Sophos UTM Tutorial: VirtualBox Deployment

March 30, 2015

Sophos UTM Home Edition (formally Astaro Security Gateway) is an enterprise-grade Unified Threat Management appliance that can be licensed at no charge for home users. Its features include antivirus scanning of HTTP, HTTPS & FTP traffic with your choice to use Avira, Sophos, or both AV engines, web content filtering and application control permitting the blocking of undesirable sites, IPS protection using Snort, network firewall and the ability to block traffic based on country of origin, client authentication, e-mail protection, VPN access, traffic shaping, and other capabilities. By default features are turned off so that one can enable only what is needed, however with its solid web interface the task of enabling features is quick and hassle free. Before continuing further we wish to clarify that we are not affiliated with Sophos or the UTM developers in any way and do not personally benefit from people using this product.

This tutorial will showcase how to install and configure Sophos UTM as a virtual system on an Intel i7-4770 based VirtualBox server to be used to protect outbound internet access on a home network. A web filtering policy that blocks known-malicious sites, web ads, and scans web traffic for malware is employed. The IPS will be configured to block client targeting exploits, and the firewall will be configured to permit all outbound traffic except for a select set of protocols. In this setup Sophos UTM will be upstream of clients but will be behind a hardware firewall (i.e. not directly exposed to the internet) and we will show how it could also be used to protect a simple network that employs a single subnet. System requirements for UTM can be found here. In our setup we allocate two cores, 2 GB RAM, and 60 GB storage to the VM.

Below is the list of topics:

  1. Create the virtual machine
  2. Install Sophos UTM & basic configuration
  3. Configure management settings
  4. Configure IPS protection
  5. Configure firewall
  6. Configure web protection
  7. Optional: Improve TLS ciphers
  8. Optional: Improve ad blocking
  9. Optional: Test the IPS
  10. Possible privacy concerns
  11. How to deploy and use your UTM
  12. Conclusion

Create the virtual machine

Download the Sophos UTM v9 software appliance ISO by registering for UTM. Below are the hashes for the UTM v9 software appliance file asg-9.306-6.1.iso:

md5     c8fada7a9694b9eda08b53cec45f164d
sha1    d261adc1a0462b83f1694d3e3dfe230cf12ccb76
sha256  99144c488a15afb7371d273561803a6f722c4c912c944ca1dd78eb9a84af6919

In VirtualBox select New. Give your system a name, for Type select Linux, for Version select openSUSE (64 bit) (SUSE is the base for Sophos UTM). For Memory size specify 2048 MB (this can be increased later if necessary). For Hard drive specify "Create a virtual hard drive now", then select VDI, Fixed size, and set it to 60 GB.

Once the VM is created, right click on it, select Settings, click on System, and on the Motherboard tab change the Pointing Device from USB to PS/2 Mouse, and uncheck Floppy from the boot order. Click on the Processor tab and specify 2 CPUs (again this can be incremented later if necessary). Click on Storage and under Controller: IDE specify the Sophos UTM ISO that you downloaded, click on Audio and uncheck Enable Audio, click on Network and for Adapter 1 change Attached To from NAT to Bridged Adapter, click on Advanced and for Adapter Type select Paravirtualized Network (virtio-net), click on the Adapter 2 tab on top and replicate these settings (i.e. create two network adapters) although for our use of UTM you can select NAT instead of Bridged for the second adapter. Click on USB and uncheck Enable USB Controller. Click OK to complete.

If your host OS CPU supports Nested Paging1 and you can enable it, we recommend specifying large pages so that the VirtualBox hypervisor can use large pages to reduce TLB usage and overhead.2 This is done via a command line entered in the host OS:

[user@Centos ]$ vboxmanage modifyvm "Sophos UTM" --largepages on
[user@Centos ]$ vboxmanage showvminfo "Sophos UTM" | grep "Large Pages"
Large Pages:     on

With the VM created, we proceed to install UTM.

Install Sophos UTM & basic configuration

Start your VM and select Start when prompted to install Sophos UTM 9.3. You will be asked basic questions such as keyboard layout and timezone.

When prompted which interface to use for WebAdmin, we select eth0. You will be asked to specify its network configuration (IP address, netmask, gateway). Provide the appropriate information for the network that UTM will be residing in.

When prompted on whether you wish to have a 64-bit kernel installed, select Yes. Also answer Yes when prompted to install all capabilities. The installer will proceed to partition and format your virtual disk.

