As we get closer to launching the early-access program (EAP) for Sophos ZTNA, we wanted to answer a lot of your questions about our solution and what to expect.
You can learn more about ZTNA and register for the early-access program today to stay informed and be the first to know when the EAP starts.
Early-access program registration
The early-access program is expected to start in early March. Learn more and register for the EAP today at sophos.com/ztna!
Frequently asked questions about Sophos ZTNA
What is ZTNA all about?
Please review this previous article for a great overview of Zero Trust Network Access.
What are the benefits of ZTNA compared to remote-access VPN?
While remote-access VPN continues to serve us well, ZTNA offers a number of added benefits that make it a more attractive solution for connecting users to important applications and data:
- More granular control: ZTNA allows more granular control over who can access applications and data, minimizing lateral movement and improving segmentation. VPN is all-or-nothing: once on the network, VPN generally offers access to everything.
- Better security: ZTNA removes implicit trust and incorporates device status and health into access policies, which further enhances security. VPN does not consider device status, which can expose application data to a compromised or non-compliant device.
- Easier to enroll staff: ZTNA is much easier to roll out and makes it easier to enroll new employees, especially when they are working remotely. VPN is more challenging to set up and deploy.
- Transparent to users: ZTNA offers “just works” transparency to users with frictionless connection management. VPN can be difficult and prone to initiating support calls.
What does Sophos ZTNA include?
Sophos ZTNA is a brand new cloud-delivered, cloud-managed product to easily and transparently secure important networked applications with granular controls. It’s scheduled to enter early access soon.
Sophos ZTNA consists of three components:
- Sophos Central provides the ultimate cloud management and reporting solution for all Sophos products, including Sophos ZTNA. Sophos ZTNA is fully cloud-enabled, with Sophos Central providing easy deployment, granular policy management, and insightful reporting from the cloud.
- Sophos ZTNA Gateway will come as a virtual appliance for a variety of platforms to secure networked applications on-premise or in the public cloud, with AWS and VMware ESXi support available initially, closely followed by Azure, Hyper-V, Nutanix, and others.
- Sophos ZTNA Client provides transparent and frictionless connectivity to controlled applications for end users based on identity and device health. It will integrate with Synchronized Security for Heartbeat and device health. It is super easy to deploy from Sophos Central, with an option to deploy alongside Intercept X with just one click, or it can work stand-alone with any desktop AV client (obtaining health status from Windows Security Center). It will initially support Windows, followed by macOS, and later Linux and mobile device platforms as well.
When will Sophos ZTNA be available?
The first phase of the early-access program (EAP) is targeted for early March. Launch is expected to be around mid-year 2021. You can register now for the EAP.
Which types of applications are ideal for ZTNA?
Sophos ZTNA can provide secure connectivity for any networked application hosted on the company’s on-premise network, or in the public cloud or any other hosting site. Everything from RDP access to network file shares to applications like Jira, wikis, source code repositories, support and ticketing apps, etc.
ZTNA does not control access to SaaS applications like Salesforce.com or Office365, which are public internet-facing applications servicing many customers by design. Secure access to these applications is provided by the SaaS vendor and the application, and is often further enhanced through multi-factor authentication.
Which client, gateway, and identity platforms will be supported?
- Client platforms will initially include a clientless option across all client platforms (EAP1), native Windows support (EAP2 and GA), macOS support (early 2022), and then Linux and mobile device platforms (iOS and Android) in the future. Device health will initially be assessed via Synchronized Security Heartbeat status (EAP2 and GA), followed by Windows Security Center (early 2022), with additional device assessments to be integrated in the future.
- Gateway platforms will be virtual appliances only (no hardware) and initially include VMware ESXi for EAP1, then AWS public cloud for EAP2 and GA. This will be expanded to include other platforms like Azure, Hyper-V, Nutanix, K8S, and GCP following launch.
- For identity, Sophos ZTNA will initially support Azure Active Directory (AD) for EAP1 and Okta in EAP2. Supported directory services for EAP2 and GA include Azure and on-premise AD (including AD Sync supported by Sophos Central today). Customers can take advantage of Azure’s MFA options right away, with support for third-party MFA solutions coming in a future release.
Is ZTNA a stand-alone product or does it require another Sophos product?
Sophos ZTNA is a stand-alone product and does not require any other Sophos products. It is managed by Sophos Central, which is free, and obviously offers a ton of benefits when customers have other Sophos products. It can easily deploy alongside Intercept X, but Intercept X is not a requirement. Sophos ZTNA can also work alongside any vendor’s desktop AV or firewall.
How will Sophos ZTNA client deployment work?
Sophos ZTNA will be an easy-to-deploy option alongside Intercept X and device encryption when protecting devices from Sophos Central, as shown below…
Will ZTNA integrate with Sophos XG Firewall and Intercept X?
Sophos ZTNA is fully compatible with XG Firewall and Sophos Intercept X. In fact, it takes advantage of Security Heartbeat to assess device health, which can be used in ZTNA policies.
As mentioned above, deployment of the ZTNA client can easily happen as part of an Intercept X roll-out: it’s as simple as checking a box. Of course, Sophos ZTNA can also work perfectly with other vendor desktop AV or firewall products, but it will work better together with Sophos products such as XG Firewall and Intercept X.
How will licensing and pricing work?
Sophos ZTNA will be licensed on a user basis like our endpoint products, not per user-device. So if a user has three devices, they only require one license.
Customers can deploy as many ZTNA gateways as they need to protect all their apps. There is no charge for the gateway or for Sophos Central management.
How does ZTNA compare to…
Duo?
Duo is an identity technology provider focused on multi-factor authentication (MFA) to help users verify their identity. Identity and MFA – and thus Duo – are parts of a ZTNA solution. ZTNA also verifies device health. Sophos ZTNA will initially support Azure MFA and any identity provider that integrates with Azure, including Duo and other MFA solutions as well.
NAC?
NAC and ZTNA technologies may sound similar as they are both about providing access, but that’s where the similarities end. Network access control (NAC) is concerned with controlling physical access to a local on-premise network, while ZTNA is concerned with controlling access to data and specific network applications regardless of which network they are on.
VPN?
While remote-access VPN has served us well, ZTNA has a number of benefits when compared to VPN, as outlined above. Of course, there will be some situations where VPN continues to be a good solution: where a relatively small number of people (e.g. the IT department) needs broad access to network applications and services to manage them.
VPN will still be instrumental for site-to-site connectivity but for most organizations’ users, ZTNA can replace remote-access VPN to provide a better, more granular security solution – all while being more transparent and easier for users.
Firewalls?
ZTNA is complementary to a firewall, just as VPN is complementary to a firewall. The firewall still plays a critically important role in protecting corporate network and data center assets from attacks, threats, and unauthorized access. ZTNA bolsters a firewall by adding granular controls and security for networked applications in the cloud or on-premise.
WAF?
WAF and ZTNA are designed to protect different types of applications from different types of users. WAF is designed to protect and secure public applications by providing firewall, threat detection, and other hardening like SQL injection attack defenses. ZTNA is designed to control access to internal applications. It is not designed to provide public access; in fact, it is designed to ensure public users cannot access ZTNA-protected apps.
Synchronized Security?
ZTNA and Synchronized Security are both conceptually similar in that they both can use device health to determine network access privileges. In fact, Sophos ZTNA will use Security Heartbeat as a key component in assessing device health.
If a user has a device with a red Heartbeat, their application access can be limited through policy, just as their network access can be limited on the firewall. However, ZTNA goes further than Synchronized Security by also integrating user identity verification.
ZTNA is also more about controlling privilege and access to applications, while Synchronized Security is more about automated response to threats and preventing threats from moving or stealing data.
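The access model described above (identity verification plus device health, evaluated per application rather than per network) can be made concrete with a small policy evaluator. The following is an added example written for this page; it is not Sophos code and does not reflect how the Sophos ZTNA Gateway or Sophos Central implement policy. The application names, group names and the three-level health scale are constructed for illustration; the `vpn_evaluate` function stands in for the all-or-nothing VPN behaviour the FAQ contrasts against.

```python
"""Added example (not Sophos code): a minimal default-deny, ZTNA-style
policy evaluator.

Every request is denied unless an explicit per-application rule admits the
caller's identity AND the device's Heartbeat health. A VPN, by contrast,
grants network reach to every application once the login succeeds.
"""
from dataclasses import dataclass
from enum import IntEnum


class Health(IntEnum):
    """Device health as reported by Security Heartbeat (worse < better)."""
    RED = 0
    YELLOW = 1
    GREEN = 2


@dataclass(frozen=True)
class Rule:
    app: str
    groups: frozenset          # identity groups permitted to reach this app
    min_health: Health         # minimum device health required


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    authenticated: bool        # identity verified by the IdP (MFA etc.)
    health: Health
    app: str


# Constructed sample policy: hypothetical application and group names.
POLICY = [
    Rule("jira", frozenset({"engineering", "support"}), Health.GREEN),
    Rule("fileshare", frozenset({"engineering"}), Health.YELLOW),
    Rule("rdp-admin", frozenset({"it-admins"}), Health.GREEN),
]


def evaluate(req: Request, policy=POLICY) -> tuple[bool, str]:
    """Default-deny: return (allowed, reason). Identity is checked first,
    then the per-application rule, then device health."""
    if not req.authenticated:
        return False, "identity not verified"
    rule = next((r for r in policy if r.app == req.app), None)
    if rule is None:
        # No implicit trust: an application without a rule is unreachable.
        return False, f"no rule for application {req.app!r}"
    if not (req.groups & rule.groups):
        return False, f"user {req.user!r} not in an authorised group"
    if req.health < rule.min_health:
        return False, f"device health {req.health.name} below {rule.min_health.name}"
    return True, "allowed"


def vpn_evaluate(req: Request) -> tuple[bool, str]:
    """All-or-nothing comparison: once the login succeeds, a VPN exposes the
    whole network regardless of application or device health."""
    if not req.authenticated:
        return False, "login failed"
    return True, "on the network: every application reachable"


def reachable_apps(req_base: Request, policy=POLICY) -> list[str]:
    """List the applications this user/device combination may reach."""
    allowed = []
    for r in policy:
        ok, _ = evaluate(Request(req_base.user, req_base.groups,
                                 req_base.authenticated, req_base.health, r.app),
                         policy)
        if ok:
            allowed.append(r.app)
    return allowed


if __name__ == "__main__":
    alice_green = Request("alice", frozenset({"engineering"}), True, Health.GREEN, "jira")
    alice_red = Request("alice", frozenset({"engineering"}), True, Health.RED, "jira")
    for r in (alice_green, alice_red):
        print(r.app, r.health.name, evaluate(r), "| VPN:", vpn_evaluate(r))
    print("reachable with a red Heartbeat:", reachable_apps(alice_red))
```

Running the script shows the same user being admitted to Jira with a green Heartbeat and refused with a red one, while the VPN comparison admits both; `reachable_apps` makes the segmentation point visible, since a degraded device keeps only the applications whose rule tolerates that health level.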
SASE?
SASE (pronounced “sassy”) or secure access service edge, is about the cloud delivery of networking and security, and includes many components such as firewalls, SD-WAN, secure web gateways, CASB, and ZTNA. It’s designed to secure any user on any network, anywhere through the cloud. So as you can see, ZTNA is a component of SASE and will be an essential part of our overall SASE strategy.
To learn more about Sophos ZTNA and sign up for the early-access program, visit our ZTNA website.
View deployment scenarios for configuring access points as root, repeater, or bridge.
An access point configured to use the mesh network turns into a repeater and scans for the mesh network if it fails to connect over its LAN connection. If a mesh network is found, the access point joins it as a client. An access point can be configured as root, repeater (mesh), or bridge. The role of each access point is determined on the network.
We recommend that you set the root access point to 5 GHz and the client to 2.4 GHz. The maximum throughput of a mesh client configured with 5 GHz is reduced by 50% per hop. This happens because data packets sent to the access point are forwarded on to other access points, which consumes additional airtime.
Deployment possibilities
In mesh mode, you can configure multiple mesh (repeater) access points with one root access point. There can be multiple root access points. A mesh access point can broadcast the SSID from the root access point to cover a larger area without using cables.
A mesh network can also be used to bridge Ethernet networks without laying cables. To run a wireless bridge, you have to plug in your second Ethernet segment into the Ethernet interface of the mesh access point. The first Ethernet segment is the one on which the root access point connects to Sophos Central.
Good to know
There are some things you should know about mesh networks:
- You can create a mesh network only with Sophos access points.
- For setting up a mesh network, you must create a new SSID.
- You can have only one mesh SSID.
- At least one access point must have a LAN connection.
- Mesh access points must be on the same channel.
- Avoid using dynamic channel selection as channels of access points may differ after a restart.
- The mesh network may need up to five minutes to be available after configuration.
- There is no automatic takeover of the root access point. The connection to a mesh occurs during a boot.
- For APX access points, there is no need to specify the mesh role. If the mesh-enabled SSID is pushed to two APX access points, the one with the existing Ethernet connection becomes the root AP. Once the mesh-enabled SSIDs are pushed to the APX access points, we recommend that you reboot them. During the boot sequence, the AP with Ethernet connectivity becomes the root and the one without Ethernet becomes the mesh client.
- Mesh networks can only be created between access points of the same series. For example, APX access points can only create a mesh network with other APX access points.