My new homelab Firewall is insane! // Sophos XGS 2100

00:00

[Music]

00:00

this is the sophos xgs 2100

00:03

a powerful next generation firewall that

00:06

i just added to my new home server rack

00:08

it connects all the devices in my

00:10

network and protects my critical servers

00:12

it also scans the traffic in my home

00:14

network to detect exploits and malware

00:16

through deep packet inspection

00:18

absolutely amazing stuff and i also

00:20

connected two new surface access points

00:23

that are powering my wifi at home the

00:25

firewall entirely manages these devices

00:27

and that's making my wireless and

00:29

network management extremely easy and

00:32

comfortable at home

00:33

by the way i recently made a twitter

00:35

post where i asked you guys if you're

00:36

already using a firewall solution in

00:38

your home lab and it seems like many

00:41

people don't but at least plan to do it

00:44

so i hope this will be very interesting

00:46

for you guys who aren't already familiar

00:47

with firewalls but also if you are

00:50

already using pfsense or opensense for

00:52

example you still might want to watch

00:54

because i want to show you some

00:55

conceptual ideas and how i've structured

00:58

my home network and of course talk about

01:00

some of the advanced features firewalls

01:02

especially the surface xg can do and i'm

01:05

really excited about the new surface xgs

01:08

rack devices they are just fantastic so

01:10

many thanks to sophos for sending me

01:13

these devices

01:15

and let's let's start unboxing them so

01:17

there are some smaller packages here i

01:19

just need to put away for a second

01:21

because i just want to start with the

01:23

biggest one

01:28

so this is it

01:30

oh man

01:31

so this one is really heavy and this

01:33

contains my new firewall device so let's

01:35

unbox it

01:38

[Music]

01:43

i i guess this won't be the firewall

01:47

it's a getting started guide

01:51

and this ethernet cable what should i do

01:54

with this

01:56

okay so let's put this aside for a while

01:59

and unbox the firewall

02:05

so here we have the software xgs 2100 so

02:08

this will power all the network devices

02:10

and control the traffic in my home

02:12

network it is the latest series of sofas

02:15

xg appliances while this is by the way

02:17

the smallest one for the rackmounts

02:19

it has eight gigabit ethernet ports

02:21

which are fully programmable so you can

02:24

configure them as local network ports

02:25

you can configure them as bridges up

02:27

links to internet vlan tags and so on so

02:30

really cool stuff and it also has some

02:32

two sfp plus modules but as far as i

02:35

know they only support one gigabit so

02:37

that's why i ordered another box

02:40

so here we have a four part sfp plus

02:43

flexi port module for the surface xgs

02:45

which supports 10 gigabit so this module

02:48

can be plugged into the xgs to extend

02:51

the parts and the functionalities and

02:53

there are also other flexi ports for

02:55

these devices which have additional

02:57

ethernet ports for example or this one

02:59

here like sfp plus modules depending on

03:02

what you need and into the flexipod i

03:04

will put these for 10 gigabit uh jibbix

03:07

so i hope that will all work because

03:09

this is the first time i am playing

03:11

around with 10 gigabit but i probably

03:13

will do a separate video on this if

03:15

that's something you're interested in so

03:17

um stay tuned for that

03:20

i've also ordered access points from

03:22

software so in case you don't know it

03:24

sophos has also access point that you

03:26

can connect and manage directly in the

03:28

firewall you can also do this with your

03:30

surface xg home license by the way or

03:32

you can control these access points in

03:35

software central in the cloud so they

03:37

aren't always the cheapest but you can

03:38

get them in various ranges from small

03:41

office access points to some bigger ones

03:43

but i just ordered them to replace my

03:45

old access points in my network so the

03:47

most exciting part for me is absolutely

03:50

this device here the surface xgs so

03:52

let's get this thing into my server rack

03:59

[Music]

04:00

[Applause]

04:02

[Music]

04:04

[Applause]

04:06

[Music]

