Severely restrict computers unless Endpoint/Intercept is installed/updated

I'm managing a network for a new client that retained our services after a serious malware incident took down their network. Approximately 40 users and 5 servers at headquarters on a Windows domain, and approximately 30 branch locations. Branch location employees sometimes visit HQ and need access to IT resources. The client also has some internal break/fix staff that travel between stores and HQ.

HQ has a reasonably new Sonicwall and isn't interested in upgrading. Nearly all branches have new Sonicwalls. At some point down the road we will talk about an XG at headquarters and RED devices at the stores but we aren't there yet.

Due to some transient employee traffic on the network with endpoints I can't be sure are properly protected, I need to restrict those users to a locked down corner of the network UNLESS they install Endpoint. Until they do so, they get hotspot access only. No servers, no sharepoint, no printers, etc. 

Purchased products- Endpoint Advanced; Server Advanced; Safeguard Encryption

Obviously I do not have an XG Firewall in the equation yet and may not have one as the edge device for some time yet. I would like to use Heartbeat to make sure only Green/Yellow status PCs can access servers or other computers on the network. This would prevent computers with no protection, or those with shadow IT protection, from infecting my network.

Would a virtual XG or a small XG in Discovery/TAP mode enable Heartbeat functionality on the network while allowing me to leave the Sonicwall in place? Is there another possibility I'm missing? 

The "new security" we've implemented hasn't made me many friends in that office, and their staff IT who know just enough to be dangerous are doing whatever they can to circumvent installing Endpoint on their machines. I have C-suite buy-in, but I'd prefer not to have their boss tell them they have to do it, preferring to simply restrict them out of the network until they comply. I'm trying to figure out a reasonable way to protect the network by simply keeping non-compliant endpoints off of it. Ideally they'd install Endpoint from a captive portal and everything would just work for them.

  • Hey there,

    I want to preface this that I am an endpoint engineer, who is moving into the Network team & has prior XG knowledge. Take what I say with a small grain of salt :)

    The XG in Discovery/TAP is going to be unable to accomplish what you want here due to not being able to control the actual flow of traffic in your network. You will need to have Gateway (route) or Bridged (transparent) mode as that way you can apply security policies and firewall rules. Please see a KB article here: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/SynchronizedSecurityinDiscoverTAPMode.pdf with a bit more info on Synchronized Security in TAP mode. In short, I don't think TAP mode is going to be able to provide the functionality you require here, or at least the proactive auto-isolation.

    Within Intercept X with EDR you can have client auto-isolation, but that doesn't solve the issue of clients that do not have Sophos. The only other option I can think of -- and this goes out of the realm of Sophos here, so I don't know how this would apply for you -- is the following.

    Wireless Authentication requiring a certificate? EAP-TLS that is deployed via a group policy, and, as such you can have the same policy deploy Sophos too? So all computers that are "managed" by the domain will install Sophos, get the wireless certificate & can then have client auto-isolation then.

    The presence of an XG firewall in Gateway/Bridged mode would make this significantly easier, as you know, but those are my thoughts on it. I don't think a simple, easy option is available without the XG being in-line and managing inbound/outbound traffic.

    I hope that makes some sense?

    Let me know if I can answer anything else.

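One way to verify on a domain-joined host that both halves of the approach Riley outlines are actually in place (a machine certificate usable for EAP-TLS and a running endpoint agent), written as an added PowerShell example that is not part of this thread or of Sophos's own tooling. The issuing CA name and the service-name pattern are assumptions to adjust for the environment.

```powershell
# Added example: compliance check for the "GPO deploys both the EAP-TLS certificate
# and the endpoint agent" scheme. Run it from a GPO startup script or a scheduled
# task; a non-zero exit code lets monitoring flag hosts that should not be on the
# production network yet.

$ClientAuthEku  = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU OID (standard value)
$IssuerPattern  = 'CN=CORP-ISSUING-CA*'    # ASSUMPTION: subject of the enterprise CA the RADIUS server trusts
$ServicePattern = 'Sophos*'                # ASSUMPTION: the endpoint agent's Windows service names start with "Sophos"

function Test-EapTlsCertificate {
    # A certificate is usable for EAP-TLS only if it sits in the machine store,
    # has its private key, carries the Client Authentication EKU, is time-valid
    # and was issued by the CA the RADIUS server trusts. Returns the first match.
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.Issuer -like $IssuerPattern -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
        } | Select-Object -First 1
}

function Test-EndpointAgent {
    # Protected only if at least one agent service exists and none of them is
    # stopped: an installed-but-stopped agent is the "shadow IT" case, not protection.
    $svc = @(Get-Service -Name $ServicePattern -ErrorAction SilentlyContinue)
    $stopped = @($svc | Where-Object { $_.Status -ne 'Running' })
    return ($svc.Count -gt 0) -and ($stopped.Count -eq 0)
}

$cert  = Test-EapTlsCertificate
$agent = Test-EndpointAgent
$result = [pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    HasEapTlsCert   = [bool]$cert
    CertExpires     = if ($cert) { $cert.NotAfter } else { $null }
    EndpointRunning = $agent
    Compliant       = ([bool]$cert) -and $agent
}
$result | Format-List

# Non-zero exit so a scheduled task or monitoring job can act on non-compliance.
if (-not $result.Compliant) { exit 1 }
```
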
  • It would seem, then, that the only way to truly take advantage of the client isolation aspect of the system is to put an XG unit in the gateway position to achieve isolation of an unsafe/unverified endpoint. I wonder then if the Safeguard key revocation function would operate from a Discovery/TAP configuration. Unfortunately, a staged rollout is the only thing that is going to be acceptable at this point, and the client has too much invested in Sonicwall to mothball them this early into their lifecycle. I appreciate your observations, Riley.

    I.T. Professionals of Florida