Network Security

Reference Architecture
and Deployment Use Case Examples

Sophos Confidential
 Reference Architecture

2
Network Security Reference Architecture
SOPHOS NETWORK SECURITY

OR CUSTOMER
SECURITY OPERATIONS CENTER ▪ Full suite of products - uniquely integrated
XDR/SIEM/SOAR
CENTRAL ▪ Works with what you can customers have –
extensible and scalable

▪ The best protection and performance at

every price

▪ Unmatched visibility, protection, and

MAIN OFFICES response
PUBLIC CLOUD
REMOTE ▪ Making complex networks easy to deploy
and manage
WORKERS

ENDPOINTS (XDR) FIREWALL WORKOADS

SOPHOS PRODUCTS/SERVICES

▪ Firewall
▪ Switch
▪ Wireless
APs NDR SWITCHES SOPHOS FIREWALL
▪ ZTNA
▪ SD-RED
▪ Email
▪ DNS
SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS FIREWALL SOPHOS
▪ NDR
SD-RED ▪ Endpoint
▪ Mobile
▪ Server
SWITCH
REMOTE DEVICES ▪ XDR
▪ MDR
 Active Threat Response

4
 Response Time is Critical
Every second matters when an
attack is discovered

5
 SOPHOS
CENTRAL
Active Threat Response
Now Including Sophos Switch and AP6

Cross-Product Automation
• MDR/XDR Analysts can trigger a response
via Sophos Central Threat Feed API
• Works with Sophos Firewall, Switch, AP6
SECURITY ANALYST
THREAT FEEDS
Automatic Response
• Firewall automatically blocks threats from YOUR NETWORK
communicating to other parts of the
network
• Firewall automatically coordinates with
managed endpoints to block traffic from
compromised hosts
• ZTNA automatically prevents connections
to applications
MANAGED ENDPOINTS
•
NEW Switch and AP6 automatically block
compromised device at the access layer –
completely isolating them - even within
the same LAN segment

COMPROMISED DEVICE
How it Works
UNIQUE TO SOPHOS

▪ Unique cross-product automation

OR CUSTOMER
SECURITY OPERATIONS CENTER ▪ Sophos Firewall, Endpoints, ZTNA, Email and
XDR/SIEM/SOAR Security Analysts (XDR or MDR) all
CENTRAL
interconnected through Sophos Central

▪ Continuously sharing health and threat

information

▪ No extra licenses or solutions required –

works with core Sophos products
MAIN OFFICES
PUBLIC CLOUD
? Active REMOTE
Threat WORKERS

ENDPOINTS (XDR) FIREWALL WORKOADS AUTOMATED THREAT RESPONSE

▪ When a threat is identified by an endpoint, a

firewall, NDR, or an XDR/MDR analyst an
automated threat response can be triggered

▪ Sophos Firewall automatically blocks all

SWITCHES SOPHOS FIREWALL threat related traffic from patient zero or
APs NDR
any other host
▪ Sophos Firewall initiates lateral movement
protection by informing all healthy endpoints
to ignore traffic from the compromised host
SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS FIREWALL

SOPHOS PRODUCTS/SERVICES
SWITCH ▪ Sophos Firewall
▪ Sophos Endpoints
▪ Optional: Sophos ZTNA, Email, NDR, XDR, MDR
Threat Identification
UNIQUE TO SOPHOS

▪ Unique cross-product automation

OR CUSTOMER
SECURITY OPERATIONS CENTER ▪ Sophos Firewall, Endpoints, ZTNA, Email and
XDR/SIEM/SOAR Security Analysts (XDR or MDR) all
Threat Confirmed
! CENTRAL
interconnected through Sophos Central

▪ Continuously sharing health and threat

information

▪ No extra licenses or solutions required –

works with core Sophos products
MAIN OFFICES
PUBLIC CLOUD
? Active REMOTE
Threat WORKERS

ENDPOINTS (XDR) FIREWALL WORKOADS AUTOMATED THREAT RESPONSE

▪ When a threat is identified by an endpoint, a

! Threat Identified firewall, NDR, or an XDR/MDR analyst an
automated threat response can be triggered

