Sophos XG Firewall: from a classic firewall to an NGFW with automatic response to information security incidents

The threat landscape is changing, the number and complexity of security systems is growing sharply, and security tools, firewalls included, are evolving with them.
A Next-Generation Firewall (NGFW) is an integrated platform that combines a classic firewall and routing with newer traffic filtering techniques such as Deep Packet Inspection (DPI), user authentication by a variety of methods, an Intrusion Prevention System (IPS), and so on.
In this article I will cover the features of the NGFW class in general and of Sophos XG Firewall in particular: the interaction between the firewall and the endpoint, identifying at-risk users, and auditing. Together, these techniques let you automate the response to an incident and significantly reduce the time it takes to resolve it.
Contents
- Firewalls today
- Sophos XG Firewall
- Identification of hidden risks: Control center; Synchronized application control; Top users at risk; A wide range of reports out of the box
- Blocking unknown threats: Unified rules management; Security management at a glance; Enterprise web filtering; Business application and NAT rules templates; Sandstorm sandbox; Advanced threat protection
- Automatic incident response in 8 seconds: Security Heartbeat
- Adding XG Firewall to any network is simple
Firewalls today
Earlier firewalls operated at the lower layers of the network stack, providing basic routing and packet filtering that forwarded or dropped traffic based on port and protocol checks. They were effective for their time.
As threats shifted from direct attacks on the network to infecting internal systems, usually through vulnerabilities in applications and servers or through social engineering, network protection had to evolve to withstand the new attack vectors. Organizations that had to keep adding and updating a fleet of network security devices at the perimeter for intrusion prevention, web filtering, anti-spam and web application firewalling (WAF) paid for it in money and time. The need to manage such an array of products led to Unified Threat Management (UTM), which let organizations combine everything in one device.
Firewall technology also evolved, moving up the stack to layer 7 so that it could identify and control application traffic. Firewalls began to incorporate technologies for a deeper understanding of packet contents and for hunting threats in them. They gained the ability to classify and manage traffic by the user or application that generated it, rather than relying solely on protocols and ports. This transition created a new category of network security: the Next-Generation Firewall (NGFW).
A next-generation firewall combines traditional methods with deep packet inspection, including intrusion prevention, application awareness, user-based policies and the ability to inspect encrypted traffic.
Network security continues to change and grow to counter ever-changing threats. Modern threats such as ransomware and botnets are more advanced, elusive and targeted than ever before. These advanced persistent threats (APTs) use zero-day techniques and are extremely difficult to detect.
Many organizations have at some point had systems on their network compromised and become victims of an APT or a botnet, and in many cases they are not even aware of the infection. Unfortunately, this is a widespread problem.
The nature of current threats and modern network infrastructure creates the need for fundamental changes in the approach to network security:
- Network security systems today must integrate new technologies to detect malicious behavior in network payloads without relying on traditional antivirus signatures. Technologies such as sandboxing, which until recently only large companies could afford, have become accessible to small and medium-sized organizations and are now an integral part of effective protection against modern malware.
- Security systems that used to be isolated and independent, such as the firewall and the antivirus, now need to integrate and cooperate in order to detect, identify and respond to advanced threats quickly and efficiently, before they can cause significant damage.
- New, dynamic application control technologies are needed to correctly identify and manage unknown applications, given the declining effectiveness of signature-based mechanisms at identifying the latest application protocols, custom applications, and applications that tunnel over common protocols such as HTTP/HTTPS.
To make matters worse, most modern firewalls are becoming more complex, bolting together several loosely integrated solutions against different threat vectors and requirements. As a result, managing such a zoo of solutions has become very difficult, and the amount of information and data these systems produce is simply enormous.
In fact, a recent Firewall Satisfaction Survey of IT administrators revealed a number of common problems with most firewalls in use today:
- It takes too long to get the information you need.
- The level of detection of threats and risks on the network is not acceptable.
- There are many functions, but it is too hard to understand how to use them.
Sophos XG Firewall
From the very beginning, Sophos XG Firewall was designed to address today's and emerging challenges, and to provide a platform that adapts to changing network architectures. XG Firewall offers a new approach to identifying hidden risks, protecting the network, and identifying and responding to threats.
XG Firewall provides visibility into at-risk users, unwanted applications, suspicious payloads and persistent threats. It carries a complete set of modern threat protection technologies while remaining easy to configure and maintain. Unlike earlier firewalls, XG Firewall interacts with other security systems on the network, which lets it act as a reliable enforcement point: deterring threats and blocking malware from spreading or exfiltrating data from the network, automatically and in real time.
Sophos XG Firewall has three main advantages over other firewalls:
- Identification of hidden risks: XG Firewall excels at surfacing hidden risks through a visual dashboard, a wide selection of out-of-the-box reports and unique risk information.
- Blocking unknown threats: XG Firewall blocks unknown threats more easily and effectively with a full set of protections against advanced attacks that are very easy to configure and manage.
- Automatic incident response: XG Firewall with Synchronized Security automatically responds to network incidents using Security Heartbeat technology.
Identification of hidden risks
It is critical that a modern firewall analyzes the large amounts of data it collects, correlates that data where possible, and highlights only what is most important and requires action, ideally before it is too late.
Control center
The XG Firewall Control Center provides an unprecedented level of visibility into the activity, risks and threats on your network.

It uses “traffic light” style indicators to draw your attention to what is really important:

Anything highlighted in red requires immediate attention. Anything highlighted in yellow indicates a potential problem. If everything is green, no further action is required. Each widget in the Control Center offers additional information that you open simply by clicking on it. For example, the status of the device's interfaces is one click away on the "Interfaces" widget in the Control Center.

The host, user, and source of the advanced threat are also easy to identify by simply clicking on the ATP (advanced threat protection) widget in the dashboard.

System graphs also show bandwidth over time for a selectable period, whether you need to look at the last two hours, the last month or the last year. They also provide quick access to commonly used troubleshooting tools.

Real-time log viewing is available from every screen with a single click. You can open it in a new window to watch the relevant log while you work in the console. It has two tabs: a simple column view organized by firewall module, and a more detailed unified view with extensive filtering and sorting options that aggregates the logs from the entire system into one real-time view.

If you are like most network administrators, you probably wonder whether you have too many rules, which ones are really necessary and which ones are never used. Sophos XG Firewall takes that worry away.
The Active Firewall Rules widget shows graphs of the traffic being processed in real time, broken down by rule type: business application, user and network rules. It also shows active totals for each rule type and status, including unused rules that you can delete. As elsewhere in the Control Center, clicking on any of them opens the rule table filtered by that rule type or status.

Synchronized application control
Today, the problem with application control on every next-generation firewall is that most application traffic remains unrecognized.
The reason is simple: all application control engines use signatures and patterns to identify applications. As you would expect, a custom or vertical-market application, such as a medical or financial application, will never have a signature, and some kinds of applications, such as BitTorrent clients or VoIP and messaging applications, constantly change their behavior and signatures to evade detection and control. Many applications use encryption to avoid detection, while others simply disguise themselves as a web browser to get through the firewall, because ports 80 and 443 are usually open on most of them.
The end result is a near-total lack of application visibility on the network, and you cannot control what you cannot see.
The solution to this problem is elegant and effective: Synchronized Application Control, which uses Sophos's Synchronized Security technology together with Sophos products on the endpoints.

When XG Firewall sees application traffic that it cannot identify by signature, it can ask the endpoint which application generated that traffic. The software on the endpoint can look at the executable and its path, often determine the application's category, and send that information back to XG. In most cases XG Firewall can then use this information to classify and manage the application automatically.

If XG Firewall cannot automatically determine an appropriate category for the application, the administrator can set the desired category or assign an existing policy to the application.
Once the application is classified, whether automatically or by the network administrator, it is subject to the same policies as every other application in that category, which makes it easy to block all unidentified applications that are not needed and to prioritize the ones that are.
Synchronized Application Control is a breakthrough in application visibility and control: it gives clear identification of applications that previously ran on the network unidentified and uncontrolled.
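The following is an added, illustrative simulation of the flow described above; it is not Sophos code and not the real Heartbeat protocol. A firewall that cannot classify a flow by signature asks the endpoint that owns the source socket which executable generated it, maps the answer onto a policy category, and parks anything still unclassified for the administrator. The signature table, the path-to-category map, the policy table, the hosts and the sample flows are all constructed assumptions.

```python
"""Added example (not Sophos code): Synchronized Application Control as a
firewall <-> endpoint exchange. Everything below is a constructed model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical signature table: (destination port, payload prefix) -> category.
SIGNATURES = {
    (443, b"\x16\x03"): "web-tls",   # TLS record header of a ClientHello
    (80, b"GET "): "web-http",
}

# Hypothetical vendor knowledge available to the endpoint agent:
# executable path -> application category. Unknown paths map to None.
PATH_CATEGORIES = {
    r"C:\Program Files\Finance\ledger.exe": "business-finance",
    r"C:\Users\bob\AppData\Roaming\uTorrent\utorrent.exe": "p2p",
}

# Hypothetical category -> action. Whatever stays unidentified is blocked,
# which is the "block what you cannot see" stance the text argues for.
POLICY = {
    "web-tls": "allow",
    "web-http": "allow",
    "business-finance": "allow-priority",
    "p2p": "block",
    "unidentified": "block",
}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class Endpoint:
    """Simulated endpoint agent: knows which executable owns each local socket."""
    ip: str
    sockets: Dict[int, str]  # local source port -> executable path

    def lookup(self, src_port: int) -> Optional[dict]:
        path = self.sockets.get(src_port)
        if path is None:
            return None
        return {"path": path, "category": PATH_CATEGORIES.get(path)}


@dataclass
class Firewall:
    endpoints: Dict[str, Endpoint]                                  # hosts that report in
    admin_overrides: Dict[str, str] = field(default_factory=dict)   # path -> category
    pending: List[str] = field(default_factory=list)                # awaiting admin

    def classify_by_signature(self, flow: Flow) -> Optional[str]:
        for (port, prefix), category in SIGNATURES.items():
            if flow.dst_port == port and flow.payload.startswith(prefix):
                return category
        return None

    def classify(self, flow: Flow) -> Tuple[str, str]:
        """Return (category, how it was determined)."""
        category = self.classify_by_signature(flow)
        if category:
            return category, "signature"
        endpoint = self.endpoints.get(flow.src_ip)
        info = endpoint.lookup(flow.src_port) if endpoint else None
        if info is None:
            # No agent on the host, or the socket is gone: nothing to ask.
            return "unidentified", "no-endpoint-answer"
        category = info["category"] or self.admin_overrides.get(info["path"])
        if category is None:
            # The endpoint named the executable but nobody has categorised it:
            # surface it to the administrator and treat it as unidentified.
            if info["path"] not in self.pending:
                self.pending.append(info["path"])
            return "unidentified", "endpoint:" + info["path"]
        return category, "endpoint:" + info["path"]

    def decide(self, flow: Flow) -> str:
        category, _ = self.classify(flow)
        return POLICY[category]


def demo_firewall() -> Firewall:
    """Constructed scenario: two managed hosts, one of them running an unknown tool."""
    return Firewall(endpoints={
        "10.0.0.5": Endpoint("10.0.0.5", {
            51000: r"C:\Users\bob\AppData\Roaming\uTorrent\utorrent.exe"}),
        "10.0.0.7": Endpoint("10.0.0.7", {
            52000: r"C:\Program Files\Finance\ledger.exe",
            53000: r"C:\Tools\ctl.exe"}),
    })


if __name__ == "__main__":
    fw = demo_firewall()
    for flow in (
        Flow("10.0.0.5", 51000, 6881, b"\x13BitTorrent protocol"),  # no signature hit
        Flow("10.0.0.7", 52000, 8443, b"\x00\x01LEDGER"),           # custom business app
        Flow("10.0.0.7", 53000, 9000, b"\x00\x02CTL"),              # unknown tool
        Flow("10.0.0.99", 40000, 9000, b"\x00\x02CTL"),             # host without agent
    ):
        print(flow.src_ip, flow.src_port, "->", fw.classify(flow), fw.decide(flow))
    print("awaiting admin classification:", fw.pending)
```

The design point is the fallback order: signature first, endpoint answer second, administrator override third, and a deny default for whatever remains. Setting an override for a pending path is the code equivalent of the administrator assigning a category in the console.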
Top users at risk
Research has shown that users are the weakest link in the security chain, and that patterns of human behavior can be used to predict and prevent attacks. Usage patterns can also illustrate how effectively corporate resources are used and where user policies need fine-tuning.
The User Threat Quotient (UTQ) helps the security administrator identify users who pose a risk, based on suspicious Internet behavior and a history of threats and infections. A high UTQ score may indicate unintentional actions due to a lack of security awareness, a malware infection, or deliberate action.
Knowing which of the user's actions produced the risk helps the network security administrator take the necessary steps: either educate users with high UTQ scores or apply stricter or more appropriate policies to control their behavior.
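As an added example, not Sophos's actual UTQ algorithm, the block below ranks users by a risk score computed from web-filter and ATP events, the two kinds of evidence the text says the score is built from. The key=value log format, the category weights, the ATP weight and the sample lines are all constructed assumptions; real XG logs use different field names.

```python
"""Added example (not Sophos's UTQ): a 'top users at risk' ranking from
constructed web-filter and ATP log lines. Format and weights are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events: web-filter verdicts plus one ATP (C&C) detection.
SAMPLE_LOG = """\
ts=2019-10-01T09:00:01Z user=alice src=10.0.0.7 event=web action=allow category=business url=https://crm.example.com/
ts=2019-10-01T09:03:12Z user=bob src=10.0.0.5 event=web action=block category=malware url=http://bad.example.net/invoice.exe threat=Mal/Generic-S
ts=2019-10-01T09:05:40Z user=bob src=10.0.0.5 event=web action=block category=proxy-avoidance url=https://hidemyip.example.org/
ts=2019-10-01T09:10:02Z user=carol src=10.0.0.9 event=web action=allow category=adult url=https://adult.example.com/
ts=2019-10-01T09:12:55Z user=carol src=10.0.0.9 event=web action=block category=phishing url=http://paypa1-login.example.net/
ts=2019-10-01T09:20:17Z user=bob src=10.0.0.5 event=atp action=drop dst=198.51.100.7 reason=c2-callback
ts=2019-10-01T09:31:08Z user=alice src=10.0.0.7 event=web action=block category=hacking url=https://exploit.example.org/
"""

# Hypothetical weights: how much one event in each category says about risk.
# Blocked or not, the attempt itself is the behavioural signal.
CATEGORY_WEIGHTS = {
    "malware": 10,
    "phishing": 8,
    "proxy-avoidance": 4,
    "hacking": 4,
    "adult": 2,
}
ATP_WEIGHT = 15  # a C&C callback is stronger evidence than any single web-category hit

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (assumed format)."""
    return dict(FIELD_RE.findall(line))


def event_score(ev: Dict[str, str]) -> int:
    if ev.get("event") == "atp":
        return ATP_WEIGHT
    if ev.get("event") == "web":
        return CATEGORY_WEIGHTS.get(ev.get("category", ""), 0)
    return 0


def score_users(log_text: str) -> Dict[str, Dict[str, int]]:
    """Per user: total score plus a breakdown of what contributed to it."""
    scores: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ev = parse_line(line)
        user = ev.get("user")
        points = event_score(ev)
        if not user or points == 0:
            continue
        key = "atp" if ev["event"] == "atp" else ev["category"]
        scores[user][key] += points
        scores[user]["total"] += points
    return {user: dict(breakdown) for user, breakdown in scores.items()}


def top_users(log_text: str, n: int = 3) -> List[Tuple[str, int]]:
    """The 'Top users at risk' list: highest total first, name as tie-breaker."""
    ranked = sorted(((user, b["total"]) for user, b in score_users(log_text).items()),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:n]


if __name__ == "__main__":
    breakdowns = score_users(SAMPLE_LOG)
    for user, total in top_users(SAMPLE_LOG):
        print(f"{user:8s} score={total:3d} breakdown={breakdowns[user]}")
```

The breakdown is what makes the score actionable: a user whose points come from one C&C callback needs an incident response, while one whose points come from proxy-avoidance attempts needs a policy or a conversation, which is the distinction the text draws between infection and unintentional or deliberate behavior.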

A wide range of reports out of the box
XG Firewall is unusual among UTM products in providing a comprehensive, wide selection of out-of-the-box reports at no additional cost. Of course, the centralized, stand-alone Sophos iView reporting platform is also offered if you need to aggregate reports from several XG units on a separate server; Sophos iView is free for up to 100 GB of logs. But most small and medium-sized organizations appreciate getting reports on the device itself, without the cost of additional storage systems.

XG Firewall provides a complete set of reports, conveniently organized by type, with several built-in dashboards to choose from. There are literally hundreds of customizable reports covering every area of XG Firewall, including traffic activity, security, users, applications, web, network, threats, VPN, email and compliance with industry requirements. Based on the audit results you can generate a PDF report on the security posture of the whole network, the Security Audit Report. You can schedule periodic reports by e-mail to yourself or other recipients, and save reports in HTML, PDF or CSV format.
Blocking Unknown Threats
Protection against the latest network threats requires a wide range of technologies that work together and can be managed by the administrator. Unfortunately, most products are more like a juggling act, with firewall rules in one area, web policy in another, SSL inspection somewhere else, and application control in a completely different part of the product.
Sophos believes that the most advanced security technologies are urgently needed, and that they must be easy to configure and manage, because improperly configured protection is often worse than none at all.
A commitment to simplicity has always been a key part of Sophos. More importantly, Sophos is willing to embrace change and take bold steps to provide the best level of protection and the best user interface.
Unified Rules Management
Firewall management can be incredibly complex. Many rules, policies and security settings get created, spread across different functional areas.

XG Firewall completely redefines how rules are organized and how security settings are managed. Instead of hunting for the right policies across the management console, everything is assembled on a single screen, both the rules and the controls. You can view, filter, search, edit, add, modify and organize all firewall rules in one place.
Rules for users, business applications, NAT and networks can be filtered so that you see only the policies you need, on one convenient management screen.
Indicator icons show important information about each policy, such as its type, status, usage and more.
Security management at a glance
XG Firewall simplifies the configuration and management of advanced protection by placing all settings on one screen.

You can configure the security and control settings for antivirus, SSL inspection, sandboxing, IPS, traffic shaping, web filtering, application control, Security Heartbeat, NAT, routing and prioritization in one place, and set rules for users or groups.
If you want to see exactly what any of those policies does, or change it, you can edit it in place without leaving the rule and moving to another part of the product.

Flexible authentication options make it easy to find out who is who; they include directory services such as Active Directory, eDirectory and LDAP, as well as NTLM, RADIUS, TACACS+, RSA, endpoint agents and the Captive Portal. The Sophos Transparent Authentication Suite (STAS) also integrates with directory services such as Microsoft Active Directory for simple, reliable and transparent user authentication. Sophos Authentication for Thin Client (SATC), installed on terminal servers, lets XG apply per-user policy to a specific application's traffic coming from a terminal server, probably the hardest case of all, since many users share the server's IP address.

Enterprise Web Filtering
Web filtering and control are a core element of any firewall, but unfortunately in most products the implementation is an afterthought. Sophos's experience in building enterprise web filtering solutions gave it the background and know-how to implement web policy management of the kind usually found only in enterprise secure web gateway (SWG) products costing ten times as much. A completely new top-down policy inheritance model lets you build complex policies simply and intuitively. Pre-built policy templates, available right out of the box, cover the most common deployments, such as typical work environments, data protection and more. This means you can deploy XG with finely tuned settings in a few clicks.

Sophos knows that web policy is one of the most frequently changed elements of a firewall, which is why considerable effort has gone into simplifying its management and configuration around user and business needs. You can easily configure users and groups, actions (block, allow or warn) by URL content, category, content filter and file type, and add or adjust restrictions by time of day and day of the week.
Web policies now include the ability to log and monitor, or even enforce, policies for dynamic content based on keyword lists. This feature is especially important in educational institutions for keeping children safe online: it reveals students using keywords related to suicide, bullying, radicalization or other inappropriate content. Keyword libraries can be uploaded to XG Firewall and applied to any web filtering policy as additional criteria, with actions to log and monitor, or to block search results or websites containing the keywords of interest.
Integrated reporting identifies matches between keywords and the users who searched for or retrieved content containing them. This lets you intervene proactively before an at-risk user creates real problems.
These powerful web policies are implemented simply and clearly.
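The following is an added example of keyword-based web policy of the kind described above; it is not Sophos's implementation. Keyword libraries carrying a "monitor" (log only) or "block" action are applied to the text a request exposes, namely the URL path and any search-query parameters, with word-boundary matching so that a keyword does not fire inside an unrelated word, and the most severe matching action wins. The libraries, their keywords, the parameter names and the URLs are constructed for the demo.

```python
"""Added example (not Sophos code): keyword libraries applied to web requests
with monitor/block actions. Libraries, URLs and parameter names are assumptions."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed keyword libraries. In practice these are uploaded lists; each
# safeguarding theme named in the text would be one library.
KEYWORD_LIBRARIES: Dict[str, Dict] = {
    "self-harm": {"action": "monitor", "keywords": ["suicide", "self harm"]},
    "bullying":  {"action": "monitor", "keywords": ["bullying", "bully"]},
    "weapons":   {"action": "block",   "keywords": ["make a bomb", "buy a gun"]},
}
ACTION_RANK = {"allow": 0, "monitor": 1, "block": 2}
QUERY_PARAMS = ("q", "query", "p", "search")  # assumed search-term parameter names


def normalise(text: str) -> str:
    """Lower-case and collapse punctuation so 'self-harm' matches 'self harm'."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def request_text(url: str) -> str:
    """Text a request exposes to policy: the decoded URL path plus search terms."""
    parts = urlsplit(url)
    terms: List[str] = []
    for name, values in parse_qs(parts.query).items():  # parse_qs decodes %xx and '+'
        if name in QUERY_PARAMS:
            terms.extend(values)
    return normalise(unquote(parts.path) + " " + " ".join(terms))


def match_keywords(text: str) -> List[Tuple[str, str]]:
    """All (library, keyword) pairs found in the text, whole words only."""
    text = normalise(text)
    hits = []
    for library, spec in KEYWORD_LIBRARIES.items():
        for keyword in spec["keywords"]:
            pattern = r"\b" + re.escape(normalise(keyword)) + r"\b"
            if re.search(pattern, text):
                hits.append((library, keyword))
    return hits


def evaluate(url: str, user: str) -> Dict:
    """Decide allow/monitor/block for one request and build the audit log line."""
    hits = match_keywords(request_text(url))
    action = "allow"
    for library, _ in hits:
        lib_action = KEYWORD_LIBRARIES[library]["action"]
        if ACTION_RANK[lib_action] > ACTION_RANK[action]:
            action = lib_action
    log = None
    if hits:
        matched = ",".join(f"{lib}:{kw}" for lib, kw in hits)
        log = f"user={user} action={action} url={url} keywords={matched}"
    return {"action": action, "matches": hits, "log": log}


if __name__ == "__main__":
    for url in (
        "https://www.google.com/search?q=how+to+commit+suicide",
        "https://example.org/news/bullying-at-school",
        "https://search.example.com/?q=how+to+make+a+bomb+at+home",
        "https://dictionary.example.com/define/bullish",   # no false positive
    ):
        print(evaluate(url, "student1"))
```

The "monitor" action produces a log line but does not change the verdict, which is what makes the reporting described above possible: the matches accumulate per user without the student seeing a block page. The word-boundary check is the caveat worth keeping; without it the "bully" keyword would fire on "bullish".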
Business Application and NAT Rules Templates
Anyone who has tried to set up web application rules for something like Exchange, SharePoint or a web server knows how complicated and error-prone it can be; the number of settings is bewildering. Predefined policy templates help protect standard business application servers quickly, easily and confidently: just select the desired server type from the drop-down list.
After you select one of the common business applications you want to protect, the configuration screen is pre-populated with the appropriate fields, which makes the job much easier. You then enter a few details, such as the domain, path and server information, and you are done.
Compare this with configuring WAF policies in any other product, which typically takes multiple screens and is complicated and confusing. Not so with XG Firewall.
Sandstorm Sandbox
Advanced threats such as ransomware are becoming more targeted and stealthy, so behavioral analysis of payloads (files downloaded or received by email) is urgently needed. Until recently, the sandbox technology required for this protection was available only to the largest companies. Now, thanks to cloud-based sandboxes such as Sophos Sandstorm, it is available even to the smallest business. For the first time, small and medium-sized organizations get access to a sandbox with deep learning technology that goes far beyond specialized on-premises sandbox solutions.
Sophos Sandstorm is a powerful cloud sandbox, simple and affordable, that uses deep learning to protect against the latest zero-day threats hiding in email and web traffic, the main attack vectors. It is tightly integrated into XG Firewall and very easy to configure; because it is cloud-based, it needs no additional software or hardware and does not affect the firewall's performance. Suspicious email attachments and downloads are automatically detonated in the cloud sandbox to observe their behavior before they are allowed onto your network.

Sophos Sandstorm provides payload analysis results at the XG Firewall Control Center and a wide range of detailed reporting on all files and threats analyzed and processed by the firewall.

While sandbox technology is becoming more common, XG Firewall with Sophos Sandstorm offers better protection at an attractive price, making it affordable for everyone.
Advanced threat protection
Advanced Threat Protection is needed to identify advanced threats, bots and other malware hiding on your network. XG Firewall uses a combination of malware detection, botnet detection and command-and-control (C&C) traffic detection. It correlates IPS, DNS and URL analysis to identify malicious traffic and immediately pinpoint not only the infected host but also the user and the process.

This sophisticated core security technology provides very simple but useful insight into advanced threats on the network. As mentioned earlier, the XG Firewall Control Center shows a simple traffic-light-style indicator for advanced threats on the network. When it is red, the firewall has identified and blocked an advanced threat. And if you use Sophos Synchronized Security with XG Firewall, it can go one step further and isolate the compromised system until it is cleaned up, to prevent data leakage or further communication with the attacker's servers.

Automatic incident response in 8 seconds
One of the features network administrators request most is the ability to respond automatically to security incidents on the network.
Sophos XG Firewall is a network security solution that can fully identify the source of an infection on your network and automatically restrict its access to other network resources in response. This is made possible by Sophos Security Heartbeat technology, which exchanges telemetry and status between endpoints and the firewall.
XG Firewall integrates the health information of connected hosts into its rules, so it can automatically restrict access to sensitive network resources from any compromised system until it is cleaned. Response time drops from hours to seconds.

Security heartbeat
Sophos Security Heartbeat (see the Habr article on Synchronized Security) exchanges information in real time between endpoints and the firewall over an HTTPS channel. This simple step of synchronizing security products that previously worked independently creates more effective protection against malware and targeted attacks.


Security Heartbeat can not only instantly report the presence of an advanced threat, but also transmit important information about the nature of the threat, the host and the user. Perhaps most importantly, Security Heartbeat can also be used to automatically isolate or restrict access for a compromised system until it is cleaned. This technology changes the way information security solutions work and respond to complex threats.
Security Heartbeat runs on workstations and servers. The Heartbeat can be in one of three states:
- Green: the endpoint is healthy and is allowed access to all relevant network resources.
- Yellow: a warning; the system may have a potentially unwanted application (PUA), may be out of compliance, or has some other problem. You choose which network resources systems in the yellow state may access until the problem is resolved.
- Red: the system is at risk of infection by an advanced threat and may be trying to contact a botnet or C&C server. Using Heartbeat security policies you can easily isolate systems in this state until they are cleaned, to reduce the risk of data loss or further infection.
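The block below is an added model of heartbeat-aware rules, serving both the three-state description above and the ATP isolation described in "Advanced threat protection"; it is not Sophos rule syntax. Each rule carries the minimum endpoint health it requires, the firewall keeps the latest Heartbeat status per host, and an ATP detection such as a C&C callback flips the host to red, after which the only rule it can still use is the one explicitly written for remediation traffic. The networks, rule names, the "missing" status for hosts without an agent and the sample hosts are constructed assumptions.

```python
"""Added example (not Sophos configuration): firewall rules that consult the
endpoint Heartbeat status, with ATP detection forcing a host to red."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Health ordering (assumption). "missing" = the host never sent a heartbeat
# (no agent); "none" on a rule means the rule does not require a heartbeat.
HEALTH_RANK = {"green": 3, "yellow": 2, "red": 1, "missing": 0, "none": 0}


@dataclass
class Rule:
    name: str
    src: str          # source network
    dst: str          # destination network
    min_health: str   # weakest heartbeat status still allowed to use this rule
    action: str       # applied when the rule matches and health suffices


# Constructed rule base; first match wins, as in a conventional rule table.
RULES: List[Rule] = [
    # Even a red (compromised) host may reach the remediation/update server.
    Rule("remediation", "10.0.0.0/24", "10.0.9.10/32", "red", "allow"),
    # Sensitive data only for healthy hosts.
    Rule("finance-db", "10.0.0.0/24", "10.0.5.0/24", "green", "allow"),
    # General internet tolerated in the warning (yellow) state.
    Rule("internet", "10.0.0.0/24", "0.0.0.0/0", "yellow", "allow"),
    # Guest network has no agents, so no heartbeat is required.
    Rule("guest-internet", "10.0.1.0/24", "0.0.0.0/0", "none", "allow"),
]
DEFAULT_ACTION = "deny"


class HeartbeatTable:
    """Latest status reported by each endpoint, keyed by IP."""

    def __init__(self) -> None:
        self.status: Dict[str, str] = {}

    def update(self, ip: str, status: str) -> None:
        if status not in ("green", "yellow", "red"):
            raise ValueError(status)
        self.status[ip] = status

    def on_atp_event(self, ip: str, reason: str) -> None:
        """ATP detection (e.g. a C&C callback) marks the host red immediately."""
        self.status[ip] = "red"

    def health(self, ip: str) -> str:
        return self.status.get(ip, "missing")


def evaluate(rules: List[Rule], heartbeats: HeartbeatTable, src: str, dst: str) -> Dict:
    """Match src/dst against the rules, then gate the match on source health."""
    s, d = ip_address(src), ip_address(dst)
    health = heartbeats.health(src)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            if HEALTH_RANK[health] >= HEALTH_RANK[rule.min_health]:
                return {"action": rule.action, "rule": rule.name, "health": health}
            return {"action": "deny", "rule": rule.name, "health": health,
                    "reason": f"health {health} below required {rule.min_health}"}
    return {"action": DEFAULT_ACTION, "rule": None, "health": health}


if __name__ == "__main__":
    hb = HeartbeatTable()
    hb.update("10.0.0.5", "green")
    print("healthy host to finance:", evaluate(RULES, hb, "10.0.0.5", "10.0.5.20"))
    hb.on_atp_event("10.0.0.5", "c2-callback to 198.51.100.7")
    print("same host after ATP:   ", evaluate(RULES, hb, "10.0.0.5", "10.0.5.20"))
    print("remediation still open:", evaluate(RULES, hb, "10.0.0.5", "10.0.9.10"))
```

Two caveats are built in. A host that never sends a heartbeat is not treated as healthy: it ranks below red, so it can only use rules that explicitly require no heartbeat, such as the guest rule. And isolation is not "deny everything": the remediation rule is placed first and accepts red, so the cleanup path the text relies on stays reachable.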

Only Sophos can offer something like Security Heartbeat, because only Sophos is a leader in both endpoint software and network security solutions. For example, see the NSS Labs Advanced Endpoint Protection test, 2019:
- No. 1 rating for security effectiveness, and
- No. 1 rating for value

Adding XG Firewall to any network is simple
The latest XG Series hardware offers more flexible deployment with fail-open ports on all 1U models and on the latest 2U FleXi Port modules. These ports let XG Firewall be installed in bridge mode alongside existing equipment, and if XG Firewall is powered off or rebooted for a firmware update, the ports keep traffic flowing without interruption (hardware bypass). This enables new deployment options that are completely safe and simple, without replacing the existing network infrastructure. What's more, the next-generation antivirus Intercept X works alongside any existing antivirus product, so you can deploy the complete Sophos Synchronized Security solution on any network without replacing anything.
It's Security Made Simple.

This article was written using the Sophos XG Firewall Solution Brief.
If you are interested in the solution, you can contact us, Factor Group, a Sophos distributor. Just write to sophos@fgts.ru in free form.