Appliance hardening
This page describes the security hardening measures we take to protect Sophos integration appliances.
Currently, integration appliances use Canonical Ubuntu Server 20.04 LTS as the base OS image.
Security is a top priority for us. We follow NIST SP 800-123 and apply the relevant controls to our NDR product. The following controls are included:
- Patching and upgrading
- Removing or turning off unnecessary services, applications, and network protocols
- Configuring OS user authentication
- Logging security-related events
Disk encryption isn't needed because we don't store any Personally Identifiable Information (PII).
Backup isn't needed because we only store 24 hours of flow data, not packet data, for reporting purposes.
Authentication
Each appliance has an admin user for management tasks. This user is managed through Sophos Central, and we don't store the password.
If the appliance is connected to Sophos Central, a Sophos Central user with the appropriate permissions can reset the admin user's password.
Communication with Sophos Central
All communication with the Sophos Central cloud environment uses HTTPS and TLS 1.2 or 1.3, depending on the service.
Appliance Manager
Appliance Manager uses a self-signed certificate and HTTPS. The self-signed certificate is generated on each appliance during the first startup, and TLS 1.2 and 1.3 are supported. You can sign in to Appliance Manager using the same sign-in credentials that were generated through Sophos Central.
Log collector integrations
The integration appliance can host a syslog event collector when configured to do so. Syslog collection uses a customer-assigned port and is not protected by TLS.
Identity Attack Surface Management (IASM)
All communications with Tenable are over TLS 1.2.
Penetration testing
The Sophos application security team performs at least one penetration test on the appliance each year. We address all critical and high-severity issues found within 30 days. The integration appliance is also part of the Sophos bug bounty program.