Build Your Own Router with Sophos UTM 9

One of the questions I get asked most often by families with children is, “How can I protect my kids online?”  There are a few answers to this question.  Educating them is key so that they know what to look for, but that isn’t always enough.  Web filtering software is another option, but that can easily be disabled.  A great option here is a custom router.  Not just any router, but a UTM or Unified Threat Management device.

For this project, I went with Sophos UTM Home Edition, which is available for free from Sophos’s website.  This has all the same features as their business grade product, but for free.  The catch?  It’s limited to 50 IP addresses on the network, which is more than enough for even the most connected home.

For the hardware, I purchased a Qotom Q190G4 from Amazon and stuffed in 8GB of RAM and a 120GB mSATA SSD.  This particular unit features a Celeron J1900 at 2GHz, plenty of horsepower for a home network.  The Sophos UTM Home will run on virtually any x86 compatible PC.  The only special requirement is that it has multiple network adapters.  Simply download the image, burn it to a DVD and boot the PC from that DVD.

Installing

When you first boot the PC, you’ll be greeted by the screen below.  Go ahead and press Enter.

Install Start

Once the installer loads, you are warned that this will remove all existing data on the PC.  It will then detect all the hardware.

Install 2

On the next few screens, you set the location and time zone as well as the time and date.  The next screen asks which interface you want to use to access the WebAdmin.  In other words, select the interface that will connect to the LAN.  If you only have one interface plugged in, the installer indicates which one has a link by displaying “link” next to it.

Install 8

On the next screen, you can either specify a custom IP or accept the default.  The default is fine for most people.  Next, you’ll be asked whether you want to install the 32-bit or 64-bit kernel.  Unless you have more than 4GB of RAM, the 32-bit kernel is fine.  You will want to answer yes to the below screen.

Install 11

Answering “No” will only install a basic Linux shell without any of the Sophos software.  After this, the installer will run and you’ll finally be prompted to reboot.

Install 12

Configuration

One thing to note is that if you changed the IP address from the default, you will need to configure the network adapter on your computer with an IP address within the subnet you configured during installation.  This is because changing it from the default disables the DHCP server.

On the first screen, you’ll enter basic information about the appliance.  Ideally, the hostname should be something that is publicly resolvable, but it is not necessary.  All of the fields are required.

Config 1

After clicking Perform basic system setup, you will be asked if you want to continue configuring or restore from a backup.  Restoring from a backup here is useful if you’re upgrading your device to new hardware.  The next screen prompts for a license file.  If you downloaded the file that was emailed to you, upload it here; otherwise, click Next.

Config 3

The next screen gives us our LAN settings.  If not already checked, you will want to enable the DHCP server, provided you don’t already have one on the network.

Config 4

Now, you will set up your internet connection.  If you only have two interfaces, this part is really easy as it will be the only available interface.  If you have more than two interfaces, make sure that your internet connection is plugged in.  The Interface drop-down shows which interfaces are up.

Config 5

Next, you will want to configure which Internet services are accessible to internal clients.  By default, nothing is selected, but you can select everything here.  I also like to have the UTM respond to pings as it proves useful when troubleshooting the network.

Config 6

The next screen gives us the Advanced Threat Protection settings.  Unless you’re hosting a web server, you can leave the Intrusion Prevention Engine disabled.  I like to enable the Command & Control/Botnet Detection Engine.  This serves to drop any traffic that is going to a known botnet or command and control server, something that is useful in preventing a ransomware infection.

After this, you will be asked to set up Web Protection.  By default, none of the options are selected.  I like to scan sites for viruses since it adds an extra layer of protection.  You can select the categories you wish to filter.  Keep in mind that this affects all internal clients.  There are a few ways around it such as segmenting your network off onto VLANs with one for the kids and one for the adults.  You can then apply different web filter profiles to each VLAN.

Config 8

If you access email via POP3 or run an internal email server, you can take advantage of the Email Protection.  Finally, you will confirm your settings and you’re ready to go.

Setting up your own UTM can be accomplished in under an hour.  The benefit here is increased network security, but it is more hands-on and advanced.  What are your experiences with running your own router?  Share them in the comments below.