
Sophos Firewall: AWS: Overview and FAQ

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Special thanks to !


Sophos Firewall on AWS Overview

The Sophos Next Generation Firewall for AWS brings innovative architecture and security services for customers who wish to add additional layers of security to help protect their AWS VPCs. The Sophos Firewall on AWS is based upon the new v18 Sophos Firewall Operating System, which integrates multiple leading security technologies into a single solution, reducing costs and simplifying your security architecture. Sophos Firewall is a virtualized security appliance that runs on an Amazon EC2 instance and deploys inline into an Amazon Virtual Private Cloud (VPC) to scan traffic entering and/or leaving the VPC.

Do I need security solutions beyond what AWS provides?

AWS espouses a shared responsibility model, so it is important to understand the difference between security measures AWS implements and manages versus security measures you must implement and manage. In a nutshell, while AWS actively manages the security of its cloud, you retain responsibility for managing and maintaining the security of your applications and data in the AWS cloud. You can learn more by visiting the AWS Shared Responsibility page.

Why use a third-party security solution when I can use AWS Security Groups and/or Network Access Control Lists to protect my AWS workloads?

AWS Security Groups and Network Access Control Lists (NACLs) act as local firewalls for your hosts and VPC subnets. As basic, stateful and stateless packet filters respectively, they don’t perform deep packet inspection to identify malware or intrusion attempts, nor do they provide the granular control needed to properly protect user or application traffic. Sophos Firewall augments these local firewall services by providing additional security features such as IPS, Web Filtering, Web Application Firewall, VPN gateway, and Sophos Synchronized Security.

What is Sophos Synchronized Security?

The AWS Shared Responsibility Model highlights the recommendation to secure not only the perimeter of your AWS Virtual Private Cloud (VPC) but also the protection of your AWS EC2 instances with a host-based security solution to guard against potential malicious activity. Sophos Synchronized Security addresses this key Shared Responsibility with an integrated security approach. When deploying Sophos Intercept X advanced security agents and Sophos Firewall, you have a solution to guard against a compromised system becoming the entryway for further malicious activity. The Sophos Firewall will prevent a compromised AWS EC2 instance with Sophos Intercept X Advanced from communicating with other AWS EC2 instances or sending traffic to the internet.

How is Sophos Firewall on AWS different than the Sophos Firewall that can be run on-premises or in local Virtual environments?

Sophos Firewall on AWS offers the same features and benefits as Sophos Firewall running on-premises but has been optimized to easily deploy and run in the AWS cloud. Sophos Firewall on AWS now supports High Availability. Sophos Firewall on AWS also supports additional purchasing options, as described below.

Sophos Firewall on AWS Licensing Options

Sophos Firewall on AWS is available via the AWS Marketplace and can be purchased using standard channels or directly from the AWS Marketplace. Software licenses purchased from a Sophos reseller and used in AWS are called Bring Your Own License (BYOL). When Sophos Firewall is purchased directly from the AWS Marketplace, it’s called Pay As You Go (PAYG).

BYOL

Customers wishing to purchase and use traditional term software licenses may use the Sophos partner network. Sophos Firewall software licenses offer a variety of bundles, subscriptions, and support options, as described in the Sophos Firewall licensing guide.

Customers bringing their own Sophos Firewall license for use in AWS do not pay AWS Marketplace software charges but are still billed by AWS for the EC2 Instance used to run the Sophos Firewall software. Please see the Sophos Firewall on AWS BYOL listing page for more details. Sophos Firewall software licenses are provided in a variety of CPU/RAM combinations, which can then be mapped to a supported EC2 Instance, as shown below.

Supported EC2 Instance Types

EC2 Instance Type   CPU/RAM                  Network Throughput             Suggested Sophos License
t2.medium           2 vCPU, 4 GB memory      Low to Moderate                SFv2C4
m3.large            2 vCPU, 7 GB memory      Moderate                       SFv2C4
m3.xlarge           4 vCPU, 15 GB memory     High                           SFv4C6
m3.2xlarge          8 vCPU, 30 GB memory     High                           SFv8C16
m4.large            2 vCPU, 8 GB memory      Moderate                       SFv2C4
m4.xlarge           4 vCPU, 16 GB memory     High                           SFv4C6
m4.2xlarge          8 vCPU, 32 GB memory     High                           SFv8C16
c3.xlarge           4 vCPU, 7.5 GB memory    Moderate                       SFv4C6
c3.2xlarge          8 vCPU, 15 GB memory     High                           SFv8C16
c3.4xlarge          16 vCPU, 30 GB memory    High                           SFv16C24
c3.8xlarge          32 vCPU, 60 GB memory    Very High (10 Gig Ethernet)    SFvUNL
c4.large            2 vCPU, 3.75 GB memory   Moderate                       SFv2C4
c4.xlarge           4 vCPU, 7.5 GB memory    High                           SFv4C6
c4.2xlarge          8 vCPU, 15 GB memory     High                           SFv8C16
c4.4xlarge          16 vCPU, 30 GB memory    High                           SFv16C24
c4.8xlarge          36 vCPU, 60 GB memory    Very High (10 Gig Ethernet)    SFvUNL

PAYG

Customers who don’t wish to purchase a traditional term license, or who want to purchase directly from AWS, can use the Pay As You Go (PAYG) licensing option. This method provides all Sophos Firewall functionality (FullGuard) for an additional hourly software charge, which is billed together with the cost of the EC2 instance used to run Sophos Firewall. Customers using this option will see this additional charge on their monthly AWS bill and can stop the charges at any time by removing Sophos Firewall instances from their AWS account. Sophos also supports the AWS Private Offers program, which allows customers and partners to negotiate custom pricing and terms. Please contact your Sophos sales rep for more information.

Are Sophos Firewall free trials available for AWS?

Yes, the PAYG and BYOL licensing options allow Sophos Firewall free trials. PAYG trials are provided directly from AWS Marketplace and are available for 30 days. After the first month, AWS will automatically start charging customers for any Sophos Firewall PAYG usage incurred. BYOL customers can either get a trial license from the Sophos free trial link or start a trial during their initial configuration.

Can I migrate my Sophos UTM license to the Sophos Firewall?

Yes, Sophos UTM production licenses can be converted to a Sophos Firewall license as detailed in this KB: https://community.sophos.com/kb/en-us/124588

Can I use an existing Sophos Firewall license for a new Sophos Firewall on AWS?

Sophos Firewall license transfers are only supported under certain circumstances, as described in the License transfer knowledge base article.

Are there any prerequisites to deploy the Sophos Firewall on AWS?

Yes, for both BYOL and PAYG Sophos Firewall on AWS deployments, the first step is to accept the AWS Marketplace software terms and subscribe to the software. This is done via the Sophos Firewall on AWS listing pages.

Related Info

Also, check out Sophos Firewall on AWS: How to Deploy
