Update: The information in this blogpost is not up to date. The UTM hardware no longer exists and we would strongly recommend the new XG Firewall.

A firewall should be used by everyone. Whether it’s the free home version to secure your home network or the business version for your company. There are different ways to run it. On the one hand there are the UTM and SG boxes, virtual appliances, cloud-images and the software version for your own hardware. In this contribution, I would like to comment briefly on three different options. After that, you should know which version of the deployment is right for you.

Product Names

Sophos, or Astaro in the past, is having a hard time with naming there products, and it also seems as if they are not sure where it will lead.

The devices used to be called “Astaro Security Gateway” (ASG) and, after the acquisition of Sophos, they were now called “Sophos UTM” and, most recently,”Sophos Security Gateway” (SG).

Also for modules such as “Web Security” or “Web Protection”, only the name is the difference. Whether it’s Astaro, Sophos, UTM or SG on the box, the system is always the same.

Hardware Appliance

The Sophos hardware version is available as a small box or 19” rack solution. The devices differ in performance and are suitable for small companies with one employee up to large companies with 5000 employees.

There are currently (as of January 2015) 19 different boxes from Sophos. There are 7 UTMs and 14 from the SG series. In my opinion, buying a new UTM doesn’t make any sense anymore. The SGs are priced the same, but offer more performance. The UTMs remain in our shop for the time being, however, so that customers can obtain licenses or replace a defective UTM in the cluster.

This leaves 14 different Sophos SG models. To choose a model, you have to ask yourself two questions:

1. How many users or devices are behind the firewall?
2. Which modules do I want to license?

Include the following options:

• Sophos RED, which connects additional sites via VPN.
• Sophos Wireless Access Points, enabling even more users to access the network.

On the basis of this information, the following scale helps relatively well to make a hardware selection.

In case of doubt, I’d rather have one size bigger. Every year there are new features that require more resources. The SG105 to SG135 is still available as a (w)-model with integrated WLAN module. In most cases, however, the firewall is not central enough so that reception would still be good.

Virtual Appliance

Sophos is also available as a virtual version. If you already have a virtual environment in operation, you no longer have to invest in hardware. The system can be installed on a VMware vSphere Hypervisor, Microsoft Hyper-V, Citrix XEN or KVM environment. An ISO can be downloaded free of charge from Sophos FTP servers and offers a 30-day trial period. But also the Amazon Web Services offer an EC2 image, with which you can start right away.

Unlike the hardware box, the virtual solution allows you to regulate the performance yourself. That is why Sophos has a different licensing model here.

Each IP address must be licensed. This means that every WLAN client or network printer can be used. In some cases, the hardware version is therefore considerably cheaper. An office with 3 employees can quickly get to over 10 devices with smartphones and tablets. The next higher package is 25 IP addresses, followed by 50.

Own Hardware

Sophos Firewall can also be installed on your own hardware. However, care must be taken to ensure that the hardware meets the minimum requirements for the Sophos system.

Sophos UTM combines all security applications in a single operating system. All components are combined in a single software image and can be easily installed on the hardware of your choice. The self-booting software package can be installed on a dedicated Intel-compatible computer within minutes. You can switch to Sophos hardware at a later date using Config’s Backup/Restore feature. The performance ratios depend on the selected hardware. Refer to the Hardware Compatibility List for recommended and tested server systems and components. The licensing model is then IP-based, as with the virtual appliance.

We will be happy to help you and share our experience with you.