Sophos UTM

Discussion in 'other firewalls' started by Mayahana, Mar 6, 2015.

  1. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Really? I got ClearOS working as a WiFi hotspot at the moment. But anyhow, back to Sophos. I wish I could run it...
     
  2. guest

    guest Guest

    ClearOS is based on CentOS (Red Hat), Sophos is a distribution itself.
     
  3. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    286
    Location:
    Philippines
    Quick question on this product, does the Sophos UTM Home Edition offer dual engines (Sophos + Avira)? And I know this is asking too much for a free product but is there a way to enable PUA detection on endpoints (seems like it's impossible to configure it, since this version only seems to offer "Basic Protection")

    Also, for quarantining items, the endpoint user can't seem to control the items -- and somehow I can't find the "Quarantine" on WebAdmin.
     
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Home Edition offers dual engines.
    PUA detection can be enabled, on UTM and endpoints.
    Quarantined items need to be removed via endpoints, but you can 'resolve' them on the UTM, such as adding them to exclusions, which removes them from quarantine.
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I just applied the new firmware for Sophos UTM.. REMARKABLE!

    Firmware version: 9.309-3
    Pattern version: 77649

    They chopped RAM use IN HALF! Seriously, now my box is using only 42% of its RAM, and it is only a 2GB system. Prior to this firmware, it was chewing away 76-90% of my RAM. This is a fantastic improvement. No idea how they pulled it off.
     
  6. guest

    guest Guest

    Does Sophos UTM come with IDS and IPS? Which products are they using? Snort? And are the rules updates free as well?

    Do the AVs come with free definition updates?
     
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Snort integrated, 24000 signatures, auto updated.

    Sophos and Avira antiviruses, free updates for life. You can set update intervals.
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Sophos is holding firm at 42-50% RAM use on a 2GB machine since the patch!

    They've really improved performance, and optimizations of it. I have turned back on region/country blocking as a result of how fast, and light it's become.
     
  9. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Sophos UTM v9.310-11 just released.

    A MEDIUM rated update. Which is significant.

    Bugfixes

    22468 HTML5 iptables rule doesn't match for IPSec-routed hosts
    23965 Prevent removing default network objects
    25191 awed (awed_ng) fails on missing rrd-metadata file
    27463 Cablemodem interface does not renew interface address after modem reboot
    27601 error message: Netlink message type is not supported in ulogd
    28261 Allow ICMP Forward for incoming ICMP packets on uplink interfaces
    28627 Sender Blacklist works for Enduserportal but not for Webadmin -> SMTP -> Antispam -> Sender Blacklist
    29326 [BETA] rephrase notifications for APT/IPS events
    30069 Transparent authentication in cluster mode shouldn't be balanced
    30332 Don't let INVALID traffic FORWARD over utm
    30770 SMTP mailmanager hides filter summary and sorting text
    30840 Static route using a pptp RAS IP not set by middleware after connection is established
    31000 SMTP: different behavior for internal malware and spam dependent on scan outgoing setting
    31160 Mail manager language does not use webadmin language
    31744 Blacklisted(Mail) due to not working Multipath rule
    31746 Not downloadable Mails can be downloaded with the 'Selcect action to apply on messages' dropdown
    32631 iptables-restore running with nearly 100% CPU (CVE-2014-9402)
    32665 memleak in afcd
    32761 Proxy cert for customized HTTPS enduser messages is not delivered with complete chain information
    32880 Cached user backend memberships won't be updated
    32960 Tunnel traffic is counted twice by QoS
    32996 Authentication failed after I proceed with accepting warn- or quota page
    33027 Packetfilter numeration in webadmin does not match iptables
    33149 rrdcached exiting due to unknown reason
    33228 Remote access reporting incorrect in case openvpn gets a restart
    33304 SSL interception causing annoying pop-ups in Microsoft Outlook and other client software
    33704 lag2 interface will be lost after adding as HA interface
    33709 Logfile Search for pop3 proxy not working
    33752 Wifi: confd error after awe->device validation
    33872 Reporting for HTML5VPN connections didn't work
    33952 Not possible to store comments for Vouchers
    34009 Bridge with a RED interface and some other Ethernet doesn't work after Update to v9.3
    34128 vpn-reporter.pl invoked oom-killer
    34156 IPv6 network in "Block password guessing" do not work
    34180 Duplicated HTML comments break the production web application
    34225 Authentication failed with a disabled remote user if user name is similar to a local user
    34232 Postgres died without any corefile
    34236 Endpoint Protection overview is not displayed in the webadmin
    34263 UMTS dongle shows up in webadmin twice
    34315 Ulogd is filling up the swap memory
    34317 websec-reporter segfaults in UPL_ParseLine
    34320 Proxy download patience page not displayed when using custom template
    34330 outdated SSL certificate for WebAdmin on fresh installations
    34364 ulogd segfaults and core dumps
    34381 Traffic shaping and throttling is not possible from the web filtering dashboard
    34394 Commit issues with visio behind the WAF - Empty content length
    34396 LTE dongle (ACM modem) is not more working after update to v9.3
    34413 Bridge Interface are not available for QoS since v9.305
    34414 "Cannot allocate memory" messages in the afc log
    34416 SSL VPN rekeying triggers a disconnect/reconnect of the whole tunnel
    34438 processing of new http profile blocks client requests
    34452 Authentication test incomplete when using custom group attributes
    34458 Kernel panic - not syncing: Fatal exception
    34459 Adobe Flash is not blocked by AFC
    34470 status code 407 messages are not logged anymore
    34475 Improve Firewall Rules search field behavior
    34476 First boot after installation gets stuck in "Starting ProgreSQL"
    34491 Web security search engine report shows every keytab from google search
    34497 Request body no files data length is larger than the configured limit
    34498 DNS Host still up in gui after change the hostname to a not existing name
    34505 Can't enable L2TP profile anymore when the single user was deleted
    34512 malformed UTF-8 character in JSON string, at character offset 5502 (before "\x{0}uency": 2304, "...") at awed_ng.pl
    34514 [9.3] Availability Group object configured in active directory causes "malformed parameter setting precedes LDAP URL"
    34534 End-user Messages for "SPX - Internal error - sender notification" cannot be changed
    34541 Shell access cannot be activated when ssh networks are empty
    34543 BGP: if "Install routes" is unchecked bgd daemon will not start
    34544 HTML5 portal RDP login not possible if same user already logged in (smartcard required)
    34570 Various segfaults after 9.308
    34697 Import OpenSSL security updates from 1.0.1m
     
