Clavister Security Gateway

Transcription

1 Clavister Security Gateway Security with your business in mind

2 Multiple DMZs and symmetric design Clavister firewall supports a high number of network interfaces. All of the appliances deploy real firewall interfaces that may be used as a DMZ or in order to further segment the internal network. SG30 series are the smallest in their class including a real DMZ. Normally, competitors in this range offer products which only include 2 firewall interfaces and a hub (Symantec, Cisco PIX 501 and 506 and Watchguard, for instance). In this cases, if a customer needs to offer public services, these systems create a virtual DMZ (virtual server) which surely delivers lower security and convenience warranties. The introduction of the Gigabit Module (Mini GBIC) in SG 4200 and SG 4400 series increase the flexibility of the Clavister Security Gateway offering the chance to segment networks, while keeping high performance. Clavister Firewall has among its own features that of being designed in a symmetric way. This means that it is possible to have all firewall and VPN functionalities on whatever interface, being this physical or virtual. Through our solution, for instance, it is possible to have VPN functionality on whatever interface, something which is not so often available through other firewall and VPN solutions. Quite often our competitors implementations allow the creation of a VPN tunnel only on the external interface and not on the DMZ or on the internal interface. Else, they put strict constraints on the functionality of some interfaces having a fixed role. This feature is very useful, for example, when WLAN are employed, as shown on the scheme in Figure 1. As it can be noticed in this case, the user wants to install a WLAN in the enterprise network. With Clavister solution it is possible to certify the access point on one of the firewall interfaces and equipping wireless PCs with VPN clients. In this way, wireless traffic is protected by IP- Sec and any vulnerability or wireless protocol restriction is therefore eliminated. Another application, as shown in Figure 2, is that of videosurveillance. In this case it is the flexibility itself, introduced by this concept of interfaces symmetry, that makes it the ideal object for protecting a DVR (Digital Video Recording) and safely integrating wireless.

3 Figura 1: a wireless enterprise network protected by a firewall, all the mobile accesses are authenticated and, protected by a VPN tunnel, they can end on whatever firewall interface Figura 2 : a video-surveillance application, mobile or remote users can access DVR in an IPSec tunnel protected modality. Besides, through the functionality of VPN user-authentication it is possible to authenticate and authorize the different users accessing the images.

4 The best choice for ISP. Virtual Routing and Virtual System With the new virtual capabilities of Clavister Security Gateway, IT security managers get a completely new set of tools for administering the most advanced network structure with a minimum of effort. Virtual Routing enables, for instance, routing of overlapping IP spans, convenient segmentation of security polices as well as seamless transport of datagrams between various interface types. Naturally, each Virtual Router can also maintain its own dynamic routing process. OSPF OSPF is a routing protocol that determines the best path for routing IP traffic over a network. One of its primary uses is in semi-large organizations in need of automatic updates of network topology changes. From release 8.5, Clavister Security Gateway is able to actively participate in OSPF exchanges. In addition, by using a highly granular dynamic routing ruleset, interactions with the OSPF AS and the gateway's routing tables can be tightly controlled. Multiple OSPF processes may be executed simultaneously, each interacting with different virtual routing tables. DHCP over IPSec This feature, present on the whole range of the Clavister products, makes it easier to manage VPNs and mobile users access. DHCP over IPSec functionality, allows to terminate the VPN on a Clavister gateway and to assign an address belonging to the protected network. This allows mobile clients or remote offices to have the same address range as the protected network. In this way, remote clients or offices are able to launch applications, share printing queues and really act as PCs belonging to the network protected by the VPN gateway. This function makes it therefore easier to deploy VPN solutions in franchising chains, where stores are connected to a head office on which they are depending for management software and printing. It also makes Wi-Fi networks implementation easier and it simplifies remote access management, allowing the mobile users to fully take advantage of their enterprise network. L2TP/PPTP client and server. The support of L2TP/PPTP allows any Clavister Security Gateway to act as a full-fledged L2TP and PPTP Network Server. In an enterprise environment, this enables secure remote access for roaming clients by using, for instance, the built-in VPN client distributed with the Microsoft Windows operating system. Combine the L2TP and PPTP support with Active Directory authentication, and Clavister Security Gateway becomes a highly integrated component in any large-scale Windows network. For service providers, the new L2TP and PPTP Network Server capabilities in combination with the virtual routing support opens up new possibilities for lowering operational costs and creating additional revenue streams.

