial account
Oracle Cloud is offering a free of charge 30 days trial subscriptions to Oracle’s Platform (PaaS) and Infrastructure (IaaS) Cloud Services. One of the services is Oracle Database Cloud Service.
Users can find two ways to discover Oracle Cloud. One way is to get 30 days trial subscription to Platform & Infrastructure services. Second way is to register for Application (SaaS) and Data (DaaS) quick tours which offers very nice interactive application demos, videos and e-books.
Oracle Sales Cloud Quick Tour
One of the Platform & Infrastructure services is Oracle Database in the Cloud providing several deployment choices such us single schemas, dedicated pluggable databases, virtualized databases and more. Our focus for today is to activate 30 days subscription to Oracle Database Schema Cloud Service and application express (APEX). Continue reading…
Data Redaction in Oracle Database 12c flaws or security gaps?
I’ve been working on proof of concept project for Data Redaction in Oracle Database 12c. Hard to say but POC has proven that data redaction has couple of flaws or according to Oracle “constraints”. Therefore before we could continue with implementation we would have to find solutions to below findings. Any feedback from the readers would be much appreciated.
Test scenario: Database user schema is “APEX_ZION”. A table “DEMO_CUSTOMERS” has data redaction enabled on CUST_POSTAL_CODE column, masking data using randomly generated characters. Here is how to enable data redaction. Another user schema “TEST_USER” has granted SELECT privileges on DEMO_CUSTOMERS table. The goal is to mask sensitive data for test_user only. So when we login to a database as “APEX_ZION” and we run an SQL query we can see true data:
SQL> SELECT CUST_POSTAL_CODE FROM APEX_ZION.DEMO_CUSTOMERS; CUST_POSTAL_CODE ---------------- 20166 30320 02128 60666 11371 63145 06096 7 rows selected
Next we run the same SQL query as “test_user” and we can see masked data only:
SQL> SELECT CUST_POSTAL_CODE FROM APEX_ZION.DEMO_CUSTOMERS; CUST_POSTAL_CODE ---------------- ]2x#( _UJX/ \Bzy# z:*Qr L`!<I oBE&5 N"2G] 7 rows selected
So far so good. Here comes the funny part…
Oracle Data Redaction in Oracle Database 12c
Data Redaction provides a way to define masking policies for an application. Oracle Data Redaction provides functionality to mask (redact) data that is returned from user SELECT queries. The masking takes place in real time. The difference between Oracle Data Masking and Data Redaction is that Data Redaction doesn’t alter underlying data in the database; it redacts the data only when it is being displayed. Data Redaction can be applied conditionally, based on different factors such as user, application identifiers, or client IP addresses. Data Redaction is available in Oracle Database 12c and now also in 11g Release 2, patch set 11.2.0.4. Data Redaction is licensed as part of Oracle Advanced Security.
EDIT: Be aware of Oracle’s data redaction “constraints”. Read David Litchfield’s white paper “Oracle Data Redaction is Broken” here (PDF). I checked all three described methods in my labs in September 2016 and using “RETURNING INTO” and “XMLQUERY()” methods appears to be fixed. However one gap still persist in a Database 12c version 12.1.0.2 – “an iterative inference attack”. It is still possible to be executed disclosing redacted data even to a regular test_user schema!
Below TEST 3 result based on David’s white paper example:
select cc from APEX_ZION.REDACTIONTEST; CC ------- XXXXXXXXXXXXXXXX --an iterative inference attack exec p_undoredaction; PL/SQL procedure successfully completed. CC: 4111222233334444
Data redaction doesn’t prevent application logic, operations like inserting, updating or deleting data are perfectly consistent with original data. If the application user creates a view on redacted table, the view will also contain the redacted data.