1. Sophos Network Security
Michal Hebeda
Presales Engineer

2. Agenda Sophos UTM – Unified Threat Management Sophos TMG replacement
Sophos XG – Next Generation Firewall
Question & Answers

3. How to choose? Buy your favorite Sophos Firewall Platform
Both are amazing platforms
UTM 9
XG Firewall
How can you do this?
Well, we just want you to sell your favorite Sophos Firewall platform… whether you feel more comfortable selling UTM 9 or XG Firewall in any given opportunity, is up to you... Both are amazing platforms.
UTM 9 is a great trusted platform that you and everyone else is intimately familiar with, we have a new relaase coming out immanently that we;ll talk more about in a minute, and you’ll be thrilled to know that it represents a fantastic and rewarding cross-sell opportunity for you with integrated support for our new Sandstorm sandboxing technology.
XG Firewall will also make sense for you in some obvious situations like anywhere there’s a Cloud Endpoint cross-sell opportunity that can take advantage of the Security Heartbeat. It’s an innovative platform with lots of new capabilities, but we understand many partners are still getting up to speed on this platform and waiting until the next major release before fully embracing it, which is completely understandable.
Trusted platform
Intimate familiarity
New release with UTM 9.4
Sandstorm
Innovative platform
New features and capabilities
Major new release coming v16
Security Heartbeat

4. SG Series XG Series SG Series vs XG Series with UTM 9 with SF-OS
But before we dive into the new hardware, I want to take a moment to remind everyone that when selling UTM 9, you’re selling SG Series… they come pre-installed with UTM 9. There’s no need to get the XG Series appliances... Those are identical hardware but come pre-installed with XG Firewall firmware and as some of you have found out, it’s not possible to re-image these to run UTM 9, so just make sure you order the right hardware for the job. There’s nothing new or special about the letters XG other than the firmware that comes factory installed.
Identical Hardware
Different Firmware

5. Sophos UTM

6. Our all-in-one approach
Complete Network Protection
Complete , web & network protection
integrated
Endpoint and Mobile integration
Networking features for high availability
and load balancing
VPN & wireless
extensions
Central, browser-based
management & reporting of all applications
Through the Sophos UTM family, we are able to provide an integrated complete solution for , web and network security.
The browser-based management interface allows for easy configuration of all functions with just a few mouse-clicks - also without vast knowledge of technical IT know-how. The Sophos UTM Manager (SUM) enables a central establishment and overview for larger and more wide-spread installations of up to hundreds of Sophos UTMs.
Sophos UTM provides the same functions on all appliance models: hardware, software and virtual, allowing for more flexible deployment scenarios.
The Gateways are supported by tools which help extend your functionality for smooth daily business operations:
Sophos RED offers complete and centrally administered VPN connectivity and UTM security for remote offices and can be configured in minutes - without the need of local IT personnel.
With Sophos Wireless Protection, you are able to easily connect our Access Point devices with your UTMs security features.
Sophos VPN Clients provide mobile employees with secure and easy to administer remote access to the corporate network.
The Sophos UTM Smart Installer (SUSI) is a bootable USB device, with which you are able to easily install the latest version of UTM software.
Networking features such as high-availability (HA), clustering, server and WAN link balancing provide constant reliability and scalability for your deployment, usually available only to enterprise solutions.
Endpoint Protection offers the chance to use the UTM as a central controller for AV and Device Control on Endpoints.
Software Appliance
Flexible Deployment
Virtual Appliance
© Astaro 2008

7. Deployment models Flexible options for deployment Cloud Software
Virtual
Hardware

8. Hardware Licensing TOTAL PROTECT = FULLGUARD + SG APPLIANCE + SUPPORT
1. Choose your protection subscription (1-3 year terms)
2. Choose your Add-Ons
(Sold Separately)
3. Choose your appliance based on capacity
4. Choose your support level
Essential Firewall (Free)
Network Protection ($)
Web Protection ($)
Protection ($)
Wireless Protection ($)
Web Server Protection ($)
SUM (Free)
iView ($)
RED ($)
APs ($)
Endpoints ($)
UTM Standard
UTM Premium
For our smallest customers we offer BasicGuard – a FullGuard ‘lite’ subscription available with SG 105 and SG 115 models
After you have chosen your platform you can add subscriptions whenever needed.
Every UTM comes with a free Essential Firewall license which provides fundamental security features activated for the protection of company networks.
This basis can be flexibly extended through optional subscriptions for Network, Web, Mail, Webserver and Wireless Protection and also for Endpoint Protection.
Buying all subscriptions in one single Full Guard bundle provides complete security at a very attractive price.
FullGuard
TOTAL PROTECT = FULLGUARD + SG APPLIANCE + SUPPORT

