Sophos UTM

Discussion in 'other firewalls' started by Mayahana, Mar 6, 2015.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I am up and running on Sophos UTM thanks to MikeMT's recommendation.

    Sophos 9.3
    HW: Dual Core 2.66GHz, 4GB RAM - $89.00 Refurb Dell Slim from Microcenter.
    Tossed a couple GbE NICs in it w/Cat6a all around.
    My pipe is a 180Mbps Fiber.

    Setup was a breeze; this is a professional package. Once I got my port forwards, exclusions, and other tricks in, it was running brilliantly. I dialed up the security, giving me full IPS/AV/WF on the gateway, and turned both AV engines on (Avira+Sophos).

    Some initial issues were:

    ROKU and Tivos need to be punched through with IPS exclusions.
    Security Server needed a hole.
    Encrypted VOIP required exclusions, and SIP enabled traffic forwarding.

    With all of the UTM features dialed up to maximum I am not seeing any speed degradation with any protocol at all. I streamed on Netflix last night without any issues at all. Steam downloads are full speed, and gaming seems stable and fast.

    FYI: Some speed tests may report inaccurate results. The reason is they use files to download, often compressed files. Sophos UTM seems to have a proxy AV, which means it is going to buffer then scan, which will skew the Java applets in browsers. For example, speed test is showing me at 6.52Mbps right now. However I can stream a 30 min 1080 movie almost instantly. So don't pay too much mind to performance numbers on consumer speed test sites; they don't factor in the AV proxy. Also, I haven't tweaked; I may be able to change the proxy to tweak this - on ZyXEL you can turn off scanning of compressed files (which includes EXEs) to make speed tests normal. On Fortinet you can switch to Flow-Through rather than Proxy. Both of which reduce security for a mere cosmetic change!
     
  2. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    Well done Mayahana, I will start watching this thread now..
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Mike..

    Sophos is reporting 2GB of RAM on a machine I have 4GB in.. Any ideas? Also, how can I check whether I have the 32-Bit or 64-Bit version installed? I THINK I chose the 64-Bit version, but I may be mistaken. That may cause the RAM issue, but I thought the 32-Bit one would show up to 3GB?

    Any tips? Right now RAM is pegged at 76% of maximum (2GB), though I have 4GB, so this is something I need to figure out. If I have to rebuild it from scratch that won't be pleasant.
     
  4. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Well duh on me.. I thought the server I dropped it on had 4GB, it has 2.. I ordered 2GB more overnight shipping ($24 hehe), that will fix that.. I don't like to run a server over 65% RAM use consistently, so this should drop it down to 30-40% max. So far so good, I have Netflix punched through fine now, still checking various devices/systems, and still haven't punched some of the cameras through.

    I think it's a keeper so far!
     
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    BTW to me you know what makes this the strongest solution I have seen?

    Full Reputation Web Filtration. I set anything under 'low' to be blocked, and I have been unable to push a single crappy IP/URL through it, and I have tried 50-60 per day. This reminds me of AVs' reputation file systems but extended to the internet. I have seen $20,000.00+ Fortinets not perform as well, or offer as deep features.

    This is a true Layer 8 NGFW.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Mike, is this ... AMAZING? Dual Scan Engines at the Gateway. PUA Detection, Ability to Block Scripts at the Gateway? I'm feeling like this is better than Fortinet and ZyXEL to be honest.
     

    Attached Files: scan.png
  7. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Now this is security.. Eliminating 'billions' of IP addresses, networks, proxies, relays from hitting my network, and almost all potential malware from dialing out of my network, not to mention countless ad-type programs, etc.
     

  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    I must say, that looks extremely well organized and tidy. Yet wickedly powerful.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    You forgot the "Mayahana standard period" at the end of the thread title. :)

    Are you using free version of Sophos UTM or a premium version?
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Yeah, those hackers in Antarctica are a real nasty bunch. :D
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I figure nothing comes out of Antarctica I need/care about, so why not region block in case someone is proxying out of there?

    Wild, I am using the free version. It can take 50 clients, and you can deploy up to 10 managed endpoint suites for free as well. VERY powerful!
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,633
    Location:
    Toronto, Canada
    Thanks. I am considering purchasing one of those tiny NUCs from Intel specifically for Sophos UTM now. It seems Sophos has extraordinary engineering along with a well designed user/admin experience. Keep us all informed of your testing, it is always appreciated.
     
  13. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    Hi M

    When you install off the ISO it detects an X64 processor & prompts with options to either go the X64 route for better speed efficiency or remain on the X32 install.

