Sophos XG Firewall "Home" Edition

frontier204

Well-known member
Joined
Nov 2, 2008
Messages
1,344
Location
ON, Canada
Hello all,

I decided to do a quick (experimented for 4 hours) review on this oddball proprietary router / firewall 'firmware', Sophos XG Firewall Home Edition.

TL;DR: The only thing "Home" about it is the non-commercial license clause - it's really a small/medium business firewall product.

I stumbled upon this software by accident while trying to find out if someone studied how much malware gets stopped by third-party antivirus on a Mac (nope, although Av-Test has numbers for Windows Defender and Google Play Protect). I've used both PFSense and OPNSense on my PC which have awesome amounts of bells and whistles, but I thought the intrusion prevention (Snort / Suricata) UI wasn't very intuitive, throwing tons of false positives.

https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx

Going into this review, I had no idea what to expect, but the marketing material mentions Linux, Intel-compatible, and IPS, so I'll give it a try.

-----------------------------
Download
-----------------------------

After selecting "Get Started" on the web page, you get a registration page that asks for First/Last name and "Business" e-mail.

I placed a valid but not "Business" e-mail into the form, and it allowed me to download a .ISO file without "verifying" the e-mail. Before allowing me to download the .ISO, as is typical, I get the giant EULA. Disclaimer: I'm not a law expert. It appears to be the same as the license for the free Sophos Home anti-malware on the Mac, so here's some of the highlights:

--

Phones home:

collect the following types of information: (i) Products, Product versions, Product features and operating systems being used by Licensee, (ii) processing times taken by the Product, (iii) Licensee's customer identification code and company name, and (iv) IP address and/or ID of the machine which returns the above listed information. ...

(Do you remember the days when people were outraged when they found a product doing this :ph34r: )

No commercial use:

3.4 Restrictions. Licensee is not permitted to: / 3.4.5 use the Products other than in the course of business...

Class action waiver (I won't bother quoting that - as it's huge.)

--

After agreeing to license, I get a 409 MB download of SW-SFOS_17.0.6_MR-6-181.iso.

While looking at the license, an e-mail came in with setup instructions:

3. Connect a computer to the LAN interface (port 1) and access the setup screen at https://172.16.16.16:4444 (Note: it may take a few minutes for the necessary services to start before the setup screen is ready).
4. Follow the steps in the on-screen setup wizard.

-----------------------------
Install on a Virtual Machine
-----------------------------

  • I had to redo the install wizard because I later found it really wanted to have the Internet connection on Ethernet port 2 and LAN on port 1 - (hard-coded, and the opposite of PFSense / OPNSense.)

Since I couldn't find solid articles on whether it has a UEFI loader, I opted for the "Generation 1" virtual machine that uses BIOS. The VM had a single 40GB hard drive configured.

The hypervisor running the VM was a Dell Latitude E7450 with Intel Core i5 5300U, 16GB of RAM (2x8GB), and 256GB mSATA SSD, running Windows 10 Pro at version 1803 build 17134.48. Additionally, the SSD is encrypted with Bitlocker using the "new" encryption method that was released after Windows 10 version 1803.

Here's the settings of the virtual machine: (SULFUR is the name of the machine I'm writing this review from)

  • Again pay special attention to the fact that the internal switch is the first NIC and the external connection is the second NIC. The wizard just fails if you don't have that setup, so you may have to shut off the machine and swap cables around if you get the order wrong.



After about a minute of a blank screen (I was wondering if the installer was broken), I get this prompt to overwrite the entire contents of the one and only virtual hard drive.

After telling it to format the drive, it went into this text only installer, which took about 8 minutes.



I ejected the virtual disk and pressed "Y", but I didn't get a reboot (although I did fill up the console with 'yyyyyyYYYY' trying). I resorted to a hard reset on the virtual machine.

-----------------------------
Install on Physical Machine
-----------------------------

I installed on my desktop with the following:

Core i3 6100
16GB
AsRock H170M-ITX/AC
120 GB SSD
In addition to the 2 network adapters on the motherboard, I have 4 other adapters from an expansion card (an old IBM EXPI9404PTL).

