The Challenge
- Firewall 18 months past end-of-life, running firmware that could no longer be patched
- Flat network where guest Wi-Fi, VoIP, and business systems shared one broadcast domain
- Remote-access VPN with no MFA and a password policy from 2014
- No central visibility when a workstation showed signs of compromise
Assessment
- Reviewed firewall logs, rules, and VPN usage patterns
- Mapped existing VLAN structure (effectively none) and switch port assignments
- Reviewed endpoint protection coverage and identified unmanaged devices
- Modelled licensing for Sophos XGS with Xstream subscription and Sophos Intercept X
The Solution
- Sized and deployed a Sophos XGS appliance with a documented rule set
- Implemented segmented VLANs for staff, VoIP, IoT, guest Wi-Fi, and management
- Replaced legacy VPN with Sophos Connect + MFA via Microsoft 365
- Rolled out Sophos Intercept X to every endpoint with Synchronized Security enabled
- Documented the design, including network diagrams and change-control procedures
- Established a quarterly firewall health and rule-review cadence
Results
of remote-access sessions now MFA-protected
isolated VLANs replacing one flat broadcast domain
of compromised endpoints via Synchronized Security
documented firewall and rule reviews ongoing
Technologies Used
- Sophos XGS Firewall
- Sophos Central
- Sophos Intercept X
- Microsoft 365 MFA
- Managed Switching
