Azure Sophos

Posted on  by admin

Businesses move to the Public Cloud for a variety of reasons, whether it’s flexibility, the ability to customize, or lower costs. That’s why Sophos XG Firewall has been available through the Microsoft Azure Marketplace for some time, offering pay-as-you-go (PAYG) and bring-your-own-license (BYOL) options, providing industry leading price-performance, and the ultimate in flexibility.

  1. Azure Sophos Xg Pricing
  2. Azure Sophos Download
  3. Sophos Central

Best value in price-performance on Azure

Sophos offers two pricing options for XG Firewall on Azure: pay-as-you-go and bring-your-own-license. PAYG allows you to pay only what you use, with no minimum commitment and stop at any time. BYOL allows you to use your existing investment in XG Firewall. Azure Firewall is rated 7.4, while Sophos XG is rated 8.0. The top reviewer of Azure Firewall writes 'Easy to set up, good integration, and the technical support is good'. On the other hand, the top reviewer of Sophos XG writes 'Light and stable with excellent real-time control '.

XG Firewall for PAYG delivers all features and functionality of XG Firewall on Azure (FullGuard License), including Network Protection, Web Protection, Email, and Web Server Protection modules ­– already installed and ready to go. And we’re pleased to announce we recently updated the template package for our Azure Marketplace offer of XG Firewall.

New PAYG pricing and recommended VM performance tiers

You now have complete flexibility to select any virtual machine series* for your XG Firewall, allowing you to fine-tune your virtual machine selection and compute costs to meet your exact requirements. Plus, our recommended Fsv2-series has been chosen to provide the best value in price-performance in the Azure portfolio based on the Azure Compute Unit (ACU) per vCPU.

Azure Sophos Xg Pricing

Recommended VM sizesPerformancePrice per hour**
Standard_F2s_v2Dev/Test (<50 users)$0.575
Standard_F4s_v2Small (50-200 users)$1.15
Standard_F8s_v2Medium (200-4000 users)$2.30
Standard_F16s_v2Large (400-1500 users)$4.60
Standard_F32s_v2Extra Large (1500 – 5000 users)$9.20
Standard_F64s_v2Enterprise (5000+ users)$18.40

*Virtual machine series exceptions A0, A1, B1 and B1ms
** Prices listed are in U.S. dollars. You can find pricing in your local currency by using the Azure Pricing Calculator

In the same update, your current PAYG pricing for new and existing XG Firewall Azure VMs may change dependent on the country where you purchase Azure services. From March 10, 2020 Sophos will use standardized currency exchange rates to localize your pricing based on the U.S. dollar pricing in the table above. This will not affect services currently payed for in US Dollars. Microsoft will notify you of any changes to pricing affecting your bill prior to the correction.

Now sell XG Firewall in more regions than ever

Providing our partners with greater flexibility will also extend to licensing in this update, with two major improvements to PAYG and BYOL options.

PAYG is now available in 12 additional regions:

  • Armenia
  • Belarus
  • Brazil
  • Croatia
  • Monaco
  • Russia
  • Saudi Arabia
  • Serbia
  • South Africa
  • South Korea
  • Turkey
  • United Arab Emirates

BYOL availability grows from 90, to all 141 Azure enabled countries – a huge expansion to help you become more competitive than ever selling Sophos XG Firewall on Azure. See all 51 new countries below:

  • Afghanistan
  • Albania
  • Andorra
  • Angola
  • Armenia
  • Azerbaijan
  • Bangladesh
  • Barbados
  • Belize
  • Bermuda
  • Bolivia
  • Bosnia and Herzegovina
  • Botswana
  • Brunei
  • Cabo Verde
  • Cameroon
  • Cayman Island
  • Côte d’Ivoire
  • Curaçao
  • Ethiopia
  • Faroe Islands
  • Fiji
  • Georgia
  • Honduras
  • Iraq
  • Jamaica
  • Kyrgyzstan
  • Lebanon
  • Libya
  • Macao SAR
  • Mauritius
  • Moldova
  • Mongolia
  • Namibia
  • Nepal
  • Nicaragua
  • Palestinian Authority
  • Rwanda
  • Saint Kitts and Nevis
  • Senegal
  • Tajikistan
  • Tanzania
  • Turkmenistan
  • Uganda
  • Uzbekistan
  • Vatican City
  • Vietnam
  • Virgin Islands of the United States
  • Yemen
  • Zambia
  • Zimbabwe

We hope this important update enables you to be more competitive as a Sophos Partner, and provide a service that meets the exact requirements of your customers’ who have already moved or are planning to move to Microsoft Azure.

Remember when as a server operator all you had to worry about were people scanning for open ports and then stealing secrets via telnet shells? Those were the days, eh?

Things got a lot more complicated when the cloud got popular. Now, hackers are gaining access to cloud-based systems via the web, and they’re using them to mine for cryptocurrency. Microsoft just found a campaign that exploits Kubernetes to install cryptomining software in its Azure cloud. That could generate some mad coin for attackers – and cost legitimate cloud users dear.

Software containers are small collections of software that run in isolation from each other, making it easier for lots of them to coexist on the same system. Kubernetes is an open source project that lets administrators manage software containers en masse, and it runs in cloud infrastructures like Microsoft’s Azure. Kubeflow is an open source framework that implements Tensorflow on top of Kubernetes, and Tensorflow is a system originally developed by Google for training AI systems.

AI training jobs need lots of computing power, so they generally use graphical processing units (GPUs), which can chew through floating point calculations very quickly. That’s great for mining some cryptocurrencies that use proof of work algorithms. They too rely on lots of computing power. While GPUs aren’t appropriate for mining all proof of work-based cryptocurrencies, they’re great for some like Monero and (for the time being until a long-planned algorithmic changeover kicks in) Ethereum.

The Azure Security Center found a malicious container running as part of a Kubeflow implementation. The container was running a cryptominer to use the same computing power that Kubeflow was using to train AI. Sneaky. So how did it get there?

As is often the case, user misconfiguration was the culprit. Kubernetes uses something called Istio, which is a framework to connect container-based software services. Kubeflow uses Istio to expose an administrative dashboard. For security, it uses something called Istio-ingressgateway to do this. That service is only accessible internally, and this is key, because the only way to access it is via port-forwarding over the Kubernetes API.

Azure SophosSophos

Azure Sophos Download

That should make the management interface for Kubeflow secure, but some admins apparently modified Istio to make Istio-ingressgateway directly accessible from the public internet. That’s convenient, but not a good idea from a security perspective because it means attackers can see the management interface from the public internet. From there, they could manipulate the system to install their malicious container on the Kubernetes system.

Sophos Central

This isn’t the first time that people have hacked Kubernetes or used it to mine for cryptocurrency. Someone pwned a Tesla Kubernetes Amazon Web Services deployment in 2018, exploiting an administrative console that wasn’t password protected and then installing a miner on the system.

More recently in April this year, Microsoft identified a large-scale attack in which the attacker installed tens of malicious pods (collections of containers) on tens of clusters (groups of machines running containers).

Earlier this month, Sophos also documented a cryptomining campaign called Kingminer that attacked servers using exploits including brute forcing RDP, the mechanism used to access Windows machines remotely.