Sophos UTM – Endpoint meets Gateway
Jonathan Hope Channel Manager – Network Security UK & Ireland
Email Data Endpoint Mobile Web
Complete Security
UTM
Sophos UTM
Sophos UTM: Sophos complete security integrated into a single appliance
UTM 9:
Endpoint Protection and Mobile Control: protecting communication and data directly at the endpoint
Web and Email Protection: optional features for flexible UTM protection at the perimeter
Network Protection: firewall, intrusion prevention, VPN & wireless protection at the perimeter
Web
Endpoint
Data Mobile
Network
UTM
Flexible Licensing
Flexible Deployment
Hardware Appliance Software Appliance Virtual Appliance
Flexible Management Resellers
End-User Managed
MSPs Cloud Service
Resellers & MSPs Outsourced
Product Certifications
VMware Ready
Recognizes solutions that are interoperable and optimized for VMware platforms.
ICSA Labs Firewall Certification
Security industry's central authority for research, intelligence, and certification testing of products.
Common Criteria – EAL 4+
First Unified Threat Management appliance to receive the coveted Common Criteria certification.
TOLLY Up-to-Spec Certified
Certified by an independent test lab.
IPv6 Ready
Certified by an independent test lab.
Reference Customers
Essential Firewall
Network Security
Web Security
Mail Security
Web Application Security
Wireless Security
RED – Branch Security Reinvented
Routers for private users
Low-end UTM Appliances
MPLS and Managed VPN Services
Available Options
The easiest and most economical way to secure your branch offices in a few minutes – without the need for technical personnel at the remote site!
Sophos RED
Appliance can be delivered without configuration
A0410230401
Internet
TUNNEL
Computer
Headquarters
Branch Office
Simple Deployment
Astaro Command Centre
• Real-Time Monitoring
• Aggregated Reporting
• Inventory Management
• Device Maintenance
• Central Configuration
• Access Management
Complete Security, the unfair advantage
Sophos UTM V9
Product Rebranding
Redesign
• Change the look of Webadmin GUI (color, fonts and icons, no structural changes) -> Sophos UTM 9
• Change the look of appliances (colors and logos) -> Sophos UTM110/120, 220, 320, 425, RED10 & AP10/30/50 done
Renaming
Astaro Security Gateway 220 -> Sophos UTM 220
ASG Web (Mail…) Security -> UTM Web (Email…) Protection
Astaro RED10 -> Sophos RED10
Astaro AP30 -> Sophos AP30
Astaro Command Center -> Sophos...
New Hardware Design
New GUI
Sophos AV Engine integration
• Add Sophos Anti-Virus (SAV) Engine as Secure-Mode
• Pattern-based engine
• Sophos Live-Protection Engine (SXL) will be added as Fast-Mode
• Realtime-Lookup of File/URL Checksums against Sophos Labs
• Needs no Pattern Update
• Detection rate at >99% compared to SAV
• 5-6 times faster
• Avira becomes secondary AV engine for dual-scan mode
• ClamAV engine removed
The marriage of gateway and endpoint protection
Central, browser-based management & reporting of all applications
VPN & wireless extensions
Flexible Deployment
Software Appliance
Virtual Appliance
Complete email, web & network protection at the gateway
Networking features for high availability and load balancing
Endpoint Security & Mobile Control
Integral Endpoint Management
Sophos UTM V9 Endpoint Security in UTM
Branch office
Internet
Central office
Roadwarrior
Broker
Service
Mobile user
(UTM 9.2)
Policies
Policies, Events,
Updates
Policies, Events,
Updates
PROTOTYPE
Sophos UTM V9 Endpoint Security in UTM
UTM 9.0: Clientless SSL-VPN
• Browser-based, Pure HTML (NO Java or Active-X required)
• Support for VNC, RDP, SSH, Telnet, WebUI and WebApps
• Mobile Support for Apple iOS, Android
Grant secure, trusted access to internal systems for maintenance
#1 Feature Request at http://feature.astaro.com
UTM 9.0: Hotspot support
• Aka "Captive Portal"
• Operating-Modes:
• Disclaimer-Page
• Password of the Day
• Guest-Registration within the EndUser-Portal
• Customization of the Portal-Site
• Part of the Wireless Subscription
Protect Internet Access for Guests in Companies, Hotels and other places
#2 Feature Request at http://feature.astaro.com
Easy Setup
