Sophos Firewall is a comprehensive network security device with a zone-based firewall and identity-based policies that protects both wired and wireless networks by functioning as a wireless controller for Sophos access points. Management of Sophos products, including the firewall, is easy and scalable through a single cloud-based platform.
1. Sophos Firewall is a comprehensive network security device, with a zone-based firewall and identity-based policies at its core.
2. Sophos Firewall does not only protect wired networks, but, as a wireless controller for Sophos access points, can provide secure wireless networking functionality.
3. Protection is provided through a single cloud-based platform, making day-to-day management of all your Sophos products (including Sophos Firewall) easy and scalable.
Sophos Firewall analyzes incoming and outgoing network traffic (for example, DNS requests, HTTP requests, and IP packets) for sophisticated attacks by using a full suite of protection technologies.
TLS inspection provides transparency into all the encrypted traffic on the network.
Deep packet threat protection is provided in a single engine for anti-virus, intrusion protection, web protection, application control and TLS inspection.
Network FastPath accelerates SaaS, SD-WAN and cloud traffic (such as VoIP and video) and other trusted applications, either automatically or via defined policies.
These flows are placed on the Xstream FastPath to optimize performance.
However you choose to deploy Sophos Firewall, it uses the same software and provides the same functionality regardless of form-factor.
protect your internal network. Sophos Firewall is deployed to handle both the core routing and to act as the first line of defense against network threats.
there is an existing firewall that handles the WAN connectivity that is not going to be replaced.
inline mode
web application from common attacks including buffer overflows and SQL injection.
The last type of deployment we will look at is generally used for evaluating the capabilities of Sophos Firewall without the need to make any changes to the network.
SD-WAN routes provide a much wider range of traffic selection criteria. You can select the traffic you want to route based on:
• The interface it arrives at the Sophos Firewall on
• The source and destination networks
• The service
• DSCP marking
• User
• And application
system route_precedence command.
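As an added example (not Sophos code), the following Python model shows how the SD-WAN selection criteria listed above can be evaluated against a packet, and how a precedence order decides which route type is consulted first. The gateway names, addresses and the precedence order in the default argument are constructed assumptions for the example, not product defaults.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    service: str            # constructed label such as "TCP/443"
    dscp: int = 0
    user: str | None = None
    app: str | None = None

@dataclass
class SdwanRoute:
    gateway: str
    in_iface: str | None = None   # None stands for "Any" on each criterion
    src_net: str | None = None
    dst_net: str | None = None
    service: str | None = None
    dscp: int | None = None
    user: str | None = None
    app: str | None = None

    def matches(self, p: Packet) -> bool:
        # Every criterion that is set must match the packet; unset ones are skipped.
        for net, addr in ((self.src_net, p.src), (self.dst_net, p.dst)):
            if net is not None and ip_address(addr) not in ip_network(net):
                return False
        pairs = ((self.in_iface, p.in_iface), (self.service, p.service),
                 (self.dscp, p.dscp), (self.user, p.user), (self.app, p.app))
        return all(want is None or want == have for want, have in pairs)

def sdwan_lookup(routes: list[SdwanRoute], p: Packet) -> str | None:
    return next((r.gateway for r in routes if r.matches(p)), None)  # top-down, first match wins

def static_lookup(static_routes: list[tuple[str, str]], p: Packet) -> str | None:
    hits = [(ip_network(n).prefixlen, gw) for n, gw in static_routes
            if ip_address(p.dst) in ip_network(n)]
    return max(hits)[1] if hits else None   # longest prefix match on the destination

def select_route(p, sdwan_routes, static_routes, precedence=("sdwan_policyroute", "static")):
    # precedence plays the role of the console's route precedence setting; this order is an assumption
    lookups = {"sdwan_policyroute": lambda: sdwan_lookup(sdwan_routes, p),
               "static": lambda: static_lookup(static_routes, p)}
    for kind in precedence:
        gw = lookups[kind]()
        if gw is not None:
            return kind, gw
    return "default", "WAN1"   # no route matched: fall back to the (constructed) default route
```

Swapping the order of the precedence tuple changes which route wins for a packet that both an SD-WAN route and a static route would match, which is exactly what the route precedence setting controls.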
With the increasing move to using cloud services, it is important to prioritize and guarantee bandwidth for these business-critical applications.
Another approach is to limit the bandwidth of non-business-critical, bandwidth-heavy applications, such as streaming and downloads.
Reflexive rules create an SNAT from internal sources, for example, from a protected server to the Internet. In our previous example it would effectively create a masquerading rule for traffic from the application server.
Loopback rules are used when internal users use the public IP address or hostname to access a resource, and it performs an SNAT on the connection.
Intrusion prevention on Sophos Firewall has three parts:
• Intrusion prevention system, or IPS, policies that are applied to firewall rules to protect against exploits and malformed traffic
• Spoof protection, which drops traffic that is trying to pretend to come from a different MAC or IP address to bypass protection
• And denial-of-service (DoS) protection, which drops traffic that is maliciously trying to prevent legitimate traffic from being able to access services
These policies cover most of the everyday scenarios that you would encounter on an average network. You can edit the included policies or create new ones to meet your security needs.
When you create a route-based VPN, an xfrm tunnel interface is created on the Sophos Firewall. This can be configured like any other interface, except it is always in the VPN zone. You can create routes, NAT rules, and firewall rules in the same way you would for any other traffic.
If you also have firewall acceleration enabled, offloading to the FastPath, the NPU will do the packet encapsulation and the encryption. This is the ideal scenario.