Sophos Intercept X Firewall

Sophos Zero Trust Network Access (ZTNA) is a new product category that will soon have a presence on the Sophos Partner Portal and later on Sophos.com as well. Continue reading to learn more about what’s coming, access a collection of frequently asked questions and revisit the recent SophSkills recording in case you missed it.

What is ZTNA All About?

If you missed the recent SophSkills session, this video presentation covers everything you need to know about why ZTNA is so important and what Sophos ZTNA will look like. You can also grab the PowerPoint file here.

ZTNA is founded on the principle of zero trust. ZTNA is all about verifying the user, typically with multi-factor authentication to prevent stolen credentials from being a source of compromise, then validating the health and compliance of the device: is it enrolled, is it up to date, is it properly protected? That information is then used to make policy-based decisions that control access and privilege to important networked applications.

What are the Benefits of ZTNA (compared to remote access VPN)?

While remote access VPN continues to serve us well, ZTNA offers a number of added benefits that make it a much more attractive solution:

  • More Granular Control: ZTNA allows more granular control over who can access applications and data, minimizing lateral movement and improving segmentation. VPN is all-or-nothing: once on the network, VPN generally offers access to everything.
  • Better Security: ZTNA removes implicit trust and incorporates device status and health in access policies, which further enhances security. VPN does not consider device status, which can put application data at risk from a compromised or non-compliant device.
  • Easier to Enroll Staff: ZTNA is much easier to roll out and enroll new employees with, especially if they are working remotely. VPN is more challenging and difficult to set up and deploy.
  • Transparent to Users: ZTNA offers “just works” transparency to users with frictionless connection management. VPN can be difficult to use and is prone to generating support calls.

Overall, ZTNA offers a welcome and much better solution to connecting remote workers or the branch office of one.

What is Sophos ZTNA?

Sophos ZTNA is a brand new cloud-delivered, cloud-managed product to easily and transparently secure important networked applications with granular controls. It’s scheduled to enter early access in February.

Sophos ZTNA consists of three components:

  • Sophos Central – provides the ultimate cloud management and reporting solution for all Sophos products including Sophos ZTNA. Sophos ZTNA is fully cloud-enabled, with Sophos Central providing easy deployment, granular policy management, and insightful reporting from the cloud.
  • Sophos ZTNA Gateway – will come as a virtual appliance for a variety of platforms to secure networked applications on-premise or in the public cloud with AWS and VMware ESXi support initially closely followed by Azure, Hyper-V, Nutanix, and others.
  • Sophos ZTNA Client – provides transparent and frictionless connectivity to controlled applications for end-users based on identity and device health. It will integrate with Synchronized Security for Heartbeat and device health. It is super easy to deploy from Sophos Central, with an option to easily deploy alongside Intercept X with just one click, or it can work stand-alone with any desktop AV client (obtaining health status from Windows Security Center). It will initially support Windows, followed by macOS and later Linux and mobile device platforms as well.

Here’s a basic block diagram of Sophos ZTNA at work:

Frequently Asked Questions about Sophos ZTNA:

What are the key dates?

The Early Access Program (EAP) will get underway in February. Launch is expected to be around mid-year 2021.

What applications can be protected?

Sophos ZTNA can provide protection for any networked application hosted on the company’s on-premise network, in the public cloud, or at any other hosting site. Everything from RDP access to network file shares to applications like Jira, wikis, source code repositories, support and ticketing apps, etc.

ZTNA cannot protect SaaS applications like SalesForce.com or Office365 because customers don’t own these applications which are public internet facing applications servicing many clients by design. Controlling access to these applications is already done effectively through multi-factor authentication, and if customers need more granular controls, then CASB is the technology that can help with access control to these types of applications. Sophos is also working on a SASE strategy that will include CASB as well in the future.

What client, gateway and identity platforms will be supported?

Client platforms will initially include a clientless option across all client platforms (EAP1), Native Windows and Mac support (EAP2) and then Linux and mobile device platforms (iOS and Android) following launch.

Gateway platforms will initially include AWS (public cloud) and VMware ESXi (virtual appliance) for EAP. This will be expanded to include other platforms like Azure, Hyper-V, Nutanix, K8S, and GCP following launch.

For identity, Sophos ZTNA will initially support Azure Active Directory (AD) for EAP 1 and Okta in EAP2. Supported directory services include Azure and on-premise AD. Customers can take advantage of Azure’s MFA options right away with support for third-party MFA solutions coming in a future release.

Is the Sophos ZTNA gateway hardware, virtual or cloud?

The Sophos ZTNA gateway is a virtual appliance only. There is no hardware version and it is not a hosted service. Customers can deploy as many Sophos ZTNA gateways as they need (for free) on any of the platforms mentioned above to protect their applications in the cloud (AWS, Azure, Nutanix, etc) or hosted in their data center or on-premise (using a virtual appliance).

Is ZTNA a stand-alone product or does it require another Sophos product?

Sophos ZTNA is a stand-alone product and does not require any other Sophos Products. It is managed by Sophos Central which is free, and obviously offers a ton of benefits when customers have other Sophos products. It can easily deploy alongside Intercept X, but Intercept X is not a requirement. Sophos ZTNA can work alongside any vendor’s desktop AV or firewall.

How will Sophos ZTNA client deployment work?

Sophos ZTNA will be an option to deploy alongside Intercept X and device encryption when protecting devices from Sophos Central. It will be added to this list…

Will ZTNA integrate with Sophos XG Firewall and Intercept X?

Sophos ZTNA is fully compatible with XG Firewall and Sophos Intercept X. In fact, it takes advantage of Security Heartbeat to assess device health which can be used in ZTNA policies. As mentioned above, deployment of the ZTNA client can easily happen as part of a CIX roll-out – it’s as simple as checking a box. Of course Sophos ZTNA can also work perfectly with other vendor desktop AV or firewall products, but it will work better together with other Sophos products such as XG Firewall and Intercept X.

There are plans to ultimately include ZTNA gateway functionality in the firewall, but for now, the biggest opportunity for ZTNA is providing it as a stand-alone solution that can work with any firewall.

How will licensing and pricing work?

Sophos ZTNA will be licensed on a user basis like our Endpoint products. And it is not per user-device, just per user, so if a user has 3 devices, they only require one license.

Customers can deploy as many ZTNA gateways as they need to protect all their apps. There is no charge for the gateway or for Central Management.

There will be a free trial at launch.

More of Your Frequently Asked Questions:

How does ZTNA compare to…

  • DUO is an identity technology provider focused on multi-factor authentication (MFA) to help users verify their identity. Identity and MFA and thus DUO, are a part of a ZTNA solution. ZTNA also verifies device health. Sophos ZTNA will initially support Azure MFA and ultimately support Duo and other MFA solutions as well.
  • NAC and ZTNA technologies may sound similar as they are both about providing access, but that’s where the similarities end. Network Access Control (NAC) is concerned about controlling physical access to a local on-premise network. ZTNA is concerned about controlling access to data and specific network applications regardless of what network they are on.
  • While remote-access VPN has served us well, ZTNA has a number of benefits when compared to VPN as outlined above. Of course there will be some situations where VPN continues to be a good solution… where a relatively small number of people (e.g. the IT department) need broad access to network applications and services to manage them. And of course, VPN will still be instrumental for site-to-site connectivity. But for most organization’s users, ZTNA can replace remote-access VPN to provide a better, more granular security solution while being more transparent and easier for users.
  • ZTNA is complementary to a Firewall just like VPN is complementary to a Firewall. Of course, the Firewall still plays a critically important role in protecting corporate network and data center assets from attacks, threats and unauthorized access. ZTNA bolsters a Firewall by adding granular controls and security for networked applications in the cloud or on-premise.
  • ZTNA and Synchronized Security are both conceptually similar in that they both can use device health to determine network access privileges. In fact, Sophos ZTNA will use Security Heartbeat as a key component in assessing device health. If a user has a device with a Red Heartbeat, their application access can be limited through policy, just as their network access can be limited on the firewall. However, ZTNA goes further than Synchronized Security by also integrating user identity verification. ZTNA is also more about controlling privilege and access to applications while Synchronized Security is more about automated response to threats and preventing threats from moving or stealing data.
  • SASE (pronounced “sassy”) or Secure Access Service Edge, is about the cloud delivery of networking and security and includes many components such as Firewalls, SD-WAN, Secure Web Gateways, CASB, and ZTNA designed to secure any user, on any network, anywhere through the cloud. So as you can see, ZTNA is a component of SASE and will be our initial offering into this segment and an essential part of our overall SASE strategy.

Competitors:

We know questions about competitors are always top of mind. We will be developing comprehensive competitive analysis as we get underway with the EAP and share that information soon.

You must set up your firewall or proxy to allow these domains and ports.

This lets you protect your devices and communicate between Sophos Central Admin and your managed endpoints.

Note All features route traffic using the same proxy.

Some of the domains you need to allow are owned by Sophos Central Admin. Others aren't, but are needed for essential operations such as checking that installations work or recognizing certificates.

Sophos Central Admin domains

You must allow these domains and ports through your firewalls and proxies for your protection to work correctly.

If you're a partner managing accounts for customers, you must do this for each customer's firewall or proxy.

  • central.sophos.com
  • cloud-assets.sophos.com
  • sophos.com
  • downloads.sophos.com
Note If your proxy or firewall supports wildcards, you can use the wildcard *.sophos.com to cover these addresses.

Then enter the following non-Sophos addresses.

  • az416426.vo.msecnd.net
  • dc.services.visualstudio.com
  • *.cloudfront.net

You must also review the other sections in this page and allow the appropriate domains and ports for all your licenses.

If you're a partner managing accounts for customers, you must do this for each customer's firewall or proxy, matching each customer's licenses.

Endpoint domains

If your proxy or firewall supports wildcards, use the following wildcards to cover these Sophos endpoint domains.

  • *.sophos.com
  • *.sophosupd.com
  • *.sophosupd.net
  • *.sophosxl.net

Then enter the following non-Sophos addresses.

  • ocsp2.globalsign.com
  • crl.globalsign.com

If your proxy or firewall doesn't support wildcards, you must identify the exact Sophos endpoint domains you need, then enter them manually.

To identify the server address that Sophos Management Communication System uses to communicate with Sophos Central Admin securely, do as follows:

  1. Open SophosCloudInstaller.log. You can find it in the following locations:

    Windows 2008 R2 and later: C:\Documents and Settings\All Users\Application Data\Sophos\CloudInstaller\Logs

    Windows 7 and later: C:\ProgramData\Sophos\CloudInstaller\Logs

  2. Look for the following lines:
    • line starting Model::server value changed to:
    • line starting Opening connection to

    They should have a value that looks like this dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com.

You must add this address and the following addresses to your firewall or proxy allow list.

  • dci.sophosupd.com
  • d1.sophosupd.com
  • d2.sophosupd.com
  • d3.sophosupd.com
  • dci.sophosupd.net
  • d1.sophosupd.net
  • d2.sophosupd.net
  • d3.sophosupd.net
  • t1.sophosupd.com
  • sdu-feedback.sophos.com
  • sophosxl.net
  • 4.sophosxl.net
  • samples.sophosxl.net
  • cloud.sophos.com
  • id.sophos.com
  • central.sophos.com
  • downloads.sophos.com
  • amazonaws.com
  • *.hydra.sophos.com

If you want to be more specific about the domains you allow for hydra.sophos.com you can use the following domains.

  • *.mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
  • *.mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
  • *.mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
  • *.mcs2-cloudstation-us-west-2.prod.hydra.sophos.com

You must also add the following non-Sophos domains. You must not use wildcards for these domains.

  • ocsp.globalsign.com
  • ocsp2.globalsign.com
  • crl.globalsign.com
  • crl.globalsign.net
  • ocsp.digicert.com
  • crl3.digicert.com
  • crl4.digicert.com
Note Some firewalls or proxies show reverse lookups with *.amazonaws.com addresses. This is expected as we use Amazon AWS to host several servers. You must add these URLs to your firewall or proxy.

Endpoint ports

You must add the following ports.

  • 80 (HTTP)
  • 443 (HTTPS)

AD Sync

If you're using the Active Directory service, you must also add the following pre-signed S3 domains:

  • tf-presigned-url-eu-west-1-prod-*-bucket.s3.eu-west-1.amazonaws.com
  • tf-presigned-url-eu-central-1-prod-*-bucket.s3.eu-central-1.amazonaws.com
  • tf-presigned-url-us-east-2-prod-*-bucket.s3.us-east-2.amazonaws.com
  • tf-presigned-url-us-west-2-prod-*-bucket.s3.us-west-2.amazonaws.com

If your proxy or firewall supports wildcards you can add the following wildcards:

  • *.s3.eu-west-1.amazonaws.com
  • *.s3.eu-central-1.amazonaws.com
  • *.s3.us-east-2.amazonaws.com
  • *.s3.us-west-2.amazonaws.com

Intercept X Advanced with EDR

Note Add the domains and ports listed in Endpoint domains and Endpoint ports before adding the domains listed below.

If you have an Intercept X Advanced with EDR license, you must also add the following domains:

  • tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.com
  • tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
  • tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
  • tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
  • live-terminal-eu-west-1.prod.hydra.sophos.com
  • live-terminal-eu-central-1.prod.hydra.sophos.com
  • live-terminal-us-west-2.prod.hydra.sophos.com
  • live-terminal-us-east-2.prod.hydra.sophos.com
  • *.mcs-push-server-eu-west-1.prod.hydra.sophos.com
  • *.mcs-push-server-eu-central-1.prod.hydra.sophos.com
  • *.mcs-push-server-us-west-2.prod.hydra.sophos.com
  • *.mcs-push-server-us-east-2.prod.hydra.sophos.com

Intercept X Advanced with EDR and MTR

Note Add the domains and ports listed in Endpoint domains, Endpoint ports, and Intercept X Advanced with EDR before adding the domains listed in this section.

If you have an MTR license and are using TLS inspection or have a firewall that uses application filtering, you must also add these domains:

  • prod.endpointintel.darkbytes.io
  • kinesis.us-west-2.amazonaws.com

To confirm you need to add those exclusions, or to test that the exclusions are effective, you need to check your DNS and your connectivity on an endpoint.

On Windows, do as follows:

  1. To check your DNS, open PowerShell and enter the following commands:

    You should see a DNS response message from each domain.

  2. To check your connectivity, enter the following commands:

    You should see the following response: {message: 'running..'}.

    You should see a response containing 'Missing Authentication Token'.

On Linux, do as follows:

  1. To check your DNS, enter the following commands:

    You should see a DNS response message from each domain.

  2. To check your connectivity, enter the following commands:

    You should see the following response: {message: 'running..'}.

    You should see a response containing 'Missing Authentication Token'.
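The DNS and connectivity commands themselves are not reproduced above, so here is an added example (not Sophos's own tooling) that runs both checks from Python on either platform and also tests whether a hostname is covered by a given allow list. The allow-list subset is constructed from the entries on this page, and shell-glob semantics for `*` are an assumption about how the proxy or firewall interprets wildcards.

```python
"""Audit an endpoint's view of the Sophos Central allow list (added example)."""
import fnmatch
import socket
import ssl

# Constructed subset of this page's allow list; paste the full list for your
# licences and region in a real audit.
ALLOW_LIST = [
    "*.sophos.com", "*.sophosupd.com", "*.sophosxl.net",
    "ocsp.globalsign.com", "crl.globalsign.com",          # exact, no wildcards
    "tf-presigned-url-eu-west-1-prod-*-bucket.s3.eu-west-1.amazonaws.com",
]


def covered(host, allow_list=ALLOW_LIST):
    """True if host is permitted by an exact entry or a glob entry.
    '*' is matched with shell-glob semantics (assumed proxy behaviour). Note
    that '*.sophos.com' does NOT match the bare apex 'sophos.com', which is
    why the page lists sophos.com as a separate entry."""
    host = host.lower().rstrip(".")
    for entry in allow_list:
        entry = entry.lower()
        if "*" in entry:
            if fnmatch.fnmatchcase(host, entry):
                return True
        elif host == entry:
            return True
    return False


def uncovered(hosts, allow_list=ALLOW_LIST):
    """Hosts that the given allow list would still block."""
    return [h for h in hosts if not covered(h, allow_list)]


def check_endpoint(host, port=443, timeout=5.0):
    """Live check mirroring the page's two steps: resolve the name, then open
    a TLS connection. Returns {'resolved': [...ips], 'tls': True | error text}.
    Requires network access; a block by the proxy or firewall surfaces as the
    error text in 'tls'."""
    result = {"host": host, "resolved": [], "tls": None}
    try:
        result["resolved"] = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port)})
    except socket.gaierror as exc:
        result["tls"] = f"dns: {exc}"
        return result
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                result["tls"] = True
    except (OSError, ssl.SSLError) as exc:
        result["tls"] = f"connect: {exc}"
    return result


if __name__ == "__main__":
    for h in ["central.sophos.com", "dci.sophosupd.com", "ocsp.globalsign.com"]:
        print(h, "allow-listed" if covered(h) else "NOT in allow list", check_endpoint(h))
```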