INTELLIGENT NEXT GENERATION FIREWALL
WHY HILLSTONE NETWORKS?
You want to consolidate network security product into one solution.
You want to protect your network with behavioral-based machine learning technology.
You're looking for a micro-segmentation for virtualized data center.
The Hillstone Networks Technology
MICRO-SEGMENTATION FOR THE VIRTUALIZED DATA CENTER
Micro-Segmentation is critical in ensuring security in the cloud. It addresses the gaps in visibility and control of traffic at the virtual machine level. Hillstone leverages micro-segmentation to provide unparalleled visibility of live East-West traffic, protecting East-West traffic with L2-L7 security services. Active orchestration ensures that deployment and configuration overhead is minimized, without network interruption. With advanced micro-segmentation, Hillstone protects each virtual machine, enabling fully secured, scalable cloud services without disruption.
HILLSTONE NETWORKS EARNS “RECOMMENDED” RATING FROM NSS LABS FOR HILLSTONE NEXT-GENERATION FIREWALL
“The product’s overall value is compelling. The security, performance, and stability of the Hillstone next-generation firewall are excellent, earning Hillstone a recommended rating by NSS.”
— Vikram Phatak, CEO of NSS Labs.
HILLSTONE E-SERIES NEXT-GENERATION FIREWALLS
Hillstone E-Series next-generation firewalls provide visibility and control of web applications regardless of port, protocol, or evasive action. They can identify and prevent potential threats associated with high-risk applications while providing policy-based control over applications, users, and user groups. Policies can be defined that guarantee bandwidth to mission-critical applications while restricting or blocking inappropriate or malicious applications. Hillstone E-Series firewalls incorporate comprehensive network security and advanced firewall features. They provide superior price performance, excellent energy efficiency, and a smaller size when compared to competing products.
GRANULAR APPLICATION CONTROL
Hillstone E-Series firewalls provide fine-grained control of web applications regardless of port, protocol, or evasive action. They can identify and prevent potential threats associated with high-risk applications while providing policy-based control over applications, users, and user groups. Policies can be defined that guarantee bandwidth to mission-critical applications while restricting or blocking inappropriate or malicious applications. Applications are classified by name, category, subcategory, technology and risk. Policies can be created using one or more of these classifications to fine-tune permissible applications for selected users and groups. Policy-based routing and bandwidth management can also be created for users/groups based on time of day and application attributes. In addition, selected features within an application (e.g., games, file sharing) can be blocked or bandwidth-managed by user/group, time of day, and other criteria.
PROACTIVE THREAT PROTECTION
Hillstone E-Series firewalls provide real-time protection against application and network attacks including viruses, spyware, worms, botnets, ARP spoofing, DoS/DDoS, Trojans, buffer overflows, and SQL injections. They incorporate a unified malware detection engine that shares packet details with multiple security defenses (IPS, URL filtering, and Anti-Virus), which significantly reduces latency.
VISIBILITY AND CONTROL
Hillstone E-Series provides visibility and control of network traffic. An intuitive user interface displays all applications traversing the network along with application categories and bandwidth. An administrator can quickly choose an application and see all the users who are accessing that application along with bandwidth consumption. If a particular user is of interest the administrator can see all the applications that user is using – now and in the past. Inappropriate applications can be blocked or limited by bandwidth or time of day. Multiple reports show top applications, top users, top URLs, top URL categories, top threats, etc.
HILLSTONE T-SERIES INTELLIGENT NEXT-GENERATION FIREWALLS
INTEGRATED BEHAVIORAL INTELLIGENCE
Hillstone Network’s T-Series Intelligent Next-Generation Firewall (iNGFW) is an application-aware firewall that continuously monitors the network. It can identify attacks on all operating systems, applications, devices and browsers. It provides visibility into every stage of an attack and it can detect security breaches within minutes/seconds. It prioritizes hosts with the greatest security risks and provides contextual information about the threat. Security administrators can drill-down into the attack, including packet captures, to analyze all threat details.
CONTINUOUS THREAT DEFENSE
Hillstone’s T-Series Intelligent Next-Generation Firewall (iNGFW) uses three key technologies to provide continuous threat defense. First, it uses statistical clustering to detect security breaches in near real-time. It prioritizes hosts with the greatest security risks and provides contextual information about the attack. Second, it uses behavioral analytics to detect anomalous network behavior. It provides visibility into every stage of an attack and gives the user multiple opportunities to stop the attack. Finally, it provides forensic analysis so that the user can determine the root cause of the attack. This allows an administrator to make policy changes to prevent similar incursions into the network.
The T-Series leverages a proprietary statistical clustering algorithm that can quickly detect variants of known malware. Instead of searching for explicit signatures, it analyzes the behavior of malware and looks for recurring combinations of actions that are strongly related to known malware. When a close match is detected the system sends an alert and provides a complete description of the malware, including packet captures. It also provides a confidence level and a severity level so that the administrator can take remedial action.
It uses machine learning to establish a baseline of normal network activity, and it uses big data analytics and mathematical modeling to detect anomalous network behavior that represents attacks at multiple stages in the attack lifecycle. This information is displayed on an intuitive dashboard and provides the user with multiple opportunities to stop the attack. Multiple mitigation technologies are built into the display so that the administrator can quickly limit potential damage while investigating the abnormal traffic.
Hillstone’s T-Series provides a wealth of evidence that helps an administrator understand the root cause of the attack. Reports and logs provide an audit trail of the progression of attacks from initial compromise to the exfiltration of data. Hosts are prioritized by security risk and assigned a risk factor. The threats that contributed to the risk factor can be examined along with a detailed description of each attack, a confidence level, and packet captures.
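The baseline-then-deviation idea described above can be illustrated with a small worked example. The following is an added example, not Hillstone code and not the T-Series algorithm: it learns a per-host mean and standard deviation from constructed historical windows (here, the number of distinct destination ports each host contacted per ten-minute window) and flags a new window whose z-score exceeds a chosen threshold. The host addresses, sample counts and the threshold of 3.0 are all assumptions made for the illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (hypothetical, not from the page): per-host count of
# distinct destination ports contacted in each of ten historical 10-minute windows.
BASELINE_WINDOWS = {
    "10.0.1.15": [4, 5, 3, 6, 4, 5, 4, 3, 5, 4],
    "10.0.1.22": [2, 2, 3, 2, 1, 2, 3, 2, 2, 2],
}


def build_baseline(history):
    """Learn (mean, std-dev) per host from historical windows.

    A zero standard deviation is floored to 1.0 so that a perfectly constant
    history does not divide by zero; any change then scores as a raw delta.
    """
    model = {}
    for host, samples in history.items():
        sd = pstdev(samples)
        model[host] = (mean(samples), sd if sd > 0 else 1.0)
    return model


def score_window(model, host, value):
    """Z-score: how many baseline standard deviations the new value sits from the mean."""
    mu, sd = model[host]
    return (value - mu) / sd


def classify(z, threshold=3.0):
    """Label an observation; the 3-sigma threshold is an assumed tuning value."""
    return "anomalous" if abs(z) >= threshold else "normal"


def evaluate(model, observations, threshold=3.0):
    """Score one new window for every observed host.

    Hosts absent from the baseline are reported as 'unbaselined' rather than
    silently scored, since there is nothing to compare them against.
    """
    results = {}
    for host, value in observations.items():
        if host not in model:
            results[host] = (None, "unbaselined")
            continue
        z = score_window(model, host, value)
        results[host] = (round(z, 2), classify(z, threshold))
    return results


if __name__ == "__main__":
    model = build_baseline(BASELINE_WINDOWS)
    # Constructed new window: one host suddenly touches 60 distinct ports.
    verdicts = evaluate(model, {"10.0.1.15": 60, "10.0.1.22": 3, "10.0.1.99": 7})
    for host, (z, label) in verdicts.items():
        print(f"{host}: z={z} -> {label}")
```

A real deployment would keep the baseline rolling (re-learning as traffic changes) and would score several features per host rather than one; the structure stays the same, with each feature producing its own z-score and a combined score driving the dashboard priority.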
HILLSTONE X-SERIES DATA CENTER FIREWALLS
HILLSTONE’S ELASTIC SECURITY ARCHITECTURE: A BREAKTHROUGH TECHNOLOGY FOR DATA CENTERS
Streaming media, web-based applications, VoIP, peer-to-peer file sharing, mobile devices, cloud computing, and international presence are all contributing to accelerating data center traffic. As core network traffic increases, the need for high-speed network interfaces and high port densities becomes critical. Mobile device traffic also requires more emphasis since network security solutions can degrade significantly when the traffic shifts toward a large number of users and smaller packet sizes. As a result, data center firewalls must provide high throughput, large numbers of concurrent sessions and high numbers of new sessions per second. More importantly, they must respond to the usage patterns of their customers, which are often highly unpredictable. Consequently, data center firewalls must also provide rapid elasticity and on-demand security.
The X7180 data center firewall is built on Hillstone’s Elastic Security Architecture. It can support up to 1000 virtual firewalls and it can be provisioned as an on-demand service option complete with service level agreements (SLAs). Service providers can dynamically adjust resource allocation (CPU, sessions, policies and ports) for each virtual firewall in response to SLAs. Hillstone’s X7180 hardware is composed of multiple security and networking blades that provide scalability for future growth. It leverages a distributed multi-core architecture enabling wire-speed performance up to 680 Gbps throughput, 240 million concurrent sessions and 4.8 million new sessions per second. The chassis supports up to 68×10-GbE ports or 144x1GbE ports.
The X7180 provides carrier-grade reliability. It supports High Availability (HA) in both active/passive and active/active modes, ensuring 24×7 operation. It also has redundant and hot swappable power supplies, fans, System Control Modules (SCM), Security Service Modules (SSM) and I/O Modules (IOM). The X7180 also has a multi-mode and single-mode fiber bypass module, to ensure business continuity during power outages.
NAT AND IPV6
The inevitable march to IPv6 is underway but service providers still need to deploy Carrier Grade NAT (CGN) and Large Scale NAT (LSN) to manage the IPv4 address shortage while the transition is underway. Hillstone’s X7180 supports a variety of transition technologies including Dual Stack, IPv6/IPv4 tunnels, DNS64/NAT64, NAT 444, full cone NAT, NAPT, etc. Session logging and address translation enable audit trails for record keeping and forensics.
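Of the transition technologies listed above, DNS64/NAT64 is the one most often misunderstood, so here is an added example (not Hillstone code, and not a description of the X7180's implementation) of the address mapping it relies on. Under RFC 6052 a DNS64 resolver synthesizes an AAAA record by embedding the IPv4 address in the low 32 bits of a /96 NAT64 prefix, and the NAT64 gateway reverses that embedding when it translates the session. The well-known prefix 64:ff9b::/96 is real; the sample client and server addresses and the audit-record layout are constructed for the illustration.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix. Operators may instead use a network-specific
# /96 from their own space; the embedding rule is the same.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Build the IPv6 address DNS64 would hand to an IPv6-only client for an IPv4 host."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Recover the embedded IPv4 address, or None if the address is not NAT64-synthesized."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def translation_record(client_v6, synthesized_v6, translated_src_v4, src_port, dst_port, prefix=WELL_KNOWN_PREFIX):
    """Assemble the fields an audit log needs to tie a public IPv4 flow back to the IPv6 client.

    Without the inside address and the port the translator assigned, a session seen on
    the IPv4 side cannot be attributed to a tenant during forensics; that is the reason
    the page stresses session logging alongside address translation.
    """
    dst_v4 = extract(synthesized_v6, prefix)
    if dst_v4 is None:
        raise ValueError("destination is native IPv6; no NAT64 translation applies")
    return {
        "inside_src": f"[{client_v6}]:{src_port}",
        "inside_dst": f"[{synthesized_v6}]:{dst_port}",
        "outside_src": f"{translated_src_v4}:{src_port}",
        "outside_dst": f"{dst_v4}:{dst_port}",
    }


if __name__ == "__main__":
    # Constructed example: an IPv6-only client reaching an IPv4-only web server.
    aaaa = synthesize("192.0.2.1")
    print("DNS64 answer:", aaaa)                    # 64:ff9b::c000:201
    print("NAT64 destination:", extract(str(aaaa)))  # 192.0.2.1
    print(translation_record("2001:db8:1::10", str(aaaa), "198.51.100.7", 51234, 443))
```

Two practical points follow from the code: a firewall policy written against the IPv4 server address will not match the synthesized IPv6 destination unless the policy engine applies the same extraction, and any log that records only the IPv6 side leaves the forensic trail incomplete.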
The X7180 has slots front and rear, which saves rack space and facilitates cooling. It has a 5U form factor and a maximum power consumption of 1300W, which is 50–67% less power than other data center firewalls.
The X7180 provides visibility and control of over 1,300 web applications, including 200 mobile applications and encrypted P2P applications. It allows fine-grained control of applications, bandwidth, users, and user groups. The X7180 prevents users from accessing malicious or inappropriate applications, and the embedded Intrusion Prevention System (IPS) protects the network from malicious activity. The X7180 supports deep packet inspection and standards-based IPsec VPN, which uses hardware-based crypto acceleration to provide third-generation SSL VPN. Hillstone also offers a unique Plug-and-Play VPN solution that makes branch office VPN deployment a simple task.
The X7180 platform can manage bandwidth based on applications, users, and time of day. The system provides fine-grained policy control including guaranteed bandwidth, bandwidth limits, traffic priority, and FlexQoS, which can dynamically adjust bandwidth based on utilization. These features, along with session limits, policy routing and link load balancing, enable flexible bandwidth management.
MICRO-SEGMENTATION SOLUTION FOR VIRTUALIZED DATA CENTERS
ACHIEVE UNPARALLELED LIVE TRAFFIC VISIBILITY
All virtual machine access points can be monitored to provide visibility and control of inter-VM traffic, applications and attacks, which is the cornerstone for enabling East-West traffic control and protection. VM topology, traffic insight, application identification, and comprehensive log features allow Cloud Service Providers (CSPs) to meet compliance and security audit requirements.
REDUCE ATTACK SURFACE TO NEARLY ZERO
Each CloudHive Virtual Security Service Module (vSSM) is deployed on a physical server, enabling micro-segmentation for inter-VM communication. East-West traffic is secured with L2-L7 security services, including firewall features such as policy control and session limits, advanced security features such as Intrusion Prevention System (IPS) and Attack Defense (AD), as well as fine-grained application control. Real-time mitigation also blocks, impedes or quarantines active attacks.
EFFORTLESSLY SCALE SECURITY THROUGH ACTIVE ORCHESTRATION
On-demand security services can be applied to any and all new workloads and VMs through the scalability of vSSM. The deployment of vSOM enables unified security policy configuration for each VM. CloudHive supports vMotion to ensure security services persist in the event the VM moves.
IMPROVE EFFICIENCY WHILE REDUCING COSTS
CloudHive’s Layer 2 deployment does not impact the existing network topology. It minimizes deployment and configuration overhead, without business impact or network interruption. In addition, managing a single appliance reduces operational errors and improves overall efficiency. Total cost of ownership is also reduced, as CloudHive security services do not require an upgrade to VMware’s NSX.
FEATURES AND BENEFITS
Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk
Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference
Actions: block, reset session, monitor, traffic shaping
Cloud asset discovery: networks and VMs
Visualization of virtual network topology, VMs and traffic
Deep insight and monitoring of all traffic between VMs
Log support: session logs, threat logs and system logs
Supports Application Layer Gateway (ALG)
7,000+ signatures, including custom signatures
Protocol anomaly detection
Manual, automatic signature updates
Integrated threat encyclopedia
IPS Actions: default, monitor, block, reset with expiry time
Packet logging option
Filter Based Selection: severity, target, OS, application or protocol
IP exemption from specific IPS signatures
IDS sniffer mode
Protection from: malformed packets, DoS/DDoS, DNS query flood, SYN flood and ARP attacks
VIRTUAL NEXT-GENERATION FIREWALL
Businesses have been harnessing the advantages of virtualization for faster and more efficient, on-demand delivery of IT resources, but are still grappling with security in these dynamic virtual environments, where virtual machines constantly get added, changed or moved, and visibility and security enforcement remain a challenge. Hillstone CloudEdge addresses this security gap and provides a complete virtual firewall solution available in a software form factor. Hillstone CloudEdge provides advanced security services across Layers 2-7, in addition to core firewall features; these share the same base technology as the Hillstone Next-Generation Firewall (NGFW) and provide the same robust set of security features offered for physical environments. It can be deployed via Cloud Management Platforms (CMPs) as a “Firewall as a Service” for a multi-tenant solution in the virtual environment. CloudEdge is also deployed as a security gateway for a Virtual Private Cloud (VPC) in the public cloud.
CloudEdge provides independent management as well as remote security access for each tenant in multi-tenant virtual and cloud environments. CloudEdge supports major hypervisor technologies including KVM, Xen, and VMware ESXi. It is also tightly integrated with, and supports, cloud management platforms (CMPs) such as AWS, OpenStack and VMware vCenter.
Hillstone’s Security Manager enhances network security by allowing businesses to segment their networks into multiple virtual domains. Domains can be based on geography, business unit or security function. It provides the versatility needed to manage Hillstone’s infrastructure while simplifying configuration, accelerating deployment cycles, and reducing management overhead.
HILLSTONE SECURITY MANAGEMENT PLATFORM
HILLSTONE SECURITY AUDIT PLATFORM
ISPs, universities, large enterprises, government agencies, and large data centers generate millions of events every day. They require high-performance log storage and near-instantaneous query results to analyze the explosion of data generated by today’s Next-Generation Firewalls. Hillstone’s Security Audit Platform transforms log data into security intelligence with split-second searches that provide instant visibility into billions of log records. Hillstone’s Security Audit Platform collects and collates NAT, threat, URL and session logs and provides granular search capabilities that give real-time visibility into network traffic.
ADDING INTELLIGENCE TO THE FIREWALL
By applying its advanced behavioral analytics to network traffic, Hillstone’s iNGFW can discover exact or approximate network behavior that matches or approaches that of a malware family and one of its behavior clusters stored in its database.
An exact behavioral match produces a very high level of confidence that an actual attack is in process. If there’s an approximate match, Hillstone calculates a numeric distance to the closest cluster and assigns a percentage confidence level to warn the user of the likelihood an attack has occurred.
By applying these analytics, Hillstone’s iNGFW can not only identify a potential attack in minutes, it can also provide a complete description of the closest known attack, including forensic information and level of criticality, that IT can use to address it.
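The exact-versus-approximate matching described in the three paragraphs above (and in the statistical-clustering paragraph of the T-Series section) can be made concrete with a small worked example. This is an added illustration, not Hillstone code and not the iNGFW's actual clustering algorithm: it represents observed host behavior as a vector of scaled features, finds the nearest stored cluster centroid by Euclidean distance, and turns that distance into a percentage confidence, with an exact match scoring 100%. The feature names, the cluster centroids, their severity labels and the match radius of 0.5 are all assumptions made for the example.

```python
import math

# Behavioral features, each scaled to [0, 1] upstream (assumed feature set, not the page's).
FEATURES = ("beacon_regularity", "dns_txt_share", "new_port_share", "upload_ratio")

# Constructed cluster centroids for hypothetical malware families, with a severity
# label attached to each cluster as the page describes.
CLUSTERS = {
    "familyA-cluster1": {"centroid": (0.9, 0.1, 0.2, 0.3), "severity": "high"},
    "familyA-cluster2": {"centroid": (0.8, 0.6, 0.1, 0.2), "severity": "high"},
    "familyB-cluster1": {"centroid": (0.1, 0.0, 0.9, 0.8), "severity": "medium"},
}

# Assumed radius: at this distance from the nearest centroid confidence reaches 0%.
MAX_MATCH_DISTANCE = 0.5


def distance(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    if len(a) != len(b):
        raise ValueError("feature vectors must have the same dimension")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest_cluster(vector):
    """Return (cluster name, distance) for the closest stored centroid."""
    return min(
        ((name, distance(vector, info["centroid"])) for name, info in CLUSTERS.items()),
        key=lambda pair: pair[1],
    )


def confidence(d):
    """Map distance to a percentage: 100 at an exact match, falling linearly to 0 at the radius."""
    if d == 0:
        return 100.0
    return round(max(0.0, 1.0 - d / MAX_MATCH_DISTANCE) * 100, 1)


def assess(vector):
    """Classify an observed behavior vector against the cluster database."""
    if len(vector) != len(FEATURES):
        raise ValueError(f"expected {len(FEATURES)} features")
    name, d = nearest_cluster(vector)
    conf = confidence(d)
    if d == 0:
        match = "exact"
    elif conf > 0:
        match = "approximate"
    else:
        match = "no match"
    return {
        "closest": name,
        "distance": round(d, 3),
        "confidence_pct": conf,
        "severity": CLUSTERS[name]["severity"] if match != "no match" else None,
        "match": match,
    }


if __name__ == "__main__":
    # Constructed observations: an exact hit, a near variant, and unrelated traffic.
    for observed in [(0.9, 0.1, 0.2, 0.3), (0.85, 0.1, 0.2, 0.3), (0.5, 0.5, 0.5, 0.5)]:
        print(dict(zip(FEATURES, observed)), "->", assess(observed))
```

The linear confidence ramp is the simplest choice; a production system would calibrate the mapping against the spread of each cluster, and the radius would differ per cluster rather than being a single global constant.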
NSS Labs performed an independent test of the Hillstone Networks Next-Generation Firewall. The product received a “Recommended” rating and was among the top-scoring solutions in security effectiveness and value in the latest NSS Labs Next-Generation Firewall test. Its high marks include the lowest Total Cost of Ownership (TCO) per Protected Mbps, blocking 99.6% of exploits from the NSS exploit library and blocking 98.32% of live exploits over a 2-month period from December 1, 2015 – January 31, 2016.
NSS Labs’ results found that the Hillstone Next Generation Firewall has the lowest TCO per Protected Mbps and excels in Security Effectiveness and Value for Next-Generation Firewalls. The “Recommended” rating reinforces Hillstone Networks’ security leadership and the company’s commitment to provide the highest levels of protection and best value to its more than 12,000 customers globally.
Hillstone Networks’ X7180 data center firewall offers outstanding performance, reliability, and scalability, for high-speed service providers, large enterprises and carrier networks. It provides flexible firewall security for multi-tenant cloud-based security-as-a-service environments. The X7180 platform is based on Hillstone’s Elastic Security Architecture (ESA), which offers highly scalable virtual firewalls, exceptional firewall throughput, massive concurrent sessions and very high new sessions per second. The X7180 also supports Deep Packet Inspection (DPI), next generation application control and Quality of Service (QoS). The system delivers exceptional performance in a small form factor with low power requirements.
Hillstone CloudHive provides micro-segmentation to secure each virtual machine (VM) in the cloud. It provides comprehensive visibility of East-West traffic and provides complete protection to stop lateral attacks between VMs. In addition, the CloudHive security service can scale easily to meet demand without business interruption.
Hillstone CloudHive is comprised of three types of virtual modules that work together as a single appliance to provide complete security to each virtual machine.
The virtual Security Orchestration Module (vSOM), integrated and connected with Cloud Management Platforms (CMPs), manages the CloudHive service lifecycle.
The virtual Security Service Module (vSSM) is deployed on each physical server to provide L2-L7 security services.
The virtual Security Control Module (vSCM) is the control panel, supporting policy configuration and distribution, as well as managing the lifecycle of the vSSM.