
Time to Move on

After many years of my time researching (even reporting a DOS inside of Astaro v4), advocacy, and finally reselling, I have had to make the decision to move on due to Sophos now practically ignoring smaller partners (mostly silvers) and a general lack of code quality.  I finally could not beat my head against a door of developers, both on the forums and in private, telling me I was wrong over and over when I could prove I was correct... even with the backing of this wonderful community.  If my reputation in this community and my track record of accuracy was not enough to get me at least a bit of cred with the devs.....

I have since moved to pfSense and now have an IPS system that doesn't need 4 GHz of CPU power and multiple simultaneous clients to have high-speed traffic processing.  I am also hooking clients that need only basic firewalls (not UTM) up with the Ubiquiti firewalls as well. Please hit me up on my Facebook page or at my business blog if you want more information.

I have enjoyed my time within this community even if Sophos made my time with them not pleasant behind the scenes.   I have let my partner software licenses (XG and SG) and Home expire, and with a sad heart I say goodbye to this wonderful community.  I hope Sophos eventually gets their act straight, and I tip my hat to those who stick with it.

Sincerely,

William Warren



  • William

    I see your name in replies to a lot of the forum posts I have been reading recently so I value your opinion and so this is interesting to me.

    I am a long time 'IT guy' of 15+ years and have not had a huge amount to do with UTMs/Gateway devices in the past as I'm mainly a Microsoft Server specialist. My limit has basically been your typical router with port forwarding where required.

    So I have a family with kids and my home router was not up to the job (not fast enough and not enough features), so I looked around and from a long list decided to try Sophos UTM first (Untangle and pfSense were on the shortlist too).

    The more I learn about Sophos UTM the more I am concerned that this is not a good fit for my requirement. What you say above and also (here) makes me wonder if the Sophos UTM is really fit for purpose when so many workarounds are required to allow 'the modern internet' to work. For example I switched on Web Protection this weekend and immediately the kids came to me because Amazon Prime and Netflix had broken on their iPads. Sheesh. I don't want to turn this into a 'how to fix' request, I'll try some of the other threads I have bookmarked before I come back and ask here.

    My requirement is fairly typical of a home network (and also likely fits many small/medium businesses too):

    • Protection from 'the bad guys':
      • Malware 'executables' and scripts etc.
      • Phishing sites and other URLs that you don't want people to go to for whatever reason
    • Fast Internet connection with minimal interference in 'normal internet' traffic:
      • Web surfing obviously
      • Streaming media of all kinds
      • Allow fast downloads (peer to peer (legit stuff obviously), Dropbox, OneDrive, Steam updates, etc.)
    • Block traffic when required:
      • Time based (stop the kids waking up in the dead of night and watching Netflix!)
      • Category based (for me this is mainly about protection from Malware)

    Beyond that I am not sure I really need anything much more complicated. For example, I am not sure I need a device that does IPS. I don't run servers on my LAN, so really no traffic needs to come from WAN to LAN unless in response to an outgoing request, so I am not sure what an IPS really adds.

    So I think this is on topic for the post: what can do this job for the home if not Sophos UTM? I see you recommend pfSense. I need to look at it again, but I got the impression in my first look that it was just a basic firewall and that I needed to use Sophos UTM or Untangle to meet my requirements.

    Any thoughts?

    Ian

  • Hi Ian,

    You can set up the UTM for some serious protection without using all the features. Enabling web protection with URL filtering or using the ATP features will give you anti-virus, etc., on incoming traffic.

    As a home user you don't need any of the workarounds. It does native IPv6 if interested.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I will certainly not give up right away; I need to try some of the workarounds I have found so far.

    I am intrigued by your comment about IPv6; why is that important?

  • Excuse us, William, while we temporarily hijack your thread. Everyone gets very excited about IPv6, so I thought you should be aware.

    And you don't need workarounds on the UTM if you are a home user.


  • rfcat_vk said:

    Excuse us, William, while we temporarily hijack your thread. Everyone gets very excited about IPv6, so I thought you should be aware.

