My new homelab Firewall is insane! // Sophos XGS 2100
Summary
TL;DR: This video showcases the setup and features of the Sophos XGS 2100, a next-generation firewall, in a home server rack. The presenter highlights its deep packet inspection for malware detection, its management of two new Sophos access points, and the ease of network management it provides. The video also discusses the importance of network separation for security, setting up firewall rules, and managing Wi-Fi access points through the Sophos interface. It concludes with a teaser for upcoming content and a recommendation for viewers interested in home lab security solutions.
Takeaways
- The video introduces the Sophos XGS 2100, a next-generation firewall designed to secure home networks by managing and protecting devices.
- The firewall connects all devices in the home network and uses deep packet inspection to detect exploits and malware.
- Two new Sophos access points are added to power the home Wi-Fi, managed entirely by the firewall for streamlined network management.
- The presenter shared a Twitter poll indicating that many people are considering firewall solutions for their home labs, suggesting a growing interest in home network security.
- The unboxing segment reveals the contents of the Sophos XGS 2100 package, including a getting started guide and an Ethernet cable.
- The Sophos XGS 2100 is part of the latest series of Sophos XG appliances and is the smallest rackmount model, with eight gigabit Ethernet ports and two SFP+ modules.
- The presenter plans to upgrade the network speed with a four-port SFP+ Flexi Port module for 10 gigabit connectivity.
- The video provides a walkthrough of setting up the firewall, including configuring general settings, licensing, and firmware updates.
- The presenter demonstrates how to create layer 2 bridge interfaces and bind ports for different network zones, emphasizing the importance of network segmentation for security.
- The Sophos XG firewall's advanced features include intrusion prevention system (IPS) engines, malware detection, and traffic prioritization.
- The video concludes with a discussion on the importance of firewall rules for controlling traffic and protecting critical services within the home network.
Q & A
What is the Sophos XGS 2100?
- The Sophos XGS 2100 is a next-generation firewall that connects and protects network devices, scans traffic for exploits and malware through deep packet inspection, and manages wireless access points.
What are the key features of the Sophos XGS 2100?
- Key features include eight gigabit Ethernet ports that are fully programmable, two SFP+ modules supporting one gigabit, and the capability to manage wireless access points directly from the firewall.
What additional hardware is required for the Sophos XGS 2100 to support 10 gigabit?
- A four-port SFP+ Flexi Port module is required to extend the capabilities and support 10 gigabit connections.
How does the Sophos XGS 2100 manage wireless access points?
- The firewall can manage access points directly, allowing for centralized configuration of settings such as SSID, password, and Wi-Fi channels through the firewall's wireless dashboard.
What is the purpose of the layer 2 bridge interface created in the setup?
- The layer 2 bridge interface binds specific ports together so that they are part of the same local network, which simplifies the configuration of firewall rules and traffic control.
How does the Sophos XGS 2100 differentiate between different network zones?
- The firewall uses different zones such as LAN and DMZ to control and isolate traffic. It allows the creation of specific firewall rules to manage which services and IP addresses can be accessed within each zone.
What is the advantage of using the physical Sophos XGS 2100 appliance over a virtual machine?
- The physical appliance is optimized for these computing tasks and can accelerate and offload traffic more efficiently than a virtual machine, especially when multiple scanning engines are enabled.
How does the Sophos XGS 2100 protect against exploits and malware?
- It includes various scanning engines that can detect and block malicious patterns, exploits, and malware, with capabilities like sandboxing and artificial intelligence.
What is the significance of the firewall rules created in the Sophos XGS 2100 setup?
- Firewall rules define the traffic flow and access permissions within the network, ensuring that only authorized and authenticated users can access specific services and servers.
How does the Sophos XGS 2100 handle unauthenticated access to services running on home servers?
- The firewall can be configured to allow unauthenticated access to specific services and workloads on home servers through rules that permit access only to certain IP addresses and ports, so security controls stay in place.
Outlines
Introduction to Sophos XG Firewall and Home Network Setup
The video begins with an introduction to the Sophos XGS 2100, a next-generation firewall that protects the home network and servers by scanning for exploits and malware through deep packet inspection. The presenter shares their excitement about integrating the firewall with their home server rack and mentions their recent Twitter poll, which indicated many people are considering firewall solutions. The presenter unboxes the Sophos XGS 2100, highlighting its features including eight gigabit Ethernet ports and two SFP+ modules. They also discuss the addition of a four-port SFP+ Flexi Port module to support 10 gigabit connections and mention plans to explore 10 gigabit capabilities in a future video. The segment includes the presenter expressing gratitude to Sophos for providing the devices and a tease of upcoming content related to setting up and managing the firewall.
Network Configuration and Zone Management with Sophos XG
In this segment, the presenter delves into the network configuration of their home server rack, detailing how they've connected various devices to the Sophos XGS 2100 firewall. They explain the setup of a Layer 2 bridge interface for their local area network (LAN) and another for a demilitarized zone (DMZ), which includes their servers and virtual machines. The presenter discusses the strategic placement of devices into different zones within the firewall for better traffic control and security. They also touch on the creation of firewall rules to manage access to the servers, ensuring that only authenticated users can connect to certain services. The video highlights the importance of network segmentation and the use of firewall rules to protect critical services within the home network.
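The zone and rule layout described on this page can be modelled in a few lines to check which flows it actually permits. This is an added example, not Sophos configuration and not the presenter's rule set: the host addresses, ports and rule names are constructed, the internet rule is assumed to target a WAN zone, and first-match evaluation with unauthenticated traffic falling through a user-based rule is a modelling assumption.

```python
import ipaddress
from dataclasses import dataclass

# Zone networks as described in the video (both /16).
ZONES = {
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed sample services in the DMZ (addresses and ports are assumptions).
MINECRAFT = ("10.20.0.10", 25565)
PASSWORDS = ("10.20.0.11", 443)


def zone_of(ip):
    """Map an address to its zone; anything outside the bridges is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: tuple
    dst_zone: str
    dst_ips: tuple = ()        # empty means any host in dst_zone
    ports: tuple = ()          # empty means any TCP port
    require_auth: bool = False

    def matches(self, src, dst, port, authenticated):
        return (
            zone_of(src) in self.src_zones
            and zone_of(dst) == self.dst_zone
            and (not self.dst_ips or dst in self.dst_ips)
            and (not self.ports or port in self.ports)
            and (authenticated or not self.require_auth)
        )


# Hypothetical rule set mirroring the rules the video describes.
RULES = [
    Rule("admin-to-dmz", ("LAN",), "DMZ", require_auth=True),
    Rule("minecraft", ("LAN",), "DMZ", (MINECRAFT[0],), (MINECRAFT[1],)),
    Rule("password-manager", ("LAN",), "DMZ", (PASSWORDS[0],), (PASSWORDS[1],)),
    Rule("internet", ("LAN", "DMZ"), "WAN"),
]


def evaluate(src, dst, port, authenticated=False, rules=RULES):
    """Return the name of the first matching rule, or None (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, port, authenticated):
            return rule.name
    return None


def audit(rules):
    """Flag rules into the DMZ that skip authentication without pinning
    both the destination hosts and the ports."""
    return [
        r.name for r in rules
        if r.dst_zone == "DMZ" and not r.require_auth
        and not (r.dst_ips and r.ports)
    ]


if __name__ == "__main__":
    pc = "10.10.1.5"  # constructed LAN client
    print("minecraft, no login:", evaluate(pc, MINECRAFT[0], 25565))
    print("ssh, no login:      ", evaluate(pc, MINECRAFT[0], 22))
    print("ssh, logged in:     ", evaluate(pc, MINECRAFT[0], 22, True))
    print("over-broad rules:   ", audit(RULES))
```

The `audit` helper encodes the video's advice that any rule allowing unauthenticated access should be limited to specific IP addresses and services.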
Advanced Firewall Features and Traffic Management
The presenter continues by exploring the advanced features of the Sophos XG firewall, focusing on its ability to inspect network traffic at various layers and detect malicious patterns and exploits. They mention the inclusion of multiple scanning engines within the firewall, which are handled by the Xstream Architecture for high-performance traffic scanning. The video explains how the firewall can be configured to apply specific protection features per firewall rule, such as Intrusion Prevention System (IPS) policies, to detect and block known vulnerabilities like the recent 'Log4Shell' exploit. The presenter also discusses using the firewall to manage Wi-Fi access points, simplifying the process of configuring and updating network settings across multiple devices. The segment concludes with a brief mention of upcoming changes to the presenter's home lab and a tease for future content related to Sophos products.
Home Lab Security and Future Network Enhancements
In the final paragraph, the presenter addresses the practicality of using the Sophos XG firewall for home lab setups, suggesting that the model featured in the video may be overkill for most home users. They recommend exploring virtual options or free home licenses as more accessible alternatives. The presenter also encourages viewers to consider implementing basic firewall systems for their home networks, emphasizing the importance of network separation and security. They hint at future videos that will cover more advanced topics like TLS inspection and network protection. The video ends with a promise to keep viewers updated on any significant changes to the presenter's home lab setup and a farewell until the next video.
Keywords
- Sophos XGS 2100
- Firewall
- Deep Packet Inspection
- Sophos Access Points
- Rackmount
- Gigabit Ethernet Ports
- SFP+ Modules
- Network Zones
- Firewall Rules
- Authentication
- SD-WAN
Highlights
Introduction of the Sophos XGS 2100 next-generation firewall for home server network protection.
The firewall's capability to manage and protect critical servers and scan network traffic for threats.
Integration of two new Sophos access points for home Wi-Fi, managed by the firewall.
Discussion on the importance of firewall solutions in home labs and a survey of Twitter responses.
Overview of the advanced features of firewalls, especially the Sophos XG.
Unboxing and setup process of the Sophos XGS 2100 appliance.
Explanation of the firewall's programmable gigabit Ethernet ports and SFP plus modules.
Installation of a 10 gigabit SFP plus flexi port module for enhanced network capabilities.
Introduction of Sophos access points and their management through the firewall.
Physical setup of the firewall in the server rack and initial configuration.
Network configuration detailing the creation of layer 2 bridge interfaces and IP address assignments.
Explanation of network zoning and its role in traffic control and server protection.
Firewall rule creation for controlling access to servers and services within the home network.
Authentication requirements for accessing servers through the firewall.
Demonstration of how to manage Wi-Fi access points through the firewall's wireless dashboard.
Discussion on the benefits of network separation for security and traffic control.
Overview of the firewall's advanced threat detection capabilities, including IPS, malware scanning, and AI.
Recommendations for home lab network protection and the use of firewall systems.
Conclusion and a tease for future content related to Sophos products and home lab updates.
Transcripts
[Music]
this is the sophos xgs 2100
a powerful next generation firewall that
i just added to my new home server rack
it connects all the devices in my
network and protects my critical servers
it also scans the traffic in my home
network to detect exploits and malware
through deep packet inspection
absolutely amazing stuff and i also
connected two new sophos access points
that are powering my wifi at home the
firewall entirely manages these devices
and that's making my wireless and
network management extremely easy and
comfortable at home
by the way i recently made a twitter
post where i asked you guys if you're
already using a firewall solution in
your home lab and it seems like many
people don't but at least plan to do it
so i hope this will be very interesting
for you guys who aren't already familiar
with firewalls but also if you are
already using pfsense or opnsense for
example you still might want to watch
because i want to show you some
conceptual ideas and how i've structured
my home network and of course talk about
some of the advanced features firewalls
especially the sophos xg can do and i'm
really excited about the new sophos xgs
rack devices they are just fantastic so
many thanks to sophos for sending me
these devices
and let's let's start unboxing them so
there are some smaller packages here i
just need to put away for a second
because i just want to start with the
biggest one
so this is it
oh man
so this one is really heavy and this
contains my new firewall device so let's
unbox it
[Music]
i i guess this won't be the firewall
it's a getting started guide
and this ethernet cable what should i do
with this
okay so let's put this aside for a while
and unbox the firewall
so here we have the sophos xgs 2100 so
this will power all the network devices
and control the traffic in my home
network it is the latest series of sophos
xg appliances while this is by the way
the smallest one for the rackmounts
it has eight gigabit ethernet ports
which are fully programmable so you can
configure them as local network ports
you can configure them as bridges
uplinks to internet vlan tags and so on so
really cool stuff and it also has some
two sfp plus modules but as far as i
know they only support one gigabit so
that's why i ordered another box
so here we have a four port sfp plus
flexi port module for the sophos xgs
which supports 10 gigabit so this module
can be plugged into the xgs to extend
the ports and the functionalities and
there are also other flexi ports for
these devices which have additional
ethernet ports for example or this one
here like sfp plus modules depending on
what you need and into the flexi port i
will put these for 10 gigabit uh gbics
so i hope that will all work because
this is the first time i am playing
around with 10 gigabit but i probably
will do a separate video on this if
that's something you're interested in so
um stay tuned for that
i've also ordered access points from
sophos so in case you don't know it
sophos has also access point that you
can connect and manage directly in the
firewall you can also do this with your
sophos xg home license by the way or
you can control these access points in
sophos central in the cloud so they
aren't always the cheapest but you can
get them in various ranges from small
office access points to some bigger ones
but i just ordered them to replace my
old access points in my network so the
most exciting part for me is absolutely
this device here the sophos xgs so
let's get this thing into my server rack
[Music]
[Applause]
[Music]
[Applause]
[Music]
okay so that is what i've done the last
weeks and i think the new firewall
appliance just looks amazing in this
server rack i've now connected
everything and i've done the basic setup
and as i said in the past i was running
the sophos xg as a virtual machine inside
my proxmox server
this one here and there were two network
cards in the server which i had
connected to the virtual firewall one
for the local network that i connected
to my switch and one for the internet
connection and now that isn't needed
anymore because i now have the firewall
as a physical hardware appliance here
and i now have the freedom to use and
configure all the ethernet ports and the
flexi port module exactly how i want
that of course gives me much more
flexibility to test specific scenarios
isolate my network and create separate
firewall rules on all these interfaces
for example i have connected my switch
to the first port on the sophos xg to
connect all my ethernet devices in my
house it doesn't need much speed because
these are mostly things like printers
laptops or my philips hue bridge for
example and i've also connected my poe
switch to the fourth port of the
firewall and these two ports are bridged
together so that means they are in the
same local network this is important to
keep in mind because i also connected my
servers directly to the firewall by
using this flexi port module which is a
10 gigabit one and these ports on the
flexi port module are also bridged
together so they are in the same server
network and they can talk to each other
but not on the same network as my
switches so i've put these ports into
two different zones on the firewall
because then i can better control which
traffic is allowed to come in and go out
and i also can create firewall rules to
do malware scanning or traffic filtering
to better protect and isolate my servers
from the rest of the network and this is
really cool let me explain this in more
detail and how you generally configure
things like that on the firewall
[Music]
when i set up a new firewall first i
usually configure some general settings
like the initial deployment the
licensing downloading the latest
firmware and so on and i don't think i
need to walk you through all of this
stuff because this is actually very
straightforward to set up the
interesting part i want to show you is
the network and interface configuration
that i changed on the firewall so first
i created a layer 2 bridge interface
with the name lan underscore br and i
bound the ports 1 and the port 4
together remember the first port goes to
my switch and the second goes to my poe
switch which i have connected my home
devices to i've put both ports into the
lan zone and added the 10.10 ipv4
network with a subnet mask of 16 to this
interface and this gives me a really
huge ip address range for my home
network not that i need it for anything
but yeah it just looks nice the second
layer 2 bridge that i created is called
dmz underscore vr and that binds all
the 10 gigabit ports on the firewall
together i've put them all in the dmz
zone in the 10.20 network also with a
subnet mask of 16. this connects my
servers the virtual machines the nas and
everything like this i mostly use static
ip addresses for all of these machines
that are also managed on the firewall so
all of my servers are assigned to groups
here which contain the ip addresses for
the actual servers there later can use
these objects in the firewall rules to
define the access to my internal server
network i later also might differentiate
this further into vlans because i want
to put several vms on my proxmox server
into different networks but this is a
project for upcoming videos currently
putting all of these servers into one
single network is fine the main reason
why i'm doing all of this is i want to
isolate my servers from the rest of my
home network and control with firewall
rules which services and ip addresses
can be accessed because as you probably
know a firewall system like this only
allows traffic to pass through if a
firewall rule matches this specific
traffic for example i have created one
firewall rule that allows all devices
from my lan and the dmz zone to connect
to the lan zone but not anywhere else
this just allows basic internet access
for all of the devices in my network but
if i want to connect from my pc which is
in the lan zone to my servers which are
in the dmz zone i need another firewall
rule to specifically allow this and
because i don't want everyone in my home
network to access my servers i created
another firewall rule where i defined
that only authenticated users are
allowed to connect from the lan zone to
any target in the dmz zone with that
firewall rule i'm ensuring that only
administrators have full access to my
servers mainly this is a firewall rule just
for me because i'm the only
administrator in my home network but the
interesting part here is that the
sophos xg doesn't just work with ip
addresses and zones it can also allow
traffic based on users so when i want to
access my servers i always need to
authenticate with the sophos client
on my pc first to match this firewall
rule and access my servers now in a
typical company environment you might
also have external authentication
providers you can set up in the firewall
so for example you can create a
connection to an active directory or to
an ldap to authenticate users to the
firewall and even synchronize the
authentication with a sophos
endpoint client and this works even in
large environments in networks with
thousands of users and this is perfect
to add another layer of protection to
your network stack
however i still might want to allow
unauthorized traffic in some cases
because my servers are also running some
workloads that should be accessible for
everyone in my home network so for
example this is my password manager i've
set up or my minecraft server that i
want to play on with my son so i have
created other firewall rules and this
allows access to my servers even when
the user is not authenticated but only
to specific ip addresses and ports
so this can give anyone access to
specific services and workloads running
on my virtual servers or maybe i could
also configure access to my storage
server if i'd like to do file sharing
with other pcs and so on
the point is that when you set up or
allow unauthorized access on your
firewall you should at least always
limit your ip addresses and services or
protocols which are permitted so for
example with these firewall rules
everyone in my home network can connect
to my minecraft server but not to the
ssh port
but this is not all the sophos xg
firewall does just look at ip addresses
and ports it can also look inside the
network protocol stack and is able to
detect malicious patterns exploits
malware and so on now this is possible
because the sophos engineers
included a bunch of different scanning
engines into this system which are all
handled by the new xstream architecture
and this is a high performant
architecture that can decrypt and scan
https traffic with the latest protocols
it can detect and block malware by
including sandboxing and artificial
intelligence and you can also accelerate
traffic and do things like sd-wan or
prioritization of application and
protocols now i get this is overwhelming
to explain all of this stuff i probably
would need a full one hour long video
again but to give you a brief overview
of what it does you can enable any of
these protection features per firewall
rule so you can for example use the ips
engine to scan the network traffic to
your servers and search for specific
exploits
do you still remember the recent log4shell
vulnerability for example so
that incidents where so many java
applications were affected with so in
the sophos xg there are ips patterns
that can detect and block this
particular exploit and if you enable
this ips policy in your firewall rule
that allows traffic to your servers the
firewall will detect and block these
specific attacks even before they ever
reach your servers
and just like this example there are
many many more of these well-known ips
signatures sophos maintains for the
firewall i don't want to go into too
much detail here because there's so much
you can do with this i already made a
video about the sophos xg home version
on my proxmox server which you can set
up entirely for free by the way and in
this one i covered some of the advanced
filtering engines like the web
protection the application protection
and so on
and from a software or protection site
there is just a very minimal difference
between the virtual version and the
hardware appliance here the features on
the system are actually the same the
only advantage the firewall appliance
has it is optimized for these computing
tasks so when you have a lot of scanning
engines enabled in your firewall rule
the hardware appliance will accelerate
and offload this traffic a bit more
efficient than the virtual ones anyway i
think i have explained the most
important concept here and that is to
separate your network this is really the
foundation for a good security concept
because if you're putting everything on
one single network the firewall is never
in control of this internal traffic and
you can't effectively protect your
critical services so here the sophos
xgs really helps me a lot because i can
put everything on a different interface
and i can bound interfaces together and
put them in different network zones and
i know creating firewall rules for every
traffic and every protocol and
everything in your home network that can
be a challenge but it is absolutely
vital to protect your servers and this
is a great practice for everyone who
needs to administrate networks and
companies so i can just encourage you
start looking into firewall systems for
your home lab it doesn't need to be
complicated but you can just start
somewhere and then as your knowledge
expands you can also think about new
security policies or firewall rules
you're setting up
okay so enough for firewall rules it was
a lot but let me also show you what i'm
using the sophos xgs for to manage my wifi
access points in my home network because
this is also a feature that is extremely
useful it is not very complex to explain
so we can just go through this very
quickly but this is actually the point
it should be as simple as possible
the only thing i needed to do to set up
my new access points is to enable the
wi-fi in the zone that is attached to
the poe switch in my case the lan zone
and then i just connected my access
points to my poe switch and they will
automatically show up in the sophos
x2u wireless dashboard all these access
points are controllable through this
dashboard so you can group them you can
set up things like the ssid the password
the wifi channels and all of this stuff
all the changes are applied to the
selected access points remotely so you
don't have any web interface where you
need to go and configure them one by one
and this is absolutely fantastic of
course i have configured some other
things on the firewall as well but i'm
still not finished with all of it
because i'm going to change a lot of
things here like adding new servers and
i want to change my network switches and
so on uh by the way there's something
really interesting for you sophos fans
coming i don't want to talk about it too
much right now but i hope this video
already gave you some ideas and
inspiration about protecting your
network and why it's always a great idea
to have such a firewall again i just
want to say if you are interested in
buying these firewall appliances this
device here is an absolute overkill for
usual home lab and as i've told you i've
done many setups with virtual sophos
xg's and free home licenses which i was
running before myself so if you want to
check out how you can use the sophos xg
at home as a virtual machine for example
and if you want to have a deep dive into
setting up tls inspection network
protection and other firewall rules
check out my other video that i did some
time ago about the sophos xg and if i
will change something interesting in my
home lab be sure that i will let you
know anyway thank you so much for
watching everybody take care and i will
catch you in the next video bye bye