▪ Sophos Firewall automatically blocks all

SWITCHES SOPHOS FIREWALL threat related traffic from patient zero or
APs NDR
any other host

▪ Sophos Firewall initiates lateral movement

protection by informing all healthy endpoints
to ignore traffic from the compromised host
SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS FIREWALL

SOPHOS PRODUCTS/SERVICES
SWITCH ▪ Sophos Firewall
▪ Sophos Endpoints
▪ Optional: Sophos ZTNA, Email, NDR, XDR, MDR
Active Threat Response
UNIQUE TO SOPHOS

▪ Unique cross-product automation

OR CUSTOMER
SECURITY OPERATIONS CENTER ▪ Sophos Firewall, Endpoints, ZTNA, Email and
XDR/SIEM/SOAR Security Analysts (XDR or MDR) all
Threat Feed Sent
! CENTRAL
interconnected through Sophos Central

▪ Continuously sharing health and threat

information

▪ No extra licenses or solutions required –

works with core Sophos products
MAIN OFFICES
PUBLIC CLOUD
? REMOTE
WORKERS

ENDPOINTS (XDR) FIREWALL WORKOADS AUTOMATED THREAT RESPONSE

Active threat is ▪ When a threat is identified by an endpoint, a

! blocked
Threat Feed Received
firewall, NDR, or an XDR/MDR analyst an
automated threat response can be triggered

Firewall initiates ATR ▪ Sophos Firewall automatically blocks all

SWITCHES SOPHOS FIREWALL threat related traffic from patient zero or
APs NDR
any other host

▪ Sophos Firewall initiates lateral movement

protection by informing all healthy endpoints
to ignore traffic from the compromised host
SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS FIREWALL

SOPHOS PRODUCTS/SERVICES
SWITCH ▪ Sophos Firewall
▪ Sophos Endpoints
▪ Optional: Sophos ZTNA, Email, NDR, XDR, MDR
ATR and Synchronized Security
UNIQUE TO SOPHOS

▪ Unique cross-product automation

OR CUSTOMER
SECURITY OPERATIONS CENTER ▪ Sophos Firewall, Endpoints, ZTNA, Email and
XDR/SIEM/SOAR Security Analysts (XDR or MDR) all
Threat Feed Sent
! CENTRAL
interconnected through Sophos Central

▪ Continuously sharing health and threat

information

▪ No extra licenses or solutions required –

works with core Sophos products
MAIN OFFICES
PUBLIC CLOUD
? REMOTE
WORKERS

Healthy endpoints ENDPOINTS (XDR) FIREWALL WORKOADS AUTOMATED THREAT RESPONSE

block traffic from
compromised device
Active threat is ▪ When a threat is identified by an endpoint, a
! blocked
Threat Feed Received
firewall, NDR, or an XDR/MDR analyst an
automated threat response can be triggered

Firewall initiates ATR ▪ Sophos Firewall automatically blocks all

SWITCHES SOPHOS FIREWALL threat related traffic from patient zero or
APs NDR
any other host

▪ Sophos Firewall initiates lateral movement

protection by informing all healthy endpoints
to ignore traffic from the compromised host
SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS FIREWALL

SOPHOS PRODUCTS/SERVICES
SWITCH ▪ Sophos Firewall
▪ Sophos Endpoints
▪ Optional: Sophos ZTNA, Email, NDR, XDR, MDR
ATR Extended to Switch/AP6
OR CUSTOMER UNIQUE TO SOPHOS
SECURITY OPERATIONS CENTER
XDR/SIEM/SOAR
Threat Feed Sent
! CENTRAL ▪ Unique cross-product automation

▪ Automatic Threat Response feeds can now

be sent by XDR/MDR analysts to Sophos
Switch and AP6 via API

▪ A valid Switch/AP6 Support subscription is a

MAIN OFFICES prerequisite, but no other licenses required
PUBLIC CLOUD
? REMOTE
WORKERS

