Sophos Firewall on AWS: Overview and FAQ

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Also check out: XG Firewall on AWS: How to Deploy

Special thanks to !


Sophos Firewall on AWS Overview

The Sophos Next Generation Firewall for AWS brings innovative architecture and security services to customers who wish to add additional layers of security to help protect their AWS VPCs. Sophos Firewall on AWS is based on the new v18 Sophos Firewall Operating System, which integrates multiple leading security technologies into a single solution, reducing costs and simplifying your security architecture. Sophos Firewall is provided as a virtualized security appliance that runs on an Amazon EC2 instance and deploys inline into an Amazon Virtual Private Cloud (VPC) to scan traffic entering and/or leaving it.

Do I need security solutions beyond what AWS provides?

AWS espouses a shared responsibility model, so it is important to understand the difference between security measures AWS implements and manages, versus security measures that you must implement and manage. In a nutshell, while AWS actively manages the security of their cloud, you retain responsibility for managing and maintaining the security of your applications and data in the AWS cloud. You can learn more by visiting the AWS Shared Responsibility page.

Why use a third-party security solution when I can use AWS Security Groups and/or Network Access Control Lists to protect my AWS workloads?

AWS Security Groups and Network Access Control Lists act as local firewalls for your hosts and VPC subnets. As basic firewalls, they do not perform deep packet inspection to identify malware or intrusion attempts, and they do not provide the granular control needed to properly protect user or application traffic. Sophos Firewall augments these local firewall services with additional security features such as IPS, Web Filtering, Web Application Firewall, VPN gateway, and Sophos Synchronized Security.

What is Sophos Synchronized Security?

The AWS Shared Responsibility Model highlights the recommendation to secure not only the perimeter of your AWS Virtual Private Cloud (VPC), but also to protect your AWS EC2 instances with a host-based security solution to guard against potential malicious activity. Sophos Synchronized Security addresses this key Shared Responsibility with an integrated security approach. When deploying Sophos Intercept X Advanced security agents together with Sophos Firewall, you have a solution that guards against a compromised system becoming the entryway for further malicious activity. Sophos Firewall will prevent a compromised AWS EC2 instance running Sophos Intercept X Advanced from communicating with other AWS EC2 instances or sending traffic to the internet.

How is Sophos Firewall on AWS different than the Sophos Firewall that can be run on-premises or in local Virtual environments?

Sophos Firewall on AWS offers the same features and benefits as Sophos Firewall running on-premises, but has been optimized to deploy and run easily in the AWS cloud. Sophos Firewall on AWS now supports High Availability. Sophos Firewall on AWS also supports additional purchasing options, as described below.

Sophos Firewall on AWS Licensing Options

Sophos Firewall on AWS is available via the AWS Marketplace and can be purchased using standard channels or directly from the AWS Marketplace. Software licenses purchased from a Sophos reseller and used in AWS are referred to as Bring Your Own License (BYOL). When Sophos Firewall is purchased directly from the AWS Marketplace, it is referred to as Pay As You Go (PAYG).

BYOL

Customers who wish to purchase and use traditional term software licenses may do so through the Sophos partner network. Sophos Firewall software licenses offer a variety of bundle, subscription, and support options, as described in the Sophos Firewall licensing guide.

Customers bringing their own Sophos Firewall license for use in AWS do not pay AWS Marketplace software charges but are still billed by AWS for the EC2 Instance used to run the Sophos Firewall software. Please see the Sophos Firewall on AWS BYOL listing page for more details. Sophos Firewall software licenses are provided in a variety of CPU/RAM combinations which can then be mapped to a supported EC2 Instance as shown below.

Supported EC2 Instance Types

EC2 Instance Type   CPU/RAM                  Network Throughput            Suggested Sophos License
t2.medium           2 vCPU, 4 GB memory      Low to Moderate               SFv2C4
m3.large            2 vCPU, 7 GB memory      Moderate                      SFv2C4
m3.xlarge           4 vCPU, 15 GB memory     High                          SFv4C6
m3.2xlarge          8 vCPU, 30 GB memory     High                          SFv8C16
m4.large            2 vCPU, 8 GB memory      Moderate                      SFv2C4
m4.xlarge           4 vCPU, 16 GB memory     High                          SFv4C6
m4.2xlarge          8 vCPU, 32 GB memory     High                          SFv8C16
c3.xlarge           4 vCPU, 7.5 GB memory    Moderate                      SFv4C6
c3.2xlarge          8 vCPU, 15 GB memory     High                          SFv8C16
c3.4xlarge          16 vCPU, 30 GB memory    High                          SFv16C24
c3.8xlarge          32 vCPU, 60 GB memory    Very High (10 Gig Ethernet)   SFvUNL
c4.large            2 vCPU, 3.75 GB memory   Moderate                      SFv2C4
c4.xlarge           4 vCPU, 7.5 GB memory    High                          SFv4C6
c4.2xlarge          8 vCPU, 15 GB memory     High                          SFv8C16
c4.4xlarge          16 vCPU, 30 GB memory    High                          SFv16C24
c4.8xlarge          36 vCPU, 60 GB memory    Very High (10 Gig Ethernet)   SFvUNL

PAYG

Customers who do not wish to purchase a traditional term license, or who want to purchase directly from AWS, can use the Pay As You Go (PAYG) licensing option. This method provides all Sophos Firewall functionality (FullGuard) for an additional hourly software charge, which is added to the cost of the EC2 instance used to run Sophos Firewall. Customers using this option will see this additional charge on their monthly AWS bill and can stop the charges at any time by removing all Sophos Firewall instances from their AWS account. Sophos also supports the AWS Private Offers program, which allows customers and partners to negotiate custom pricing and terms. Please contact your Sophos sales rep for more information.

Are Sophos Firewall free trials available for AWS?

Yes, both the PAYG and BYOL licensing options allow for Sophos Firewall free trials. PAYG trials are provided directly from the AWS Marketplace and are available for 30 days. After the first month, AWS will automatically start charging customers for any Sophos Firewall PAYG usage incurred. BYOL customers have the option of either obtaining a trial license from the Sophos free trial link or starting a trial during their initial configuration.

Can I migrate my Sophos UTM license to the Sophos Firewall?

Yes, Sophos UTM production licenses can be converted to a Sophos Firewall license as detailed in this KB: https://community.sophos.com/kb/en-us/124588

Can I use an existing Sophos Firewall license for a new Sophos Firewall on AWS?

Sophos Firewall license transfers are only supported under certain circumstances as described in the License transfer knowledge base article.

Are there any prerequisites to deploy the Sophos Firewall on AWS?

Yes. For both BYOL and PAYG Sophos Firewall on AWS deployments, the first step is to accept the AWS Marketplace software terms and subscribe to the software. This is done via the Sophos Firewall on AWS listing pages.



Updated Disclaimer
[edited by: Erick Jan at 9:01 AM (GMT -7) on 17 Apr 2023]