Once UTM has finished installing, you will be prompted to remove the CD-ROM from the VM, reboot, and connect to the WebAdmin interface on https://<eth0>:4444.

Connect to the WebAdmin interface and fill in the fields as requested, then click on Perform basic system setup at the bottom right. Once this is complete you log back into WebAdmin with the username "admin" and the password you selected a minute ago.

The setup wizard should begin. Select the Continue radio button and click on Next. When prompted to enter a license file, you can either specify your free home license file that you should have received by email when registering for UTM, or you can choose not to specify anything and proceed without a license for 30 days. But keep in mind that the free home license is slightly more restrictive than the commercial product and 30-day free trial and so some minor functionality in UTM will disappear once you apply the free home license key.

When prompted for the Internal (LAN) Network Settings, these should contain the entries that you specified during the installation earlier. In our setup we do not enable a DHCP server on the internal interface.

When prompted for the Internet Uplink (WAN) Settings, we select Standard Ethernet interface and specify a static IP address. If when creating your VM you selected NAT instead of Bridged for Adapter 2, then instead of a static IP you would configure it so that it is automatically assigned. Important: The WAN settings is likely the one that could cause UTM to not work out-of-the-box and if you find that you cannot access the internet through UTM, this is a setting you'll wish to revisit. In our case the IP address we specify is an unused IP within the subnet of the hardware firewall's internal interface that UTM is connected to, with the default gateway of this interface pointing to the firewall. For most home networks the default gateway and DNS forwarder are likely the same.

When prompted for the Allowed Services, we select Web and FTP, and check both UTM Ping settings, but this does not matter much as later in the configuration we change these settings.

For Advanced Threat Protection Settings, we check both Intrusion Prevention Engine and Command & Control/Botnet Detection Engine.

For the Web Protection Settings, we check Scan sites for viruses and leave all others blank.

For the Email Protection Settings, we leave both unchecked.

The next screen is a configuration summary. Review and click Finish.

You should now be in the Sophos dashboard. In our cases there is one firmware update available. Click on the red text to bring you to the Up2Date screen then click on Update to latest version now. In our case the system required a reboot and so the web interface became unresponsive. Once the system reboots, close your web browser and log back into UTM to complete the configuration.

Configure management settings

We strongly encourage you to visit every single tab in UTM to review all settings, but below are some management settings we wish to highlight:

Management | System Settings | Scan Settings: This is where you specify which AV engine to use, and whether you wish to upload suspicious samples to Sophos.

Management | WebAdmin Settings | Advanced: Here you can specify the WebAdmin idle timeout, change the default WebAdmin port, display a warning banner, and specify whether to send anonymous data to Sophos.

Management | Up2Date | Configuration: Specify the firmware and signature updates download interval.

Management | Backup/Restore | Automatic Backups: Enable or disable automatic backups and specify whether to send backups by email (which we do not recommend).

Management | Notifications | Notifications: Specify the conditions in which you wish to send notifications via SNMP and/or email. We recommend that you disable all of these now unless you have a system in place to handle SNMP or emails. If disabling there is a handy "Toggle all" checkbox at the bottom of each list.

Configure IPS protection

We enable and configure the IPS to block client targeting exploits. Click on Network Protection | Intrusion Prevention | Global to enable the IPS and configure it to Drop Silently (setting it to Terminate Connection will send to both source and destination a RST packet for blocked TCP connections and ICMP Port Unreachable for blocked UDP). Next click on the Attack Patterns tab on top and tailor this list to your environment. In our case given that we only wish to use UTM to protect endpoints we disable all server-related groups and leave all others enabled. For the Rule Age we set it to 12 months with the exception of Protocol Anomaly for which we specify no time limit. The Add Extra Warnings rule generates alerts only (doesn't drop or block traffic) unless you override this in Network Protection | Intrusion Prevention | Advanced | Modified rules. But this needs to be done one rule at a time. A quick and dirty way to see which snort rules are set to alert versus drop is via the following command in UTM:

grep -v drop /etc/snort/rules/astaro.rules

Configure firewall

Firewalls are normally configured with a default deny policy which blocks all traffic that isn't explicitly allowed, but in our case given that this UTM is for a home environment and we don't wish to spend too much time adjusting firewall rules to not conflict with things such as Skype, VOIP, online games, VPN traffic, etc., we create only two rules: A rule at the top that blocks outbound SMTP and DNS traffic to prevent an infected system from sending SMTP SPAM and certain types of DNS hijacking, and a rule at the bottom that permits everything else. All factory default rules are deleted. The firewall is configured by clicking on Network Protection | Firewall, then clicking on the New Rule button on top to add new rules.

