
Where is V18 at?

Hi,

this request for an update on progress is for those of us that do not have access to partners/resellers.

Would someone in the know who is allowed to provide progress on v18 please add to this thread.

I am not after guesses or conjecture, but real timelines (give or take a month).

Ian

  • Hi,

    exactly this is my experience with Sophos (XG and Support), they should stop toasting their name and reputation.
    Sophos is not able to get a stable release of XG 17.5 MR or comply with their service level agreements!

    I had most of the MRs and no release was stable, I still have the same bug since MR4 and Sophos is not able to get this done.
    The only statement was, that the XG is not designed to use more than one ISP Line.

    I need to get a stable product. 

    Jürgen

  • Hi, you did not share your issue in the community? Maybe there is an alternative for your issue, and somebody can help you here. Could not find a post with the details about your issue (WAN and Wireless). 

  • Hi,

    I find your answer rather odd and a bit short of information and slightly off thread.

    I had until the Australian NBN was installed two different ADSL2+ services from different ISPs working quite happily. One even had IPv6 running.

    Ian

  • Just to bring this back on topic, from what I have read from a partner side hopefully we shall have some more information and testing can start for v18 this month.

  • Big_Buck said:

    A UTM, by definition, is a jack of all trades.

    That is certainly not the definition of UTM. UTM stands for Unified Threat Management. DNS and DHCP have nothing to do with threat management.

    I agree that those services need to be secured, but it doesn't make them secure just because you are running them off of a firewall. 

    I understand that this is still a viable option for small businesses (and sometimes the only option), but that does not mean, that:

    DNS and DHCP shall run on a firewall for security reasons. 

    They should not, if it can be avoided. The more services you concentrate on your firewall, the less secure these services become. Once that one system is compromised, all services are compromised. Once that one system has a catastrophic failure (device dies, no HA), all your services fail. That's one (of several) reasons why no business that's serious about their security should ever do that. 

    What else do you want to run on your firewall for security reasons? Would you agree that your NAS, your phone system, your Wiki, your website, your project management system and so forth all need to be secured? Would you put them on a firewall?

    Not everybody who uses firewalls uses them in small businesses. Just keep that in mind. 

  • Putting NAS, phone systems etc onto a firewall is not really the same as putting networking components onto a networking device.


    Regarding DNS for satellite offices there is nothing wrong with putting forwarders on the UTM, with client devices using the IP address of the UTM as a DNS server - you would ideally have the firewall configured with rules that only allow DNS communication from the device to these forwarders.


    For the UTM, it is considered best practices to use the DNS functionality when dealing with external DNS servers, as in the UTM becomes the DNS server for internal devices - this provides an extra layer of security, and certainly with the SG firewalls by enforcing DNSSEC - and you will find that most firewall / security appliances support DNS on them for this very particular reason.


    For DHCP - you're damned if you do and you're damned if you don't - it's not a security risk by having a perimeter firewall perform this or not - and a lot of edge firewalls have DHCP in them for satellite offices - mainly offering DHCP relay, but some also have the ability to work as a DHCP server.


    Your firewall is the first line of defence, if this is breached then most of the time the hackers will be in the network anyway, so I really don't see how DNS and DHCP would be a worry at that point.


    The XG, as many other devices have these functionalities included as for the what if situations, as in what if a customer needs them...sometimes they do, sometimes they don't - there's no correct answer here if DNS & DHCP should be on the firewall or not - small business can enable them, larger businesses can disable them - no right answer.


    Read Sophos's recommendations: community.sophos.com/.../120283

  • BLS said:


    Regarding DNS for satellite offices there is nothing wrong with putting forwarders on the UTM, with client devices using the IP address of the UTM as a DNS server - you would ideally have the firewall configured with rules that only allow DNS communication from the device to these forwarders.

    I agree on using a firewall as a forwarder, but I do not agree on running a full-blown DNS server on a firewall. 

    For the UTM, it is considered best practices to use the DNS functionality when dealing with external DNS servers, as in the UTM becomes the DNS server for internal devices - this provides an extra layer of security, and certainly with the SG firewalls by enforcing DNSSEC - and you will find that most firewall / security appliances support DNS on them for this very particular reason.

