Sophos adds differentiation with new Xstream architecture for XG Firewall

The new Sophos firewall architecture addresses a persistent problem with decryption engines: they add latency, which has encouraged admins to turn them off to avoid the performance hit.

Today, cybersecurity vendor Sophos is announcing the new version of its next-generation XG Firewall. It features a new “Xstream” architecture, which significantly improves Transport Layer Security [TLS] traffic decryption capabilities. The new XG Firewall also accelerates application performance, deepens integration with SophosLabs threat analysis, and improves firewall management and reporting capabilities.

Sophos originally moved into firewalls with its 2011 acquisition of Astaro, which made a unified threat management [UTM] product with firewall capability. That became the SG firewall line, and Sophos subsequently expanded into next-generation firewalls with its 2014 purchase of Cyberoam, although the XG firewall line has since been substantially rewritten by Sophos’s own engineers.

“We have had tremendous success with the XG firewall, which is now very close to our endpoint business in terms of revenues,” said Dan Schiappa, chief product officer at Sophos. “Synchronized security has been a big deal for us. It was a challenge to create app-specific firewall rules, but since we sit on the endpoint, we can share that information more granularly with the firewall.”

The new Xstream architecture that Sophos is now announcing for the XG Firewall extends its functionality with high-performance TLS traffic decryption and support for the TLS 1.3 standard.

“This is a watershed release for us,” Schiappa said. “For many years, we have had a very good firewall. Now it is a very differentiated firewall, because this version will be a big differentiator for us. With XG v19, we have introduced the ability to use TLS across all protocols and all standards. Most firewalls just support HTTP traffic. We now support all transport protocols. We think this is a broad differentiator, because it opens us up to see more traffic than competitors.”

Along with the enhanced firewall, Sophos announced the publication of a complementary SophosLabs report, “Nearly a Quarter of Malware now Communicates Using TLS.”

“This SophosLabs report indicates that 23% of malware is hidden inside transport protocols,” Schiappa said. “If you can’t see into that, all you see is an encrypted blob going by.”

Decryption products have been around for years, but the problem has been that they add latency, so admins typically turn them off. In another Sophos survey, of 3,100 IT managers in 12 countries, 82% of respondents agreed that TLS inspection is necessary, yet only 3.5% of organizations were decrypting their traffic to inspect it properly.

“The ability to provide workable encryption is a raw security benefit,” Schiappa stressed. Sophos says a new port-agnostic TLS engine doubles crypto-operation performance over previous XG versions.
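The “port-agnostic” point is the one worth seeing in code: a TLS session is recognisable from the first bytes of the flow, not from the port it runs on, and TLS 1.3 is only visible in the supported_versions extension, not in the record or legacy version fields. The following is an added example written for this article, not Sophos code and not a description of how the Xstream engine works internally. It parses a ClientHello by content, compares that verdict with a naive port-443 rule, and runs over constructed sample flows (the ClientHellos are built inline with zeroed randoms and two cipher suites; the ports, hostnames and payloads are all made up for the demo).

```python
"""Recognise TLS ClientHellos by content rather than by destination port (added example)."""
import struct
from typing import Optional

HANDSHAKE = 0x16                # TLS record content type: handshake
CLIENT_HELLO = 0x01             # handshake message type
EXT_SNI, EXT_ALPN, EXT_SUPPORTED_VERSIONS = 0x0000, 0x0010, 0x002B
TLS_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def _u16(b: bytes, i: int) -> int:
    return struct.unpack_from(">H", b, i)[0]


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Return {'version', 'sni', 'alpn'} if `data` starts with a TLS ClientHello, else None.

    Malformed or truncated input yields None rather than an exception, so this can be
    run safely over the first bytes of any flow regardless of port.
    """
    try:
        if len(data) < 5 or data[0] != HANDSHAKE or data[1] != 3:
            return None
        body = data[5:5 + _u16(data, 3)]
        if len(body) < 4 or body[0] != CLIENT_HELLO:
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        legacy_version = _u16(hs, 0)
        pos = 34                                  # legacy_version (2) + random (32)
        pos += 1 + hs[pos]                        # session_id
        pos += 2 + _u16(hs, pos)                  # cipher_suites
        pos += 1 + hs[pos]                        # compression_methods
        info = {"version": TLS_NAMES.get(legacy_version, hex(legacy_version)),
                "sni": None, "alpn": []}
        if pos + 2 > len(hs):                     # no extensions block at all
            return info
        end = pos + 2 + _u16(hs, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(hs, pos), _u16(hs, pos + 2)
            ext = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SNI and len(ext) >= 5 and ext[2] == 0:   # name_type host_name
                info["sni"] = ext[5:5 + _u16(ext, 3)].decode("ascii", "replace")
            elif ext_type == EXT_ALPN:
                i = 2                                                    # skip list length
                while i < len(ext):
                    info["alpn"].append(ext[i + 1:i + 1 + ext[i]].decode("ascii", "replace"))
                    i += 1 + ext[i]
            elif ext_type == EXT_SUPPORTED_VERSIONS and len(ext) >= 1:
                offered = [_u16(ext, i) for i in range(1, 1 + ext[0], 2)]
                if 0x0304 in offered:             # TLS 1.3 is signalled only here
                    info["version"] = "TLS1.3"
        return info
    except (struct.error, IndexError):
        return None


def build_client_hello(sni: str, tls13: bool, alpn=("h2", "http/1.1")) -> bytes:
    """Constructed sample input: a minimal ClientHello (zero random, two cipher suites)."""
    host = sni.encode()
    name = b"\x00" + struct.pack(">H", len(host)) + host
    exts = struct.pack(">HH", EXT_SNI, len(name) + 2) + struct.pack(">H", len(name)) + name
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    exts += struct.pack(">HH", EXT_ALPN, len(protos) + 2) + struct.pack(">H", len(protos)) + protos
    if tls13:
        vers = struct.pack(">HH", 0x0304, 0x0303)
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
    hs = (struct.pack(">H", 0x0303) + bytes(32) + b"\x00"          # legacy_version, random, session_id
          + struct.pack(">H", 4) + b"\x13\x01\xc0\x2f"             # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM
          + b"\x01\x00"                                            # compression: null only
          + struct.pack(">H", len(exts)) + exts)
    body = bytes([CLIENT_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE, 3, 1]) + struct.pack(">H", len(body)) + body


def classify_flows(flows):
    """flows: list of (dst_port, first_payload_bytes). Returns a port-based and a content-based verdict each."""
    results = []
    for port, payload in flows:
        hello = parse_client_hello(payload)
        results.append({"port": port,
                        "port_based_says_tls": port == 443,
                        "content_based_says_tls": hello is not None,
                        "version": hello["version"] if hello else None,
                        "sni": hello["sni"] if hello else None})
    return results


# Constructed sample flows (not real captures): hostnames and ports are illustrative only.
SAMPLE_FLOWS = [
    (443, build_client_hello("www.example.com", tls13=True)),
    (8443, build_client_hello("update.example.net", tls13=False)),    # TLS on a non-standard port
    (443, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),         # plaintext on 443
    (53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),         # not TLS at all
]

if __name__ == "__main__":
    for verdict in classify_flows(SAMPLE_FLOWS):
        print(verdict)
```

The second flow is the case the article is about: a port-only rule misses it entirely, while content inspection identifies it as TLS 1.2 to update.example.net. The third shows the opposite failure, plaintext on 443 that a port rule would hand to a decryption engine for nothing. A production engine also has to handle ClientHellos split across TCP segments and records, and, once TLS 1.3 is negotiated, the server certificate is encrypted, so the SNI in the ClientHello is the only hostname visible without actually performing the interception.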

The improved decryption isn’t the only new thing here, however. Sophos is also emphasizing faster scanning from enhancements to its Deep Packet Inspection [DPI] engine, which the company says will raise throughput by up to 33%.

“This provides ‘FastPath,’ a productivity and performance acceleration of SD-WAN applications and traffic where we increase the ability to look at network traffic to near-wire speed,” Schiappa said. “This optimized Deep Packet Inspection will drive up cost performance per dollar.”

The other major enhancement in this version is deeper integration with SophosLabs AI intelligence.

“This wires data science and threat intelligence much deeper into the product than ever before,” Schiappa noted. “We have also deepened the reporting capabilities in Sophos Central to improve group firewall management.”

For Sophos partners, who are the company’s entire route to market, Schiappa said that the new version of the XG firewall presents multi-faceted advantages.

“The improved management capabilities are especially important for partners,” he said. “The ability to have this deep firewall management inside Sophos Central, which was more limited before, will make it much easier for partners to manage. The reporting capabilities are also of significant value to them.”

Schiappa also emphasized that partners are already receiving extensive training around the new capabilities.

“This is something that we always do when we introduce something that’s more bleeding edge, put a lot of training and investment into arming partners,” he said. “This will allow the partner to be a stronger trusted advisor, which is important for us, since we are 100% dependent on the channel for our success.”