RESET Forums (homeservershow.com)

Can i get by with Sophos Home edition?



The reviews I have read on the Google OnHub haven't been very good.

I can't wait for my Luma 3-pack as I have the same issues as the original poster.

Another question. I believe it is Sophos that limits you to a certain amount of IPs. I have around 50 items on my home automation network, not counting all the PCs, tablets, PCs, phones, media streamers, etc. I assume the home automation isn't just seen as a hub; if so, I am well beyond the device limits for the free version.

I am with you, I can't wait to get the four Lumas I pre-ordered so I can put it through some testing. Good catch about the 50 IP limit; however, that is only on the old Sophos UTM for home use. The new Sophos XG has no such limit, but rather they limit the CPU to 4 cores and 6GB of memory. This is more than enough for home use.

Edited by itGeeks

Popular Posts

people have been speaking about 'sophos' without distinguishing between UTM and XG versions. that may muddy the resulting discussions. in any case, a network that stops like that probably causes yelli

I was speaking to Sophos about purchasing an XG unit because I hadn't really understood the home version. To me, home versions usually are cut down, and I wanted more features and not something average home users wanted (in general). So I wanted to make sure something like the XG 85 was sufficient. The person on the phone told me she recommended the XG 135 for my size/needs. I was like WHAT? When I asked for clarity on what I said that made her think a solution that big and expensive was the right solution, she said the number of devices. I said but they are that, devices, not people. I asked what is an XG 85 targeted at? She said 4-5 users. I said I am 4-5 users. Does she consider a device the same as a user? It seemed way overkill and a major upsell to me. Specific detailed questions couldn't be answered by the Sophos rep. I'm technical, but I am not a net op so I couldn't believe my questions were too much.

If this is for home use there is no need to purchase the hardware and pay the high prices for Sophos. That's a complete waste of funds. The home license/install on your own hardware is the very same protection you get with the business version, with the exception that there is no 'heartbeat' integration and you're limited to 4 cores and 6 GB of memory. This is more than enough for home use. I have an upwards of around 60 devices with anywhere from 5-8 users and never had a problem.

schoondoggy

I was referring to recent disclosures of a hard-coded ssh password that allowed fortinet into your router - they said it was not a vulnerability but rather an authorization issue. their patch did not remove or change the password, but will most likely allow them in in the future if they 'knock on' the right ports for it to open up again. hence the statement that they believe they need to be able to get into your fancy router without your permission.

The SSH vulnerability came from an option that allowed Fortinet products to talk to each other: http://blog.fortinet.com/post/ssh-issue-update

well, so it is a feature, but guess what - fortinet still has the password. are you 100% sure they will never ever use it?

schoondoggy

well, so it is a feature, but guess what - fortinet still has the password. are you 100% sure they will never ever use it?

No, I am not, that is why it is referred to as a vulnerable issue. Of course, if they did access it, it would show up in your log files.

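As an added example (not part of the original posts, and not Fortinet or Sophos code), one way to check log files for the kind of access discussed above: it flags accepted SSH logins for accounts the owner did not create, or from outside the management network. The OpenSSH-style line format, the `admin` and `vendor_mgmt` account names, the addresses and both allowlists are constructed assumptions.

```python
import ipaddress
import re

# Assumption: OpenSSH-style syslog lines; an appliance will use its own format.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Hypothetical policy: accounts the owner created, networks they manage from.
ALLOWED_USERS = {"admin"}
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines (documentation address ranges, made-up accounts).
SAMPLE_LOG = """\
Jan 12 08:01:12 fw sshd[812]: Accepted password for admin from 192.168.1.20 port 50122 ssh2
Jan 12 09:14:55 fw sshd[901]: Failed password for root from 203.0.113.7 port 41812 ssh2
Jan 12 09:15:03 fw sshd[903]: Accepted keyboard-interactive/pam for vendor_mgmt from 203.0.113.7 port 41820 ssh2
Jan 12 11:30:41 fw sshd[955]: Accepted publickey for admin from 198.51.100.9 port 60211 ssh2
"""


def audit_ssh_logins(log_text, allowed_users=ALLOWED_USERS, allowed_nets=ALLOWED_NETS):
    """Return (user, source, reasons) for each accepted login that breaks policy."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are not successful access
        reasons = []
        if m["user"] not in allowed_users:
            reasons.append("unknown account")
        try:
            src = ipaddress.ip_address(m["src"])
            if not any(src in net for net in allowed_nets):
                reasons.append("outside management network")
        except ValueError:
            reasons.append("unparseable source")
        if reasons:
            findings.append((m["user"], m["src"], reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in audit_ssh_logins(SAMPLE_LOG):
        print(f"{user} from {src}: {', '.join(reasons)}")
```

Run a check like this against logs forwarded to a separate syslog host, since logs stored on the device are only as trustworthy as the device itself.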
schoondoggy

The problem is, there are people out there actively looking to exploit that vulnerability.

Yes there are. Thus it is important for vendors to patch/secure such vulnerabilities when they are found or exploited.

There is a long list of firewall vendors that have had to deal with a backdoor they built in or one that is created by malware. Fortinet and Juniper are the latest. Cisco was hit with a malware issue that opened access. A few years ago Barracuda had to deal with a built in backdoor issue. 

These situations will occur, I think it is important to look at how the vendor handles the situation.


yes, you get some interesting responses. I love the one where somebody changed a constant in the source code but they have no idea who did it or when...

 

if there is supposed to be a password for global management 'feature' it should be configurable by the user, not hard coded in firmware. It won't be long before someone observing the 'product' in action will determine which ports need to be knocked upon and the still present password will be in play again.


I don't find Sophos UTM to be all that difficult. For me, the issue with the non-PC devices for me has only revolved around the A/V scanner interfering with Netflix. I set up a bypass rule to deal with it. When I notice a device having problems, I search for it in the DHCP lease table, then click the "Make Static" button, then I go over and add the device to the A/V bypass rule. 

 

Here are the details of how I have the bypass set up. In Web Protection, Filtering Options, go to Misc. Under "Skip Transparent Mode...", add the device you just added to the static IP list as described above.


I don't find Sophos UTM to be all that difficult. For me, the issue with the non-PC devices for me has only revolved around the A/V scanner interfering with Netflix. I set up a bypass rule to deal with it. When I notice a device having problems, I search for it in the DHCP lease table, then click the "Make Static" button, then I go over and add the device to the A/V bypass rule. 

 

Here are the details of how I have the bypass set up. In Web Protection, Filtering Options, go to Misc. Under "Skip Transparent Mode...", add the device you just added to the static IP list as described above.

Correct, and my point is and has always been: why do we have to bypass any protection to allow legit things to work? In UTM 9.X we could fix this ourselves by creating Regex entries for the services we wanted to allow through, so if we could fix it in UTM, so could Sophos, once and for all. We should not have to jump through hoops to get simple stuff like Netflix working. In XG the same Regex fixes don't work, so we are left with completely turning off the HTTP scanning and the 'web filter' for those devices. That is simply not a solution but rather a workaround for now. Sophos needs to get this fixed ASAP.
