Next Generation Firewall



Similar documents
Product Overview. customers in the business of service provider, enterprise, financial services, and public sectors.

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

NGAF FIREWALL PLATFORM

NSFOCUS Web Application Firewall White Paper

Cybercrime: evoluzione del malware e degli attacchi. Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com

Firewall and UTM Solutions Guide

Content-ID. Content-ID enables customers to apply policies to inspect and control content traversing the network.

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Load Balancing Security Gateways WHITE PAPER

INTRODUCTION TO FIREWALL SECURITY

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

USG6600 Next-Generation Firewall

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Introducing IBM s Advanced Threat Protection Platform

Securing Cisco Network Devices (SND)

The Hillstone and Trend Micro Joint Solution

Huawei Eudemon200E-N Next-Generation Firewall

Content-ID. Content-ID URLS THREATS DATA

SonicWALL Unified Threat Management. Alvin Mann April 2009

Gateway Security at Stateful Inspection/Application Proxy

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

PCI DSS Compliance. with the Barracuda NG Firewall. White Paper

USG6300 Next-Generation Firewall

Next-Generation Firewalls: Critical to SMB Network Security

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

BlackRidge Technology Transport Access Control: Overview

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Content Scanning for secure transactions using Radware s SecureFlow and AppXcel together with Aladdin s esafe Gateway

CMPT 471 Networking II

85% of business networks identified with bot infections 63% of business networks identified to have downloaded malware files 89% of business networks

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

A Decision Maker s Guide to Securing an IT Infrastructure

Hillstone Intelligent Next Generation Firewall

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

The Cisco ASA 5500 as a Superior Firewall Solution

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Log Audit Ensuring Behavior Compliance Secoway elog System

IBM Protocol Analysis Module

74% 96 Action Items. Compliance

Chapter 9 Firewalls and Intrusion Prevention Systems

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Astaro Gateway Software Applications

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Secure Cloud-Ready Data Centers Juniper Networks

IJMIE Volume 2, Issue 9 ISSN:

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Where every interaction matters.

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

McAfee Network Security Platform

Total Cost of Ownership: Benefits of Comprehensive, Real-Time Gateway Security

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

INTRUSION DETECTION SYSTEMS and Network Security

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Radware s Behavioral Server Cracking Protection

McAfee Next Generation Firewall (NGFW) Administration Course

On-Premises DDoS Mitigation for the Enterprise

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Firewall Architecture

Locking down a Hitachi ID Suite server

Sitefinity Security and Best Practices

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Achieve Deeper Network Security

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Achieving PCI-Compliance through Cyberoam

The Critical Importance of Three Dimensional Protection (3DP) in an Intrusion Prevention System

White Paper A10 Thunder and AX Series Load Balancing Security Gateways

Cyberoam Next-Generation Security. 11 de Setembro de 2015

1. Built-In SPI Firewall to Protect Your Enterprise Network 2. Multi-Spam-Filtering Function Providing High Spam-Filtering Accuracy

NETASQ MIGRATING FROM V8 TO V9

Simple security is better security Or: How complexity became the biggest security threat

SonicWALL PCI 1.1 Implementation Guide

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Dell SonicWALL Next Generation Firewall(Gen6) and Integrated Solution. Colin Wu / 吳 炳 東 Colin_Wu1@dell.com

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Firewalls, Tunnels, and Network Intrusion Detection

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Transcription:

