
With the XG17 out and in full swing, what does UTM9.x provide that XG17 doesn't?

I know it's a religion of Astaro, which I was a part of for many years, but now I have actually jumped on the XG17 bandwagon (although I have a full spare HD with UTM 9.5 in storage ready to be plugged in at a moment's notice).

Thus, I was wondering what are the pros and cons of running one vs the other, what does one introduce while the other takes away and vice versa.

Most of all, what are the capabilities of 9.5 that prevent one from switching to XG17?

If it's the GUI, then that's not enough; I have gone from Untangle 7 to Astaro to UTM 9 to now XG, I can deal with a GUI.

Thanks!



  • After several years with UTM, I feel like I finally understand it sufficiently to configure it correctly (effectively and safely). My brief attempt to learn XG was discouraging. Sophos does not seem to provide much concept documentation.

    It would be great if a real user would lay out the concept mapping. For example, UTM implements web proxy with the hierarchy of Filter Profile... Policy... Filter Action... then overrides and exceptions. What is the XG flow for this? I think it starts with user groups first, not source IP, but then what?

  • Hi folks,

    I have been running UTM for many years and am now running one XG. I went to XG because when I was working we were installing NGFs similar to XG configurations, which is a very different way of thinking compared to UTM.

    The UTM supports native IPv6, though the last couple of releases have introduced some bugs. XG has limited IPv6 support and is very difficult to configure: no auto re-assignment, no PPPoE support.

    The UTM mail relay is very easy to set up and manage; the XG, even in v17 MR-1, is extremely complex and I have not been able to get it to work after many attempts.

    The UTM DHCP/DNS are linked or linkable; on the XG the DHCP does not know about the DNS.

    The UTM has a secure NTP and DNS function; the XG has neither.

    The UTM is a pain to set up dual links; the XG is much easier, though v17 MR-1 has a minor bug with failover: it doesn't work.

    The UTM only scans POP3 and SMTP, while the XG will scan IMAP, POP3 and SMTP (and the S variants).

    The UTM IPS is very easy to tune; the XG is extremely difficult. There is promised improvement, but not sure in which version.

    The UTM supports VLANs in firewall rules; the XG does not.

    I am not 100% sure about the accuracy or effects of this: one uses VLANs at L2 and the other at L3, which is limiting.

    Both devices have very complex reports and can be fine-tuned.

    The XG report generation time is anywhere within 1 hour of the set time, depending on processor load.

    The UTM has lower throughput than the same-size XG, but I expect this will equalise as more functions are added to the XG to bring it to UTM function parity.

    The UTM and XG use different web site checking databases; the current XG version is being tuned, but seems to perform better (Sophos in-house).

    The XG GUI/menu system is improving with more cross links, but the groupings do not appear to be logical.

    The UTM has very comprehensive logging; the XG is improving, but has a long way to go to be very useful to security admins.

    The UTM is configured using the GUI; the XG uses a mix of CLI and GUI, and if your CLI abilities are limited like mine, you are always asking for assistance when the GUI is missing a feature.

    The UTM has good web server security, whereas the XG does not appear to work that well. I have not tried either; this is just repeating forum gossip.

    The UTM is a full-feature firewall and industrial strength; the XG is slowly getting there. My current opinion is the XG is suitable for small business and home use, and for those coming from other products, but for those coming from the UTM it is very lacking in functions. The XG is a very good training system for people looking to get into NGF security. There are schools and large businesses using the XG.

    I know Michael Dunn will disagree with some of what I have said, and if Billybob or Bill Roland read this they might add their 10c worth.

    Ian

    Yes, I know, very long-winded.


    Updated - fixed spelling/typing errors

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Since Sophos can't make up its mind on what to do with UTM, threads/discussions like these keep on popping up. The true answer is: try both and see which one is better for you; otherwise, read on...

    I am a big UTM fanboy and wouldn't even try to hide that fact. Having said that, I have been using XG v17 full time at home since the beta became available and can live with it mostly. But not all is well at XG, and to further add to what (Ian) has already outlined, here are my top gripes about XG.

    • UTM used the McAfee database for web categorization. XG uses Sophos, which is not that great when it comes to categorization. Most people only see that as OK: so a few ads get through, so what? The problem is that certain subdomains of legitimate domains have ads, trackers etc. and the Sophos database really fails here. For example, most Google domains are tagged as search engines. A lot of other CDNs are tagged as Information Technology incorrectly.
    • For some reason they can't get logging to work. Probably because the back end produces horrendous logs. Astaro always used open source daemons, and the in-house development tried to stick with regular conf files and logging, which makes verbose logging trivial in UTM. That is why it's so easy to then grep those logs and present them in the GUI. XG, which is derived from Cyberoam, comes from a philosophy of taking open source daemons, making a few changes to them and making them closed source (I have no actual proof of this other than all Cyberoam daemons are developed in-house. Looking at their firewall offering, I don't think their programmers were capable of writing their own daemons). In any case, the in-house daemons produce very few logs, so Sophos is having a hell of a time now creating verbose logging comparable to UTM.
    • If you have any clients that host their own SMTP server, don't even think about XG. No logs to know what happened to your mails, and the MTA is very limited in its capabilities.
    • OpenVPN is still stuck on a fixed port after almost 2 years of requests. Maybe v18... In the meantime a Chinese router can run OpenVPN on any port that you want. Try selling that to your customers.
    • Port names are stuck as port1, port2 etc. and you can't rename them. HR is having connectivity problems; hopefully you tagged your cables correctly with sticky tape [:|]
    • There is no way of knowing who or what is using all your bandwidth. Actually, there is really no way of knowing if your WAN link is completely saturated in XG other than users coming to you and telling you that you suck as a firewall admin. Nothing even remotely comparable to the flow monitor, which is not that great to begin with.
    • As Ian has already mentioned, no NTP server, so all your IoT devices and phones have to contact the internet for time. Even worse, if you have an in-house NTP/DNS server, there is no way to DNAT that traffic to internal servers, i.e. there is no way to write a rule "DNAT all NTP/DNS traffic, source IoT devices/cell phones, destination internet, to MY SERVER".
    • IPsec seems to be broken even after the release of v17 MR2, but I don't use IPsec so I will leave that for someone else.

