Sophos Firewall Security Heartbeat Quiz

Questions and Answers

What happens when malware is detected on a computer with Security Heartbeat?

• The infected computer will stop sending any event information to the firewall.
• The Sophos Firewall will automatically remove the malware from the infected device.
• The Sophos Firewall will block the infected computer from connecting to other devices. (correct)
• The Sophos Firewall will allow the computer to access other networks.

In which circumstance can healthy endpoints drop traffic from a computer with a red health status?

• When the traffic passes through a router.
• When the infected computer is connected to a switch.
• When the healthy endpoints can see the MAC address of the traffic source. (correct)
• When the infected computer has self-isolation enabled.

What is the function of self-isolation in Sophos Central?

• It permits the infected computer to connect to routers without restriction.
• It allows the infected endpoint to start sharing its traffic with other endpoints.
• It removes all firewall protections for the infected device.
• It causes the endpoint to isolate itself, communicating only with Sophos Central. (correct)

Why can't Sophos Firewall drop traffic based on MAC address when crossing routers?

MAC addresses are not transmitted over the internet. (A)

How does the Sophos Firewall identify devices and enforce blocking on the network?

Utilizing the IP address of the infected computer for device identification. (B)

What is the purpose of routing traffic to the heartbeat IP address when using Sophos Firewall via a VPN?

To facilitate the establishment of a Security Heartbeat. (D)

What does registering a Sophos Firewall with Sophos Central require?

A serial number and a one-time password or administrator credentials. (A)

Which of the following statements about Security Heartbeat is correct?

Computers will establish a heartbeat with all Sophos Firewalls they can reach. (A)

What is the significance of the 'SecurityHeartbeat_over_VPN' object in the Sophos Firewall setup?

It is a predefined host object for routing heartbeat traffic over the VPN. (A)

What limitation exists regarding destination-based rules in the context of Security Heartbeat?

They do not apply to traffic in the WAN zone. (A)

Flashcards

Central account

A Sophos Firewall can be connected to a central account and managed remotely. Only one Central account can be associated with a single Sophos Firewall, but multiple firewalls can be managed by the same Central account.

Security Heartbeat Routing

Traffic destined for the Security Heartbeat IP address should be routed to the Sophos Firewall when the computer connects via VPN. This can be achieved by making the Firewall the default gateway or by explicitly adding the heartbeat IP address to the VPN networks.

Security Heartbeat

The Security Heartbeat feature allows the Sophos Firewall to monitor the health status of client computers. It can detect if a computer is properly protected by Sophos software and if there are any connectivity issues.

Health-based Firewall Rules

Firewall rules can be configured to restrict traffic based on the health status of the client (minimum health status) or to require the client to establish a heartbeat with the Firewall (security heartbeat required).

Finding Heartbeat IP and Port

The Security Heartbeat IP address and port can be found in the Heartbeat.xml file on the client computer. The file is typically located in ProgramData\Sophos\Heartbeat\Config\Heartbeat.xml.

What is Security Heartbeat?

Security Heartbeat is a technology that uses a combination of Sophos Firewall and endpoint protection to prevent the spread of malware. It works by monitoring endpoints for suspicious activity and isolating infected devices from the network.

How does Security Heartbeat isolate infected devices?

When malware is detected on an endpoint, Security Heartbeat sends event information and the endpoint's health status to the Sophos Firewall. The Firewall then shares this information with healthy endpoints, allowing them to block traffic from the infected device.

What is self-isolation?

Self-isolation allows an infected endpoint to isolate itself from the network and only communicate with Sophos Central for updates and management. This enhances protection by preventing the infected device from spreading malware within the network.

How is self-isolation managed?

Self-isolation is configured through the Threat Protection policy in Sophos Central, allowing administrators to manage the isolation behavior of endpoints.

Does Security Heartbeat block network access for all devices on the same port?

The Sophos Firewall only blocks traffic from the infected device, allowing other devices connected to the same port to maintain network access.

Study Notes

Sophos Firewall Security Heartbeat

• Sophos Firewall uses Security Heartbeat to manage and deploy communication between endpoints managed in Sophos Central.
• Heartbeat communication is a few bytes every 15 seconds.
• Health status can be GREEN, YELLOW, or RED, indicating endpoint agent status (running/not running) and malware detection.
• GREEN indicates no active/inactive malware.
• YELLOW indicates inactive malware/PUA detected.
• RED indicates endpoint agent may not be running/active malware/malicious network traffic.
• Sophos Firewall shares MAC address of computer with red health status with healthy endpoints, preventing infected computers from connecting to other devices.
• Endpoint self-isolation can prevent traffic from infected hosts.
• Security Heartbeat functionality involves communication between Sophos Firewall and Sophos Central for threat response.
• Sophos Firewall registers with Sophos Central, receiving device identification certificates, IP addresses, and endpoint IDs.
• Sophos Central shares necessary information (e.g., certificates) with managed endpoints.
• Heartbeat connection starts with discovery message sent by endpoint to Sophos Firewall.
• Sophos Firewall validates endpoint identity and establishes bidirectional communication.
• Endpoint sends health status information (e.g., status of quarantine, network status, login status).
• Heartbeat communication is local between endpoint and firewall, even with multiple Sophos Firewall instances.
• Firewall rules can restrict traffic based on the Security Heartbeat status of the source/destination (GREEN, YELLOW, or NO restriction).

Firewall Rule Indicators

• Heartbeat indicator determines traffic restriction based on endpoint health status (RED, YELLOW, or GREEN).
• First rule indicator is YELLOW, blocking devices with a RED heartbeat status.
• Second rule indicator is GREEN, blocking devices with RED or YELLOW heartbeat status.
• Indicators block clients with missing heartbeats—a device that stopped sending heartbeat.
• Indicator with a plus sign means heartbeat is mandatory.
• Indicators apply only to source-based heartbeat rules.

Deploying Security Heartbeat

• Deploying Security Heartbeat involves considering how the technology works and using a conservative configuration.
• Employing firewall rules with high priority, and sparingly using the option to block clients with no heartbeat are good strategies.
• Reviewing current health status of the network.
• Determining the appropriate health status criteria (e.g., source, destination).
• Ensuring all devices can create heartbeats with the Sophos Firewall.
• Controlling access for compromised/infected computers from connecting to other network segments.
• Using managed switches to route inter-VLAN traffic via the Sophos Firewall to protect devices in different network segments (applicable to network connected users).
• Using bridge mode for installing firewall inline with existing firewalls.
• Using Discover Mode (TAP Mode), enabling the Sophos Firewall to connect to SPAN port on a switch if routing is done in an existing firewall solution (applicable for wireless users).

Security Heartbeat Status

• Sophos Firewall Control Center shows devices' heartbeat statuses (e.g., GREEN, YELLOW, RED) for various computers.
• This allows monitoring of network devices' health status, including computer hostname, IP address, and user status.

Active Source Identification

• Detects advanced attacks of unknown source.
• Sophos Firewall asks the targeted computer for information on the source of the attack.
• Compromised computer sends details like hostname, IP address, logged-in user, and process name to assist with attack identification.

Heartbeat Detections

• Heartbeat detections are prefixed with "C2/Generic", which includes various detection types.
• C2/Generic-A detects malicious traffic from an endpoint to a known C&C server, or a computer performing a DNS lookup for a known C&C server.
• C2/Generic-B is a detection where the endpoint agent detects process attempting connection to a known C&C server.
• C2/Generic-C is a detection reported on the computer where Sophos Firewall detected a C2/Generic-A threat.