
Planning to use Sophos XG at home (LAN, DMZ, WAN)

Hello everyone,

I'm planning to deploy a Sophos XG (Home Edition) on my infrastructure at home. As I plan to get some new hardware for that, I would like to double-check my plan, hopefully with your help and advice.

 Here’s a brief overview of my current network situation:

  • Switch: HP 1810-24g (not the current version, but one from around 2008)
  • NAS: Synology DS-1511+
  • Clients:
    • 3-4 Windows clients
    • typical home clients such as streaming clients, game consoles, TV, printer, etc.
    • VMware ESXi (mostly a sandbox; 4 NICs)
      • a few internally used VMs for Active Directory, DNS, etc.
      • 2 Linux servers for external access
  • Router: Asus RT-AC68U
  • Connection: 400/20 Mbit with 5 static public IP addresses

 

The plan is to replace the Asus router with a Sophos XG plus an additional WiFi access point and divide the whole network into 3 segments: LAN, DMZ & WAN (the classical layout).

The DMZ would contain the 2 servers for external access, and the LAN segment everything else. (I also had the thought of using 2 further segments: WiFi & management network. But I'll care about that later ... think big, start small.)

 

So first question: Hardware for the Sophos XG

I found an interesting product on Amazon: Firewall Barebone
Specs: Core i3-7100U or Celeron 3865U, 8GB RAM (yes, only 6 are addressable with the Home Edition), H67 chipset, 6x Intel 82583V, 128GB SSD

Does the Celeron do the job for the 400/20 WAN connection (firewall, IDS, web filtering) plus some low-bandwidth connections between LAN and DMZ, or should I rather stick with the i3 version?

 

Second question: Network-implementation

The idea is to separate the segments via VLAN tagging. So the switch ports of the ESXi (which runs the DMZ hosts) as well as of the Sophos XG will get a dedicated VLAN tag for the DMZ traffic. Within ESXi I can define a NIC that tags the hosts' traffic. The ports on the switch which are used by ESXi and Sophos will be assigned to the corresponding VLAN in addition to "no VLAN".

Is this approach sound?
Are there any points to consider from a security point of view?

 

Third Question: WiFi Access Point

I love the idea of being able to manage my WiFi from within the Sophos XG. Unfortunately the Sophos devices supporting the 802.11ac standard are quite pricey (300€+). I would be fine spending ~130€ on an AP 15, but ... no 802.11ac.

Which other WiFi products can you suggest? I heard Ubiquiti products are very good?
Is Sophos planning to release an 802.11ac-capable AP 15?

 

Thanks for reading the long post and for your advice.

Regards
Chris



  • Hi,

    please check the hardware specifications of the XG hardware to find what CPU matches your internet connection speed and throughput requirements.

    VM security for home use is not considered a great issue, but I find it odd to add another network stack exposed to the internet. I did this with a UTM for a while and apparently didn't have any issues that I am aware of. For a business I would not like the added level of risk.

    APs. If you want to manage your APs from the XG then they have to be Sophos, otherwise any AP will do. There are some very high-performance ones which should be able to carry your small home network without performance degradation.

    Ian

  • Hey Ian,

    thanks a lot for your input.

    please check the hardware specifications of the XG hardware to find what CPU matches your internet connection speed and throughput requirements.

    I did have a look at the sizing guide. Unfortunately the guide refers to Sophos hardware appliances, not CPUs, FLOPS, etc., and I couldn't find any table showing the appliances' hardware specs.

    VM security for home use is not considered a great issue, but I find it odd to add another network stack exposed to the internet. I did this with a UTM for a while and apparently didn't have any issues that I am aware of. For a business I would not like the added level of risk.

    What other options does one have when running his servers from home?
    For sure it's not the absolute security optimum, but I also don't see huge issues here. Separate subnets for DMZ (with static public IPs) and LAN (private IPs, NAT), and all traffic between LAN, WAN and DMZ goes through the XG. Out of curiosity: what network infrastructure is state of the art for companies?
    I could also divide the switch's ports and use separate NICs (on ESXi and Sophos XG) so the networks are physically separated. From a security point of view: is this the better option?

    APs. If you want to manage your APs from the XG then they have to be Sophos, otherwise any AP will do. There are some very high-performance ones which should be able to carry your small home network without performance degradation.

    I'm aware of the fact that Sophos XG is only capable of managing Sophos access points. I hoped someone from Sophos' team could tell me if any changes regarding ac support on the smaller Sophos access point are in the delivery pipeline.

    Best regards
     Chris

  • Hi Chris,

    somewhere on the Sophos site there is a listing of hardware for each SG/XG device. Most of us home users have overkilled the hardware compared to the Sophos hardware.

    The smaller units usually run something like a 1.7GHz Atom or Celeron; it is only when you get to larger numbers of users, 100 or more with fibre interfaces, that you start to see the i-series CPUs appear.

    For a number of years I had a VM using an E3-1275, 24GB, 8 NICs and lots of disks with a UTM, SUM and a small Server 2012 Essentials. Moved back to hardware for the XG and the Server 2012. Now I use about 40 watts instead of 90W. The server runs on ESXi 6.5 on a NUC.

    For the APs you will need at least an AP55. As I advised above, there are high-performance APs on the market that for home use run rings around the Sophos product for throughput etc. and have beamforming technology.

     

    Ian

  • Hi,

    thanks a lot for your input.

    My Core i3 just arrived yesterday and installation of Sophos XG via USB went fine.

    Playing around and testing configurations now before putting it in my productive environment.

    Regards

     Chris