9. Software/Virtual Licensing
Choose your protection subscription (pricing by # IP addresses and term)
2. Choose your Add-Ons
(Sold Separately)
3. Choose your support level
Essential Firewall (Free)
Network Protection ($)
Web Protection ($)
Protection ($)
Wireless Protection ($)
Web Server Protection ($)
SUM (Free)
iView ($)
RED ($)
APs ($)
Endpoints ($)
UTM Standard (Free)
UTM Premium ($)
After you have chosen your platform you can add subscriptions whenever needed.
Every UTM comes with a free Essential Firewall license which provides fundamental security features activated for the protection of company networks.
This basis can be flexibly extended through optional subscriptions for Network, Web, Mail, Webserver and Wireless Protection and also for Endpoint Protection.
Buying all subscriptions in one single Full Guard bundle provides complete security at a very attractive price.
FullGuard

10. Fullguard promo – till
With Fullguard or Fullguard Plus 3 years order
Discount 100% on HW SG series
Save 2x
Fullguard for 3 years is cheaper than 3 times 1 year
Hardware for free

11. SG Series Appliance Portfolio
Desktop
Rack 1U
Rack 2U
Hardware
Appliance
SG 105 / 115
SG 125 / 135
SG 210 / 230
SG 310 / 330
SG 430 / 450
SG 550
SG 650
Category
Small
Desktop
Medium
Midrange 1U
Large
High-end 2U
Network Ports (standard) 4 8 6
6 & 2 SFP
8 (FleXi Port)
FleXi Port Expansion Bays
n/a 1 2 3
Redundancy
2 SSD (RAID) &
2nd hot-swap power optional (SG 450 only)
2 hot-swap
SSD (RAID)
2 hot-swap power supplies
Software
Runs on dedicated Intel compatible PCs and servers
and within virtual environments like VMware, Citrix, Hyper-V, KVM and other virtual environments

12. Modular Security features
Enterprise-class security for small and mid-market organizations
Device Control
AntiVirus
Web-in-Endpoint
Endpoint
Protection
Wireless Controller for Access Points
Multi-Zone (SSID) support
Hotspot Support
Wireless
Protection
Network
Protection
Intrusion Prevention (IPS)
Client & Site-to-Site VPN
Quality of Service (QoS)
Advanced Threat Prot. (ATP)
Stateful Firewall
Object based rules
User self-service portal
Essential
Firewall
Reverse Proxy
Web Application Firewall
Antivirus
Web Server
Protection
URL Filtering Policies
Web Threat Protection
Application Control
Web
Protection
For every Sophos UTM, a free Essential Firewall license is available. This license provides the base functionality with fundamental security features activated for the protection of company networks. This basis can also be flexibly extended through optional subscriptions for Sophos Network, Web, Mail, Web Application and Wireless Security.
Many providers of UTM solutions list in their datasheets a large number of functions. Often enough however, certain product features are only rudimentarily implemented. For example, some manufacturers talk about spam protection when they only employ a single mechanism such as RBL lists. Effective spam protection is only reached however through a combination of different techniques, which are specialized in recognizing certain spam methodology. Enterprise solutions and Sophos UTM solutions work in this way.
Anti Spam & Phishing
Dual Virus Protection
DLP & Encryption
Mail
Protection
© Astaro 2008

13. Individual user portal
Simple management
Simple management is one of the most important aspects for an all-in-one security solution.
Esepcially designed for the requirements of small and middle sized companies, all features can be easily used without much technical security know-how. For this reason, every function can be configured via an intuitive browser-based user interface in many different languages.
The intuitive dashboard provides a quick overview about the current status of the Gateway, for example the resources used, active connections and recognized malware.
The UserPortal allows every user to see their individual mail log, manage their own spam quarantine or install their own VPN Client configuration with a single mouse click. This saves the administrator much time.
Extensive log data, which is stored in a local database, allows the generation of many easy to read reports.
Especially in their own user friendliness, many of today's UTM solutions come up short.
Intuitive Dashboard
Individual user portal
Extensive reporting
© Astaro 2008