    Again, agreed. See above. The assumption on my end was that people were talking about having a DNS server on the firewall that is managing DNS zones as authoritative entity. 

    For DHCP - you're damned if you do and you're damned if you don't - it's not a security risk by having a perimeter firewall perform this or not - and a lot of edge firewalls have DHCP in them for satellite offices - mainly offering DHCP relay, but some also have the ability to work as a DHCP server.

    It very much is a security risk as outlined in my previous post. I do (again) agree that a DHCP forwarder is fine, but a full blown DHCP server has no place on a firewall (except in small business scenarios where you simply have no other option). DHCP servers belong on routers, dedicated servers, AD controllers and the like. Features that have nothing to do with security should not be put on a security device. 

    Your firewall is the first line of defence, if this is breached then most of the time the hackers will be in the network anyway, so I really don't see how DNS and DHCP would be a worry at that point.

    You guys all just think about your small networks. Larger networks have multiple layers of firewalls, and not just in the perimeter, but also internally. The loss of one firewall would be dramatic, but it wouldn't mean hackers infiltrated the entire network. Also, it's not just about breaches. Security is also about availability. If you have just one firewall that hosts some of your more important services then you have a real problem when the firewall goes down. If you separate services, then in this particular scenario your internet is gone but you can at least still work. Those are all things that can't be denied and should be considered. Even in small businesses. 


    The XG, as many other devices have these functionalities included as for the what if situations, as in what if a customer needs them...sometimes they do, sometimes they don't - there's no correct answer here if DNS & DHCP should be on the firewall or not - small business can enable them, larger businesses can disable them - no right answer.

    It was a hypothetical discussion and I think I mentioned numerous times that I realize that having DNS and DHCP on the firewall is a viable option for many, and the only option for some. 

    The point I am trying to make is that not everything is a small business and you can't apply general assumptions to everything. I think some of you would be really surprised if you worked for a large enterprise once. No one in their right mind would ever put DNS and DHCP on their firewalls in those kinds of networks. 

  • cryptochrome said:


    The point I am trying to make is that not everything is a small business and you can't apply general assumptions to everything. I think some of you would be really surprised if you worked for a large enterprise once. No one in their right mind would ever put DNS and DHCP on their firewalls in those kinds of networks. 


    That's quite often because you can't - most large enterprises use active directory, which requires a hefty integration with DHCP and DNS.


    If you read the comments of why people are wanting DNS and DHCP, these aren't for large enterprises, but for SMEs - and to be honest there is no reason why a perimeter device for an SME cannot be a firewall, DNS and DHCP server.


    The point here is that the device is capable should it be required, but can be disabled if not - so it suits both large enterprises and SMEs.

  • BLS said:


    That's quite often because you can't - most large enterprises use active directory, which requires a hefty integration with DHCP and DNS.

    That is most often not the reason. Look, I don't want to sound like a smart ass, but as a freelancer I've been working for quite a lot of large scale enterprises and carriers for the better part of the past 20 years. More than I can count. And it is just common sense there to not "misuse" firewalls for anything other than firewalling (in broader terms). Because they can't is one of the reasons, but certainly not the most common one. The most common reason is actually that they have the resources to be able to design their networks and services properly. Single points of failure are usually avoided at all cost.

    Even if they are heavy Microsoft shops they tend to use dedicated IP services tools (IPAM) for DNS and DHCP, stuff like Infoblox, Cisco Prime, Bluecat, QIP or even BIND (yikes). 


    The point here is that the device is capable should it be required, but can be disabled if not - so it suits both large enterprises and SMEs.

     
    I never said that Sophos firewalls aren't suitable for large enterprises. That was entirely not the point. 
  • I have switched off SSL inspection, because I have too many mobile and IoT devices to update with a trusted CA to make this work. HTTP is hardly used any more, so HTTP-only scanning is not useful.

    So I would like a solution for this in an upcoming Sophos release.

    As a workaround I have started to use Bitdefender on Windows boxes and have that do the SSL scanning. It inserts a trusted certificate and avoids the issues I had on Windows boxes with SSL scanning with Sophos.