Below is a test confirming the firewall is blocking outgoing DNS traffic originating from a client.

user@ubuntu:~$ nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> rationallyparanoid.com
;; connection timed out; no servers could be reached

You can also block traffic to or from countries you define. Hypothetically if one wanted to block all traffic with New Zealand, in the Firewall configuration in UTM you would click on the Country Blocking tab on top, scroll down in the list of countries to find New Zealand, change its setting from Off to All in the drop-down menu (Off means do not restrict), then click on the Apply button at the bottom right.

Configure web protection

Web protection is what we use to block known malicious web sites as well as Web Ads, and for parents it can be used to restrict access to inappropriate sites. But keep in mind that any technically savvy kid will find ways to bypass filtering.

There are a few steps to this part. Click on Web Protection | Filtering Options | Categories. Click on New Filter Category and create a new category for the content you wish to filter. This will likely include the following: Browser Exploits, Malicious Downloads, Malicious Sites, Phishing, Spyware/Adware, Web Ads. Click Save.

Click on Web Protection | Web Filter Profiles | Filter Actions: Click on New Filter Action and create a new action that blocks the category you just created, and that also blocks websites with a reputation below Suspicious (checkbox at the bottom). Click on the Antivirus tab and specify the antivirus setting you wish. Unless you wish for every web site access to be logged, click on the Additional Options tab and uncheck "Log accessed pages". Click Save.

Click on Web Protection | Web Filtering | Policies. In the bottom left click on Base Policy and specify the filter action you created. Click on Save.

Click on Web Protection | Filtering Options | Misc. In the "Allowed target services" list, add all non-standard destination ports of web services you need to reach (ex: 8888, 8081, etc.). Otherwise you will get blocked with the error message "target service not allowed" when attempting to reach a web site that is running on a non-standard port (ex: http://example.com:9999/).

To enable and use HTTPS inspection (Web Protection | Web Filtering | HTTPS), you need to import into each system on your network your custom UTM CA certificate. There are two ways you can download this CA certificate: One is to access the following URL while passing through the proxy: http://passthrough.fw-notify.net/cacert.pem (this is a special domain registered to Sophos that UTM recognizes and retrieves internally - see the following for details). The other option is to download the CA certificate in UTM by clicking on Web Protection | Filtering Options | HTTPS CAs | Download, and export it as a PEM file. After you've configured one of your client to trust the certificate, confirm HTTPS inspection is working by downloading the EICAR test file over HTTPS to see whether it gets blocked by UTM. You may wish to review the CAcert Wiki which shows how to import CA certificates into different devices.

Optional: Improve TLS ciphers

In this optional but recommended step we remove support for 3DES and RC4 for web proxy connections out to the internet. Begin by enabling SSH remote access (Management | System Settings | Shell Access). You will need to specify a password for both loginuser and root. SSH to the UTM internal interface as loginuser, then su to root. Then enter the command cc followed by http, then tlsciphers_client$. The default list of TLS cipers will appear. Following this enter the line =HIGH:!MD5:!aNULL:!EDH:!3DES which omits RC4 and adds !3DES to remove Triple DES, then exit and restart the httpproxy service.

utm:/home/login # cc

127.0.0.1 MAIN > http

127.0.0.1 MAIN http > tlsciphers_client$ 
HIGH:RC4:!MD5:!aNULL:!EDH

127.0.0.1 MAIN http/tlsciphers_client (BLOB) > =HIGH:!MD5:!aNULL:!EDH:!3DES
result: 1
HIGH:!MD5:!aNULL:!EDH:!3DES

127.0.0.1 MAIN http/tlsciphers_client (BLOB) > exit

utm:/home/login # /var/mdw/scripts/httpproxy restart

Note that at this time it does not appear that UTM's web proxy supports TLS 1.2.

JUN/7/2015 EDIT: Version 9.312-8 of Sophos UTM supports TLS 1.2.

Optional: Improve ad blocking

We tested a number of entries in Ghostery's list of Advertising trackers against UTM's URL category and noticed that a number were classified as Internet Services or Marketing/Merchandising instead of Web Ads. If you wish to have a more aggressive Ad Blocking policy our recommendation is that you override some of the URL classifications in UTM to make them match those of Ghostery or Adblock Plus.

