Sophos Central Wireless 2.0 is waiting in the wings and will be launched by the July 30 until August 31 rolled out across all accounts. In addition to new features and improvements, the new APX access points with Wave 2.0 will then also be supported. In this blog post we summarize which features you can look forward to.
Synchronized Security for Endpoint and Mobile
The Security Heartbeat is now also available for Sophos Central Wireless. The idea behind it is basically the same as on the XG Firewall. Infected clients or those that do not comply with the specified policies have their network behavior restricted or are completely blocked.
So with the Security Heartbeat in Central Wireless, a compromised device can be isolated from the WLAN so that it does not become a threat to other devices that are also on the WLAN. For this interaction to work, the end devices must of course also be equipped with the appropriate software. Computers and laptops should therefore have at least Sophos Central Endpoint installed, and smartphones and tablets Sophos Central Mobile. As a final requirement, however, you must also use one of the new APX access points, because only these support the Security Heartbeat. 😅
Enhanced Rogue AP Detection
With Enhanced Rogue AP Detection, your Sophos access points scan all channels and list neighboring wireless networks. That doesn’t sound particularly exciting at first. However, as the name suggests, the goal is to detect so-called “rogue APs”, as these could open a security hole into the secured network.
The sometimes strict, but of course also justified, restrictions in a company WLAN sometimes give employees creative ideas. It can happen that a colleague sets up his own access point in the office in order to access the Internet with his private devices. This would be such a “rogue AP”, since it was installed in a secure network without permission.
With Enhanced Rogue AP Detection you can detect such unauthorized access points in your network in the future. If the use of a device has been approved, it is of course also possible to place such an AP on a “Known AP List”.
In addition to the features mentioned above, there are two other notable improvements in version 2.0:
- Bulk Provisioning: Up to 30 APs can now be added in one step by uploading a CSV file with the serial numbers.
- Revised dashboard: You now have a better overview of threats on the network and the status of devices with Synchronized Security.
Version 2.1 is scheduled for release in September, which should bring improved debugging and troubleshooting tools. Then in November, the small APX 120 access point is still expected, whose support is then guaranteed in version 2.1.1.
We always thought Sophos Central Wireless was a very cool product! Buy APs, connect and go! With Sophos Central Wireless, there’s no need for a physical controller and you can manage your wireless networks across multiple sites with wonderful ease and clarity.
The only problem we have with Sophos Wireless is the price. Even the new features in version 2.0 can’t quite justify the price in our opinion. Apart from the fact that you only benefit from Synchronized Security, for example, if you buy the new APX series.
In addition, Sophos is by no means alone in this wireless management market. There were solutions before Sophos Wireless, and they should be compared with them. Even Google sells its own access points, of which I could buy three compared to the price of a Sophos AP. I can then also manage these via the cloud and manage multiple locations. The encryption is also secure (WPA2).
We just don’t find it particularly attractive to have recurring costs for wireless. We see wireless a bit like “air”. It simply has to be there for us to exist. However, this attitude could undoubtedly change somewhat for us if even more security features are added in the future, as in version 2.0. Then we also clearly see an added value for which it is quite legitimate to charge extra for Sophos Central Wireless.
We also have to acknowledge that Sophos has come down a bit on price, at least with the new APX access points. While Sophos still differentiates between the AP 15 and AP 100 in terms of price, the annual cost will be the same for all APX models, whether it’s the small APX 320 or the large 740.
In conclusion, we can say that Sophos Central Wireless has a high potential. There is no need for a physical console and with the new APX access points, additional security features such as Synchronized Security are added. From our point of view, this could become very interesting in the future! But if that doesn’t matter to you, you can simply buy a small XG Firewall (XG 115) and easily manage 10 access points. For this solution, there is then only a one-time cost for the APs, because the wireless license is included free of charge in the Sophos Firewall OS on the XG.
Note: Sophos still contacted us personally on July 31, 2018 about our conclusion of Sophos Central Wireless. Since we noted the high price as a point of criticism, Sophos gave us another interesting info on this topic. The annual cost paid for Sophos Wireless per access point also includes insurance for the access point, he said. So if a device breaks, Sophos will replace it free of charge within 24 hours. So they add this service to the price. Unfortunately, however, this is not mentioned in the data sheets or anywhere else on their website. Therefore, we cannot guarantee it in black and white, but according to Sophos, the access points are insured within a valid Sophos Central Wireless license.
Known bugs in version 2.0
In the following list you can find already known bugs that can still occur in version 2.0. However, they are already working on it and the following bugs should therefore surely be fixed soon.
- CWIFI-9228 Generate new password will send email twice to the configured address with the same info
- CWIFI-7643 Captive portal will not work with the combination of Guest network and VLAN
- CWIFI-9216 Client Vendor filter not working as expected when more than 8 characters are used to filter
- CWIFI-9080 clients are unable to access the internet when static vlan is changed in Guest NAT SSID
- CWIFI-8958 AP Name and Serial Number Overlap on Access Points Page when AP’s name is longer.
- CWIFI-8821 Apply Button does not work for Voucher End Duration Configuration
- CWIFI-9101 SSID(Network) information is not properly displayed for about 5 minutes under clients page
- CWIFI-9198 If the MacOS has Mobile SMC and Endpoint, the status keep toggling if one of them has RED status
- CWIFI-9048 Sync Security with Dynamic VLAN configurable when we use WPA2-Enterprise as the Encryption Mode
- CWIFI-8657 Discrepancy between APX320 and APX530/740 in LED behavior during hard reset
- CWIFI-7336 DHCP client on the AP needs to be restarted if the AP is not reachable to the gateway
- CWIFI-7301 Duplicate SSID name should not be allowed
- CWIFI-8914 APX320 reboots after band change of radio-0 from 2.4 to 5Ghz and vice versa
- CWIFI-7591 Users must re-enter Captive Portal password after roaming even