OpenWrt Forum Archive

Topic: Sophos UTM and OpenWrt

The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Moved from different thread

kirkgbr wrote:
JW0914 wrote:
kirkgbr wrote:

I've actually considered that but trying to match hardware, chipsets, ... with what is supported in OpenWrt is a rather daunting task.  At least for me ;)

If building a custom router box, OpenWrt shouldn't be used as it would defeat the purpose of a custom router box. I personally recommend mini-ITX server boards with an Intel SOC [J1900, C2550/C2750, C2558/C2758] and no more than a TDP of 20W, utilizing ESXi as a base OS, then a router OS within a VM [Sophos UTM is easily the best router OS out there for home users].

  • Server boards are preferred due to IPMI (box should be headless) and ESXi is meant to be managed via IP

    • ESXi allows one to fully utilize the quad or octa core CPU and the 16GB - 64GB RAM

  • Sophos UTM (as a Software Appliance) is free to home users

ESXi and VMs are a bit much for a home router ;)

For a consumer bought store router, yes... for a custom router box, no. 

For example, the 3200 has a dual core 1.8GHz processor and 512MB of RAM, whereas my custom router box runs an A1SRi-2758F server board [TDP 20W], with an octa core 2.4GHz Atom C2758 & 16GB ECC RAM. Unless you're running a fiber or SAS storage network, those will simply not be taken advantage of.  Running ESXi [or any VM base OS] allows for the router OS [Sophos UTM] to be installed in a VM, with all traffic being routed through it first, and then one can take advantage of the hardware by running additional servers in VMs.

A router box should have a minimum of a quad core 2.0GHz CPU and 8GB ECC RAM due to the IPS, AntiVirus, Anti-Malware, and other features gained with a router OS like Sophos UTM.  For ~$300, one can pick up an AsRock J1900D2Y, 8GB RAM, & case, which offers a massive performance gain over many enterprise routers, let alone consumer ones.

(Last edited by JW0914 on 25 Oct 2016, 16:20)

gsustek wrote:

@JW0914 keep writing :-) It seems that this configuration suits a small office more than an average family :-) But I like your HW/SW combo..

Not at all... Router OSes offer far better security over that of consumer routers.  The Achilles heel of consumer routers is the hardware, as well as the limitations imposed by memory, RAM, and clock speed.  Sophos UTM is the exact same OS that's licensed to corporations and utilized on their HAs (Hardware Appliances), with the only limitation for home users being a 50 IP limit.  Sophos UTM is meant to be the WAN facing router as it lacks certain capabilities for security reasons:

  • It cannot be configured as a VPN client, except if connecting to another UTM HA/SA

  • It cannot be configured as a NAS server for SAMBA, NFS, etc

Sophos UTM as a Software Appliance is far more than just a Router OS... it's a comprehensive Unified Threat Management OS, which combines a router with IPS [Intrusion Prevention System] via SNORT and other open source & proprietary software, antivirus/anti-malware protection for all devices behind it (as well as endpoint software that is phenomenal at blocking attempted web exploits, which is capable of being managed via the UTM itself or the endpoint PC), Outlook add-in, auto scanning all email through two separate scanners prior to being delivered, 5 different VPN types (including HTML5), and a phenomenal web filtering capability.

  • A major benefit is VPN speed, with a massive performance gain when processing encryption over that of my ACS.

1st Line:   WRT1900ACS      DD [4.4.14-2016.09.26, r49936]
2nd Line:   A1SRi-2758F     Sophos UTM [8C 2.4GHz / 16GB ECC RAM / 128GB 850 Pro]

Doing sha256 for 3s on 16 size blocks: 1547137 sha256's in 3.00s
Doing sha256 for 3s on 16 size blocks: 2460459 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 824553 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 1366848 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 347862 sha256's in 2.99s
Doing sha256 for 3s on 256 size blocks: 574461 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 105168 sha256's in 3.00s
Doing sha256 for 3s on 1024 size blocks: 174758 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 13991 sha256's in 3.00s
Doing sha256 for 3s on 8192 size blocks: 23320 sha256's in 3.00s

Doing sha512 for 3s on 16 size blocks: 298170 sha512's in 2.99s
Doing sha512 for 3s on 16 size blocks: 827431 sha512's in 3.00s
Doing sha512 for 3s on 64 size blocks: 298564 sha512's in 3.00s
Doing sha512 for 3s on 64 size blocks: 825344 sha512's in 3.00s
Doing sha512 for 3s on 256 size blocks: 101479 sha512's in 2.99s
Doing sha512 for 3s on 256 size blocks: 294862 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 33985 sha512's in 3.00s
Doing sha512 for 3s on 1024 size blocks: 100454 sha512's in 3.02s
Doing sha512 for 3s on 8192 size blocks: 4719 sha512's in 3.00s
Doing sha512 for 3s on 8192 size blocks: 14052 sha512's in 3.00s

Doing aes-128 cbc for 3s on 16 size blocks: 4414932 aes-128 cbc's in 2.99s
Doing aes-128 cbc for 3s on 16 size blocks: 7269637 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 1227616 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 64 size blocks: 2024555 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 314664 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 256 size blocks: 528872 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 1024 size blocks: 79158 aes-128 cbc's in 2.99s
Doing aes-128 cbc for 3s on 1024 size blocks: 263410 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 9942 aes-128 cbc's in 3.00s
Doing aes-128 cbc for 3s on 8192 size blocks: 33206 aes-128 cbc's in 3.00s

Doing aes-192 cbc for 3s on 16 size blocks: 3916567 aes-192 cbc's in 2.99s
Doing aes-192 cbc for 3s on 16 size blocks: 6073333 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 64 size blocks: 1056818 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 64 size blocks: 1701665 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 256 size blocks: 269232 aes-192 cbc's in 2.97s
Doing aes-192 cbc for 3s on 256 size blocks: 443045 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 1024 size blocks: 67603 aes-192 cbc's in 2.98s
Doing aes-192 cbc for 3s on 1024 size blocks: 223402 aes-192 cbc's in 3.00s
Doing aes-192 cbc for 3s on 8192 size blocks: 8493 aes-192 cbc's in 2.99s
Doing aes-192 cbc for 3s on 8192 size blocks: 28117 aes-192 cbc's in 3.00s

Doing aes-256 cbc for 3s on 16 size blocks: 3434072 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 16 size blocks: 5370533 aes-256 cbc's in 3.02s
Doing aes-256 cbc for 3s on 64 size blocks: 930883 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 1460201 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 236548 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 379486 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 59421 aes-256 cbc's in 2.98s
Doing aes-256 cbc for 3s on 1024 size blocks: 193861 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 7528 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 24392 aes-256 cbc's in 3.00s

Doing 2048 bit private rsa's for 10s: 330 2048 bit private RSA's in 9.97s
Doing 2048 bit private rsa's for 10s: 370 2048 bit private RSA's in 10.02s
Doing 2048 bit public rsa's for 10s: 13559 2048 bit public RSA's in 10.00s
Doing 2048 bit public rsa's for 10s: 14011 2048 bit public RSA's in 10.00s
Doing 4096 bit private rsa's for 10s: 51 4096 bit private RSA's in 10.02s
Doing 4096 bit private rsa's for 10s: 57 4096 bit private RSA's in 10.18s
Doing 4096 bit public rsa's for 10s: 3662 4096 bit public RSA's in 10.00s
Doing 4096 bit public rsa's for 10s: 3764 4096 bit public RSA's in 10.00s

Doing 256 bit  ecdh's for 10s: 3230 256-bit ECDH ops in 9.90s
Doing 256 bit  ecdh's for 10s: 3253 256-bit ECDH ops in 10.00s
Doing 384 bit  ecdh's for 10s: 1480 384-bit ECDH ops in 9.99s
Doing 384 bit  ecdh's for 10s: 1215 384-bit ECDH ops in 10.00s
Doing 521 bit  ecdh's for 10s: 763 521-bit ECDH ops in 10.00s
Doing 521 bit  ecdh's for 10s: 505 521-bit ECDH ops in 10.02s

Doing 283 bit  ecdh's for 10s: 1003 283-bit ECDH ops in 9.99s
Doing 283 bit  ecdh's for 10s: 2782 283-bit ECDH ops in 10.00s
Doing 409 bit  ecdh's for 10s: 429 409-bit ECDH ops in 10.02s
Doing 409 bit  ecdh's for 10s: 1413 409-bit ECDH ops in 10.02s
Doing 571 bit  ecdh's for 10s: 182 571-bit ECDH ops in 10.00s
Doing 571 bit  ecdh's for 10s: 628 571-bit ECDH ops in 10.00s

Doing 283 bit  ecdh's for 10s: 897 283-bit ECDH ops in 10.00s
Doing 283 bit  ecdh's for 10s: 2543 283-bit ECDH ops in 10.00s
Doing 409 bit  ecdh's for 10s: 374 409-bit ECDH ops in 10.02s
Doing 409 bit  ecdh's for 10s: 1278 409-bit ECDH ops in 10.00s
Doing 571 bit  ecdh's for 10s: 159 571-bit ECDH ops in 10.02s
Doing 571 bit  ecdh's for 10s: 564 571-bit ECDH ops in 10.02s

OpenSSL 1.0.2j  26 Sep 2016

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes

aes-128 cbc      23625.05k    26189.14k    26851.33k    27109.63k    27148.29k
aes-128 cbc      38771.40k    43190.51k    45130.41k    89910.61k    90674.52k
aes-192 cbc      20958.22k    22545.45k    23206.53k    23230.02k    23269.12k
aes-192 cbc      32391.11k    36302.19k    37806.51k    76254.55k    76778.15k
aes-256 cbc      18315.05k    19858.84k    20185.43k    20418.49k    20556.46k
aes-256 cbc      28453.15k    31150.95k    32382.81k    66171.22k    66606.42k

sha256            8251.40k    17590.46k    29783.50k    35897.34k    38204.76k
sha256           13122.45k    29159.42k    49020.67k    59650.73k    63679.15k
sha512            1595.56k     6369.37k     8688.50k    11600.21k    12886.02k
sha512            4412.97k    17607.34k    25161.56k    34061.22k    38371.33k

                  sign    verify    sign/s verify/s
rsa 2048 bits 0.030212s 0.000738s     33.1   1355.9
rsa 2048 bits 0.027081s 0.000714s     36.9   1401.1
rsa 4096 bits 0.196471s 0.002731s      5.1    366.2
rsa 4096 bits 0.178596s 0.002657s      5.6    376.4

                              op      op/s
 256 bit ecdh (nistp256)   0.0031s    326.3
 256 bit ecdh (nistp256)   0.0031s    325.3
 384 bit ecdh (nistp384)   0.0067s    148.1
 384 bit ecdh (nistp384)   0.0082s    121.5
 521 bit ecdh (nistp521)   0.0131s     76.3
 521 bit ecdh (nistp521)   0.0198s     50.4

 283 bit ecdh (nistk283)   0.0100s    100.4
 283 bit ecdh (nistk283)   0.0036s    278.2
 409 bit ecdh (nistk409)   0.0234s     42.8
 409 bit ecdh (nistk409)   0.0071s    141.0
 571 bit ecdh (nistk571)   0.0549s     18.2
 571 bit ecdh (nistk571)   0.0159s     62.8

 283 bit ecdh (nistb283)   0.0111s     89.7
 283 bit ecdh (nistb283)   0.0039s    254.3
 409 bit ecdh (nistb409)   0.0268s     37.3
 409 bit ecdh (nistb409)   0.0078s    127.8
 571 bit ecdh (nistb571)   0.0630s     15.9
 571 bit ecdh (nistb571)   0.0178s     56.3

I've always recommended anyone with children in the home to try Sophos UTM as their WAN facing router simply for its web filtering capabilities, which can be run in transparent mode, scanning all traffic, including SSL/TLS encrypted packets (it decrypts, scans, re-encrypts, then signs the packets with its internal Proxy CA).
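The summary table in the post is derived from the raw "Doing ..." lines above it (count × block size ÷ seconds, in 1000s of bytes/s; seconds ÷ count for the sign/op columns). As an added example that is not code from the thread, this POSIX shell script recomputes those columns with awk and the A1SRi-over-ACS speedup, using lines copied from the post as sample input; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the `openssl speed` summary
# columns from the raw "Doing ..." lines so the two boxes can be cross-checked.

# Bulk lines, e.g. "Doing sha256 for 3s on 16 size blocks: 1547137 sha256's in 3.00s".
# openssl's table value is count * block_size / seconds, shown in 1000s of bytes/s.
throughput_kbytes() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "on")      size  = $(i + 1)   # "... on 16 size blocks:"
            if ($i == "blocks:") count = $(i + 1)   # "... blocks: 1547137 ..."
        }
        secs = $NF; sub(/s$/, "", secs)             # "3.00s" -> 3.00
        printf "%.2f\n", count * size / secs / 1000
    }'
}

# Asymmetric lines, e.g. "Doing 2048 bit private rsa's for 10s: 330 2048 bit private RSA's in 9.97s"
# or "Doing 256 bit  ecdh's for 10s: 3230 256-bit ECDH ops in 9.90s".
# Prints "<seconds per op> <ops per second>", i.e. the sign/verify and op/s columns.
ops_per_second() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+s:$/) count = $(i + 1)   # field after "10s:" is the op count
        secs = $NF; sub(/s$/, "", secs)
        printf "%.6f %.1f\n", secs / count, count / secs
    }'
}

# speedup LINE_A LINE_B : throughput of B divided by throughput of A (e.g. A1SRi over ACS).
speedup() {
    a=$(throughput_kbytes "$1"); b=$(throughput_kbytes "$2")
    awk -v a="$a" -v b="$b" 'BEGIN { printf "%.2f\n", b / a }'
}

# Constructed demo over lines copied from the post (1st line ACS, 2nd line A1SRi).
demo() {
    acs="Doing sha256 for 3s on 16 size blocks: 1547137 sha256's in 3.00s"
    utm="Doing sha256 for 3s on 16 size blocks: 2460459 sha256's in 3.00s"
    echo "sha256/16B   ACS $(throughput_kbytes "$acs")k   UTM $(throughput_kbytes "$utm")k   x$(speedup "$acs" "$utm")"
    echo "rsa2048 sign ACS $(ops_per_second "Doing 2048 bit private rsa's for 10s: 330 2048 bit private RSA's in 9.97s")"
}

# Usage: sh this-script.sh demo
[ "${1:-}" != "demo" ] || demo
```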

mojolacerator wrote:
doITright wrote:

@JW0914

Do you have a wiki etc. on your custom router ideas/build? 

Sounds very interesting .....

Cheers

@JW0914

I would be interested as well. I have looked at doing this, but just don't have the time to pull all the info together.

Sophos UTM is built upon an openSUSE base OS, so it will run on most hardware provided the hardware meets the minimum hardware reqs and has at least 2 ethernet ports. 

As to hardware, I recommend mini-ITX server boards with a dedicated IPMI port that are capable of passive cooling and have a TDP no higher than 24W, with a minimum of a quad core running 2.0GHz+, 8GB ECC RAM, and at least a 128GB SSD.  There are other manufacturers besides AsRock and SuperMicro, however I'm most familiar with them since I own server boards from each.  ECC RAM is highly recommended and not all boards support it (Intel's J1900 does not, and J1900 boards will be the cheapest in the ~$175 range, with C2X50/C2X58 boards in the ~$275 - $375 range).

Sophos UTM can be run in a VM and I highly recommend one tests it in a VM prior to buying hardware for a build.  There is a slight learning curve to Sophos UTM, and while the WebAdmin may appear overwhelming at first, it's laid out in a common sense way, making it easy to navigate.

  • CPU

  • Case

    • In Win Chopin (currently out of stock on Newegg, otherwise $90 USD)

      • Most smaller mini-ITX cases will be in the $50 - $100 range, with aesthetics varying wildly by manufacturer; however, I've yet to come across a mini-ITX case that's designed better than the Chopin.  In Win makes art out of their cases, so if you're looking for a phenomenal case, check them out.

    • Whichever case one chooses, it should come with its own power supply or a supply board.  Many of the Atom SOC server boards can be powered either by ATX plugs from a power supply, or via a 12v DC jack on a power board.

  • HDD

    • High end SSD such as Samsung's 850 Pro 128GB drive (~$100, 10yr/300TBW warranty)

  • Accessories

    • I highly recommend investing in SilverStone CP11 SATA cables, as they will make one's life easier when routing through a mini-ITX case.  At $10/cable on Newegg, they're 5x the price of regular SATA cables, but they're worth it due to their size and how they can be bent. 

      • IIRC, SilverStone made these cables specifically for their NAS project with AsRock, with AsRock manufacturing their C2550D4I/C2750D4I server boards specifically for SilverStone's DS380 and vice versa for DIY NAS builders.

      • I personally prefer the 1st gen CP11's, which are blue, over that of the 2nd gens that are black.  It seems like they switched shielding materials between the generations as I had repeated data corruption issues on 4 of the 6 black CP11's I had, whereas I haven't had a single issue with any of the 15 blue CP11's I use.

  • To download Sophos UTM, first create a My UTM user account to receive the free home user license, then register for a Sophos account.  For company and occupation, type "Self".

    Once you've logged in, download the ISO under Software Appliance.

    • There is a bug that was introduced a few months back that requires manual fixing.  Once you've installed/updated to 9.405+, you'll need to SSH in and perform the steps listed in this post to disable WAN MTU autodiscovery.

gsustek wrote:

@JW0914 great comprehensive description of your setup. I have a few questions:
1. UTM cannot be a VPN or NAS server. Then you have this: "A major benefit is VPN speed, with a massive performance...."
2. Can you elaborate more about the "5 different VPN types (including HTML5)" UTM feature?
3. UTM is the first thing after your ISP as WAN connection/NAT/FW and other UTM specific features? Then goes ACS? For what, what do you still miss on UTM besides VPN and NAS? If you need wifi you can put some PCI wifi card into the server board and use OpenWrt for x86 (if you want OpenWrt for your routing)
4. Please answer whether the following setup is possible: two VM machines on a mini-ITX board, one is S UTM connected directly on the WAN port, S UTM does its own job (web filtering, etc..) then port forwarding from the UTM firewall to the next VM with OpenWrt (x86) where you put the VPN and NAS server :-) It is an all-in-one solution.
5. Is there a mini-ITX board with an SFP slot? To eliminate the ONT?

  1. It cannot be configured as a VPN client [not server], as that poses a massive security risk to corporations and businesses.  Sophos UTM for home users is the exact same OS that's licensed to businesses, simply without specific license features that would apply mainly to paid [business] licensees.  To provide an idea of the sophistication of the OS, paid licenses for businesses start at the $600/yr range and go past $10k/yr.

  2. VPN Types

    • Site-to-Site VPN Servers (Router  <-> Router)

      • Amazon VPC

      • IPsec

      • SSL [OpenVPN]

    • Remote Access (Sophos UTM <-> Client)

      • SSL [OpenVPN]

      • PPTP

      • L2TP over IPsec

      • IPsec

      • HTML5 VPN Portal

      • Cisco VPN Client

  3. I run my network with Sophos UTM as the WAN facing router, with my ACS as a smart switch

    • 5 LANs

      • eth0 & eth1 bridged - Subnet .0/26 [ACS configured as the main DHCP server, with DHCP relay specified in Sophos, allowing for the ACS to serve as the DHCP & DNS server, rather than Sophos, for the .0/26 subnet]

      • eth2 - Subnet .64/26 [Sophos configured as DHCP server, with this connected to my FreeNAS server to serve as dhcp & DNS server to my jails]

      • eth3 - WAN

      • IPMI connected to ACS

    • You can run OpenWrt as a VM, however it depends on what features of OpenWrt you want as many features and packages [menuconfig] are not available for OpenWrt's x86 crossover.

  4. That config would work

  5. I have no experience with fiber, however I would imagine so. I'd check Newegg or board manufacturers' websites directly.  SuperMicro's website has the largest selection of enterprise server boards I've seen.

If one chooses to use the web filtering capabilities of Sophos for children, it's highly recommended to set up MAC exceptions for devices adults use.  Transparent web filtering will result in any device it's configured for being slowed to 30Mbps [LAN side] due to the fact all packets are decrypted, scanned, re-encrypted, then signed by Sophos' Proxy CA. If one has no need for web filtering, simply disable it altogether.

(Last edited by JW0914 on 25 Oct 2016, 16:27)

Question 1 repeated: A major benefit is VPN speed, with a massive performance.... You mention that OpenVPN is not possible in S UTM, but after that you post this:

    A major benefit is VPN speed, with a massive performance gain when processing encryption over that of my ACS.

1st Line:   WRT1900ACS      DD [4.4.14-2016.09.26, r49936]
2nd Line:   A1SRi-2758F     Sophos UTM [8C 2.4GHz / 16GB ECC RAM / 128GB 850 Pro]

Doing sha256 for 3s on 16 size blocks: 1547137 sha256's in 3.00s
Doing sha256 for 3s on 16 size blocks: 2460459 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 824553 sha256's in 3.00s
Doing sha256 for 3s on 64 size blocks: 1366848 sha256's in 3.00s
Doing sha256 for 3s on 256 size blocks: 347862 sha256's in 2.99s
Doing sha256 for 3s on 256 size blocks: 574461 sha256's in 3.00s

why?

2. What do you do with those five types of VPN?  Does UTM inspect them?
Especially this "Remote Access (Sophos UTM <-> Client)": does this connection go through UTM to an OpenVPN server behind UTM?

3. OpenWrt for x86, I would never say that there are fewer packages or features for that architecture !!! Why is that? You just compile packages for another architecture; it should be the same as MIPS or ARM.

Regards,
Goran.

(Last edited by gsustek on 23 Oct 2016, 16:37)

You're confusing two separate VPN states... Sophos UTM fully supports being a VPN server, but cannot be configured as a VPN client unless it's connecting via RED to another UTM box.

VPN Server: UTM as the server with clients connecting to it <<< possible
VPN Client: UTM as a client, connecting to another VPN server <<< not possible

OpenWrt x86 does not have the same options/features and packages available to other architectures.  You'll need to check out menuconfig for x86 side by side with menuconfig for an ARM processor such as the WRT series... you'll notice many options and packages are missing from menuconfig for the x86 architecture.

(Last edited by JW0914 on 23 Oct 2016, 16:45)

Thanks, I overlooked your sentence: "It cannot be configured as a VPN client, except if connecting to another UTM HA/SA"

Do you know the reason why it is that way, regarding OpenWrt x86?

Not a clue.  nitroshift or sera would be great people to ask, or hop on the OpenWrt IRC channel and ask =]

(Last edited by JW0914 on 23 Oct 2016, 17:04)

@gsustek  Depending on what you wanted an x86 OpenWrt build for, it would probably be more convenient to simply utilize FreeBSD VMs for SAMBA, NFS, Transmission, and other media type services available to OpenWrt. 

FreeBSD is easily the best OS there is for servers, with loads of HowTos on the FreeBSD and FreeNAS forums.  FreeNAS can be run in a VM, however it does so with mixed results and is not recommended by FreeNAS devs, albeit I can't remember if FreeNAS 10 [likely to be released in the coming months] changes this.

(Last edited by JW0914 on 25 Oct 2016, 16:29)

I also use mjpg-streamer, mini-dlna, ftp, samba, motion.
So what do you use for NAS, ZFS?

JW0914 wrote:

Transparent web filtering will result in any device it's configured for being slowed to 30Mbps [LAN side] due to the fact all packets are decrypted, scanned, re-encrypted, then signed by Sophos' Proxy CA.

Does this feature need installation of special certs on the client devices (as I do not know of any other method of filtering https traffic; but still learning :-)

@gsustek All of those, or equivalencies, should be available on FreeBSD through the ports collection.  ZFS should always be used as it's a self-healing file system that eradicates corruption.


@augustus_meyer Nope, Sophos auto creates its own CAs.  I would recommend creating your own CA, using it to create and sign all the certs you'll need for Sophos, then uploading all to Sophos as PKCS12 certs.

I created a pre-built openssl.cnf specifically for Sophos which can be found on my GitHub.  All commands & info required start at line 546; however my OpenVPN wiki's Encryption section will walk you through it step by step.

All certs, except the WebAdmin, must be issued by a CA, not an ICA; the WebAdmin can be issued by an ICA for a FQDN.  Required certs are split into two categories, UTM OS certs and UTM User certs:

  • UTM OS Certs

    • IPsec VPN Server

    • Local x509 Self Cert

    • SSL VPN Server

    • WebAdmin

  • UTM User Certs

    • Admin [required]

    • User1

    • User2

    • ...and so on

  • Sophos will auto create a Client Authentication Certificate [IP of 1.2.3.4]

(Last edited by JW0914 on 23 Oct 2016, 21:28)
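As an added example, not from the thread and not JW0914's openssl.cnf on GitHub, this POSIX shell script does the workflow described above with plain openssl(1) and a small config written here: a private root CA issues the UTM OS certs (IPsec VPN, SSL VPN, WebAdmin) and the UTM User certs directly, with no intermediate CA, and bundles each key/cert pair as PKCS#12 for upload. The FQDN, user names and export password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: root CA + UTM OS/User certs + PKCS#12
# bundles with plain openssl(1). Names, FQDN and password are placeholders.
set -eu

UTM_FQDN="utm.example.lan"      # placeholder FQDN for the server certs
P12_PASS="changeit"             # placeholder export password, replace before use

# write_cnf DIR : minimal config with one extension section per cert role.
write_cnf() {
    cat > "$1/pki.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$UTM_FQDN
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue_cert DIR NAME CN SECTION : key + CSR, sign with the root CA, bundle as NAME.p12
issue_cert() {
    dir=$1 name=$2 cn=$3 section=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/pki.cnf" \
        -subj "/CN=$cn" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/pki.cnf" \
        -extensions "$section" -out "$dir/$name.crt" 2>/dev/null
    # PKCS#12 carries the private key, the cert and the CA chain in one file.
    openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
        -certfile "$dir/ca.crt" -name "$name" -passout "pass:$P12_PASS" \
        -out "$dir/$name.p12"
}

# make_utm_pki DIR : build the root CA and all certs under DIR; returns 0 on success.
make_utm_pki() {
    mkdir -p "$1" && write_cnf "$1"
    # Self-signed root CA (CA:TRUE, keyCertSign), valid 10 years.
    openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Home UTM Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # UTM OS certs: one per service, all issued for the UTM's FQDN.
    for svc in ipsec-vpn ssl-vpn webadmin; do
        issue_cert "$1" "$svc" "$UTM_FQDN" v3_server
    done
    # UTM User certs: admin is required, then one per VPN user.
    for user in admin user1 user2; do
        issue_cert "$1" "$user" "$user" v3_client
    done
}

# verify_cert DIR NAME : 0 if NAME.crt chains to the root CA in DIR.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# has_eku DIR NAME TEXT : 0 if the cert's Extended Key Usage contains TEXT.
has_eku() {
    openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null | grep -q "$3"
}

# p12_ok DIR NAME : 0 if NAME.p12 opens with the export password.
p12_ok() {
    openssl pkcs12 -in "$1/$2.p12" -passin "pass:$P12_PASS" -noout 2>/dev/null
}

# Usage: sh this-script.sh ./utm-pki
[ -z "${1:-}" ] || make_utm_pki "$1"
```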


JW0914 wrote:

@gsustek All of those, or equivalencies, should be available on FreeBSD through the ports collection.  ZFS should always be used as it's a self-healing file system that eradicates corruption.

I am a fan of LuCI, is it available on FreeBSD? ZFS is resource hungry, that's why it isn't suited for our routers.. (with 512MB of RAM)

(Last edited by gsustek on 23 Oct 2016, 20:57)

I should have better articulated a few things =]

ZFS should be utilized if running a (or multiple) FreeBSD VM in lieu of OpenWrt for services not offered via OpenWrt's x86 build.

As to LuCI, I don't have a clue... you should be able to find out through google or via FreeBSD's forum

(Last edited by JW0914 on 23 Oct 2016, 21:28)

gsustek wrote:

Thanks, I overlooked your sentence: "It cannot be configured as a VPN client, except if connecting to another UTM HA/SA"

Do you know the reason why it is that way, regarding OpenWrt x86?

It's a massive security risk to corporations.  Sophos UTM, even with a free home user license, is the exact same OS that is licensed to their corporate customers.  I assume Sophos' reasons for offering it free for home use only is they're able to get a larger overall user base that provides a larger arena for testing, combined with the more people that use it, the more secure their corporate customers are. Since a single license for a year is something in the $600 range, with yearly licensing easily breaking the $10k/yr mark for most businesses, it's a huge win for home users.

(Last edited by JW0914 on 23 Oct 2016, 22:05)

Thanks for the great info JW.  I have downloaded Sophos UTM and now tinkering with it on a vm.  Looks pretty cool.  Your idea does spark my interest because I very much prefer having dedicated devices for different services.  I'm thinking something like an Apple Mac Mini might already have the all the required hardware in one small footprint.

If anyone's interested, Newegg has the AsRock J1900D2Y on sale for today only for $130 with promo code 102624HR08

JW0914 wrote:

If one chooses to use the web filtering capabilities of Sophos for children, it's highly recommended to setup MAC exceptions for devices adults use.

The porn for me but not for thee idea. Also known as the irrational idea by parents that the child will not just work around your restrictions and not tell you.

toyotabedzrock wrote:
JW0914 wrote:

If one chooses to use the web filtering capabilities of Sophos for children, it's highly recommended to setup MAC exceptions for devices adults use.

The porn for me but not for thee idea. Also known as the irrational idea by parents that the child will not just work around your restrictions and not tell you.

It's not possible to bypass the web filtering of Sophos if it's configured correctly... it's difficult enough trying to gain access to regular content, which is why if one doesn't need web filtering, they should simply leave it disabled.  Web Filtering for an entire network and all devices on that network takes a few hours to fully configure and hours of troubleshooting when content is blocked that shouldn't be.  For example, here's a screenshot of the rules needed just to stream Netflix with Web Filtering enabled: https://1drv.ms/i/s!Aqp3KD9IuSlugscWQNxego4ywwkAGA

Sophos UTM isn't some obscure opensource OS... it's an investment in the 5+ figures for corporations and enterprises to protect their networks (that's just for SA licenses... HA purchases, and the required licenses for them, are far more expensive).

Most have never heard of Sophos because they only sell to businesses, however they were the 4th largest AntiVirus company in the world in 2011 (it's likely they're in the top 3 today after their acquisition of Astaro back in 2011), right behind Fortinet, SonicWall, and WatchGuard at that point in time.  Many retailers and banks utilize Sophos, especially for RED within their different branches and stores, allowing each remote Sophos SA/HA to have a secure tunnel back to HQ over which all data flows, thereby preventing any data from being exposed to the public internet.  It's more than just a VPN however, as no traffic from remote UTMs [branches, stores] is ever given access to the public internet.  Traffic would flow:

Remote network on RED (all traffic) >> HQ UTM Intranet [internal network] >> HQ UTM VLAN >> Public WAN

  • Regardless of whether a corporation is utilizing Sophos, SonicWall, or another UTM solution, this is one of the reasons why there's a lag on retailers' registers, such as Best Buy's, where the register acts as both a register and Intranet terminal.

(Last edited by JW0914 on 28 Oct 2016, 03:36)

The discussion might have continued from here.