TO10 – Technical Overview – Endpoint Protection
Endpoint Protection 10
Solution architecture
Endpoint Protection 10
SophosLabs expertise (1)
• Malware (Virus, Worms, Trojans, Rootkits, Spyware)
• Adware
• HIPS Rules
• Malicious URLs
• Spam Campaigns
• DLP (Sensitive data types)
• Application control
• Device control
• Web URL database
• Anonymising proxies
• Application patches
[Diagram: SophosLabs Active Protection data feeds: Malware Data, Website URL Database, HIPS Rules, Reputation Data, Malicious URLs, Spam Campaigns, Sensitive Data Types, Application Categories, Device Data, Mobile Application Reputation, Anonymizing Proxies, Application Patches]
SophosLabs expertise (2)
[Diagram: SophosLabs Active Protection (Identities, Genotype, Website URL Database, HIPS Rules, Reputation Data, Malicious URLs, Spam Campaigns) produced by labs in Vancouver, Canada; Oxford, UK; Budapest, Hungary; Sydney, Australia; delivered to endpoints through Live Cloud Lookups and Continuous Protection Updates]
Central installation directories
○ \\<server name>\SophosUpdate\CIDs
○ Web CIDs
[Diagram: SophosLabs Active Protection → Sophos Update Manager → CID → Endpoints]
Sophos AutoUpdate
Sophos Update Manager
• Sources
• Subscriptions
• Distribution
• Schedule
• Logging
• Self update
Updating multiple CIDs
[Diagram: Sophos warehouse → HTTP → Headquarters (SUM and CID); from headquarters over UNC, HTTP and UNC to Office 1, Office 2 and Office 3, each with its own SUM and CID]
Updating multiple CIDs (continued)
• Controls the version of endpoint software
• Controls the network bandwidth
Sophos Enterprise Console
• Find and populate endpoints and groups
• Deploy
• Configure the client software
• Configure SUM
• Monitor the network
• Take actions
• Generate reports and alerts
• Store all data in SQL server database
Client side components
• Sophos Antivirus / Sophos Endpoint client
• Sophos Client Firewall (optional)
• Patch agent (optional)
• Encryption agent (optional)
• Sophos AutoUpdate
• Sophos RMS agent
[Diagram: client side: Sophos Antivirus, Client Firewall and AutoUpdate behind the agent and message router; server side: message router, management server, Enterprise Console, SEC database and Sophos Update Managers (COM + HTTP); client and server linked by RMS on ports 8192 and 8194]
With virtual platforms
[Diagram: VMs (on all supported OS) each running Sophos AntiVirus, AutoUpdate and a message router, on VMware, Hyper-V or XenServer; optional Virtualization Scan Controller; management server CID reached over UNC or HTTP; management via RMS]
With VMware vShield Endpoint
• Same AV policy
• Alerts reported per VM
• Max 2 simultaneous scheduled scans
[Diagram: Windows-only VMs with VmTools and vShield drivers on VMware ESX Server (vSphere/vShield); one SSVM (Linux) running SAV for vShield with AutoUpdate and a message router; management server CID over UNC or HTTP; management via RMS]
Message relays
• Required above 10,000 endpoints
[Diagram: headquarters management server communicating via RMS with remote offices; in each remote office one endpoint also acts as message relay server for the other endpoints]
System requirements and deployment
Endpoint Protection 10
Section objectives
Upon completion of this section you will be able to:
• qualify the main system requirements for the management software components and endpoint software components
• list the main steps of a simple deployment
• list additional steps required for advanced deployments and for upgrades
• list the main steps involved in a typical endpoint deployment
Management software version 5.2.1 R2
Windows XP, Vista and 7 have performance limitations, especially with CIDs
Endpoint client for Windows version 10.3
http://www.sophos.com/en-us/support/knowledgebase/118620.aspx for more details
Endpoint client for Windows (continued)
Feature columns: Client Firewall, Patch Assessment, Web Control, Full Disk Encryption
Windows 2000 Professional: Y Y Y
Windows XP / Vista / 7 Home: Y Y
Windows XP Professional: Y Y Y, 32bit only
Windows Vista / 7 Professional / Enterprise / Ultimate: Y Y Y Y
Windows 8 Home / Professional / Enterprise: Y Y Y (desktop mode)
Windows 2003/R2/2008/R2/2012 Standard / Enterprise / Web: Y Y
Windows 2003/R2/2008/R2/2012 Datacenter: Y
Windows 2000/2003/2008/2011 Small Business: Y
See http://www.sophos.com/en-us/support/knowledgebase/113278.aspx for more details
Antivirus on other platforms
