
Easy DIY Home Internet Monitoring System with Sophos UTM and Fastvue

by

Ethan Mecham


When I was working my way through college about 6 months ago, my wife and I had a guest staying with us for a few months. He lived separately but shared our same Internet connection. I was using OpenDNS at the time, and one day, out of simple curiosity I looked for 'Blocked Requests'. The report was replete with pornographic websites!

Unfortunately, the blocked DNS requests did not show which user on the network attempted to visit this website. At the time, it was obvious to me that it was the guest making these requests, but what if there is more than just you, your wife and a guest? These concerns started to really bother me, especially when I thought about all of the issues that are likely to arise in the future with children in the house, knowing what the Internet contains.

I recently stumbled across Sophos UTM Home Edition and Fastvue Sophos Reporter and, after a brief chat with Scott, one of the co-founders at Fastvue, they gave me this opportunity to explain why I find these two software solutions to be the best and easiest way to keep ourselves, our families and even guests safe and protected online.

Why Sophos UTM over OpenDNS?

As mentioned, I was using OpenDNS to filter Internet traffic. OpenDNS is graciously offered free to home users, and the process it uses (as you may have guessed) revolves around DNS. You configure your router to send all DNS requests to OpenDNS and then, depending on your settings, it will allow or block certain content.

For those unfamiliar with DNS, every time you type in a web URL such as www.google.com, your computer asks the DNS server "What is the IP address of www.google.com?". Your DNS server will then respond with one of Google's IP addresses such as 74.125.129.105. Now your computer can communicate and request content from that IP address.

When your network is configured to use the DNS servers at OpenDNS, they simply refuse to give you the IP address for blocked sites. For example, if a DNS request is made for the IP address of a pornographic site, OpenDNS does not give you the IP address of the server, thereby blocking the rest of the communication.

OpenDNS works well, and it is very easy to identify if DNS requests are being made to bad websites. But OpenDNS does not have visibility into which user or computer on your network attempted to visit the websites, nor does it show when they attempted to visit them, or anything else about their overall browsing habits.

Here are the pros and cons of OpenDNS:

OpenDNS Pros:

  • Free
  • Fairly simple set up procedure
  • Not easily bypassed
  • Effectively blocks your network from prohibited websites

OpenDNS Cons:

  • Low visibility on reporting
  • No idea who visited what site at what time
  • Inability to filter specific websites within domains. For example, to block www.si.com/swimsuit, you need to block all of www.si.com

Getting Started with Sophos UTM Home Edition

In order to get better visibility into the devices and users on my home network, I knew I needed a filtering and reporting solution on my side of the home router. Most home Internet routers typically do not have any content filtering options, and I'm yet to find one with any sort of web usage reporting.

Sophos UTM Home Edition is an excellent solution as it is a full featured UTM (Unified Threat Management) device which includes a comprehensive web filtering feature. It is also one of the only solutions to provide comprehensive logging of web activity that includes fields such as the referrer URL field, which is incredibly useful for reporting on what sites people are 'actually' visiting (more on that later).

Installing Sophos UTM

To install Sophos UTM Home Edition, you need to first decide how you want to install it. You basically have two options:

  1. You can install it on a physical computer as the operating system (instead of Windows or something similar). Or,
  2. You can install it in a virtual environment.

I personally host my UTM in a virtual environment, but some may find it more attractive to simply overwrite an unused machine with the Sophos UTM operating system.

First, download Sophos UTM Home Edition. Once you've downloaded the software, copy it to a CD and place it in your chosen computer. When you boot, depending on your machine, use one of the function keys (F1-F12) to enter your boot options and select the CD. You will then be placed into the installation of the UTM.

Etienne Liebetrau has already written a very clear and easy to follow blog on installing Sophos UTM in Hyper-V, and these steps are also very useful for installing Sophos UTM on a physical machine if you begin with step 3.

Getting Started With Fastvue Sophos Reporter

Once you've installed Sophos UTM, enabled the Web Filtering feature, and have a working Internet connection, you can use the on-box reporting to view top users, sites and so on.

However, you'll soon notice problems with the on-box reports, such as not being able to find when someone browsed a site. You will also see a lot of websites in the reports that were never intentionally visited, such as advertising servers and content delivery networks (CDNs). This is a major issue when needing to report on 'actual' web activity.

This is where Fastvue Sophos Reporter comes in. It monitors Sophos UTM's web filtering log files and provides real visibility into your home network's web usage. Fastvue do not officially advertise it, but they do offer a home user license for only $49.95 USD for a one year subscription. If you're interested, contact [email protected].

By way of introduction, I recommend watching the video below to give you a good overview of the capabilities of Fastvue Sophos Reporter.

Installing Fastvue Sophos Reporter

Setting up Fastvue Sophos Reporter is also very simple and is covered on Sophos Reporter's Getting Started page.

You may experience, as I did, that your computer will not receive any logs at this point. My install is on Windows 7 with Windows Firewall enabled, and I found that everything worked fine once I opened the Syslog port on Windows Firewall.

Once installed, play around with the reports and get comfortable. You'll find that it's very intuitive and easy to get around.

Top Five Sophos Reporter Features for Home Internet Monitoring

I want to share with you the top five features of Fastvue Sophos Reporter that have been the most helpful to me as a home user.

1. Fastvue Site Clean

Site Clean is a feature that I now consider essential to being able to accurately read web usage reporting. If you've ever dealt with web reporting before, you know that it can be hard to pin down the sites that users actually visited. When you load a web page, your browser goes to a variety of different servers to pull ads and other content which can be confusing and misleading.

Site Clean sees through this confusion to provide a true view of what was actually visited on your network. This will make your experience with web reporting much better than it ever has been!

In this screenshot, you'll notice I've selected 'Show Both' to illustrate what the URL visited was (shown in all other web reporting solutions) and what Site Clean 'cleaned' it as. Of course, the 'Clean On' section simply shows the 'cleaned' sites. This makes it much easier to read, and yet I can still see what the specific URL was if I need to dig a little deeper.

Fastvue Site Clean Show Both

 

You can read more about Site Clean here.
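To make the idea concrete, here is an added example (not Fastvue's Site Clean code, and not from the original post) that parses web filter records, rolls each request up to the site named in its referrer, and lists blocked requests with who, when and what. The log lines are constructed, and the key="value" layout, field names and action values are assumptions to check against your own UTM logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records; field names and action values are assumptions.
SAMPLE_LOG = '''\
2015:03:02-19:04:11 utm httpproxy[4211]: action="pass" srcip="192.168.1.23" url="http://news.example/story" referer="" categoryname="News"
2015:03:02-19:04:12 utm httpproxy[4211]: action="pass" srcip="192.168.1.23" url="http://ads.adnet.example/banner.js" referer="http://news.example/story" categoryname="Advertising"
2015:03:02-19:04:12 utm httpproxy[4211]: action="pass" srcip="192.168.1.23" url="http://cdn.static.example/app.css" referer="http://news.example/story" categoryname="CDN"
2015:03:02-21:15:40 utm httpproxy[4211]: action="block" srcip="192.168.1.57" url="http://adult.example/" referer="" categoryname="Pornography"
'''

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+\S+\s+httpproxy\[\d+\]:\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return a dict of fields plus 'ts', or None if not a web filter record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group('kv')))
    rec['ts'] = m.group('ts')
    return rec

def host(url):
    return (urlsplit(url).hostname or '').lower()

def visited_site(rec):
    """Site the user was on: the referer's host if present, else the URL's host."""
    return host(rec.get('referer', '')) or host(rec.get('url', ''))

def summarize(text):
    """Return (per-client site hit counts, list of blocked events)."""
    sites = defaultdict(lambda: defaultdict(int))
    blocked = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or 'srcip' not in rec:
            continue  # skip unrelated or malformed syslog lines
        if rec.get('action') == 'block':
            event = (rec['ts'], rec['srcip'], host(rec.get('url', '')))
            blocked.append(event + (rec.get('categoryname', ''),))
        else:
            sites[rec['srcip']][visited_site(rec)] += 1
    return {ip: dict(seen) for ip, seen in sites.items()}, blocked

if __name__ == '__main__':
    sites, blocked = summarize(SAMPLE_LOG)
    print(sites)
    print(blocked)
```

The ad server and CDN requests collapse into the one page that triggered them, while the blocked request keeps its source IP and timestamp, which is exactly the detail a DNS-only filter cannot report.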

2. Bandwidth Dashboard

The next feature that I use frequently is the Bandwidth tab under Dashboard. This is pretty simple to figure out, and is very informative. Starting in the top left you can not only see that I am the top user for the day, but you can also hover over the bar next to my name and see what each portion of my bandwidth is made up of.

Bandwidth Overview

 

In the bottom left we can see the Top Sites. It's very plain to see that Vimeo and Pandora have been my top sites while writing this blog! As always, you can hover over any of the information on the table in order to get a more detailed report.

You'll notice a 'Departments' section in the screenshot above which just shows 'Unknown'. Sophos Reporter is really designed for businesses, so you'll probably see everything under the 'Unknown' department too. If you're keen, you could create a home 'domain' using Microsoft Active Directory and configure departments for 'Parents', 'Kids' and 'Guests', but that might be a little overkill!

3. Web Protection Dashboard

If you've ever had to figure out why something is being blocked by Sophos UTM, you'll know that it is extremely difficult if not impossible. Fastvue Sophos Reporter puts this information front and center, and shows you what is being blocked in the background. There are multiple ways to view this, but one way is on the Web Protection tab under Dashboard.

Blocked Web Pages

 

In the bottom left you can easily see the Top Block Events, and from there you can dive deeper by running a report on that site. The Web Protection section of the report will show you the Filter Actions (web policies) that blocked the site, and you can run further reports on those policies to ensure they're blocking or allowing the correct sites. This has made managing blocked sites and apps much, much easier.

4. User Overview Reports

I frequently use the User Overview Reports tab under Reports to get detailed information on specific users. I can't show the whole report with a screenshot below, but this is a very simple way to get a holistic view of the user's usage, for any time frame that you specify. This is the place to go to get a detailed view of your kid's Internet usage. You'll find yourself using it frequently!

User Overview Report

 

5. Alerts

Fastvue Sophos Reporter makes alerts easy, effective and very customizable. The screenshot below shows just one of my alert configurations. This alert addresses my concerns from the beginning of the blog: Who is visiting tasteless sites? When did they visit them? What was the site?

Blocked Sites Alert

Alerts Evidence Table

 

Every time a different user visits a pornographic site that is blocked (they're all blocked), I will get an email telling me who, when, what and pretty much any other information I would like to know. This is just the beginning of what you can do with alerts! There are also many more alerts that come configured by default, ensuring you stay informed about potential problems on your network.

There are many, many more reports possible in Fastvue Sophos Reporter, but these will get you started for now!

Conclusion:

The combination of Sophos UTM Home Edition and Fastvue Sophos Reporter is, for me, the easiest and most effective way to protect my family from not only tasteless content on the internet, but also from malware, viruses and other malicious content. With Fastvue Sophos Reporter, I feel truly in charge of my home network by seeing meaningful and clear information about what is happening, in real time.

If you have any questions or comments, please post below!