Next Generation Firewall Product Overview SANGFOR Next-Generation Firewall is designed with Application Control, Intrusion Prevention and Web Security in mind, providing deep and fine-grained visibility over Users, Applications and Contents. SANGFOR NGFW ensures end-to-end security from layer 2 to layer 7 in multi-gigabit speed, in-bound and out-bound, and distinguishes itself from traditional firewalls, and makes it the ideal choice for customers in the business of service provider, enterprise, financial services, and public sectors. Today s network attacks are getting more sophisticated. Traditional firewalls are no longer effective to cope with ongoing and emerging threats. As a platform of network security policies, SANGFOR NGFW enforces bidirectional security policy on users, applications, URLs, data payload and contents. Superior to traditional port and protocol based security policy, SANGFOR NGFW s approach allows IT organization to better defend increasingly sophisticated network threats, to identify and block misuses of applications precisely and effectively. SANGFOR NGFW is designed to defend attacks end-to-end from layer 2 to layer 7 with the focus on the application layer. The surging of application layer attacks are becoming growing concerns, and causing serious information leaks and infrastructure damages worldwide. SANGFOR s high scalable and extensible software and hardware architecture ensures high performance in application layer processing. Leveraging its innovative technology of Single-pass Analysis Algorithm and Multi-core Parallel Processing, SANGFOR NGFW delivers 10G throughput with low latency in microseconds when working in multifunctional protection mode.

Definition of Next-Generation Firewall Next Generation Firewall was defined by Gartner based on the requirements of customers, the deep understanding of security industry, and the vision of security market trends. With more than 10 years of technology innovation, accumulated knowledge and experience of serving customers in the network security business, SANGFOR believes that NGFW should be characterized by following features: Defending against Application Layer Attacks As 75% of overall attacks or threats targeting on application layer, next generation firewalls should be capable with full stack visibility, able to identify and authenticate application layer protocols and contents, able to provide end-to-end solution to defend against network threats especially on application layer. Traditional security devices are vulnerable to the application layer threats due to the limitation of its network layer focus. Bidirectional Contents Inspection Superior to traditional firewall that mainly focusing on inbound threats, NGFW consolidates security with bidirectional contents inspection function. Outbound dataflow responded by server are also monitored. Potential sensitive information leaks, webpage tampering, and other threats are detected and prevented. Traditional Firewall Capability Although threats on application layer become prevailing, traditional threats on network layer should not be discounted, as they are still causing serious damages. NGFW provides traditional security functions such as Stateful FW, IPS, and VPN to ensure higher ROI and lower TCO for our customers in long-term. Application Layer High Performance Superior to traditional UTM devices whose performance degrades significantly in multi-functional mode, SANGFOR s comprehensive approach provides the capability of 10G throughput with low latency in microseconds when working in multifunctional mode. Authentication of Thousands of Applications Enhanced Wed Defense SQL Anti-attack Defending against IPS Based on Applications Application Anti CC Attack Layer Attacks Malware and Trojan Filtering Traditional Security Capability DOS, DDOS Attack Protection Stateful Inspection Access Control Intergrade IPsec VPN Router & NAT NGFW Single-pass Analysis Algorithm Data Leak Protection Unsafe URL Filtering Application Info Hide Anti Webpage Tampering Bidirectional Contents Inspection Application Layer High Performance Multi-core Parallel Processing 10G throughput Stable performance Low latency

