Published: May 1, 2020
The first Intro to Security Analysis - HomeIDS article focuses on configuring a home router for DMZ or transparent mode. This forwards all traffic destined for our public IP to an internal resource. That resource could be anything: a software-based firewall, or in my case, a Sophos UTM (Home Edition) running on its own hardware. Putting a real firewall at the edge gives us better control over, and visibility into, our network traffic.
You may not have my AT&T home router or Sophos firewall, but these steps should help you ask the right questions and google your own setup successfully.
The first thing to take note of is our public IP address. Your ISP's router will show this as well:
Connect an Ethernet cable from an open port on your ISP's router to your machine, or to the WAN port of your intended firewall.
Browse to your router's IP. My AT&T router's default IP is 192.168.1.254, so I browsed to http://192.168.1.254
Then I browse to Settings -> Firewall
And choose “Applications, Pinholes and DMZ”
Step one is to select a computer (the Sophos FW in my case):
The Sophos FW showed up as:
Since the name wasn't descriptive, I confirmed it was the right device on the router's DHCP page by matching the IP address.
Step two is to edit the firewall settings
Continue scrolling down and select “Allow all applications (DMZplus mode)”
Click Save, enter your Access code/password, and the configuration is saved!
All traffic destined for your public IP should now be forwarded to the selected device (my Sophos FW). Keep in mind that this device is now directly reachable from the Internet on every port, so make sure its WAN side is locked down before you enable DMZplus.
Now we'll log in to the firewall and configure the WAN and LAN interfaces. This is my Sophos UTM welcome screen:
Under Interfaces & Routing – Interfaces
My ATT_WAN interface IP address matches my external IP address and the default gateway is pre-populated. This confirms the public IP is being passed through to the firewall. If the WAN interface had picked up a 192.168.1.x address from the router instead, the firewall would still be sitting behind the router's NAT (double NAT) and DMZplus would not be in effect.
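To make that check explicit rather than eyeballing the interface page, here is a small script I'd run, added here as an example and not part of the original article or of Sophos's tooling. It takes the firewall's WAN address and the public IP shown on the ISP router's status page, both entered by hand, and reports whether the WAN side holds the public address, an RFC 1918 or carrier-grade NAT address (still behind the gateway's NAT), or a 169.254.x.x address (no DHCP lease at all). The sample values at the bottom are constructed.

```python
"""Check that the ISP gateway handed its public IP to the firewall's WAN interface.

Added example, not from the original article. Both addresses are read by hand
from the firewall's WAN interface page and the ISP router's status page; the
sample values under __main__ are constructed.
"""
import ipaddress
from typing import Tuple

# Ranges a WAN interface should never carry once DMZplus / IP passthrough works.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "fc00::/7",                                         # IPv6 unique local
)]
CGNAT = ipaddress.ip_network("100.64.0.0/10")           # RFC 6598 carrier-grade NAT
LINK_LOCAL = [ipaddress.ip_network("169.254.0.0/16"),   # IPv4 fallback when DHCP fails
              ipaddress.ip_network("fe80::/10")]


def classify_wan_ip(addr: str) -> str:
    """Classify addr as 'public', 'private', 'cgnat', 'link-local' or 'invalid'.

    Anything outside the ranges above is treated as public, so documentation
    ranges such as 203.0.113.0/24 count as public (handy for constructed samples).
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in LINK_LOCAL):
        return "link-local"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def check_passthrough(wan_ip: str, gateway_public_ip: str) -> Tuple[bool, str]:
    """Return (ok, explanation) for the WAN address versus the gateway's public IP."""
    kind = classify_wan_ip(wan_ip)
    if kind == "invalid":
        return False, f"{wan_ip!r} is not an IP address"
    if kind == "link-local":
        return False, (f"{wan_ip} is link-local: the WAN port got no DHCP lease; "
                       "check the cable and the gateway's DHCP client table")
    if kind in ("private", "cgnat"):
        return False, (f"{wan_ip} is {kind} space: the firewall is still behind the "
                       "gateway's NAT (double NAT); DMZplus is not applied to this host")
    try:
        same = ipaddress.ip_address(wan_ip) == ipaddress.ip_address(gateway_public_ip)
    except ValueError:
        return False, f"gateway public IP {gateway_public_ip!r} is not an IP address"
    if not same:
        return False, (f"WAN holds public address {wan_ip} but the gateway reports "
                       f"{gateway_public_ip}; passthrough may point at another host")
    return True, f"WAN address {wan_ip} matches the gateway's public IP; passthrough is working"


if __name__ == "__main__":
    # Constructed values: what the WAN might show before and after DMZplus.
    for wan, public in (("192.168.1.64", "203.0.113.7"), ("203.0.113.7", "203.0.113.7")):
        ok, why = check_passthrough(wan, public)
        print("OK " if ok else "BAD", why)
```

The "cgnat" case is worth keeping even on a home fibre line: some ISPs hand out 100.64.0.0/10 addresses on the WAN side, and in that situation no amount of DMZ configuration on your own gateway will give you a routable public IP.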
Default settings for this interface in my FW:
Now I’ll create a new internal interface with the following info:
This internal interface (eth0) connects to a switch on my network. My home computers and all my VMs hang off this switch, which I also use to mirror traffic into Security Onion for analysis.
In the Sophos UTM, a few things have to be enabled before the network is operational. First, add the new network to the DNS allowed networks so internal hosts can resolve through the UTM:
Interfaces & Routing -> Network Services -> DNS
Add: Internal (Network)
Configure a DHCP Server (Internal)
The last thing required is to set up masquerading so that all outbound traffic is NATed to our public IP:
Now we can set up our firewall rules and decide what our internal network is allowed to talk to:
So what are the benefits?
Commercial and home-edition firewalls have better UIs, controls and features than most ISP routers. Maybe you're familiar with a particular brand, or you're looking to learn a new interface. For me, using the Sophos UTM Home Edition adds IPS, web protection, WAF, email protection, ATP, wireless and VPN features, all of which I've tested for research and most of which I currently use. I also forward all of my firewall traffic logs to Splunk for further analysis. Here's an example of the UTM reports.
Network Protect and IPS:
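Once the UTM is the edge device, its packet filter log shows every inbound connection attempt the ISP router used to absorb silently, which is the raw material behind reports like the one above. As an added example (not the article's or Sophos's own code), here is a short script that parses lines in the key="value" format the UTM's ulogd writes to packetfilter.log and summarises dropped inbound traffic on the WAN interface by destination port and by source. The log lines are constructed in that format and are not real captures, and the WAN interface name eth1 is an assumption (the article names the interface ATT_WAN and uses eth0 for the internal side).

```python
"""Summarise dropped inbound connections on the WAN side from Sophos UTM
packet filter log lines.

Added example, not from the original article. The lines below are constructed
in the key="value" style that the UTM's ulogd writes to packetfilter.log; the
WAN interface name eth1 is an assumption.
"""
import re
from collections import Counter
from typing import Dict, Iterator, Tuple

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample log (not real captures): four inbound drops on the WAN side,
# one outbound drop from the LAN, and one accepted LAN-to-Internet connection.
SAMPLE_LOG = """\
2020:05:01-10:02:13 utm ulogd[2190]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.23" dstip="203.0.113.7" proto="6" srcport="51823" dstport="23" tcpflags="SYN"
2020:05:01-10:02:14 utm ulogd[2190]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.23" dstip="203.0.113.7" proto="6" srcport="51824" dstport="445" tcpflags="SYN"
2020:05:01-10:02:20 utm ulogd[2190]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.88" dstip="203.0.113.7" proto="6" srcport="40011" dstport="23" tcpflags="SYN"
2020:05:01-10:02:31 utm ulogd[2190]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.0.2.88" dstip="203.0.113.7" proto="17" srcport="5060" dstport="5060"
2020:05:01-10:02:40 utm ulogd[2190]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" srcip="10.0.0.15" dstip="198.51.100.40" proto="6" srcport="50200" dstport="25" tcpflags="SYN"
2020:05:01-10:02:45 utm ulogd[2190]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="1" initf="eth0" outitf="eth1" srcip="10.0.0.15" dstip="198.51.100.40" proto="6" srcport="50201" dstport="443" tcpflags="SYN"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict of its key="value" fields (syslog prefix ignored)."""
    return dict(KV_RE.findall(line))


def dropped_inbound(log_text: str, wan_if: str = "eth1") -> Iterator[Dict[str, str]]:
    """Yield records for packets the packet filter dropped as they arrived on wan_if."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec.get("sub") == "packetfilter" and rec.get("action") == "drop"
                and rec.get("initf") == wan_if):
            yield rec


def summarise(log_text: str, wan_if: str = "eth1") -> Tuple[Counter, Counter]:
    """Count dropped inbound packets by (protocol, destination port) and by source IP."""
    by_port: Counter = Counter()
    by_src: Counter = Counter()
    for rec in dropped_inbound(log_text, wan_if):
        proto = PROTO.get(rec.get("proto", ""), rec.get("proto", "?"))
        by_port[(proto, rec.get("dstport", "-"))] += 1
        by_src[rec["srcip"]] += 1
    return by_port, by_src


if __name__ == "__main__":
    ports, sources = summarise(SAMPLE_LOG)
    print("Dropped inbound by port:")
    for (proto, port), n in ports.most_common():
        print(f"  {proto}/{port:<5} {n}")
    print("Dropped inbound by source:")
    for src, n in sources.most_common():
        print(f"  {src:<16} {n}")
```

Filtering on initf (the interface the packet arrived on) is what separates Internet-side scanning from your own LAN hosts being blocked by an egress rule; the outbound SMTP drop from 10.0.0.15 in the sample is deliberately excluded from the counts for that reason.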
Firewalls differ in their out-of-the-box features, but I've had a lot of success with the Sophos UTM for home use. I recommend giving it a try as a VM or on a spare machine.
In the next article, we'll look at setting up our managed switch in preparation for mirroring traffic to a local IDS: Security Onion.