14. High availability (Active/Passive)
deactivated
Master
Internet
Status & config synchronization
Sophos UTM Protection makes it easy to keep your inboxes clear of viruses and spam. Dual yet individual virus engines operate in parallel to scan and block threats in content before it has a chance to enter the network. Astaro Mail Security stops spam, phishing and other unwanted before it gets delivered and clutters up mailboxes. The combination of many different recognition mechanisms offer a high hit rate and low amount of false positives.
We give you handy management tools to make life easier for you and your users. And we let you secure that leaves your business with encryption options.

15. High availability (Active/Active)
High Availbility
Active / Active
Master (balancing)
Slave
Cluster nodes
Sophos UTM Protection makes it easy to keep your inboxes clear of viruses and spam. Dual yet individual virus engines operate in parallel to scan and block threats in content before it has a chance to enter the network. Astaro Mail Security stops spam, phishing and other unwanted before it gets delivered and clutters up mailboxes. The combination of many different recognition mechanisms offer a high hit rate and low amount of false positives.
We give you handy management tools to make life easier for you and your users. And we let you secure that leaves your business with encryption options.
Scalability
Fully meshed
Fully meshed
LAN

16. Overview Other devices and software… Access Points
RED (Remote Ethernet Device)
In addition to the Sophos UTM itself, there are additional devices and software that can be used with it:
The Sophos RED, Remote Ethernet Device, provides plug and play layer 2 VPNs for small branches and acts like a virtual Ethernet cable back to the main office
Sophos wireless access points provide centrally managed, plug and play secure Wi-Fi
Sophos’ SSL and IPsec VPN clients for remote access
The Sophos UTM Manager software, SUM, provides central management of multiple UTM appliances
Sophos Firewall Manager
VPN Clients

17. Sophos RED Simple, plug & play branch office security
Securely connect remote locations
Completely configuration free
Flexible deployment options
Same protection for all offices
Fully encrypted traffic
Centrally managed
No added licenses or maintenance
Tunnel compression for RED RED 50
Sophos RED offers you a centrally managed appliance that makes it easy and affordable to connect branch offices back to your headquarters and keep their Internet access secure.
- No local IT knowledge is required at the remote site
- There are no maintenance and no recurring costs for branch offices
- They can plug&play UTM security direct from your head office
- You only need one global security policy

18. Sophos RED – how to deploy
RED Provisioning Service
3. RED device deployment
1. Cconfigure RED device
2. Configuration save
5. Sign in using RED ID
6. Configuration download
Main office
Branch office
Internet
Enable RED Management on the UTM and add the RED using its unique ID
The UTM will register itself with the RED Provisioning Service using TCP 3400 & UDP 3400/3410 If registration fails use the RedAlert.exe to check connectivity to the RED Provisioning Service:
Ensure the correct public IP/hostname for the UTM is in the UTM hostname field
The UTM will send the configuration to be stored on the RED Provisioning Service with the RED ID
Deploy the RED in the branch office by connecting it to an Internet router and power
The RED will get a local IP address from DHCP
The RED requires DHCP to provide an IP address and route to the Internet
If there is no DHCP, the RED will try a 3G/UMTS connection. If there is no connection or no 3G stick it will reboot
If there is no DHCP and no 3G, the RED will try default static network configuration of:
IP: /24
GW:
If this does not work it will fail back to DHCP
Ensure it can connect to the RED Provisioning Service and use the RedAlert.exe tool again if required
The RED will connect to the RED Provisioning Service and sends its unique ID to download the configuration data using TCP 3400
The RED will receive its configuration from the provisioning server. At this point the RED will usually have to update its firmware
A firmware update is indicated by all the LEDs flashing. Do not unplug the RED while it is updating
The RED will create a tunnel to the UTM using TCP/UDP If this fails:
Check configuration of IP/hostname for the UTM
Check DHCP server to see if RED has received an IP address
Try to ping the RED on the WAN port
Interface of router connected to RED WAN port is down
Deactivate authentication mechanisms on the interface of the router connected to the RED WAN port
7. Setup Layer 2 Tunnel
RED
4. Obtain local IP
(DHCP)
Internet Router
UTM

