Sophos Firewall – hardware, or virtual appliance?
Update: The information in this blogpost is not quite up to date. The UTM hardware is no longer available and we would advise the new XG Firewall in any case.
Everyone should have a firewall in place. Whether the free Home version to secure the home network, or the Business version for the company. There are several ways to run them. On the one hand, there are the UTM and SG boxes, virtual appliances, cloud images and the software variant for your own hardware. In this post, I would like to briefly discuss three different options. After that, you should know which variant of deployment is right for you.
Product designations
Sophos, or Astaro as it used to be, is having a hard time with product names, and it also seems like they themselves aren’t sure where this is going yet.
The devices used to be called “Astaro Security Gateway” (ASG), then “Sophos UTM” after the acquisition of Sophos, and currently “Sophos Security Gateway” (SG).
Even with the modules like “Web Security” or “Web Protection” only the name is the difference. Whether the box says Astaro, Sophos, UTM or SG, the system is always the same.
Hardware appliance
The Sophos hardware variant is available as a small box or as a 19″ rack solution. The devices differ in performance and are suitable for small companies with one employee, up to large companies with 5000 employees.
There are currently (as of January 2015) 19 different boxes from Sophos. Of these, 7 are UTMs and 14 are from the SG series. Buying a new UTM no longer makes sense in my opinion. The SGs are priced the same, but offer more performance. However, the UTMs will remain in our store for the time being so that customers can obtain licenses or replace a defective UTM in the cluster.
This leaves 14 different Sophos SG models. To decide on a model, you need to ask yourself two questions:
- How many users or devices are behind the firewall?
- Which modules do I want to license?
Include the following possibilities:
- Sophos RED, which connects additional sites via VPN.
- Sophos wireless access points, which bring even more users onto the network.
Based on this information, the following scale helps relatively well to make a hardware selection.
If in doubt, go one size up. Every year there are new features that require more resources. The SG105 to SG135 are still available as (w)-model with integrated WLAN module. In most cases, however, the firewall is not central enough for reception to be good.
virtual appliance
Sophos is also available as a virtual variant. If you already have a virtual environment in operation, you no longer need to invest in hardware. The system can be installed on a VMware vSphere hypervisor, Microsoft Hyper-V, Citrix XEN or KVM environment. An ISO can be downloaded free of charge from the Sophos FTP servers and offers a 30-day trial period. But also the Amazon Web Services offer in EC2 Image, with which you can start right away.
Unlike the hardware box, you can regulate the performance yourself with the virtual solution. For this reason, Sophos also has a different licensing model here.
Each IP address must be licensed. Thus also any WLAN client or network printer. In some cases, the hardware version is much cheaper. An office with 3 employees can quickly have over 10 devices with smartphones and tablets. The next highest package is 25 IP addresses, followed by 50.
Own hardware
Sophos Firewall can also be installed on your own hardware. However, care must be taken to ensure that the hardware meets the minimum requirements for the Sophos system.
The Sophos UTM combines all security applications in one operating system. All components are combined in a single software image and can be easily installed on the hardware of your choice. The self-booting software package can be installed on a dedicated Intel-compatible computer within minutes. A later change to a Sophos hardware is possible via backup/restore of the config. The performance metrics depend on the selected hardware. Information about recommended and tested server systems and components can be found in the hardware compatibility list. The licensing model is then IP-based, as with the virtual appliance.
In any case, we will be happy to help you and share our experience with you.