
XG Firewall HeartBeat with existing Anti-Virus

Hi,

I will start using Firewall XG for the first time, and from what I read in the documentation it has a heartbeat feature that requires installing a local agent on each computer on the network to ensure max protection, correct?

At the moment all my office computers already run Kaspersky Anti-Virus, and I would like to keep it in order to have double protection (Sophos XG Firewall + Kaspersky), but I don't know whether it will cause problems / compatibility issues.

So my question is whether I can install the Sophos Firewall XG agent alongside Kaspersky, having both running at the same time, OR whether in order to install the XG Firewall agent I need to remove/uninstall Kaspersky?

Thanks!



  •  

    nqserv,

    It depends on where you are doubling up on your protection.  In other words we really need to know what Kaspersky products you have deployed or wish to use.

    If you are talking about having dual End Point protection on your computers, most End Point protection systems don't allow other End Point protection systems to run on the same End Point.  You can only install one active vendor, but you can have as many different passive cleaners you want - like Sophos Clean.

    If you are talking about running two Firewall scanning systems, this can cause problems.  To solve this, Sophos includes two Anti-Malware Scan engines in the Sophos XG Firewall: Sophos and Avira.  By default, your XG Firewall uses the Sophos scanning engine, but you can set your XG Firewall to use Avira or Dual Scan (both).

    If you want to integrate your XG Firewall with your End Points, you can purchase Intercept X or Sophos EndPoint which integrates with the Sophos XG Firewall through Sophos Central and Security Heartbeat.  *In order to use Security Heartbeat with XG Firewall, you must set the scan engine to the default Sophos engine or Dual Engine protection.*  If you have 10 computers or less, you can use Sophos Home on your computers for free, but Sophos Home doesn't integrate with XG Firewall, Sophos Central, or Security Heartbeat.

    So yes, you can use Sophos XG Firewall alongside Kaspersky depending on what Kaspersky products you have deployed.  Intercept X is also designed to be used alongside other AV products like Kaspersky.

  • I'm curious what you mean about 2 firewall scanning systems.

    For example, I have Bitdefender which has a software "firewall". What I'm concerned about is whether the Sophos XG scanning clashes with the OS AV I have on my endpoint. 

    I tried to download a test file to see if the Sophos XG scanning was working, but having problems confirming this. What happened when I downloaded the test malware was that Bitdefender picked up on it and disinfected it. I assume this just means I need to troubleshoot the XG, as it probably shouldn't have even tried to land on my desktop in the first place if the XG scanning had been working?

    I also tested a webpage that should have been blocked, but I don't believe I got the right result.

    Essentially what I'd like to know is if there would be any conflicts between a user's personal choice of endpoint AV, and using the XG firewall WITHOUT heartbeat, and probably not requiring it.

    Also can a home user buy a single license of Intercept X? It looks quite interesting.

    Thanks

  • Mike,

    Thanks for asking.  My initial response was vague.  I'm happy to explain in more detail:

    First of all, the Sophos XG Firewall is a physical appliance.  It normally sits at the "head" of your network.  It can be the "active" gateway of your network, or it can be a "passive" device between your gateway and the ISP modem, between your gateway and the router, or between the Router/Gateway and the rest of your network.  You can buy an XG Firewall assembled by Sophos.  You download the Sophos XG Firewall software and install it into your own firewall appliance or PC (not a PC for a desktop).  You can deploy the XG firewall software or readily available virtual images in VMWare, Citrix, Hyper-V, Oracle, and other virtualization platforms such as in Amazon, Google, and Rackspace.  I assembled my own firewall at home, but I ordered two from Sophos for my office.  I have also deployed virtual firewalls for clients.  Regardless of which XG product you deploy, they all work the same. If you have multiple gateways/ISPs you can deploy an XG firewall on each of them and run the XG Firewalls in "active" parallel high-availability to share bandwidth and provide automatic failover.

    Mike G said:
     For example, I have Bitdefender which has a software "firewall". What I'm concerned about is whether the Sophos XG scanning clashes with the OS AV I have on my endpoint.  Essentially what I'd like to know is if there would be any conflicts between a users personal choice of endpoint AV, and using the XG firewall WITHOUT heartbeat, and probably not requiring it.

    Second, the XG Firewall doesn't install on end points, nor does it access them.  There is no XG Firewall agent.  This means the XG Firewall doesn't scan endpoints or any other device on your network.  The XG Firewall is a true firewall in that it merely scans the packets traveling through the firewall on the zones/interfaces/ports/vlans/services you choose.  Any Antivirus/AntiMalware you have on your endpoints, including software firewalls, will run separately. This means your existing Kaspersky and BitDefender end point software is separate and unaffected by your Sophos XG Firewall (unless you use the XG Firewall to block a service/port required by Kaspersky or Bitdefender).  I have Sophos Home on my personal Mac and the Macs of my relatives which run separately from the Sophos XG Firewalls at their locations and mine.

    Mike G said:
     I'm curious what you mean about 2 firewall scanning systems.

    I originally thought nqserv was deploying two firewall appliances.  That is not the case, but there is still a dual scan option that you should know about.  The XG Firewall comes with two scanning engines.  The default scan in the XG Firewall is conducted by the Sophos Scanning Engine. Sophos also includes another option.  You can choose to use the Avira engine instead.  You can also choose to activate both in dual scanning.   This setting applies across the entire firewall regardless of other settings.  You can build more complex controls depending on the websites, services, VPNs, Intrusion Prevention, and Advanced Threats you wish to manage.  You can also integrate other Sophos products to work with your XG Firewall and extend coordinated security across the network.

    Mike G said:
    Also can a home user buy a single license of Intercept X? It looks quite interesting. 

    Sophos specializes in Enterprise security.   Every XG Firewall is enterprise level security; including the "Home" evaluation version.  The XG Firewall is adaptable to be used in any environment from Enterprise down to SOHO.  The device in which you deploy the XG Firewall determines capabilities and limitations.  Better appliances with more powerful CPUs and more ports allows more complex security options to be built.  For home use, a small Firewall Appliance or an old PC with multiple network ports will suffice.

    By default the XG Firewall scans outgoing data/requests and matches them to incoming responses.  Synchronized Services is not activated by default as it requires Sophos Central.  With the exception of Sophos Secure Wi-fi Access Points, coordinating the XG Firewall with Synchronized Services requires Sophos Central.  You also need to install Sophos End Point Protection on your End Points.  You can get Sophos End Point Protection separately, but if you purchase Intercept X, it comes with End Point Protection.  The smallest license pack in which you can get End Point Protection is 25 devices, but it is still very affordable for many home users with less than 25 devices.   If you deploy the End Point Protection or any other Sophos product on your End Point, it will ask you to remove your Kaspersky, BitDefender, and other AV/AM products.

     

    I hope this answers your questions . Since you are asking about some of the Synchronized Security, I wish to shed more light on the advanced ideas you wanted to test:

    I like that no matter how complex I arrange Sophos security, the products continue to have little to no impact on system resources.  I love the synchronized security of Sophos XG Firewall with Intercept X and End Point Protection.  If an end point detects malware in itself or communicating from an IoT device such as a printer, the End Point will alert the Firewall and other End Points.  If the firewall detects an infiltration, attack, or some other issue, the XG Firewall will alert your end points. If you have Intercept X, it gets even better.  Intercept X will give you the explanation of where the malware originated, where it went, what it did, and most importantly, what it reported or sent out of your network.  Did it come from an encrypted printer update through the firewall? Did it come from a smartphone or wireless device talking to the network through Wi-Fi? Did it come from a thumb drive in a USB port?  What did it do?  Are my files now encrypted in ransomware?  Did all my financial data and username/passwords get sent out to some hacker?  Did a bunch of invisible backdoors get installed on my devices and firewalls?  Intercept X will show you.  Not only will you be alerted to the issue and shown what happened, Sophos Synchronized Services can manage all your Sophos products to automatically manage the situation.  Chances are that the issue didn't affect you at all as the Sophos Central suite can automatically react to stop, clean, and reestablish proper security when it senses an issue.  For example, if Active X detects active ransomware, Sophos Central will direct End Point Protection to stop the ransomware, decrypt anything that was encrypted, replace any locked files with clean backups from just before the attack.  End Point Protection, Intercept X, and XG Firewall with Secure Wifi APs will work together to identify any data that was exfiltrated out of your network and secure all ports better.  If you don't have the default automatic coordinated response turned on, you can control scanning, cleanup, and settings remotely without needing to go to every device - even when you're away from home.

    If you have Sophos Secure Wi-Fi, Sophos Mobile Device Management, and Sophos Encryption deployed, it gets even easier to manage more concerns and solve the few remaining issues that pop up.  If you're only dealing with Home level needs, you probably don't need Sophos Encryption as it merely serves the need of Data Loss Prevention, and DLP is complex to deploy.   If you don't have any kids, you probably don't need Sophos MDM either.  You can use the free Apple Configurator 2 for Apple Devices.  Free MDMs may be available for Windows, Chrome, and Android devices.   If you're looking to upgrade or extend your Wi-Fi, I highly recommend Sophos Secure Wi-Fi APs as they integrate directly with your XG Firewall without the need for Sophos Central.  Your Sophos XG Firewall will serve as the Secure Wi-Fi controller.  Since the most dangerous issues with network security have to do with guest devices and your own devices leaving the network for long periods of time and reentering the network through WiFi, Secure Wifi gives you extra layers of protection and response automatically coordinated with your XG Firewall.   This prevents malware from bypassing your firewall and entering your network behind your firewall.

    Since most people have never heard about or used Sophos, many people will immediately balk and recommend other products. The truth is that Sophos is the OEM for most products that people will recommend to you.  Norton's BlueCoat is Sophos.  Cisco, Juniper, and IBM security are all Sophos.  FireEye products are made from Sophos. The security at Rackspace is Sophos.  TrustWave Products and Services as well as Ivanti's Heat Software are Sophos. There are very few big names in security that don't use a Sophos OEM.  Many people stare at me in utter disbelief when I tell them this, especially if they know that Sophos is from the UK.  They are still hesitant to try the products as its simplicity and speed seems like a home level product compared to the clunkiness to which they are accustomed.  But once they try it, they are usually impressed, even if they have a few remaining reservations.  I love installing Sophos Central and its related products for clients.  It never gets old hearing them tell me how their problems have been eliminated with an automated system they feel they can deploy without affecting users' devices and easily control however they wish.

    That leads me to:  Why are you using multiple brands of products? The days of not using the same company for everything due to fears of the same hole being replicated from product to product are long gone for Sophos.  Sophos developed its scanning engine and several of its OEM products for End Points.  Along the way, Sophos smartly acquired other great technologies, like Astaro firewall (UTM and XG Firewalls) and SurfRight CryptoGuard (Intercept X), and developed them from great products that filled the gaps into more amazing products that integrate and coordinate effectively.  I am not saying you can't use Kaspersky or BitDefender with your XG Firewall.  It's your network - I encourage you to experiment and figure out what works best for your needs.  If you do want to purchase End Point Protection to coordinate with your XG Firewall, then you will be asked to remove Kaspersky, BitDefender, and other antimalware.  If you leave Kaspersky or BitDefender in place, you may have problems diagnosing issues when things don't communicate. Is the issue in Kaspersky?  Is it in BitDefender?  Is it in Sophos?  Is it in all?  You will also suffer from slowdown due to loss of system resources.

    That's It.

    David

  • Thanks for your detailed reply, I only just got around to reading it all. I will re-read for sure.

    On some levels you sound like a Sophos rep! ;)

    To answer you about why using Bitdefender? Mostly because I am used to it, I have a lot of it set up how I like it, and I have a license that still has another year on it. I also think it's a great product, and yes there is some element of thinking that Bitdefender scanning will cover what XG might miss.

    Also it's quite a big deal for me learning XG alone. So to expand my network and include more products, is quite a task. For now I'm happy learning how to implement the XG at home. But I would like to know what issues/conflicts there might be, and other ways I can improve the network over time. I have had a lot of false positives already... so I'm just getting to grips with things.

    Also I have just realised that the virus scanner doesn't work if I'm running my VPN client software, which makes perfect sense. But it's a shame and I thought I might be able to setup openvpn or something.

    So I may end up using XG in bridge mode and setup some kind of dual gateway. The possibilities are endless, so for now just trying to get stable and will take time to consider what is next and what is best.

  • Mike,

    Mike G said:
     Thanks for your detailed reply, I only just got around to reading it all. I will re-read for sure.  On some levels you sound like a Sophos rep! ;) 

    You're welcome.  I'm not a Sophos rep; though they are continually asking me to be.  I've been using Sophos for a long time, even when I was a fan of other brands/products.  I have never had any big issues with Sophos.  I've had very few small issues too.  If I had a problem, it was usually failure to follow directions or finding something modified to operate outside of industry standards.  For me, Sophos products have always been extremely effective, reliable, and simple to use without ever becoming a resource hog.  Sophos never asks my clients or employees what to do when encountering a problem.  It makes the right decision automatically, every time.

    Mike G said:
    To answer you about why using Bitdefender? Mostly because I am used to it, I have a lot of it set up how I like it, and I have a license that still has another year on it. I also think it's a great product, and yes there is some element of thinking that Bitdefender scanning will cover what XG might miss.

    Also it's quite a big deal for me learning XG alone. So to expand my network and include more products, is quite a task. For now I'm happy learning how to implement the XG at home. But I would like to know what issues/conflicts there might be, and other ways I can improve the network over time. I have had a lot of false positives already... so I'm just getting to grips with things.

    If you feel BitDefender meets your needs, use up the license.  You can use your BitDefender firewall as an extra layer on your endpoints behind your XG Firewall. This is especially important if any of those endpoints leave your network and go to other networks.

    You're going about learning and testing the way I do.  I want to know where failures and issues will be, and how difficult it will be to handle them.  The problem is that you're comparing product to product; in this case, firewall to firewall.  All you're doing is choosing which security holes and shortcomings you want to deploy from this product or from that one.  You're also improperly comparing a firewall appliance for a network against a software firewall on an endpoint that may move to other networks with unknown security.  You should be comparing the XG Firewall against the firewall at the head of your network which is in or near your gateway or router.  Regardless, it's not wise to do this anymore unless you're only considering swapping one product for another.  You should compare combinations of products.  For example, I have recently been comparing Sophos XG Firewall, Intercept X, and Endpoint Protection against any brand of firewall, Darktrace Immune System, & Darktrace Antigena.  Both do the job effectively.  Both wow the clients.  The difference is that Sophos also integrates the firewall with the machine learning and the automated response system.  Darktrace does not have a firewall and expects you to manage your own prevention.

    Make a list of needs and problems you have.  Figure out a combination of products that will fix that list.  Test and evaluate that solution in its ability to maintain security on your network across many different situations, configurations, settings, changes, and failures.  Then, compare that complete solution against other complete solutions based on the same list and lessons learned in your test.  A solution can be a suite from one company.  A solution can be a series of products assembled from different providers. The advantage of using one company is that some of the products may integrate and allow more complex capabilities and features.  You also have one number to call to get all the experts together as in "one throat to choke".  This is why Fortinet, Palo Alto, Sophos, and Darktrace are brands you will find or often hear recommended in small to medium business and in large estates where multiple family members are conducting many types of private and enterprise business.

    Mike G said:
    Also I have just realised that the virus scanner doesn't work if I'm running my VPN client software, which makes perfect sense. But it's a shame and I thought I might be able to setup openvpn or something.

    You have discovered one of the reasons why you must evaluate security in groups of products.  Until now, single solutions solved one problem but created ways for other threats to get around that solution.  The most common example is that the use of encryption (by Google, Facebook, Apple, Yahoo, AT&T, Verizon, Sprint, T-Mobile, Amazon, Wikipedia, online banking, online shopping, and everyone else) has allowed threats to easily travel unimpeded past firewalls, through networks, to end points.  By default firewalls don't decrypt and scan your emails as your email client downloads from the email server.  This is why you still get malware infected spam in your inbox even though you may be using a firewall appliance on the network and a software firewall on your endpoint.   Your endpoint protection is usually the first thing that finds and reacts to issues on your network.  You can turn on decrypt and scan on your XG Firewall, but you also must do a lot of work with certificates and settings before you can effectively scan your VPN traffic.   This is difficult and complicated even for experts.

    What if a threat gets in past your current security.  Well, the damage isn't done.  The malicious code must execute and corrupt files, encrypt files, send files out, or change settings before it can hurt you.  If the malware just sits there inactive, it's harmless. This is the philosophy behind Minerva.  Minerva makes malware feel it is surrounded by software trying to find and destroy it, so malware remains inside its cocoon.   *Minerva claims this is effective against malware you can't see or detect, but how does one ensure that is true?

    What if the malware goes active on an end point?  Sophos EPP will prevent the malware from communicating out to the network and internet and infecting the rest of the network.  Sophos EPP on other endpoints will be directed to look for the same issue/file/activity seen on the infected device and clean it up or mitigate it.  If the issue can't be stopped, XG Firewall will ensure the infected endpoints and all other affected endpoints can't communicate across the network or to the internet until EPP or you can mitigate the issues.  Intercept X will continue to watch the network for bad traffic and malicious activity as it goes back through network history to find out how the malware got in.  Once the origin is determined, Intercept X will notify the EPP on the endpoint to deal with the malware. If the malware came in through an endpoint that is inaccessible by Sophos or is no longer on the network, you will be notified with the information.  If that endpoint or malware shows up on any other network protected by Sophos Central suite, that network will be notified of the issue.

    Mike G said:
    So I may end up using XG in bridge mode and setup some kind of dual gateway. The possibilities are endless, so for now just trying to get stable and will take time to consider what is next and what is best.

    You can't do dual gateway in Bridge mode.  The XG Firewall is made for use with dual gateways in Gateway mode; however, the best thing to do is to use two XG Firewalls in Gateway mode.   Assign one XG Firewall to each gateway.  Both firewalls will coordinate to work together in parallel, so that if one gateway or firewall fails, the other gateway and firewall continue.  If you want more redundancy, you can cross-wire both gateways to both firewalls in fabric form, so that losing any one gateway and any one firewall still doesn't hurt you.
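Two points in the thread deserve a concrete check: Mike's attempt to confirm that the XG scanner, rather than BitDefender on the desktop, caught his test download, and David's remark that encrypted traffic (HTTPS, VPN) passes a firewall unscanned unless decrypt-and-scan is configured. The script below is an added example written for this page, not code from the thread or from Sophos. It downloads the standard EICAR test file over plain HTTP and over HTTPS and reports, per scheme, whether the gateway replaced the transfer (the file never reaches the client), whether the file arrived but the resident endpoint AV removed it from disk, or whether nothing intercepted it. The EICAR URLs are assumptions (check eicar.org for the current locations), and the "block page" heuristic is generic rather than Sophos-specific; writing the test file to disk is intended to trigger the endpoint AV, so run it on a test machine.

```python
"""Which layer intercepts a test download: the gateway, the endpoint AV, or nothing?

Added example for this thread, not Sophos code.  Fetches the EICAR test file
over HTTP (inspectable by a gateway scanner) and HTTPS (opaque to it unless
TLS decryption is on) and classifies each outcome.
"""
import os
import time
import urllib.error
import urllib.request

# Substring of the 68-byte EICAR test file; enough to recognise it without
# embedding the full signature in this script.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

# Assumed download locations; verify against eicar.org before relying on them.
TEST_URLS = {
    "http": "http://www.eicar.org/download/eicar.com.txt",
    "https": "https://secure.eicar.org/eicar.com.txt",
}


def classify_response(status, body):
    """Classify what the client received for the download request.

    'reached_client'  - 200 and the marker is present: nothing on the path
                        replaced the file (the gateway did not scan it).
    'blocked_on_path' - any other HTTP reply (403, or a 200 carrying an HTML
                        block page): something between client and server,
                        typically the gateway scanner, substituted the content.
    'no_response'     - no HTTP reply at all (status 0): connection dropped
                        or reset, which a firewall may also do.
    """
    if status == 0:
        return "no_response"
    if status == 200 and EICAR_MARKER in body:
        return "reached_client"
    return "blocked_on_path"


def classify_disk(path, wait_seconds=5.0):
    """After the file is written, see whether resident endpoint AV removes it."""
    time.sleep(wait_seconds)
    return "still_on_disk" if os.path.exists(path) else "endpoint_av_quarantined"


def fetch(url, timeout=10):
    """Return (status, body); a transport failure is reported as status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # A block page usually arrives as an HTTP error with an HTML body.
        return err.code, err.read()
    except (urllib.error.URLError, OSError):
        return 0, b""


def run_check(scheme, url, out_dir="."):
    """Fetch one URL and return a dict describing which layer intervened."""
    status, body = fetch(url)
    verdict = classify_response(status, body)
    if verdict != "reached_client":
        return {"scheme": scheme, "status": status, "verdict": verdict}
    # The file passed the gateway; now give the endpoint AV a chance at it.
    path = os.path.join(out_dir, f"eicar-{scheme}.txt")
    with open(path, "wb") as fh:
        fh.write(body)
    return {"scheme": scheme, "status": status, "verdict": classify_disk(path)}


if __name__ == "__main__":
    for scheme, url in TEST_URLS.items():
        print(run_check(scheme, url))
```

Read the two results together: "blocked_on_path" on http but "reached_client"/"endpoint_av_quarantined" on https is exactly the situation David describes, where the gateway engine is working but only sees traffic it can read. If both schemes come back "reached_client" and the file survives on disk, neither layer acted and the gateway's scanning rule or the web filter needs troubleshooting before blaming the endpoint product.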