Sophos UTM working....but should I switch to the Unifi Security Gateway

Party2go9820

Looking for some of your thoughts on the these two front end UTM solutions for my home network. I already have a significant investment in the Unifi ecosystem with a cloud key, AP's and a couple of cameras, but I had the home built Sophos box built first and it seems to have a far more advanced feature set. Both play plenty well individually, but trying to decide if switching to the USG is worth any benefits besides a single management console.
 
In general, not really.

The 'Dream Machine' gateways have enough oomph to turn IPS on, but I'd expect Sophos to still be more sophisticated at this point. Forward in visibility, backward in security, if you will.

Now, if you don't need the Sophos security for whatever reason, cool, or, you could put the Sophos setup in passive mode before or after a USG at the cost of some latency.
 
Not currently. Unifi's IDS/IPS is still in the early stages. If you want everything in the Unifi ecosystem, wait for the new rumored USG Pro. It will use the hardware from the Dream Machine but without the extras. The current USG 3P and the one above it cannot do decent speeds with all the goodies turned on. If I can find the thread, I'll post it, but that's what I would wait for.
 
I'm sure such a product will eventually come out since everyone must keep updating hardware, but I am not seeing anything on a USG Pro in the early access area yet. Could be a ways away.
It's not EA yet but all signs point to it coming soon. If I can find the thread on the Unifi boards I will post it.
 
If you want everything in the Unifi ecosystem, wait for the new rumored USG Pro
So, pedantry...

There is a USG Pro already, it's just the ancient and underpowered USG Pro4, which is overpriced for what it is (and always has been).

There is also a UDM Pro, which while more expensive than it needs to be, is still fairly affordable overall at ~US$380 when available.

One would hope that a new set of USGs are on their way, that is, one that is just the routing / firewalling / IPS in a smaller format, and another that perhaps includes a few more features and more performance in a rackmount chassis. Ubiquiti could easily sell a base USG based on the UDM as a one stop shop edge solution for those with GigE connections.

But for now, the UDM Pro fits the bill overall pretty nicely.
 
Absolutely do not buy Unifi firewalls. Absolute garbage. They don't support super common things like OpenVPN server, WireGuard, or multi-WAN even though the community has requested them for years. The USG is old, underpowered and overpriced for both the USG and USG Pro 4. You can get stuff like OpenVPN server or multi-WAN working by doing annoying config.gateway.json files but it's a pain and could break with any controller or firmware update. The new UDM and UDM Pro not only have hardly any features, they also don't allow you to use the config.gateway.json method. They also don't let you adopt them in another controller; the controller runs on the UDM/UDM Pro itself, which some people don't want for various reasons.

The Edgerouter 4 is pretty good and priced decent but it doesn't support IPS/IDS. With the CLI you can do a lot (essentially it's running a modified version of Vyatta VyOS). IMHO there is no benefit to having everything in the Unifi controller. I understand why people wanted it, and initially I wanted it too. Nice "single pane" type setup to view all your network.

The last things Unifi I have on my network are 1x AC Lite and 1x AC Pro access points. Swapped out my Unifi switches for Mikrotik. Swapped out the Edgerouter for a custom built Yanling PC (same thing as Protectli but cheaper) that runs OPNsense for the firewall. OPNsense is great, I'd highly recommend you check it out. It's a port of pfSense with more features, better UI, updated more frequently and the devs aren't dicks like the lovely people over at Netgate.

Also let's not forget about the time Ubiquiti started collecting metrics without consent and then mishandled the entire situation: there are plenty of different articles that go into more depth on how poorly they handled it.

Ubiquiti is good to get your feet wet with "enterprise" networking until you realize there is nothing enterprise about them. Used Juniper, Cisco, Brocade etc... from eBay is a good route for used stuff. New Mikrotik stuff is a great value too, but RouterOS has a steep learning curve. I will no longer support a company that refuses to add heavily requested features for years that could be easily implemented, introduces new "Pro" switches that have L3 support "in an upcoming firmware" (yea good luck, won't be the first time Ubiquiti never delivers features), introduces telemetry without user consent and mishandles the entire situation, and instead of improving products releases dumb stuff like the Ubiquiti Frontrow camera. What a disaster.
 
Also let's not forget about the time Ubiquiti started collecting metrics without consent and then mishandled the entire situation:
Except this has nothing to do with the gateway/switches; it was the APs calling home, and was easily remedied by a DNS block. That said, the situation's concerning and worth noting, and as you mentioned they handled it poorly.

That said, I have a USG for the single pane of glass. It's meh on features from an enterprise perspective, but the DPI is useful. However, I have it set up for my parents, in-laws, and sister, who are all technologically dysfunctional. The remote management of their network for basically no cost other than the hardware and a Pi Docker to run the Unifi container is convenient.

