UTM 9.5 Expanded

Web Application Firewall: Expanding our WAF & TMG Replacement Opportunities
✓ WAF URL Redirection for back-end servers
✓ WAF policy and authentication templates
✓ True-File-Type and TLS version options

Sandboxing: Expanding Sandstorm Sandboxing
✓ Sandstorm datacenter selection
✓ Sandstorm scanning file-type exceptions
✓ Sandstorm email activity reporting

Management & Reporting: Expanding Performance & Usability
✓ New 64-bit database architecture
✓ Aggregate log download in a single archive
✓ RESTful API and certificate expiry notifications

UTM 9.5 Expanding our industry-leading Protection and Performance

UTM 9.5 Timeline
Current Timeline (subject to change!)
• 6-Apr: Public Beta Starts
• 26-April: Staging
[Timeline figure: weekly axis from 3-Apr to 15-May]

Web Application Firewall Enhancements

WAF URL Redirection
What is it?
• Ability to redirect traffic for a WAF protected URL to a different backend system/URL
Benefits
• Simplify setup of backend systems
• Close a gap for TMG deployments
How it works
• Incoming URL is redirected within WAF to different paths/servers/ports
• Diagram: User requests https://exchange.sophos.local; UTM requests https://exchange.sophos.local/owa internally or externally

WAF URL Redirection Configuration
• Path to redirect (path must not be used in Site Path Routing)
• Where to redirect the request
• Type of redirection

WAF protection and authentication policy templates
What is it?
• Templates for common MS services for protection and authentication
Benefit
• Faster deployment time with prefilled policies for common services
How it works
• Additional protection and authentication templates will be made available, based on the existing KBAs

Configure minimum allowed TLS version in WAF
What is it?
• Ability to control the minimum TLS version allowed per WAF virtual server
Benefits
• PCI Compliance by excluding TLS 1.0
• Choose the right allowed TLS version for each application
How it works
• Dropdown selection of the TLS version(s) to allow for connections with the server

WAF TFT (True-File-Type)
What is it?
• Downloads/Uploads can be blocked based on MIME type
Benefits
• Protection from potentially harmful files being pushed to protected applications
• Better control over what is exchanged with protected applications
How it works
• SAVI scanning detects the true filetype; based on the result, the file is allowed or blocked

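An added example (not Sophos code and not the SAVI engine): the allow/block decision described above, applied to each file in a constructed multipart/form-data upload, with a small magic-number table standing in for real true-file-type detection. The MAGIC table, the BLOCKED_TYPES policy and the function names are hypothetical.

```python
from email.parser import BytesParser
from email.policy import HTTP

# Constructed magic-number table; a real scan engine recognises far more formats.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-msdownload"),
    (b"\x7fELF", "application/x-executable"),
]
# Hypothetical policy: true file types the protected application must not receive.
BLOCKED_TYPES = {"application/x-msdownload", "application/x-executable"}


def true_file_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring any declared type."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def inspect_upload(content_type: str, body: bytes):
    """Return (filename, declared type, detected type, action) per uploaded file."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    verdicts = []
    for part in msg.iter_parts():
        data = part.get_payload(decode=True) or b""
        detected = true_file_type(data)
        action = "block" if detected in BLOCKED_TYPES else "allow"
        verdicts.append((part.get_filename(), part.get_content_type(), detected, action))
    return verdicts


# Constructed sample: the second file claims to be a PNG but starts with an EXE header.
SAMPLE_TYPE = "multipart/form-data; boundary=b0undary"
SAMPLE_BODY = (
    b'--b0undary\r\nContent-Disposition: form-data; name="a"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n\r\n%PDF-1.7 sample\r\n"
    b'--b0undary\r\nContent-Disposition: form-data; name="b"; filename="photo.png"\r\n'
    b"Content-Type: image/png\r\n\r\nMZ\x90\x00\x03\x00\r\n"
    b"--b0undary--\r\n"
)

if __name__ == "__main__":
    for verdict in inspect_upload(SAMPLE_TYPE, SAMPLE_BODY):
        print(verdict)
```

The decision keys on the detected type only; the declared Content-Type and the filename are reported so a mismatch can be logged.
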
WAF Proxy Protocol Support
What is it?
• WAF reads and respects the ProxyProtocol header, and uses the client IP info inside the ProxyProtocol header to make policy decisions & logging.
Benefits
• Get information on the real request origin on WAF protected servers
• Get better insights into usage on the server itself
How it works
• Client: Client IP, Loadbalancer IP
• Loadbalancer: Loadbalancer IP, WAF IP, ProxyProtocol Header Client IP
• WAF: Loadbalancer IP, Real Webserver IP, ProxyProtocol Header Client IP
• Webserver: Loadbalancer IP, ProxyProtocol Header Client IP

Sophos Sandstorm Enhancements

Datacenter location selection for Sophos Sandstorm
What is it?
• Ability to select which datacenter should be used for Sophos Sandstorm processing, without relying on DNS based location detection
Benefits
• Datacenter location selection no longer relies on DNS detection, allowing better compliance
• Customers can select a different location than DNS detection would provide
How it works
• Dropdown box to select the datacenter or rely on automatic selection
• Each datacenter has a dedicated domain that is being used

Scan exceptions for Sophos Sandstorm
What is it?
• Exclude specific filetypes from being sent to Sophos Sandstorm analysis
Benefits
• Control which files are being sent to Sophos Sandstorm
• Privacy and data protection concerns can be better addressed
• Independent control of what is being AV scanned and sent to Sophos Sandstorm
How it works
• Global configuration of MIME types that should be excluded; before information is uploaded to Sophos Sandstorm, the MIME type is checked for a block

Sophos Sandstorm E-Mail reporting improvement*
What is it?
• Activity Report page also contains the information on Sophos Sandstorm results for E-Mail Protection
Benefits
• Better insights into Sophos Sandstorm activities for E-Mail Protection
• Better ability to display value of Sophos Sandstorm
How it works
• E-Mail Protection also provides the data for the Sophos Sandstorm Activity Page, as Web Protection does
*This feature was added in a recent UTM 9.4 Maintenance Release

Management & Reporting Enhancements

64-bit PostgreSQL Database
What is it?
• Architecture change for reporting database in UTM
Benefits
• Performance and reliability improvements
• Faster report generation
• Ability to generate reports with bigger datasets
How it works
• On new installations the 64-bit PostgreSQL Database is installed and used
• On existing installations the admin will need to run a migration tool that will create a database dump, change the architecture and import the database dump – NO DATA WILL BE LOST

Certificate Expiration Notification
What is it?
• UI notification on certificates about to expire
• E-Mail notification on certificates about to expire
Benefits
• React early on certificate renewal for UTM services
• Keep secure connections up without disruption
How it works
• The system checks expiration dates on certificates
• Starting at 30 days, a notification is displayed and an E-Mail notification is sent

Download all UTM logs
What is it?
• Ability to download all UTM log files in a single archive
Benefits
• Easier import into Sophos iView of historical log data
• Easier archiving of historical UTM log data
How it works
• All UTM log files are combined in one archive and provided as download

Support Access with SSH
What is it?
• Extension to the existing Support Access feature
• Allows support to have access to UTM with SSH
Benefits
• No need to provide login credentials to support
• Easily provide support with the proper access to resolve support issues quicker
How it works
• UTM builds a secure connection to a proxy operated by Sophos
• Support can use the Access ID to get access to WebAdmin and SSH via the proxy
• Only Sophos Support has access to the systems

SNMP Monitoring of full Filesystem
What is it?
• SNMP options will be made available to check the filesystem usage
Benefit
• Integrate UTM filesystem monitoring in regular SNMP based monitoring solutions
How it works
• Filesystem usage information will be available via SNMP using the default Linux MIBs

Management & Reporting RESTful API

RESTful API
What is it?
• Full REST API to configure Sophos UTM 9
Benefits
• Automation for UTM configuration without the need for specific tools
• Integration of UTM configuration into 3rd party configuration management systems
• Integration of UTM configuration within own deployment scripts (DevOps)
What is a REST API?
https://en.wikipedia.org/wiki/Representational_state_transfer

RESTful API
https://<IP or URL of UTM>:4444/api/