Other platforms supported:
• Mac OS 10.6 or later (Intel and PowerPC)
• Linux with libc6 on Intel
• UNIX: Solaris, AIX, HPUX, FreeBSD
• NetApp with ONTAP 7.x and 8.x (off-board)
• EMC VNX with CAVA
• Sun Storage with ICAP
• VMware ESX server with vShield Endpoint 5.1 or later
See http://www.sophos.com/en-us/support/knowledgebase/118620.aspx for more details
Product and platform retirement
Management server setup
• Main steps:
○ Components Selection
○ System Property Checks
○ Database details
○ Communication settings
○ SUM Credentials
○ Optional feedback to Sophos
○ Software installation, including SQL Express 2008 R2
○ Sophos download account
○ Selection of client platforms
○ Download of client software
Additional SUM deployment
• Setup.exe to deploy
• Cac.pem & Mrinit.conf
• Managed SUM via SEC
• SEC manages:
○ subscriptions between parent and child SUM
○ SUM configuration
○ updating hierarchy report
○ alerts
• Unmanaged SUM via XML
Additional CIDs
• Additional versions and platforms: Subscription tab
• Additional CIDs on remote server: Distribution tab
• Web CIDs: Manual configuration on a web server or on a reverse proxy*
*Web CIDs on a reverse proxy are only supported by Sophos professional services
Upgrades
• Upgrade guide
• Automatic upgrade
• System Property check
• Upgrade center: http://www.sophos.com/en-us/support/resource-centers/endpoint/upgrade-center.aspx
Steps for endpoint deployment
• Find new computers
• Create groups
• View/Edit policy
• Protect:
○ Sophos Enterprise Console’s Protect
○ Sophos Enterprise Console’s Synchronization with Active Directory (see the slide on Finding new computers in the next section)
○ Using alternative deployment mechanisms (see the next 2 slides)
○ option to specify the “group path” for unassigned endpoints
For more details on deployment from Sophos Enterprise Console: http://www.sophos.com/en-us/support/knowledgebase/29287.aspx
Alternative mechanisms
• Manual installation from one of the bootstrap locations
• Scripting
• Third party desktop deployment tools (including GPO, SCCM on Windows or Apple Remote Desktop on Macintosh)
• Packaged self-extracting files
• Disk imaging and cloned virtual machines
Alternative mechanisms (continued)
• Sophos Deployment Packager tool
Competitor Removal Tool (CRT)
• detects 3rd party Antivirus
• detects 3rd party firewalls (except Windows FW & VPN clients)
• stops installation upon detection
• optionally removes 3rd party security software
• can be customized by Sophos
• Run avremove.exe to test
Section review
• List the operating systems supported by
○ Sophos endpoint client version 10
○ Other versions of Sophos Antivirus
○ Sophos Client-Firewall
○ Sophos Enterprise Console
• List 6 types of endpoint deployment mechanisms
Management from Sophos Enterprise Console
Endpoint Protection 10
Section objectives
Upon completion of this section you will be able to:
• describe the main management tasks which can be completed from Sophos Enterprise Console
Section agenda
• Update Manager
• Find new computers
• Create groups
• Updating
• Antivirus and HIPS
• Firewall
• Application Control
• NAC
• Data Control
• Device Control
• Tamper Protection
• Full disk encryption
• Patch
• Web Control
• Dashboard and Alerts
• Smart views
• Right click actions
• Event viewers
• Reports
• Role based administration
Update Manager
• Centrally managed from SEC
• Control of Endpoint software versions and size of updates (software subscription)
Find new computers
Endpoints connected to the network can:
• be found on demand (Find new computers)
• be found, deployed, moved and removed on a schedule (Synchronize with AD)
• be imported (Import computer from file)
• appear automatically (deployment using alternative mechanisms)
Create groups
• Generally created:
○ By location
○ By computer role
○ By security privileges
Updating
Antivirus and HIPS
• Viruses
• Trojans
• Worms
• Spyware
• Rootkits
• Adware
• PUA
Antivirus and HIPS (HIPS)
Antivirus and HIPS (Web components)
Antivirus and HIPS (Authorization)
Firewall
• Monitor operational mode: Easily create rules
NAC (unavailable to new customers)
Application control
Data control
Files transferred only by Windows Explorer
Data control (continued)
Data control (continued)
Device control
Full disk encryption
Tamper protection
Patch
• What is a patch?
• Can prevent 90% of vulnerabilities
• What patches are needed?
• Are computers correctly patched?
