Sophos UTM vs Untangle

UTM (Unified Threat Management) devices are becoming more and more popular as businesses and corporations have realized in the past couple of years that a simple traditional firewall of allows and denies is no longer adequate.  Hackers and attacks have become more sophisticated, and the attack surface has broadened with the ever-increasing “connected” state of most individuals these days with mobile and other devices.

I have long been a fan of Untangle as a UTM, and now under its branding as an NGFW (next-generation firewall), which in most senses is just a different way to brand a UTM.  However, with more companies offering really good free firewalls and UTMs, I have been on a hunt to compare Untangle with the others out there.  Recently I was turned on to the Sophos UTM appliance, which is a free download from Sophos for home use.  The home use license includes almost all of the full-blown functionality, with a limit of 50 IP addresses, as well as Sophos Endpoint Protection for up to 10 computers.

I have to say I wasn’t expecting a whole lot as far as being close to Untangle’s free offering, but I was really blown away at the functionality of the Sophos UTM appliance and have since swapped out my Untangle box in favor of the Sophos UTM appliance in my home network.  Let me detail a few of the comparisons and my thoughts between the two firewalls/UTMs.

Installation

Both Untangle and Sophos have pretty rock-solid installers; both are 64-bit capable and both run well inside a VM environment.  The install time for both appliances on my older VMware environment seemed to be on par with one another.  Untangle’s install environment, much like its GUI, looks more polished, while the Sophos installer looks like the “blue background” Linux installers that we are used to seeing for the most part.

The ISOs for the latest versions of both UTMs are very similar in size with the Sophos ISO for 9.304 being around 100MB larger than the Untangle 11 ISO.

Management

To start with the management differences and similarities between the two: Untangle can be managed from the actual console of your physical or virtual appliance, while Sophos requires another machine that can connect to the WebUI management interface.  This isn’t really that big of a difference, since I imagine most admins are managing their UTM devices remotely from a management workstation anyway, but it is worth mentioning, as sometimes it is handy to be able to just open the KVM console and connect to your machine to perform a task if need be.

Overview comparing the systems

Both Untangle and Sophos are what I would call polished interfaces.  However, Untangle definitely stands above on the look of the interface with the rack system design and clearly defined buttons on the rack modules which can activate and deactivate functionality.  The Sophos interface feels more like a webpage that is driven from a menu system.

I would say that both systems have functionality buried in non-intuitive locations.  However, one of the strengths of the Sophos interface is the Search feature located at the top left of the interface.  If you don’t know where the menu you are looking for is located, you can type a keyword in the search box and it will pull up the menu for you!  That is a brilliant design IMO.  However, one flaw is that it doesn’t find everything.  It won’t find words or smaller menus that sit on a sub tab of a menu, for instance.  From my testing, it will only search and filter for the major keywords on the left-hand menu.  I will keep playing with this, however, and see if there is a way to broaden this feature.

Also, just my initial feel between the two systems, the Sophos UTM just feels like a more secure enterprise system out of the box compared to Untangle.  Untangle really doesn’t block much of anything out of the box, whereas the Sophos UTM basically blocks everything out of the box with the few exceptions that you allow on the initial install wizard.

With that being said, getting things working after an initial install of Sophos is much harder than Untangle.  For the most part, you can just stand up an Untangle box and network traffic continues to flow as long as network values are set correctly.  However, with Sophos, due to the nature of how it blocks everything out of the box, you may find yourself spending quite a bit of time poking holes in the firewall rules or adding other exceptions to allow certain traffic through.

Also, in my opinion from comparing the two and how they work, changes made to network settings or other rules in Sophos are much quicker to apply than in Untangle.  With Untangle, I have had issues in general since version 10 with making changes to any network settings and applying those changes.  It can take several seconds for changes to commit, and I have had traffic interrupted in the process.

With Sophos, I have not had these issues.  Also in their free versions, you get more with the Sophos UTM than Untangle.  Most of the really good stuff with Untangle is in the pay modules.  That is not the case with Sophos as basically there are no limitations in the key functionality besides the IP address limitation and some branding limitations.