  10. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    286
    Location:
    Philippines
    That's a lot of fixes.
     
  11. Sprocket

    Sprocket Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    75
    I've noticed that the Avira engine uses significantly more memory than the Sophos engine. When running Sophos, my system (an Atom-based mini-ITX board with 2 GB RAM) uses around 50-52% memory (according to the UTM's dashboard). When I switch to Avira's engine, the memory consumed immediately starts to climb to about 80%. I've tried this a couple of times, the results are consistent. (Just guessing here - I have read that the Sophos engine uses their cloud for detection, so maybe that explains the lower memory usage, keeping fewer signatures in memory than Avira does?)
     
  12. Russ64

    Russ64 Registered Member

    Joined:
    Mar 17, 2015
    Posts:
    17
    Location:
    London, UK
    How do I set my UTM to use these - the dashboard says that only ~2900 of 24000 are in use?
     
  13. Sprocket

    Sprocket Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    75
    Look under Network Protection/Intrusion Prevention and select the Attack Patterns tab. You can set which ones you want from there. Just remember that more isn't necessarily better - only select the ones that are appropriate to your network. For example, I have no WAN-facing servers, so I do not have the "Attacks against Servers" selected. That saves CPU cycles, and helps performance, with no loss of security.
     
  14. simisg

    simisg Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    412
    Location:
    Greece
  15. simisg

    simisg Registered Member

    Joined:
    Nov 6, 2008
    Posts:
    412
    Location:
    Greece
    Also, it's free!
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    This is a standalone firewall.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You need a separate dedicated PC to run it! It has its own OS.

    https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx
     
    Last edited by a moderator: Dec 19, 2015
  18. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    286
    Location:
    Philippines
    @simisg, nice catch!

    I'm currently running the XG Firewall Home Edition. It runs smoothly and I have enabled malware scanning on the firewall in my policy, and it seems to be playing nice with my network [can still do bittorrent, play Steam online games, browse 9gag, update devices, etc.]. Tested the firewall via WICAR.org and it catches the EICAR test file and even detects the FLV AMR payload test.

    Seems like this is a keeper, especially if you have a spare machine around. Tried the UTM, pfSense and ClearOS, and I feel this one really suits my needs.

    Pro Tip: I used Rufus to create a bootable USB: use "ISO" mode and, since the image is a Hybrid ISO, select DD afterwards.
     
