
Forum Post: RE: Sophos code review?

You sure are tenacious for someone who said "I really don't expect this to be answered". lol

William and I may have our occasional disagreements on things, but after 10-odd years on the forums together, there's still respect. He knows more about some things than I do (like about the latest CPU that came out 2 minutes ago) and vice-versa. Nobody is an expert on everything. That's why this user to user forum is a community. Different views, ideas, theories, and information are part and parcel.

About the banter with William. Firstly, the OP wasn't asking about functional components, which William misunderstood; we were talking about the actual code base, which is a very different thing. Secondly, he may have forgotten that my info doesn't come 2nd hand, I have seen and reviewed the base code for the web proxy, and we'll leave it at that. There are large portions that were written from scratch in-house, more now with the last couple of v9 major versions, but large pieces were also used from/based on code from Squid, and of course it still uses some Linux standard runtime libraries to function. It's a hybrid, like other components such as App Control, some in-house, some from elsewhere. A/V of course is not open source, but commercial. WebAdmin is a proprietary locally hosted script-based web site that also uses open-source components to do its thing.

"So there is not even a list for paid customers? If that is true, the Sophos UTM is pretty much a closed system."

Not true, you can enter the shell and look around to see what's in there. Don't change anything or, as a paying customer, you will violate your support agreement, per the warning at the shell. Sophos doesn't actively hide what's in there. The base distro is SUSE, SSL VPN is OpenVPN, DNS is BIND, IPS is Snort, WAF is ModSecurity, and so on. Each of those named has been mentioned dozens if not hundreds of times on the forums.

With the exception of the "big boys", it is extremely common in the software world to license code/programs from 3rd party vendors and not overtly document this to the public. In this specific market segment, Sonicwall (Dell), Watchguard, Checkpoint, etc. all do this. Even if they don't license complete products/applications/modules, many companies, including Cisco and Juniper, will have 3rd party companies code some new feature sections of their products because they do not have the internal experience/resources in those areas to do it themselves. Of course those companies tend to eventually buy out their vendors. :)

As a paid user, you do have the ability to open up a case with Support to request a complete list of all software in the UTM that was not coded 100% by Sophos. Whether you'll get it or not is another story.

"And for me, as a paying customer,..."

Paid license or home license, everyone has equal importance and value on these user-to-user forums. I've spent 60 seconds helping someone who I know is a large enterprise customer with multiple top-tier appliances (and the licensing subscriptions that go with it) and I've spent hours real-time doing replication tests to solve an issue for a free home user.

"...your answer doesn't really answer the original question."

As mentioned previously, Sophos does have a code vetting process for its code. What hasn't been said is that Sophos does work closely with many of the component suppliers, both commercial and open source, to ensure that both existing and potential issues are resolved. These are things that are constant and ongoing, not a knee-jerk reaction to the fallout for a competitor having not followed secure coding practices for a significant period of time. Sophos is a security company, not just a firewall vendor.

We've really beaten this one to death, Bloudraak. Hopefully this has allayed your fears and concerns.

If you want to attempt to get more detailed information, you'll need to go through the official communication channels to Sophos for paid licensees, either via your reseller or via a support case.
