- Sophos Community Edition 2019
- Sophos Knowledge Base
- Sophos Community Edition 2020
For an IT guy like me, who feels IT security is important both at work and at home, it is really welcome that Sophos offers XG Firewall free of charge for home use.
You can sign up for Sophos Home, a free anti-virus solution where you can manage up to three computers from a central management console.
Besides Sophos Home, Sophos has also long provided its firewall solutions completely free of charge for use in home environments. Both the Sophos UTM and Sophos XG Firewall products are available for free.
Sophos UTM is a firewall that has been around for many years now. It evolved from the Astaro firewall, which Sophos acquired back in 2011.
Sophos’ latest firewall product is called XG Firewall, a completely rewritten firewall really aiming at the future. This blogpost describes how to get and install Sophos XG Firewall Home Edition.
From the Sophos website:
“Our Free Home Use XG Firewall is a fully equipped software version of the Sophos XG firewall, available at no cost for home users – no strings attached. Features full protection for your home network, including anti-malware, web security and URL filtering, application control, IPS, traffic shaping, VPN, reporting and monitoring, and much more.”
This blogpost contains several steps. Use the following links to jump directly to any step, or continue reading for step-by-step instructions.
1: Get the software
2: Install the software
3: Registering and activating the firewall
4: Installation finished
Step 1: Get the software
Go to the Sophos website and click on Get Started.
Here you need to register for your free serial number that you need later during installation. You will receive the serial number by email. After filling in the details and submitting them, you’ll see the following page that confirms successful registration.
From here you can immediately download the ISO file that you need to install the software. When installing on a real physical computer, you need to either burn the ISO to a rewritable CD/DVD or write it to a USB memory stick using the Rufus tool. When using Rufus, remember to write in DD image mode, not ISO image mode.
Step 2a: Install the software
Before installing the firewall, be aware that the installation will completely erase the disk in the machine.
After starting the installer you get one warning that the disk will be erased and the opportunity to stop the installation.
Press ‘y’ to continue. The installation will start, and after a short wait it will tell you that the installation has finished. Remove the installer disk and press ‘y’ again to reboot the machine. After restarting, the system greets you with a password prompt.
Step 2b: Basic configuration
Enter the default password, admin, and press Enter; next, the End User License Agreement will show.
If you agree with the EULA, then press A, and the main menu will show:
The firewall is now ready to be set up from a web browser. It may, however, be convenient to first configure the IP-address of the LAN interface. The default IP-address is 172.16.16.16, which may not be reachable from the computer you use to configure the firewall. To change the IP-address, press 1 in the Main Menu for Network Configuration, then 1 for Interface Configuration. The system will show the currently configured and/or assigned IP-addresses for the LAN and WAN interfaces. First it will show the LAN interface (172.16.16.16/255.255.255.0); then, after continuing, it will show details of the WAN interface.
After showing both interfaces the system asks if you want to set the IPv4 Address. Choose ‘y’ and Enter to do so and fill in the correct values for your own network:
After you enter the correct values for your own network, it will show that the configuration is Done. The WAN-port cannot be set from here at this time. After confirming, the system will ask if you also want to set the IPv6 Address. If necessary, do so; otherwise just hit Enter for no.
The Network configuration menu will show again. Press 0 to exit to the main menu and 0 again to exit from the menu and log out.
Step 3a: Registering and activating the firewall
After setting up and preparing the IP-address of the firewall it’s time to start a browser on your management computer and browse to: https://<ipaddress>:4444 where <ipaddress> of course is the IP-address you have given the firewall’s LAN port.
You will see a certificate warning when you open the page. This is because of a self-signed certificate on the firewall.
It is safe to skip this specific warning, so by clicking on Advanced you can continue loading the website (different web browsers may show the warning somewhat differently).
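Skipping the warning can be made a one-time decision by recording the certificate's SHA-256 fingerprint on first contact and comparing it on later visits (trust on first use). This is an added example, not part of the original post or of any Sophos tooling; the pin file name and endpoint label are assumptions, and the sample certificate bytes are constructed.

```python
import hashlib
import hmac
import json
import ssl
import tempfile
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 4444) -> bytes:
    """Fetch the certificate the admin console presents, without validating it.

    Validation is skipped on purpose: the certificate is self-signed, so the
    fingerprint comparison below is what establishes trust.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store: Path, endpoint: str, der: bytes) -> str:
    """Trust on first use: pin an unknown endpoint, compare a known one.

    Returns "pinned" (first contact), "match", or "MISMATCH".
    A mismatch never overwrites the stored pin.
    """
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(der)
    known = pins.get(endpoint)
    if known is None:
        pins[endpoint] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "pinned"
    return "match" if hmac.compare_digest(known, seen) else "MISMATCH"


if __name__ == "__main__":
    # Constructed stand-ins for certificate bytes so the demo runs offline.
    # Against a real firewall use: der = fetch_der("<ipaddress>")
    first_cert = b"constructed certificate bytes, initial install"
    other_cert = b"constructed certificate bytes, a different responder"
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "xg_pins.json"   # hypothetical pin file
        endpoint = "firewall-lan:4444"       # hypothetical label
        print(check_pin(store, endpoint, first_cert))
        print(check_pin(store, endpoint, first_cert))
        print(check_pin(store, endpoint, other_cert))
```

A MISMATCH is expected after you deliberately replace the appliance certificate; in any other case it is a reason not to type the admin password into that page.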
After clicking on ‘Click to begin’ you first need to change the default admin password. If the WAN-port is already connected correctly (DHCP-address from modem or router), you can leave the checkbox to install the latest firmware automatically during setup enabled. You also need to accept the EULA once more and acknowledge Sophos’ Privacy Policy to continue.
After continuing, you’ll need to set up the firewall’s name and time zone.
The next step is to register the firewall (you can skip this step for the first thirty days, but after that you must register to keep the firewall up and running). You will have received the serial number by email after step 1 of these instructions.
After entering the serial number your firewall should be registered. For this you need to create a Sophos ID or log in to it if you already have one. From your Sophos ID you will always have access to your serial number and downloads at a later time.
After registering, the license can immediately be synchronized with your firewall.
Step 3b: Finishing basic configuration
After continuing the next step is to configure the LAN settings. Your IP-address is most likely already configured correctly, but you can also enable a DHCP server on the LAN if you need it or just disable it if you don’t.
Then the setup will ask which network protection features, if any, you would like to use.
The first three options are valid for Home Use; the last one, about Sandstorm, will not work in the Home Use version.
The description under each feature should be explanation enough.
Next step is to configure whether or not you would like to receive weekly backups by email automatically.
If you do want to receive the weekly backups, you also need to enter a password that is used to protect the configuration backup files. Do not lose this password, otherwise you will not be able to restore the backup at a later moment.
Next the system will show you a summary of all the selected options during the install, and after clicking on Finish the system will apply all the settings and restart automatically after it finishes.
You can now just wait; the page will refresh once the firewall has restarted and it will show you the login screen.
Step 3c: First login
After logging in for the first time, the system will ask you to create a secure storage master key. You can skip this step, but it will come back each time you log in, so it’s best to create one and make sure to save it somewhere secure. You will need this key when you need to restore a backup or import a configuration.
The system will ask you to confirm that you stored the key in a safe place so you can recover should you need it again (possibly not until after a few years).
Step 4: Installation finished
The basic installation is now ready. If you enabled a DHCP server, you can connect new computers to the LAN-side of the firewall and they will automatically receive a local IP-address and have their default gateway set correctly. In fact, these machines should immediately have access to the internet, protected by your newly set up XG firewall.
Now that your basic setup is complete, you may also want to read my article: Configure XG-firewall for Home use.
This article lists a few additional steps I recommend in a home-network.
Furthermore I highly recommend you to register an account in the Sophos Community. That’s the place where you can find a lot of information and highly skilled people that can quickly help you in case you run into problems or if you have some questions on how to configure certain settings in your situation.
If you like this post about Sophos XG, you may also like my other posts about Sophos.
Unified Threat Management (UTM) stands for complete protection. UTM systems filter incoming and outgoing network traffic, detect and prevent attacks, and block and quarantine viruses. If an appliance takes care of all these tasks, it needs to meet the customer's individual requirements precisely.
The UTM Firewall by Endian, a company founded in 2003, is one of the few open source firewalls available in both free and commercial versions. According to the manufacturer, more than 4,000 customers deploy Endian Firewall Enterprise, and more than 1.2 million users have downloaded the community edition. Both are based on the IPCop Linux distribution.
Although the free community variant is available for unrestricted free use in the enterprise, it lacks many of the features of the Enterprise Edition. Only the commercial version offers hardware appliances, virtual network drivers, professional support, a hotspot feature, and commercial-grade spam and content filtering. However, the community edition does provide the basic UTM functions, including antivirus, anti-spam, URL filtering, IPsec, and OpenVPN. It even protects larger networks easily. The ISO image of the community edition is available online [1]. If you want to test the Enterprise version, you can request a test key and the download link from the website [2].
Sophos UTM – first introduced in 2000 as Astaro Security Linux – has consistently focused on the needs of customers; it accordingly bills itself as 'the market leader for Unified Threat Management in Europe.' Although Sophos does not offer a community version, it does offer a home-use license for personal and noncommercial use. This license protects networks with up to 50 IP addresses and includes almost all features of the commercial version. The Sophos UTM Home Edition is available from the company's website [3].
For companies, Sophos also offers the Essential Firewall, a free version which, however, again only provides basic security functions. Except for the DNS proxy, it lacks all proxy-based features such as HTTP(S), SMTP, and POP3 and thus antivirus scanning, URL filtering, and application control. In terms of VPN protocols, however, IPsec and OpenVPN are missing; only L2TP over IPsec and the obsolete PPTP protocol are on board. At least, the former lets mobile devices such as smartphones connect via VPN. The installation medium for the Essential Firewall is available from Sophos [4].
Dosage Forms
Both Endian and Sophos offer their firewalls as hardware and software appliances. The latter both run on physical hardware and as virtual appliances. Sophos supports VMware, Xen, KVM, and Hyper-V.
Endian lacks official support for Microsoft's Hyper-V hypervisor. Although it can also be installed in a Hyper-V environment, it lacks drivers for the native Hyper-V network adapter, which limits the network bandwidth to a miserly 10Mbps. Additionally, full support for VMware and Xen is only available in the Enterprise version. Endian provides optimized images or virtual machines for the various hypervisors. Safety considerations for operating virtualized firewalls are discussed in the 'Virtualized Firewalls?' box.
A virtual firewall entails some risks: Its most important task is to isolate networks reliably from each other. However, in virtual environments, it is the virtual switches that keep the networks separate. This means the virtualization host is the highest authority. The security of a virtual firewall stands and falls with the security of the virtualization software used. If the host is compromised by a configuration error or a vulnerability in the hypervisor, the virtual machines and, ultimately, the firewall can be hijacked by an attacker. Most hypervisors have already been affected by such vulnerabilities [5][6]. A report by the IBM Security X-Force in 2010 came to the conclusion that one third of all hypervisors suffer from vulnerability gaps [7].
Virtualizing a firewall on the same host as internal IT resources (e.g., domain controllers or file or web servers) is generally inappropriate. If you do not want to do without the benefits of a virtualized firewall – rapid deployment of additional resources, as well as simple and inexpensive high availability – you should at least run it on a dedicated virtualization host.
HTTP(S) transports far more than just websites: With manipulations and tricks, almost any application can be tunnelled through this protocol. This approach works even better if there is no proxy between the server and the client. URL or content filtering alone is no longer sufficient to block resources, which is where application recognition comes into its own. It analyzes web traffic and discovers applications such as Skype, Facebook, Dropbox, and Google services by referring to patterns. Application recognition needs to update these regularly.
Both the Endian Firewall and Sophos UTM have appropriate modules. Endian blocks applications with the outgoing firewall; Sophos also supports traffic shaping and download throttling (QoS) at the application level.
The hardware appliances have the advantage that manufacturers tune their equipment exactly to the requirements of the software. Sophos uses only Intel hardware; Endian also offers Endian Mini, an ARM SoC (System on Chip) variant. The use of appliances normally leads to a leaner kernel than with software appliances, which also potentially need to support exotic hardware. The hardware solutions do not envisage upgrading, for example, the memory or hard disk capacity; hence, a small appliance only effectively supports small networks.
Licensing for software and virtual appliances is by protected IP addresses and users (see the 'Pricing Models' box). The reason is that the admin can expand the (virtual) hardware practically arbitrarily and thus significantly improve firewall performance.
Sophos and Endian offer their products both as hardware appliances and as software for installation on your own hardware or as a virtual appliance. Both provide licenses for their software and virtual appliances on the basis of user or IP addresses; no restrictions apply to physical appliances. Both manufacturers always provide software with identical functionality with their physical appliances. Small and large appliances do not differ in this respect; the usability scope depends solely on the hardware resources. An exception is the Sophos UTM 100 appliance with a BasicGuard subscription, whose license artificially restricts throughput and functionality.
Whereas Sophos offers a purely modular subscription model, Endian adds a maintenance model. Maintenance covers the basic functions of the Endian Firewall Enterprise, including Endian Network, and already includes – at Advanced Maintenance level – support by the manufacturer. Only third-party software such as the Panda antivirus scanner and Commtouch Content Filtering require an additional license from Endian.
Another difference exists in licensing for high-availability (HA) mode: In Endian's case, all appliances in active/passive HA mode of operation require maintenance and corresponding subscriptions. For Sophos, a license is sufficient, in principle, for active/passive mode.
Tables 1 and 2 contain the entry-level and mid-sized appliances from Endian and Sophos, with the recommended pricing when this issue went to press.
Endian Pricing
Model | Price | Maintenance | Price (1 year) | Total price (1 year) |
---|---|---|---|---|
Mini | US$ 995 | Advanced | US$ 385 | US$ 1,380 |
Mercury 50 | US$ 1,510 | Advanced | US$ 715 | US$ 2,225 |
Mercury | US$ 2,794 | Advanced | US$ 850 | US$ 3,644 |
Sophos Pricing
Model | Price | Subscription | Price (1 year) | Total price (1 year) |
---|---|---|---|---|
UTM 110 | – | BasicGuard Bundle | – | US$ 695 |
UTM 110 | US$ 595 | Hardware Only | – | – |
UTM 220 | US$ 1,275 | Hardware Only | – | – |
UTM 220 | – | FullGuard Bundle | – | US$ 2,870 |
Endian 3.0
Endian released the new version of its firewall in January. The version jump from 2.5.2 to 3.0 already shows that this is a major release. With the latest version, the developers have visually modernized the user interface and extended it to include other languages. In addition to English, Italian, and German, it now supports Japanese, Spanish, Portuguese, Russian, Chinese, and Turkish.
Cleaning up the GUI has also had a positive effect, especially in the VPN configuration dialogs. The dialogs in the past were not very intuitive, and the system lacked its own certification authority (CA) for certificate management. Additionally, several new features have been introduced, including the previously missing HTTPS proxy.
The outgoing firewall is now familiar with applications like Dropbox, Facebook, Twitter, and Skype and thus allows more finely tuned firewall rules (Figure 1). In version 3.0, the Endian Firewall also replaces the ntop tool for visualizing network traffic with its successor ntopng [8] (Figure 2). It also uses the new Application Control Module (ntop Deep Packet Inspection library).
Installing Endian Firewall
If you want to test the Enterprise Edition before buying, you will find an online demo on the Endian site. Alternatively, Endian provides test licenses for the commercial version but only with registration [2]. The activation code required for the installation and a download link for the ISO image are sent to you by email. Also, the community edition is available for free downloading.
Whether you use a physical system or a virtual machine for the test, you need a dual-core processor clocked at 2GHz, 1GB of RAM, and 20GB of free hard disk space. After completing the installation, you can initially access the web interface on the default IP address of http://192.168.0.15:10443. You need to use the passwords for the root user for shell access and admin for the web interface and register your account with the Endian Network for the Enterprise version. This cloud-based management center for Endian Enterprise installations lets you monitor the remaining maintenance period, as well as the hardware resources and your licenses – for example, for the commercial antivirus and URL filters.
The Endian Network also handles the installation of updates and the remote management of Endian Enterprise installations. Access for this purpose is via a reverse HTTPS or SSH tunnel. Additionally, the Endian Network provides a free OpenVPN client for Windows, Mac, and Linux as well as disaster recovery keys (USB images) for restoring Endian hardware appliances.
The Endian Firewall enables the most important services in the direction of the Internet following a default installation: HTTP(S), FTP, SMTP, POP3(S), IMAP(S), DNS, and ping. You can configure this under Firewall | Outgoing traffic. New firewall rules need to specify the source and target networks or the interface and the desired protocol.
Endian uses the same color coding as IPCop for the network interface (Figure 3). Green refers to the internal network (LAN), red to the external WAN interface, orange the DMZ, and blue the WiFi network. The new Endian version has an Application field that also lets you ban individual protocols or applications. For example, it prevents the use of Facebook and Skype:
This rule must come first in the outgoing firewall configuration. It is followed by a rule that allows HTTP to the outside and with no restrictions for applications.
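The ordering requirement can be checked mechanically. The following added example (not Endian's code or rule syntax) models an outgoing rule list under the assumption of first-match evaluation with a default deny, and flags every block rule that an earlier allow rule can pre-empt; the rule fields and sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

FIELDS = ("src", "dst", "service", "app")


@dataclass(frozen=True)
class Rule:
    action: str                    # "ALLOW" or "DENY"
    src: Optional[str] = None      # zone colour, None = any
    dst: Optional[str] = None
    service: Optional[str] = None  # e.g. "HTTP", None = any
    app: Optional[str] = None      # recognised application, None = any


def matches(rule: Rule, flow: dict) -> bool:
    """A rule matches when every field it sets equals the flow's value."""
    return all(getattr(rule, f) in (None, flow.get(f)) for f in FIELDS)


def evaluate(rules, flow, default="DENY"):
    """First matching rule decides; `default` applies otherwise (assumption)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one flow could match both rules."""
    return all(None in (getattr(a, f), getattr(b, f))
               or getattr(a, f) == getattr(b, f) for f in FIELDS)


def preempted_denies(rules):
    """(deny_index, allow_index) pairs where an earlier ALLOW can win over a DENY."""
    return [(i, j)
            for i, deny in enumerate(rules) if deny.action == "DENY"
            for j in range(i) if rules[j].action == "ALLOW"
            and overlaps(rules[j], deny)]


# Constructed rule set modelled on the text: GREEN = LAN, RED = WAN.
DENY_FB = Rule("DENY", "GREEN", "RED", app="Facebook")
DENY_SKYPE = Rule("DENY", "GREEN", "RED", app="Skype")
ALLOW_HTTP = Rule("ALLOW", "GREEN", "RED", service="HTTP")

AS_DESCRIBED = [DENY_FB, DENY_SKYPE, ALLOW_HTTP]   # block rules first
REVERSED = [ALLOW_HTTP, DENY_FB, DENY_SKYPE]       # allow rule first

FACEBOOK_FLOW = {"src": "GREEN", "dst": "RED", "service": "HTTP", "app": "Facebook"}
PLAIN_WEB_FLOW = {"src": "GREEN", "dst": "RED", "service": "HTTP", "app": None}

if __name__ == "__main__":
    for name, rules in (("as described", AS_DESCRIBED), ("reversed", REVERSED)):
        print(name, evaluate(rules, FACEBOOK_FLOW),
              evaluate(rules, PLAIN_WEB_FLOW), preempted_denies(rules))
```

With the allow rule first, the Facebook flow is admitted before the block rule is ever consulted, and `preempted_denies` reports both block rules as pre-empted.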
The integrated open source ClamAV antivirus scanner can be supplemented in the commercial version of Endian UTM by a license for the Panda antivirus scanner. It works with HTTP, SMTP, FTP, and POP3 proxies; the configuration is found below Services | Antivirus Engine.