• SophosLabs patch rating:
○ Vulnerability severity
○ Software popularity
○ Access conditions
○ Threat prevalence
Patch - Policy
Patch - Reporting
Sophos Web LENS agent
• LENS: Lightweight Endpoint Network Scanner
• LSP: Layered Service Provider
• Scans pre-execution
• Browser agnostic and Tamper resistant
• BHO now retired
• One SXL lookup:
○ Known malicious website
○ Website category
• Scans content for:
○ Malicious files and scripts
○ Unauthorized content type
Sophos Web LENS (continued)
Inappropriate and Full web control
Inappropriate website control
Inappropriate website control - reporting
Full web control
Full web control – Live connect
[Diagram: Live Connect over HTTP and HTTPS]
Full web control - Reporting
Full web control
• Use case for the Web Appliance as a proxy
• Still need the web appliance as gateway:
○ Mac + Linux endpoints
○ Guests
Inappropriate and Full web control
• Main differences:
Feature | Inappropriate website control | Full web control
Console | SEC only | SEC + Web or Management Appliance
Reports | SEC event viewer | Web or Management Appliance
Number of categories | 12 | 54
Policies | By computer groups | By users, by user groups, by time of the day
Policy communication | Via RMS | Via Live Connect
Dashboard and alerts
Smart views
Right click actions
Includes malware cleanup
Event viewers
Event viewers (continued)
Event viewers (continued)
Reports
Reporting interface
• Separate tool used to:
○ Extract data from the Sophos Database
○ Create customized reports for Crystal Reports
○ Create customized logs for Splunk
Role based administration - roles
Role based administration - sub-estates
Management at endpoint
Endpoint Protection 10
End user experience on Windows
• Installing
• Client installed
• Message for user
• Failing to update
Tamper protection
End user experience on Mac
Management of threats
• User alerts
• Automatic clean up
• Quarantine manager
• Command line scanner
• Sophos Bootable Antivirus CD
• Further instructions and tools from the website
Features by platform
Feature columns: Managed by SEC, Updated via SUM, On-access, Scheduled scan, Live protection, Automatic Cleanup, Web Protection, Device Control, HIPS/Patch/NAC, Tamper protection, Web/App/Data Control
Endpoint 10.x for Windows: Y Y Y Y Y Y Y Y Y
SAV 9.x for Macintosh: Y Y Y Y Y Y Y, Coming Soon
SAV 9.x for Linux: Y Y Y Y Y Y
SAV 9.x for Solaris / HP-UX / AIX: Y Y Y Y
SAV 4.x for FreeBSD: Y, Via cron, Y
SAV for VMware vShield: Y Y Y Y Y
SAV for NetApp: Off-board, Except reports, Y, Via ONTAP
SAV for EMC VNX: Except reports, Y, Via CAVA
SAV for Sun storage systems: Except reports, Y, Via ICAP
August 2013
Full Disk Encryption
Endpoint Protection 10
Section agenda
• Sophos POA
• Other recovery options
• Architecture
• Deployment
• Management from Sophos Enterprise Console
For more information on our Full encryption suite:
• Check the TO20 SafeGuard Enterprise technical cover course
Sophos POA
• Power on Authentication:
○ Increases security
○ With a user friendly interface
○ Provides multiple recovery features
○ Manages user machine assignment
Sophos POA - Security
• Before the operating system starts up
• Tampering protection
• Logon delays on false entries
• Legal text (optional)
• Audit logs
• Wake-on-LAN support
[Diagram: boot sequence: Computer BIOS → Master Boot Record → Sophos POA → Operating System]
Sophos POA - Recovery
• POA Challenge/Response
Sophos POA - Recovery (continued)
• POA Local Self Help
Recovery - Damaged disk
• Recovery via Sophos tools (including POA)
• Integration with 3rd party recovery tools:
○ Windows WinPE and Bart PE
○ Lenovo Rescue and Recovery (RnR)
○ AbsoluteSoftware Computrace
• Integration with 3rd party forensic tools:
○ Encase
○ AccessData
• Help from Sophos technical support
Installation at the management server
Endpoint deployment
• Via the console
• Setup.exe, manually or via 3rd party deployment tool
• Computer MBR and volumes need to be checked before deploying
http://www.sophos.com/en-us/support/knowledgebase/57554.aspx
Policy
Sophos Cloud and Sophos UTM
Endpoint Protection 10
Main endpoint solutions
• On premise Endpoint Protection
○ Managed via Sophos Enterprise Console
• Sophos Cloud Endpoint
○ Managed via Sophos Cloud
• Endpoint Protection in Sophos UTM
○ Managed via Sophos UTM
Main differences
Feature | Cloud Endpoint 1.5 | UTM 9.1 | On-premise with SEC 5.2.1
Console | Web console in the Cloud | Web console in the UTM | SEC console on Windows server
Centralized update repository | Web proxy cache (optional) | Web proxy cache (optional) | Update Manager on file servers or on web servers
Endpoint platforms | Windows, Mac | Windows | Windows, Mac, Linux, UNIX, Storage (Netapp, EMC, Sun)
Main features | Anti-Malware, Device Control (AD Sync coming soon) | Anti-Malware, Device & Web Control | Anti-Malware, Device, Web & Application Control, Client Firewall, DLP, Patch assessment, Encryption, AD Sync
Management | Users with simple policies | Computers with detailed policies | Computers with detailed policies
Target market | Up to 1,000 users | Up to 1,000 users | Up to 25,000 users
Online resources
Endpoint Protection 10
Online knowledgebase
• Rollout and configuration best practice
• Advanced configuration
• Disaster recovery planning
• Significant files and registry keys
• Troubleshooting
Product upgrades
• Email notification: http://www.sophos.com/security/notifications
• Product and software retirement: http://www.sophos.com/support/lifecycle
• Upgrade guides: http://www.sophos.com/support/docs
• Upgrade center: http://www.sophos.com/en-us/support/resource-centers/upgrade-center.aspx
Support section
Website Labs section
Website Community section
Product trial
End
Endpoint Protection 10
Feedback
educationrequests@sophos.com