Defending against Application Layer Attacks L7&above: Data layer L5-L7: application layer Business content WEB application Architecture WEB Service Architecture Operations System High risk requires more protection Sensitive information leakage Web page tampering Vulnerability attack SQL injection cross-site scripting Apps/server scanning Weak password attack Application layer DDoS Worms, Viruses, Trojans L4: transport layer L3: network layer TCP/IP protocol stack Access control, Protocol anomaly, Network layer DDoS L2: link layer Network interface ARP cheating, broadcast storm L1: physical layer Network Cable Physical damage Enhanced Web Anti-attack By combining the static validating and filtering rule with the dynamic intelligence against attack processes of hackers, SANGFOR NGFW s comprehensive approach performs excellently in defending the top 10 mainstream security threats released by OWASP as well as other common web attacks. The WEB system entirely protects against SQL injection, XSS cross-site scripting, cross-site request forgery, malware, Trojans and other security issues. Application Based Deep Intrusion Prevention System Leveraging SANGFOR s unique Six-Threat-Detection-Mechanisms (Signature based attack detection, Special attack detection, Correlation analysis, Abnormal traffic detection, Abnormal protocol detection, and Deep content analysis), NGFW enables the IT organization to consolidate its system security, and to identify attacks and high-risk security breaches, such as: buffer overflow attacks, vulnerability attacks, abnormal protocols, worms, Trojans, back door programs, DOS/DDOS attacks, scanning, spywares and other kinds of threats. Comprehensive Anti-virus Detection SANGFOR NGFW enables IT organization to detect viruses that originated from the well-known protocol (HTTP / FTP / SMTP / POP3) and deeply hidden into the compressed files (ZIP / RAR / GZIP), to ensure timely and precise response against viruses. By leveraging highly effective stream scanning technology, SANGFOR NGFW delivers great performance in application layer, which significantly distinguishes it from traditional methods that easily become the bottleneck of the whole network. DOS/DDOS Attack Protection Abnormal dataflow and DOS/DDOS attacks are detected and filtered by SANGFOR NGFW. Security and stability of the server are ensured. SANGFOR NGFW provides protection against DOS/DDOS attacks from layer 2 to layer 7, and ensures all the DOS attacks based on data packages, IPs, TCP and HTTP protocols being blocked. Database updated by dedicated R&D team. SANGFOR NGFW s comprehensive signature database of 3,000+ vulnerabilities, 300,000 virus/trojan/malware, and 2,000+ WEB application threats provides IT organization with great ability to defend threats in various layers. Partnered of MAPP (Microsoft Active Protections Program), SANGFOR s vulnerability signature database is certified with compatibility certificate from CVE (Common Vulnerabilities and Exposures). SANGFOR provides best-in-quality of products and services.

Traditional Firewall Capability Complete Firewall Capabilities Customers can migrate from their traditional firewalls to SANGFOR NGFW without compromise of any current networking functioning, such as ACL, NAT, router, VLAN. These functions are fully supported by NGFW. Smooth deployment and easy management from day one. Integrated IPsec VPN Function Leveraging SANGFOR s integrated IPsec VPN function, more effective and secured wide area network can be built up with higher ROI. Flexible Deployment Modes SANGFOR NGFW supports several deployment modes such as gateway, bridge, bypass, virtual-wire and hybrid as well as multiple link aggregation and asymmetric routing function, which ensures a good adaptability to complex-networking environments. Cross-modules Intelligent Defense Strategy Advanced Cross-modules Security Defense strategy can be generated automatically by active defense technology. For example, the FW can generate a new firewall rule to block a certain IP if dangerous dataflow or attacks are identified from this IP by other modules. It performances well against automatic attacks or tools and ensures system security with easy maintenance and management. Intelligent Network Security Defense System Access Security Network Security Application Security Business Security Application route Network ACL Application Access control Enhanced web security IPSEC VPN NAT IPS based on applications SQL protection OSPF / RIP DOS / DDOS CC anti-attack sensitive information User authentication Flow filtering Anti-virus, Anti-Trojans webpage ADS AD domain integration BM based on applications Apps layer DOS/DDOS Web shell upload URL filtering Malicious plug-in One time analysis algorithm Strategy linkage port / server scanning weak password scanning server risk assessment server/terminal security report Flow/site/apps statistic report SMS/ email alarm Safety analysis and audit

