Today, we’re launching the first of our new XGS Series next-gen firewall appliances with Sophos Firewall OS version 18.5.
For network admins, this completely re-engineered hardware platform finally takes a common dilemma off the table: how to scale up protection for today’s highly diverse, distributed, and encrypted networks without throttling network performance.
Coupled with a highly attractive price, the new XGS Series is guaranteed to reshuffle the pack in the network firewall space.
Here are just three key highlights of this new release.
Every XGS Series appliance has two hearts beating at its core: a high-performance multi-core x86 CPU, and an Xstream Flow processor to intelligently accelerate applications by offloading security-verified and trusted traffic to the FastPath.
This architecture allows us to retain the same flexibility to extend and scale protection as purely x86-based firewalls while also providing a performance boost that’s unhampered by the limitations of some legacy platform designs.
For example, with the programmable Xstream Flow processors, we can extend the offload capabilities in future software releases, providing additional performance improvements without changing the hardware.
As much as we like to talk about speeds and feeds in the firewall space, the additional performance headroom in the XGS Series is there for a purpose: protection.
With about 90% of network traffic encrypted (source: Google Transparency Report) and almost 50% of malware using TLS to avoid detection (source: SophosLabs), organizations are leaving huge blind spots in their network visibility by not activating TLS inspection.
Just going by our own telemetry, about 90% of organizations don’t have TLS inspection activated on their firewalls. Even if we take into account that some of those may have separate solutions doing TLS inspection, it’s likely to be the minority rather than the majority. And aside from the security risk that poses, it’s pretty hard to create a policy for traffic that shows as “general” or “unknown”.
Before you all scream, “but TLS inspection breaks the internet,” Sophos Firewall includes native support for TLS 1.3 and provides a user interface which clearly shows if traffic has caused issues and how many users were affected. With just a couple of clicks, you can exclude problematic sites and applications without reverting to a less-than-adequate level of protection.
The XGS Series includes multiple form factors that beat the all-important price per protected Mbps of many competitive models.
XGS Series appliances are equipped with high-speed interfaces to meet the diverse connectivity requirements of businesses large and small. In addition to the built-in copper, fiber, and a range of other ports on every model, add-on modules provide the flexibility to tailor your device connectivity to your unique environment – both today and in the future.
The XGS Series integrates further with edge infrastructure devices such as APX access points and our SD-RED Remote Ethernet Devices. With cloud-managed Zero-Trust Network Access and access layer network switches coming later this year, we’re bringing your network security to every edge.
The new appliances come with the latest v18.5 software release, which not only provides support for the new hardware but also includes all the 18.x maintenance releases – many new capabilities and security improvements – since the v18 release.
For further information about Sophos Firewall and the XGS Series or to request a quote visit Sophos.com/Firewall or Sophos.com/Compare-XGS.
For the latest SophosLabs research on TLS, check out this article.
XGS and it's "new" features sound not much exiting. More likely this is a new approach to push some sales.
Using a different architecture on the hardware is a big step for every vendor, going through this process. There are not many going down this road to archive more performance.
Is IPsec being offloaded to Xstream or It's still being processed on x86?
It would be good if Sophos provided what kind of traffic are being processed over the NPU on XGS.
Currently, IPsec (VPN) is not offloaded but the second NPU is "ready" to do this with a software update. Hence it can be easily implemented later down the road.