Sophos Firewall Security Heartbeat Quiz
Questions and Answers

What happens when malware is detected on a computer with Security Heartbeat?

  • The infected computer will stop sending any event information to the firewall.
  • The Sophos Firewall will automatically remove the malware from the infected device.
  • The Sophos Firewall will block the infected computer from connecting to other devices. (correct)
  • The Sophos Firewall will allow the computer to access other networks.

In which circumstance can healthy endpoints drop traffic from a computer with a red health status?

  • When the traffic passes through a router.
  • When the infected computer is connected to a switch.
  • When the healthy endpoints can see the MAC address of the traffic source. (correct)
  • When the infected computer has self-isolation enabled.

What is the function of self-isolation in Sophos Central?

  • It permits the infected computer to connect to routers without restriction.
  • It allows the infected endpoint to start sharing its traffic with other endpoints.
  • It removes all firewall protections for the infected device.
  • It causes the endpoint to isolate itself, communicating only with Sophos Central. (correct)

Why can't Sophos Firewall drop traffic based on MAC address when crossing routers?

  • MAC addresses are not transmitted over the internet. (correct)

How does the Sophos Firewall identify devices and enforce blocking on the network?

  • Utilizing the IP address of the infected computer for device identification. (correct)

What is the purpose of routing traffic to the heartbeat IP address when using Sophos Firewall via a VPN?

  • To facilitate the establishment of a Security Heartbeat. (correct)

What does registering a Sophos Firewall with Sophos Central require?

  • A serial number and a one-time password or administrator credentials. (correct)

Which of the following statements about Security Heartbeat is correct?

  • Computers will establish a heartbeat with all Sophos Firewalls they can reach. (correct)

What is the significance of the 'SecurityHeartbeat_over_VPN' object in the Sophos Firewall setup?

  • It is a predefined host object for routing heartbeat traffic over the VPN. (correct)

What limitation exists regarding destination-based rules in the context of Security Heartbeat?

  • They do not apply to traffic in the WAN zone. (correct)

Study Notes

Sophos Firewall Security Heartbeat

• Sophos Firewall uses Security Heartbeat to communicate with endpoints managed in Sophos Central.
• Heartbeat communication is a few bytes every 15 seconds.
• Health status can be GREEN, YELLOW, or RED, indicating the endpoint agent status (running or not running) and whether malware has been detected.
• GREEN indicates no active or inactive malware.
• YELLOW indicates inactive malware or a PUA has been detected.
• RED indicates the endpoint agent may not be running, active malware, or malicious network traffic.
• Sophos Firewall shares the MAC address of a computer with RED health status with healthy endpoints, which then drop its traffic, preventing the infected computer from connecting to other devices.
• Endpoint self-isolation can prevent traffic from infected hosts.
• Security Heartbeat functionality involves communication between Sophos Firewall and Sophos Central for threat response.
• Sophos Firewall registers with Sophos Central and receives a device identification certificate, IP addresses, and endpoint IDs.
• Sophos Central shares the necessary information (e.g., certificates) with managed endpoints.
• A heartbeat connection starts with a discovery message sent by the endpoint to Sophos Firewall.
• Sophos Firewall validates the endpoint's identity and establishes bidirectional communication.
• The endpoint sends health status information (e.g., quarantine status, network status, login status).
• Heartbeat communication is local between the endpoint and the firewall, even when there are multiple Sophos Firewall instances.
• Firewall rules can restrict traffic based on the Security Heartbeat status of the source or destination (GREEN, YELLOW, or NO restriction).

Firewall Rule Indicators

• The heartbeat indicator determines traffic restriction based on endpoint health status (RED, YELLOW, or GREEN).
• A rule whose indicator is YELLOW blocks devices with a RED heartbeat status.
• A rule whose indicator is GREEN blocks devices with a RED or YELLOW heartbeat status.
• Indicators can also block clients with a missing heartbeat, that is, a device that has stopped sending heartbeats.
• An indicator with a plus sign means the heartbeat is mandatory.
• Indicators apply only to source-based heartbeat rules.

Deploying Security Heartbeat

• Deploying Security Heartbeat means considering how the technology works and starting with a conservative configuration.
• Using firewall rules with high priority, and sparingly using the option to block clients with no heartbeat, are good strategies.
• Review the current health status of the network.
• Determine the appropriate health status criteria (e.g., source, destination).
• Ensure all devices can create heartbeats with the Sophos Firewall.
• Prevent compromised or infected computers from connecting to other network segments.
• Use managed switches to route inter-VLAN traffic via the Sophos Firewall to protect devices in different network segments (applicable to network-connected users).
• Use bridge mode to install the firewall inline with an existing firewall.
• Use Discover Mode (TAP Mode), which connects the Sophos Firewall to a SPAN port on a switch, when routing is done by an existing firewall solution (applicable to wireless users).

Security Heartbeat Status

• The Sophos Firewall Control Center shows the heartbeat status (GREEN, YELLOW, or RED) of each computer.
• This allows monitoring of network devices' health status, including computer hostname, IP address, and user status.

Active Source Identification

• Detects advanced attacks from an unknown source.
• Sophos Firewall asks the targeted computer for information on the source of the attack.
• The compromised computer sends details such as hostname, IP address, logged-in user, and process name to assist with identifying the attack.

Heartbeat Detections

• Heartbeat detections are prefixed with "C2/Generic", which covers several detection types.
• C2/Generic-A detects malicious traffic from an endpoint to a known C&C server, or a computer performing a DNS lookup for a known C&C server.
• C2/Generic-B is a detection where the endpoint agent detects a process attempting to connect to a known C&C server.
• C2/Generic-C is a detection reported on the computer where Sophos Firewall detected a C2/Generic-A threat.


Description

Test your knowledge of the Sophos Firewall Security Heartbeat system. This quiz covers the communication processes, health statuses, and threat response mechanisms involved in managing endpoints via Sophos Central. Understand how endpoint self-isolation and health status management contribute to network security.
