
2FA

In this day and age, two-factor authentication (2FA) is basically a must. I try to use it on any system that supports it. I have a YubiKey and I am a massive fan of it, but not everything supports U2F and sometimes it’s not convenient. I recently saw an announcement that Yubikey is developing a Lightning-based version including USB-C, which is awesome, as at the moment I have a suboptimal experience with my new Mac.

 

 


 

For the systems that don’t support my YubiKey but do support the Google Authenticator protocols, I have moved to using Authy as the 2FA application. The primary reason behind this is that I use multiple devices, and having to add secrets multiple times and then keep them in sync is a pain. For me, using multiple devices (2 iPhones, iPad, Mac & work laptop), it was too much hassle to try and keep them in sync. Authy has a sync feature that totally solves this. Add once and the token is passed to all your other devices. One feature that I only found out about post-install is that Authy works on an Apple Watch. For me, this is a killer feature that I didn’t even know I needed. I have had occasions in the past where I have been away from home and my iPhone has had a flat battery, etc.

Some people may be unhappy with the secret synchronizing feature of Authy. For me, this is a very acceptable trade-off.  It can be turned off if required and in the event of a device loss, I can revoke access from any of the other devices.


I recommend having a look at twofactorauth and adding any company/device that supports it. A few companies that I use were listed that I wasn’t aware supported 2FA.

I have a few more of my lab systems to add, but at the moment I have 16 services in Authy, with a subset shown below.


Sophos UTM Endpoint protection

I have been using the Sophos UTM Appliance at home for about 3 years.  It has been my internet gateway all this time and also has been useful for the lab I run at home.

It’s pretty much the full-featured enterprise edition, but it’s limited to 50 IPs on the LAN side. The feature set is huge and needs its own blog post.

I am just going to describe the basic endpoint side here. It’s been on my to-do list to blog about this, but I saw a fellow vExpert’s elderly father-in-law fall prey to a scam that Sophos would have probably caught…

If you’re interested in the product, you can obtain it here.

To enable features in the UTM, you typically turn them on globally, and then they can be configured.

Once this has been done, you can deploy the endpoint package (encompassing the AV and control agent).

This can be done either with a direct download or with a unique URL (see screenshot). For any homelabbers, a push with Group Policy is required.

After that, it’s a next-next installer.

I’m not sure what the third-party software it removes is, but it’s a nice feature.

And you’re done, nice and simple.

Once the agent is deployed it updates itself and runs a full scan. This can be monitored from the client end but also centrally in the UTM console. 

The example above is one of my fileservers.

One of the really cool things is the tamper protection seen above, which means if you or your try and uninstall the agent from the client you will get the message below. You need a password to uninstall!!

I am just running with the basic protection for me, which includes all of the following:

 

As you can see, web protection and blocking of malicious sites is enabled. This is fully customisable and able to apply the same filtering as the firewall implements. It has a large number of categories and a policy checker to see how a site will be handled. The best part of the UTM is that these are applied when the device is not behind the firewall. Think kids or old people, etc.

I have this implemented for a few friends and family but with slightly different policies.