5 VLAN Clavister Security Gateway is fully compliant with the IEEE 802.1Q specification for Virtual LANs. You can define and manage up to 4096 Virtual LANs. Each Virtual LAN interface is interpreted as a logical interface by the firewall, with the same filtering, traffic shaping and configuration capabilities as regular interfaces. VLANs support starts from the SG 33 appliance, in the table below the number of VLANs that you can define for each appliance. Clavister Gateway VLANs SG 33 4 SG 35 4 SG SG SG SG SG SG SG SG SG SG SG SG SG With this functionality you can leave the VLANs routing to the firewall. Doing this, in a corporate scenario, Clavister firewall will be responsible for filtering and controlling the traffic between VLANs. You can also set traffic limits to the different VLANs optimizing the use of the resources.

6 Pay per use. Clavister has designed the Clavister X-PANSION LINES concept which not only does it make it possible to offer the award winning products at the best price / performance ratio and lowest TCO possible, but it also enables a highly balanced choice between current system requirements and financial resources. All this without compromising the natural need for increasing performance and functionality in the future, conceptualizing the slogan - Buy and Grow not buy and Throw. With Clavister X-PANSION LINES you can perform remote upgrade of the software license in few mouse clicks. This will let your customers grow as network needs increase. As shown in table the X-PANSION LINES concept allows you to double the firewall performance and increase VPN capabilities of the Security Gateway without changing the hardware platform. With Clavister X-PANSION LINES you can start out from the product that best matches your current needs. Upgrade your product to a larger model within the same series by only replacing the license file.

7 Clavister Security Gateway SG 31 Throughput : 50 Mbps Throughput VPN: 7 Mbps VPN Tunnels: 1 SG 220 Throughput : 100 Mbps Throughput VPN: 20 Mbps VPN Tunnels : 100 SG 3105 Throughput : 100 Mbps Throughput VPN: 30 Mbps VPN Tunnels : 150 SG 4205 Throughput : 400 Mbps Throughput VPN: 200 Mbps VPN tunnels: 150 SG 4410 Throughput : 500 Mbps Throughput VPN: 200 Mbps VPN tunnels: 750 License Upgrade SG 33 Throughput : 50 Mbps Throughput VPN: 7 Mbps VPN Tunnels: 25 SG 35 Throughput : 50 Mbps Throughput VPN: 7 Mbps VPN Tunnels: 50 SG 240 Throughput : 200 Mbps Throughput VPN: 20 Mbps VPN Tunnels:: 200 SG 3110 Throughput : 200 Mbps Throughput VPN:70 Mbps VPN Tunnels: 300 SG 3150 Throughput : 300 Mbps Throughput VPN:100 Mbps VPN Tunnels: 300 SG 4210 Throughput 500 Mbps Throughput VPN: 200 Mbps VPN Tunnels: 750 SG 4230 Throughput 1 Gbps Throughput VPN:300 Mbps VPN Tunnels: 1000 SG 4250 Throughput 2 Gbps Throughput VPN: 1 Gbps VPN Tunnels: 1500 SG 4430 Throughput 1 Gbps Throughput VPN:300 Mbps VPN Tunnels: 1000 SG 4450 Throughput 2 Gbps Throughput VPN: 1 Gbps VPN Tunnels: 1500 SG 4470 Throughput 4 Gbps Throughput VPN: 1,2 Gbps VPN Tunnels: 2000

8 Route Fail-Over Traditionally, connections provided by ISPs have been a single point of failure for corporate communications. With the introduction of route fail-over Clavister eliminates this single point of failure in a company s critical e-business operation. With route fail-over a company can connect the firewall to two different ISPs. This will make the firewall monitor the two ISP and in case of failure the firewall will use the next best instead of the failed one. Often route fail-over is also required in a wireless scenario. Usually wireless service providers need a security gateway for their customers who are able to manage a wireless connection and a wired connection used as a backup.

9 Third party reporting tools The Clavister Firewall management software includes tools for graphically monitoring firewall status parameters as well as extensive monitoring of network traffic. The firewall Log data can be analyzed using the advanced log analyzer tool integrated in the Firewall Manager and may also be exported using text format to any third-party application, such as Microsoft Excel or SQL server, for further analysis. Furthermore, NetIQ s WebTrends for Firewalls product suite, eiqnetworks' FirewallAnalyzer and SawMill are supported in order to generate graphical usage reports and graphs. SawMill was the latest Clavister integration with an advanced reporting tool. Sawmill was designed with ISPs/ASPs in mind. A quick look through Sawmill's features shows that it has everything an ISP/ASP needs to easily set up an automated, multi-user, multi- Please Recycle