The threat landscape is changing, security systems are growing sharply in number and complexity, and protection tools, firewalls included, are evolving with them.
Next-generation firewalls (NGFW) are integrated platforms that combine classic firewalling and routing with newer traffic-filtering ideas: Deep Packet Inspection (DPI), advanced traffic analysis, user identification by a variety of methods, an Intrusion Prevention System (IPS), and so on.
In this article I will try to describe the features of the NGFW class in general and of the Sophos XG Firewall solution in particular. I will cover the interaction between the firewall and workstations, identifying at-risk users, and auditing; together, the components of the suite let you automate incident response and significantly cut the time it takes to resolve an incident.
Firewalls today
Sophos XG Firewall
Identify hidden risks
Control center
Synchronized Application Control
Top users at risk
A wide range of out-of-the-box reports
Block Unknown Threats
Unified rule management
Manage security at a glance
Enterprise level web filtering
Patterns of business applications and NAT rules
Sandstorm sandbox
Advanced threat protection
Automatic incident response in 8 seconds
Security heartbeat
Adding XG Firewall to any network is easy
Previously, firewalls worked at the lower layers of the network stack, providing basic routing and packet filtering based on ports and protocols to forward or drop traffic. They were effective for their time.
As threats shifted from direct attacks on the network to infecting internal systems, usually through vulnerabilities in applications and servers or through social engineering, firewall solutions had to evolve to counter the new attack vectors. Organizations, forced to keep adding and updating a fleet of network security devices on their perimeter for intrusion prevention, web filtering, spam protection and web application firewalling (WAF), incurred both financial and time costs. The need to manage such an array of network security products led to Unified Threat Management (UTM): solutions that let organizations combine everything in one device.
Firewall technology also evolved, moving up the stack to layer 7 and above so it could identify and control application traffic. Firewalls began to include technologies for deeper inspection of packet contents and for searching them for threats. They became able to classify and manage traffic by the user or application that generated it, rather than relying only on protocols and ports. This transition spawned a new network protection category: the Next-Generation Firewall (NGFW).
The next-generation firewall combines traditional methods along with deep packet inspection, which includes intrusion prevention, application information, user policies, and the ability to scan encrypted traffic.
Network security continues to evolve in order to counter ever-changing threats. Modern threats, such as ransomware and botnets, are more advanced, evasive and targeted than ever before. These advanced persistent threats (APTs) use zero-day techniques and are extremely difficult to detect.
At some point, many organizations end up with compromised systems on their network, having fallen victim to an APT or botnet, and in many cases they are not even aware of the infection. Unfortunately, this is a widespread problem.
The nature of current threats and modern network infrastructure create the need for fundamental changes in the approach to network security:
Worse, most modern firewalls are becoming more complex, using several separate, weakly integrated solutions for different threat vectors and different requirements. As a result, managing such a zoo of solutions has become very difficult, and the amount of information and data these systems produce is simply enormous.
In fact, a recent Firewall Satisfaction Survey of IT administrators revealed a number of common problems with most firewalls in use today:
From the very beginning, Sophos XG Firewall was designed to solve current and emerging problems and to provide a platform that adapts to changing network architectures. XG Firewall offers a new approach to identifying hidden risks, protecting the network, and identifying and responding to threats.
XG Firewall provides unrivaled visibility of at-risk users, unwanted applications, suspicious data and persistent threats. It has a full set of modern threat protection technologies and is at the same time easy to configure and maintain. Unlike any firewall before it, XG Firewall interacts with other security systems on the network, which lets it become a reliable point of protection: containing threats and blocking malware from spreading or exfiltrating data from the network, automatically and in real time.
Sophos XG Firewall has three main advantages over other firewalls:
It is critical that a modern firewall analyze the large amounts of data it collects, correlate data where possible, and highlight only the most important ones that require action — ideally, before it is too late.
The XG Firewall Control Center provides an unprecedented level of visibility of activity, risks and threats on your network.
It uses the “traffic light” style indicators to sharpen your attention on what is really important:
If something is highlighted in red, it requires immediate attention. If something is highlighted in yellow, this is an indication of a potential problem. If everything is green, no further action is required. Each widget in the Control Center offers additional information that is easy to open by simply clicking on this widget. For example, the status of interfaces on a device can be easily obtained simply by clicking the Interfaces widget in the Control Center.
The host, user and source of advanced threats are also easy to identify by simply clicking on the ATP (advanced threat protection) widget in the dashboard.
System charts also show bandwidth on a timeline with a selectable period, whether the last two hours or the last month or year, and provide quick access to frequently used troubleshooting tools.
A real-time log viewer is available from every screen with a single click. You can open it in a new window to keep track of the relevant log while working in the console. It has two tabs: a simple column view per firewall module, and a more detailed unified view with broad filter and sort options that aggregates logs from the entire system into one real-time view.
If you are like most network administrators, you probably wonder whether there are too many rules, which ones are really needed, and which ones are never actually used. With Sophos XG Firewall this will stop worrying you.
The Active Firewall Rules widget displays flow graphs of traffic processed in real time, grouped by rule type: business application, user and network rules. It also shows active totals for each rule type and status, including unused rules that you can delete. As elsewhere in the Control Center, clicking on any of them expands the rules table, sorted by rule type or state.
The problem with application control in every next-generation firewall today is that most application traffic remains unrecognized.
There is a simple reason for this: all application control mechanisms use signatures and patterns to identify applications. As you would expect, a custom or vertical-market application, such as medical or financial software, will never have a signature, and some types of applications, such as BitTorrent clients or VoIP and messaging applications, constantly change their behavior and signatures to avoid detection and control. Many applications use encryption to avoid detection, while others simply resort to common connections, like a web browser, to communicate through the firewall, because ports 80 and 443 are usually open on most of them.
The end result is a complete lack of visibility of applications on the network, and you cannot control what you do not see.
The solution to this problem is elegant and effective: Synchronized Application Control, which uses Synchronized Security technology in conjunction with Sophos products on the endpoints.
When XG Firewall sees application traffic that it cannot identify by signature, it can ask the endpoint which application generates this traffic. The software on the endpoint can then view the executable file, the path and, often, determine the category of the application and transfer this information back to the XG. The XG Firewall can then, in most cases, use this information to automatically classify and control the application.
If the XG Firewall cannot automatically determine the appropriate category of application, the administrator can set the desired category or assign an existing policy to the application.
After the application has been classified, either automatically, by this method, or by the network administrator, it is subject to the same policies as all other applications in that category, which makes it easy to block all unidentified applications that are not needed and to prioritize the necessary ones.
Synchronized Application Control is a breakthrough in the display and control of applications, providing absolute clarity of the purpose of all applications that previously worked on the network and remained unidentified and uncontrollable.
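To make the classification flow concrete, here is an added Python model of the steps described above (signature match first, then an endpoint query, then an administrator override, then the category policy). It is an illustration, not Sophos code; the signature table, endpoint answers, overrides and policy table are constructed assumptions.

```python
"""Model of the Synchronized Application Control decision flow.

Added illustration, not Sophos code. All tables below are constructed
sample data standing in for the firewall's DPI signatures, the answers an
endpoint agent would give, and the administrator's category policy."""
from dataclasses import dataclass

# Constructed signature table: flows the firewall can recognise on its own,
# keyed by (protocol, destination port, DPI hint such as a TLS SNI).
SIGNATURES = {
    ("tcp", 443, "tls-sni:teams.microsoft.com"): ("Microsoft Teams", "collaboration"),
}

# Constructed category policy. Anything still unclassified is blocked.
CATEGORY_POLICY = {
    "collaboration": "allow",
    "medical": "allow",
    "p2p": "block",
    "unknown": "block",
}

# Constructed endpoint answers keyed by (client IP, source port): the
# executable owning the socket and the category the agent could assign.
ENDPOINT_ANSWERS = {
    ("10.0.0.5", 51000): {"exe": r"C:\Clinic\ehr.exe", "category": "medical"},
    ("10.0.0.7", 51001): {"exe": r"C:\Users\bob\AppData\Local\utorrent.exe", "category": "p2p"},
    ("10.0.0.9", 51002): {"exe": r"C:\Tools\custom.exe", "category": None},
}

# Administrator-assigned categories for executables the endpoint could not classify.
ADMIN_OVERRIDES = {r"C:\Tools\custom.exe": "collaboration"}


@dataclass
class Flow:
    client_ip: str
    src_port: int
    proto: str
    dst_port: int
    hint: str  # DPI hint, e.g. TLS SNI or HTTP Host; empty if none


def classify(flow: Flow) -> tuple[str, str, str]:
    """Return (application, category, verdict) for one flow."""
    # Step 1: signature/DPI match handles well-known applications.
    sig = SIGNATURES.get((flow.proto, flow.dst_port, flow.hint))
    if sig:
        app, category = sig
        return app, category, CATEGORY_POLICY[category]
    # Step 2: ask the endpoint which executable generated the flow.
    answer = ENDPOINT_ANSWERS.get((flow.client_ip, flow.src_port))
    if answer is None:
        return "unidentified", "unknown", CATEGORY_POLICY["unknown"]
    # Step 3: endpoint category, else administrator override, else unknown.
    exe = answer["exe"]
    category = answer["category"] or ADMIN_OVERRIDES.get(exe) or "unknown"
    return exe, category, CATEGORY_POLICY[category]
```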
Research has proven that users are the weakest link in the security chain, and human behaviors can be used to predict and prevent attacks. In addition, usage patterns can help illustrate the efficiency with which corporate resources are used and the need to fine tune user policies.
User Threat Quotient (UTQ) helps security administrators identify users who present a risk, based on suspicious Internet behavior and their history of threats and infections. A high UTQ score for a user can be a sign of unintended actions due to a lack of security awareness, of a malware infection, or of deliberate actions.
Knowing which user actions caused the risk helps the network security administrator take the necessary steps: either educate users with a high UTQ, or apply stricter or more appropriate policies to control their behavior.
XG Firewall is unique among UTM products in providing a comprehensive, wide selection of out-of-the-box reports at no additional cost. Of course, the Sophos iView centralized standalone reporting platform is also offered if you need to aggregate reports from several XGs on a separate server; Sophos iView is free for up to 100 GB of logs. But most small and medium-sized organizations value the ability to get reports on the device itself, without the cost of additional storage systems.
XG Firewall provides a complete set of reports, conveniently organized by type, with several built-in dashboards to choose from. There are literally hundreds of reports with customizable settings in all areas of the XG Firewall, including traffic activity, security, users, applications, web, networks, threats, VPN, email, and compliance. Based on the audit results, you can easily generate a PDF report on the security status of the entire network - Security Audit Report. You can schedule periodic reports by e-mail to you or to designated recipients and save reports in HTML, PDF or CSV formats.
Protection against the latest network threats requires a wide range of technologies that work together and are managed by the administrator. Unfortunately, most products are more like juggling knives, with firewall rules set in one area, web policies in another, SSL inspection somewhere else and application control in a completely different part of the product.
Sophos believes that the most advanced protection technologies are urgently needed, and that they should be easy to set up and manage, because incorrectly configured protection is often worse than none.
Commitment to simplicity has always been a key part of Sophos. But more importantly, Sophos is ready to accept the changes and take bold steps to provide the best level of protection and the best user interface.
Managing a firewall can be incredibly difficult: multiple rules, policies and security settings are created for the purpose, scattered across different functional areas.
XG Firewall has completely redesigned how rules are organized and how security provisions are managed. Instead of looking for the right policies on the management console, everything is collected in a single screen - both the rules and the controls. Now you can view, filter, search, edit, add, change and organize all firewall rules in one place.
Rules for users, business applications, NAT and networks make it easy to view only the necessary policies, providing one convenient screen to manage.
Indicator icons provide important information about policies such as their type, status, usage, and more.
XG Firewall simplifies the configuration and management of modern protection, placing all the parameters on one screen.
You can configure the security and control modules for antivirus, SSL inspection, sandboxing, IPS, traffic shaping, web filtering, application control, Heartbeat, NAT, routing and prioritization in one place, and set user or group rules there as well.
And if you want to see exactly what any of the policies are doing, or even make changes, you can edit them on the spot, without having to leave the rule and move to another part of the product.
Flexible authentication options make it easy to find out who is who, and include directory services such as Active Directory, eDirectory and LDAP, as well as NTLM, RADIUS, TACACS+, RSA, endpoint agents and a Captive Portal. The Sophos Transparent Authentication Suite (STAS) also integrates with directory services such as Microsoft Active Directory for simple, reliable and transparent user authentication. The SATC (Sophos Authentication For Thin Client) agent installed on terminal servers lets the XG filter a specific application for a specific user on a terminal server, probably the most difficult case of all.
Web filtering and control are a core element of any firewall, but unfortunately, in most products, the feature is implemented as an afterthought. Its experience building corporate web filtering solutions gave Sophos the background and know-how to implement web policy functionality that you usually find only in enterprise SWG solutions costing ten times as much. A completely new top-down policy inheritance model has been introduced, which builds complex policies simply and intuitively. Out-of-the-box policy templates are included for the most common deployments, such as typical production environments, data protection, and more. This means that you can fine-tune the XG's parameters with a single click.
In fact, Sophos knows that the web policy is one of the most frequently changed elements in your firewall — which is why considerable effort has been made to simplify management and customization based on user and business needs. You can easily configure users and groups, actions (blocking, allowing or warning) according to the contents of URLs, categories, content filters and file types, as well as add or configure restrictions on the time of day and day of the week.
Web policies now include the ability to register and monitor or even apply policies related to dynamic content based on keyword lists. This feature is especially important in educational institutions to ensure the safety of children on the Internet and provides insight into students using keywords related to suicide, bullying, radicalization, or other unacceptable content. Keyword libraries can be uploaded to the XG Firewall and applied to any web filtering policy as additional criteria with actions to register and monitor or block search results or websites containing keywords of interest.
Comprehensive reporting identifies matches between the keyword lists and the users who are searching for or receiving matching content. This lets you intervene proactively before an at-risk user creates real problems.
These powerful web policies are implemented simply and visually.
Anyone who has tried to set up web application rules for something like Exchange, SharePoint or a web server knows how complicated and problematic it can be. The number of settings is bewildering. But predefined policy templates can help protect standard business application servers quickly, easily and confidently. Simply select the type of server you need from the drop-down list.
After you select one of the common business applications to protect, the configuration screen is pre-populated with the appropriate fields, which makes the work much easier. You then enter a few details, such as the domain, the path and server information, and everything is ready.
Compare this with the need to customize the WAF policy in any other product where multiple screens are usually required. It is complicated and confusing. But not with XG Firewall.
As advanced threats such as ransomware become more targeted and stealthy, there is an urgent need for behavioral analysis of payloads (files downloaded or received by mail). Until recently, the sandbox technology needed to provide this protection was available only to the largest companies. But now, thanks to cloud sandbox solutions such as Sophos Sandstorm, it is available even to the smallest business. For the first time, small and medium-sized organizations have access to a sandbox with deep learning technology that goes far beyond specialized on-premises sandbox solutions.
Sophos Sandstorm provides a powerful cloud sandbox solution that is simple and affordable while providing the necessary deep-learning protection against the latest zero-day threats lurking in email and web traffic, the main attack vectors. It is closely integrated into the XG Firewall and is incredibly easy to configure, and since it is cloud-based, it requires no additional software or hardware and does not affect the performance of the firewall. Suspicious email attachments and downloads are automatically analyzed and run in the cloud sandbox to determine their behavior before they are allowed onto your network.
Sophos Sandstorm provides analysis of the payload on the XG Firewall Control Center and a wide range of detailed reporting on all files and threats analyzed and processed by the firewall.
While sandbox technology is becoming increasingly common, XG Firewall and Sophos Sandstorm provide better protection at an attractive price, making it accessible to everyone.
Advanced Threat Protection is needed to detect advanced threats, bots and other malware hiding in your network. XG Firewall uses a sophisticated combination of malicious traffic detection, botnet detection and detection of command-and-control (C&C) traffic. It combines IPS, DNS and URL analysis to identify malicious traffic and immediately identify not only the infected host, but also the user and the process.
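As an added illustration of the host, user and process correlation described above (not XG Firewall code), the following Python correlates constructed key=value log lines from IPS, DNS, web proxy, authentication and endpoint sources against a placeholder indicator list, so that one alert names all three.

```python
"""Correlate IPS, DNS and URL evidence with user and process context.

Added illustration, not XG Firewall code. The log lines are constructed
samples in a simple key=value style, and the indicator sets are placeholders
standing in for a real threat feed."""
import re

BAD_DOMAINS = {"c2.example-bad.test"}                    # placeholder feed
BAD_URLS = {"http://c2.example-bad.test/gate.php"}       # placeholder feed

# Constructed sample events from the sources the text names, plus the
# authentication and endpoint context needed to attribute host -> user/process.
LOGS = """\
type=dns src_ip=10.0.0.7 qname=c2.example-bad.test
type=ips src_ip=10.0.0.7 sig=constructed-botnet-beacon
type=url src_ip=10.0.0.7 url=http://c2.example-bad.test/gate.php
type=auth src_ip=10.0.0.7 user=bob
type=endpoint src_ip=10.0.0.7 dst=c2.example-bad.test process=svchost-lookalike.exe
type=dns src_ip=10.0.0.5 qname=updates.example.test
type=auth src_ip=10.0.0.5 user=alice
"""


def parse(line: str) -> dict:
    """Turn one 'key=value key=value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def correlate(log_text: str) -> list:
    """Return one record per host with ATP evidence: host, user, process, evidence kinds."""
    host_users, host_procs, hits = {}, {}, {}
    for ev in map(parse, log_text.splitlines()):
        if not ev:
            continue
        ip = ev["src_ip"]
        kind = ev["type"]
        if kind == "auth":
            host_users[ip] = ev["user"]              # who is logged on at that host
        elif kind == "endpoint":
            host_procs[ip] = ev["process"]           # which process opened the connection
        elif kind == "dns" and ev["qname"] in BAD_DOMAINS:
            hits.setdefault(ip, set()).add("dns")
        elif kind == "url" and ev["url"] in BAD_URLS:
            hits.setdefault(ip, set()).add("url")
        elif kind == "ips":
            hits.setdefault(ip, set()).add("ips")
    # Only hosts with at least one malicious indicator are reported; benign
    # hosts such as 10.0.0.5 above never appear.
    return [
        {
            "host": ip,
            "user": host_users.get(ip, "unknown"),
            "process": host_procs.get(ip, "unknown"),
            "evidence": sorted(kinds),
        }
        for ip, kinds in sorted(hits.items())
    ]
```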
[The text of the remaining sections (automatic incident response in 8 seconds, Security Heartbeat, and adding XG Firewall to any network) did not survive extraction; only fragments remain: XG Firewall Control Center; Sophos Synchronized Security; Sophos Security Heartbeat (part of Synchronized Security); Green Heartbeat; Yellow Heartbeat (PUA); Red Heartbeat, C&C; NSS Labs Advanced Endpoint Protection, 2019; XG fail-open, 1U and 2U FleXi Port; hardware bypass; Intercept X.]
It's Security Made Simple.
The article was prepared using the Sophos XG Firewall Solution Brief.
If you are interested in the solution, you can contact us, Factor Group, a Sophos distributor. Just write in free form to sophos@fgts.ru.
Source: https://habr.com/ru/post/460131/