Sophos XG Home Edition UTM with Orbi?

sjoberge
Aspirant

Sophos XG Home Edition UTM with Orbi?

Hi, all!  To call me a n00b would be fair - so please, speak simply.

I currently have FiOS Coax internet 50/50 service in my home.  This requires their Quantum G1100 Gateway router, so I'm necessarily running my Orbi in AP mode.  However, I'd like to add a stronger firewall to my home.  I'm considering waiting for the BitDefender Box 2, but since the first generation Box was unimpressive (as it lacked any sort of deep packet inspection), I'm tempted to build a chromebox to handle Sophos' free software XG Home UTM.  But before I go through the significant learning curve involved in this build and implementation, I was wondering if anyone had any thoughts or advice on whether it is feasible to incorporate an external firewall with the Orbi?

Thank you in advance!

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 1 of 4

Accepted Solutions
Flash008
Luminary

Re: Sophos XG Home Edition UTM with Orbi?

Same setup I have.

Started with SonicWall 10 years ago, then moved to Sophos UTM 3 years ago, moved to Sophos XG 9 months ago.

Orbi running in AP mode (required).

Sophos handling all router, firewall, and deep packet needs I have. Full visibility of what is happening, and with whom, on my network.

20 years of I.T., mostly in infrastructure, network, security and architecture. I cannot believe the TRUST people put into these consumer-level products. IP cameras, home automation, cloud services with all their data, etc., etc.... And not one of these Netgear, ASUS, and other consumer-level products offers a single ounce of real protection.

Two friends in the past 2 years called me, saying they got hit with ransomware. Nothing I could do to help them (no backup). The FCC 2 months ago wrote a public letter to D-Link telling them to stop claiming their IP cameras were secure with the cloud. The FCC says a 5-year-old with basic hacker skills could break through the cheap code D-Link uses on their products. I am sure Netgear is no different.

And the list goes on, and on...

I run Sophos. Full IPS, App control, A/V and Malware/Spyware scanning, SYN, TCP, UDP, ICMP flood control. And I am considering making a "small" investment into a real Sophos license so I can use SandStorm for Zero-Day threats.

If you turned on the news today and heard the WikiLeaks CIA bombshell, which now every hacker and terrorist has... Then add the Snowden NSA leaks, then add the FBI and Interpol ransomware statements (we cannot stop it, and we cannot recover your data)... I cannot understand why people just can't open their eyes that they need a Sophos FW running in their homes, and they should stop putting so much blind trust into the $200 consumer routers and cloud services with "Pretty GUIs"....

Even if you have nothing to hide and fear, it still doesn't help when you wake up one day and find all your family photos, important documents and other non-replaceable data fully encrypted with ransomware, or find your girlfriend, wife and daughter's pictures photoshopped on some porn site... with you thinking, "How did they get that"....

Message 2 of 4

All Replies
sjoberge
Aspirant

Re: Sophos XG Home Edition UTM with Orbi?

Thank you for this, Flash008!  I’m not in IT, and I’m quickly becoming aware of exactly how vulnerable my network is.  I can probably speak on behalf of the average Joe’s ignorance of their vulnerability, having been one myself: I think it’s a matter of willful blindness.  When I installed my smart door lock, for instance, I knew it wasn’t as secure as a standard lock – but I really wanted to be able to unlock the door when my hands were full.  And really, what are the chances someone’s really going to choose my house to hack?  But the fact remains, if I want to be able to unlock the door without a key, and I’m not worried about security, why have a lock at all?

You mentioned that you are running Sophos XG.  I’m presuming you’re running Sophos XG Home, but are you running it on Sophos XG hardware?  Since you’re considering expanding it, I presume you’re satisfied with it, and it is working smoothly in conjunction with your Orbi?

Thank you, once again, for helping to open my eyes.  I’ll have to do some more research to understand your acronyms – Full IPS, SYN, TCP, UDP, and ICMP flood control.  This is quite the rabbit hole, I’m finding!

Message 3 of 4
Flash008
Luminary

Re: Sophos XG Home Edition UTM with Orbi?

Yes, I am running XG. Coming from UTM there are things I miss. Understand that Sophos UTM is the more mature product, but Sophos is moving to XG so you should take the XG path. They have been slow on porting the UTM features to XG, so people such as myself are frustrated to lose features such as IPv6 DHCP-PD (XG doesn't support Prefix Delegation, YET... Required for ISPs which offer native IPv6 with DHCPv6).

XG does have the far better interface and excellent reporting.

I do prefer PAN (Palo Alto Networks) and Juniper, but I am not willing to pay the price to own them. Hence I go with Sophos, which is free.

I am running Sophos on a VMware VM. VM is the better way to go. You can buy cheap Intel i-7 boxes for $500 or less with 8GB RAM all day. Buying an appliance locks you into the hardware limitations. And when you want to upgrade to new hardware in the future, you simply move the VM to the new PC. Or upgrade your existing PC.

No problem with Orbi.

You should be prepared for slower "responding" Internet. Any TRUE security IPS firewall means delay on webpage loading and "some" apps' ability to login. Example: my Internet connection is 300/30 Comcast (California). With Orbi as the router, pages load FAST. Sophos and other IPS firewalls mean an extra 3 seconds of loading time. Logically, every object must be scanned by the IPS engine, along with any extra AV/malware or content filter scans you enable. It's the price you pay for TRUE security.

As for downloads, I still get my full 300Mbps. It only affects the webpages and makes them feel less responsive.

My area is scheduled to get Comcast 1 Gigabit service sometime this year. From what I have read from other Sophos users with Verizon FIOS, Google and ATT Fiber... I hear Sophos handles itself very well with gigabit Internet connections. I may soon try this myself. Another reason to go with VM. Appliances are hardware locked. If the appliance you buy is not capable of a faster Internet speed you want 1-2 years from now... you are screwed... With a VM with an Intel CPU and 6GB RAM... I can do anything I want.

Definitions:

IPS - Intrusion Prevention Services

SYN - SYN flooding is a method hackers, viruses, etc. use to perform Denial of Service (DoS) attacks. TCP, UDP and ICMP are the types of packets they use to execute these attacks.

Three types of Firewalls:

Port Based firewall - Basic open-or-closed-door firewall (from the 1990s). If the door is closed you don't get in. If open, you do. With everything we do on the Internet today, with applications coming and going in both directions, this method offers no security.

IDS - Intrusion Detection - Orbi can only perform IDS. A basic low-paid bouncer at the front door of the bar checking IDs, and maybe a pat-down. But no real guarantee that someone with SKILLS can't easily bypass your low-paid bouncer with a fake ID and a weapon hiding in their butt. It does not learn or have any form of artificial intelligence to see new potential threats.

IPS (with Deep Packet Inspection) - Intrusion Prevention - Same as IDS, but requires a far more powerful CPU and software. Every packet of data will be opened and inspected for code or behavior that "doesn't look right". Using daily (or hourly) definition files the firewall downloads, it knows of "known" threats, and can easily see that activity hiding inside the packet and stop it. Effectively a better-paid bouncer with a full body scan x-ray machine, and a full forensic lab where every person wanting in must go through a full DNA blood check to ensure they are not carrying a pathogenic virus.

The next form of security is ZERO-Day threats.

To name a few:

Sophos - Sandstorm

Palo Alto Network - WildFire

FireEye - FireEye

IPS is really good, but still requires being taught about new threats via definition file updates, which normally are available every 24 hours. But new, fast-moving threats (less than 24 hours old, hence the name "Zero-Day") can sneak by IPS. So now they are giving firewalls their own ability to learn new threats on their own. And if the firewall sees something it is not sure of, it will upload it to the firewall OEM and have their security team inspect it.

Welcome to the new Internet of 2017..... Where everyone is potentially infected with HIV or some life-killing super virus, and if you don't have proper protection... well, it's only a matter of time. Sometimes due to no fault of your own.

Message 4 of 4
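To make the distinction in the previous post concrete (a port-based filter never reads the payload, an IPS with deep packet inspection matches it against a definition file, and SYN flood control counts half-open connection attempts per source), here is a small added example. It is not code from this thread or from Sophos; the packets, the allowed-port policy, the signature list and the flood threshold are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample packet model (not captured traffic).
@dataclass
class Packet:
    src: str
    dst_port: int
    flags: set          # TCP flags, e.g. {"SYN"} or {"ACK"}
    payload: bytes = b""

# Hypothetical policy: only web ports are "open doors".
ALLOWED_PORTS = {80, 443}

# Hypothetical signature list standing in for a vendor definition file.
# Real IPS definitions are far richer; these are constructed markers only.
SIGNATURES = {
    "sig-test-marker": b"HYPOTHETICAL-MALWARE-MARKER",
    "sig-shell-banner": b"HYPOTHETICAL-SHELL-BANNER",
}

def port_based_verdict(pkt: Packet) -> str:
    """1990s-style filter: the door is open or closed; the payload is never read."""
    return "allow" if pkt.dst_port in ALLOWED_PORTS else "drop"

def dpi_verdict(pkt: Packet, signatures=SIGNATURES):
    """IPS-style check: same port policy, but the payload is opened and
    compared against every known-threat signature before it is allowed."""
    if pkt.dst_port not in ALLOWED_PORTS:
        return "drop", None
    for name, pattern in signatures.items():
        if pattern in pkt.payload:
            return "block", name          # known threat hiding on an open port
    return "allow", None

def syn_flood_sources(packets, threshold=5):
    """Flood control: count bare SYNs (SYN without ACK) per source and report
    any source exceeding the threshold. A real firewall does this per time
    window; the window is omitted here to keep the logic visible."""
    counts = defaultdict(int)
    for p in packets:
        if "SYN" in p.flags and "ACK" not in p.flags:
            counts[p.src] += 1
    return {src: n for src, n in counts.items() if n > threshold}

# Constructed traffic sample: a normal HTTPS handshake, an SSH attempt on a
# closed port, an HTTP POST carrying a signature on an open port, and eight
# bare SYNs from one documentation-range address.
SAMPLE = [
    Packet("10.0.0.5", 443, {"SYN"}),
    Packet("10.0.0.5", 443, {"ACK"}, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.7", 22, {"SYN"}),
    Packet("10.0.0.9", 80, {"ACK"}, b"POST /upload HTTP/1.1\r\n\r\nHYPOTHETICAL-MALWARE-MARKER"),
] + [Packet("198.51.100.23", 80, {"SYN"}) for _ in range(8)]

if __name__ == "__main__":
    for pkt in SAMPLE[:4]:
        print(f"{pkt.src}:{pkt.dst_port}  port-based={port_based_verdict(pkt)}"
              f"  dpi={dpi_verdict(pkt)}")
    print("SYN flood sources:", syn_flood_sources(SAMPLE))
```

The fourth packet is the point of the example: the port-based filter allows it because port 80 is open, while the DPI check blocks it because the payload matches a signature. The SYN counter reports only the source that sent eight handshake openers without ever completing one.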