New versions of the Endian and Sophos UTM solutions

With Sophos Labs, the manufacturer maintains a worldwide big data analysis network that examines email, URLs, files, and IP addresses for reputation and potential malware and identifies botnets and their command and control (C&C) servers around the clock. The new version of Sophos UTM integrates Sophos Labs data and detects botnet traffic even without extensive analysis of the data stream. The dashboard has a new icon that alerts you if the firewall detects botnet traffic, and the firewall also blocks the infected hosts.

At the same time, performance of the Intrusion Prevention System (IPS) has improved noticeably. It now automatically adjusts the system settings to match the hardware appliance model, while also automatically disabling patterns that are no longer relevant for intrusion detection and prevention based on a pattern-aging system. Command-line enthusiasts will enjoy the new ipsctl tool, with which the IPS system can be easily managed in the shell.

Another welcome addition is two-factor authentication with one-time password (OTP) tokens. It safeguards, for example, VPN connections and access to the User Portal or the admin console with an additional one-time password, which the user appends to the existing static password. The Google Authenticator app is one possible one-time password generator (Figure 6), but you can also use hardware tokens and other applications that support the OATH/TOTP standard.

Figure 6: The setup of the new two-factor authentication feature, using Google Authenticator, is handled by means of an automatically generated QR code.

The integrated two-factor authentication, however, works only with the firewall's own services, not with external applications such as Outlook Web Access.

The following steps illustrate an example using Google Authenticator:

1. If you have not already done so, enable the User Portal (Management | User Portal | Global | Enable User Portal). Under Approved networks, add at least Internal (Network).

2. Enable the Definitions & Users | Authentication Services | One-Time Password function and uncheck the All users must use one-time passwords box.

3. Drag and drop all users you want to authenticate via OTP into Users & Groups to add them.

4. Enable Auto-create OTP tokens for users and check User Portal.

5. Install the Google Authenticator app following the instructions online [11].

6. Log on to the User Portal with the previously selected user and password on https://IP web interface. This displays a QR code for scanning with the Google Authenticator app.

7. In the Google Authenticator app, press the pencil icon, then tap the plus sign at the very bottom and scan the QR code.

8. Sign in with the username and password, appending the one-time code from Google Authenticator to the password.

These steps enable two-factor authentication for a user of the user portal.
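What happens behind step 8, as an added illustration (not code from Sophos or from the article): a minimal OATH/TOTP implementation (RFC 6238, HMAC-SHA1, 30-second steps, six digits, the defaults Google Authenticator uses) and a check of the combined "static password + OTP" string the UTM expects. The secret is the RFC 6238 test key and the static password is a constructed value; both are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = time.time() if now is None else now
    return hotp(secret, int(now) // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """The secret in the QR code / app is base32 encoded, often shown without padding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_login(submitted: str, static_password: str, secret: bytes,
                 now: float = None, window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """UTM-style check: the user types the static password immediately followed by the OTP.
    Codes from `window` steps either side of the current one are accepted to absorb clock drift."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return False
    password, code = submitted[:-digits], submitted[-digits:]
    pw_ok = hmac.compare_digest(password.encode(), static_password.encode())
    counter = int(time.time() if now is None else now) // step
    otp_ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            otp_ok = True  # keep looping so timing does not reveal which slot matched
    return pw_ok and otp_ok
```

A production verifier should additionally remember the last accepted counter per user and refuse it again, so a code observed once cannot be replayed within the acceptance window.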

More Control for the Web

In version 9.2, Sophos has also fundamentally revamped the GUI of the Web Protection module. The Filtering Options submenu now combines several functions, such as the URL filter categories and the exception list. Another new addition is Policy Test, which allows admins to test the effect of a policy change in the context of a client (IP address), a user, and a defined period (Figure 7).

Figure 7: With the new policy tester, admins test the effect of content filters in advance in the context of devices, users, and time schedules.

This feature lets you check, for example, whether a new rule allows a user access to a web address at a specific time of day. Additionally, the web filter in the Web Filtering | Policies | Additional Options section now also provides a Google Apps domain filter. It limits access to Google applications by domain and thus blocks, for example, access to Gmail and other services with private accounts.

If the Sophos Engine is selected as the virus scanner under Management | System Settings, the UTM automatically transfers suspicious files to Sophos, where they are executed in a sandbox and analyzed. Also, the Sophos virus scanner (and only this scanner) can now block PUAs (Potentially Unwanted Applications). By this, Sophos means programs that are not really harmful but are undesirable – at least in a business context (e.g., hacking tools, adware, and remote maintenance tools). Moreover, you can now manually assign websites to URL filter categories; in this way, for example, sites from the Uncategorized category can be assigned to existing filter categories.

Transparent HTTP and HTTPS proxies were already available in previous Sophos UTM versions. Now, these connections can authenticate against Active Directory using single sign-on (SSO). The prerequisite is that the clients can resolve the local network domain name (FQDN) of the firewall. This feature only works reliably for the browser; programs that establish an HTTPS connection to the Internet – for example, to retrieve automatic updates – are not correctly identified.

Furthermore, thanks to multidomain Active Directory user support, users who log in via SSO can now use the same usernames in different Windows domains; thus far, usernames had to be unique. Admins can also choose from multiple HTTP authentication methods for different types of devices in the new UTM version. In this way, for example, smartphones, tablets, Kindles, and other devices that do not support SSO can be networked using an alternative authentication method.

Protection of Confidential Information

Sophos has two more new features that can help enterprises fight against the disclosure of confidential information, whether intentional or accidental. The Data Leakage Prevention (DLP) function investigates outgoing email messages and their attachments for data that should not leave the enterprise at all or that should be encrypted before doing so.

Depending on the industry and the country, this type of information includes credit card numbers, phone numbers, and other personal information, for which Sophos provides a series of Content Control Lists that you can enable to suit your individual needs. Custom strings complement the supplied lists, and the DLP feature also supports regular expressions. Thus, you can analyze outgoing email traffic for company-specific data and specific keywords, for example. If the Sophos UTM finds a matching email, it stops the delivery and notifies the sender, the administrator, or a third party.

Another option in the DLP settings supports automatic encryption of confidential data before sending email using the new SPX Encryption feature. SPX stands for Secure PDF Exchange, a symmetric encryption method for outgoing email. The recipient does not need an encryption program, just a PDF reader.

Sophos UTMs have supported gateway-to-gateway-based email encryption on the basis of OpenPGP and S/MIME for years, but this functionality does not help in the context of data leakage prevention. SPX closes the gap and only allows messages with content identified by the DLP module to be sent if encrypted. It bundles the contents of the email into a PDF file that the recipient can only open if they have the matching password (Figures 8 and 9).

Figure 8: The firewall automatically activates SPX for data leakage prevention.
Figure 9: Thanks to SPX, Sophos UTM 9.2 symmetrically encrypts outgoing messages.

The password policies are configured up front by the administrator in Email Protection | SPX Encryption . In addition to password complexity, SPX templates also define whether the firewall generates a new password for each outgoing email or whether each recipient receives a static password that remains the same for all their email. With both methods, the sender of the message receives the password by email and then communicates it to the recipient in a secure way. If the sender wants to define a password, she must add it to the subject line of the message:


The UTM replaces the actual content of the email with PDF reader instructions for the receiver; these instructions can be customized in detail in terms of content and appearance.

The beta version, to which ADMIN magazine had access for this article, still had a bug that I hope will disappear in the final version: The brackets used in the schematic also needed to be specified for defining the password and automatically became part of the password, thereby forcing the recipient to enter them in order to open the encrypted message.

You can use SPX encryption without the DLP function, if so desired. Users then decide for themselves which messages they SPX-encrypt before sending. To this end, they add an additional header field to an outgoing email:

"X-Sophos-SPX-Encrypt: yes"

Sophos provides Outlook users with a plugin for this purpose. Thunderbird users need to add the header field manually in the configuration dialog Preferences | Advanced | General | Config Editor (about:config) until Sophos provides the announced plugin for this mail client.
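To make the DLP decision and the SPX trigger described above concrete, here is an added example (not Sophos' Content Control Lists or UTM code): it scans the text parts of an outgoing message for card-number candidates, validates them with the Luhn checksum so random digit runs do not match, and then either blocks the message or marks it for SPX encryption with the X-Sophos-SPX-Encrypt header. The pattern, the policy function, the addresses, and the card number are constructed test values.

```python
import re
from email.message import EmailMessage

# Hypothetical card-number pattern: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if above 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid digit strings found in text, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def apply_dlp_policy(msg: EmailMessage, action: str = "encrypt"):
    """Scan every text part of an outgoing message and return (decision, hits).
    'block' stops delivery; 'encrypt' adds the header that asks the UTM for SPX."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hits += find_card_numbers(part.get_content())
    if not hits:
        return "deliver", hits
    if action == "block":
        return "block", hits
    msg["X-Sophos-SPX-Encrypt"] = "yes"
    return "encrypt", hits


def build_sample(body: str) -> EmailMessage:
    """Constructed sample message; addresses are test values."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content(body)
    return msg
```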

If you enable the SPX reply portal, the receiver can also respond with SPX-encrypted, secure email. For this purpose, the PDF includes a Reply button that calls the URL of the portal response in the browser. This process also works with devices like the iPad. The SPX reply portal then provides the unencrypted reply to the original sender.