ENDPOINTS (XDR) FIREWALL WORKOADS AUTOMATED THREAT RESPONSE

▪ When a threat is identified by an endpoint, a

firewall, NDR, or an XDR/MDR analyst an
! automated threat response can be triggered

▪ Sophos Switches and AP6 Access Points

automatically block infected host
APs NDR SWITCHES SOPHOS FIREWALL dramatically limiting opportunity for lateral
Threat Feed Received Threat Feed Received movement

▪ The compromised device can be wireless,

wired, managed, or unmanaged – it will be
blocked
SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS FIREWALL

SOPHOS PRODUCTS/SERVICES
SWITCH ▪ Sophos Switch
▪ Sophos Wireless (AP6 Access Points)
▪ Sophos XDR, MDR
 Result: Rapid Response Time
Uniquely Integrated
Sophos Active Threat Response
works across products and services
to dramatically improve response
times from hours or days to just a few
seconds.

No manual rule configuration is

required.

With Sophos MDR or XDR,

and Sophos Network Security,
you get the best:
• Protection
• Detection
• AND Response

12
 What You Need Xstream Standard Available
Protection Protection Separately

Base License (Stateful Firewall, Networking and SD-WAN, Wireless, VPN)

Network Protection (Xstream TLS, DPI, IPS, X-Ops Feeds, Security Heartbeat, SD-RED Mgmt)

Web Protection (Xstream TLS, DPI, Web security and Control, Application Control)

Zero-Day Protection (Static ML-based and dynamic (sandboxing) file analysis, reporting)

Central Orchestration (SD-WAN Orchestration, Central Reporting Adv (30-day), MDR/XDR/ATR)

Enhanced support (24x7 phone/email support, Advance RMA, required for firmware updates)

Sophos Central Email Advanced (Sophos Central antispam, AV, DLP, encryption)

Firewall Email Protection (on-box antispam, AV, DLP, encryption)

Firewall Web Server Protection (web application firewall)

Sophos Central Reporting Advanced (additional longer-term storage)

Enhanced Plus Support Upgrade (VIP support, warranty for add-ons, TAM option)

Additional options are available for MSPs

13 Sophos Confidential
 High Availability Networking

14
High-Availability Networking
EASY DEPLOYMENT

▪ Plug-and-Play High Availability – Firewalls

OR CUSTOMER automatically sync via HA link
SECURITY OPERATIONS CENTER
XDR/SIEM/SOAR ▪ Single console management for Firewalls and
CENTRAL
Switches

▪ Flexible multi-ISP WAN support for cable,

DSL, fiber, copper, LTE, MPLS, etc.

MAIN OFFICES

PERFORMANCE AND RESILIENCY

ENDPOINTS (XDR)
▪ Active-Passive HA = Affordable reliability
from a device failure or necessary down-
time. One device is active, one on passive
standby. Only one license required for active
device

▪ Active-Active HA = Added performance and

reliability as both devices are active and
APs NDR SWITCHES SOPHOS FIREWALLS sharing the traffic and processing load.

▪ Multiple SD-WAN link support with

performance-based selection for added
resiliency from ISP brown-outs or outages

SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS FIREWALL

SOPHOS PRODUCTS/SERVICES
SWITCHES ▪ Sophos Firewall
▪ Sophos Switch
▪ Sophos SD-WAN and Orchestration
 Firewall High Availability Support

Active-Passive
Add a failover appliance/standby
Subscription Licenses: Only required for active (Primary) box
Support minimum: Enhanced on the Active (Primary) box
Recommended Support: Enhanced Plus required on the Active (Primary) box to allow
advance RMA for the Passive (auxiliary) box

Active-Active Cluster
Divide the traffic
Improve performance
Subscription Licenses: For both boxes and must be identical (term can differ)
Support: Enhanced support required for both boxes

Add Enhanced Plus Support to every Active/Passive cluster to ensure that the passive appliance is covered for advance RMA
16
Sophos Firewall and Sophos Switch HA
EASY DEPLOYMENT
Example: Core Hub Basic Layer 1 and 2 Topology
▪ Plug-and-Play High Availability – Firewalls
automatically sync via HA link

▪ Single console management for Firewalls and

Switches

▪ Flexible multi-ISP WAN support for cable,

DSL, fiber, copper, LTE, MPLS, etc.

