Facilitating remote working with Sophos XG Firewall
As organizations look to keep their workforce connected and productive, the ability for employees to work from home or any other location has become critical. While coronavirus (COVID-19) is driving the current increase in remote working, long commute times, severe weather and the need for greater flexibility are just some of the other reasons companies are looking at alternatives to working in an office.
Sophos XG Firewall and SD-RED devices provide businesses, schools, hospitals and other organizations with multiple solutions for secure remote connectivity. Employees can have access to applications, email and resources on the network from their own home, just as if they were onsite. And you can keep them safe with features like web filtering, which controls access to websites containing harmful and inappropriate content. Here’s how:
XG Firewall and Connect client
If you own an XG Firewall (hardware or virtual appliance), you have a perpetual Base license that includes both IPsec and SSL VPN connectivity. You can choose either or both to provide your remote workers with access to the corporate network.
IPsec-based remote access is set up through the Sophos Connect client on XG Firewalls running v17.5 or newer firmware. Connect client is focused on ease of use and reliability to ensure an extremely positive user experience. Just select your desired network or office and click “Connect” to establish an encrypted VPN tunnel that secures the transmission of traffic (data, applications, etc.) between the firewall and remote device. On the client side, the remote device uses free Connect client software for either Windows or macOS to create the VPN connection.
SD-RED
An alternative solution for connectivity from home is Sophos SD-RED. These low-cost Remote Ethernet Devices create a secure Layer 2 VPN tunnel to a central XG Firewall. SD-RED makes a great remote access solution for connecting remote sites, as well as for individual employees who deal with particularly sensitive information, such as executives.
No technical expertise is needed to connect the device. Simply note the device ID in your XG Firewall and ship it to the employee. As soon as it’s plugged in and connected to the internet, the SD-RED appliance contacts your XG Firewall and establishes a secure dedicated VPN tunnel. You can connect to the device directly or wirelessly through a Sophos APX wireless access point.
IPsec or SSL VPN: Which remote access solution is right for me?
With both IPsec and SSL VPN options available to you in XG Firewall, how do you choose the one that’s right for you? Here are some points to consider when evaluating your environment:
IPsec VPN – Sophos Connect client
Strengths:
- Easy for administrators to bulk deploy and provision
- Intuitive to use
- Consistent performance
- Windows and macOS support
Challenges:
- IPsec occasionally blocked on hotel/public hotspot networks
- No automated user group provisioning
- Currently limited to 255 simultaneous connections
SSL VPN
Strengths:
- Provision access by user groups
- Works in more restricted environments
Challenges:
- Agent deployment geared to end user self-installation
- User action required to deploy VPN policies
- Windows-only support
Resources
Sophos has a series of tools to help you learn more about configuring IPsec and SSL VPN connections for secure remote access using your XG Firewall:
- XG Firewall: Useful links for configuring VPN remote access – Community article
- Using Sophos Connect VPN client – Community article
- XG Firewall: Sophos Connect client – Knowledge Base article
- Sophos Connect client – User Assistance article
- Sophos Connect VPN client – Video
- XG Firewall: How to deploy Sophos Connect via Group Policy Object (GPO) – Knowledge Base article
- XG Firewall: How to configure SSL VPN remote access – Knowledge Base article and video
- XG Firewall: Licensing guide – Knowledge Base article
- XG Firewall: Performance testing methodology – Knowledge Base article
Securing remote connections
With sensitive information travelling back and forth between the firewall and remote devices over the internet, ensuring the traffic is secured from threats is critical. If your XG Firewall has a TotalProtect Plus or FullGuard Plus license, traffic is scanned for ransomware, viruses, intrusions, and other threats in both directions, providing comprehensive protection.
Extend your protection with Synchronized Security
When your remote device has an active Sophos Intercept X license, it can share real-time threat, health and security information with XG Firewall via the Security Heartbeat™. If a remote device becomes infected, XG Firewall isolates the device until it is cleaned, preventing the infection from moving laterally to other devices on the network.
Stay home, stay connected
Whatever the reason your workforce is at home, you can help them stay connected with your XG Firewall. Check out the resources in this article, and for more information, speak with your local Sophos sales team. Stay tuned for enhancements to Connect client in an upcoming XG Firewall v18 maintenance release.