frontier204
Hello all,
I decided to do a quick (experimented for 4 hours) review on this oddball proprietary router / firewall 'firmware', Sophos XG Firewall Home Edition.
TL;DR: The only thing "Home" about it is the non-commercial license clause - it's really a small/medium business firewall product.
I stumbled upon this software by accident while trying to find out if someone studied how much malware gets stopped by third-party antivirus on a Mac (nope, although Av-Test has numbers for Windows Defender and Google Play Protect). I've used both PFSense and OPNSense on my PC which have awesome amounts of bells and whistles, but I thought the intrusion prevention (Snort / Suricata) UI wasn't very intuitive, throwing tons of false positives.
https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx
Going into this review, I had no idea what to expect, but the marketing material mentions Linux, Intel-compatible, and IPS, so I'll give it a try.
-----------------------------
Download
-----------------------------
After selecting "Get Started" on the web page, you get a registration page that asks for First/Last name and "Business" e-mail.
I placed a valid but not "Business" e-mail into the form, and it allowed me to download a .ISO file without "verifying" the e-mail. Before allowing me to download the .ISO, as is typical, I get the giant EULA. Disclaimer: I'm not a law expert. It appears to be the same as the license for the free Sophos Home anti-malware on the Mac, so here's some of the highlights:
--
Phones home:
collect the following types of information: (i) Products, Product versions, Product features and operating systems being used by Licensee, (ii) processing times taken by the Product, (iii) Licensee's customer identification code and company name, and (iv) IP address and/or ID of the machine which returns the above listed information. ...
(Do you remember the days when people were outraged when they found a product doing this?)
No commercial use:
3.4 Restrictions. Licensee is not permitted to: / 3.4.5 use the Products other than in the course of business...
Class action waiver (I won't bother quoting that - as it's huge.)
--
After agreeing to license, I get a 409 MB download of SW-SFOS_17.0.6_MR-6-181.iso.
While looking at the license, an e-mail came in with setup instructions:
3. Connect a computer to the LAN interface (port 1) and access the setup screen at https://172.16.16.16:4444 (Note: it may take a few minutes for the necessary services to start before the setup screen is ready).
4. Follow the steps in the on-screen setup wizard.
-----------------------------
Install on a Virtual Machine
-----------------------------
- I had to redo the install wizard because I later found it really wanted to have the Internet connection on Ethernet port 2 and LAN on port 1 - (hard-coded, and the opposite of PFSense / OPNSense.)
Since I couldn't find solid articles on whether it has a UEFI loader, I opted for the "Generation 1" virtual machine that uses BIOS. The VM had a single 40GB hard drive configured.
The hypervisor running the VM was a Dell Latitude E7450 with Intel Core i5 5300U, 16GB of RAM (2x8GB), and 256GB mSATA SSD, running Windows 10 Pro at version 1803 build 17134.48. Additionally, the SSD is encrypted with Bitlocker using the "new" encryption method that was released after Windows 10 version 1803.
Here's the settings of the virtual machine: (SULFUR is the name of the machine I'm writing this review from)
- Again pay special attention to the fact that the internal switch is the first NIC and the external connection is the second NIC. The wizard just fails if you don't have that setup, so you may have to shut off the machine and swap cables around if you get the order wrong.

After about a minute of a blank screen (I was wondering if the installer was broken), I get this prompt to overwrite the entire contents of the one and only virtual hard drive.
After telling it to format the drive, it went into this text only installer, which took about 8 minutes.

I ejected the virtual disk and pressed "Y", but I didn't get a reboot (although I did fill up the console with 'yyyyyyYYYY' trying). I resorted to a hard reset on the virtual machine.
-----------------------------
Install on Physical Machine
-----------------------------
I installed on my desktop with the following:
Core i3 6100
16GB
AsRock H170M-ITX/AC
120 GB SSD
In addition to the 2 network adapters on the motherboard, I have 4 other adapters from an expansion card (an old IBM EXPI9404PTL).
The compatibility support mode was turned on to allow "legacy" boot.
The installation screens looked exactly like the VM. Unlike the virtual machine however, pressing 'y' actually rebooted the machine at the end of the install.
After installation, I had to experiment plugging Ethernet cables into each of the six network adapters to find out what was "port 1" and "port 2". In my case, it turned out to be the farthest and second farthest ports from the motherboard on the add-on EXPI9404PTL card. Other than that, it seems to be running as I'm posting through the firewall right now.
-----------------------------
First configuration Wizard
-----------------------------
It took about 10 minutes for the firewall to start issuing DHCP and giving the computers IP addresses. The command line on the monitor of the computer had a password prompt, but as shown in the wizard, it's useless because you're overwriting the password anyway.
I used the https://172.16.16.16:4444/ link that the e-mailed instructions had. I was presented with an invalid SSL certificate warning "This site is not secure". (Aside: PFSense / OPNSense can be configured with Let's Encrypt to present a good certificate.) After ignoring the warning, I got the configuration page:

Here are the steps afterwards:
- Create New Admin Account: You enter a password
- (A checkbox checked by default): Install the latest firmware automatically during setup (recommended).
- Checkbox to agree to license agreement
(Continue button)
- If you don't get the NIC2 attached to Internet and NIC1 attached to LAN like the installer expects, you get an "Internet Configuration" screen with error messages. Otherwise,
- "Firewall Name" to create a host name for the machine
- A graphical time zone selector (similar to a Linux one)
(Continue button or finish button)
Register your firewall - it has a bunch of options. I used the serial number from the e-mail.
(Continue button)
If you registered with a serial number, you have a sign in prompt for Sophos ID (not the same as a Sophos Antivirus Home or Beta username / password). ...after signing in I was forced to go back to the beginning because the ID brought me away from the router's config page and didn't bring me back properly.
(Continue button)
"Basic Setup is Complete" - (with some useless list of features) and a "Customer experience improvement" checkbox that's UNCHECKED (the less invasive state) by default.
(Continue button)
Network configuration (LAN)
- You can choose between routing and bridged, device IP address, subnet, and DHCP lease range.
- I decided to switch the default device IP address here to see if it would come back up properly (..sort of?)
(Continue button)
Network Protection
There's a bunch of checkboxes:
- "Protect Users from Network Threats"
- "Protect users from the suspicious and malicious websites" - which mentions "It does not scan the SSL traffic." (Thank you! Having that on by default just messes stuff up for me)
- "Scan files that were downloaded from the web for malware"
- "Send suspicious files to Sophos Sandstorm"
(Continue button)
Notifications and Backups: Allows you to configure something to send weekly e-mails of the config file. I "ignored" this one by putting a (what I expect to be) bogus e-mail of a@a.aaa into the fields.
(Finish)

The last step of this install was SLOW - it was 10 minutes just to do the "Applying Configuration Changes". The web UI actually went to the new IP address I entered, but failed to load anyway because I had to ignore the SSL certificate issue again.
-----------------------------
Basic Checks on Security Defaults
-----------------------------
The bad:
- HTTPS (the config interface) wide open on the WAN side - see below to close security hole
The good:
- Doesn't (at least on my hardware) enable WiFi - it looks like it's set up like a small business router where you buy a separate WiFi access point and connect it over Ethernet for this to manage
- Actually put a decent randomized password on wifi if it was configured - mine was "MWQ2ZmJhODY2OTc1OGFj"
I found it mind-boggling that HTTPS would be open by default on something from a security company. This option was the culprit
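As an added defender's check (example code written for this review, not Sophos's and not from the post): run it from a host on the outside of the firewall against the firewall's WAN address to confirm the admin UI on TCP 4444 is no longer reachable from that side, and, if it still is, whether it is fronted by the untrusted self-signed certificate the wizard showed. Host and port are arguments you supply; nothing here is specific to Sophos beyond the default port.

```python
"""Check whether a firewall's HTTPS admin UI is reachable from where this
script runs, and whether its certificate chains to a trusted CA.
Example code for this review, not part of Sophos XG; the default port 4444
comes from the setup e-mail quoted above."""
import socket
import ssl
import sys


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Plain TCP connect: 'open', 'closed' (connection refused) or
    'filtered' (no answer before the timeout, i.e. dropped by a rule)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def tls_trust_status(host: str, port: int, timeout: float = 3.0) -> str:
    """TLS handshake against the system trust store.
    'trusted'   - chain verifies and the name matches
    'untrusted' - verification failed (e.g. the default self-signed cert)
    'no-tls'    - port accepted the connection but no TLS handshake completed"""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except (ssl.SSLError, OSError):
        return "no-tls"


def assess(host: str, port: int = 4444, timeout: float = 3.0) -> dict:
    """Combine both probes into a verdict an admin can act on.
    Run from the WAN side, 'EXPOSED' means the management rule is still open."""
    reach = probe_tcp(host, port, timeout)
    trust = tls_trust_status(host, port, timeout) if reach == "open" else "n/a"
    if reach != "open":
        verdict = "admin UI not reachable from this side (expected from WAN)"
    elif trust == "untrusted":
        verdict = "EXPOSED: admin UI reachable, untrusted/self-signed certificate"
    else:
        verdict = "EXPOSED: admin UI reachable from this side"
    return {"host": host, "port": port, "tcp": reach, "tls": trust, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python check_admin_ui.py <firewall-wan-address> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "172.16.16.16"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 4444
    for key, value in assess(target, target_port).items():
        print(f"{key}: {value}")
```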

-----------------------------
Dashboard / Boatload of Business Features
-----------------------------
This is the same UI as a small business firewall product, with the emphasis on stuff that offices are supposed to care about, like "not safe for work" web site filtering. There's also a lot of high availability stuff littered around the UI.

Under "Monitor & Analyze", there's a frightening level of detail in "Current Activities" and "Reports".


The Diagnostics panel allows for the following: Ping, Traceroute, Name Lookup, Route Lookup, Generation of Reports from Log Files, Packet Capture, CPU/Memory/Disk/Interface usage
The Firewall panel allows definition of rules to allow, block, reject, and scan traffic for malware. An interesting note is that you can't directly enter port numbers or addresses without giving them some label first. This is typical of firewalls where they expect you to have lots of rules, so you don't have magic numbers floating around everywhere.
The Intrusion Prevention panel provides more customization than any sane home user would bother to understand. Fortunately the rules are grouped into items like "LAN to WAN", which looks for stuff that you wouldn't want going out (e.g. malware phoning home to its command and control).

The "Web" panel has policies that definitely show the business nature of this product, with stuff like "Not Suitable for the Office", "Not Suitable for Schools" as items that you can turn on.
The "Applications" panel shows a list of definitions for different programs that communicate with the Internet, like specific web mail clients and social media.
As mentioned before, the "Wireless" is made for managing dedicated thin hot-spots rather than the WiFi built into the router device like home routers have. It has definitions of groups of access points or mesh networks, for instance.
The "Email" panel has rules that you can use to apply antivirus to POP and IMAP mail (I don't have anything to test that).
The "Web Server" panel allows you to designate computers on the network as web servers, and apply protection like SQL Injection blocking on them.
"Advanced Threat" and "Synchronized Security" seem to be paid features.
The "VPN" panel has IPSec, SSL VPN, Cisco VPN, L2TP, Clientless, and PPTP. (I've only used IPSec, and won't be trying it since I don't have a static IP to test with.)
The "Network" panel lists the network ports that you have and allows you to designate them as WAN, LAN, DMZ, or WiFi. It also has all the connection stuff like DNS, DHCP, and some IPv6 settings I don't know about...
* An interesting item buried in this one is Dynamic DNS support with DynDns, ZoneEdit, EasyDNS, DynAccess, and Sophos's own dynamic DNS.
* I couldn't get IPv6 to work: under PFSense / OPNSense I'd use "track interface" to get IPv6 addresses, but couldn't find that here.
The "Routing" panel has static routing tables plus a bunch of stuff that a home user would only be playing with if they were studying for some network admin exam (and even then, I don't want to know how you set up your rig to do that). Examples: BGP, OSPF.
The "Authentication" panel has all the access controls plus Captive Portal for guest WiFi.
The "System Services" panel has high availability, traffic shaping / quality of service, malware protection, logs, and a summary of the stuff that's running on the machine.
The bottom options of the sidebar are for backup of configuration and updating the firmware.
-----------------------------
General Impressions and Conclusion
-----------------------------
This is definitely a business firewall OS with some features taken off. There was no effort to make this a home edition: The help links point to the business site, the firmware is exactly the business one, and the interface looks more like the firewall at work than even PFSense does. The only way you're running this as a "home" environment is if you have a home lab (and you put this as a VM or as another PC near your VMWare ESXi or XenServer box).
To the people who are privacy conscious, or believe that they get more "privacy" on the Internet than is actually there, I think the report pages of this can be an eye opener. The default settings on this firewall do not rip open encrypted communication and only work with DNS and IP addresses, but it can still give a detailed picture of what stuff people are visiting when connected to the network. Any Internet service provider or device maker would also have the same data in their logs. (By the way, if you want to give yourself less of an illusion of privacy, that's when you use VPN if it's still allowed in your country.)
The general usability of this product is very poor. The UI is laid out more by engineering component (how it was developed) rather than by use case (what you want to do regardless of how the developer programmed it), so expect to visit several tabs to enable any feature. Would I rather have command line than this UI? Maybe, depends if the command line interface is designed well... the dumb HTTPS firewall rule would have been easier to see that way.
As for the feature I was curious about, intrusion prevention, I think the categories are presented a little better than PFSense / OPNSense, but not by much. I'll keep this running and see if the logs are of any use at all.
It's a curious product, and at this point I'd only recommend it for someone who for some reason needs to learn about this type of tool. That said, assuming you've disarmed the HTTPS being wide open, I won't tell you to uninstall and run away either.
I can't outright recommend this because for each use case, I can think of a better product.
- The open-source home router custom firmwares are more easily customized than this for home use
- If you have a spare x86 PC you want to turn into a router at home, you can use PFSense / OPNSense, which have better documentation
- The security features are still too abstract, so if you're security paranoid you're better off just assuming your network is always pwned and following the hardening guide on every computer product you own (and destroy the storage + chuck the rest of the product if you find it can't be hardened).
- If you want to protect a web server, get a good provider and use their DDoS protection
- You can't use it for business due to the license, so businesses that don't specifically have a Sophos appliance must use whatever the appliance came with or PFSense / OPNSense
Thanks for reading!