The threat protection you get with the free Sophos UTM is much better than Untangle.  Not only will the Sophos system do dual scan virus scans with either the Sophos or Avira antivirus platforms, but included with the free home license, you get full Sophos Endpoint protection for up to 10 computers.  So essentially you are getting enterprise class virus scan software for your Windows computers for free with this UTM.

Also, I see further features in Sophos that you don’t get with Untangle, such as a built-in web application firewall if you are running one or more webservers.  This WAF filters threats such as protocol violations, protocol anomalies, request limits, HTTP policy, bad robots, generic attacks, SQL injection attacks, XSS attacks, tight security, trojans, and outbound threats.  The Sophos WAF sits in front of your real webserver as a proxy for its traffic.

In the remote access field, there are hands down way more avenues for remote connectivity with the Sophos UTM than with Untangle.  With free Untangle you get OpenVPN and that is it.  The IPsec VPN unfortunately is a paid feature.  With Sophos you get Remote Access – SSL, PPTP, L2TP over IPsec, IPsec, HTML5 VPN Portal, and Cisco VPN client.  Also, you can download a full-featured VPN client from Sophos to load on your Windows client to connect to the UTM.

From my testing, the logging and reporting found in the box with Sophos is better than Untangle’s.  I really like that for most of the filters in Sophos you have a “Live” log view that you can open to watch traffic live, as opposed to a refresh interval with Untangle.  Also, Untangle’s logs aren’t as intuitive as they are in Sophos.  A killer feature in Sophos is the built-in notifications, where you can have your Sophos UTM email you when you have a failed web login, SSH login, system reboot, service restart, IPS alert, advanced threat management alert, firewall block, etc., and the list goes on.  I love notifications, and the more information that can be gathered and proactively generated from the system the better.

Sophos has also made country blocking an easy thing to do.  With Untangle there is no feature that fills this need.  I have looked on the Untangle forums, and the answer I see given many times is that it is a bad idea to block certain countries.  However, the problem with that type of response is that some companies have compliance mandates requiring certain policies, which may include blocking certain countries, so it is a nice feature to have in the box when you need it.  Sophos has made this extremely easy with a very intuitive interface for blocking certain countries or whole geographic regions.

Final Pros and Cons

Untangle:

UPDATE 2/29/2016 – Untangle now offers a home use license for $5/mo or $50/yr which gives you the Untangle NG Firewall complete package with all the modules available with no limitations.  This may be a game changer for some, as Sophos currently has no affordable home solution that removes the 50 IP address limitation.  I will follow with a post on Untangle 12 in the near future.

Pros:

  • Easy to install, easy to use, nice streamlined interface
  • VM friendly
  • Can be controlled from the console
  • 64 bit capable
  • Offers free tools and capabilities
  • Just works out of the box without much tweaking

Cons:

  • Doesn’t block much out of the box
  • Watered down features in the pay version
  • No notifications built in, reporting is so-so
  • Remote connectivity is limited in free version
  • No built in Web Application Firewall or country blocking

Sophos:

Pros:

  • Easy to install, easy to use, interface is menu and web driven
  • GUI has a search feature which is very nice
  • 64 bit capable
  • VM friendly
  • The free tools and capabilities are very powerful and are actually most of everything you get in the pay version
  • Free endpoint protection with virus scan for 10 computers
  • Awesome remote access tools
  • Very powerful firewall

Cons:

  • Steeper learning curve
  • Things on your network won’t just work after you plug in the Sophos UTM
  • 50 IP limit in the free version
  • No console management

The winner is?

The verdict for the winner of a home UTM device for features, power, and capabilities from my recent review of both products is Sophos by a slight margin.  As always it depends on your use case and features/functionality you need for a particular environment.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

28 Comments

  1. I am currently using the Untangle UTM for my home network. I will give the Sophos UTM a try. Will I need to join forums to figure out how to configure “port forwarding”?

