Sophos UTM

Discussion in 'other firewalls' started by Mayahana, Mar 6, 2015.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    From my experience, Sophos is VERY light on CPU, but heavier on RAM. 2GB RAM works fine, can't go lower... But my dual core 2.66 isn't being TOUCHED.. Rarely over 3% with load! I may examine lower wattage, cheaper solutions since it appears to work so well on low end hardware.

    Cheap Chinese Tiny-PCs will apparently work great.

    https://forum.pfsense.org/index.php?topic=75415.0
     
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    @Mayahana ,

    You are talking about Sophos UTM Home Edition?

    If you find more low end hardware solutions... :)

    I will have to find a solution for this in the future...
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    My executive report generated, covering last night at Midnight, to this evening at 5:30PM. Remarkable performance from this UTM I must say. It's as effective as the ZyXEL USG110 I was testing, and more effective than the Fortinet I was testing.

    24GB of traffic processed.
    230,000 sessions

    14,251 packets rejected by firewall.
    147 direct IPS attacks blocked.
    44,000 URLs blocked.
    19 viruses blocked.
     
  4. 142395

    142395 Guest

    Agreed, when a company follows terrible security practice virtually NO security product can protect them well. Security is not just deploying products.
    Also, even if we knew what product a compromised company used, it wouldn't add anything when we choose a product; we see such misunderstanding about the infiltration against the New York Times.
    Even when a company follows best practice, a targeted attack is a specially crafted attack to penetrate the victim. There are many ways to know what product the target is using, and a skilled attacker builds his attack based on that info, so the argument that "if the company used product X they could have avoided the compromise" is completely flawed logic, but I see this type of argument sometimes.
     
  5. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    RE: Terms of use post from the AV thread

    From what I have gathered from experience & exploring the Sophos User Bulletin Board, as long as devices such as Network Printers etc. that do not require direct internet connectivity have their default gateway left blank, they are not included in the UTM IP license total. The fifty IP limit can increase by a factor of 10% or a few percent more & the admin will be emailed by the UTM. Constantly remaining above the limit will result in IPs dropped off to compliance level.

    Another point to bear in mind is if the UTM TCP/IPv6 module is enabled any NICs utilizing this count as 2 X IPs in the licensing chart.

    As regards commercial environments, Sophos leaves this to the user's conscience to comply with their terms of use. Let's give Sophos due credit as, apart from a couple of small features, this is the full blown Enterprise pack and no other competitor in this field offers anything that comes close to this for free!!
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    So basically - they don't enforce compliancy, it's on a good faith program. It's TOUGH to restrict network appliances because when you do you run into issues. If you start dropping clients things can get ugly. Untangle runs the same way, also Untangle doesn't force you to count things like security cams and printers into the number. I disable IPv6 across the board anyway, so that's not a problem.

    I work on everything from ZyXEL (USG60-210+), and Fortinet's (40C-3000 series), and I must say Sophos UTM is the only true enterprise grade home solution for free, but also it's the only one that is a true Layer 8 NGFW. It rivals some of the 5 figure devices I work on in features, including ATP, WC, WAF, WP, DLP, VPN, IPS, AV, nothing really compares so far. Untangle is a joke in comparison, I don't even feel Untangle is anything more than a 'barely' adequate solution for SOHO and SMB, and even then with reservations. But Untangle seems to think they can compete on the enterprise market with that thing? Nevertheless.. Sophos is remarkably powerful! One of the best things is the seamless HTTPS inspection without certificate errors, which reminds me of the peel apart capabilities in the higher end Fortigates.

    Also think about the endpoint protection managed by the UTM. Fortinet does this, but not nearly as well, as Sophos leverages an additional engine (Avira + Sophos), and the deployment/management/control is VASTLY superior on Sophos. We deploy hundreds of managed Forticlients, and they really don't offer the control that we need in most cases.
     
  7. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    I agree.. M

    The only issue that I have found is that Avast's HTTPS web shield certs don't want to accept or play nice with the UTM HTTPS self-signed ones. This incurs pop ups for any HTTPS site when both are on.

    This is no drawback or criticism of Sophos as it's cheap to put a certified one on the UTM / purchase additional Sophos licenses. Or drop the web shield HTTPS from Avast & then use the Decrypt & Scan option from the UTM with no conflicts.

    Another small neat little feature that I like is the way you can prevent BYODs or any OS device connecting in the Global Web Filtering policy option. Well nice!!
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I haven't experienced any popups or cert errors with both engines on.
     
  9. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    Only happens to me when UTM Web filtering, HTTPS - Decrypt & Scan option is ticked. URL filtering only has no issues.
     
  10. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
    Credit where credit's due to Avast Business Security as it has blocked every bad guy & zipped nasty @ source that I have tested through HTTPS downloads. This leaves the Sophos UTM to blaze away well without having the additional intensive burden of decrypting, scanning & encrypting HTTPS traffic again.
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    No interest in the Sophos UTM 9 Endpoints? Layered may be better, but the UTM offers Sophos+Avira.. I respect Sophos AV more than most people because I know it has good heuristic detection, and can pick up things nothing else does. Also I like the HIPS on the endpoints.

    Honeypots, and Threat Centers all have Sophos in the top quadrant. +/- 1-3% from the top players except ESET which kills everything at the signature+heuristic level. (but I won't run ESET)

    http://threatcenter.crdf.fr/?Stats
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I decrypt only specific categories (phishing, malicious, download sites, etc), while leaving the inspection of ones not in the category unchecked. This takes a load off it, and it's not necessary IMO to decrypt everything.

    One thing I discovered today. If you use Sophos UTM Web Filtration, it will bypass your DNS filtration. So if you have Norton Connect Safe as your DNS, and you turn on Web Filter and block porn, Sophos appears to draw from its own DNS resources and totally ignore Connect Safe on 'classification' hits. My tests revealed the following:

    1) Connect Safe ON (family) - Web Filter ON (Porn)
    2) Hit websites Sophos MISSES on its porn filter, Connect Safe doesn't kick in.
    3) Disable Web Filter in Sophos.
    4) Hit websites Sophos misses, and Norton Connect Safe picks them up.

    My early conclusions are - DNS level Filtration of Categories. This is similar to how Fortinet does it. Therefore there is NO POINT in using anything but the fastest DNS if you use Sophos web filtration, as it will default to itself for category hits, then failover to the other DNS on non-category hits. So having BOTH offers - NO redundancy! It's not layering, it's not double protection, it's meaningless. The ideal way to catch non-specific PORN sites is to BLOCK uncategorized AND set the reputation threshold to block anything under websites with classifications. Then it blocks virtually every potential unknown porn site, because once it is in the classification, it's porn, if it isn't classified yet, it's blocked.

    Does that make sense?
     
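The resolution order described in the post above (UTM classification decides categorised hosts, the upstream DNS filter is only reached for hosts the UTM cannot classify, and "block uncategorised + reputation threshold" closes the gap) as an added model, not Sophos code or anything from the thread. All hostnames, categories and reputation scores are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed stand-in for the UTM's classification service: host -> (category, reputation 0-100).
UTM_CLASSIFICATION = {
    "example-adult.test": ("porn", 10),
    "example-missed.test": ("news", 80),   # a porn site the UTM mis-classifies (constructed)
    "example-shady.test": ("download", 35),
}

# Constructed stand-in for a DNS-level filter such as Norton Connect Safe.
DNS_FILTER_BLOCKS = {"example-adult.test", "example-missed.test", "example-unlisted.test"}


@dataclass(frozen=True)
class WebPolicy:
    blocked_categories: frozenset
    block_uncategorized: bool
    reputation_threshold: int  # hosts rated below this are blocked


# The two policies contrasted in the post: category-only, and category + uncategorised + reputation.
LOOSE = WebPolicy(frozenset({"porn"}), block_uncategorized=False, reputation_threshold=0)
STRICT = WebPolicy(frozenset({"porn"}), block_uncategorized=True, reputation_threshold=50)


def utm_decision(host, policy):
    """Verdict of the UTM web filter alone: (verdict, reason)."""
    entry = UTM_CLASSIFICATION.get(host)
    if entry is None:
        return ("block", "uncategorized") if policy.block_uncategorized else ("allow", "uncategorized")
    category, reputation = entry
    if category in policy.blocked_categories:
        return "block", f"category:{category}"
    if reputation < policy.reputation_threshold:
        return "block", f"reputation:{reputation}"
    return "allow", f"category:{category}"


def combined_decision(host, policy, web_filter_on):
    """Models the observed behaviour: with the web filter on, any host the UTM can
    classify (or blocks as uncategorised) never reaches the upstream DNS filter."""
    if web_filter_on:
        verdict, reason = utm_decision(host, policy)
        if host in UTM_CLASSIFICATION or policy.block_uncategorized:
            return verdict, "utm:" + reason
    # Only unclassified hosts (or everything, with the web filter off) fall through to DNS filtering.
    if host in DNS_FILTER_BLOCKS:
        return "block", "dns-filter"
    return "allow", "dns-filter:pass"
```

Running `combined_decision("example-missed.test", LOOSE, True)` reproduces step 2 of the post (allowed, DNS filter never consulted), while the same host with the web filter off reproduces step 4.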
  13. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    130
    The Intel NUCs have only one ethernet port. Is that a good choice, or would we be better off going with the box mentioned in the link to the pfSense forum Mayahana posted on the next page?
     
  14. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    You need 2 ethernet ports, however if there is one USB and one Ethernet, I suppose you could use an Ethernet to USB adapter. But I would look for a Mini-ITX with dual ethernets, and make sure they are Gbe. A lot of mini-itx boxes are 10/100.. No go for me, my entire network is Gbe, and my connection is 180Mbps.
     
  15. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta

    Mayahana .. Cheers for the feedback.

    I will probably stay on the Avast Business route even though I have very high respect for Sophos, Eset & a few more in the Endpoint protection arena.

    Reasons being are that with ABS I can easily manage all endpoints on my sites from one portal. I find the additional protection provided by the Hardened Mode aggressive module excellent. The product is ultra-light on resources, very fast in all areas & plays nicely with IMAP Outlook accounts.

    Another big plus is that going in this direction I have just saved myself a "few thousand Euros per year" on AV licensing costs without degrading the security layer.

    Regarding our HTTPS traffic topic, I too came to the conclusion that it ain't necessary for the UTM to decrypt & scan every packet.

    I will check out the DNS filtration as I have had all of our sites covered by Open DNS accounts for years & have currently set Sophos UTM only monitoring (blocking) the Criminal, Suspicious & Uncategorised Categories, with blocks on everything below Suspicious threshold.
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Does anyone know how to install it on a VMware ESXi server? Do I need 2 physical network cards hooked up? Thanks.
     
  17. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    130
    Studied a bit about pricing in China.

    Price of an Intel NUC with i3-4010U is 2199; that's without memory and hard disk. On the other hand, Biostar B85 Dual-GBE ITX motherboard (459) + Box Core i3-4150 (759) + In-win Mozart (359) + 4GB DDR3 (199) + 120GB SSD (379) costs 2155, and one can definitely reduce some more by using a cheaper case, lower-end CPU and HDD.
     
  18. MikeMT

    MikeMT Registered Member

    Joined:
    Feb 7, 2015
    Posts:
    63
    Location:
    Malta
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Guess I'll ask for help there if I run into any troubles. When I looked into getting pfSense working on the hypervisor, some say you can use 1 physical NIC and a VLAN or something.

    Well anyhow, I will try rerouting the home network and see what'll happen.
     
  20. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    New Firmware update today..
     
  21. 142395

    142395 Guest

    As to USB/PCMCIA for a 2nd NIC, I heard this.
    I hope somebody can confirm this.
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    My dad owns the network, and doesn't want to re-route it. I tried to set up the hypervisor to filter only some guests, but failed because the subnet is always pulled from the router and the Sophos default subnet is different. Maybe I'll try changing the subnet to be the same as the hypervisor later on.

    Since he doesn't want to re-route it, I guess I could try a USB adapter. Hopefully that will still allow me to connect to the rest of the network. Overall, this is very much an experiment rather than a practical application so far.
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Create your own subnet, then toss Sophos on it. Do a 10.1 or if your main router is 168.1, use 168.2..

    Also, I am IMPRESSED.. Now Sophos seems to actually proxy the downloads for AV scanning, and give a progress bar, then release the file to you once it's ready.
     
  24. coolcfan

    coolcfan Registered Member

    Joined:
    Nov 1, 2008
    Posts:
    130
    Zotac ZBox also has some dual NIC models.
     
  25. taytong888

    taytong888 Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    168
    Could you show which models? The Zotac boxes available in Canada's ncix dot com have only ONE NIC!
     