19. Sophos RED – specification

20. Sophos Access Points Portfolio
New AP 15C (Support with UTM 9.4 only)
AP 15
AP 15C
AP 55
AP 55C
AP 100
AP 100C
AP 100X
Deployment
Desktop/wall
Ceiling
Outdoor wall-mount
SOHO
Larger offices, high density
Ceiling-mounted for larger offices
Enterprise dual-band/dual-radio
Maximum throughput
300 Mbps
867 Mbps Mbps
1.3 Gbps Mbps
Multiple SSIDs 8
8 per radio (16 in total)
Tech. Specification
Supported WLAN Standards
2.4 GHz
2.4 GHz or 5 GHz
2.4 and 5 GHz
Number of radios 1 2
MIMO capabilities
2x2:2
3x3:3
The Sophos Access Point portfolio also gains a new member of the family, the AP 15 gets a ceiling mound model with similar specs to the desktop AP 15 however, this new AP offers the choice of either 2.4GHz or 5GHz operation for it’s single radio.
As with the RED 15w, the AP 15C will be supported first in UTM 9.4 and will come to XG Firewall in a future update to SF-OS.

21. Available as a Software/Virtual ISO
Sophos iView
Dedicated Reporting Appliance for Centralized Reporting
Added Visbility
Increased depth and breadth of reporting
Over 1000 built-in reports and views
Compliance reporting: HIPAA, PCI DSS, GLBA, SOX
Fully customizable reports & views with extensive drill-down capabilities
Consolidated Reporting
Centralized reporting across multiple UTMs
Works out-of-the-box with all Sophos UTMs
Single centralized view of all network activity
Great for larger organizations and MSPs
Security Intelligence
Identify issues before they become problems
Rich dashboard and detailed traffic reports offer intelligent insights
Easily monitor suspect users or traffic anomalies
Quickly identify attacks on your network
Log Management
Backup and long-term log storage
Automated backups of all UTM logs for long-term storage
Eliminates reporting gaps if replacing/upgrading a UTM
Quick access and retrieval of historical data for audits and forensics
For those of you that may not know… Sophos iView is our first product collaboration with Cyberoam. This is a product that we’ve worked with them on bringing to the sophos UTM product line as an add-on that extends and enhances our on-box reporting. It will be sold as a virtual appliance only with licensing including support and based on term and storage needs. It will work out of the box with Sophos UTMs and offers a number of great features that will appeal to many organizations such as…
Added visibility, adding a bunch of additional reports and views, including reporting that meets compliance requirements for standards like HIPAA, PCI, and a few others.
It also offers a lot of additional views and customization options that will appeal to the nerdy IT admin.
Another key benefit it provides is consolidated reporting across multiple UTMs which will be huge for MSPs and larger organizations with more than one UTM.
It also provides some good insights into traffic trends that may allow admins to identify problem users or attacks on their network
And it provides great log management for backup and long-term storage so if a UTM needs to be replaced all the historical reporting is not lost and makes retrieval easy for audits or forensics
It’s a great new addition to the UTM line up, particularly for customers wanting more breadth and depth of reporting, those who need to meet compliance requirements, or those managing networks with multiple UTMs. It’s coming at the end of Sept.
Available as a Software/Virtual ISO

22. Sophos UTM Manager (SUM) – No Charge
Centralized Management of Multiple UTMs
Multi-tenant
Real-time monitoring
Aggregated reporting
Inventory management
Device maintenance
Configuration templates
Access management
New automated licensing
Included at no extra charge!
Available as a Software/Virtual ISO

23. Elevated Threat Protection made Simple
Sophos Sandstorm
Elevated Threat Protection made Simple
New breach detection platform
Powerful cloud-based next generation sandbox
Targeted attack protection, visibility and analysis
Detects , blocks and responds to evasive threats
Sophos UTM is one of our first products to benefit
So what does Sophos Sandstorm bring to the table?
It… <read bullets>
Ultimately Sophos Sandstorm will be integrated into several Sophos products and platforms, but Sophos UTM is one of the first, which just reinforces our commitment to this platform.