ISP A

LAN PERFORMANCE AND RESILIENCY

▪ Active-Passive HA = Affordable reliability

from a device failure or necessary down-
time. One device is active, one on passive
standby. Only one license required for active
HA LINK device

▪ Active-Active HA = Added performance and

reliability as both devices are active and
sharing the traffic and processing load.

▪ Multiple SD-WAN link support with

DMZ performance-based selection for added
ISP B resiliency from ISP brown-outs or outages

SOPHOS PRODUCTS/SERVICES

▪ Sophos Firewall
▪ Sophos Switch
▪ Sophos SD-WAN and Orchestration
 SD-WAN

18
Fully Integrated SD-WAN Solution

SOPHOS FIREWALL SD-WAN HARDWARE SOPHOS CENTRAL SD-WAN MANAGEMENT

SD-WAN SD-WAN
Orchestration Reporting

Sophos Firewall XGS Series SD-RED 20/60

Xstream FastPath Acceleration
Zero-Touch Remote Edge Devices
SD-WAN | Apps | Cloud | IPsec

SOPHOS FIREWALL INTEGRATED SD-WAN FEATURES

Performance SLA Link Management Real-time Monitoring

Link Selection and Enhanced Routing and Logging
Jitter | Lat ency | Packet Loss App | User | Service Link Performance | Routing
Zero-Impact Transitions Failover | Failback

SD-WAN Profiles Link Load Balancing Synchronized App Control Awareness

with Multiple Gateways Simultaneously routing of application Obscure and Custom Apps
Up to 8 Gateways traffic across multiple links
MPLS | WAN | VPN | RED
SD-WAN Orchestration in Sophos Central
Distributed Enterprise SD-WAN EASY (ZERO-TOUCH) DEPLOYMENT

▪ Zero-Touch deployment of branch office

firewalls

▪ Sophos Central point-and-click orchestration

OR CUSTOMER supports hub-and-spoke, full-mesh or any
SECURITY OPERATIONS CENTER other topology with fully redundant links
XDR/SIEM/SOAR
CENTRAL ▪ Easy on-ramp to Cloudflare, Akamai, Azure
or other backbone networks

ORCHESTRATION ▪ Zero-Touch SD-RED deployment for remote

devices (low cost – no additional license)

▪ Easy deployment to public cloud from

MAIN OFFICES marketplace
PUBLIC CLOUD

OPERATIONAL EFFICIENCY AND

ENDPOINTS (XDR) FIREWALL WORKOADS
RESILIENCY
VPN
INTERNET ▪ SD-WAN integrated with your network
BACKBONE
security
VPN
▪ WAN routing by application, service, or user

NDR SWITCHES SOPHOS FIREWALL ▪ Automated performance-based link selection

APs
based on jitter, packet-loss, latency
VPN VPN ▪ Link load-balancing across multiple link types

▪ Maximum performance and resiliency

SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS FIREWALL SOPHOS
SD-RED

SOPHOS PRODUCTS/SERVICES
SWITCH ▪ Sophos Firewall with Xstream Protection
REMOTE DEVICES
▪ Includes Sophos Central Orchestration

▪ Optional: Sophos SD-RED

HA SD-WAN Example for Demo EASY (ZERO-TOUCH) DEPLOYMENT

▪ Zero-Touch deployment of branch office

firewalls

▪ Sophos Central point-and-click orchestration

OR CUSTOMER supports hub-and-spoke, full-mesh or any
SECURITY OPERATIONS CENTER other topology with fully redundant links
XDR/SIEM/SOAR
CENTRAL ▪ Easy on-ramp to Cloudflare, Akamai, Azure
or other backbone networks

ORCHESTRATION ▪ Zero-Touch SD-RED deployment for remote

devices (low cost – no additional license)

