Sophos Firewall: v18.5 MR1: Feedback and experiences

Any chance AES-NI support for SW installs made it into this update? Believe its Jira ID NC-59127.

Their answer has v18.5 or v19, If AES-NI isn't present until v18.5 GA, then we will have to wait for v19.

LuCar Toni,

Is there any news on NC-59127 for v19?, the original thread I've made about It back then got locked because of old age.

Thanks!

The support of Intel based chips within Sophos SFOS is still on the backlog. We are still looking into this and the impact of implementing this. But i am assuming V19.0 is not the target release for this yet. More answers if ready to publish by Product management. 

Wow. That’s disappointing to say the least.

It is not that easy to integrate a Hardware support for AES-NI. And currently the same team is working on improvements for XGS hardware and the integration of more technology to the Sophos own chip. 

Guess my use case is somewhat unique yet I’m sure also common. I have a home license but using Sophos hardware. To use the home license I have to install the software version and because of that I miss out on AES-NI. 

Hi,

why do some Sophos firewalls (using intel CPUs) have AES-NI and others don't, it really should be a switch in the compiler, the integration has been tested over many releases?

Ian

Is there any reason at all on why the Devs prefer to only patch for vulnerabilities instead of update the underlying open source software such as SSLVPN (OpenVPN), or WAF (Apache)?

The Firewall could have AES-GCM and TLS 1.3 support for SSLVPN if OpenVPN has been updated.

Or even HTTP/2 and TLS 1.3 support for WAF.

Is there any reason at all on why the Devs prefer to only patch for vulnerabilities instead of update the underlying open source software such as SSLVPN (OpenVPN), or WAF (Apache)?

The Firewall could have AES-GCM and TLS 1.3 support for SSLVPN if OpenVPN has been updated.

Or even HTTP/2 and TLS 1.3 support for WAF.

There is a difference. You cannot simply update a openVPN tool and "hope" it will works. And you need openssl to update first. Which is a much more difficult. OpenSSL is a module used in all modules. As you can see, there are multiple dependencies. This is the reason, openssl 1.0.2 still exists in a LTS. Vendors have difficulties to open such a module. But Sophos is commited to tackle this for the future. 

Thanks a lot for the answer!

Hopefully some of those packages get updated in the future.

Will there be a v19 EAP in the future?

Yes - ETA is to be announced. You will see the EAP as usual in the community, once it is ready. 

Will it still be announced this year or 2022?

I cannot comment on that, as i am not a product manager.