Home User with Bypass Rules

[sclawrenc]

I was on Sophos XG before I moved to Untangle. It was a Sophos UTM, so was paying £200ish a year for fewer features than I get with Untangle at $50/year.

The interface looks nice and some of the groupings of hosts, services, ports etc they allow you to do make creating policies pretty flexible and I like the way that if you're running their endpoint products on your devices (and you're prepared to pay for it) that there can be some intelligence between them, but you're not gonna get that at $50 or even $150.

Oh... and let's not even mention the own-goal in the form SQL injection vulns that their product suffered from - game over.

Thanks again Armshouse. What about the most recent Sophos XG which doesn't have the device limit? I do think it has limits on amount of CPU and RAM you can use though. I haven't used it yet, but the SQL injection vulnerabilities are crazy.

This is what I have done. For IOT it makes a lot of sense. Don't need all the features of Untangle fro them. Have enough features to protect the router serving them. .

Thanks fatman13 for your comments. In a way, I feel like the IoT devices are the ones that I would actually want to monitor, and to be honest, the idea of putting my IoT devices and kids on a separate VLAN is what lead me down this deep rabbit hole.

[mikeyscott]

Thanks again Armshouse. What about the most recent Sophos XG which doesn't have the device limit? I do think it has limits on amount of CPU and RAM you can use though. I haven't used it yet, but the SQL injection vulnerabilities are crazy.




Thanks fatman13 for your comments. In a way, I feel like the IoT devices are the ones that I would actually want to monitor, and to be honest, the idea of putting my IoT devices and kids on a separate VLAN is what lead me down this deep rabbit hole.

The physical limits are 4 Cores and 6GB or RAM for Sophos XG Home v18 MR4. Got Untangle, pfsense and Sophos XG.

For me, unless it absolutely breaks the device, I want it to pass through the NGFW (whatever the vendor).

Re Sophos, any organisation bought by Thomas Bravo is a bad thing in the long run.

[sky-knight]

Sophos to me went out the window when this happened: https://support.sophos.com/support/s...language=en_US

A SQL injection vuln, in the LOGIN PAGE for a security product in 2020 is utterly unacceptable. Untangle has some questionable dev practices, but a least they try. Sophos on that day showed the world they flat don't care about security, or their users. They are coding crap like it's 1990 and they just don't care. In this case they got caught... who knows what else is left in there.

[fatman13]

Thanks again Armshouse. What about the most recent Sophos XG which doesn't have the device limit? I do think it has limits on amount of CPU and RAM you can use though. I haven't used it yet, but the SQL injection vulnerabilities are crazy.




Thanks fatman13 for your comments. In a way, I feel like the IoT devices are the ones that I would actually want to monitor, and to be honest, the idea of putting my IoT devices and kids on a separate VLAN is what lead me down this deep rabbit hole.

IOT and Kids on seperate VLANs is exactly where this started with me too. And frustrated the hell out of me. And quite frankly made me quite short, terse and on the verge of greater adjetives when I contacted sales right after my purchase as I had then noticed the device limit.

I agree with you I don't want my IOT bypassed, but of course behind a NAT'd router is kinda similar, kinda not. It's up to you on that front. I'm happy with it right now behind router.

[sclawrenc]

IOT and Kids on seperate VLANs is exactly where this started with me too. And frustrated the hell out of me. And quite frankly made me quite short, terse and on the verge of greater adjetives when I contacted sales right after my purchase as I had then noticed the device limit.

I agree with you I don't want my IOT bypassed, but of course behind a NAT'd router is kinda similar, kinda not. It's up to you on that front. I'm happy with it right now behind router.

I agree fatman13. I don't want my IoT devices bypassed either which I think is the only solution if I want to stay with Untangle (currently at end of 14 day trial). I'm honestly considering just saying I'm done with the different firewalls, and going with the Xfinity XB7 (unlimited data) in router mode (in bridge mode currently) which comes with xFi Advanced Security and decent parental controls since I can create many profiles with different limits. I know it's not what I set out to do, but it does somewhat accomplish what I wanted which was security around my IoT and my kids, and it doesn't cost me $150 per year. It actually sounds like the xFi Security is decent although there is no way to configure or adjust anything. It's just on of off and mostly the same with the kids profiles.

https://forums.xfinity.com/t5/Intern...s/ta-p/3180099

I don't know... I'm just not a fan of paying for something that gets me 90% there, you know?

[sclawrenc]

Just to give an update, I am not using Untangle. I've been using the included Xfinity Advanced Security offering , although I would have preferred using Untangle, just not for $150. The ONLY reason I decided not to purchase Untangle was due to the license limit. I really wish they could go back to the old license structure or something comparable that allowed more than 50 devices for the $50 cost. I think I speak for many home users when I say that $150 is too much and bypassing the IoT devices (least secure I think) is not the best option.

Again, I appreciate everyone's input and help.