Move over, TMG!
Replacing TMG with Sophos UTM
Christoph Litzbach, Pre-Sales Engineer NSG

Key Features of TMG
Secure Web Access: HTTP Antivirus/spyware; URL Filtering; HTTPS forward inspection; Web Caching; Role based access
Firewall: Stateful firewall; VoIP traversal (SIP); Enhanced network address translation (NAT); ISP Link Redundancy; Client authentication (through FW client)
E-mail Protection: Exchange Edge/FSE integration; Antivirus; Anti-spam
Intrusion Prevention: Network Inspection System (NIS); Signature based IDS
Remote Access: Secure web publishing; VPN technology (IPSEC, L2TP, PPTP, SSTP); Network Access Protection (NAP) integration with VPN role
Deployment and Management: Scenario UI and wizards; Change tracking + reporting; Built-in NLB and failover; Windows Server 2008 or R2, native 64-bit; Hyper-V and VMware; SQL logging
Subscription Services: Web Protection (URL Filtering; Anti malware); Email Protection* (E-mail AV; Anti-spam)

Key Features of Sophos UTM
NGFW
Wireless Protection: Wireless Controller for Sophos Access Points; Multi-SSID Support; Captive Portal & Ticketing System
Endpoint Protection: Device Control; AntiVirus; Web Control (optional)
Essential Firewall: Stateful Firewall; Network Address Translation; PPTP/L2TP Remote Access
Network Protection: IPS with MAPP & LiveLabs; IPSec/SSL/RED VPN; WAN Link Balancing; SSL Portal (HTML5); Adv. Threat Protection (ATP)
Web Server Protection: Reverse Proxy; Web Application Firewall; Dual Virus Protection
Mail Protection (optional): Anti-Spam & Phishing; Dual Virus Protection; E-Mail Encryption; Data Loss Prevention (DLP)
Web Protection: URL-Filter; Dual Virus Protection; Anti-Spyware; Application Control

Let's compare!

Network firewall
Feature comparison: Stateful packet inspection; H.323 traversal support (among others); Advanced NAT (SNAT, DNAT, 1:1 NAT, Full NAT, Masquerade); Client VPN with Windows Remote Access (PPTP and L2TP)
Features gained: IPv6 support (not supported in TMG); Amazon Virtual Private Cloud Connector; Two-factor authentication with one-time password solution
TMG features shown in the slide graphic:
Firewall: Stateful firewall; VoIP traversal (SIP); Enhanced network address translation (NAT)
Remote Access: VPN technology (PPTP, L2TP)

Network protection
Feature comparison: Intrusion prevention system; VPN (site-to-site and client) IPSec, SSL, PPTP and L2TP; WAN link balancing; Client authentication (with AD SSO, LDAP, RADIUS and eDirectory); Client authentication through SAA application; Flexible load balancing and failover
Features gained: HTML 5 VPN portal; Advanced Threat Protection; Botnet/command-and-control detection; Cloud-based selective sandbox (requires Web Protection)
TMG features shown in the slide graphic:
Firewall: ISP Link Redundancy; Client authentication (through FW client)
Intrusion Prevention: Network Inspection System (NIS); Signature based IDS
Remote Access: VPN technology (IPSEC, L2TP, PPTP, SSTP)
Deployment and Management: Built-in NLB and failover

Web protection
Feature comparison: Gateway anti malware; URL Filtering; Web application control; User & group based access; Interactive usage and user reporting; Policy test tool for quick troubleshooting
Features gained: Integration for Sophos Enterprise Console managed clients; Transparent user authentication with SSO for AD; Device-specific authentication
TMG features shown in the slide graphic:
Secure Web Access: HTTP Antivirus/spyware; URL Filtering; HTTPS forward inspection; Web Caching; Role based access
Deployment and Management: Change tracking + reporting; SQL logging and SNMP

Email protection
Feature comparison: Filter spam and stop malware
Features gained: Let users manage their own quarantined items; Detects phishing URLs in emails; Supports S/MIME and OpenPGP for encryption; Simple SPX encryption requiring no infrastructure; DLP for automatic policy-based encryption
TMG features shown in the slide graphic:
E-mail Protection: Exchange Edge/FSE integration; Antivirus; Anti-spam

Web Server Protection
Feature comparison: Web application firewall; Reverse proxy authentication (offloading and passthrough); Anti malware scanning; Cookie protection
Features gained: Form hardening; URL hardening
TMG features shown in the slide graphic:
Remote Access: Secure web publishing

Functionality unique to UTM

Wireless Protection
Easy central configuration for secure WiFi
Central management; Plug & play deployment; Connect access points anywhere; Easy hotspot configuration with full customization; Wireless repeating and bridging (AP50); Fully customizable login pages and vouchers; Support for backend authentication; Support for two-factor authentication

Endpoint protection
Stop threats wherever users are and however they connect
Endpoint anti-malware; Live protection; Device control; Manage anywhere through our LiveConnect service; Integration of Sophos Enterprise Console managed endpoints; Existing Endpoint customers can use the UTM for Web policy; Allows larger deployments than UTM integrated Endpoint; Admin alerts upon infection for UTM Endpoint clients

Web in Endpoint
Safer surfing with increased web security and control
Consistent protection everywhere: Combines Gateway, Endpoint and Cloud; Web in Endpoint: set policy once to apply everywhere; On or off the network, it doesn't matter
Instant insight and visibility: See user activity no matter where they are; Activity from offsite endpoints is instantly available
No extra cost: With the following subscriptions: UTM Endpoint Protection, UTM Web Protection; Or add to an existing Sophos Endpoint deployment

Sophos RED
Simple, plug & play branch office security
Securely connect remote locations; Completely configuration free; Same protection for all offices; Fully encrypted traffic

Summary

Sophos UTM vs Microsoft TMG
A complete TMG replacement

| TMG | UTM adds even more |
|---|---|
| Hyper-V Support | More deployment choices (HW, SW, VM, Cloud) |
| Firewall (stateful packet filtering) | Advanced Routing, Country Blocking |
| IPS | 11,000 IPS attack patterns |
| Exchange anti-spam, anti-malware | Live Protection User Portal Quarantine, Email encryption |
| Redundancy | WAN redundancy & load balancing |
| Logging/Reporting | Customizable reports, Drill-down, and more |
| Client VPNs (PPTP/L2TP) | Added flexibility (SSL, HTML5) |
| Site-to-Site VPNs (IPSEC) | Broader VPN Support, Amazon VPC, RED |
| URL Filtering | Reputation filtering, Customizable categories |
| Content Scanning | Real-time App Control |
| Malware Scanning | Dual Engine, Backed by Sophos Labs |
| HTTPS Scanning | HTTPS Scanning in Transparent Mode |
| User Authentication | Added flexibility, Transparent Mode |
| Reverse Proxy | WAF with server hardening |
| Reverse Proxy SSL Offloading | Included feature of WAF |
| Reverse Proxy Authentication | Included in 9.2 |

What about the others?

Other TMG replacements
How the competitors stack up against UTM
Of all the UTM vendors, Sophos is the only one to include WAF and Reverse Proxy Authentication.
Amongst other vendors competing for TMG business, only Bluecoat offers the full feature set and they are expensive!

How long do I have left?

Well, that depends
End of sale: TMG - 1 December 2012; Web Protection - 1 December 2012
End of support: TMG - 14 April 2015; Web Protection - 31 December 2015
End of life: TMG & Web Protection - 14 April 2020

Sophos Ltd. All rights reserved.