04:09

okay so that is what i've done the last

04:11

weeks and i think the new firewall

04:12

appliance just looks amazing in this

04:14

server rack i've now connected

04:16

everything and i've done the basic setup

04:18

and as i said in the past i was running

04:20

the sofas xg as a virtual machine inside

04:22

my proxmox server

04:24

this one here and there were two network

04:27

cards in the server which i had

04:28

connected to the virtual firewall one

04:31

for the local network that i connected

04:32

to my switch and one for the internet

04:35

connection and now that isn't needed

04:37

anymore because i now have the firewall

04:39

as a physical hardware appliance here

04:41

and i now have the freedom to use and

04:42

configure all the ethernet ports and the

04:44

flexi port module exactly how i want

04:47

that of course gives me much more

04:49

flexibility to test specific scenarios

04:51

isolate my network and create separate

04:53

firewall rules on all these interfaces

04:55

for example i have connected my switch

04:57

to the first port on the surface xg to

05:00

connect all my ethernet devices in my

05:02

house it doesn't need much speed because

05:04

these are mostly things like printers

05:06

laptops or my philips hue bridge for

05:08

example and i've also connected my poe

05:10

switch to the fourth part of the

05:12

firewall and these two ports are bridged

05:14

together so that means they are in the

05:16

same local network this is important to

05:19

keep in mind because i also connected my

05:20

servers directly to the firewall by

05:22

using this flexi port module which is a

05:24

10 gigabit one and these ports on the

05:26

flexi port module are also bridged

05:28

together so they are in the same server

05:30

network and they can talk to each other

05:32

but not on the same network as my

05:34

switches so i've put these ports into

05:37

two different zones on the fireball

05:38

because then i can better control which

05:40

traffic is allowed to come in and go out

05:42

and i also can create firewall rules to

05:44

do malware scanning or traffic filtering

05:46

to better protect and isolate my servers

05:49

from the rest of the network and this is

05:51

really cool let me explain this in more

05:52

detail and how you generally configure

05:54

things like that on the firewall

05:57

[Music]

