Recent events with F5 and SonicWall underline a continuing issue: network infrastructure is constantly under attack, and the cybersecurity industry continues to grapple with deep product security challenges.
Our adversaries are targeting the very tools designed to defend us. These are not opportunistic attacks: they’re a long-term strategy requiring years of research and are increasingly involving direct breaches of vendors’ own engineering and product environments.
As disclosed in our Pacific Rim research from last year, Sophos has direct experience with this. We discovered an internal breach of our firewall division in 2018, followed by attacks against customer devices that demonstrated an uncanny knowledge of our product architecture. A handful of other vendors have disclosed similar internal intrusions but this likely only scratches the surface of a wider issue.
What can we do? As Ollie Whitehouse at the National Cyber Security Centre has pointed out, this is ultimately a market incentives problem. Buyers need to demand better. Not by punishing vendors who disclose breaches, but by rewarding vendors who embrace transparency and demonstrate a real commitment to Secure by Design principles.
Over the last several releases, we have continued to invest in implementing Secure by Design principles into all our products, including Sophos Firewall. Sophos Firewall has had numerous updates in the last few years to aggressively harden the product, make it easier to patch vulnerabilities, and to identify when a customer is under attack.
As you probably know, Sophos Firewall is unique in offering zero-touch over-the-air hotfixes that can be used to patch new vulnerabilities without scheduling downtime. Sophos is also the only vendor that is actively monitoring our install base to help identify signs of an attack early.
Sophos Firewall v22 takes Secure by Design to a new level with several important enhancements:
Improved workload isolation – With our next-gen Xstream Architecture, SFOS v22 introduces an all-new control plane re-architected for increased defense-in-depth and scalability. The new control plane enables deeper modularization, isolation, and containerization of services.
Hardened kernel – The next-gen Xstream Architecture in Sophos Firewall OS is built upon a new hardened kernel (v6.6+) that provides enhanced security, performance, and scalability to maximize current and future hardware. This new kernel offers tighter process isolation and better mitigation for side-channel attacks as well as mitigations for CPU vulnerabilities. It also offers hardened usercopy, stack canaries, and Kernel Address Space Layout Randomization (KASLR).
Remote integrity monitoring – Sophos Firewall OS v22 now integrates our Sophos XDR Linux Sensor that enables real-time monitoring of system integrity, including unauthorized configuration, rule exports, malicious program execution attempts, file tampering, and more. This helps our security teams – who are proactively monitoring our entire Sophos Firewall install base – to better identify, investigate, and respond more quickly to any attack. This is an added security capability that no other firewall vendor provides.
Sophos Firewall Health Check – A strong security posture depends on ensuring your firewall and other network infrastructure is optimally configured. Sophos Firewall v22 makes it much easier to evaluate and address the configuration of your firewall with the new Health Check feature, which checks dozens of different configuration settings on your firewall and compares them with CIS benchmarks and other best practices, providing immediate insights into areas that may be at risk.
Be sure to get involved in the Sophos Firewall v22 Early Access Program to better secure your network and help make this release the best it can be.