UTM 9.0 – other new features
Networking
• DHCP Options Support
• DHCP Server "Relay Mode"
• Network Definition Ranges
• Export of Netflow/IPFIX Records
• Interface Groups in Multi-Path rules
• IPv6 Support for Dynamic Interfaces
• DHCPv6: Clients with static mappings only
• Improved 3G Modem Support
• Load Sharing between multiple BGP uplinks
• Various QoS Improvements
• Bridge
Network Security
• 1:1 NAT Rules
• Reorganize NAT Tab
• Multiple Objects in packetfilter rules
• Make user VPN configs available to admin
• SSL VPN Client without admin rights
• Update OpenSSL to > 1.0
• Cyrillic language support for SSL-VPN
• Add hidden confd flags to limit/disable logging functionality
• Ship Snort engine as a pattern
• IPv6 NAT
• ICMP forward should only be outgoing
• NAT: Show rule numbers for "log initial packets"
• IPv6 Support for GEOIP
Web Security
• AppAccuracy Program
• Configurable NAVL Classifier connlimit
• 'Youtube for Schools' Support
Web Application Security
• Site Path Routing
• Hot-Standby support for backend servers
• Form hardening: check HTTP request method
Mail Security
• Improve Listbox Widget
• Notifications for blocked outgoing mail
Logging/Reporting
• Show license info in Executive Report
• Improve performance of userlog_read for the Management tab
WebAdmin/GUI
• Customize Title for WebAdmin
• Add “+” expanders to customization GUI
• Add constant Live-Log button to WebAdmin TOP
• Show active sessions and logged in users
• Customizable Dashboard
• Global Object Search
• LCD4Linux Improvements
HA/Cluster
• Keep unit reserved during Up2Date (Cold-rollback)
• Sync conntrack node id
Kernel
• Kernel Update
• Performance: AFC low hanging fruits
• Performance: MMAPed nfnetlink
• Drop uniprocessor kernels
Installer
• Improve SSD support
Up2Date
• Support installation of newer revisions of the same version
Confd/Middleware
• Store shell login passwords in the Confd storage
• Hide passwords from debug log
Infrastructure
• Patterns
• Misc
LCD: integrate new LCD program
[Timeline: months across 2012 and 2013]
Release 9.0
• GUI in Sophos Design
• SAV Integration
• UTM Endpoint Protection
• Device Control
• AV & HIPS
• Clientless SSL VPN
• Hotspot support
Release 9.1
• Improved Endpoint Protection
• Web Filtering (policy sync.)
• Client Firewall (policy sync.)
• DLP
• Full Disk Encryption
• Mac OS support
• Improved Wireless Security
• Repeater, Wireless IDS, Rogue AP detection
Release 9.2
• Improved Endpoint Protection
• App.Ctrl (client/GW comm.)
• Device & Media Encr.
• VPN client
• UTM Mobile Control
• Remote Lock & Wipe
• Central App. Mgmnt.
• Email Access Mgmnt.
UTM 9.X Roadmap
• UTM 110/120, 220, 320 rev.5 (GA: Mid Feb.)
• Rebranded versions of existing ASG appliances
• Double RAM size
• UTM 425 rev.5 (GA: Mid Feb.)
• New model with Intel Sandy Bridge platform
• Intel Quad Core i5 CPU
• 8 GB RAM
• 6 GE Copper + 2 SFP Ports
• UTM 525/625 rev.5/2 (GA: Q3)
• New models with Intel Sandy Bridge e5 platform
• Multiple 10G ports
• Modular Interfaces
Hardware Roadmap
Access Points
• AP 50 (Shipping)
• Supports 5 & 2.4 GHz bands
• GE interface
• POE+ injector included
• For medium sized offices (~50 users)
• AP 5 (GA: Q3)
• USB Access Point
• Add wireless capabilities to every RED 10 rev.2/3
• Centrally Managed out of UTM
• Pricing < 100 €/$
RED
• RED 10 rev.3 (Shipping)
• Rebranded version of existing RED 10
• RED 50 (GA: Q2/Q3)
• For medium sized offices (~50 users)
• 1 USB
• 4 GE LAN ports
• 2 GE WAN ports for load balancing and failover
• VRED 10 (Upon request)
• Virtualized Version of RED10
• Used to interconnect virtualization environment
• VMware Image
Planned features:
• Rebranded version -> Sophos UTM Central Manager?
• Increased Bandwidth efficiency
• Increased Scalability
• Central license management
• MSP license management
• Global EP policy management
Astaro Command Centre
Gateway Products
Sophos and the Cloud
• Cloud Connectors
• RED Product Line
• Astaro Security Gateway with VPC Connector
• Cloud Security
• UTM in the Cloud
• Live Protection
• Cloud Management
• Astaro Command Center in the Cloud
• Security as a Service product (Endpoint & UTM)