05:59

when i set up a new firewall first i

06:01

usually configure some general settings

06:03

like the initial deployment the

06:05

licensing downloading the latest

06:07

firmware and so on and i don't think i

06:09

need to walk you through all of this

06:10

stuff because this is actually very

06:12

straightforward to set up the

06:14

interesting part i want to show you is

06:16

the network and interface configuration

06:18

that i changed on the firewall so first

06:20

i created a layer 2 bridge interface

06:22

with the name lan underscore br and i

06:25

bound the ports 1 and the port 4

06:27

together remember the first port goes to

06:29

my switch and the second goes to my pue

06:32

switch which i have connected my home

06:34

devices to i've put both ports into the

06:36

lan zone and added the 10.10 ipv4

06:39

network with a subnet mask of 16 to this

06:42

interface and this gives me a really

06:44

huge ip address range for my home

06:46

network not that i need it for anything

06:48

but yeah it just looks nice the second

06:51

layer 2 bridge that i created is called

06:53

dmz underscore vr and that bounce all

06:56

the 10 gigabit ports on the firewall

06:58

together i've put them all in the dmz

07:00

zone in the 10.20 network also with a

07:03

subnet mask of 16. this connects my

07:05

servers the virtual machines the nas and

07:08

everything like this i mostly use static

07:11

ip addresses for all of these machines

07:12

that are also managed on the firewall so

07:15

all of my servers are assigned to groups

07:17

here which contain the ip addresses for

07:19

the actual servers there later can use

07:21

these objects in the firewall rules to

07:23

define the access to my internal server

07:26

network i later also might differentiate

07:28

this further into vlans because i want

07:30

to put several vms on my proxmox server

07:32

into different networks but this is a

07:35

project for upcoming videos currently

07:37

putting all of these servers into one

07:38

single network is fine the main reason

07:41

why i'm doing all of this is i want to

07:43

isolate my servers from the rest of my

07:45

home network and control with firewall

07:47

rules which services and ip addresses

07:49

can be accessed because as you probably

07:52

know a firewall system like this only

07:54

allows traffic to pass through if a

07:56

fireball rule matches this specific

07:58

traffic for example i have created one

08:01

firewall rule that allows all devices

08:03

from my lan and the dmz zone to connect

08:05

to the lan zone but not anywhere else

08:08

this just allows basic internet access

08:10

for all of the devices in my network but

08:12

if i want to connect from my pc which is

08:14

in the lan zone to my servers which are

08:16

in the dmz zone i need another fireball

08:19

rule to specifically allow this and

08:21

because i don't want everyone in my home

08:23

network to access my servers i created

08:25

another firewall rule where i defined

08:27

that only authenticated users are

08:29

allowed to connect from the lan zone to

08:31

any target in the dmz zone with that

08:34

firewall rule i'm ensuring that only

08:36

administrators have full access to my

08:38

servers mainly this is a fiber rule just

08:40

for me because i'm the only

08:42

administrator in my home network but the

08:44

interesting part here is that the

08:46

surface xg doesn't just work with ip

08:48

addresses and zones it can also allow

08:50

traffic based on users so when i want to

08:53

access my servers i always need to

08:55

authenticate with the software's client

08:56

on my pc first to match this firewall

08:59

rule and access my servers now in a

09:01

typical company environment you might

09:03

also have external authentication

09:05

providers you can set up in the firewall

09:07

so for example you can create a

09:09

connection to an active directory or to

09:11

an ldap to authenticate users to the

09:13

firewall and even synchronize the

09:15

authentication with a software's

09:17

endpoint client and this works even in

09:19

large environments in networks with

09:20

thousands of users and this is perfect

09:23

to add another layer of protection to

09:25

your network stack

09:26

however i still might want to allow

09:29

unauthorized traffic in some cases

09:31

because my servers are also running some

09:33

workloads that should be accessible for

09:35

everyone in my home network so for

09:37

example this is my password manager i've

09:39

set up or my minecraft server that i

09:41

want to play on with my son so i have

09:43

created other firewall rules and this

09:45

allows access to my servers even when

09:47

the user is not authenticated but only

09:49

to specific ip addresses and ports

09:52

so this can give anyone access to

09:54

specific services and workloads running

09:56

on my virtual servers or maybe i could

09:58

also configure access to my storage

10:00

server if i'd like to do file sharing

10:02

with other pcs and so on

10:04

the point is that when you set up or

10:06

allow unauthorized access on your

10:08

firewall you should at least always

10:10

limit your ip addresses and services or

10:12

protocols which are permitted so for

10:15

example with these firewall rules

10:17

everyone in my home network can connect

10:18

to my minecraft server but not to the

10:21

ssh port

10:23

but this is not all the surface xg

10:24

firewall does just look at ip addresses

10:27

and ports it can also look inside the

10:29

network protocol stack and is able to

10:31

detect malicious patterns exploits

10:33

malware and so on now this is possible

10:36

because the software's engineers

10:37

included a bunch of different scanning

10:39

engines into this system which are all

10:41

handled by the new extreme architecture

10:44

and this is a high performant

10:45

architecture that can decrypt and scan

10:47

https traffic with the latest protocols

10:50

it can detect and block malware by

10:52

including sandboxing and artificial

10:54

intelligence and you can also accelerate

10:56