▪ Easy deployment to public cloud from

WIESBADEN marketplace

OPERATIONAL EFFICIENCY AND

ENDPOINTS (XDR) RESILIENCY

FIBER INTERNET ▪ SD-WAN integrated with your network

BACKBONE
security

COPPER VPN ▪ WAN routing by application, service, or user

NDR SWITCHES ▪ Automated performance-based link selection

APs
SOPHOS FIREWALLS based on jitter, packet-loss, latency
(HIGH AVAILABILITY)
▪ Link load-balancing across multiple link types

▪ Maximum performance and resiliency

SERVERS / APPLICATIONS BERLIN HAMBURG
SOPHOS FIREWALL SOPHOS FIREWALL

SOPHOS PRODUCTS/SERVICES
SWITCH SWITCH ▪ Sophos Firewall with Xstream Protection
▪ Includes Sophos Central Orchestration

▪ Optional: Sophos SD-RED

 Remote Workers

23
Remote Workers – Mid-Large – Hybrid Cloud EASY DEPLOYMENT

▪ Supports on-prem or public cloud application

access control – wherever a Sophos Firewall
can be deployed

▪ No agent – or single agent – integrated with

OR CUSTOMER Sophos Endpoint
SECURITY OPERATIONS CENTER
XDR/SIEM/SOAR ▪ Single gateway – ZTNA gateway integrated
CENTRAL
with Sophos Firewall

▪ Single cloud management console in Sophos

POLICY Central

▪ Supports Azure AD or okta IDP

ZTNA CONTROL
MAIN OFFICES
PUBLIC CLOUD
REMOTE TRANSPARENT ENHANCED
WORKERS SECURITY

ENDPOINTS (XDR) FIREWALL APPS ▪ Zero-trust principles – trust nothing – verify

everything: user identity, device health

IDENTITY ▪ Only access specific apps and resources –

not the whole network

▪ Eliminates vulnerable old VPN clients

NDR SWITCHES SOPHOS FIREWALL ▪ Device health integrated into policy to

APs
prevent unhealthy devices from connecting

SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS PRODUCTS/SERVICES

SOPHOS FIREWALL
▪ Sophos ZTNA (per remote user license)

▪ Optional:
▪ Sophos Firewall (ZTNA gateway)
SWITCH
▪ Sophos Endpoint

▪ Third-Party Integrations:
▪ Azure AD / okta IDP
Remote Workers – Mid-Large – SaaS Apps ▪
EASY DEPLOYMENT

Supports on-prem or public cloud application

access control – wherever a Sophos Firewall
can be deployed

▪ No agent – or single agent – integrated with

OR CUSTOMER Sophos Endpoint
SECURITY OPERATIONS CENTER
XDR/SIEM/SOAR ▪ Single gateway – ZTNA gateway integrated
CENTRAL
with Sophos Firewall
▪ Single cloud management console in Sophos
POLICY Central

▪ Supports Azure AD or okta IDP

ZTNA CONTROL
MAIN OFFICES
PUBLIC CLOUD
REMOTE TRANSPARENT ENHANCED
WORKERS SECURITY

ENDPOINTS (XDR) FIREWALL APPS ▪ Zero-trust principles – trust nothing – verify

everything: user identity, device health
IP ACCESS
IDENTITY CONTROL ▪ Only access specific apps and resources –
not the whole network

▪ Eliminates vulnerable old VPN clients

NDR SWITCHES SOPHOS FIREWALL ▪ Device health integrated into policy to

APs
prevent unhealthy devices from connecting

SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS PRODUCTS/SERVICES

SOPHOS FIREWALL
▪ Sophos ZTNA (per remote user license)

▪ Optional:
▪ Sophos Firewall (ZTNA gateway)
SWITCH
▪ Sophos Endpoint

▪ Third-Party Integrations:
▪ Azure AD / okta IDP
Remote Workers – ZTNA and Active Threats EASY DEPLOYMENT

