Skip to content
Avanet
Sophos Central Wireless - Version 2.0 with Security Heartbeat

Sophos Central Wireless - Version 2.0 with Security Heartbeat

27. JULY 2018

Sophos Central Wireless 2.0 is ready to launch and will be rolled out across all accounts between 30 July and 31 August. In addition to new features and improvements, the new APX Wave 2.0 access points will also be supported. In this blog post we summarize the features you can look forward to.

Synchronized Security for Endpoint and Mobile

Security Heartbeat is now also available for Sophos Central Wireless. The concept is basically the same as on the XG Firewall. Network access for infected clients, or clients that do not comply with configured policies, is restricted or blocked completely.

With Security Heartbeat in Central Wireless you can isolate an at-risk device from the WLAN so that it cannot pose a threat to other devices that are also connected to the wireless network. For this interaction to work, the endpoints naturally need to be equipped with the appropriate software. Therefore, desktops and laptops should have at least Sophos Central Endpoint installed, while smartphones and tablets require Sophos Central Mobile. Finally, you must use one of the new APX access points, as only these support Security Heartbeat. 😅

Enhanced Rogue AP Detection

With Enhanced Rogue AP Detection, your Sophos access points scan all channels and list nearby wireless networks. At first glance, this might not sound particularly exciting. However, as the name suggests, the goal is to detect “rogue APs” that could create security vulnerabilities in an otherwise protected network.

Strict, yet justified, restrictions in a corporate WLAN can occasionally inspire employees to get creative. For instance, a colleague might set up their own access point in the office to get private devices onto the Internet. This would be a “rogue AP” because it was installed in a secure network without permission.

With Enhanced Rogue AP Detection, you can track down such unauthorized access points in your network. If a device is approved, you can add that AP to a “known AP list”.

Other improvements

In addition to the features mentioned above, version 2.0 includes two more noteworthy enhancements:

  • Bulk provisioning: You can now add up to 30 APs in a single step by uploading a CSV file with their serial numbers.
  • Redesigned dashboard: You now get a better overview of threats in the network and the status of devices using Synchronized Security.

Upcoming features

Version 2.1 is scheduled for release in September and will bring improved debugging and troubleshooting tools. In November the small APX 120 access point is expected, whose support will then be guaranteed in version 2.1.1.

Conclusion

We have always thought Sophos Central Wireless was a very cool product. Buy APs, plug them in, and you’re ready to go! With Sophos Central Wireless you don’t need a physical controller and you can manage your wireless networks across multiple sites in a wonderfully simple and clear way.

Our only reservation regarding Sophos Wireless is the price. In our opinion, even the new features in version 2.0 don’t quite justify the cost. Furthermore, you only truly benefit from Synchronized Security if you purchase the new APX series.

Moreover, Sophos is by no means alone in the wireless management market. Long before Sophos Wireless, comparable solutions existed. Even Google sells its own access points; for the price of a single Sophos AP I could buy three of them. I can also manage those via the cloud and operate multiple sites. Encryption is secure as well (WPA2).

We simply don’t find recurring costs for wireless particularly attractive. We see wireless a bit like “air”: it just has to be there. That view could certainly change if more security features like those in version 2.0 are added in the future. In that case, the added value would be clear, justifying the additional costs for Sophos Central Wireless.

We also have to acknowledge that Sophos has at least reduced the price somewhat for the new APX access points. While Sophos still differentiates in price between the AP 15 and the AP 100, the annual costs will be the same for all APX models, regardless of whether it is the small APX 320 or the large 740.

In conclusion we can say that Sophos Central Wireless has a lot of potential. It does not require a physical console and the new APX access points bring additional security features such as Synchronized Security. From our point of view this could become very interesting in the future. If that doesn’t matter to you, you can simply buy a small XG Firewall (XG 115) and manage 10 access points without any trouble. With this solution you only pay for the APs once, because the wireless license is included free of charge in the Sophos Firewall OS on the XG.

Note: On 31 July 2018 Sophos contacted us personally about our conclusion on Sophos Central Wireless. Because we had mentioned the high price as a point of criticism, Sophos shared an interesting piece of information with us. The annual cost you pay per access point for Sophos Wireless also includes insurance for the access point. If a device fails, Sophos will replace it free of charge within 24 hours. This service is therefore factored into the price. Unfortunately this is not mentioned in the data sheets or anywhere else on their website. We therefore cannot guarantee it to you in black and white, but according to Sophos the access points are insured as long as you have a valid Sophos Central Wireless license.

Known issues in version 2.0

The following list shows known issues that can still occur in version 2.0. Work is already under way and the following problems should therefore be fixed soon.

  • CWIFI-9228 Generate new password will send email twice to the configured address with the same info
  • CWIFI-7643 Captive portal will not work with the combination of Guest network and VLAN
  • CWIFI-9216 Client Vendor filter not working as expected when more than 8 characters are used to filter
  • CWIFI-9080 Clients are unable to access the internet when static vlan is changed in Guest NAT SSID
  • CWIFI-8958 AP Name and Serial Number Overlap on Access Points Page when AP’s name is longer.
  • CWIFI-8821 Apply Button does not work for Voucher End Duration Configuration
  • CWIFI-9101 SSID(Network) information is not properly displayed for about 5 minutes under clients page
  • CWIFI-9198 If the MacOS has Mobile SMC and Endpoint, the status keep toggling if one of them has RED status
  • CWIFI-9048 Sync Security with Dynamic VLAN configurable when we use WPA2-Enterprise as the Encryption Mode
  • CWIFI-8657 Discrepancy between APX320 and APX530/740 in LED behavior during hard reset
  • CWIFI-7336 DHCP client on the AP needs to be restarted if the AP is not reachable to the gateway
  • CWIFI-7301 Duplicate SSID name should not be allowed
  • CWIFI-8914 APX320 reboots after band change of radio-0 from 2.4 to 5 GHz and vice versa
  • CWIFI-7591 Users must re-enter Captive Portal password after roaming even

More information

Patrizio

Patrizio

Patrizio is an experienced network specialist focused on Sophos firewalls, switches, and access points. He supports customers and IT teams with configuration, migration, and clean network segmentation.