24. How it works Sophos Sandstorm Determine Behavior Suspect Control
Cloud
Determine Behavior
HASH
How does it work?
First of all, if the file contains known malware or bad URLs it will be blocked by the threat protection engine.
Then if it’s a suspicious file like a PDF with active content, a hash is generated from the file and sent to Sandstorm to see if this file has been seen before. If it has, a decision can be rendered to allow or block it right away.
If it hasn’t been seen before the file is sent up to Sandstorm for analysis. There it will be detonated and monitored for a few minutes, during which time the user sees a patience screen in their browser keeping them appraised of what’s going on.
Once a decision is made, the file is either blocked or allowed accordingly and a report generated.
Suspect
Control
Report

25. Advanced Sandboxing made Simple
Enabling Sandboxing
Then enabling it is as simple as selecting the option to use it in Web or filtering

26. Advanced sandboxing made Simple
Monitoring Activity
The admin can monitor Sandstorm activity to see how the solution is peforming… including the number of suspicious files detected, those excluded by policy, those that were determined malicious and those that were cleaned or sent for further analysis.

27. Advanced sandboxing made Simple
User Patience Page
End users who download content that requires sandboxing will see a patience screen appear while the file is analyzed in Sandstorm. The whole process can take a few minutes, but it’s well worth the wait for suspicious content.
When the analysis is finished and the file is determined safe, the user can access the file.

28. Advanced sandboxing made Simple
Detailed visibility
There’s a full history of all the analysis done by Sandstorm with complete details on the result of each file analyzed.

29. Advanced sandboxing made Simple
Detailed visibility
There’s a full history of all the analysis done by Sandstorm with complete details on the result of each file analyzed.

30. How Sophos Sandstorm Rises Above the Competition
Simple
Easy to try – sign up easily for a free trial in MyUTM
Easy to deploy – simply activate the policy
Easy to manage – all from within the UTM console – no special staff required
Effective
Blocks evasive threats - detects threats designed to evade sandboxes that other solutions miss
Effective control – simple, efficient policy control
Visible protection – granular incident based reports anyone can understand
Cloud-based
Rapid deployment - instant protection with no hardware to deploy or appliance upgrade needed
Minimal impact on performance – all processing done in cloud
Collective intelligence – benefit from all customer threat analysis
Sophos Sandstorm offers a number of compelling advantages over competitors sandboxing solutions.
It’s simpler than any other sandboxing solution out there, it’s very effective, and it’s cloud based with one of the benefits being that all customers instantly gain the benefits of any analysis being done on any other customer’s suspicous files, ultimately providing better, faster protection.

31. Elevated Threat Protection made Simple
Sophos Sandstorm
Elevated Threat Protection made Simple
Enterprise-grade protection without the enterprise price-tag or complexity!
But best of all, Sandstorm is super affordable for small and medium sized businesses to deploy in their environments. They don’t need specialized infrastructure or staff. It really is enterprise-grade protection without the enterprise price tag or complexity.

32. TMG replacement

33. TMG replacement

34. TMG replacement

35. TMG replacement

36. TMG replacement Next steps: Visit www.sophos.com/TMG
TMG replacement guide available
TMG replacement administrators guide available

37. Sophos XG

38. XG Firewall – The next-thing in next-gen
Heartbeat
Coming Soon!
Sophos Firewall OS (SF-OS) New Firewall Operating System and Software Platform
Proven Appliances Identical to SG Series except come preloaded with SF-OS
Security Heartbeat Support for Security Heartbeat with Sophos Cloud Endpoints
Migration Tools Enabling an easy migration from UTM 9 to SF-OS
Sophos Firewall Manager (SFM) New on-premise Centralized Management
Sophos Central Firewall Manager (CFM) Centralized Firewall Management in the Cloud (for partners only initially)
Sophos iView Reporting Updated on-premise Centralized Reporting

39. Familiar Deployment Options: Software, Virtual, Hardware
Similar Deployment Options to UTM 9
Software
Bring your own hardware
Compatible with Intel x86 platforms
Virtual
Vmware, Hyper-V, Citrix XEN, KVM
Flexibility regarding resource assignment and high availability
Great for demos, testing
XG Series Hardware
Full range of hardware appliances
Same as SG Series – come pre-installed with SF-OS
SG Series are upgradable to SF-OS
Deployment options with XG Firewall should be familiar. Like UTM 9, the XG Firewall offers industry leading deployment flexibility as a software, virtual or hardware appliance.
In fact, XG Series supports all the same deployment options as the UTM 9 product with the exception of Amazon Web Services…
<advance>
AWS and Azure cloud support will follow in a subsequent release of XG firewall.
Amazon Web Services (AWS) and Azure Support Coming Soon!