    1. Mario, thanks for the comment….I have used Untangle UTM extensively for home use as well as in the enterprise. It is a good product. However, I feel like Sophos offers more granular and better tools for my tastes especially in the free version. Port forwarding is a little less intuitive in Sophos, however, it isn’t that bad. I will write up a post soon explaining how to set this up.

      1. Had issues with the Sophos UTM install from a CD and USB drive. Finally got it installed, not able to access the Internet or get the port forwarding to work. The Untangle UTM was much easier.

          1. Mario,

            Take a look at the post here we just posted a couple of days ago: http://www.virtualizationhowto.com/2015/02/configure-port-forwarding-sophos-utm/ …..also, on your Internet browsing issue – I figure you may have already covered the bases, however, Sophos by default doesn’t setup a DHCP server out of the box. Have you setup DHCP and your clients are grabbing an IP that can “talk” to the Sophos box? Take a look at Network Services >> DHCP. Also, out of the box, there are default rules that should take care of Internet traffic. Take a look on the left hand side – Network Protection >> firewall and make sure you have rules most likely at the top for DNS as well as “web surfing” which should let any host in your Internal network access hosts on the outside for port 53 and 80/443 traffic. Let me know what you find.

  2. hi!

    what about the limit?
    is the limit for external ip’s or internal ip’s?
    what if you make a torrent-session with many ip’s?
    … would be interesting

    1. Christoph,

      The limit is on internal ip addresses that are connected to the LAN interface, not how many external ips you are connected to. IPs from outside are unlimited, only limit is the devices on the inside (ip addresses). Hope this helps!

  3. Since there aren’t a lot of reviews on these products and since this was on my first hit of Googling, I figured I’d provide some insight as someone who’s recently used both products first quarter 2016.

    If you’re not looking for scheduled access by groups or reporting and want the best in everyone-blocking and protecting your network from malicious files, the Sophos unit is the better unit. Unfortunately their interface for configuring profile, policy, and scheduling is absolute garbage and not at all ‘advanced’; The words I’d use are ‘unintuitive’, ‘horrible design’, ‘inefficient’, etc. You can’t even block overall internet access per user, you can only block by network. Basically if you want to block malicious content, p2p file sharing, and VPNs without a concern for granularly configuring access per groups and users, this is a great product for filtering but if you want to block based on user groups and time of day rules, this product is the worst.

    Untangle has the superior product when it comes to efficiently configuring scheduling & user access with a moderately intuitive interface. For reporting, the Untangle IC control product blows Sophos’ out of the water with so much data, the downside is they broke the functionality some time in 2015 so it doesn’t always give you the data you want. With the Untangle NG product, it’s tough to say who’s better for reporting but I still find Untangle to have the more intuitively efficient product. The downside is their SSL filtering breaks the functionality of the majority of platforms and complex web sites that aren’t just HTTP. If you want to filter HTTPS sites, prepare for headaches and a long list of exceptions.

    Support for both isn’t very good for the thousands you have to pay them. With Untangle you have to wait for a return phone call at undetermined times which can sometimes arrive at inconvenient periods; on the plus they’re domestic but unfortunately very arrogant, provide the wrong information, and sometimes won’t listen to you before they talk over you. With Sophos you have to wait on hold for at least an hour and deal with someone with a foreign accent that doesn’t seem to know the product very well.

    Sophos sadly scrapped what was once a great web site where plenty of experts helped out other experts or new users that were struggling, now all the Googling leads to dead links. This site was far better than their support personnel and probably cost them a whole lot less. They replaced it with a foul tablet style design that no Sophos expert wants to touch. Untangle on the other hand has a pretty good forum with some helpful folks, they fortunately have some folks over there that care for their community.

    Quite frankly both products aren’t worth the money they charge but the landscape of products that offer what these two offer is limited so you don’t have a lot of choice.

    So in summary if you want to protect an entire site without granularly adjusting user rights or schedules, the Sophos UTM based products will keep you safe. If you want advanced reporting and an intuitive way to configure active directory user rights based on scheduling, the Untangle IC product is great and the Untangle NG product is pretty good, both cheaper than Sophos.