Optional: Test the IPS

To test whether the IPS works we attempt to trigger a Snort rule to see whether the connection gets blocked. The first step is to search in our list of enabled rules one that we can easily trigger. We SSH to UTM and enter the following:

cd /etc/snort/rules
grep MALWARE astaro.rules | less

Reading through the rules we select the rule "MALWARE-OTHER Win.Trojan.Wysotot variant download attempt" (SID 30946) and so next we attempt to trigger it by entering the following on a Linux computer whose traffic is passing through UTM. In the case below replace www.testwebsite.com with a web server you can test against.

telnet www.testwebsite.com 80

We copy and paste the following pressing enter twice at the end:

GET /dl/get_tab?type=1 HTTP/1.1
Host: www.testwebsite.com
User-Agent: ElexNetDownload

If it works you should get a timeout (assuming you configured your IPS to drop instead of terminate and this signature is active and hasn't changed):

HTTP/1.1 504 Timeout while reading response from Server
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset="UTF-8"
Content-Length: 2653
Accept-Ranges: none
Connection: close

Finally in the the UTM IPS logs we should also see the blocked event. The key here are the words "action=drop". If you see "action=alert" it means that the IPS is detecting the rule but isn't blocking the traffic.

utm snort[7600]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-OTHER Win.Trojan.Wysotot variant download attempt" group="500" srcip="10.1.2.3" dstip="192.168.1.2" proto="6" srcport="49128" dstport="80" sid="30946" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"

Possible privacy concerns

The following is something that people are already aware of and so we don't wish to repeat the same concerns, but we wanted to discuss as people nowadays are more concerned than they used to about the privacy of their data and where it is being sent, and some choose to forgo security if it comes at the cost of their privacy.

The Web Filtering component of Sophos UTM sends to Sophos information related to each web site you visit so that UTM can provide up-to-date categorization and reputation of the web site (e.g. whether the site is categorized as banking, gambling, malicious, or has a reputation of trusted, neutral, suspicious, etc.). This unfortunately is one trade-off in order to get up-to-date information regarding the safety of newly registered and recently compromised web sites and we believe generally there isn't much objection to this, and UTM is certainly not the only security product that engages in this behavior. However UTM transmits this data in plaintext as a ROT13 encoded string of the web site. Below is an example of what is sent:

GET /V3.1/utm-toxbexsetxbyxbasic_setup/01/bpfc.qvtvpreg.pbz.m/ HTTP/1.1
User-Agent: SXL/3.1
Host: http.00.t.sophosxl.net
Accept: */*
Connection: Keep-Alive

We have to admit that we were surprised to see this wasn't done over SSL/TLS or at the least wasn't encoded in a more robust format. Our concern is not so much that this information is being sent to Sophos, after all they are providing at no charge an outstanding security product. Our concern is mainly the manner in which this information is being sent.

To illustrate we took a packet capture of both the internal and external interfaces of UTM while we made a HTTP request for http://example.com/ to observe what is sent. Below are the two HTTP requests that our client makes to the UTM's proxy service on its internal interface:

GET http://example.com/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

GET http://example.com/favicon.ico HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

Below are the corresponding HTTP requests to sophos that are sent via UTM's external interface to sophosxl.net:

GET /V3.1/utm-toxbexsetxbyxbasic_setup/01/rknzcyr.pbz.m/ HTTP/1.1
User-Agent: SXL/3.1
Host: http.00.t.sophosxl.net
Accept: */*
Connection: Keep-Alive

GET /V3.1/utm-toxbexsetxbyxbasic_setup/01/1.snivpba-2rvpb.rknzcyr.pbz.m/ HTTP/1.1
User-Agent: SXL/3.1
Host: http.00.t.sophosxl.net
Accept: */*
Connection: Keep-Alive

In the first HTTP request, the string rknzcyr.pbz.m is ROT13 decoded to example.com.z, and the second string 1.snivpba-2rvpb.rknzcyr.pbz.m decodes to 1.favicon-2eico.example.com.z.