Additional note: if you have top-tier internet, even the USG-Pro-4 still can't do IDS/IPS at full speed.
With IPS/IDS turned on:
USG - 100Mbps
USG-Pro-4 - 250Mbps
USG-XG - 1Gbps

I'm moving to a new house soon that has AT&T GigaPower. I would definitely welcome IPS on a new USG 3P Pro if it could handle gig, though I wouldn't want to pay more than about $200 for that feature and I would want it to be passively cooled still (which might be wishful thinking).
 
Except this has nothing to do with the gateway/switches; it was the APs calling home, and was easily remedied by a DNS block. That said, the situation's concerning and worth noting, and as you mentioned they handled it poorly.

I think the point is, though, that sometimes it doesn't matter how good the product is if where it comes from is questionable. Like blood diamonds, or child slave labor, or insert-violation-du-jour here. It's a personal preference I suppose, but UBNT has a long list of issues Dopamin3 hasn't mentioned (rumored or otherwise). I even had a bad experience with someone I think might be an employee recently "IRL". They were crazy solid and have been a huge disruption for the market in a good way, but there seems to be a loss of coherence in some of their stuff, or maybe a loss of focus. They got a huge market hold marketing themselves as "enterprise" for Linksys prices while people on forums parroted this all over the internet.

That being said, I have an ERL and an AC-AP-Pro, and while people have had a lot of issues, mine have been ridiculously reliable and I've had them both for years now. The ERL is old enough I'm expecting it to EOL itself any time. When it works, it's stable, cheap, feature-packed, and low power. It lives in a market segment with little competition--better than consumer gear, not anywhere near enterprise, but accessible pricing. Just make sure you read the forums before you update any firmware, or have really good backups. I am still afraid of 2.x.x.

Now, not to completely derail the thread, I don't know that for someone looking at a new solution I'd recommend either product. I am running an ERL right now, and I ran Sophos UTM for a couple of years.

The Sophos UTM (I have not run XG) is an awesome product. Very polished, incredibly reliable, and very feature-packed. The executive reports it would generate are fantastic. The email relay system was something that I loved as my FreeBSD file server could email direct reporting from the server, Sophos would intercept it and send it with my Gmail account so it wouldn't get blacklisted. I really like the product, with maybe two exceptions.

First, I had headache after headache getting the filtering to work with a lot of stuff. Household stuff, like Netflix. The forums used to be filled with "how do I get Netflix running?!", and answers were filled with regex expressions for the filter exceptions. To watch Netflix. Barf. At the end of my Sophos use, I had most of my network on bypass in the filter just because it was too much of a pain in the arse to get it running. The worst devices on my network were the ones that weren't being checked. :D Later I tried running it again in a virtual system in a bridge, and every time I turned the filter on it would block all traffic. I got tired of chasing it and just quit. Oh yeah, I had to bypass my file server from the traffic filter because the downloader on Sophos would interfere with updating! The downloader was a neat tool with AV, but it usually required a click from the gateway page to download & scan a file, and that didn't work with the package managers. It would intercept the file and the package manager had no way to interact with it.

Second, somewhere on the forums I started reading problems about network traffic being passed across VLANs and such despite discrete rules to the contrary. People were saying that basically the firewall is ignored if the filter allows traffic, so you have to put the rules into the traffic filters. Yikes! No thanks. I guess I'm old school using ACLs but I expect them to work on a firewall. Maybe that has changed or XG doesn't do that.

So currently I have the ERL and the AC-Pro running with Pi-hole and a couple of browser extensions. Keep everything inside the network up to date, firewalls on, etc. I miss those reports though!

Anyway, long ridiculous post that doesn't entirely answer your question. If you're happy with what you have stick with it. I would check out Untangle. I ran that for many years and was quite happy with it (I ran it before the Home Pro stuff). Endian might be an option. I used that before Untangle. Endian fell apart at one point, but they brought it back and it looks solid. If you don't want to use a UTM, I'd look at making a basic OpenBSD or FreeBSD router/firewall.
 
The Sophos UTM (I have not run XG) is an awesome product. Very polished, incredibly reliable, and very feature-packed. The executive reports it would generate are fantastic. The email relay system was something that I loved as my FreeBSD file server could email direct reporting from the server, Sophos would intercept it and send it with my Gmail account so it wouldn't get blacklisted. I really like the product, with maybe two exceptions.