The compatibility support mode was turned on to allow "legacy" boot.

The installation screens looked exactly like the VM. Unlike the virtual machine however, pressing 'y' actually rebooted the machine at the end of the install.

After installation, I had to experiment plugging Ethernet cables into each of the six network adapters to find out what was "port 1" and "port 2". In my case, it turned out to be the farthest and second farthest ports from the motherboard on the add-on EXPI9404PTL card. Other than that, it seems to be running as I'm posting through the firewall right now.

-----------------------------
First configuration Wizard
-----------------------------

It took about 10 minutes for the firewall to start issuing DHCP and giving the computers IP addresses. The command line on the monitor of the computer had a password prompt, but as shown in the wizard, it's useless because you're overwriting the password anyway.

I used the https://172.16.16.16:4444/ link that the e-mailed instructions had. I was presented with an invalid SSL certificate warning "This site is not secure". (Aside: PFSense / OPNSense can be configured with Let's Encrypt to present a good certificate.) After ignoring the warning, I got the configuration page:



Here are the steps afterwards:

  • Create New Admin Account: You enter a password
  • (A checkbox checked by default): Install the latest firmware automatically during setup (recommended).
  • Checkbox to agree to license agreement

(Continue button)

  • If you don't get the NIC2 attached to Internet and NIC1 attached to LAN like the installer expects, you get an "Internet Configuration" screen with error messages. Otherwise,
  • "Firewall Name" to create a host name for the machine
  • A graphical time zone selector (similar to a Linux one)

(Continue button or finish button)

Register your firewall - it has a bunch of options. I used the serial number from the e-mail.

(Continue button)

If you registered with a serial number, you have a sign in prompt for Sophos ID (not the same as a Sophos Antivirus Home or Beta username / password). ...after signing in I was forced to go back to the beginning because the ID brought me away from the router's config page and didn't bring me back properly.

(Continue button)

"Basic Setup is Complete" - (with some useless list of features) and a "Customer experience improvement" checkbox that's UNCHECKED (the less invasive state) by default.

(Continue button)

Network configuration (LAN)

  • You can choose between routing and bridged, device IP address, subnet, and DHCP lease range.
  • I decided to switch the default device IP address here to see if it would come back up properly (..sort of?)

(Continue button)

Network Protection

There's a bunch of checkboxes:

  • "Protect Users from Network Threats"
  • "Protect users from the suspicious and malicious websites" - which mentions "It does not scan the SSL traffic." (Thank you! Having that on by default just messes stuff up for me)
  • "Scan files that were downloaded from the web for malware"
  • "Send suspicious files to Sophos Sandstorm"

(Continue button)

Notifications and Backups: Allows you to configure something to send weekly e-mails of the config file. I "ignored" this one by putting a (what I expect to be) bogus e-mail of a@a.aaa into the fields.

(Finish)



The last step of this install was SLOW - it was 10 minutes just to do the "Applying Configuration Changes". The web UI actually went to the new IP address I entered, but failed to load anyway because I had to ignore the SSL certificate issue again :(

-----------------------------
Basic Checks on Security Defaults
-----------------------------

The bad:

  • HTTPS (the config interface) wide open on the WAN side - see below to close security hole

The good:

  • Doesn't (at least on my hardware) enable WiFi - it looks like it's set up like a small business router where you buy a separate WiFi access point and connect it over Ethernet for this to manage
  • Actually put a decent randomized password on wifi if it was configured - mine was "MWQ2ZmJhODY2OTc1OGFj"

I found it mind-boggling that HTTPS would be open by default on something from a security company. This option was the culprit:



-----------------------------
Dashboard / Boatload of Business Features
-----------------------------

This is the same UI as a small business firewall product, with the emphasis on stuff that offices are supposed to care about, like "not safe for work" web site filtering. There's also a lot of high availability stuff littered around the UI.



Under "Monitor & Analyze", there's a frightening level of detail in "Current Activities" and "Reports".





