Sophos upgrades on-prem firewalls with enhancements to Xstream architecture

The new release also adds SD-WAN load balancing and seamless integration with Microsoft Azure Active Directory.

Cybersecurity vendor Sophos has announced new performance enhancements to Sophos Firewall with its 19.5 release. These include accelerating encrypted traffic inspection, providing dynamic traffic routing for Internet Protocol version 6 (IPv6), adding resiliency with software-defined wide area network (SD-WAN) load balancing and providing seamless integration with Microsoft Azure Active Directory.

While the on-prem firewall is seen by many in the tech media as something of a dinosaur, on-prem firewalls continue to dominate the market.

“I’ve been in the firewall industry for 23 years now,” said Daniel Cole, vice president of network security product management at Sophos. “It’s a 16 billion TAM [Total Addressable Market] and 14 billion of that is on prem. You would think with COVID, it would have gone down – but it hasn’t. The cloud market is growing triple digits, but its TAM size is still much smaller than the on-prem market.”

Cole said there has been some changes in the on-prem use cases over time.

“There has been some shift, mostly in terms of where the data is being housed,” he noted. “It used to be in a closet or a server room. Now things have changes to respond to the need for a 4G or 5G link, and well as the shiftiness of attackers. It still protects traffic from the inside – but how you get to the data and protect the data has shifted.”

A key enhancement to this release impacts the Xstream architecture and Flow Processors that Sophos originally introduced two years ago.

“The great thing about our dual chip architecture is that we have a programmable architecture and an x86 architecture,” Cole said. “Each type has the ability to be better in different use cases, and we have the ability to program that. This means that performance gets better over time instead of getting worse, which is typical of most firewalls.”

This release adds a new high-performance dynamic routing engine and Xstream Transport Layer Security (TLS) FastPath acceleration, which improves encrypted traffic inspection. It also adds headroom for traffic that requires deep-packet inspection. The asymmetric cryptographic capabilities within Xstream Flow Processors, which are included in every XGS Series appliance, enable TLS inspection on even the most demanding networks.

“This release improves TLS performance so you can integrate architecture and optimize with each major release,” Cole said. “Our competitors tend to be set in stone in their architecture, and don’t have as much capability to make changes in architecture.”

The release also adds new SD-WAN load balancing for performance and reliability in the event of an internet service providers’ (ISP) outage.

“Many customers now buy more than one internet connection,” Cole said. “Sometimes they can have as many as five to ensure 5 9s uptime. This is  especially important in  e-commerce. This enhancement provides another way for customers who want zero downtime to get this needed stability.” Enhancements to high-availability clusters also ensure maximum business continuity and uptime.

Finally, ease of management is facilitated by new Microsoft Azure Active Directory integration for seamless administrator single sign-on and new host and service object search.