traffic and do things like sd-wan or

10:59

prioritization of application and

11:00

protocols now i get this is overwhelming

11:03

to explain all of this stuff i probably

11:05

would need a full one hour long video

11:07

again but to give you a brief overview

11:09

of what it does you can enable any of

11:12

these protection features per firewall

11:14

rule so you can for example use the ips

11:17

engine to scan the network traffic to

11:18

your servers and search for specific

11:21

exploits

11:22

do you still remember the recent lock

11:24

for jail vulnerability for example so

11:26

that incidents where so many java

11:27

applications were affected with so in

11:30

the surface xg there are ips patterns

11:32

that can detect and block this

11:34

particular exploit and if you enable

11:36

this ips policy in your firewall rule

11:38

that allows traffic to your servers the

11:41

fireball will detect and block these

11:43

specific attacks even before they ever

11:45

reach your servers

11:46

and just like this example there are

11:48

many many more of these well-known ips

11:50

signatures surface maintains for the

11:52

firewall i don't want to go into too

11:54

much detail here because there's so much

11:57

you can do with this i already made a

11:59

video about the surface xg home version

12:00

on my proxmox server which you can set

12:02

up entirely for free by the way and in

12:04

this one i covered some of the advanced

12:07

filtering engines like the web

12:08

protection the application protection

12:11

and so on

12:12

and from a software or protection site

12:14

there is just a very minimal difference

12:16

between the virtual version and the

12:18

hardware appliance here the features on

12:20

the system are actually the same the

12:22

only advantage the firewall appliance

12:24

has it is optimized for these computing

12:27

tasks so when you have a lot of scanning

12:29

engines enabled in your firewall rule

12:31

the hardware appliance will accelerate

12:34

and offload this traffic a bit more

12:36

efficient than the virtual ones anyway i

12:38

think i have explained the most

12:40

important concept here and that is to

12:42

separate your network this is really the

12:45

foundation for a good security concept

12:47

because if you're putting everything on

12:49

one single network the firewall is never

12:51

in control of this internal traffic and

12:53

you can't effectively protect your

12:55

critical services so here the surface

12:58

xgs really helps me a lot because i can

13:00

put everything on a different interface

13:02

and i can bound interfaces together and

13:05

put them in different network zones and

13:07

i know creating fiber rules for every

13:09

traffic and every protocol and

13:10

everything in your home network that can

13:12

be a challenge but it is absolutely

13:15

vital to protect your servers and this

13:17

is a great practice for everyone who

13:19

needs to administrate networks and

13:21

companies so i can just encourage you

13:23

start looking into firewall systems for

13:25

your home lab it doesn't need to be

13:27

complicated but you can just start

13:29

somewhere and then as your knowledge

13:31

expands you can also think about new

13:32

security policies or firewall rules

13:34

you're setting up

13:36

okay so enough for firewall rules it was

13:38

a lot but let me also show you what i'm

13:40

using the surface xgs4 to manage my wifi

13:43

access points in my home network because

13:45

this is also a feature that is extremely

13:47

useful it is not very complex to explain

13:50

so we can just go through this very

13:51

quickly but this is actually the point

13:54

it should be as simple as possible

13:56

the only thing i needed to do to set up

13:58

my new access points is to enable the

14:00

wi-fi in the zone that is attached to

14:03

the poe switch in my case the lan zone

14:05

and then i just connected my access

14:07

points to my poe switch and they will

14:09

automatically show up in the software's

14:11

x2u wireless dashboard all these access

14:14

points are controllable through this

14:15

dashboard so you can group them you can

14:18

set up things like the ssid the password

14:20

the wifi channels and all of this stuff

14:22

all the changes are applied to the

14:23

selected access points remotely so you

14:26

don't have any web interface where you

14:27

need to go and configure them one by one

14:30

and this is absolutely fantastic of

14:32

course i have configured some other

14:33

things on the firewall as well but i'm

14:35

still not finished with all of it

14:37

because i'm going to change a lot of

14:38

things here like adding new servers and

14:41

i want to change my network switches and

14:43

so on uh by the way there's something

14:45

really interesting for you sophos fans

14:46

coming i don't want to talk about it too

14:48

much right now but i hope this video

14:50

already gave you some ideas and

14:52

inspiration about protecting your

14:53

network and why it's always a great idea

14:56

to have such a firewall again i just

14:58

want to say if you are interested in

14:59

buying these firewall appliances this

15:02

device here is an absolute overkill for

15:04

usual home lab and as i've told you i've

15:07

done many setups with virtual surface

15:09

xg's and free home licenses which i was

15:12

running before myself so if you want to

15:13

check out how you can use the sofas xg

15:15

at home as a virtual machine for example

15:17

and if you want to have a deep dive into

15:19

setting up tls inspection network

15:22

protection and other firewall rules

15:24

check out my other video that i did some

15:26

time ago about the surface xg and if i

15:28

will change something interesting in my

15:29

home lab be sure that i will let you

15:31

know anyway thank you so much for

15:33

watching everybody take care and i will

15:35

catch you in the next video bye bye

15:38

i will let you know anyway thank you so

15:40

much for watching everybody take care

15:42

and i will catch you in the next video

15:43

bye