Question Operating system for Sophos XG 115w

dreamerman

Hoping to get some suggestions from members.

I bought a used Sophos XG 115w rev 3 very, very cheaply on Facebook Marketplace. It has 8GB DDR3L memory, a 64GB M.2 2242 SSD and an Intel Atom E3940 (could be quad core, not sure). I would have used the Sophos free home firewall OS on this unit if the free version supported the built-in wireless. Only the paid license supports it.

I was wondering if there are other free open source firewall operating systems that can run on this unit and support the built-in wireless. It must have a GUI as I am hopeless with CMD.

Thanks.
 
There is a very good reason you can buy very old commercial hardware for almost free on the used market.
That product has been declared end of life, which means they no longer provide any kind of support. Almost no company that uses devices like this for their actual business needs will use these, and they basically sell them for e-waste. Firewalls in particular need regular software updates since they protect servers against new attacks.

Like many of these types of product, it also appears the software license does not transfer if it did not come with a paid version already loaded.

The CPU itself supports various Linux distributions, and likely with some effort you could get something to work. This though is not a GUI thing. You likely would actually have to build your own custom image with the proper driver loaded. Not all that hard, but not a beginner Linux thing either. The company though might be jerks and have the hardware rigged to prevent running anything other than their firmware on it.

So the simple question first: why don't you just use any other old router as a wifi AP for wireless? This should solve your direct question of how to get wifi. Problem is, there are many other firewall features not supported in the home version.

Which brings up the much harder question of why you want a firewall in the first place. What exact features do you plan to use, and are those features in the free home version?

In general a home user has no need of any kind of actual firewall. Firewalls are mostly used to protect a server that you have exposed to the internet. Almost nobody runs a server from their house anymore when you can get cloud based servers that also have firewall protection.

The simple NAT function in the cheapest router you can find is as good as the best firewall. Because it is stupid, it will drop any unknown traffic that comes from machines on the internet. So any attack traffic can never even get sent to any of your internal machines.

Many other functions such as content filters no longer really work on any firewall because all traffic is encrypted. That's why I laugh when home routers talk about limiting children's access with parental controls. At best they can see IP addresses, which mean nothing now that everything is cloud based. And of course all 12-year-olds know all about free proxy and VPN sites.
 
I can't find a solution to this. At first I thought maybe the free home version would work but then, like you already said, it doesn't support the built-in wireless.
 
The simple NAT function in the cheapest router you can find is as good as the best firewall.
Well, the BEST (or even just good) firewall can do better even with encrypted traffic, because they have functionality to inspect HTTPS traffic. And even some parental protections and other features are better than only NAT, which just protects from incoming connection attempts.
 
Well, the BEST (or even just good) firewall can do better even with encrypted traffic, because they have functionality to inspect HTTPS traffic. And even some parental protections and other features are better than only NAT, which just protects from incoming connection attempts.
That would be crazy if there was any ability to inspect HTTPS traffic. That would mean someone could sit anywhere in the path between you and the server and place some "firewall" and be able to intercept your data. HTTPS is fundamentally designed to prevent this.
 
That would be crazy if there was any ability to inspect HTTPS traffic. That would mean someone could sit anywhere in the path between you and the server and place some "firewall" and be able to intercept your data. HTTPS is fundamentally designed to prevent this.
That's exactly what mid- and high-end firewalls do (usually requiring a subscription for the feature). They perform man-in-the-middle attacks, basically. The firewall is basically proxying the connection anytime it sees that there is an SSL/TLS setup. They re-encrypt the data after inspection and replace the SSL certificate with their own in some cases. Anti-malware software does the same when you enable HTTPS inspection. This is also how data loss prevention features work with encrypted traffic, preventing stuff from going OUT, as well as features that monitor traffic patterns or perform heuristics to watch for suspicious data that looks like connections to control servers and the like, beyond just known IPs. There is an obvious need for PHYSICAL security on your network to prevent someone installing a piece of hardware that would do this, as well as overall network security to prevent someone taking over routing to cause traffic to pass through a compromised host that might have malware performing this function. Anywhere in the networks between yours and the remote hosts is more difficult to compromise this way, though, so for example a backbone provider between your ISP and the other ISP can't decrypt and re-encrypt the traffic. This is the cert that I receive in the browser with NOD32:

Common Name (CN): forums.tomshardware.com
Organization (O): <Not Part Of Certificate>
Organizational Unit (OU): <Not Part Of Certificate>

Issued By
Common Name (CN): ESET SSL Filter CA
Organization (O): ESET, spol. s r. o.
Organizational Unit (OU): <Not Part Of Certificate>

Validity Period
Issued On: Saturday, November 23, 2024 at 10:42:31 PM
Expires On: Friday, February 21, 2025 at 10:42:30 PM

SHA-256 Fingerprints
Certificate: bc4dac6b84e3e2968ed7d30bf4e167129d42141d684ef416fa5redacted
Public Key: 37b83fe40e6bc132bbb03f505d57bbafbd04e3fcf64355778aredacted

Even lower-end "business class" firewalls that only cost a few hundred dollars often have this capability, and have their own certificate authority built in that can generate the replacement certs, although it costs a good bit in subscription fees to enable the feature, and a low-end firewall takes a big throughput performance hit to do all that extra work. Anti-malware on your PC doesn't cause a noticeable hit with it unless you're on a system that is already very underpowered and overloaded.
 
That method really only works if you can make changes to the browser so it does not flag the firewall's fake certificates as fakes. Obviously you can do that if you have control of the end clients like a business does. HTTPS is designed so that a government cannot just insert some kind of firewall in the path. The CIA got caught (ratted out by Snowden) intercepting normal HTTP traffic. Part of the reason HTTPS was so quickly adopted. It is still secure enough that China cannot break HTTPS with the massive country firewall.

There is a new issue with doing this in a corporate environment. You can technically do it, but the lawyers are basically saying the risk is too high. The company can now collect, say, bank information, and if they do not secure it well enough the company now becomes liable. They can try to say you have no right to use company equipment for personal use, but the courts do not really agree in all cases.

But this is almost a stupid discussion. Why would someone do this in their house? They can just load filter/firewall software on the end client that can see the data before any encryption takes place.
 
Plenty of people have installed pfSense onto XG v2 as it's just an old PC, with a regular old BIOS that supports USB keyboards and USB boot:

Given even the older SG could boot other OSes like this too, it's doubtful they would've changed just the v3. After installing an OS (which could even be Windows!), you can try to hunt down drivers for the wireless radios.

pfSense or OPNsense may have kind of a steep learning curve if you aren't experienced in networking and FreeBSD, but there's now a tomato64 project that is more limited but would be as simple to use as a consumer router. All have a GUI.
 
That method really only works if you can make changes to the browser so it does not flag the firewalls fake certificates as fakes.
The certificates like the ones NOD32 creates look perfectly valid to the browser because it adds itself as a valid certificate authority on the system when you enable it. When it's done as part of a firewall, yes, you need to manually add the authority to the PCs or have it automatically done as part of a company-managed system/domain. That's why any intervening networks or even your own ISP can't do it. I was just pointing out that it's POSSIBLE, not whether it's reasonable in every situation.
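The trust-store point the last two replies circle around (the proxy's certificate only passes because its signing CA was installed on the client; without that root the browser rejects it) can be shown in a few lines of Go. This is an added example, not code from the thread or from any vendor product: it mints a constructed "SSL Filter CA" root plus a leaf for forums.tomshardware.com with the standard library, then verifies the leaf against a client store that does and does not contain that root. The CA name and one-hour validity are made up for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent/parentKey; with parent == nil the result is self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// InterceptChain builds a constructed "SSL Filter CA" root and the leaf it mints for host, as an inspecting proxy would.
func InterceptChain(host string) (ca, leaf *x509.Certificate) {
	ca, caKey := sign(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject:   pkix.Name{CommonName: "Example SSL Filter CA (constructed)"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}, nil, nil)
	leaf, _ = sign(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		Subject:     pkix.Name{CommonName: host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore:   time.Now(), NotAfter: time.Now().Add(time.Hour)}, ca, caKey)
	return ca, leaf
}

// Trusted verifies leaf for host against exactly roots (non-nil empty pool = trust nothing; nil = system store).
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, leaf := InterceptChain("forums.tomshardware.com")
	installed := x509.NewCertPool() // the client's store after the filtering root was added
	installed.AddCert(ca)
	println("root installed:", Trusted(leaf, installed, leaf.DNSNames[0]), "root absent:", Trusted(leaf, x509.NewCertPool(), leaf.DNSNames[0]))
}
```

The same check is what a browser performs against the OS or browser trust store, which is why an ISP or backbone provider that cannot install a root on your machine cannot do this, while an AV product or a domain-managed firewall can.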