Hi,
I am currently looking at Sophos UTM + REDs, as well as another vendor's firewalls, for putting in place a new central/HQ firewall and two retail stores. Having known about Sophos UTM and REDs for quite a while, this was a great opportunity to investigate it further. I was actually really excited about the possibility to have the Sophos option put into production, but after some investigation I am now more worried than excited, that it might be the wrong choice from a security perspective.
One thing I did was to take four of the latest "big" vulnerabilities on the Interwebz, and look up how each vendor responded to these vulnerabilities:
First up, GHOST, published 2015-01-27:
Sophos:
- 2015-01-29 Released blog post with reference to KB 121879.
- 2015-02-02 Released patch for 9.3.
- 2015-02-09 Released patch for 9.2.
Other vendor:
- Not vulnerable.
Second, Heartbleed, published 2014-04-07:
Sophos:
- 2014-04-09 Released patch for 9.1.
- 2014-04-?? Released patch for 9.2 (I have not been able to confirm the date of this).
Other vendor:
- Not vulnerable.
Third, Shellshock, published 2014-09-24:
Sophos:
- Not vulnerable.
Other vendor:
- Not vulnerable.
Fourth, POODLE, published 2014-10-14:
NOTE: This vulnerability was due to the actual *specification* of the SSL protocol, and hence not a bug in any vendor's implementation of it (as long as they were merely following the specification).
Sophos:
- 2014-10-16 Released blog post with workaround instructions.
- 2014-11-23 Released patch for 9.2.
Other vendor:
- 2014-10-21 Released PDF with information about the nature of the vulnerability.
- 2014-11-23 Released patch for all current firmware versions.
The attentive reader will notice that it took Sophos *one week* (minus one day) to get a patch for 9.1 out for the GHOST vulnerability, and *two weeks* (minus one day) for 9.2. This should be put into perspective with the fact that about *six hours* after I learnt about this vulnerability, I had patched my RHEL/CentOS servers. Hence, the actual patches to the glibc library (which was the culprit in this case) were available almost immediately once the vulnerability was known. This naturally raises the question of why it took Sophos so long to issue patches for this highly severe vulnerability (especially since Sophos UTM uses exim, which is the software that a PoC was developed and published for).
Another thing to note is that out of two firewall vendors, Sophos was vulnerable to three out of four example vulnerabilities, while the other one was only vulnerable to one (which was the one that neither of the vendors could have been reasonably expected to evade in the first place). The main difference here is that Sophos UTM is based on a Linux distribution, whereas the other vendor has its own custom firmware (AFAIK not based on anything).
Given the above, I have the following questions:
1. Why hasn't Sophos provided workaround instructions for the GHOST vulnerability in their KB 121879 (https://www.sophos.com/en-us/support/knowledgebase/121879.aspx)? Until a patch is available, appropriate workarounds are arguably the next thing to publish after the initial information about whether or not products are affected at all. In this KB, we still see "Investigating" in the "Workaround" sections for most products. We also still have "Investigating" in the "Affected versions" for "Sophos UTM Manager".
2. Why did it take Sophos up to two weeks to get patches out for the GHOST vulnerability, even though patches to glibc were available almost directly following the publication of the vulnerability?
3. In general, is there anything that can be said in favor of Sophos in this case? How are we supposed to have faith in Sophos UTM for our core firewall infrastructure, when it is kept less secured/patched than our regular Linux servers (thinking about the RHEL/CentOS servers I had patched the same day as GHOST came out, not to mention the same for the other vulnerabilities and Linux distributions I run)? After all, the firewall is one of the most fundamental parts of the network infrastructure, and that if anything should be a secure platform not vulnerable to the general exploits we encounter in our daily work.
4. In this post, https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22559, of the forum thread started due to the GHOST vulnerability, it is mentioned that Sophos UTM does not implement hardenings such as SELinux and/or PaX. Why is this? Again, the firewall (if anything) should be one of the most secure platforms in your entire infrastructure. Why hasn't Sophos put more effort into hardening the platform (especially knowing that it is based on a commodity Linux distribution)?
5. Related to the previous question, what *has* Sophos done to harden its UTM platform? I see there are chroots implemented, but as we all know that is more of a container detail than something that locks down/secures the processes in it (this has been discussed lots of times). I'm very curious to know/understand what things in UTM/RED there are that makes these platforms more secure.
On a final note: this post is not written for the purpose of bashing Sophos or its UTM/RED. I am *genuinely* interested in getting the most out of it, as one of the options when purchasing a new firewall and related equipment. But as you hopefully understand, having seen what I explained above, it's very hard to feel that Sophos UTM is a secure firewall platform that will resist even the common vulnerabilities we are exposed to on a daily basis - especially when compared with other vendors, it seems like Sophos is more focused on implementing new features than on locking down and securing the platform all these features run on.
I think that what worries me the most at this point in time is the response times from Sophos when there are vulnerabilities, but of course it's arguable whether this is a bigger problem than the platform being vulnerable in the first place. I'm not sure which is worse.
I'm hoping people with more insight into how Sophos products are built can shed some light on this :)
Thanks!
PS: Even pfSense, which is a free and open source firewall based on BSD, has been less vulnerable to the above issues (just look it up for yourself if you don't believe me). It doesn't have the same feature set as Sophos UTM, but at least it doesn't expose my network to common vulnerabilities, nor does it take two weeks to get patches for it.