Sophos

Status
Not open for further replies.

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I can't test my VPN remote login until Monday but so long as the internet works, everyone will be happy here.
OpenVPN Connect for Android or OpenVPN for iOS. They work great for testing VPN over cell network
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
OpenVPN Connect for Android or OpenVPN for iOS. They work great for testing VPN over cell network
My flip phone doesn't support those features, I can't even get a smiley face to show up. Didn't you know that I'm an old man.

However I do appreciate the comment, maybe my wife will let me use her smart phone (LOL, never gonna happen).
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Glad to hear it. I may be upgrading to the latest version today. I'm on 9.402-7 right now and the new version is 9.403-4. I actually haven't heard many bad things at all, almost all of it was good.
Yeah, I am glad, too... I really hate it when things go sideways, and yesterday was a really bad day for my equipment: Sophos lost internet, my living room media player went MIA... But today I got both fixed. Incredible what a couple of hours of tranquility can offer (no wife and kids around, lol..)
EDIT: Pulled the trigger and did the Sophos update, all is working so far. I can't test my VPN remote login until Monday but so long as the internet works, everyone will be happy here.
Thanks for letting me know! I am actually on 9.402-7, too and I will schedule for the update for tomorrow night at 3 am.
But TBH, I'm still considering switching to pfSense... While I adore the Sophos interface and all the things it does automatically which save you a lot of time, at the same time I hate that it does not have more settings for already implemented things... A simple example that gets on my nerves is UPS support. While it recognizes my USB-connected Eaton and displays the current capacity on the dashboard, that's pretty much it.
I would like more info, like current load for example, as well as the ability to allow remote monitoring via NUT.
I mean it does use NUT and does send alerts when disconnected or on battery. But people are also asking for the ability to have a config page for the UPS for a long time now, which is not happening..
It would be nice to have my monitorix connected to it, along with my other UPS and see all info...
 

Rand

Guru
Joined
Dec 30, 2013
Messages
906
EDIT: Pulled the trigger and did the Sophos update, all is working so far. I can't test my VPN remote login until Monday but so long as the internet works, everyone will be happy here.

You could enable HTML5VPN (if your cellphone supports html5;))
Its not quite the same but at least some kind of remote access (verification)
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
I would like to ask a question here, because I honestly hate the new Sophos forum...
If anyone can help I would be happy (not really important, though)
So here it goes:
My WAN nic is connected to an ADSL router (bridged mode)
I read that you can go to Interfaces and add an additional address in order to be able to access the modem. Has anyone done this?
Asking because I tried giving an additional address but I see no place to bind it with my ADSL router. No matter what address I enter, it is always up and active and the network can ping it normally.
Makes sense since I guess it creates a virtual address, but how to bind that to the ADSL router, in order to access its interface?
EDIT: OK, till now I was trying to access the additional address using http. I gave it a try using https and it redirected to the VPN user portal...lol...
Something is wrong there... or simply what I want can't be done...
To answer my -very- old question, here, in case anyone with an ADSL line is interested.
(Yes, today I had to find some time to look into this, because I had about 150 disconnects and the ISP told me that it must be my modem, because on their end things seemed fine... So I performed a factory reset on the modem and set things up again)
Anyways, in order to access the web UI of the modem, I set a static IP (a different subnet than my main network, of course) and set an additional address of that subnet on the WAN interface of the UTM.
The first time I set this up I didn't bother changing anything, just set it to bridge mode and I had internet.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I'm finally at the point, financially and time, where I can repurpose an old AMD A8-3870K (FM1 socket, 65W). My question is; does Sophos benefit from dual-channel RAM or is a single stick sufficient? Not that I wouldn't use the second stick, just curious.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I'm finally at the point, financially and time, where I can repurpose an old AMD A8-3870K (FM1 socket, 65W). My question is; does Sophos benefit from dual-channel RAM or is a single stick sufficient? Not that I wouldn't use the second stick, just curious.
It depends on how much traffic you're pushing through it... for normal home usage, a minimum 4GB should be used, with a max of 6GB (mine normally hovers at a little over 2GB of RAM usage).
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I'm finally at the point, financially and time, where I can repurpose an old AMD A8-3870K (FM1 socket, 65W). My question is; does Sophos benefit from dual-channel RAM or is a single stick sufficient? Not that I wouldn't use the second stick, just curious.
Makes no difference to be honest. The LAN/WAN traffic is so slow that it will not be noticeable and your CPU is more than fast enough.

Have you decided if you will be using Sophos UTM 9 or XG Firewall? The latter is the most current product. I'm not sure how much longer UTM will be supported. XG Firewall has two limitations, which are 4 CPU cores and 6GB RAM. There is no limit of 50 IPs as in UTM. If you have a modern home, 50 IPs is pretty easy to hit. I think I'm at 43 IPs right now.

EDIT: I just checked the Sophos support site and the UTM has no current deadline, so it will be produced for at least a few more years.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Makes no difference to be honest. The LAN/WAN traffic is so slow that it will not be noticeable and your CPU is more than fast enough.

Have you decided if you will be using Sophos UTM 9 or XG Firewall? The latter is the most current product. I'm not sure how much longer UTM will be supported. XG Firewall has two limitations, which are 4 CPU cores and 6GB RAM. There is no limit of 50 IPs as in UTM. If you have a modern home, 50 IPs is pretty easy to hit. I think I'm at 43 IPs right now.

EDIT: I just checked the Sophos support site and the UTM has no current deadline, so it will be produced for at least a few more years.

I signed up for the XG license. The 50 IPs brings up a question I had regarding my network setup. Is there an advantage to letting Sophos handle the DHCP or can I continue to let my ASUS router manage the DHCP to save on the max IPs? The planned trace would be

Cable modem
...Sophos box
.......ASUS router
...........AP
...........clients
...........switch
................clients
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@diedrichg You can, however any local IPs routed through Sophos will count against the allocated 50 available.

@joeschmuck Have they finally ported everything over to XG from UTM yet, as I know when I tried it again late last year it was still missing substantial pieces of UTM that hadn't been ported over. (I know Sophos was shooting for summer of this year to have everything ported over, but I misplaced the bookmark for the Sophos news page.)
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
IIRC, only those IPs with static mappings count on the total of 50; I may be wrong, though...
Last time I attempted to use XG I was disappointed; perhaps it is improved now, don't know. Perhaps @joeschmuck has tried one of the latest versions of XG and can provide some more info.
I - personally - have no plans to move to XG, unless they create a migration tool to port everything from the UTM. If this doesn't happen and UTM goes EOL, I will think about moving to pfsense, my hardware is capable enough. I am very pleased with the UTM, though, so this won't be an easy decision
@diedrichg regarding resources :
These are the active modules I have:
(screenshot: utm.JPG, list of active modules)


And this is the usage:
(screenshot: utiliz.JPG, resource usage)

The above is with a core i3-4130 CPU

I don't have a big home network, though; not tiny either (38 IP addresses in scope of license ATM)
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
@diedrichg You can, however any local IPs routed through Sophos will count against the allocated 50 available.

@joeschmuck Have they finally ported everything over to XG from UTM yet, as I know when I tried it again late last year it was still missing substantial pieces of UTM that hadn't been ported over. (I know Sophos was shooting for summer of this year to have everything ported over, but I misplaced the bookmark for the Sophos news page.)
This is the correct answer for the UTM IPs, it doesn't matter who generates the IPs, 50 is all it will pass for the UTM.

I upgraded XG the other day and was quite surprised at the feature set, see link below for full listing of features.
https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophosxgfirewallflna.pdf?la=en
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I upgraded XG the other day and was quite surprised at the feature set, see link below for full listing of features: XG Firewall FLNA
Right, but that doesn't show whether they've fully ported UTM to XG. XG was released in 2015 (it was wholly unusable through 2016 due to the missing features), with Sophos' plan being to have UTM fully ported over to XG by mid-2017. As of Dec 2016, XG was still missing quite a few UTM features, and Sophos does have a news article on their site they regularly update with what has and has not been ported over, however I either misplaced the Bookmark or accidentally deleted it.

I - personally - have no plans to move to XG, unless they create a migration tool to port everything from the UTM. If this doesn't happen and UTM goes EOL
UTM will continue to be supported for however long Sophos supports their SG UTMs (hardware), which will likely be far into the 2020s, as they can't EOL UTM until they've EOL'd the hardware UTM was developed for. Since SG UTMs are still being sold with SLAs, it's a safe inference EOL will likely not occur before 2025. -> See this post by @joeschmuck
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I signed up for the XG license. The 50 IPs brings up a question I had regarding my network setup. Is there an advantage to letting Sophos handle the DHCP or can I continue to let my ASUS router manage the DHCP to save on the max IPs? The planned trace would be

Cable modem
...Sophos box
.......ASUS router
...........AP
...........clients
...........switch
................clients
I would suggest you create a text document or spreadsheet that lists all your LAN IP addresses and prepare to assign these things out. For example:

192.168.1.1 - Sophos
192.168.1.2 - Asus AP
192.168.1.3 - Router
192.168.1.4 through 192.168.1.9 (spare)
192.168.1.10 through 192.168.1.29 DHCP
192.168.1.30 FreeNAS Main Machine
192.168.1.31 through .39 FreeNAS Jail IPs
192.168.1.40 --------- More stuff

192.168.1.100 Dad's Cell Phone
.101 Mom's Cell Phone
.102 Yet another cell phone
.103 DirecTv
.104 BluRay Player
.105 (spare)
----
.120 Main Computer
.121 Second Computer
.122 Yet another computer

So the goal here is to establish static IPs and this would be done in Sophos. And the reason why is because sometimes you want to just bypass all the firewall/protection/blocking and if you assign static IPs, you can then push those items into areas that will either be a DMZ or similar. So in the situation above I would take items like DirecTv, BluRay Player, Roku, Internet Radio, etc... and put those on a DMZ. Cell phones could be on a little more restrictive access but not a DMZ. Computers of course are fully protected. But you get my point. And anything on the DHCP gets full protection as well.

I have run into issues where some items like my internet radio or Samsung TV would not realize there was a firmware update and by placing them in a less protected area, it allows them to work normally.

But this is just what I did, it helped me sort things out. If you find a nice way to use DHCP to get the same results, I'd love to see it posted.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
So the goal here is to establish static IPs and this would be done in Sophos, and the reason why is because sometimes you want to just bypass all the firewall/protection/blocking and if you assign static IPs, you can then push those items into areas that will either be a DMZ or similar. So in the situation above I would take items like DirecTv, BluRay Player, Roku, Internet Radio, etc... and put those on a DMZ.
I'm not sure it's a wise idea to place "smart" electronics into a DMZ, as that further exposes them to becoming bots for DDoS attacks (as occurred several months back). "Smart" electronics should be NAT'd with redirects, however this isn't always possible if the required port forwarding for the device is not able to be found. I personally recommend putting all "smart" electronics and game systems on their own VLAN/WiFi network, with specific firewall rules for sharing/casting content from PCs/phones if one utilizes media sharing/casting for those specific devices.

Cell phones could be on a little more restrictive access but not a DMZ.
I personally recommend for all smartphones/tablets to be placed on their own VLAN/WiFi network separate from all other devices, including PCs, with the same sharing/casting policy as above. The reason why is due to the amount of data mining that occurs with apps from app stores and the fact that too often malicious content is found within apps that have millions of downloads.

I have run into issues where some items like my internet radio or Samsung TV would not realize there was a firmware update and by placing them in a less protected area, it allows them to work normally.
If you don't have children in the home, or people for which web filtering is necessary, it should be disabled, which will solve the above issue (if it's due to Web Filtering). Web Filtering should only be enabled if absolutely necessary since it will always cause a maximum throughput of ~30Mbit/s on devices it's applied to.
  • If you don't have Web Filtering enabled, the other way to solve this:
    1. Adding all devices to Sophos as both a Host and a DNS host
    2. Creating Network Groups for those devices and adding applicable devices to it (DNS Host & Host)
    3. Creating firewall rules for the Network Group.
 
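The spreadsheet-style address plan in joeschmuck's post above, the per-zone VLAN and firewall-rule approach in zoomzoom's reply, and ChriZ's earlier note that the bridged modem's management address must sit in a subnet that does not overlap the LAN can all be checked mechanically before any rule is committed. The following is an added example, not code from this thread or from Sophos; it is plain Python using only the standard library, and every device name, address, zone, port number and the modem subnet in it is a constructed assumption. It validates a plan (addresses inside the LAN, not inside the DHCP pool, no duplicates, modem subnet disjoint from the LAN) and then evaluates a default-deny inter-zone policy, so you can see that a PC may cast to an IoT device while the IoT device cannot initiate anything toward the PC or the NAS.

```python
"""Address-plan and zone-policy checker (added example, not Sophos code).

Models the "list every LAN address and give it a zone" approach from the
thread and the "default deny between VLANs, explicit casting rules" advice.
All addresses, names, zones and ports are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"

LAN = ipaddress.ip_network("192.168.1.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.1.10"),
             ipaddress.ip_address("192.168.1.29"))
# Assumption: the bridged ADSL modem keeps its own management subnet, reached
# through an additional address on the WAN interface; it must not overlap LAN.
MODEM_MGMT = ipaddress.ip_network("192.168.100.0/24")


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    zone: str  # infra, trusted, phones, iot or dmz


# Constructed plan following the spreadsheet layout in the post above.
PLAN = [
    Device("sophos", "192.168.1.1", "infra"),
    Device("asus-ap", "192.168.1.2", "infra"),
    Device("freenas", "192.168.1.30", "trusted"),
    Device("dads-phone", "192.168.1.100", "phones"),
    Device("directv", "192.168.1.103", "iot"),
    Device("bluray", "192.168.1.104", "iot"),
    Device("internet-radio", "192.168.1.110", "dmz"),
    Device("main-pc", "192.168.1.120", "trusted"),
]

# Allowed *initiator* flows between zones; anything not listed is denied.
# Reply traffic is assumed to be handled by stateful connection tracking.
# Port numbers are assumptions chosen for the example (casting/mDNS, NTP).
POLICY = {
    ("trusted", "wan"): ANY,
    ("phones", "wan"): ANY,
    ("dmz", "wan"): ANY,
    ("iot", "wan"): {("tcp", 80), ("tcp", 443), ("udp", 123)},  # updates, NTP
    ("trusted", "infra"): {("tcp", 443), ("tcp", 22)},         # admin from PCs only
    ("trusted", "iot"): {("tcp", 8008), ("tcp", 8009), ("udp", 5353)},  # cast, mDNS
    ("phones", "iot"): {("tcp", 8008), ("tcp", 8009), ("udp", 5353)},
}


def validate_plan(plan, lan=LAN, pool=DHCP_POOL, modem=MODEM_MGMT):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if lan.overlaps(modem):
        problems.append(f"modem subnet {modem} overlaps LAN {lan}")
    seen = {}
    for d in plan:
        ip = ipaddress.ip_address(d.ip)
        if ip not in lan:
            problems.append(f"{d.name}: {ip} is outside {lan}")
        if pool[0] <= ip <= pool[1]:
            problems.append(f"{d.name}: {ip} collides with the DHCP pool")
        if ip in seen:
            problems.append(f"{d.name}: {ip} already used by {seen[ip]}")
        seen[ip] = d.name
    return problems


def zone_of(ip, plan=PLAN):
    """Zone of an address; DHCP-pool clients count as trusted, as in the post."""
    addr = ipaddress.ip_address(ip)
    for d in plan:
        if ipaddress.ip_address(d.ip) == addr:
            return d.zone
    if DHCP_POOL[0] <= addr <= DHCP_POOL[1]:
        return "trusted"
    return "unknown"


def is_allowed(src_ip, dst, proto, port, plan=PLAN, policy=POLICY):
    """Decide whether src may open proto/port toward dst ('wan' or a LAN address)."""
    src_zone = zone_of(src_ip, plan)
    dst_zone = "wan" if dst == "wan" else zone_of(dst, plan)
    if src_zone == "unknown":
        return False  # unplanned address: nothing is permitted
    if src_zone == dst_zone:
        return True  # same zone, no firewall between the two hosts
    allowed = policy.get((src_zone, dst_zone), set())
    return allowed == ANY or (proto, port) in allowed


if __name__ == "__main__":
    print("plan problems:", validate_plan(PLAN))
    print("pc -> bluray cast:", is_allowed("192.168.1.120", "192.168.1.104", "tcp", 8009))
    print("bluray -> nas smb:", is_allowed("192.168.1.104", "192.168.1.30", "tcp", 445))
```

The point of `is_allowed` is the asymmetry: the IoT and phone zones can only initiate toward the WAN (IoT only on the listed ports, which is what lets a TV or radio fetch its firmware without being reachable from anywhere), and only the trusted zone opens sessions into the infra and IoT zones. Sophos UTM expresses the same thing as hosts, DNS hosts, network groups and firewall rules rather than a Python dict, but these are the checks worth running against the spreadsheet before typing those rules in, and the DHCP-pool collision check catches the classic mistake of handing a device a fixed address that the pool will later lease to someone else.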

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I would suggest you create a text document or spreadsheet that lists all your LAN IP addresses and prepare to assign these things out. For example:

192.168.1.1 - Sophos
192.168.1.2 - Asus AP
192.168.1.3 - Router
192.168.1.4 through 192.168.1.9 (spare)
192.168.1.10 through 192.168.1.29 DHCP
192.168.1.30 FreeNAS Main Machine
192.168.1.31 through .39 FreeNAS Jail IPs
192.168.1.40 --------- More stuff
Awesome suggestion! Thanks. I have about a dozen static IPs set already but I hadn't considered starting fresh with an organized and logical list like you mentioned. I doubt I would think of a better way than what you have listed but I'll keep good notes with anything I find that may be of interest with XG.

My final pieces of hardware are being shipped (used Silverstone uATX HTPC case with power supply, used Intel 2-port NIC, and a CPU cooler. Yes!, during an office cleaning session a while back I apparently threw the FM1 stock cooler in the recycle bin thinking I would never use it again. *sigh). I then won't be able to assemble it until the end of the month because I go to work tomorrow, come home next week, it's then anniversary weekend followed by the eclipse and then back to work for another 8 days.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I'm not sure it's a wise idea to place "smart" electronics into a DMZ, as that further exposes them to becoming bots for DDoS attacks (as occurred several months back). "Smart" electronics should be NAT'd with redirects, however this isn't always possible if the required port forwarding for the device is not able to be found.
You are absolutely 100% correct. I should not have used DMZ so frequently. I actually pass only a few items via DMZ (the Internet Radio is one of them), the other items are only behind a NAT. I'd say about 80% (wild guess of course) of my devices are under full protection. The cell phones are under normal firewall protection but it's minimal, but that is because I already have protection on the cell phones as well and I hear less complaining this way from the family. Thank God I have a Flip Phone.

If you don't have children in the home, or people for which web filtering is necessary, it should be disabled, which will solve the above issue (if it's due to Web Filtering).
I have a wife and father who love to challenge me with "there is something wrong with my computer" and I need to figure it out. Since Sophos I have not had those words uttered, but I have heard that the internet is screwing up again, like that was my fault o_O.

Web Filtering should only be enabled if absolutely necessary since it will always cause a maximum throughput of ~30MBytes/s on devices it's applied to.
Hum, I don't think I've ever hit that issue. Do you by chance have a reference for that? I would actually like to read about it as that is the first time I've heard about a limit. I do understand that the filtering will slow traffic down but I would have expected the hardware speed would be the bottleneck, not a hard 30MB/sec limit. If that is true then I will need to rethink who gets the filters.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@joeschmuck There's documentation somewhere on Sophos' site regarding the 30Mbit/s limit on devices going through web filtering, and if you do a speedtest on your network on devices which are running through the web filter, you'll end up topping out around 30Mbit/s (best I've seen is 32Mbit/s). The reason why is all packets must be scanned, and if it's HTTPS, the packet is decrypted, scanned, then re-encrypted with Sophos' Web Filter CA. This only applies to connections to/from WAN, as LAN traffic should not be affected since it should not be passing through the Web Filter.
  • Web filtering doesn't provide any type of protection except content restrictions, allowing one to restrict content available to devices behind it, and is why unless one has children accessing the network that need to have their traffic managed to prevent access to different types of content, it's recommended to leave Web Filtering disabled.
If you misconstrued it as offering malware protection while browsing, UTM offers the Endpoint Security installer, which is excellent at catching malware infested sites and adverts (the antivirus/HIPS portion of it is horrendous, but the scanning of web traffic is spot on).

As for the DMZ, the main concern is IoT devices (home theater receivers, harmony remotes, nest, smart tvs, etc.) which are highly susceptible to being exploited as botnets in a DDoS attack, which is exactly what occurred several months back with thousands of IoT devices.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
@zoomzoom I just checked out your signature and noticed a case I've never heard of before; the In Win Chopin. What a beautiful case! It looks fantastic for a Sophos mini-ITX box. What do you think of it?
 