With the responses from sophosxl.net received and the URL category known, each request to the proxy's internal interface is then initiated from the proxy's external interface to the destination web site in order to actually retrieve the content being requested. You will notice that the HTTP headers are slightly different than those of the original request:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

GET /favicon.ico HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

Some may argue that in terms of privacy this is not much different than DNS traffic or SSL certificate details for every web site one visits being sent in cleartext, however while this contains some truth it is not a perfect argument. One major difference is that your DNS resolver if within your ISP's network is probably much closer to you (in terms of hops) than traffic to sophosxl.net which could be hopping across countries. So basically the issue is that we are adding a new stream of cleartext traffic from your IP: one for DNS - hopefully limited to your geographic zone, one for the web site you are visiting - possibly limited to your geographic zone, and a new one for sophosxl.net - possibly spanning geographies. This of course is influenced by which country you live in and the web sites you visit.

If this is a concern, what we would advise is to configure exceptions in the web protection component of UTM to disable URL filtering for the internal IPs that you wish to avoid this issue, or for specific URLs (but not web site categories - this causes a catch 22) or alternatively disable it for specific HTTP user agents and everything over HTTPS, then test using tcpdump to confirm what is being sent. In this setup you can still benefit from the IPS, firewall, and antivirus scanning component of UTM but you will lose the protection of URL filtering, which although prevents the behavior above, could result in your system being compromised via a known malicious web site that would normally have been blocked by UTM's URL filter. Again you need to weigh your privacy concerns.

How to deploy and use your UTM

There are different approaches for this depending on which feature(s) of UTM you wish to use and whether you want to have full UTM protection or only a portion of it, how much configuration of your home network and/or device you want to deal with (some systems require a lot of configuration on the device and/or UTM to fully work behind a web proxy), and whether or not you want to protect or restrict guests who access your home network. If it makes sense for your home environment the most beneficial way is to configure your home router to use UTM's internal interface as both its default route/gateway and DNS server, assuming UTM is using a different default route out to the internet. In this tutorial we configured UTM's firewall to block outbound DNS traffic, and so if using this setup you will need to make sure the DNS settings for your devices, UTM, and router are configured properly for this (all of your system's DNS settings should point to UTM, and UTM's DNS setting should point to your ISP's DNS servers). In this setup, all systems on your home network will pass their traffic through UTM.

If you wish to only make certain systems use UTM, you can configure an individual system to have UTM's internal IP as that system's default route or gateway, and this is a setup that also works for home networks that have a single flat network where UTM is on the same subnet as your devices. For systems using static IP addresses you would configure this in your network settings whose location varies depending on the Linux distribution. For Linux systems acquiring their IP address via DHCP you can modify their default route with the following command (note that this does not persist across reboots):

route del default
route add default gw <UTM_internal_IP>

Another way which is even simpler than the two options above but won't provide you with all of UTM's protection is to configure your browser proxy settings to use UTM internal IP as its proxy. In Firefox' settings click on Advanced | Network | Settings to access this configuration:

Firefox proxy configuration

A similar alternative to the manual proxy configuration would be to use a proxy.pac or for those who want more sophistication a WPAD deployment to provide automatic proxy configuration via DNS or DHCP if your home network can accommodate this setup. If you block outbound DNS traffic through the firewall make sure to also configure your devices to use UTM as their DNS resolver.

Once you have everything configured you will want to test your systems to make sure they can still download their software and antivirus updates as you don't want one security product blocking security updates in other products. We found that using tcpdump on the VM host server or within UTM to be extremely valuable in troubleshooting issues as well as informative to watch (an interesting command to simply let run in the background is tcpdump -nn -v port 53 and host <UTM_external_IP>). The logging aspect of UTM (Logging & Reporting | View Log Files), its Policy Helpdesk (Web Protection | Policy Helpdesk | Policy Test), and support tools (Support | Tools) are all very useful here as is the UTM user community.

Conclusion

We rate UTM highly. It is surprising that a product of this caliber can be licensed at no charge for home users, although we recognize there are some benefits in this for Sophos as well. Everybody who wants to control their home network should take a look at this product, especially as we move forward with the Internet of Things. The features of UTM that are most likely to "break things" are the progress pages and SSL inspection. We recommend that you liberally disable the progress pages (they have their use but cause all kinds of problems for non-browser software that download large files from the internet). We also recommend that you do not enable SSL inspection until you've become accustomed to the product. If you find browsing the internet through UTM to be slow, re-examine your DNS configuration as this could be the issue.




1. "10.6. Nested paging and VPIDs", VirtualBox, Mar 26, 2015

2. "10.6. Nested paging and VPIDs", VirtualBox, Mar 26, 2015