Sophos UTM Home / Software Licensed IP Count Explained

For some users of the Sophos UTM running up to V9.3x at home under the very generous “home license”, the number of IPs used against the allotted 50 is a constant concern. Some people have a hobby of collecting baseball cards, some fly model airplanes, and some build an IT lab at home on VMware ESX and host the Sophos UTM with the home license. Add a family in which each member has 2 to 4 devices, plus IoT, and 50 licensed IP addresses do not last long. For this subset of UTM users, the questions are “how long does an IP stay in the Active IP Addresses list?” and “what has to happen for an IP address to get noticed (read: added to the Active IP list)?”. I recently set up a few scenarios in my lab to answer them.

How Does An IP Get Noticed?

From my testing, any time an IP address is processed on an interface of the UTM, the source/destination pair is logged in the accounting table. The UTM uses a PostgreSQL database for its packet accounting. From the query seen while debugging, the active list is built from all IPs that fall within the address ranges defined by the objects on Interfaces & Routing -> Interfaces, and only packets with one of those IPs as source or destination within the last 7 days (from the time of the query) are included. The IP addresses of the UTM's own interfaces and of Sophos access points are then subtracted from the list.

I ran some tests where I set up a network and let the UTM handle DHCP. I defined the scope without a gateway or DNS server setting, so the devices received only an IP address and subnet mask. These devices were also included in the list of Active IP Addresses.

How Long Does An IP Stay Active?

As mentioned earlier, the packet-level accounting is kept in a database. Based on the SQL query seen under the hood of the UTM, the query specifies a 7-day look-back.

We Have A Guest Wifi Network – Any Tips On Lowering The IP Count?

If you have a guest wifi network with a large number of transient, short-lived users, the IP count can grow quickly. Imagine a house of worship or other venue where the number of users has a sharp but short-lived peak. Apart from NATing that traffic behind another firewall, there is nothing you can do to limit the number of IPs added to the active list, but you can lessen the impact by making the DHCP lease time as short as the expected duration of that group's visit. Let's look at an example.

Suppose a house of worship holds two Sunday morning services and a Sunday night service, and the lease is set to 24 hours (the default). Should they have 50 users at the first service, 75 at the second, and 35 at the evening service, 110 IP addresses would end up in the Active list. Now suppose the DHCP scope lease is set to 60 minutes. We would expect the Active list to top out at 75 users.

The DHCP lease time should not be made too short, either: if every user has to renew an IP too frequently, a lot of needless overhead is created.

IoT, Printers, Cameras

How, then, does one prevent the IP addresses used by IoT devices, IP-based cameras, and printers from burning one of the active IP address slots? It is not hard, but let's restate the question for clarity: how do you prevent ANY device that does not need to be on the internet from taking one of the Active IP address slots? Try one of the following:

  • Manually configure the IP settings on the device and do not include a “gateway of last resort”.
  • Use a DHCP server other than the UTM for your network, and configure the scope for these devices not to set a router (default gateway).


Keeping the DHCP lease time short enough to prevent the build-up of IP addresses in the Active list is one way to reduce the number of licensed IPs consumed on a home or software appliance installation, yet too short a lease wastes resources and could inconvenience the user. Devices that do not need internet access can be configured so that they have absolutely no interaction with the UTM. The bottom line is that it only takes one packet from a device to get it listed in the accounting database, and it is that database the UTM checks when building the Active IP list.
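The 7-day look-back, the one-packet rule and the effect of the DHCP lease length described above can be run as a small simulation. This is an added example, not Sophos code and not the query from the UTM: it models the accounting table as a list of (source, destination, timestamp) rows, and a DHCP pool that hands out the lowest free address and recycles expired leases. The 192.168.50.0/24 range, the gateway address, the service times and the attendance figures are constructed values, so the counts it prints illustrate the mechanism rather than the numbers in the post.

```python
"""Simulation of how the DHCP lease length drives the Active IP count.

Added example, not Sophos code. It models two things the post describes:
  * the UTM's packet-accounting table: every packet logs a (src, dst, time)
    row, and the active list is every address inside a local interface range
    seen as source or destination in the last 7 days, minus the UTM's own
    interface IPs;
  * a DHCP pool that hands out the lowest free address and reuses addresses
    whose lease has expired.
The address range, gateway, timings and attendance figures are constructed.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address

DAY = 24 * 3600
NET, GW = "192.168.50.0/24", "192.168.50.1"   # constructed LAN and UTM interface IP


def active_ips(rows, local_nets, utm_ips, now, window=7 * DAY):
    """Return the set of address strings the UTM would list as active at `now`.

    rows: iterable of (src, dst, timestamp) accounting entries.
    local_nets: CIDR strings of the interface objects; utm_ips: the UTM's own IPs.
    """
    nets = [IPv4Network(n) for n in local_nets]
    excluded = {ip_address(a) for a in utm_ips}
    active = set()
    for src, dst, ts in rows:
        if now - ts > window:            # older than the 7-day look-back
            continue
        for addr in (ip_address(src), ip_address(dst)):
            if addr in excluded:         # the UTM's interface IPs never count
                continue
            if any(addr in net for net in nets):
                active.add(str(addr))
    return active


class DhcpPool:
    """Minimal DHCP allocator: lowest free address, reuse after lease expiry."""

    def __init__(self, network, lease_seconds, gateway):
        gw = IPv4Address(gateway)
        self.lease = lease_seconds
        self.free = [a for a in IPv4Network(network).hosts() if a != gw]  # ascending
        self.leases = {}                 # address -> (client_id, expiry)

    def _expire(self, now):
        for addr, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[addr]
                self.free.append(addr)
        self.free.sort()

    def allocate(self, client_id, now):
        self._expire(now)
        for addr, (cid, _) in self.leases.items():
            if cid == client_id:         # returning client just renews its lease
                self.leases[addr] = (cid, now + self.lease)
                return addr
        addr = self.free.pop(0)
        self.leases[addr] = (client_id, now + self.lease)
        return addr


# Constructed schedule: three gatherings in one day, each attended by distinct
# devices that leave afterwards (start time in seconds since midnight, attendees).
SERVICES = ((9 * 3600, 40), (11 * 3600, 60), (18 * 3600, 30))


def simulate_day(lease_seconds, services=SERVICES):
    """How many addresses sit in the Active list after the last gathering."""
    pool = DhcpPool(NET, lease_seconds, GW)
    rows, device = [], 0
    for start, attendees in services:
        for _ in range(attendees):
            device += 1
            addr = pool.allocate(f"device-{device}", start)
            rows.append((str(addr), GW, start))   # one packet to the UTM is enough
    return len(active_ips(rows, [NET], [GW], now=23 * 3600))


if __name__ == "__main__":
    print("24h lease  :", simulate_day(DAY))    # every device keeps a distinct IP
    print("60min lease:", simulate_day(3600))   # addresses recycled between gatherings
```

With the constructed figures the 24-hour lease leaves 130 addresses in the list (40 + 60 + 30, none recycled), while the 60-minute lease tops out at the largest single gathering, 60, because each gathering's leases have expired before the next one starts.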


Sophos RED – Some Thoughts

I have supported clients who use the Sophos RED (Remote Ethernet Device) to securely connect a remote office back to their HQ. The product does everything its description says, and I've had few issues with the service, most of which were resolved as the feature set evolved. In a nutshell, the RED service sets up an SSL VPN between the remote site and HQ. What I like most about the RED service is that the RED device simply has no admin interface the IT team needs to interact with at the remote site; it is configured via the UTM at HQ. This cuts down on support costs and on misconfigurations that might otherwise require a visit from the IT team, and should a RED device fail, a replacement can be shipped to the remote office and installed by just about anyone, with no configuration required at the remote site.

A Problem: Compliance Audit Scans

I’ve been hearing from my clients that the Sophos RED service on the HQ UTM appliance is being flagged more frequently during PCI compliance audit scans for exposing a port (3400/tcp) to the internet using a self-signed certificate. I know that some of these audits are nothing more than an automated script running and flagging “issues” without taking into account the use case or whether the issue is even a real issue. The consequence of failing such an audit is a real concern for the client, as it can impact their ability to do business.

Self-Signed vs. CA-Signed

As I understand certificates and how they work, the fact that the RED service uses a self-signed certificate is not a problem. Why? Think back to why we use a certificate signed by a public certificate authority (CA). When you are browsing a website over SSL/TLS, you (the viewer of the content) need to know that the certificate you are presented with belongs to the site you are visiting. This is done via a public CA, and since there has to be more than one CA in the world, your browser trusts many of them. The role of the public CA is to tie, in a trustworthy way, the entity's identity to the certificate. It is a “trust many” CA model. Your indication of that trust is the “green lock” in your web browser.

When visiting a website with a self-signed certificate, on the other hand, the web browser does not show the “little green lock” because the certificate was not signed by a public Certificate Authority that your browser trusts. While this matters a great deal to someone connecting to their bank or other websites, it doesn’t matter at all to the RED service, because of what a signed certificate does not do. A publicly signed certificate does NOT make the certificate any more secure (read: it does not make the crypto better); it simply vouches for the identity of the entity offering the certificate.

RED and Compliance Audit Scans

A publicly signed certificate would actually weaken the RED service, because the RED service uses a “trust one CA” model. If the RED service used public CAs, then many CAs could mint certificates that the RED would trust, and trusting more CAs weakens the overall security of the RED service. A reasonable PCI compliance auditor would listen to this explanation and agree to note the exception. If you know of one who would entertain an explanation and note an exception in the audit, you should hang on to that auditor, because what you have really found is a unicorn, and we all know those don’t exist!

Since a one-CA model is better than a “many CA” model for the RED service, let's move on to the entire point of this post: it is time for the RED service to be updated to include the standard access controls one would want anywhere a service is exposed to the world. Sophos should allow the RED service to be configured with more granularity, just as Sophos allows for the User Portal or WebAdmin. Because those controls are not present, my clients who use these devices have spent time, and hence money, convincing compliance auditors that the “strange port”, 3400/TCP, found on the UTM isn’t some back door to the company crown jewels.

Suggestion for Sophos

The root of the compliance auditor issue is my only complaint with the RED service: all of the “security eggs” are in the “the code is correct” basket, and this is what I hope can be changed. It would take only one vulnerability in the RED code or a dependent library (remember POODLE, Heartbleed, GHOST?) exploitable from any IP, and there are no other controls to prevent or lessen a compromise, other than the RED service OFF switch. With that in mind, here is my RED wish list:

  • Enable the RED service on the UTM to be optionally configured to accept incoming connection requests only from specific IPs, just as one can for the User Portal or WebAdmin. I’d settle for a simple ACL in the UTM as a first step, but Sophos could automate it via the provisioning services.
  • Allow the port the RED listener service on the UTM uses to be changed arbitrarily.
  • Allow the UTM to be configured to listen for incoming RED connections on arbitrary IPs hosted on the UTM, instead of ALL WAN interface IPs.

Again, let's be clear: this is not a criticism of the RED appliance and service; in fact, I’m quite a fan of the entire idea of the RED service. This post is to point out that more can be done to strengthen the foundation of the service by adding the access controls I would use on every RED I come into contact with.
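To make the first and third wish-list items concrete, here is the control in plain Python: a listener bound to one chosen local address and port that closes any connection whose peer is outside a configured set of networks before any protocol exchange happens. This is an added example, not Sophos code and not a UTM feature; the bind address, port, allow-list entries and the “service ready” banner are constructed placeholders for whatever the real service would say.

```python
"""Source-address allow-list in front of a TCP listener.

Added example, not Sophos code or a UTM feature. It shows the kind of control
the wish list asks for: bind the listener to one chosen local address and port,
and drop any peer that is not inside a configured set of networks before the
service logic ever runs. Bind address, port and allowed networks are constructed.
"""
import asyncio
import ipaddress
import logging

log = logging.getLogger("listener-acl")


def parse_allowlist(entries):
    """Turn '203.0.113.0/24' or '198.51.100.7' strings into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def connection_allowed(peer_ip, allowed_nets):
    """True if peer_ip lies inside any allowed network; unparsable input is refused."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(peer in net for net in allowed_nets)


async def start_listener(bind_ip, port, allowed_nets):
    """Start a TCP server on bind_ip:port that only talks to allow-listed peers."""

    async def handle(reader, writer):
        peer_ip = writer.get_extra_info("peername")[0]
        if not connection_allowed(peer_ip, allowed_nets):
            log.warning("refused %s: not in allow-list", peer_ip)
            writer.close()                  # drop before any protocol exchange
            await writer.wait_closed()
            return
        log.info("accepted %s", peer_ip)
        writer.write(b"service ready\n")    # placeholder for the real protocol
        await writer.drain()
        writer.close()
        await writer.wait_closed()

    return await asyncio.start_server(handle, host=bind_ip, port=port)


async def loopback_probe(allowed_entries):
    """Start the listener on 127.0.0.1, connect once, and return what the peer saw."""
    server = await start_listener("127.0.0.1", 0, parse_allowlist(allowed_entries))
    port = server.sockets[0].getsockname()[1]   # port 0 asked the OS for a free port
    try:
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        data = await reader.read(64)            # b"" means the listener closed on us
        writer.close()
        await writer.wait_closed()
    finally:
        server.close()
        await server.wait_closed()
    return data


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(asyncio.run(loopback_probe(["127.0.0.0/8"])))     # b'service ready\n'
    print(asyncio.run(loopback_probe(["203.0.113.0/24"])))  # b''
```

The refused branch never writes a byte, so a scanner outside the allow-list sees a connection that closes immediately rather than a certificate to complain about; that is the same effect the User Portal and WebAdmin “allowed networks” settings give those services today.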

New Phones For a Doctor’s Office

We were recently approached by a local physician’s practice concerning the cost of their phone service. They were using a key system that had no more room to grow, and they were in the process of adding staff.

After a short meeting to determine their requirements, we found that their key requirement was the ability to push calls to an answering service at a given time of day automatically, as well as the ability to enable and cancel the forward at arbitrary times.

We proposed a SIP-based solution using a combination of Cisco SPA 525G2 and SPA 504G phones, placing a call server on premises, and through the use of call routing features in the cloud we met all the objectives.

One of the interesting features of the Cisco SPA 525G2 phone is its Bluetooth connectivity to a cell phone. I personally did not see the benefit of the feature until the phone was configured. When the office manager gets to work, the cell phone binds to the 525G2 and all incoming calls on the cell can now be answered on the 525G2; now that’s hot!

Outbound calls can also go out via cell or via VoIP, just by pressing the appropriate button.

Cisco SPA525G2 5-Line IP Phone


Hard Drive Recovery & WD My Passport 1TB Portable External Hard Drive Storage USB 3.0

My office smells like smoke. No, not the 420 kind or some musty old cigar, but the kind that comes when an object has been in a structure fire. A month ago, a client’s place of business was broken into and set on fire. The fire department saved what they could, but the fire had progressed considerably. The client asked if there was anything we could do to recover the data. We made no guarantees and took the melted remains. After cutting away the housing, we discovered that the drive was scorched and covered in filth. Initially the hard drive did not even spin up. After some cleaning, we attached the drive to a StarTech external USB drive caddy and copied the contents to a safe place. Once the data was safe, it was copied to a WD ‘My Passport’ 1TB external USB 3.0 drive. This product was chosen because it had enough capacity, Western Digital is a quality manufacturer, and the price was right (at the time of this writing, just shy of $90.00). We are very happy this one went so easily.
