Review: Security firewall distributions

Sophos UTM

Sophos brings its experience and reputation to bear on its own Linux-based firewall product.

Formerly Astaro Security Gateway before being acquired by Sophos, this router distribution provides a stateful firewall along with packet inspection, web content filtering, anti-spam and anti-virus, intrusion prevention, and load balancing among other features. On the Sophos website it's marketed as Sophos UTM, primarily as a hardware appliance with optional modules for web, email and wireless protection. However, under 'Free Tools' you can download two versions of the Sophos UTM operating system stand-alone to run on your own boxes.

This includes a completely free and fully functional version, albeit limited to 50 IP addresses and billed as the 'Home Edition', though it would certainly be ideal for small businesses too. The other free version is titled Essential Firewall and has no IP address limits, but lacks some of the more advanced features of the full Sophos UTM version. This can be extended with modules from the full version at a price depending on what you need.

Either of these is an easily viable option for a small business using in-house support for a completely free solution.

For hardware appliances there are eight levels of devices, levelled by firewall throughput and maximum concurrent connections to suit various enterprise requirements. Alternatively, as with most other products we're covering here, Sophos UTM can be installed as a virtual appliance, or hosted in the cloud.

With the catchphrase 'This is where network threats go to die', Sophos is confident its product does live up to the brand name it bears.


Untangle has two core products -- the Next Generation (NG) Firewall, and Internet Control (IC) appliance. It's interesting to note that the latter doesn't include a firewall component, and focuses instead on web filtering, endpoint management, and bandwidth control. The NG Firewall product however provides a stateful firewall along with routing, intrusion prevention and anti-virus features and can be had as one of three software packages -- Lite, Standard and Premium -- which provide various levels of pre-installed functionality. The Lite version is free to download and use, includes all the core functionality of firewall, intrusion prevention, web filtering and application control, and can still be easily upgraded once installed through paid-for packaged add-ons. As with other examples of freely downloadable firewall products here, commercial support is not included in the Lite version.

Hardware appliances are also available, ranging from low-end boxes for small business to powerful rack-mounts for enterprise.

Untangle is unique among the products covered here in that, in addition to providing a remotely accessible web-based GUI -- which is among the most impressive we've seen here -- it also includes a full graphical desktop for the machine itself, rather than booting to a command-line. This makes managing the machine directly a little bit more user-friendly, and certainly helps initial setup and configuration of an install.

Finally, a wide range of installable add-ons are available, some free and some paid-for, to extend the functionality of an Untangle server to suit your business needs.


Vyatta is yet another example of an open-source firewall gone commercial, and here provides the free unsupported edition while (now adds commercial level support, official updates, and subscription-only benefits.

Beyond the expected stateful firewall features -- common to all these products, as it's a core feature of Linux itself -- Vyatta adds web filtering, load balancing, and fail-over support, a remotely accessible web-based GUI, VPN support and QoS-based traffic management. The web filtering option uses URL blacklisting, with pre-defined filters for known spyware and other optional categories that make it easy to block particular traffic with a minimum of configuration effort. Setting it apart, however, from the other products covered here is that the web-based UI -- the standard mechanism for setting up and configuring these firewall distributions -- has only been made available to the subscription version of the operating system. The free version must be configured from the command-line.

There is however a strong focus on providing support for virtualised installations, with the main Vyatta 5400/5600 vRouter product being a software router designed to be deployed on a wide range of supported hypervisors from VMware and Microsoft Hyper-V to Citrix Xen and Red Hat KVM.

Zeroshell is unique in that it aims to be a compact distribution small enough for embedded devices, yet still provide essential features like a stateful firewall, load balancing and fail-over support, QoS and traffic shaping, and captive portal for Wi-Fi networks. Unlike other products here however, Zeroshell is designed as a live distribution, meaning it can simply run directly from the media, no installation on a hard drive required.

And, despite the name -- and while it's still possible to configure it via a command shell -- Zeroshell still provides a web-based interface. It's not as pretty as some of the others we've seen here, but it's still comprehensive and remarkable given the small footprint Zeroshell provides. Zeroshell is heavily community driven with extensive guides available from other Zeroshell users, while a community-made add-on called Zerotruth provides captive portal support for Wi-Fi hotspots.

There are no commercial support options or hardware appliances, but then again it's such a compact distribution -- needing less than 100M of RAM -- that it will run on the smell of an oily rag. If only oily rags had processors.

While likely not ideal for anything larger than small businesses, and certainly some experience with Linux would be beneficial, Zeroshell is a great way to cut your teeth on firewall distributions, and its small size and focus on low-resource usage make it ideal for embedded applications. It's also regularly updated, with the latest version 3.0 just released in January of this year.