    And you don't need workarounds on the UTM if you are a home user.


    IPv6 is still borked here on Comcast with UTM.  I got tired of them telling me I was wrong when I can point to more than a few threads.  If they have fixed it... good... they'll break it again later.  Keep in mind SG is a dying breed.  XG is the Sophos future... SG is just a cash cow they are milking.


    pfSense and IPv6 = heaven.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    pfSense w/Suricata, ntopng,

    Other add-ons to follow

  • Mine worked well until UTM 9.5b

    Mine was working native on Internode in AU. No special tricks required. Turned on IPv6 at the ISP and UTM and bingo, IPv6 appeared.

    About to add details to a thread in the 9.5 forum on IPv6.


  • It seems like IPv6 is something that 'normal home users' should never need to worry about. At worst you might end up being given an IPv6 public IP, so you will need a router that can handle that, and then translate all IPv6 arriving at the edge to IPv4 for those devices on the LAN that need IPv4 (or route IPv6 for newer devices that can use IPv6). To me it seems pointless forcing oneself along the IPv6 path; IPv4 works, and ISPs won't make home users abandon it until they have decent working alternatives in place. Anyway, just my 2 pence.

    I need to look more at the UTM being replaced by XG; from what I can gather from comments here, XG is not a mature product yet. If anyone can point me at a good comparison post between the two, that would be great.

    If pfSense is not a good Sophos replacement (and opinions seem to vary), what are good alternatives? Is Untangle worth the $50/year?

  • We were using Cisco 5520s in conjunction with Untangle. It worked. However, we now use the UTMs.

    I've used pfSense as well. Very good firewall, although comparing it to the UTM is like comparing apples to oranges.

    As for XG, my last look at it a month ago sort of frightened me off. I can see some good things but equally, I'm not quite sure I like the GUI as it stands.

  • Hi guys,

    I have both UTM and XG. Installed the XG to see what it is like and be an active member of the beta environment, similar to the UTM.

    Currently the XG is powered off because I am retiring shortly and cancelled my second ADSL connection.

    If you have a simple home setup and don't want any fancy firewall filters then the XG will be for you. If you have come from a UTM environment you will be very disappointed with the XG.

    I have been using the UTM since 2005 and have been very active in all facets of its development, so I can speak with experience on the comparisons.

    XG v20 might be good, but at this stage it is only vapourware; we are still waiting for v17b to see if it lives up to the hype and promised improvements.

    This is not the first time I have posted these comments.


  • I agree. I think it has a long, long way to go before it catches up with the UTM. I sort of get the feeling that this is like a Windows 95 & NT scenario, with it all eventually merging into Windows 2000/XP....

    But at the minute, the XG is just a step too far....

  • Ian B said:
    If pfSense is not a good Sophos replacement (and opinions seem to vary), what are good alternatives? Is Untangle worth the $50/year?

    pfSense is a great firewall, and BSD flavors have always been very stable. William is looking at it from a reseller's point of view, and pfSense is very robust and very competitive considering the licensing costs. Plus it's mostly set it and forget it. I travel a lot, and almost every other week I am at a hotel that is using pfSense as their gateway. You can't beat FREE, especially when it's rock stable and can do most of the UTM functions if set up correctly. I haven't tested Untangle in a long time, but UTM9 was a far superior product when I compared it to Untangle years ago.

    For a home user, the choice is pretty clear. If you like messing with configs and want to download packages separately from your base install... go with pfSense or even IPFire.

    If you like everything bundled for you for free... Go with UTM or XG.

    For home use, you will mostly need filtering, AV protection, QoS, and sometimes time quotas. I feel UTM has an edge on filtering; AV is the same for XG and UTM; QoS for home use is great in XG, but UTM uses CoDel qdiscs, which is good for bufferbloat, but you can always throttle XG lower than your allotted upload and bufferbloat is not a problem. Time quotas are a toss-up between the two.