The Diagnostics panel allows for the following: Ping, Traceroute, Name Lookup, Route Lookup, Generation of Reports from Log Files, Packet Capture, CPU/Memory/Disk/Interface usage

The Firewall panel allows definition of rules to allow, block, reject, and scan traffic for malware. An interesting note is that you can't directly enter port numbers or addresses without giving them some label first. This is typical of firewalls where they expect you to have lots of rules, so you don't have magic numbers floating around everywhere.

The Intrusion Prevention panel provides more customization than any sane home user would bother to understand. Fortunately the rules are grouped into items like "LAN to WAN" which looks for stuff that you wouldn't want going out (i.e. malware phoning the command and control).



The "Web" panel has policies that definitely show the business nature of this product, with stuff like "Not Suitable for the Office", "Not Suitable for Schools" as items that you can turn on.

The "Applications" panel shows a list of definitions for different programs that communicate with the Internet, like specific web mail clients and social media.

As mentioned before, the "Wireless" is made for managing dedicated thin hot-spots rather than the WiFi built into the router device like home routers have. It has definitions of groups of access points or mesh networks, for instance.

The "Email" panel has rules that you can use to apply antivirus to POP and IMAP mail (I don't have anything to test that).

The "Web Server" panel allows you to designate computers on the network as web servers, and apply protection like SQL Injection blocking on them.

"Advanced Threat" and "Synchronized Security" seem to be paid features.

The "VPN" panel has IPSec, SSL VPN, Cisco VPN, L2TP, Clientless, and PPTP. (I've only used IPSec, and won't be trying it since I don't have a static IP to test with.)

The "Network" panel lists the network ports that you have and allows you to designate them as WAN, LAN, DMZ, or WiFi. It also has all the connection stuff like DNS, DHCP, and some IPv6 settings I don't know about...

  • An interesting item buried in this one is Dynamic DNS support with DynDns, ZoneEdit, EasyDNS, DynAccess, and Sophos's own dynamic DNS.
  • I couldn't get IPv6 to work: under PFSense / OPNSense I'd use "track interface" to get IPv6 addresses, but couldn't find that here.

The "Routing" panel has static routing tables plus a bunch of stuff that a home user would only be playing with if they were studying for some network admin exam (and even then, I don't want to know how you set up your rig to do that). Example: BGP, OSPF

The "Authentication" panel has all the access controls plus Captive Portal for guest WiFi.

The "System Services" panel has high availability, traffic shaping / quality of service, malware protection, logs, and a summary of the stuff that's running on the machine.

The bottom options of the sidebar are for backup of configuration and updating the firmware.

-----------------------------
General Impressions and Conclusion
-----------------------------

This is definitely a business firewall OS with some features taken off. There was no effort to make this a home edition: the help links point to the business site, the firmware is exactly the business one, and the interface looks more like the firewall at work than even PFSense does. The only way you're running this as a "home" environment is if you have a home lab (and you put this as a VM or as another PC near your VMWare ESXi or XenServer box).

To the people who are privacy conscious, or believe that they get more "privacy" on the Internet than is actually there, I think the report pages of this can be an eye opener. The default settings on this firewall do not rip open encrypted communication and only work with DNS and IP addresses, but it can still give a detailed picture of what stuff people are visiting when connected to the network. Any Internet service provider or device maker would also have the same data in their logs. (By the way, if you want to give yourself less of an illusion of privacy, that's when you use VPN if it's still allowed in your country.)

The general usability of this product is very poor. The UI is laid out more by engineering component (how it was developed) rather than by use case (what you want to do regardless of how the developer programmed it), so expect to visit several tabs to enable any feature. Would I rather have command line than this UI? Maybe, depends if the command line interface is designed well... the dumb HTTPS firewall rule would have been easier to see that way.

As for the feature I was curious about, intrusion prevention, I think the categories are presented a little better than PFSense / OPNSense, but not by much. I'll keep this running and see if the logs are any useful at all.

It's a curious product, and at this point I'd only recommend it for someone who for some reason needs to learn about this type of tool. That said, assuming you've disarmed the HTTPS being wide open, I won't tell you to uninstall and run away either.

I can't outright recommend this because for each use case, I can think of a better product.