    From the control panel you can also back up your config files daily / weekly / anytime & restore as well. There is an awesome PDF manual you can download, same as the contents in the ? icon on the web admin page.

    RE RAM: 30 - 40 % is the norm on 4GB. If I remember correctly all Linux distros will try to take / reserve as much working memory as the system offers for efficiency, unlike their MS counterparts that normally just take what's needed at the time.

    Mayahana.. I am by no means a Sophos UTM expert & still have a load to learn on this baby as I'm still a new kid on the block with this too. I went into Sophos again only recently when I was evaluating Untangle alternatives again. All I can say is on the boxes I have installed this on, it is doing a great job.

    IMHO a good way to go.
     
  14. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Fortinet won't be ditched. Everything is standardized, and heavily vetted where I work. We have mid-six figures invested in Fortianalyzers/Managers/Presence gear at our COLO. Also the fact that we have so many channels into Fortinet, we can get engineers on the line in a few minutes, and can get remote sessions initiated within an hour of a service call if we need it. But yes, I would love to switch to Sophos UTM, but it will never happen at work. Fortinet is very complex, and at times problematic. Sophos is a breeze in comparison, and also more powerful unless you CLI the Fortinet.
     
  16. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    RED sounds amazing.

    Do you know the trouble we go through to do this right now with Fortinet? Multiple Devices, Multiple VLAN segregation, and VPN's to branch offices.. It's complex, difficult, and at times - unreliable.
     
  17. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    I just wonder if the branch offices will experience notable drag and slowdown, depending on distance of course?
    But on the other hand, what an easy way to control and protect your users. Just punch in the ID of the device and you are done; looks like built-in TeamViewer to me.
    Did you spend some time at CleanMX testing yet?

    /E
     
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    CleanMX was blocked 100% perfect by this UTM, every single link and file.

    RED isn't like TeamViewer, it's like what we do already with COLOs and branch offices. Usually a VPN through to the main office from the branch to facilitate day to day operations, sharing, etc.

    Also, these are VERY powerful settings:
     

  19. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    When I get a fiber connection next time this is the UTM I will go back to :thumb:

    /E
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I kind of feel bad for people still relying on NAT (layer 2) to secure their network in this day and age...

    22 hour statistics:

    15,285 Packets Rejected
    458 Direct Attacks Thwarted
    27 Viruses Blocked
    876 Websites Blocked
    27 Attacks blocked on Endpoints
     

  21. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    383
    What?
    Do you live in the Pentagon? ;)

    /E
     
  22. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    293

    Pentagon..... It took military sanitizers 14 months to clean up the infection after the breach.
    Also, you wonder what type of UTM Sony was using when they got hit....
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    No, but I used to. Needless to say I take security/privacy seriously, I have good reasons. If I toss a cheap consumer router on my network I am infiltrated within hours. At the very least, my home network makes a good testbed for security protocols and products. :p

    Also, I do not believe the security Sony used has been disclosed. I have heard everything from FireEye to Cyberoam was used. But most important.. Sony was hacked because they were lazy, and didn't have IT people that were observant, and likely didn't even have DLP activated on their network. Security software and firewalls aren't to blame. Incompetence and laziness were to blame. Sony was trying to make themselves look good. When the CEO uses the password 'sonyml3' you can't blame your software, blame your brain.

    http://www.billboard.com/articles/business/6413955/sony-security-kevin-mitnick-electronic-frontier
    McClure said that his research leads him to believe the breach was accomplished through some sort of social engineering, rather than by a computer program. One striking thing to have emerged from the data that the Guardians of Peace have so far disseminated is the lack of security around passwords at Sony, including the revelation of an embarrassingly simple password CEO Michael Lynton was apparently using. It’s a clear sign that the company did not have sufficient corporation-wide password standards. “There was clearly stuff going on with Sony’s security that was well outside of any industry best practice, and these were not one-offs but occurred en masse,” said Maiffret. McClure noted that using even the basic encryption tools native to Windows may have prevented a good deal of the damage. Electronic Frontier Foundation staff technologist Seth Schoen says that compromised passwords are a likely vector of infiltration in the hack, especially given Sony’s size.
     
    Last edited: Mar 9, 2015
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    @Mayahana

    This is interesting reading, keep it up. Sophos has a few other interesting free tools in addition to UTM. The Virus Removal Tool is one. I've been looking for something that I can cold scan hard drives with for infections.
     
  25. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Is there a single-board computer that we can use with Sophos UTM?
     
    Last edited: Mar 9, 2015