
Security Heartbeat, Client isolated, Lateral movement in one subnet

Hello Community,


I am looking for a technical description of Security Heartbeat, more precisely: How far is the client isolated in the subnet?

If I have an environment with only one subnet where clients and servers reside (all with Sophos Central AV), with XG Firewall: Can the XG isolate a client and prevent communication to another client/server on the same subnet?

No, the XG only prevents communication to the WAN or other subnets. The client can still reach all other clients/servers on the same subnet. To prevent this the client must isolate itself and "Lateral Movement" (Central: Reject network connections) must be active. Do I see this correctly?

The smartest solution would be a network segmentation where the XG controls the communication between the networks, dependent on the Security Heartbeat.

Thanks for a few thoughts

Best

Matthias



  • Hi Dr. Brezner,

    Yes, you are right: isolation with XG is only possible if the XG is in the communication path. So a network segmentation is a useful step, and if you keep the servers in the main subnet and move only the clients (DHCP-based) to a new subnet, it should not be a hard task.

    We have some setups with Security Heartbeat in the wild and it will give you several challenges.

    An example of what we discovered at a customer's self-deployed site:

    - Client does not have the current update or has a small malfunction after the Sophos engine update -> means going to RED

    - All other devices will block traffic from the endpoint (including servers)

    - After a reboot the client is healthy but still blocked and not able to communicate with the internet

    Reason: the DNS servers run Sophos IXA and do not accept any traffic from the "red" endpoint

    - Client cannot submit to Central that it is in "green" condition

    This scenario ends in a chicken-and-egg problem ;)

    Solution is to set the firewall as DNS (which is also better for advanced security)

    So we prefer to do a "treasure" firewalling: protecting the servers & services with detailed application- and user-based policies. It is easy to set & monitor a fallback scenario in case of getting a bad heartbeat reputation.

    Hope that is helpful for your task

  • FormerMember

    Hi,

    Thank you for reaching out to the Community!

    "Lateral Movement Protection extends Security Heartbeat auto-isolation feature by also informing all healthy endpoints to further isolate a compromised device at the endpoint. This has the added benefit of working on the same network segment also known as a broadcast domain or subnet where endpoint computers are typically connected together through a switch. Lateral Movement Protection can dramatically reduce the exposure to threats spreading within the network."

    Please check out the following document for more info: FAQ on Synchronized Security features in SFOS version 17.5.

    Thanks,
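
The isolation rules discussed across this thread (XG heartbeat rules only affect traffic that crosses the firewall, LMP on a healthy peer is what blocks a red endpoint inside one subnet, and the DNS chicken-and-egg case from the first reply), as an added toy model that is not code from any post or from Sophos; host names, subnets and the `Host` fields are constructed assumptions.

```python
"""Toy reachability model of Security Heartbeat / Lateral Movement Protection
(LMP) as described in this thread. Constructed for illustration only; it does
not talk to any Sophos product and all hosts are made up."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    subnet: str
    heartbeat: str = "green"   # reputation as currently known to peers and XG
    sophos_agent: bool = True  # runs the Central endpoint agent
    lmp: bool = False          # Lateral Movement Protection enabled


def allowed(src: Host, dst: Host) -> bool:
    """Can traffic from src reach dst under the current heartbeat state?"""
    if src.subnet != dst.subnet:
        # Crosses the XG: the heartbeat firewall rule drops red sources.
        return src.heartbeat != "red"
    # Same subnet: the switch forwards directly and the XG never sees it.
    # Only a healthy peer running the agent with LMP refuses a red endpoint.
    peer_blocks = dst.sophos_agent and dst.lmp and dst.heartbeat == "green"
    return not (peer_blocks and src.heartbeat == "red")


def can_recover(client: Host, resolver: Host) -> bool:
    """After a reboot the client is healthy again, but peers still hold its
    last known 'red' reputation. It can only report green to Central if it
    can still reach its DNS resolver from that stale state."""
    return allowed(client, resolver)


def demo() -> dict:
    lan = "10.0.1.0/24"                              # constructed addressing
    client = Host("pc-17", lan, heartbeat="red")
    server = Host("file-01", lan)                    # agent, no LMP
    server_lmp = Host("file-02", lan, lmp=True)      # agent with LMP
    dmz = Host("web-01", "10.0.2.0/24")              # behind the XG
    dns_endpoint = Host("dc-01", lan, lmp=True)      # DNS on a protected server
    dns_firewall = Host("xg", lan, sophos_agent=False)  # XG used as resolver
    return {
        "same_subnet_no_lmp": allowed(client, server),
        "same_subnet_lmp": allowed(client, server_lmp),
        "cross_subnet": allowed(client, dmz),
        "recover_dns_on_endpoint": can_recover(client, dns_endpoint),
        "recover_dns_on_xg": can_recover(client, dns_firewall),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'blocked'}")
```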