  19. Sprocket

    Sprocket Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    75
    Running the XG home edition here, too. Configuration can be confusing (the UI is not task-oriented, so you need to go digging to find some basic settings), and I was stumped at first by the initial setup wizard (it requires you to give it a mail server's address so it can send alerts to the admin, and I don't have a mail server - it took me a while to discover that the wizard will accept 127.0.0.1 as a mail server address). The wizard is required to get the LAN side bridged to the WAN side (otherwise, you can reach the firewall's UI and the firewall can reach the internet, but you can't reach the internet through the firewall). Sophos's docs are detailed (and long - the admin manual is over 500 pages), but they only tell you what things are, not how to get things done. That's my biggest complaint. (Installation was odd, too - no options for address space, and the default is not 192.168.x.x, and you don't get to choose which port is LAN or WAN, the installer chooses for you.) Oh, and the ethernet ports auto-negotiated down to slower speeds than they could actually support - I had to manually set them both to 1000 Mbit, in a setting buried in the GUI. Once I did that, speeds were back to normal.

    Once I got it working, though, it seems powerful and fast (they claim much better performance than UTM 9 on the same hardware, in my case a dual-core Atom with only 2 GB RAM). I have Avira as the AV scanning engine, I use the LAN-to-WAN IPS rules (described as appropriate for protecting clients on the LAN), and I do URL filtering for malware and advertising. The XG firewall is based on the Cyberoam product (a company that Sophos apparently acquired, like they did Astaro), with additions from Sophos/Astaro's bag of tricks (like the dual-engine AV scan, and Sophos's large database of URL categorizations). Sophos claims that the Astaro-based UTM product will continue to be developed alongside the Cyberoam-based XG, but there is a lot of functional overlap, so I imagine they will eventually get merged. We'll see... (By the way, the XG home license doesn't expire after three years like the UTM home license - mine says the XG license is good through December 31, 2999!)

    I haven't actively tested the AV (thanks for your tests, kerykeion) or IPS. The URL blocking does seem to work, and I have no issues with streaming media, file downloads, or other basic functions. And FWIW, Gibson's firewall test gives a 100% stealth rating. So a preliminary thumbs-up here - once you get over the (sizable) hurdle of getting XG installed and configured, it seems like a solid contender.
     
  20. guest

    guest Guest

    Last edited by a moderator: Feb 2, 2016
  21. Sprocket

    Sprocket Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    75
    That is a good read - thanks for that. It's good that Sophos admits XG has a way to go before it's complete. They recognize the user interface is difficult to use, and that the product is incomplete (geo-blocking, for example, seems to be missing). I have found performance to be good, and I think it's a good starting point for a new product.

    I am wondering what the underlying operating system is. They say it's the "Sophos Firewall OS" but it seems to me that if it's compatible with a wide range of PC hardware, then it needs drivers for a range of NICs, and the best way to get that is to start with Linux (like UTM 9) or BSD (like pfSense). I haven't seen any copyright notices or license statements (even in the "About" page of the XG UI), so I assume it's something else. Just wondering what it is...
     
  22. Sprocket

    Sprocket Registered Member

    Joined:
    Dec 24, 2012
    Posts:
    75
    To answer my own question, the XG underlying operating system may well be Linux. I say this because Sophos recently put up a notification that XG is affected by the recently announced glibc vulnerability (CVE-2015-7547) which affects Linux but not other operating systems like BSD (which is what pfSense is based on).

    In fact, Sophos's firewalls have several vulnerabilities posted. Here's the OpenSSL one from a month ago:

    https://www.sophos.com/en-us/support/knowledgebase/123390.aspx

    And here's that latest glibc vulnerability notification:

    https://www.sophos.com/en-us/support/knowledgebase/123675.aspx

    At the moment, UTM has specific patch versions/dates listed for both of these vulnerabilities, while XG has "TBA".
     
  23. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I am still considering building a UTM with Sophos UTM as the operating system. Rather than purchasing a refurbished PC and adding a second NIC card, I would rather build a UTM with new hardware. The most cost effective thing to do would be to buy a server motherboard (2 NICs), CPU (Pentium or higher), at least 2 GB of RAM, a hard drive, etc.

    Has anyone built a Sophos UTM recently?

    Thanks in Advance.
     
  24. guest

    guest Guest

    Use one of these mainboards with 4 CPUs
    http://www.tomshardware.com/news/asrock-apollo-lake-motherboard-intel,32840.html

    I'm not sure if a Realtek NIC works fine with Sophos, but in any case you will need one of these:
    Intel I350 NIC (buy one used on ebay or china copy)
    https://forums.servethehome.com/index.php?threads/comparison-intel-i350-t4-genuine-vs-fake.6917/
     
  25. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    Wish I could use this. I have a Lenovo M93P Tiny right now with 8GB of RAM, quad core i7 2.6GHz CPU, and 250GB SSD. Issue is I only have access to a secondary NIC via USB on it. Sophos UTM won't detect it so I had to resort to Untangle.
     