Sophos Central Wireless: Version 2.0 with Security Heartbeat
Sophos Central Wireless 2.0 is in the starting blocks and will be rolled out across all accounts from 30 July to 31 August. Besides new features and improvements, the new APX Access Points with Wave 2.0 are supported. In this Blogpost you will find a summary of the functions you can look forward to.
Synchronized Security for Endpoint and Mobile
The Security Heartbeat is now available for Sophos Central Wireless. The idea behind it is basically the same as on the XG Firewall. Infected clients or clients that do not comply with the specified policies are restricted or completely blocked in their network behavior.
With the Security Heartbeat in Central Wireless, a compromised device can be isolated from the WiFi so that it does not become a threat to other devices that are also in the same wireless network. For this interaction to work, the end devices must of course also be equipped with the corresponding software. Computers and laptops should therefore have at least Sophos Central Endpoint and smartphones and tablets Sophos Central Mobile installed. As a final requirement, however, you must also use one of the new APX access points, because only these support the Security Heartbeat. 😅
Enhanced Rogue AP Detection
With Enhanced Rogue AP Detection, your Sophos access points scan all channels and list nearby wireless networks. That doesn’t sound very exciting for now. The aim, however, as the name suggests, is to detect so-called “rogue APs”, as these could open up a security flaw in the protected network.
The sometimes harsh but of course justified restrictions in a company WiFi often let employees come up with creative ideas. It is not unusual to find a colleague setting up his own access point in the office to access the Internet with his private devices. This would be such a “rogue AP”, because it was installed in a secure network without permission.
With the Enhanced Rogue AP Detection you can detect such unauthorized access points on your network from now on. If the use of a device has been approved, it is of course also possible to put such an AP on a “Known AP list”.
In addition to the features mentioned above, there are two other significant improvements in version 2.0:
- Bulk Provisioning: Up to 30 APs can now be added in one step by uploading a CSV file with the serial numbers.
- Revised Dashboard: You now have a better overview of network threats and the status of devices with Synchronized Security.
In September, version 2.1 will be released, which will bring improved debugging and troubleshooting tools. In November the small APX 120 Access Point is expected, whose support is then guaranteed in version 2.1.1.
We’ve always thought Sophos Central Wireless was a very cool product! Buy as much access points as you like, plug them in and you are ready to go! With Sophos Central Wireless, there is no need for a physical controller and you can easily manage your wireless networks across multiple locations.
The only problem we have with Sophos Wireless is the price. In our opinion, even the new features in version 2.0 cannot yet fully justify the price. Apart from the fact that you only benefit from Synchronized Security if you buy the new APX series.
What’s more, Sophos is not alone in this wireless management market. There were solutions before Sophos Wireless that they should compare themselves to. Even Google sells its own access points, of which I could buy three compared to the price of one Sophos AP. I can then also administrate these via the cloud and handle several locations. Encryption is also secure (WPA2).
We just don’t find it particularly attractive to have recurring costs for wireless. We see wireless a bit like “air”. It just has to be there for us to exist. However, this attitude could undoubtedly change if more security features, such as in version 2.0, are added in the future. Then we also see a clear added value for which it is perfectly legitimate to charge additional costs for Sophos Central Wireless.
We must also acknowledge that Sophos has come down a bit on price, at least for the new APX access points. While Sophos still differentiates between the AP 15 and the AP 100 in price, the annual costs will be the same for all APX models, whether they are the small APX 320 or the large 740.
Finally, we can say that Sophos Central Wireless has great potential. No physical console is required and the new APX access points add additional security features such as synchronized security. From our point of view, this could become very interesting in the future! But if that doesn’t matter, you simply buy a small XG firewall (XG 115) and easily manage 10 access points. This solution will only cost the APs once because the wireless license is included free of charge in the Sophos Firewall OS on XG.
Hinweis: Sophos contacted us personally on 31 July 2018 about our conclusion of Sophos Central Wireless. Since we noted the high price as a point of criticism, Sophos gave us some interesting information on this topic. The annual cost of Sophos Wireless per access point includes insurance for the access point. If a device breaks down, Sophos will replace it free of charge within 24 hours. This service is therefore also included in the price. Unfortunately, this is not mentioned in the data sheets or anywhere else on their website. Therefore, we cannot guarantee it in black and white, but according to Sophos, the access points are insured under a valid Sophos Central Wireless license.
Known bugs in version 2.0
In the following list you will find already known bugs that may still occur in version 2.0. However, work is already in progress and the following bugs should be fixed soon.
- CWIFI-9228 Generate new password will send email twice to the configured address with the same info
- CWIFI-7643 Captive portal will not work with the combination of Guest network and VLAN
- CWIFI-9216 Client Vendor filter not working as expected when more than 8 characters are used to filter
- CWIFI-9080 Clients are unable to access the internet when static vlan is changed in Guest NAT SSID
- CWIFI-8958 AP Name and Serial Number Overlap on Access Points Page when AP’s name is longer.
- CWIFI-8821 Apply Button does not work for Voucher End Duration Configuration
- CWIFI-9101 SSID(Network) information is not properly displayed for about 5 minutes under clients page
- CWIFI-9198 If the MacOS has Mobile SMC and Endpoint, the status keep toggling if one of them has RED status
- CWIFI-9048 Sync Security with Dynamic VLAN configurable when we use WPA2-Enterprise as the Encryption Mode
- CWIFI-8657 Discrepancy between APX320 and APX530/740 in LED behavior during hard reset
- CWIFI-7336 DHCP client on the AP needs to be restarted if the AP is not reachable to the gateway
- CWIFI-7301 Duplicate SSID name should not be allowed
- CWIFI-8914 APX320 reboots after band change of radio-0 from 2.4 to 5Ghz and vice versa
- CWIFI-7591 Users must re-enter Captive Portal password after roaming even