    If I had never used any of the Sophos products, I would go with XG, as that is what they are working on and is the future of Sophos. If you want a more robust/stable build, go for UTM9. XG gives you an unlimited license compared to the UTM 50 IP license, so the choice is yours.

    IPv6 is the future, but NAT pretty much secures IPv4 for home use in the foreseeable future. I jumped on IPv6 when it was first introduced in Astaro and turned it off after using it for exactly one year. If your environment doesn't need it, you don't get anything extra by using IPv6.

    As far as exceptions/exclusions for streaming devices, you will have to do some exclusions no matter which firewall you choose. There are many KB articles that show you what URLs/IPs to exclude. I personally don't scan my streaming devices, so it's not a problem, but I can see it being a problem on tablets/smart phones etc.

    In the end, more choices is a good thing. Try them all and you will more than likely end up with XG / UTM, or Untangle if you are willing to pay for their nicer features. pfSense or similar if you like stability but don't mind adding packages and tinkering with firewall rules and a messy QoS setup.


    Louis-M said:
    I sort of get the feeling that this is like a Windows 95 & NT scenario, with it all eventually merging into Windows 2000/XP....

    Yeah, but Microsoft merged 95 with NT. XG is 95 in this case.

  • Thanks Billybob, that is a very useful, comprehensive overview, much appreciated!

    I've had a look at pfSense and IPFire and I think that, for me, there is too much command line involved in adding and configuring features (packages) that are not native. When I've done this for other devices in the past (NSLU2 etc.) I've found that these are fine when they work, but when they don't it's a beast to work out what went wrong.

    I think I will persevere with UTM9 for the moment and see how I get on; if that doesn't work out I'll give XG a spin and take it from there.

  • I am not looking at it from a reseller's perspective.  BB, you should know me better than that.  How many years have I advocated for Astaro/Sophos only to be told I was wrong (I wasn't) or ignored (very often)?  Now I can tell you that behind the scenes, which most people do not see, I am actively ignored and told even more forcefully I do not know what I am talking about.  The volumes I have written on this software and the detailed descriptions of issues I see, along with the documentation I provide, are not a side job in terms of the time it takes to handle this.  Ever since Sophos took this product... they let go EVERYONE from the original Astaro team, and the replacements are.... unsatisfactory... it speaks volumes.

    Want to know what I resell?  One thing... anti-malware... that's it.  Everything else is a one-time purchase.  I also manage a couple of SonicWalls.  With the exception of their infuriating interface (the XG is actually BETTER here), their stuff... just works... and works well.  It is not as cheap as Sophos, but at this point... I want what works.  I have found another vendor that carries SG/XG UTM devices AND SonicWall devices.  For clients that really need UTM I'll point them to SonicWall.  Now that I have pulled off the UTM blinders, the number of clients in my business size that really NEED UTM is.... nearly zero.  Proper policy, network design, and ongoing maintenance eliminate the need for and operation of a complicated UTM-type device.

    XG is the future, but it boggles the mind... they are throwing away what was a leading security UTM for one that is widely known in the industry as a secondary player.  Web A/V is really useless now with HTTPS everywhere unless you want to mess with HTTPS interception (that's shaky for anyone).  I have pfSense running here with Suricata using the web UI with zero issues.  I can also EASILY hit a gigabit without having to make multiple streams go or without having to push the HTTP proxy into overdrive to ramp up the CPU for Snort to work at full speed.  I currently have 4 2.5 GHz Xeon CPUs dedicated to my pfSense VM with Suricata, and 1 gigabit happens easily as the load gets spread across all 4 cores and my CPU doesn't have to get slammed to max speed.  Sure, I lose DPI (but that doesn't work properly inside of UTM, so that's no big loss), and I do not have to touch the CLI to get this working.  I have robust VPN services available by default and the system is rock stable.

    Want to know how much I have touched the CLI in pfSense for configuration?  ZERO.