40. Security Heartbeat™ Advanced Threat Protection
Network and Endpoint working better together to revolutionize advanced threat protection
Advanced Threat Protection
Accelerated Discovery Endpoint and network protection combine to identify unknown threats faster.
Active Identification Reduces time taken to identify infected or at risk device or host by IP address alone.
Automated Response Compromised endpoints can be automatically isolated or restricted by firewall policies based on Heartbeat™ status.
Suspect Endpoint
XG Firewall
1. ATP detects and blocks suspect C&C connection
2. Context requested from Endpoint
3. Full information exchanged (user, process, etc.)
4. Admin notified about ATP event including context
Heartbeat in Network Policies
Endpoints
Internet
XG Firewall
No Security issues
Unwanted Application
Compromised
Automatically isolate systems with Red Heartbeat
Set more restrictive policies for systems with Yellow Heartbeat
Infected
Server

41. XG 85
XG 105 XG 115
XG 125 XG 135
XG 210 XG 230
XG 310 XG 330
XG 430 XG 450
XG 550
XG 650
XG 750

42. Positioning for new models – XG 85(w)
XG 85/ XG 85w
Introduced due to demand for lower cost model
Same chassis as XG/SG 105/115 but no VGA port
Some differences to other models:
8 GB Flash memory
Does not support on-box reporting (use iView free option)
No dual AV, Sophos only
‘w’ model 2 x 2:2 MIMO
Who to target
Price sensitive small office, retail, home office
The XG 85w was introduced to help meet demand in some opportunities for a lower cost model. It shares the same chassis as the 105 and 115 but lacks a VGA port. Some other differences include a limited amount of storage, meaning that iView is required to do reporting from XG 85 devices. It also only supports single AV engine scanning… no dual engine scanning, and is 2x2 MIMO with Wireless N support up to 300Mbps.
It’s really ideal for very price sensitive opportunities where a low cost device is required for multiple retail operations or very small offices or even home office use.

43. Positioning for new models – XG 750
Opens up additional enterprise opportunities
2U chassis
8 FleXi Port bays (1 x 8 GE copper included) – max 64 ports
Hot swap SSDs, redundant power supplies and fans
Different manufacturer, so different FleXi Ports
Who to target
Large enterprise, datacenters, MSPs
The XG 750 sets a new bar for high-end firewall performance and features that will appeal to larger enterprise customers. It has a 2U chassis with 8 flexi-ports that means it can be equipped with up to 64 Gigabit ethernet ports. It also offers hot-swap redundancy for the SSD drives and power supplies.

44. Welcome to XG v16!

45. Synchronized Security
What’s new in v16…
Key Focus Areas
User Experience
Feature Gaps
Synchronized Security
Addressing your top concerns across all areas of the product from navigation to policy to logging and more.
Over 100 new features and closing 35 feature gaps with UTM 9 across web, , OTP, and many other areas.
Adding new Synchronized Security Features to the arsenal to improve protection, enforcement, and reporting

46. Top New UX Features New Left Nav
Tabs for 2nd Level Nav Enhanced Control Center Widgets
Redesigned Web Policy
Direct access to live log viewer from any screen

47. New Firewall Network and Device Feature
Firewall Hostname
Cloning of rules, objects, and policies
Per-rule routing
Policy routes
Firewall-to-Firewall RED Tunnels
Country filtering improvements
Improved NAT Business Rule Creation

48. New Email Features Per domain routing Full MTA – store and forward
Enhanced anti-spam
SPX Reply Portal

49. Security Heartbeat Analytics Next-Gen Firewall Wireless Web Email
Disk Encryption
UTM
File Encryption
Endpoint
Next-Gen Endpoint
Mobile
Server
Cloud
Intelligence
Centralized Policy
Management