Fortinet Announces New Secure SD-WAN Appliance for Large & Complex WAN Deployments

FortiGate 200F Delivers Faster ROI Benefits and High Security Compute Ratings, Expands F-series Product Portfolio Powered by Purpose-built SD-WAN ASIC

“Change is the only constant in life.” – Heraclitus, Greek philosopher 

If anything, 2020 has been a year of change. Over the last 9 months, I have had the opportunity to interact with hundreds of customers, and “change” was the common thread connecting them all. Every organization, irrespective of its business vertical or segment, is undergoing a transformational change, whether it’s an evolving business model, having to adapt to a largely remote workforce, or new IT initiatives with the WAN Edge at the center. At Fortinet, we do not resist change; we embrace it to solve the unmet and unarticulated needs of our customers.

Expanding the Fortinet Secure SD-WAN F-series Product Portfolio 

Fortinet’s SD-WAN journey began years ago, led with a security-driven networking approach that enabled us to deliver the industry’s first Secure SD-WAN solution. We have continued to innovate since then, delivering the industry’s first purpose-built processor designed to accelerate SD-WAN functionality without compromising on security performance, and offering a fully self-healing SD-WAN solution combined with centralized orchestration to meet the diverse needs of global customers. We’ve had tremendous success with our FortiGate F-series product portfolio, which is powered by a purpose-built SD-WAN processor. Over the years, we have continued to expand the F-series portfolio to meet changing customer requirements and deployment needs at every edge with multiple variants from built-in LTE, wireless, POE and most recently built-in bypass to deliver reliable connectivity during planned or unplanned outages. 

The FortiGate 200F – The Newest Addition to the FortiGate F-series Portfolio 

Today, we are excited to launch the FortiGate 200F, powered by Fortinet’s purpose-built SD-WAN processor in a 1RU form factor with 10GE-interface support to expand the fast-growing FortiGate F-series product portfolio. The FortiGate 200F series continues to leverage our successful security-driven networking approach to deliver a simple, scalable, and flexible Secure SD-WAN solution that customers can deploy across the home, branch, campus and multi-cloud to achieve faster ROI benefits. The FortiGate 200F is ideal for large complex SD-WAN deployments to meet high performance and scalability requirements for mid-size to large enterprises deploying at the campus or enterprise branch level. 

If you are wondering if the FortiGate 200F meets the high-performance needs for your large global WAN deployment, the answer is most likely “yes!” FortiGate 200F delivers high Security Compute Ratings, a benchmark that compares the performance of Fortinet’s purpose-built ASIC-based product portfolio to other SD-WAN and NGFW vendors in that same price range that utilize generic CPUs for networking and security capabilities. The FortiGate 200F powered by a purpose-built SD-WAN processor enables the following Security Compute Ratings:

We believe that this new product addition will help further accelerate our Secure SD-WAN momentum and help our customers achieve digital transformation at all edges.

Learn more about the FortiGate 200F and all Fortinet Secure SD-WAN appliances.

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.

As Fortinet partners, Net Universe offers all Fortinet devices and subscriptions with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/fortinet.
You can visit our Shop Online

Improve your company’s cyber security training with top tips from a behavioral researcher

Today marks the final stretch of National Cyber Security Awareness Month (NCSAM), and for the final week, we decided to sit down with Sal Aurigemma, PhD, Associate Professor of Computer Information Systems at the University of Tulsa, to get his take on enterprise security training. 

Like many other things, enterprise security training has been impacted by COVID. Many organizations are heavily reliant on training and preparedness programs at the moment to help employees navigate the adoption of new technologies and processes, as well as to mitigate threats from the rising number of phishing and man-in-the-middle attacks. But just how effective are these programs, and are they actually influencing user behavior? We’ll find out.

Dr. Aurigemma has more than 20 years of experience in the information technology industry as both an educator and behavioral researcher. Dozens of students come through Dr. Aurigemma’s undergraduate and masters programs each year to learn about proper cyber security hygiene using tools like the YubiKey, and he’s explored topics related to security policy compliance and end-user security practices in his research over the years. 

What is the biggest problem you see with employee training programs today?

Perhaps the most frustrating problem I see in the organizations I have worked for, and those I work with today, is a pervasive “check-box” approach to information security awareness training. By this I mean one of two things, and often both:  

1) It is still somewhat treated as a one-and-done compliance checklist that is completed on an annual or quarterly basis. With the possible exception of anti-phishing testing where organizations use tools and services to run their own phishing campaigns, there is little to no reinforcement of the reason behind why it’s important to safeguard the organization. 

2) A one-size-fits-all training doesn’t work. We know that we have certain sectors of our workforce that are more likely to be targeted by potential adversaries. Yet, in many cases, the training given across the workforce is largely the same, even though the threat and techniques can vary based upon the target. 

What are three things organizations can do to improve the efficacy of their cyber security training programs?

My number one recommendation is the hardest to achieve – make sure that your infosec awareness training is properly resourced. This means that you have enough people running the program and those people are properly trained to create and administer effective training programs. If your organization treats security training as a collateral duty, do not be surprised when it fails to meet expectations.

Secondly, ditch the one-size-fits-all approach, at least when it comes to security training and attention. We know certain groups of employees are targeted more often than others, or targeted in different ways, so we need to prepare them accordingly. For example, senior executives, IT system administrators, and HR team members are the top three target populations, and they are typically targeted using different techniques. Their training should reflect that. The same goes for different employee demographics — the lessons or examples that are most impactful for one group of employees may be very different for others.  

Finally, I would recommend that every organization develop a set of training outcome metrics and then use them to continually assess and improve its training programs. This can be challenging, but it is worth the effort. If you have certain employees or employee groups that keep “failing” some aspect of your training, that is a sign that your training and/or security mitigations are not sufficient. But you won’t know that unless you measure and monitor.

How do you foresee the influx of remote work, spurred by COVID, impacting the approach to cyber security training? How should organizations adjust and what should they consider that maybe they haven’t before? 

My primary fear is that the increase in remote work will further distance employees from the security training staff and the messages they bring. What we don’t want is more “watch this video to complete your training” requirements that replace impactful interactions with the organization’s security staff (whether face-to-face or virtual). 

Given that the work-from-home movement is here for a while, or possibly here to stay for some organizations, it is somewhat critical to do a complete review of your security training needs and develop a plan to adjust accordingly. For example, does your current security training plan account for the significantly greater emphasis on remote connectivity and interactions, and the increasing threats — like phishing and man-in-the-middle attacks — that come with that? Do your employees understand which threats are now more prevalent or dangerous than before because of the extension of the workplace to their home office network? 

In an ideal world, this shift to remote work would be the catalyst organizations need to embrace a more tailored security awareness training approach that accounts for an employee’s job role, location, access, experience level, and other demographic characteristics. If and when we return to a more normal workplace life, we will be better positioned to continue to adapt and improve our security awareness programs.

Not all employees will follow through with best practices, even with a perfect training program. What are the primary factors that inhibit users from adopting new security technologies or practices?

A significant portion of my research activities is focused on better understanding inhibitors and facilitators of sound security behaviors, and if I had to narrow it down to three potential reasons why people do not take security actions, even when they know they should, I would say it is due to:

1) Threat apathy 

2) Response efficacy

3) Inconvenience

Threat apathy occurs when individuals do not pay attention to security because they do not consider the recommended or required security action (and its related threat) to be important. It could be because they don’t feel important enough to be a target of cybercriminals, or that they believe their online accounts aren’t worth stealing. Overcoming threat apathy requires the use of convincing and compelling security messaging that explains why the action is important, on a personal and organizational level, and the potential consequences of failure.  

Response efficacy is an academic way of saying that people may not know enough about, or have confidence in, a particular recommended security action. A great example of this is two-factor authentication (2FA). It is not a secret that we should use 2FA wherever and whenever we can. However, most people don’t know the differences between the various types of 2FA mechanisms, which ones are more secure than others, or how they work. Security training programs should not just articulate the threat and required security actions; they must also make it clear that the requested actions are sufficient to the task and, to some extent, explain how.  

Inconvenience is a real factor that influences our security behaviors.  As humans, we are constantly calculating the costs and benefits of doing things and we generally know what happens when the costs outweigh the benefits. Enterprises have to design and implement security mitigations with this in mind and work to balance maximizing the security benefit while minimizing or eliminating the inconvenience factor. If we don’t design security mitigations with the end-user in mind, the end-user may find ways to avoid or diminish the effectiveness of those mitigations.

On the contrary, what have you observed to be primary motivators for adopting new security technologies or practices?  

One of the latest research trends in behavioral information security that I feel strongly about is a shift from sanction or threat-based compliance to one that adds positive reinforcement and messaging. By this I mean that many security policies and training programs are focused on “compliance-or-else” messaging. In short, employees have something to fear if they don’t follow the rules. Fear-uncertainty-doubt (FUD) is used too much in the cyber security literature and it also lives in our training programs. 

While I do believe that there needs to be some actual consequences for willful and malicious non-compliance with security rules, we also know that fear alone is not a good enough motivator. We see that in many aspects of modern society, not just in cyber security. My fellow researchers and I have conducted numerous experiments that show that building up and emphasizing the positive psychological capabilities of end-users to combat a security threat is significantly more effective than relying on fear and promises of reprisal alone. We have found that end-users are much more likely to adopt new security technologies and practices when they feel: 

1) More capable of taking security actions and working through issues related to the required tasks 

2) More hopeful that their actions are effective

3) More optimistic about their resulting security posture

It’s impossible to eliminate the element of human error, especially when it comes to protection against sophisticated phishing or man-in-the-middle attacks, so what other steps should organizations be taking — outside of training — to ensure they have a comprehensive approach to security?

In my opinion, the best way to minimize the effect of human error (or conscious rebellion) on security practices is to reduce the opportunities to make bad decisions.  This means designing your security mitigations in a way that reduces the cognitive load and choices your end-users have to make.  

A perfect example of this is having your employees use YubiKeys for 2FA or passwordless login. At a time when phishing attacks are virtually undetectable — even to the most well-trained eye — this is exactly the type of technology that you should be using to support your training initiatives. But make sure that the burden of configuring the YubiKeys does not fall all on the end-user and make sure that you are using the right form factor for the employee’s electronic devices.  

Likewise, you don’t want your employees or end-users choosing passwords that are weak or previously compromised. But, don’t put the onus on the end-user to know what that means – do it for them when you are registering accounts or during password changes. Offloading as many volitional security activities as possible from your end-users and limiting the opportunities to deviate from strong security practices should be primary considerations for every security activity.  
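The registration-time check Dr. Aurigemma describes, as an added example that is not from the interview or from Yubico: the candidate password is hashed with SHA-1 and only the first five hex characters are used to look up a range of breached-hash suffixes, the k-anonymity pattern used by public breach-check services, so the user never has to know what “compromised” means and the full hash never leaves the client. The breach corpus below is a constructed stand-in and lookup_range is a hypothetical local replacement for such a service.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (not real breach data):
# a handful of passwords that appear in essentially every leak.
_BREACHED_SAMPLES = ["password", "123456", "qwerty", "letmein", "Password1"]


def _sha1_hex(password):
    """SHA-1 hex digest, upper-cased, which is how range services key their data."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Group breached hashes by their first five hex characters.

    This mirrors what a k-anonymity range service holds: for a given prefix it
    returns every known suffix, so the client never has to send the full hash.
    """
    index = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


RANGE_INDEX = build_range_index(_BREACHED_SAMPLES)


def lookup_range(prefix):
    """Hypothetical local stand-in for a range query over the network."""
    return RANGE_INDEX.get(prefix.upper(), [])


def is_breached(password):
    """True if the password's hash suffix is found in the range for its prefix."""
    digest = _sha1_hex(password)
    return digest[5:] in lookup_range(digest[:5])


def password_problems(candidate, min_length=12):
    """Return the reasons a candidate password should be rejected at registration
    or password change; an empty list means it passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(candidate):
        problems.append("found in a known breach corpus")
    return problems


if __name__ == "__main__":
    for pw in ("Password1", "orchard-lamp-kettle-37"):
        print(pw, "->", password_problems(pw) or "accepted")
```

In production the range index would be replaced by a call to a breach-check service with the same prefix/suffix contract, and the rejection reasons shown to the user rather than left for them to work out.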

Learn more about how the YubiKey can complement your organization’s cyber security training endeavors with a fool-proof 2FA solution proven to eliminate account takeovers from phishing and man-in-the-middle attacks. 

Net Universe offers all Yubikeys with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/yubikey.
You can visit our Shop Online

 

LockBit uses automated attack tools to identify tasty targets – Sophos News

Earlier this year, we analyzed the inner workings of LockBit, a ransomware family that emerged a year ago and quickly became another player in the targeted extortion business alongside Maze and REvil. LockBit has been quickly maturing, as we observed in April, using some novel ways to escalate privileges by bypassing Windows User Account Control (UAC).

A series of recent attacks detected by Sophos provided us with the opportunity to dive deeper into LockBit’s tools, techniques and practices. The actors behind the ransomware use a number of methods to evade detection: calling scripts from a remote Google document, using PowerShell in a way that may foil some efforts at monitoring and logging to establish a persistent backdoor—by using renamed copies of PowerShell.exe. The attack scripts also attempt to bypass Windows 10’s built-in anti-malware interface, directly applying patches to it in memory. Internally, we’ve referred to this style of LockBit attack as “PSRename.”

Based on some artifacts, we believe that some components of the attack were based on PowerShell Empire, the PowerShell-based penetration testing post-exploitation tool. Using a series of heavily obfuscated scripts controlled by a remote backend, the PowerShell scripts collect valuable intelligence about targeted networks before unleashing the LockBit ransomware, checking for signs of malware protection, firewalls and forensic sandboxes as well as very specific types of business software—particularly, point-of-sale systems and tax accounting software. The series of attack scripts only deploys ransomware if the fingerprint of the target matches attractive targets.

Aside from the initial point of compromise and registry key entries, these attacks left little in the way of a file footprint for forensic analysis. The ransomware was pulled down by scripts and loaded directly into memory, and then executed. And the attackers did a thorough cleanup of logs and supporting files when the attack was executed.

These highly automated attacks were fast—once the ransomware attack was launched in earnest, LockBit ransomware was executed across the targeted network within 5 minutes, leveraging Windows administrative tools.

Layers of obfuscation

The organizations hit in the eight attacks we analyzed were smaller organizations with only partial malware protection deployed. None of them had public Internet facing systems on their networks, though one had an older firewall with ports open for remote administration by HTTP and HTTPS.

It’s not clear what the initial compromise was across these organizations, as we had no visibility into that event. But it appears that all of the activity in the attack we analyzed here was initiated from a single compromised server within the network, used as the “mothership” for the LockBit attack.

While analyzing one of the attacks, we found traces of a number of PowerShell scripts that were launched against systems that had malware protection in place. The scripts gave a clear picture of the degree of automation of the attack, and also demonstrated the lengths the LockBit operators had gone to make forensic analysis of their attacks as difficult as possible.

In the first stage of the attack, a PowerShell script connects to a Google Docs spreadsheet, retrieving a PowerShell script encoded in Base64 from the body of the spreadsheet.

[Screenshot: the code is hidden in cell B1 of this Google Sheets document.]

The script fetches the contents of cell B1 in the sheet and executes it. The retrieved script makes a copy of PowerShell in the system’s TMP folder, and executes Base64-encoded contents with that copy:

[Screenshot: the code concealed in the Google Sheets document’s cell, with Base64-encoded content.]
[Screenshot: the contents of the encoded section, decoded.]

Decoding the script reveals it uses a System.Net.ServicePointManager object to create a session connecting to hxxps://142[.]91.170.6, downloading yet another stream of encoded script. This much larger chunk of code contains a function that creates a persistent backdoor. Using a template, the function selects a new name and path to create copies of PowerShell.exe and the Microsoft Scripting Host mshta.exe, as well as fictional agent descriptions to make them look like other legitimate processes.  It also creates a Task Scheduler manifest file that uses the renamed executables, scheduling a VBscript command to be executed by the scripting host that invokes the backdoor with the renamed PowerShell executable:

We also found the LockBit attackers use another form of persistent backdoor, using an LNK file dropped into Windows’ startup commands folder. The LNK file launches Microsoft Scripting Host, to run a VBScript, which in turn executes a PowerShell script to read data stored in the link file itself encoded in Base64.
The extra LNK bytes decode to yet another encoded chunk of PowerShell, decoded below:

[Screenshot: PowerShell code stored at the end of the LNK file used by LockBit to create a persistent backdoor.]

The script connects to the remote server and pulls down the backdoor script as a stream, then executes the downloaded script with the command line interpreter.
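As an added example (not Sophos’ code), the following Python sketches how a defender might hunt for the two persistence tricks described above: a script host copied under a new name into a temp directory and launched with an encoded command, and a startup-folder shortcut with a Base64 payload appended to it. The event field names (Image, OriginalFileName, CommandLine) follow Sysmon conventions, the staging directories other than TMP are assumptions, and the sample records and shortcut bytes are constructed.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Script hosts the LockBit scripts copied under new names (from the article).
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe"}
# Staging directories: TMP is from the article, the other two are assumptions.
STAGING_DIRS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")
# PowerShell -e / -ec / -enc / -EncodedCommand followed by a long Base64 argument.
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}")
# A long run of Base64 text, which is what the tail of the LockBit LNK file looked like.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{120,}={0,2}")
# Shell Link header: HeaderSize 0x4C followed by the ShellLink CLSID, little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def flag_process(event):
    """Return the reasons a process-creation record resembles a renamed script host.

    `event` uses Sysmon-style keys (Image, OriginalFileName, CommandLine).
    OriginalFileName is read from the PE version resource, which copying the
    file under a new name does not change, so the copy still identifies itself.
    """
    reasons = []
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    original = event.get("OriginalFileName", "").lower()
    if original in SCRIPT_HOSTS:
        if name != original:
            reasons.append(f"{original} running under the name {name}")
        if any(d in image.lower() for d in STAGING_DIRS):
            reasons.append("script host launched from a temp directory")
    if ENCODED_CMD.search(event.get("CommandLine", "")):
        reasons.append("encoded command on the command line")
    return reasons


def scan_events(events):
    """Map the image path of every flagged record to its reasons; clean ones are omitted."""
    return {e["Image"]: r for e in events if (r := flag_process(e))}


def extract_lnk_payload(data):
    """Decode Base64 blobs appended to a .lnk file; [] if it is not a shortcut or is clean.

    A genuine shortcut is a small binary structure with no long Base64 runs, so
    any such run after the header is treated as appended script. PowerShell
    encoded commands are UTF-16LE, so that is tried first, then UTF-8.
    """
    if not data.startswith(LNK_MAGIC):
        return []
    payloads = []
    for match in B64_RUN.finditer(data):
        chunk = match.group(0)
        chunk += b"=" * (-len(chunk) % 4)  # repair padding lost at the regex boundary
        try:
            raw = base64.b64decode(chunk, validate=True)
        except binascii.Error:
            continue
        encoding = "utf-16le" if b"\x00" in raw and len(raw) % 2 == 0 else "utf-8"
        payloads.append(raw.decode(encoding, errors="replace"))
    return payloads


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\svchost32.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "svchost32.exe -nop -w hidden -enc " + "QQBB" * 20},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

SAMPLE_LNK_SCRIPT = "Write-Output 'constructed stand-in for the loader script'"


def build_sample_lnk():
    """Construct a stand-in .lnk: valid header, filler, then an appended UTF-16LE Base64 blob."""
    body = LNK_MAGIC + bytes(56) + b"C:\\Windows\\System32\\mshta.exe\x00"
    return body + base64.b64encode(SAMPLE_LNK_SCRIPT.encode("utf-16le"))


if __name__ == "__main__":
    for image, reasons in scan_events(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
    print(extract_lnk_payload(build_sample_lnk()))
```

Only the first constructed record is flagged; the legitimate PowerShell launch from System32 with a script file passes, which is the point of keying on OriginalFileName and the launch directory rather than on the image name alone.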

Empire building

The backdoor stub downloads more obfuscated code, establishing a proxy connection to the command and control server and creating a web request to pull down more PowerShell code. One of the modules downloaded is a collection of functions used to perform reconnaissance on the targeted system and to disable some of its anti-malware capabilities.

One of the functions in the module aims to disable Microsoft Windows’ Antimalware Scan Interface (AMSI) provider by changing its code in memory. The backdoor uses a script to load a Base64-encoded DLL into memory, and then executes a PowerShell code that invokes C# code calling the DLL’s methods to patch the copy of the AMSI library already in kernel memory. This code is repeated in another module discovered during our analysis:

[Screenshot: a portion of the script used by LockBit actors to attempt to “patch” AMSI.]

Another module downloaded by the backdoor checks for anti-malware software and artifacts that indicate it is running on a virtual machine, but also checks for software that may indicate the system is of greater value—using a regular expression to look for tax accounting and point-of-sale software, specific web browsers, and other software:

[Screenshot: VM detection function in the scripts downloaded by the LockBit backdoor.]
[Screenshot: code that searches the Windows registry for software that is interesting to the LockBit attackers.]

The regular expression is matched against entries in the local Windows registry, looking for the following keywords:

Keyword         Target
Opera           Opera browser
Firefox         Mozilla Firefox browser
Chrome          Google Chrome browser
Tax             Search for any tax-related software process
OLT             OLT Pro desktop tax software
LACERTE         Intuit Lacerte tax software for accountants
PROSERIES       Intuit ProSeries tax software
Point of Sale   Search for point-of-sale (retail) software
POS             Search for point-of-sale (retail) software
Virus           Search for anti-malware processes
Defender        Microsoft Windows Defender
Secury
Anti            Search for anti-malware processes
Comodo          Search for Comodo antivirus or firewall
Kasper          Kaspersky anti-malware software
Protect         Search for anti-malware processes
Firewall        Search for firewall processes

If and only if the fingerprint generated by these checks indicates the system is what the attackers are looking for, the C2 server sends back commands that execute additional code.

Wrecking crew

Depending on what responses come back from the C2, the backdoor can execute a number of tasks, designated by a numeric value. They include simply forcing a logoff, grabbing hash tables to apparently exfiltrate for password cracking, attempting to configure a VNC connection, and attempting to create an IPSEC VPN tunnel. These tasks are executed using variables and modules pushed down by the C2, obfuscating most of their functionality.

[Screenshot: instrumented backdoor script used by LockBit.]

In the attacks we analyzed, the PowerShell backdoor was used to launch the Windows Management Interface Provider Host (WmiPrvSE.exe). Firewall rules were configured to allow WMI commands to be passed to the system from a server—the initially compromised system—by creating a crafted Windows service.

And then, the attackers launched the ransomware via a WMI command, filelessly—without dropping a single file artifact on the disk of the targeted systems. In one case, the WMI commands used port 8530 to reach back to the initially compromised server—the port used for Windows Server Update Service. The server was running Internet Information Server but had never been fully configured to run WSUS. The .ASP file on the server contained a key which was loaded into memory and used to unlock additional operations by the dropper code and trigger the ransomware.

All of the targets were hit within five minutes over WMI. The server-side file used to distribute the ransomware, along with most of the event logs on the targeted systems and the server itself, were wiped in the course of the ransomware deployment. Sophos Intercept X stopped the attack on systems it was installed upon, but other systems did not fare as well.

A moving target

It’s not a surprise to see yet another ransomware operator using repurposed code from the offensive security tools world—we recently saw Ryuk using Cobalt Strike post-exploitation tools to great effect. PowerShell Empire is easily modified and extended, and the LockBit crew appears to have been able to build a whole set of obfuscated tools just by modifying existing Empire modules.

It’s also not a real surprise that ransomware actors would want to target AMSI, the interface used by many anti-malware tools (including Sophos’) to monitor potentially malicious processes running on Windows 10. By combining the use of native tools, logging evasion, and the blinding of AMSI, the LockBit gang has made it increasingly difficult to detect and defeat their attacks once they’ve established a foothold.

The only way to defend against these types of ransomware attackers is to have defense in depth and to have consistent implementation of malware protection across all assets. Not having a handle on what services are exposed on a network makes modeling for threats like these difficult. And if services are misconfigured, they can easily be leveraged by attackers for ill purpose.

Sophos detects these abuses of PowerShell and the LockBit ransomware. A list of IOCs for these attacks is posted on the Sophos GitHub here.

SophosLabs would like to acknowledge the contributions of Vikas Singh, Felix Weyne, Richard Cohen and Anand Ajjan to this report.

Net Universe offers all Sophos devices and subscriptions, as well as consultancy services, with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

New Enhancements to Central XG Firmware Updating – Release Notes & News – XG Firewall

We’re pleased to announce the addition of bulk firmware updating to Sophos Central firewall management! This feature is available today for all grouped firewalls and allows you to trigger immediate firmware updates in one action for any number of grouped firewalls that have firmware updates available. We’re also pleased to announce the arrival of scheduled firmware updates: for firewalls running XG v18 MR3 or newer, the time at which firmware updates are installed may be scheduled from Central.

What’s New and How to Use it:

  • Bulk Firmware Upgrades – On the Group menu, Firmware Upgrades may now be selected. This option brings up a list of firewalls with pending updates. You may select any or all of the firewalls, then, with “immediately” selected for the schedule, click Schedule Upgrade. All selected firewalls will begin upgrading shortly, and you will see a spinning gear icon once the upgrade has started.
  • Scheduled Firmware Upgrades – Requires firewalls to be running v18 MR3 or newer. When upgrading the firmware for a single firewall by clicking the upgrade icon, or when bulk updating firmware, you may now choose to install immediately or schedule the update for a future time and date. The schedule runs according to the firewall’s local time zone.


Fortinet Maintains Position as a Challenger in the 2020 Gartner Magic Quadrant for Web Application Firewalls

Fortinet has announced that it has maintained its position as a Challenger in the Gartner 2020 Magic Quadrant for Web Application Firewalls.

Organizations continue to rely on internet-facing web applications and APIs to achieve their digital innovation goals, and as a result, web application and API protection continues to grow in importance for businesses worldwide. Web applications support a wide range of critical line-of-business functions, including ecommerce, payroll, inventory management, learning management systems, and more. 

FortiWeb, Fortinet’s Web Application Firewall solution, was created to protect these business-critical web applications and APIs from cyber attacks targeting both known and unknown vulnerabilities, while also ensuring business continuity and productivity. FortiWeb leverages advanced machine learning (ML) techniques to customize protection of each application, saving organizations staff hours by cutting out the need for the time-consuming manual tuning required by other solutions. FortiWeb ML identifies anomalous behavior and determines whether it is malicious or benign, enabling security staff to rapidly address malicious activity. 

Customers can select the FortiWeb option that best fits their use case given its flexible deployment options. This includes hardware appliances, virtual machines, and containers that can be deployed in the data center, cloud environments, or the cloud native Security-as-a-Service (SaaS) solution FortiWeb Cloud, our WAF as a Service offering.

As customers increasingly deploy applications in multiple environments that include both private data centers and public clouds and continue to push application changes at an ever increasing pace, they face the challenge of implementing consistent application security across these diverse environments. To help those teams keep pace, our WAF-as-a-Service offering, FortiWeb Cloud, leverages public cloud infrastructure to deliver the same application and API protection as our physical and virtual appliances, but without the requirement to maintain and manage infrastructure. In fact, Fortinet uses this very service to protect our own website as well as for protecting critical departmental line-of-business web applications. 

Fortinet continues to invest in the innovative WAF capabilities that our customers require as they continue their digital transformation journeys, including these key enhancements from 2020: 

  • Deep learning capabilities that continuously model users’ behaviors to detect anomalies and block threats without creating the false positives that drive administrative overhead
  • Expanded options for deploying FortiWeb Cloud on AWS, Azure and Google Cloud

As a result of this continued innovation, Fortinet provides FortiWeb customers with advanced threat protection for web applications while ensuring business continuity and productivity. Read the full Gartner 2020 Magic Quadrant for Web Application Firewalls report to learn more about our placement in the Challengers quadrant.

Learn how Fortinet’s Dynamic Cloud Security solutions provide increased visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud. 

Gartner, Magic Quadrant for Web Application Firewalls, 19 October 2020, Jeremy D’Hoinne, Adam Hils, Rajpreet Kaur, John Watts

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Fortinet.

As Fortinet partners, Net Universe offers all Fortinet devices and subscriptions with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/fortinet.
You can visit our Shop Online

Internet security myth-busters: Debunking 3 common misconceptions about two-factor authentication

Net Universe offers all Yubikeys with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/yubikey.
You can visit our Shop Online

Sophos Connect v2 makes remote access VPN easy and fast – Sophos News

Working remotely and using VPN has become an important part of everyday life. With XG Firewall it’s extremely easy – and free!

XG Firewall is the only firewall to offer unlimited remote access SSL or IPSec VPN connections at no additional charge.

And we’ve significantly boosted SSL VPN capacity across our entire product range in XG Firewall v18 MR3 through several optimizations.

Our new Sophos Connect v2 remote access VPN client also adds new features that make remote access faster, better and easier.

What’s new in Sophos Connect v2

  • SSL VPN support for Windows
  • Bulk deployment of SSL VPN configurations (as with IPSec) via an enhanced provisioning file
    • Enhanced Duo token multi-factor authentication support
    • Auto-connect option for SSL
    • Option to execute a logon script when connecting
    • Remote gateway availability probing
  • Automatic failover to the next active firewall WAN link if one link fails
  • Automatic synchronization of the latest user policy if the SSL policy is updated on the firewall (when using the provisioning file to deploy) as well as a manual re-synchronization of the latest policy
  • File extension association for policy files – import a policy file into Sophos Connect just by double-clicking it in Windows Explorer, or opening the file attached in an email

XG Firewall v18 MR3 remote access enhancements:

  • Enhanced SSL VPN connection capacity across our entire firewall lineup. The capacity increase depends on your firewall model: desktop models can expect a modest increase, while rack mount units will see a 3-5x improvement in SSL VPN connection capacity.
  • Group support for IPSec VPN connections, which now enables group imports from AD/LDAP/etc. for easy setup of group access policy.

Making the most of Sophos Connect remote access

The first decision you will want to make is whether you wish to use SSL, IPSec, or both. Then set up your firewall to accept Sophos Connect VPN connections before deploying the client and connection configuration to your users.

SSL vs IPSec

With Sophos Connect v2 now supporting SSL (on Windows) and with the enhanced SSL VPN capacity available in XG Firewall v18 MR3, we strongly encourage everyone to consider using SSL to get the best experience and performance for your remote access users.

While macOS support for SSL remote access via Sophos Connect is expected soon, we recommend any organizations using macOS take advantage of the new OpenVPN macOS client in the interim.

XG Firewall setup

SSL VPN setup is very straightforward:

  1. Follow these initial setup instructions for creating an IP address range for your clients, user group, SSL access policy, and authentication.
  2. SSL VPN requires access to the XG Firewall User Portal. For optimal security, we strongly advise the use of multi-factor authentication. Set up two-factor authentication via Authentication > One-time password > Settings to ensure you’re only allowing MFA access to the user portal.
  3. Create a firewall rule that enables traffic from the VPN zone to access your LAN zone (or whatever zones are desired).

Deployment of the client is equally easy:

  1. Client installer: The client installer is available by navigating to VPN > Sophos Connect Client on your XG Firewall. Sophos Connect documentation is available here.
  2. Connection configuration: The SSL VPN connection configuration (OVPN) file is accessible via the user portal, but we strongly encourage the use of a provisioning file to automatically fetch the configuration from the portal. This requires a bit more up-front effort, but greatly simplifies the deployment process and enables changes to the policy without redeploying the configuration. Review the full instructions on how to create a provisioning file with samples.
  3. Group Policy Management: The best way to deploy the remote access client and provisioning file is via Microsoft Group Policy Management. You will need the files mentioned in the steps above and then follow these step-by-step instructions. You can also use any other software deployment tool you have available – even email.
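The following is an added example of the client-deployment steps above, written for this page and not code from Sophos or from the original post. It is a GPO computer-startup script that installs the Sophos Connect MSI silently and drops a provisioning file into the client's import folder, so the client fetches its SSL VPN configuration from the user portal rather than each user importing an OVPN file by hand. Everything it assumes is marked: the share path, the two hostnames and the file name are placeholders, and the import folder and the provisioning-file field names reflect the author's reading of the Sophos Connect provisioning-file documentation and must be checked against the current samples linked from the firewall before use.

```powershell
# Added example (not Sophos's own code): GPO computer-startup script that installs
# Sophos Connect silently and provisions the SSL VPN connection.
#
# Assumptions (not taken from the page; verify before use):
#   - The MSI downloaded from VPN > Sophos Connect Client is on a share readable by
#     computer accounts: \\files\software\SophosConnect.msi (placeholder).
#   - The import folder %ProgramData%\Sophos\Connect\import and the field names in
#     the provisioning file follow the author's reading of the Sophos Connect
#     documentation; compare them with the vendor's provisioning-file samples.
#   - vpn.example.com and intranet.example.com are placeholder hostnames.

$ErrorActionPreference = 'Stop'

$MsiPath   = '\\files\software\SophosConnect.msi'
$ImportDir = Join-Path $env:ProgramData 'Sophos\Connect\import'
$ProFile   = Join-Path $ImportDir 'corp-ssl-vpn.pro'
$LogFile   = Join-Path $env:ProgramData 'Sophos\Connect\deploy.log'

# One connection entry, written as a JSON array so more gateways can be added later.
# Security-relevant choices: otp = true makes the client prompt for the one-time
# password configured under Authentication > One-time password, and
# can_save_credentials = false keeps VPN passwords from being cached on the endpoint.
$Connections = @(
  [ordered]@{
    display_name              = 'Corporate SSL VPN'
    gateway                   = 'vpn.example.com'
    user_portal_port          = 443
    otp                       = $true
    auto_connect_host         = 'intranet.example.com'
    can_save_credentials      = $false
    check_remote_availability = $true
    run_logon_script          = $false
  }
)
$ProvisioningJson = ConvertTo-Json -InputObject $Connections -Depth 3

function Test-SophosConnectInstalled {
  # Check both uninstall hives so the test works for 32- and 64-bit registrations.
  $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
  [bool](Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like 'Sophos Connect*' })
}

function Install-SophosConnect {
  # Startup scripts run on every boot, so make the install idempotent.
  if (Test-SophosConnectInstalled) { return }
  $msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$LogFile`"")
  $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
  # 0 = success, 3010 = success but reboot required; anything else is a failure.
  if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($proc.ExitCode); see $LogFile"
  }
}

function Install-ProvisioningFile {
  New-Item -ItemType Directory -Path $ImportDir -Force | Out-Null
  # Rewrite only when the content changed, so the client re-imports on real policy
  # updates rather than on every reboot.
  $current = if (Test-Path $ProFile) { [IO.File]::ReadAllText($ProFile) } else { $null }
  if ($current -ne $ProvisioningJson) {
    [IO.File]::WriteAllText($ProFile, $ProvisioningJson)
  }
}

Install-SophosConnect
Install-ProvisioningFile
```

Link the script under Computer Configuration > Policies > Windows Settings > Scripts (Startup) in the GPO that targets the laptops, and keep the MSI and script on a share that only Domain Computers can read and only administrators can write, since whatever is there runs as SYSTEM on every machine in scope. Changes to the SSL policy on the firewall then reach clients through the provisioning file's automatic re-sync, without redeploying anything.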

Monitoring active usage:

You can monitor connected remote users from the XG Firewall Control Center…

And click to drill down to get the details…

Sophos Connect resources and helpful links

Net Universe offers all Sophos devices and subscriptions, as well as consulting services, with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Leveraging Security to Capture the 5G Business Market

Unlike previous mobile generations, 5G is touted as a game changer for both mobile network operators (MNOs) and enterprises in many verticals. 

For MNOs, 5G has the potential to deliver a whole new scope of enterprise-facing, value added services, generating new revenue streams and driving growth.

For medium to large enterprises in different industries and verticals, harnessing 5G technology and capabilities will further help to increase efficiency, automation, safety, sustainability and overall innovation.

This is the promise of 5G, and it raises some important questions: if 5G is to play such a central and critical role, what is the role of security in 5G’s adoption and penetration in the business market? Does 5G have an acceptable set of built-in security capabilities to safeguard itself, and the business customers it serves, from harm? Or is an additional layer of security required in order to capture the 5G business market?

At Fortinet, we strongly believe that although 5G delivers inherent security capabilities, these by themselves should not and cannot be considered the only line of defense against misuse of 5G infrastructure and services, cyber threats and risks. An additional layer of security visibility and control is required.

In order to get a larger view from MNOs and the overall 5G ecosystem partners, Fortinet commissioned TelecomTV, in association with ETSI and HardenStance, to perform a survey to better understand their view on the target business market for 5G and the role of 5G security in the industry’s ability to capture the 5G business market. The survey, concluded in May 2020, highlights the following:

  • Use cases tailored to unique vertical industries are key to the success of 5G in the business market.
  • Security plays a central role in 5G’s success, with almost 90% of respondents stating that an operator’s security capabilities are either critical or very important. 
  • Implementing 3GPP 5G security features is a key baseline requirement but additional security is required as enterprise 5G use cases will require more security capabilities. 
  • Mobile operators should offer a comprehensive, full-stack, end-to-end security with 5G enterprise use cases.

The survey demonstrates the central role security has to play in an MNO’s ability to successfully deliver 5G to the business market. To be able to deliver, MNOs and the overall 5G ecosystem must ensure that security capabilities that complement 3GPP’s 5G security recommendations are put in place to provide threat visibility, control and mitigation against a growing set of sophisticated cybersecurity risks, in areas such as:

  • Control and user plane security
  • IoT/OT misuse, signaling storm and bots
  • API exposure attacks in the SBA core and the multi-access edge compute (MEC) sites
  • Application-level security for the overall ecosystem and industry use cases’ applications
  • Security and NAT services for packet data networks connectivity    
  • Security for non-public mobile networks, also known as 5G private mobile networks

Fortinet is ideally positioned to provide end-to-end security for the 5G ecosystem and its use cases in the business market segment. Fortinet’s leading position in providing security for both small to very large enterprises and MNOs gives us a unique understanding of the security needs in industry use cases, and the ability to deliver the solutions and know-how to fulfill them.

FortiGate and FortiWeb provide a common security platform for both MNOs and businesses considering/using 5G in multiple industries and use cases. It enables the MNO to secure its 5G infrastructure and ensure service availability and continuity to its enterprise customers. It also provides the opportunity to deliver revenue-generating managed security services on top of 5G for enterprise use case consumption. And the same platforms can be implemented or co-managed by the enterprise customers when required – in securing 5G private mobile networks for example.

Read more about the Fortinet-commissioned study by TelecomTV about Leveraging Security to Capture the 5G Business Market.

Download the whitepaper to explore considerations and requirements for Securing 5G Private Mobile Networks.

Learn more from this survey in the infographic.

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.

Fortinet Ranks Highest in Two Key Use Cases in 2020 Gartner Critical Capabilities for WAN Edge Infrastructure Report

Digital innovation and increasing cloud application bandwidth demands have led network infrastructure and operations leaders to turn to SD-WAN as a de-facto solution for their WAN transformation and roadmap efforts. In a crowded SD-WAN market of over 80 vendors, it’s more critical than ever for organizations to be able to identify the right solution that best fits their specific use cases. The Gartner September 2020 Critical Capabilities for WAN Edge Infrastructure report offers essential research that we believe helps organizations to differentiate between vendors based on their deployment, operational flexibility, and application performance requirements. 

The Gartner Magic Quadrant and Critical Capabilities Reports

Gartner’s well-known annual Magic Quadrant reports recognize vendors in a variety of key technical markets based on key factors, like their ability to execute and the completeness of their vision. However, there are additional Gartner reports that may provide further insight for those organizations looking to select and deploy a solution that best suits their specific use case. Gartner’s “Critical Capabilities” reports use proprietary methodologies to score organizations in critical subcategories within each Magic Quadrant area based on more granular criteria. These reports extend the value of the more general Magic Quadrant recognitions by providing deeper insight into providers’ product and service offerings for key market segments.

Fortinet Scores Highest in “Security-Sensitive WAN” (4.26/5) and “Small Footprint Retail WAN” (4.14/5) Use Cases and Scored Third Highest in the “Large Global WAN” (4.09/5) Use Case in Gartner 2020 Critical Capabilities for WAN Edge Infrastructure Report

This September, Fortinet was identified as a Leader in the Gartner 2020 Magic Quadrant for WAN Edge Infrastructure. But just as importantly, Fortinet also received the highest scores in two use cases in the Gartner September 2020 “Critical Capabilities for WAN Edge Infrastructure” report. In that analysis, Fortinet’s SD-WAN solution scored highest in the “Security-Sensitive WAN” (4.26/5) and “Small Footprint Retail WAN” (4.14/5) use cases and scored the third highest for the “Large Global WAN” (4.09/5) use case.

These three use cases are characterized by key requirements, as outlined below:

Security-Sensitive WAN: A WAN typical of mid- to large-scale organizations with 25 or more sites, where securing branch offices is the main priority and network and security procurement are increasingly converging.

Small Footprint Retail WAN: This category is a representative of small site/mass deployment needs that are common in such retail markets as convenience stores, quick service restaurants, gas stations, specialty retail, bank ATMs and independent insurance agents.

Large Global WAN: This category looks at the needs of larger multinational organizations with a global WAN requirement for more than 200 sites, and that spans at least two continents.

We believe that, with our Security-Driven Networking approach and custom-built ASICs, Fortinet delivers a scalable, flexible Secure SD-WAN solution that customers can deploy across the home, branch, campus and multi-cloud.

According to Gartner, “SD-WAN product differentiation is primarily based on feature breadth and/or depth, specifically on security, application performance optimization, and cloud features.” In addition, they cite that “simplified and unified security is a main driver for customers as they determine the best architectural approach for the integration of networking and security.” As an industry leader in both security and SD-WAN, we believe Fortinet offers the most comprehensive SD-WAN solution available, enabling customers to achieve best user experience at reduced cost and complexity, while delivering on our strong vision of providing a flexible and secure solution anywhere. 

Recent Recognitions for Fortinet Secure SD-WAN 

We are absolutely thrilled to be positioned as a Leader in the 2020 Gartner WAN Edge Magic Quadrant, to be named as a 2020 Gartner Peer Insights Customers Choice for WAN Edge Infrastructure, and to be recognized in the 2020 Gartner Critical Capabilities for WAN Edge Infrastructure report!

Read the full 2020 Gartner Critical Capabilities for WAN Edge Infrastructure report.

Learn more about Fortinet Secure SD-WAN.

Gartner, Critical Capabilities for WAN Edge Infrastructure, 30 September 2020, Jonathan Forest, Andrew Lerner, Naresh Singh

Gartner, Gartner Peer Insights ‘Voice of the Customer’: WAN Edge Infrastructure, PEERS, Published 13 April 2020

Gartner, Magic Quadrant for WAN Edge Infrastructure, 23 September 2020, Jonathan Forest, Andrew Lerner, Naresh Singh

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Fortinet.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designations. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to its research, including any warranties of merchantability or fitness for a particular purpose.

Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

The Human Challenge – Sophos News

Based on a comprehensive survey of 5,000 IT managers across 26 countries, Cybersecurity: The Human Challenge provides brand new insights into the state of cybersecurity skills and resources across the globe.

It reveals the realities facing IT teams when it comes to the human-led delivery of cybersecurity, and explores how organizations are responding to the skills challenges they face.

The study also exposes unique insights into the relationship between an organization falling victim to ransomware and their day-to-day cybersecurity practices.

Key findings

IT teams are showing progress in many battles

  • IT teams are on top of patching. Three-quarters of IT teams apply patches to desktops, servers, applications, and internet-facing assets within a week of release. Servers and internet-facing assets are patched most quickly, with 39% of respondents patching them within 24 hours.
  • Prevention is prioritized. On average, IT teams dedicate nearly half their time (45%) to prevention. After that, 30% of time is spent on detection and the remaining 25% is spent on response.
  • IT managers are keeping up to date with cybersecurity. The majority (72%) say that they and their teams are up to date with or ahead of cybersecurity threats. Just 11% think they are significantly behind.

Improving cybersecurity requires people – who are in short supply

  • There is an urgent need for human-led threat hunting. Forty-eight percent of respondents have already incorporated human-led threat hunts in their security procedures and a further 48% plan to implement them within a year.
  • The cybersecurity skills shortage is directly impacting protection. Over a quarter (27%) of managers said their ability to find and retain skilled IT security professionals is the single biggest challenge to their ability to deliver IT security, while 54% say it is a major challenge.

Organizations are changing the ways they deliver security

  • Improving operational efficiency is a key priority. Four in ten (39%) respondents said that improving operational efficiency and scalability is one of their biggest priorities for the IT team this year.
  • Outsourcing IT security is rising fast. Currently, 65% outsource some or all of their IT security efforts. This is set to rise to 72% by 2022. The percentage of organizations that exclusively use in-house staffing will drop from 34% to 26%.

Ransomware victims display different behaviors and attitudes than those who haven’t been hit

  • Ransomware victims are more exposed to infection from third parties. Twenty-nine percent of organizations hit by ransomware in the last year allow five or more suppliers to connect directly to their network – compared to just 13% for those that weren’t hit.
  • Ransomware damages professional confidence. IT managers whose organizations were hit by ransomware are nearly three times as likely to feel “significantly behind” on cyberthreats than those that weren’t (17% vs. 6%).
  • Being hit accelerates implementation of human-led threat hunting. Forty-three percent of ransomware victims plan to implement human-led hunting within six months, compared to 33% for those that didn’t suffer an attack.
  • Victims have learned the importance of skilled security professionals. More than one-third (35%) of ransomware victims said recruiting and retaining skilled IT security professionals is their single biggest challenge when it comes to cybersecurity, compared to just 19% who hadn’t been hit.

Download the full PDF report for more findings, including results for each of the 26 countries surveyed.

About the survey

Sophos commissioned specialist research house Vanson Bourne to survey 5,000 IT managers during January and February 2020. Sophos had no role in the selection of respondents and all responses were provided anonymously.

Respondents came from 26 countries across six continents: Australia, Belgium, Brazil, Canada, China, Colombia, Czech Republic, France, Germany, India, Italy, Japan, Malaysia, Mexico, the Netherlands, Nigeria, the Philippines, Poland, Singapore, South Africa, Spain, Sweden, Turkey, UAE, the UK, and the US.

Fifty percent of respondents were from organizations of between 100 and 1,000 employees, and 50% were from organizations of between 1,001 and 5,000 employees. Respondents came from a range of sectors, both public and private.
