
Setting up two UTM instances to overcome license limit

I was wondering if anyone has successfully deployed two Sophos UTM instances in virtual machines w/ the free 50 IP license in order to avoid going over the license limit. If so, how did you design your network topology? Also, is there any way to put certain IP addresses out of the scope of the UTM such that they don't count towards the license? I would only require simple routing to those IPs, not content filtering or anything else.


This thread was automatically locked due to age.
  • How much money did you willingly spend to acquire devices that consume more than 50 IP addresses in your home?

    Each of your cell phones probably cost more than one commercial license for UTM.

    Do you have any sense of obligation to the people who work hard to keep those 50+ devices away from the bad guys?

    Consumers, both business and residential, always want a deal, but we also need our suppliers to stay in business.

    Treat Sophos fairly. They could drop the home license program in a heartbeat and be none the worse for it.

    For the record, it seems foolish to ask how to violate a contract in a public forum, especially the public forum of the people whose contract you want to violate.

  • I am regretting being so difficult. I am sorry.

    Your question got me thinking about the "Internet of Things" (IoT for short). "Experts" are worried that the IoT is a huge security problem, because vendors either fail to design security into their products or because the products are too stripped-down to have room for security features. Either way, the end-user (often the homeowner) doesn't know until a breach occurs. One website infamously showed the security cameras from many homeowners' not-very-secure security systems. On another occasion, home cameras were used to create a DDoS attack against the DNS root servers. So protecting our appliances and our TVs from bad stuff is necessary, but is it possible?

    I am guessing that most of these devices create HTTPS sessions back to the vendor(s). You cannot do HTTPS inspection because you cannot install a UTM CA certificate on the device, and you cannot see anything useful if you cannot do HTTPS inspection. TVs and other streaming media may not use HTTPS, but even the UTM configuration pages do not recommend filters on streaming media because it is likely to create performance problems.

    For any of you homeowners who are hitting the 50-license limit, is it occurring because of IoT devices? If so, do you see any evidence that UTM is useful for protecting these devices?

    If only a few devices are receiving value-added services from UTM, then the reasonable answer to your question would be to split the network. Use UTM to protect the devices that can benefit (PCs and tablets), and bypass it for the others. Putting UTM in bridge mode behind a residential-grade firewall should allow you to have one subnet and one external IP address. But because most home devices are wireless, you would probably need two WiFi networks on separate hardware.

    If IoT is the next big threat to our networks, and we don't have a way to protect ourselves from sloppy vendors, what hope is there?

  • If your problem is just the 50 IP limit, then you could change to XG Firewall instead of UTM. In XG there's no limit on the number of IPs (but instead there's a limit on memory and, I believe, processor cores).

    Trying to use all kinds of "tricks" to circumvent the IP limit brings you into a grey area of what is and is not allowed. Having a different routed subnet behind your UTM will probably not help you, since these IPs are all traversing the UTM when they need to access the UTM's internal network. Only preventing some devices from using a default gateway or using double NAT will help in achieving this, but I think it's better to either buy a license or switch to another product (like e.g. XG).

    Yes I do think having a real next-gen firewall in a home environment adds to the overall security of at least your own devices and data (and privacy), but it's not something for every home (not everyone will be able to manage it).

    Having said this; security is not only implemented by having firewall technology; it should be something that is "by design" starting with the end-user; the end-user should check upfront if any new devices they are preparing to acquire are secure and/or have a record of fixing security holes when found and not walk to a store to blindly buy the first internet-connected device they see which has an attractive price.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and glad to help others with their IT security challenges.

  • I am wondering what will happen when somebody calls a manufacturer support line to say,

    "I think my laundry appliances have malware! My firewall indicates abnormally high traffic volumes coming from those devices and going to an unexpected country."

    I doubt that it will be an easy conversation...
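The firewall signal described in this post, as an added example that is not from the thread or from Sophos: a small Python script that sums outbound bytes per device and destination country from constructed key="value" log lines and flags devices sending an unusual volume to a country outside the expected set. The field names, the sample lines, the expected-country list and the threshold are all assumptions, not a real UTM log format.

```python
from collections import defaultdict
import re

# Constructed sample log lines in a key="value" shape; the field names and
# values are invented for this example, not a real UTM log format.
SAMPLE_LOG = """\
srcip="192.168.1.40" dstip="203.0.113.10" dstcountry="NL" bytes="120000"
srcip="192.168.1.40" dstip="203.0.113.10" dstcountry="NL" bytes="80000"
srcip="192.168.1.40" dstip="198.51.100.7" dstcountry="XX" bytes="48000000"
srcip="192.168.1.41" dstip="203.0.113.20" dstcountry="US" bytes="5000"
srcip="192.168.1.42" dstip="198.51.100.9" dstcountry="XX" bytes="3000"
"""

# Countries the household's devices are expected to talk to (assumption).
EXPECTED_COUNTRIES = {"NL", "US", "DE"}
# Outbound bytes to an unexpected country above which a device is flagged.
THRESHOLD_BYTES = 10_000_000
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Turn one key="value" line into a dict; None if required fields are missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"srcip", "dstcountry", "bytes"}.issubset(fields):
        return None
    try:
        fields["bytes"] = int(fields["bytes"])
    except ValueError:
        return None
    return fields

def egress_by_device(log_text):
    """Sum outbound bytes per (srcip, dstcountry), skipping malformed lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            totals[(rec["srcip"], rec["dstcountry"])] += rec["bytes"]
    return totals

def flag_suspicious(log_text, expected=EXPECTED_COUNTRIES, threshold=THRESHOLD_BYTES):
    """Return {srcip: {country: bytes}} for devices over threshold to an unexpected country."""
    flagged = defaultdict(dict)
    for (src, country), total in egress_by_device(log_text).items():
        if country not in expected and total >= threshold:
            flagged[src][country] = total
    return dict(flagged)

if __name__ == "__main__":
    for src, hits in flag_suspicious(SAMPLE_LOG).items():
        print(f"{src}: {hits}")
```

On the sample data only 192.168.1.40 is reported, because 192.168.1.42 also talks to the unexpected country but stays far below the volume threshold.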