Bidirectional Contents Inspection Scanning Process Prevent port/server scanning Prevent app vulnerability scanning Weak password protection Anti brute force attack Core URL protection website structure anti-scanning Web Crawler defense Web application server Server outbound content filtering Webpage Defender: Static, Dynamic Sensitive information leakage prevention: ID Card, Credit card number, Financial data... Attacking Process Destroy Process Enhanced Web Defense - SQL injection defense - OS command injection defense - XSS attack, CSRF attack IPS based on application - Server vulnerability defense - Terminal vulnerability defense DOS attack Application layer DOS attack CC attack Authority control Exe file upload filtering Upload viruses/trojans filtering Prevent web shell dataflow Users Hackers NGAF depth content detection technology: analyzing each application command and scanning the content carried to check for sensitive data, threat. Features: - The data is copied to the application layer - Restore data content and realize the deep content detection - Understand the HTTP protocol, defense hidden attack Webpage Protection against Tampering Anti webpage tampering is a sub-function of NGFW, applying afterwards compensatory approach to protect the security of the website. That means even though the hacker had circumvented the security defense system and tampered the webpage, the modified webpage cannot be delivered to end users. By this method, the damage and economy loss can be reduced to the least. Meanwhile, the administrator will be informed at runtime by NGFW alarm service, allows the administrator to resolve the issue in time. Furthermore, NGFW provides redirection function that redirects end users to the backup server to ensure normal operation of the business. Compared with the traditional approach of installing anti webpage tampering software, SANGFOR NGFW s solution is more user-friendly and easy to maintain, no plugins required and no performance impact to the server. User Defined Sensitive Info Leak Protection SANGFOR NGFW can protect sensitive information defined by the user against leaks. The sensitive information can be identified, blocked and alarmed in different ways (SMS, E-MAIL ) by SANGFOR NGFW, ensuring an entire security for data like user information / email accounts / MD5 encryption key / bank card / ID number / social security account /credit card / mobile phone number. Application Protocol and Content Concealing Auto response information from WEB, FTP, MAIL or other servers, which may turn out to be a guideline for hackers to process the attack, can be concealed by NGFW. For example, HTTP error page concealing, FTP information hiding. Enhanced User Login Authentication Protection NGFW is flexible and allows various levels of security priority on user-defined services or webpages. When accessing services or webpages of higher priorities, strict authentication rules are enforced, such as SMS token or other two-factor authentications. That means hackers cannot access the sensitive and important data or webpages even if they have your username and password.

Application Layer High Performance FW IPS WAF Policy layer CPU1 CPU2 performance Network layer CPU3 CPU Networking Hardware I/O parallel processing 1 2 3 N Multi-core Parallel Processing SANGFOR s advanced multi-core parallel processing hardware architecture enables high performance computing in application layer, outperforms traditional NP or ASIC architecture. Furthermore, the Lock-free Parallel Processing technology is implemented to the computing process, produces real multi-core parallel processing, and significantly enhances system throughput. Single-pass Analysis Algorithm Unlike UTM, NGFW significantly enhances the performance in application layer processing with the advanced Single-pass Analysis Algorithm. Various threats are detected in single parsing without unpacking and packing the message repetitively as in UTM. Hopping Scan Technology Leveraging the application authentication technology that has been accumulated for years, all packages passing through the NGFW will be tagged with SANGFOR proprietary protocol during its core computing process. With the proprietary protocol, threats can be identified more efficiently and precisely during the content detecting process. For example, the FTP server-u related vulnerability that exists in the HTTP dataflow cannot generate threats to servers. This is a guideline to optimize the algorithm and enhance the efficiency.

Scenarios Internet access zone Entire security for internet access. DMZ zone Website one-stop security protection. Anti Webpage tampering. Sensitive business information leak protection. Data center security zone Entire security for internet access. Security reinforcement for core business system. Sensitive business information leak protection. WAN edge security zone WAN dataflow filtering. WAN edge security protection.

Founded in 2000, SANGFOR set a clear goal to build high-performance, reliable and secure network devices that can increase the business growth of our clients while decrease the Total Cost of Ownership (TCO) at the same time. For more information, please kindly visit our official website at www.sangfor.com or contact your local SANGFOR office in Mainland China, Hong Kong, US, UK, Singapore, Indonesia, Malaysia and Thailand. Copyright 2000-2013 SANGFOR Inc. All rights reserved.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information