Sophos UTM Elevated 9.4: Sandbox, User/Group Rules and WAF Cookies
The new Firmware version 9.4 for the UTM is ready to go. The final has already been released. Even though the XG series introduced the new operating system Sophos Firewall OS (SFOS), the UTM is far from dead. We can definitely confirm this at first hand. We were at the Sophos roadshow in Zurich last week. Both operating systems are being developed in parallel and the UTM roadmap goes at least until 2017. So it doesn’t look like a quick change of guard. Especially since we still recommend the SG-Series and would only consider a change with the upcoming update of the Sophos Firewall OS in summer 2016.
But let’s take a look at what the new Sophos UTM Elevated 9.4 firmware has to offer.
Sophos UTM Elevated 9.4 enhancements
1. Sophos Sandstorm
The main renewal comes with the sandboxing solution Sandstorm, which we have already announced in a previous post. With 9.4, Sandstorm is now integrated into the system and can be activated after purchasing a license. Licenses can be ordered immediately from our Sophos shop for SG Firewall or XG Firewall. Simply click on your hardware model and select the new
Sophos Sandstorm is currently only available for UTM 9.4. XG firewall owners with the Sophos Firewall OS must wait a little longer. Sophos Sandstorm is also not included in the FullGuard bundle and must be purchased separately.
Update: Sophos Sandstorm is now available for UTM and SFOS and can be purchased separately or in a bundle.
What exactly does Sophos Sandstorm do?
Sophos Sandstorm complements Sophos’s existing security products by providing additional protection against Advanced Persistent Threats (APT) and zero-day malware. All files downloaded, whether on the web or via mail protection, are handled as follows.
The firewall generates a hash value for the file and checks whether it has already been scanned. If the file has already been checked, it is already clear whether it should be allowed or blocked. If the file is unknown, it will be transferred to SophosLabs for analysis. After the analysis, a report is generated for this file, showing exactly what the file tried to do. Finally, the file is deleted from the Sophos servers.
What do I have to think of as a “sandbox”?
- An isolated, separated environment in which (unknown) files are executed. Clearly known malware is blocked immediately and does not need to be sandboxed first. But, for example, new ransomware that downloads and executes code in the background is recognised by this technique.
- A place for behaviour-based, dynamic malware analysis. Each file is executed and what it does is analysed. A report is then created and an assessment is sent back.
- Emulated analysis environment for Windows, Mac and Android
- Executable files (32 or 64 bit), DLLs, Office documents and other file types (DF, HWP, XPF, CHM, JAR, APK) as well as archives (ZIP, BZIP, GZIP, RAR, TAR, LHA/LZH, XZ)
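The hash-then-analyse flow described above (fingerprint the download, reuse a known verdict, otherwise send the unknown file for analysis and keep only the report), as an added illustration that is not Sophos code. The `SandboxGateway` class, the `toy_analyzer` stand-in for the SophosLabs analysis and its detection rule are all constructed for this example.

```python
# Constructed model of the flow described above; not Sophos code.
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

Verdict = str  # "allow" or "block"


@dataclass
class SandboxGateway:
    # Stand-in for the SophosLabs analysis: bytes in, (verdict, report) out.
    analyzer: Callable[[bytes], Tuple[Verdict, str]]
    # Verdicts already known per SHA-256, so each distinct file is analysed once.
    cache: Dict[str, Verdict] = field(default_factory=dict)
    reports: Dict[str, str] = field(default_factory=dict)
    analyses: int = 0  # files actually sent for analysis

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def check(self, data: bytes) -> Tuple[Verdict, bool]:
        # Returns (verdict, sent_for_analysis) for one downloaded file.
        digest = self.fingerprint(data)
        if digest in self.cache:           # already scanned: decide from cache
            return self.cache[digest], False
        verdict, report = self.analyzer(data)  # unknown: detonate in the sandbox
        self.analyses += 1
        self.cache[digest] = verdict       # keep verdict and report, not the file
        self.reports[digest] = report
        return verdict, True


def toy_analyzer(data: bytes) -> Tuple[Verdict, str]:
    # Made-up rule: a real sandbox observes behaviour, not a string in the file.
    if b"download-and-execute" in data:
        return "block", "sample fetched and ran a second-stage payload"
    return "allow", "no suspicious behaviour observed"


def demo() -> dict:
    gw = SandboxGateway(analyzer=toy_analyzer)
    benign = b"quarterly-report.docx: plain text body"        # constructed
    dropper = b"invoice.exe: download-and-execute stage two"  # constructed
    variant = dropper + b" (repacked)"  # same behaviour, new hash
    first = gw.check(dropper)
    second = gw.check(dropper)  # identical bytes: served from the cache
    third = gw.check(variant)   # different hash: analysed again
    return {"first": first, "second": second, "third": third,
            "benign": gw.check(benign), "analyses": gw.analyses}
```

The `variant` case shows the caveat of a content-hash cache: a repacked sample with the same behaviour has a new hash and must be analysed again, which is why the behavioural analysis, not the hash lookup, carries the detection.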
2. User/group-based set of rules
There are now also new configuration options to define user- or group-based rules. Until now, it was only possible to assign a fixed IP address to a device via DHCP or directly on the system and then create firewall rules for this object. This had the disadvantage that computers not assigned to a fixed employee always received the same rules. The Sophos Transparent Authentication Suite (STAS), known from the XG, is now also available for the UTM. This makes it possible to create transparent authentication for firewall and application rules with Microsoft Active Directory.
3. WAF Persistent Session Cookies
Improves interoperability with web applications and web server farms.
4. IPv6 SSL VPN Support
Adds the frequently requested support for IPv6 VPN.
When is the final release of version 9.4?
The first UTMs will receive the update in March. It will be available for everyone by April at the latest. If you can’t wait any longer and want to install version 9.4 now, feel free to contact us.