  4. Would this be a good fit/work for a small NGO 15-20-25 seater? They cannot afford an expensive solution and most likely if this cannot work then we’ll have to put in some open source stuff for them; pfSense or similar.

    1. XM, there is a 50 IP limit using the “home” free version and technically it would be outside of the scope of the home version license. With a 25 seat office, even the 50 IPs can be a bit restrictive due to other devices, peripherals taking IPs etc. However, out of the box Sophos is one of the most powerful UTM appliances I have worked with – very worthy of protecting an office environment. With Untangle, the free license has no IP restrictions, but some of the more powerful filtering comes with the pay modules so it is a toss up either way for the free versions of both products with the other pros and cons I mention in the post.

      1. I think 50 IPs will be more than enough for now. But, I guess it will make sense to have a small piece of dedicated hardware i.e. Mini ITX box to run stuff like that; Sophos, PFsense, Untangle etc.

  5. Have you tried Untangle recently? They have a new version out (12) that has much better reporting and a dashboard. They also have a home use license for $5/mo or $50/yr that gives you all the paid features.

    1. AA,

      Thank you for your comment and updated information. I have not as of yet tried version 12 and the release of a home use license is certainly a welcome addition. I will add this information to the post accordingly to help users make a decision.

  6. Installing Untangle in an ESXi VM was impossible, from my experience. I simply could not get the network connections configured. Checking with Untangle forum support did not help.

    Hopefully Sophos works a bit better. I’ll have to check it out.

      1. Brandon,

        What’s the VM requirement for Sophos on a home network?

        Does it include free Managed AV? I’d love to play around with this.

      2. I was able to get Sophos installed (there is no VMware appliance). However, Sophos wants to run as the main firewall. However, do you know how to run it in Bridge Mode like Untangle (behind the router)? Followed a couple of Sophos instructions for Bridge mode support but they wanted free Ethernet NICs above and beyond the 2 used for installation.

        Untangle gives you the option of Bridge/Transparent or Gateway Mode during the installation using the original two network interfaces. Any ideas?

          1. Reason, thanks for the update and link. Looks to be a great resource for anyone wanting to setup in bridge mode. Keep everyone posted on your impressions.

    1. I recently configured Untangle with VMware ESXi 5.5, with external static and internal private network. It’s pretty straightforward.

  7. Has anyone tested to see what happens when you hit the 50 IP limit? I think this limitation for the home license isn’t strictly enforced. I think it’s a theoretical/licensing limitation set for their sales and support team.

  8. Would be great if you can do a refresh of the article with Untangle’s new home edition (USD 50/year) and the new dashboard/reporting capabilities. As an average joe kinda home user I find it difficult to get meaningful reports from Sophos, as it needs another solution, FastVue reporter, to make real world sense out of the technical stats captured. Untangle, however, seems to provide much clearer reporting, all from within the same box.
    Thanks.

    1. AlterEgo,

      Look for this type of followup post soon in the future. The offering from Untangle for home users as well as the new 12.1 release does warrant a re-review of this comparison. Untangle has a very solid offering. These are two really good products that I personally like and use. Look for an updated post soon in the future.

  9. I just installed Untangle today. Seems fine, but paying for “Apps” like squid caching etc. is just hilarious. Before Untangle I was using pfSense.

    Back to roots, which is Sophos.

    1. Betro, not sure of your environment that you are using Untangle, but they are now offering for home users a $5/mo subscription for all the apps. While not free, this is a great price for the complete NG firewall package.

  10. I totally agree on the Sophos points. In a business environment that is not so dynamic, I would suggest and stand by Sophos and its implicit deny rules out of the box, but in a home network this type of policy can be a big pain in the butt. Think: if you want to use a program that uses a port that you haven’t set up a rule for, you have to go on a hunt to find out what’s the issue.

    I think for a home network with many dynamic things Untangle is better than Sophos, but in the business a permit-all mentality is a no-no.