    Something else.  Resource requirements and RAM usage.  I have 8 gigs assigned to the VM, and I had 8 gigs assigned to the Sophos UTM VM. Same host machine with the same CPU allocations.  I have Suricata active on 4 of my 5 interfaces.  Want to know my RAM usage?  2 gigabytes out of 8 with ZERO swap.  NO MEMORY TWEAKS REQUIRED.  My now-deleted UTM VM ran 2 gigs with ZERO modules active and 5 firewall rules.

    Now this is apples to oranges... in a way.  I do not have content filtering, I do not have the DPI (again, doesn't work properly anyway), and I do not have web filtering.  My extensive internal testing, though, was just base firewall to base firewall.  pfSense RAM usage... 10% of 8 gigs, so about 800 megs.

    I still have a couple of UTM devices deployed.  One is a FullGuard machine (due to how many modules he needed, it was cheaper to go FG).  This is an SG115W machine.  Using HTTP proxy (web A/V, application control, content filtering) and Snort, it runs at 3.0 gigs of RAM usage.  That's not telling the whole story.  This machine got into more than 50% swap as well.  Sophos thinks swapping is fine, so they have no issues with it.  When the appliances were HDD based this was a huge performance hit.  Now they have SSDs in these devices, which help, except for the write endurance of the SSD they are chewing through.  How did I "fix" this?  I had to reduce the report retention to minimum, disable web A/V and put the Snort rules on a 6 month expiration.  Still showing 3 gigs of usage but with a 15% swap... still not working as planned, because a properly tuned Linux machine would never swap.  The issue isn't Linux... the issue here is Sophos's code is wildly inefficient.  I long ago had to advocate for years that a 2 gig minimum was not enough.  It took more than a year of constant reports of machines going into high swap and even totally locking up for Sophos to increase the base memory.  4 gigs for a Sophos minimum is not enough.  8 is the realistic minimum.  I have an SG105 that, as we know, only has two gigs of RAM in it.  Sophos behind the scenes knows good and well that this is unsupportable.  When I talked to them directly about this situation I was told that yes, 2 gigs is not enough for both HTTP proxy functions and IPS to function.  They know this is insufficient... but so far... crickets.

    I am not trying to pour sour grapes, but Sophos has badly mismanaged UTM and continues to badly mismanage it.  My issues are with how they have totally murdered the functionality of UTM and, despite their assurances to the contrary, use UTM as their cash cow until they can figure out how to get Cyberoam (XG) from a secondary player in the market to the forefront.  Newsflash, Sophos... you have a leading product already in SG.  Look at their actions.  Where do the new technologies and features go first?  XG.  I had somebody reach out to me this morning via e-mail pleading for help.  What was telling was he said he has gotten Sophos Professional Services involved (he bought an XG) and they have no idea how to make the XG work with his network.  This has been ongoing for 4 months.  He has since installed SG on it hoping to get better help.  I have pointed him to his nearest Platinum partners and told him to talk to these folks, and hopefully they can get it working.  I also told him if not... I would re-up the SonicWall he has already working, because at least not only does the appliance work but Dell's tech can keep it working well for him... it just costs more.

    Now with pfSense going with Suricata on 4 interfaces... 20% RAM usage... MAX and ZERO swap.  UTM with base firewall and Snort in the same configuration... 3-4 gigs usage.  That's apples to apples there.

    You can see my network and the hardware I am using for my VMs here.

    Oh, and IPv6 works perfectly on pfSense... UTM 9.x?  Nope.  When will IPv6 work on UTM9?  Who knows.  That's just another major issue that has yet to be fixed... and that is considered basic functionality in ANY firewall these days.

    If Sophos was not mishandling UTM so badly and reducing its security with unfixed problems in the proxy and other areas, I would happily continue to resell it.  For me and my clients... that simply isn't the case.  I now have other products I am testing and deploying.  pfSense w/Suricata is one of them... UniFi/EdgeRouters are another.  I do not consider IPFire a serious player... that's just me.  I also tried Endian, WatchGuard and Smoothwall community before deciding on pfSense and Ubiquiti.  I will check back on Sophos UTM products once SG goes away and/or XG becomes a first-rate product..... It could be a long wait.