Sophos has shipped an updated edition of its XG Firewall that’s designed to identify and block attacks hidden in encrypted network traffic without impacting performance.
Based on an all-new “Xstream” architecture, the latest version of the security vendor’s next-generation firewall can inspect Transport Layer Security (TLS) traffic, including streams using the latest TLS 1.3 standard, in real time. Comparable functionality is available in other firewalls, but isn’t widely used due to the processing slowdowns it creates, according to Sophos Chief Product Officer Dan Schiappa.
“A lot of customers just turn it off because the performance is so poor that they can’t afford to have it turned on,” he says. In fact, a Sophos survey of 3,100 IT managers from 12 countries found that while 82% of organizations agree that TLS inspection is a necessity, only 3.5% use it.
Disabling firewall decryption, however, leaves organizations dangerously exposed, according to a separate, newly published study from the SophosLabs threat intelligence unit, which found that 23% of malware families currently in circulation use encrypted communication for command and control or installation. Some 44% of prevalent information-stealing exploits use TLS encryption to exfiltrate data as well.
“Not only do you have some blind spots to the attack coming in, but you also have a blind spot to the critical company information going out,” Schiappa observes.
According to Schiappa, XG Firewall’s TLS decryption technology also scans more communication protocols and ports than products with similar capabilities. “Many devices only look at the web traffic,” he says. “Unless you really have the breadth of coverage across all the ports of inspection, then you’re going to leave an open area for the adversaries to go to.”
Other new features now available in XG Firewall include “FastPath” policy controls that let users prioritize SD-WAN, VoIP, and other traffic streams for quicker processing, and “adaptive traffic scanning” functionality that draws on real-time assessments of incoming packets to determine how great a risk they pose, and therefore how much further scrutiny they merit.
“If we know the traffic’s coming from a safe, well-authenticated, highly-secure environment, we’re not going to put that through the deepest level of inspection, whereas if it’s not then maybe we will put that through a deep packet inspection,” Schiappa explains. According to Sophos, the new feature can improve system throughput by as much as 33%.
New support for XG Firewall in the Sophos Central management console, meanwhile, lets administrators assign multiple firewalls to groups with shared policies, and view a new set of highly graphical reports. Sophos first added XG Firewall to Sophos Central a year ago.
The latest XG Firewall release also draws on threat intelligence from SophosLabs—powered by the same deep learning capabilities added to Sophos’s Intercept X endpoint security solution early in 2018—to respond faster and more effectively to potential threats. The new functionality might dynamically place especially risky files in an isolated sandbox for closer analysis by Sophos security specialists, for example.
New integration with the Managed Threat Response (MTR) service that Sophos introduced last October gives the vendor’s in-house experts more information to draw on when studying potential threats. “As the MTR analysts discover something that’s suspicious, they now have the network context to be able to pull that in and start to correlate what was happening on the network at the same time something suspicious was happening on the endpoint,” Schiappa says.
Current XG Firewall users will receive the system’s updated functionality within the next few weeks.
Private equity investor Thoma Bravo made a nearly $3.9 billion offer to purchase Sophos last October.
Untangle rolled out an updated edition of its own next-generation firewall with new threat prevention capabilities today as well.