Sophos XG Firewall (v17.5): Lateral Movement Protection

In a large organization there are many computers on the internal network. If any one of them is compromised, any communication between that computer and the others, such as a file transfer, carries a high risk of spreading the threat across the entire network; if the threat reaches an internal server, the situation becomes even worse. To prevent a threat from spreading further through the network, we have introduced a new feature called lateral movement prevention, or Endpoint Stonewalling. Once a threat is detected on an endpoint, the Sophos Endpoint software installed on that computer changes its heartbeat status to red. The XG Firewall then blacklists the computer's MAC address and shares that blacklist with the other computers on the same network, so they will no longer communicate with the compromised computer.

The prerequisites for lateral movement protection are:

- A Sophos Central account with a valid Intercept X or Central Endpoint license
- A Sophos XG Firewall running firmware version 17.5 GA and registered in the same Central account

The supported operating systems are Windows 8 and Windows 10 for now.

Lateral movement prevention is configured in Sophos Central:

1. Log in to your Sophos Central account.
2. Navigate to Global Settings -> Endpoint Protection -> Reject Network Connections.
3. Enable the option to allow computers to reject connections from computers with red health.

This is the network we will use for this example. There are two computers behind a Sophos XG Firewall: Computer 1 has the IP address 192.168.16.30 and Computer 2 has the IP address 192.168.16.20. As you can see, Computer 1 can communicate with Computer 2 and vice versa, because both computers currently have a green health status.

To demonstrate lateral movement protection, I have a sample VBS file on Computer 2 which, when executed, generates an attack. When I open this file, an alert appears in the bottom right corner stating that C2/Generic B malicious traffic has been detected, and an event is also generated for this detection. Now you can see that the ping from Computer 2 to Computer 1 has stopped, and the reverse is also true. You can also view the alert on the Sophos XG dashboard, stating that Computer 2, with the IP 192.168.16.20, has a red health status. An alert is also generated in Sophos Central, since the Sophos XG Firewall is integrated with this Sophos Central account.

This is how we can stop a threat from spreading within the same network, by preventing the uninfected computer from communicating with the compromised computer.
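The heartbeat-to-blacklist flow described above, as an added Python model that is not Sophos code: the computer names and IPs come from the page, while the MAC addresses, class names and message handling are assumptions. It shows why the blacklist is pushed down to the endpoints rather than kept only on the firewall: the two computers share a subnet, so their traffic never crosses the XG and must be rejected by the peer itself.

```python
"""Constructed model of Endpoint Stonewalling (not Sophos's implementation)."""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    ip: str
    mac: str                       # assumed value; Layer-2 identity used for blocking
    health: str = "green"          # heartbeat colour last reported to the firewall
    blocked_macs: set = field(default_factory=set)  # list pushed by the firewall

    def accepts_from(self, peer: "Endpoint") -> bool:
        # Enforcement happens on the endpoint, keyed by MAC, so it also covers
        # same-subnet traffic that the firewall never sees.
        return peer.mac not in self.blocked_macs


class Firewall:
    """Receives heartbeats, keeps the MAC blacklist, distributes it to endpoints."""

    def __init__(self) -> None:
        self.endpoints: dict = {}
        self.blacklist: set = set()

    def register(self, ep: Endpoint) -> None:
        self.endpoints[ep.mac] = ep

    def heartbeat(self, ep: Endpoint, health: str) -> None:
        ep.health = health
        if health == "red":
            self.blacklist.add(ep.mac)
        # Share the current list with every registered computer on the network.
        for other in self.endpoints.values():
            other.blocked_macs = set(self.blacklist)


def can_talk(a: Endpoint, b: Endpoint) -> bool:
    # A connection needs both directions: b must accept a, and a must accept b's replies.
    return b.accepts_from(a) and a.accepts_from(b)


def demo() -> tuple:
    fw = Firewall()
    c1 = Endpoint("Computer 1", "192.168.16.30", "00:11:22:33:44:01")  # MAC assumed
    c2 = Endpoint("Computer 2", "192.168.16.20", "00:11:22:33:44:02")  # MAC assumed
    fw.register(c1)
    fw.register(c2)
    before = can_talk(c1, c2)          # both green: traffic flows
    fw.heartbeat(c2, "red")            # malware detected on Computer 2
    after = can_talk(c2, c1)           # blocked in both directions
    return before, after, c1.blocked_macs
```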