  • The open-source home router custom firmwares are more easily customized than this for home use
  • If you have a spare x86 PC you want to turn into a router at home, you can use PFSense / OPNSense which has better documentation
  • The security features are still too abstract, so if you're security paranoid you're better off just assuming your network is always pwned and following the hardening guide on every computer product you own (and destroy the storage + chuck the rest of the product if you find it can't be hardened).
  • If you want to protect a web server, get a good provider and use their DDoS protection
  • You can't use it for business due to the license, so businesses that don't specifically have a Sophos appliance must use whatever the appliance came with or PFSense / OPNSense

Thanks for reading!
 

frontier204

Well-known member
Joined
Nov 2, 2008
Messages
1,344
Location
ON, Canada
As a mini follow-up, I'm going to uninstall this firewall software because the feature set is so unlike what I want from the device that I'd be fighting the configs to get it to work as I want.

I found out the default policies blocked a whole lot of stuff: I assume the rules were made for IT departments that micromanage / rule with an iron fist (I'll refrain from putting other jokes in here). EDIT: Maybe the defaults could make sense for coffee shop guest wifi? For the offices where you want to lock down everything except the stuff you need for your job, you'd be better off writing a rule to only allow the stuff you use and block everything else.

  • SSH and password manager apps (some reviewed by third party studies) are listed as High risk level 4 / 5
  • Some cloud automated backup apps are also listed as high risk 4/5
  • If you enable "suspicious" web site blocking you also block all ads (not that I like ads, but that should be a different category + you trigger a lot of sites' "you have ad blocking enabled" messages). The suspicious category is "Advertisements, Criminal Activity, Intellectual Piracy, Newly Registered Websites, Phishing & Fraud, Spam URLs, Spyware & Malware"

(In case you don't know, SSH is the most common way to log in to a Linux box that you've just created. That said it also has file transfer and tunnel features which may be why it got the 'high risk'.)

I'd probably keep it if I could reliably set rules to block the random VPN client that less than 1% of VPN users actually use but allow the clients that I do use (and SSH!) through, but essentially they cast wide blankets over a lot of stuff. That means when the rules update (since you can't change the categorizations of apps), I'll probably be stuck with false positives breaking more stuff than having intrusion prevention mode turned on in PFSense / OPNSense.

...and don't forget that for all these blanket firewall rules, it came by default with https:// open to the world :haha:

Additionally, the reason I couldn't get IPv6 working is because they don't bother to support the feature set I need:

https://ideas.sophos.com/forums/330...tions/11546439-add-options-for-ipv6-dhcpv6-pd

My goal was to have less weird stuff than OPNSense / PFSense, and this product doesn't deliver for me.

---
 

JD

Moderator
Staff member
Joined
Jul 16, 2007
Messages
11,630
Location
Toronto, ON
How about you compare it to Untangle next then?

I'll agree though, the one time I tried Sophos on a VM, I basically deleted it an hour later. Far from being user friendly, looks like you'd need a Sophos Engineer to set it up for you and never touch it after that.
 

frontier204

Well-known member
Joined
Nov 2, 2008
Messages
1,344
Location
ON, Canada
I heard about Untangle, but never used it. I've dropped back to basic functionality using a Google Wifi device as a router + switches coming off the LAN port. Maybe when I get some progress on my other research (currently playing with the 'serverless' stuff that cloud providers are introducing) I'll try it out.
 

Entz

Well-known member
Joined
Jul 17, 2011
Messages
1,878
Location
Kelowna
I'll agree though, the one time I tried Sophos on a VM, I basically deleted it an hour later. Far from being user friendly, looks like you'd need a Sophos Engineer to set it up for you and never touch it after that.
Same, I love the idea of it but the block everything first policy -- while amazing from a security point of view -- is a bit too much high maintenance for me. pfSense (or RouterOS) may not be pretty but it works.
 

odis172

Well-known member
Joined
Oct 16, 2008
Messages
672
Location
Ottawa, ON
I've used the Sophos SG and XG series appliances. The SG appliance firmware is called "UTM" and the XG firmware is completely different. When the XG series came out there was a huge backlash from the community about how it had gone so much in the direction of user friendly gui, and was too dumbed down. Since then they have been making changes to make it more technical people friendly. It's still not where it needs to be in my opinion.
 