Sophos Switches with Synchronized Security
In case anyone up high at Sophos is listening, how about this idea: Sophos is already in the firewall and AP business. Now we just need switches managed through Sophos Central with Sophos Synchronized Security added.
Ports to infected endpoints could be shut down when the XG or the endpoint sees a device in an unhealthy state.
There would be better visibility with Synchronized Applications, seeing traffic that the firewall can't see.
Partners could offer a complete "Network in a box" solution for every point of endpoint connectivity, whether wired or wireless!
Your approach is basically using the 802.1X standard. Cisco did this with their NAC product, which was the predecessor to ISE.
Good points. But I would argue that Sophos has focus, but not in the way you're thinking of it. Sophos' focus is on security. With its varied products providing endpoint protection, email protection, encryption management, phish training, wireless protection and management, I don't think you can say that Sophos has product focus, but instead is focused on managing all aspects of network security. Adding one more layer to the mix, with a single pane of glass to manage, a holistic approach to security, and controlling each entry to the network or device is a win-win in my opinion.
You make a good point about the value of detection and enforcement at switch level.
I'm not sure Sophos expanding their focus from the core endpoint / boundary enforcement into switching would be a good move, though. I think Sophos' strength is that it has product focus; it hasn't gone down the route some vendors have, e.g. the "Forti-everything" approach.
Looking at methods of integrating Sophos protections from Central endpoint / XG with existing best-of-breed switches might be a better approach. The APIs for XG and Central could already be used with vendor-agnostic switch management software suites to achieve this.
API says endpoint health has gone red, API knows endpoint IP and MAC, switch management integration to API picks up the change, identifies access port by MAC, applies ACL to port to restrict traffic only to the XG, XG restricts communication only to Sophos to support EDR / endpoint recovery.
Cisco are trying to do something similar as an ecosystem with their ISE product.
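The enforcement flow in the reply above (health goes red, locate the access port by MAC, restrict the port to the XG), written out as an added example that is not Sophos, Cisco or any vendor's code. The event shape, the MAC-address table, the firewall address and the ACL syntax are all constructed for illustration; a real integration would read them from the Central/XG APIs and the switch.

```python
import re
from dataclasses import dataclass
from typing import Optional

XG_IP = "10.0.0.1"  # assumed firewall address (constructed)

@dataclass(frozen=True)
class HealthEvent:
    """Endpoint health change as it might arrive from a Central-style API (hypothetical shape)."""
    hostname: str
    ip: str
    mac: str
    health: str  # e.g. "green" or "red"

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def find_access_port(mac: str, mac_table: dict) -> Optional[tuple]:
    """mac_table maps (switch, port) -> MACs learned on that port.
    The port is returned only when the MAC is the sole address on it: a port
    carrying several MACs is likely an uplink or an AP, and an ACL there
    would cut off healthy devices as well."""
    wanted = normalize_mac(mac)
    for (switch, port), macs in mac_table.items():
        learned = [normalize_mac(m) for m in macs]
        if wanted in learned:
            return (switch, port) if len(learned) == 1 else None
    return None

def quarantine_acl(endpoint_ip: str, xg_ip: str) -> list:
    """Inbound ACL for the access port: only traffic to the firewall passes, so
    EDR / recovery via the XG still works while everything else is blocked."""
    return [f"permit ip host {endpoint_ip} host {xg_ip}", "deny ip any any"]

def handle_event(event: HealthEvent, mac_table: dict, xg_ip: str = XG_IP) -> Optional[dict]:
    """Return the enforcement action for a red event, or None when nothing should be applied."""
    if event.health != "red":
        return None
    located = find_access_port(event.mac, mac_table)
    if located is None:
        return None  # unknown or shared port: hand to a human rather than guess
    switch, port = located
    return {"switch": switch, "port": port, "acl": quarantine_acl(event.ip, xg_ip)}

# Constructed MAC address table for two ports on one access switch.
SAMPLE_MAC_TABLE = {
    ("sw-access-01", "Gi1/0/12"): ["0011.2233.4455"],
    ("sw-access-01", "Gi1/0/24"): ["00:11:22:33:44:66", "00:11:22:33:44:77"],  # uplink
}
```

Note that a stale MAC table entry would quarantine the wrong port, so the lookup should be refreshed at event time rather than cached.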