▪ Supports on-prem or public cloud application

access control – wherever a Sophos Firewall
can be deployed

▪ No agent – or single agent – integrated with

OR CUSTOMER Sophos Endpoint
SECURITY OPERATIONS CENTER
XDR/SIEM/SOAR ▪ Single gateway – ZTNA gateway integrated
Threat Confirmed
! CENTRAL
with Sophos Firewall

▪ Single cloud management console in Sophos

POLICY Central

▪ Supports Azure AD or okta IDP

ZTNA CONTROL
MAIN OFFICES
ZTNA Prevents PUBLIC CLOUD
Connection
REMOTE TRANSPARENT ENHANCED
WORKERS SECURITY

ENDPOINTS (XDR) FIREWALL APPS ▪ Zero-trust principles – trust nothing – verify

everything: user identity, device health

IDENTITY ▪ Only access specific apps and resources –

not the whole network

▪ Eliminates vulnerable old VPN clients

NDR SWITCHES SOPHOS FIREWALL ▪ Device health integrated into policy to

APs
prevent unhealthy devices from connecting

SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS PRODUCTS/SERVICES

SOPHOS FIREWALL
▪ Sophos ZTNA (per remote user license)

▪ Optional:
▪ Sophos Firewall (ZTNA gateway)
SWITCH
▪ Sophos Endpoint

▪ Third-Party Integrations:
▪ Azure AD / okta IDP
Remote Workers – Mid-Large – On-Prem AD EASY DEPLOYMENT

▪ Supports on-prem or public cloud application

access control – wherever a Sophos Firewall
can be deployed

▪ No agent – or single agent – integrated with

OR CUSTOMER Sophos Endpoint
SECURITY OPERATIONS CENTER
XDR/SIEM/SOAR ▪ Single gateway – ZTNA gateway integrated
CENTRAL
with Sophos Firewall

▪ Single cloud management console in Sophos

POLICY Central

▪ Supports Azure AD or okta IDP

ZTNA CONTROL
MAIN OFFICES
REMOTE TRANSPARENT ENHANCED
WORKERS SECURITY

ENDPOINTS (XDR) ▪ Zero-trust principles – trust nothing – verify

everything: user identity, device health

▪ Only access specific apps and resources –

not the whole network

▪ Eliminates vulnerable old VPN clients

NDR SWITCHES SOPHOS FIREWALL ▪ Device health integrated into policy to

APs
prevent unhealthy devices from connecting

ACTIVE DIR SERVERS / APPLICATIONS BRANCH OFFICES SOPHOS PRODUCTS/SERVICES

SOPHOS FIREWALL
▪ Sophos ZTNA (per remote user license)
▪ Optional:
▪ Sophos Firewall (ZTNA gateway)
SWITCH
▪ Sophos Endpoint

▪ Third-Party Integrations:
▪ Azure AD / okta IDP / On-Prem AD
Remote Workers – Small – VPN
OR CUSTOMER DEPLOYMENT
SECURITY OPERATIONS CENTER
XDR/SIEM/SOAR ▪ Users can download Sophos Connect VPN
CENTRAL
client and config directly from VPN user
portal on firewall

▪ Firewall supports both SSL and IPSEC remote

access VPN

MAIN OFFICE
REMOTE
WORKERS
INTEGRATED, AFFORDABLE
VPN REMOTE ACCESS
ENDPOINTS (XDR)
▪ No extra infrastructure required
VPN
▪ Remote access VPN included in Base License

SOPHOS FIREWALL
APs NDR SWITCHES (VPN CONCENTRATOR)

SERVERS / APPLICATIONS SOPHOS PRODUCTS/SERVICES

▪ Sophos Firewall

▪ Sophos Connect VPN Client

Sophos ZTNA Deployment and Licensing

Sophos ZTNA Agent Sophos ZTNA Management Sophos ZTNA Gateways

Agent or Agentless Access Managed from Sophos Central Integrated into Sophos Firewall
(for web apps from mobile devices)
Also runs on popular Virtual/Cloud platforms
Integrated with Intercept X Simple per-user license (VMware, Hyper-V)
Windows or macOS Free – No Charge
Term or MSP Flex Licensing Available