Sophos UTM Elevated 9.4 - Sandbox, user/group rules and WAF cookies
The new firmware version 9.4 for the UTM is about to be released, and the final build has already been approved. Although the XG Series introduced the new operating system Sophos Firewall OS (SFOS), the UTM is far from obsolete - and we can now confirm this first-hand. We attended the Sophos roadshow in Zurich last week, where it was made clear that both operating systems will continue to be developed in parallel, with the UTM roadmap extending at least until 2017. There is therefore no sign of a rapid succession plan. In fact, we still recommend the SG Series and would only consider a migration once the Sophos Firewall OS update, expected in summer 2016, is available.
But now let’s take a look at the new features delivered with the Sophos UTM Elevated 9.4 firmware.
Sophos UTM Elevated 9.4 innovations
1. Sophos Sandstorm
The main enhancement is the sandboxing solution Sandstorm, which we already announced in an earlier post. With 9.4, Sandstorm is now integrated into the system and can be activated once you purchase a licence. The corresponding licences are available to order from our Sophos shop for the SG Firewall or XGS Firewall. Simply select your hardware model and choose the new Sandstorm licence.
Sophos Sandstorm is currently only available for UTM 9.4. Owners of an XG Firewall with Sophos Firewall OS will need to wait a little longer. Sophos Sandstorm is also not included in the FullGuard Bundle and must be purchased separately.
Update: Sophos Sandstorm is now available for UTM and SFOS and can be purchased either individually or as part of a bundle.
What exactly does Sophos Sandstorm do?
Sophos Sandstorm complements the existing Sophos security products and adds protection against advanced persistent threats (APTs) and zero-day malware. Every file downloaded through Web Protection or received through Mail Protection is handled as follows:
- The firewall computes a hash of the file and checks whether that hash has been analysed before. If it has, the verdict (allow or block) is already known and is applied without sending the file anywhere.
- If the hash is unknown, the file is uploaded to the Sophos Labs sandbox and analysed. The analysis produces a report showing exactly what the file attempted to do, the verdict is returned to the firewall, and the file is then deleted from the Sophos servers.
Note that the lookup is keyed on the hash of the file's content: a sample that differs by even a single byte has a different hash and goes through the full analysis again. That is a property of any hash-based verdict cache, not something specific to Sandstorm.

What should I picture when I hear “sandbox”?
- An isolated, segregated environment in which previously unknown files are executed. Known malware is blocked immediately by the regular scanner and never reaches the sandbox; the sandbox is for what the signatures do not recognise, for example new ransomware that only downloads and executes its payload once it is running.
- A place for behaviour-based, dynamic malware analysis: each unknown file is run and observed to see what it actually does, a report is generated and a verdict is sent back.
- Emulated analysis environment for Windows, Mac and Android
- Executable files (32- or 64-bit), DLLs, Office documents and other file types (PDF, HWP, XPF, CHM, JAR, APK), plus archives (ZIP, BZIP, GZIP, RAR, TAR, LHA / LZH, XZ)
2. User-/group-based rule set
There are new configuration options for user- and group-based rules. Previously the only option was to give a device a fixed IP address (via a DHCP reservation or a static configuration) and write firewall rules against that host object. The drawback is that such a rule is bound to the machine rather than the person: a shared or hot-desk system always got the same rule regardless of who was logged on. The Sophos Transparent Authentication Suite (STAS), already familiar from the XG, is now available for the UTM as well. STAS picks up logon events from Microsoft Active Directory and maps the client's IP address to the logged-on user, so firewall and application rules can be written against AD users and groups without any authentication prompt on the client.
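The following is an added example written for this article, not Sophos' or STAS' code. It models what an IP-to-user mapping fed by logon events changes for rule matching: the same machine resolves to different rules depending on who is logged on, an expired mapping falls back to "unauthenticated", and IP-bound rules still work for devices that never log on. The users, groups, addresses, rules and the 8-hour mapping lifetime are all constructed for the example.

```python
"""Added example: identity-based rule matching driven by an IP-to-user table.
Illustrative code for this article, not Sophos' or STAS' implementation;
users, groups, rules, addresses and the mapping TTL are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed AD group membership; a real deployment reads this from the directory.
GROUPS = {
    "alice": {"Finance", "Domain Users"},
    "bob": {"Engineering", "Domain Users"},
}


@dataclass
class AuthEntry:
    user: str
    expires_at: float  # mappings age out; a stale entry must not keep granting access


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "drop"
    dst_port: int
    user: Optional[str] = None    # match one AD user
    group: Optional[str] = None   # or any member of an AD group
    src_ip: Optional[str] = None  # old-style host match (None = any host)


class IdentityFirewall:
    def __init__(self, rules, groups):
        self.rules = rules
        self.groups = groups
        self.auth_table = {}  # ip -> AuthEntry, fed by logon events

    def logon(self, ip, user, now, ttl=8 * 3600):
        # One user per IP: a later logon from the same address replaces the
        # earlier one. This is why multi-user hosts (terminal servers, NAT)
        # cannot be identified by address alone.
        self.auth_table[ip] = AuthEntry(user, now + ttl)

    def logoff(self, ip):
        self.auth_table.pop(ip, None)

    def resolve_user(self, ip, now):
        entry = self.auth_table.get(ip)
        if entry is None:
            return None
        if entry.expires_at <= now:
            del self.auth_table[ip]  # expired: treat as unauthenticated
            return None
        return entry.user

    def evaluate(self, src_ip, dst_port, now):
        """First matching rule wins; no match means default drop."""
        user = self.resolve_user(src_ip, now)
        for r in self.rules:
            if r.dst_port != dst_port:
                continue
            if r.src_ip is not None and r.src_ip != src_ip:
                continue
            if r.user is not None and r.user != user:
                continue
            if r.group is not None:
                if user is None or r.group not in self.groups.get(user, set()):
                    continue
            return r.name, r.action
        return "default", "drop"


# Constructed rule set: three identity rules and one classic IP-bound rule.
RULES = [
    Rule("finance-erp", "allow", 443, group="Finance"),
    Rule("eng-ssh", "allow", 22, group="Engineering"),
    Rule("users-web", "allow", 80, group="Domain Users"),
    Rule("printer-host", "allow", 9100, src_ip="10.0.0.200"),
]
```

The point to take from this is the default: an address with no current mapping is not "the last user who sat there", it is nobody, and only rules that do not name a user or group can match it. That is the safe failure mode when the logon event was missed or has expired.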
3. WAF Persistent Session Cookies
Adds session persistence (sticky sessions) to the WAF: the WAF sets a cookie so that a client's subsequent requests are sent to the same real web server. This improves interoperability with web applications that keep session state locally on each server when the WAF balances load across a web server farm.
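As an added illustration of the mechanism (example code for this article, not Sophos' WAF implementation), the router below pins a client to a backend with a persistence cookie. It also shows the two details a practitioner should check on any such feature: the cookie value is an opaque HMAC rather than the backend's name, so a client can neither learn the farm topology nor pick its backend by editing the cookie, and a cookie pointing at a backend that has gone down is silently replaced instead of causing an error. The backend names, the cookie name `WAFPS` and the key are constructed.

```python
"""Added example: sticky-session routing with a persistent session cookie.
Illustrative code for this article, not Sophos' implementation; backend
names, the cookie name WAFPS and the HMAC key are constructed."""
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie


class StickyRouter:
    """Pins each client to one backend of a web server farm via a cookie."""

    def __init__(self, backends, key, cookie_name="WAFPS"):
        self.backends = list(backends)
        self.healthy = set(backends)
        self.key = key  # secret key; rotate it and the pins simply re-form
        self.cookie_name = cookie_name
        self._rr = 0  # round-robin position for clients that need a new pin

    def _token(self, backend):
        # Opaque, unforgeable marker for a backend. Storing the raw backend
        # name ("web1.internal") would leak farm topology and let a client
        # choose its backend by editing the cookie.
        return hmac.new(self.key, backend.encode(), hashlib.sha256).hexdigest()

    def _backend_from_cookie(self, cookie_header):
        if not cookie_header:
            return None
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except CookieError:  # malformed Cookie header: treat as no cookie
            return None
        morsel = jar.get(self.cookie_name)
        if morsel is None:
            return None
        for b in self.backends:
            # constant-time compare so the token check does not leak via timing
            if hmac.compare_digest(self._token(b), morsel.value):
                return b
        return None  # unknown or tampered value

    def mark_down(self, backend):
        self.healthy.discard(backend)

    def route(self, cookie_header):
        """Return (backend, Set-Cookie value or None) for one request."""
        b = self._backend_from_cookie(cookie_header)
        if b is not None and b in self.healthy:
            return b, None  # valid cookie, backend alive: stick to it
        # New client, bad cookie, or pinned backend is down: assign afresh.
        alive = [x for x in self.backends if x in self.healthy]
        if not alive:
            raise RuntimeError("no healthy backends")
        b = alive[self._rr % len(alive)]
        self._rr += 1
        set_cookie = f"{self.cookie_name}={self._token(b)}; Path=/; Secure; HttpOnly"
        return b, set_cookie
```

When evaluating a real WAF's persistence option, the questions this example answers are the ones to ask: is the cookie value opaque, is it flagged `Secure` and `HttpOnly`, and what happens to pinned clients when a real web server is removed from the farm.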
4. IPv6 SSL VPN support
Adds the much-requested IPv6 support to the SSL VPN.
When is the final release of version 9.4?
The first UTMs will receive the update in March. It will be available for everyone by April at the latest. If you do not want to wait and would like to install version 9.4 immediately, feel free to contact us.