First, I had headache after headache getting the filtering to work with a lot of stuff. Household stuff, like Netflix. The forums used to be filled with "how do I get Netflix running?!", and answers were filled with regex expressions for the filter exceptions. To watch Netflix. Barf. At the end of my Sophos use, I had most of my network on bypass in the filter just because it was too much of a pain in the arse to get it running. The worst devices on my network were the ones that weren't being checked. :D Later I tried running it again in a virtual system in a bridge, and every time I turned the filter on it would block all traffic. I got tired of chasing it and just quit. Oh yeah, I had to bypass my file server from the traffic filter because the downloader on Sophos would interfere with updating! The downloader was a neat tool with AV, but it usually required a click from the gateway page to download & scan a file, and that didn't work with the package managers. It would intercept the file and the package manager had no way to interact with it.

Second, somewhere on the forums I started reading problems about network traffic being passed across VLANs and such despite discrete rules to the contrary. People were saying that basically the firewall is ignored if the filter allows traffic, so you have to put the rules into the traffic filters. Yikes! No thanks. I guess I'm old school using ACLs but I expect them to work on a firewall. Maybe that has changed or XG doesn't do that.

So currently I have the ERL and the AC-Pro running with Pi-hole and a couple of browser extensions. Keep everything inside the network up to date, firewalls on, etc. I miss those reports though!
I started looking at Sophos when they were switching from UTM to XG; XG is a ground-up rebuild apparently. I've been meaning to go back and look at it again personally, but if Ubiquiti gets their house in order before then, I might wind up skipping.

Home networks are just not worth the hassle, generally speaking. Hopefully one of these companies catches on to the idea of serving up a curated IPS / IDS solution for SOHO use.
 
Sophos bought Cyberoam or something, and that is what spawned XG. I can't remember the name. Anyway, for a short time they had two concurrent projects and eventually dropped UTM (I think, it's been a couple of years). I don't think they ground-up built anything, since UTM was an acquisition of Astaro--unless Sophos was a direct re-brand, but I didn't think so.

I don't think anyone will ever curate an effective IPS for home networks--it's too much of a moving target (many OSes, smart bulbs, smart TVs, smart espresso machines). With a corporate network you can tune for a controlled environment, because you know what you want and what is critical, and you have the staff to monitor it and make it useful or have the resources to pay people to do that. I've never been on a corporate network with IPS, though (IDS probably but I have no idea).

I think things like DNS blacklisting and securing the internal devices themselves are about the best we can ask for at home.
 
I just use geo-blocking in and out of traffic to the typical bad actors in my USG, along with Pi-hole; things have been solid. Also, DPI of my traffic helps if anything looks off or weird. I also have several VLANs: Wi-Fi, internal prod network, guest Wi-Fi, and IoT.
 
<snip>
First, I had headache after headache getting the filtering to work with a lot of stuff. Household stuff, like Netflix. The forums used to be filled with "how do I get Netflix running?!", and answers were filled with regex expressions for the filter exceptions. To watch Netflix. Barf. At the end of my Sophos use, I had most of my network on bypass in the filter just because it was too much of a pain in the arse to get it running. The worst devices on my network were the ones that weren't being checked. :D Later I tried running it again in a virtual system in a bridge, and every time I turned the filter on it would block all traffic. I got tired of chasing it and just quit. Oh yeah, I had to bypass my file server from the traffic filter because the downloader on Sophos would interfere with updating! The downloader was a neat tool with AV, but it usually required a click from the gateway page to download & scan a file, and that didn't work with the package managers. It would intercept the file and the package manager had no way to interact with it.

Second, somewhere on the forums I started reading problems about network traffic being passed across VLANs and such despite discrete rules to the contrary. People were saying that basically the firewall is ignored if the filter allows traffic, so you have to put the rules into the traffic filters. Yikes! No thanks. I guess I'm old school using ACLs but I expect them to work on a firewall. Maybe that has changed or XG doesn't do that.
<snip>

These are actually the two reasons why I'm even considering the switch. I originally had the content filters set up and working to limit some stuff for my kids (but not others, due to regex complication land) and found that it broke some of the firewall rules in place. I'm with you, one shouldn't trump the other. I've since turned all the content filters off as my kids have (roughly) gotten old enough to not need that level of supervision.

What I hear everyone saying is that the USG platform isn't terrible, but not all that great a platform either. Best to stick with where I am for now...although I'm considering Untangle as an option. When I set up the Sophos, I also considered Untangle but there wasn't support for the built-in NICs (Marvell?) on my small form factor box. Maybe that's worth reattempting.
 
Ran Untangle on a fanless mini PC for a while myself.
Works great; don't really have much at all to comment on other than the yearly cost.
It's on the list of things to try if I decide to dedicate my Edgerouter 4 to homelab duties.
 
I thought about going towards the USG from Sophos but I felt that it wasn't worth it. I purchased a Fortigate 60F and will repurpose my Sophos UTM (C2758 with 16GB) as a "pure" proxy/load balancer. I would have gone XG but I wasn't on board with the hardware requirements, so I went the ASIC route.
 