    And finally, INTENTIONAL SABOTAGE AND DOWNRIGHT DESTRUCTION OF THE UTM9 platform. I have been using UTM since v4, and even though I could roll my own Red Hat Linux distros back in the day and run Snort and Squid etc. on separate boxes to protect my network, Astaro made it so simple. On top of that, the philosophy of sharing and caring that Astaro had is something that I greatly miss. After acquiring Cyberoam, Sophos has pretty much abandoned the UTM platform. Sandstorm is the only thing added to UTM other than mostly patches for vulnerabilities. Same old GUI since v7/8 days, same daemons (some optimized) and honestly, it is showing its age. They are still charging full prices for licenses and yet all the development is being done on XG. Whoever decided to kill UTM in favor of Cyberoam, most likely for cost-saving measures, probably ended up costing the company more in development time to get XG running.

    I can keep on rambling, but this is how it is, and although the usual people will come and say it's all good, it really is not.

  • Billybob said:
    And finally, INTENTIONAL SABOTAGE AND DOWNRIGHT DESTRUCTION OF THE UTM9 platform. I have been using UTM since v4, and even though I could roll my own Red Hat Linux distros back in the day and run Snort and Squid etc. on separate boxes to protect my network, Astaro made it so simple. On top of that, the philosophy of sharing and caring that Astaro had is something that I greatly miss. After acquiring Cyberoam, Sophos has pretty much abandoned the UTM platform. Sandstorm is the only thing added to UTM other than mostly patches for vulnerabilities. Same old GUI since v7/8 days, same daemons (some optimized) and honestly, it is showing its age. They are still charging full prices for licenses and yet all the development is being done on XG. Whoever decided to kill UTM in favor of Cyberoam, most likely for cost-saving measures, probably ended up costing the company more in development time to get XG running.

    I can keep on rambling, but this is how it is, and although the usual people will come and say it's all good, it really is not.

    100x THIS!!!!! Can't agree more! In 2 years our UTM subscriptions will be due again, and if the current state doesn't change we will probably not be renewing for 3 years again but look for options!

    ---

    Sophos UTM 9.3 Certified Engineer

  • Ben said:
    100x THIS!!!!! Can't agree more! In 2 years our UTM subscriptions will be due again, and if the current state doesn't change we will probably not be renewing for 3 years again but look for options!

    Well, at the pace of things today, I'm even wondering if these old-school gateways at a perimeter will still be relevant in 3 years. I mean DPI is a hack and nothing else; technologies like HSTS render such devices completely blind, disable pretty much any captive portal usability (yes yes, teach a user to request an http web site first, absolutely), and per definition annihilate MiTM DPI. Currently, I'm battling with SSO on a UTM in order to get the users fully authenticated; the gateway knows the user already, either per SSL VPN daemon, RADIUS WPA2 Enterprise WiFi auth and you name it, and I'm still not authenticated as a full gateway user (at the UTM layers), useless... This is so old school that I'm wondering really how long this will make any sense... In the end, with full encryption everywhere, the only really important piece of gear has shifted back to the endpoint, if you ask me...

  • Hi,

    they will still be relevant to stop open attacks on devices that do not go to the internet (and by inference have no real network security) and/or until IoT devices improve their security.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Mokaz said:
    I mean DPI is a hack and nothing else; technologies like HSTS render such devices completely blind, disable pretty much any captive portal usability (yes yes, teach a user to request an http web site first, absolutely), and per definition annihilate MiTM DPI.

    HSTS is irrelevant as long as the client has the XG's Certificate Authority installed and HTTPS scanning on. Any device that is in Active Directory should have the CA pushed to it automatically. Then Captive Portal and MiTM DPI work fine, even on HSTS sites. BYOD phones are a different issue because installing a CA on them is a pain.

  • Curious that you think that endpoints can be effectively protected. My experience is that there are always some that are misconfigured, so our strategy is to minimize mobile usage and rely heavily on good perimeter defenses.

    I put up a post 6 months ago, asking about defending mobile devices against malware and internal networks against infected mobile devices. I thought I would get some stories about how easy it would be if I bought more of the Sophos product line. But it received zero responses, not even a sales pitch. Certainly left me feeling that nobody else had a mobile device security plan that they thought was rugged enough to deserve bragging rights.

  • Oh no, not really, I do not think that EP can be "effectively" secured; I'm no endpoint solution expert at all. What I think is rather that they actually pretty much "are" at the end of encrypted traffic, which makes them under certain circumstances (like no DPI policy) the first in line to actually potentially discover what exactly that gathered content is... Hence my remark on the fact that I do think that more and more the EP should get more attention...

    Also, as somebody here said, installing a DPI cert on BYOD is now almost impossible, or at least very painful; I've tried on some of the latest Android devices; you simply can't get the cert to install (aside from in Firefox itself). (I haven't spent much time trying to hack my way around this really...)

    And also, when I've been talking about old-school gateways, that doesn't translate to Sophos "only"; it's pretty much the same standing with every vendor really.

    Cheers,

    -m-