Hillstone E-Series
Zapory nowej generacji (NGFW)

Kompleksowe bezpieczeństwo sieci z zaawansowanymi
funkcjami zaporowy

Hillstone Seria E:

Granularność aplikacji internetowych.
Firewall Hillstone z serii E są zoptymalizowane pod kątem dogłębnej analizy zawartości aplikacji na wartwie 7, zapewniając kontrolę nad aplikacjami internetowymi niezależnie od portu, protokołu, czy działań wymijających. Identyfikuje potencjalne zagrożenia związane z aplikacjami pod kątem poziomu ryzyka, oraz im zapobiegać. Pozwala tworzyć zasady i polityki dla konkretnych grup użytkowników, jednocześnie gwarantujac przepustowość krytycznym aplikacjom. Technologia ta nazywa się “granularnością aplikacji”.

Wykrywanie i zapobieganie zagrożeniom

Zapory sieciowe serii Hillstone E zapewniają ochronę w czasie rzeczywistym dla aplikacji i ataków sieciowych, w tym wirusów, programów szpiegujących, robaków, botnetów, fałszowania ARP, DoS / DDoS, trojanów, przepełnień buforów i wstrzyknięć SQL. Zawiera zunifikowany silnik wykrywania złośliwego oprogramowania, który dzieli dane pakietu z wieloma zabezpieczeniami bezpieczeństwa (IPS, filtrowaniem adresów URL i antywirusem), co znacznie zmniejsza opóźnienia.

Specyfikacje modeli: Datasheet

Hillstone E-PRO Series Next-Generation Firewall

Hillstone E-1000 Series Next-Generation Firewall

Hillstone E-2000 Series Next-Generation Firewall

Hillstone E-3000 Series Next-Generation Firewall

Hillstone E-5000 Series Next-Generation Firewall

Hillstone E-6000 Series Next-Generation Firewall

Systemy ochrony i usługi

Network services
  • Dynamic routing (OSPF, BGP, RIPv2)
  • Static and policy routing
  • Route controlled by application
  • Built-in DHCP, NTP, DNS server and DNS proxy
  • Tap mode—connect to SPAN port
    Interface modes: sniffer, port aggregated, loopback, VLANS (802.1Q and trunking)
  • L2/L3 switching & routing
  • Virtual wire (Layer 1) transparent inline deployment
Firewall
  • Operating modes: NAT/route, transparent (bridge), and mixed mode
  • Policy objects: predefined, custom, and object grouping
  • Security policy based on application, role and geo-location
  • Application Level Gateways and session support: MSRCP, PPTP, RAS, RSH, SIP, FTP, TFTP, HTTP, dcerpc, dns-tcp, dns-udp, H.245 0, H.245 1, H.323
  • NAT and ALG support: NAT46, NAT64, NAT444, SNAT, DNAT, PAT, Full Cone NAT, STUN
  • NAT configuration: per policy and central NAT table
  • VoIP: SIP/H.323/SCCP NAT traversal, RTP pin holing
  • Global policy management view
  • Security policy redundancy inspection, policy group, policy configuration rollback
  • Policy Assistant for easy detailed policy deployment
  • Policy analyzing and invalid policy cleanup
  • Comprehensive DNS policy
  • Schedules: one-time and recurring
Intrusion Prevention
  • Protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
  • IPS Actions: default, monitor, block, reset (attackers IP or victim IP, incoming interface) with expiry time
  • Packet logging option
  • Filter Based Selection: severity, target, OS, application or protocol
  • IP exemption from specific IPS signatures
  • IDS sniffer mode
  • IPv4 and IPv6 rate based DoS protection with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCIP/ICMP session flooding (source/destination)
  • Active bypass with bypass interfaces
  • Predefined prevention configuration
Anti-Virus
  • Manual, automatic push or pull signature updates
  • Flow-based Antivirus: protocols include HTTP, SMTP, POP3, IMAP, FTP/SFTP
  • Compressed file virus scanning
Attack Defense
  • Abnormal protocol attack defense
  • Anti-DoS/DDoS, including SYN Flood, DNS Query Flood defense
  • ARP attack defense
URL Filtering
  • Flow-based web filtering inspection
  • Manually defined web filtering based on URL, web content and MIME header
  • Dynamic web filtering with cloud-based real-time categorization database: over 140 million URLs with 64 categories (8 of which are security related)
  • Web filtering profile override: allows administrator to temporarily assign different profiles to user/group/IPAdditional web filtering features:
    • Filter Java Applet, ActiveX and/or cookie
    • Block HTTP Post
    • Log search keywords
    • Exempt scanning encrypted connections on certain categories for privacy
  • Web filter local categories and category rating override
Cloud-Sandbox
  • Upload malicious files to cloud sandbox for analysis
  • Support protocols including HTTP/HTTPS, POP3, IMAP, SMTP and FTP
  • Support file types including PE,ZIP, RAR, Office, PDF, APK, JAR and SWF
  • File transfer direction and file size control
  • Provide complete behavior analysis report for malicious files
  • Global threat intelligence sharing, real-time threat blocking
  • Support detection only mode without uploading files
Botnet C&C Prevention
  • Discover intranet botnet host by monitoring C&C connections and block further advanced threats such as botnet and ransomware
  • Regularly update the botnet server addresses
  • prevention for C&C IP and domain
  • Support TCP, HTTP, and DNS traffic detection
  • IP and domain whitelists
IP Reputation
  • Identify and filter traffic from risky IPs such as botnet hosts, spammers, Tor nodes, breached hosts, and brute force attacks
  • Logging, dropping packets, or blocking for different types of risky IP traffic
  • Regular IP reputation signature database upgrade
SSL Decryption
  • Application identification for SSL encrypted traffic
  • IPS enablement for SSL encrypted traffic
  • AV enablement for SSL encrypted traffic
  • URL filter for SSL encrypted traffic
  • SSL Encrypted traffic whitelist
  • SSL proxy offload mode
Endpoint Identification and Control
  • Support to identify endpoint IP, endpoint quantity, on-line time, off-line time, and on-line duration
  • Support 10 operation systems including Windows, iOS, Android, etc.
  • Support query based on IP, endpoint quantity, control policy and status etc.
  • Support the identification of accessed endpoints quantity across layer 3, logging and interference on overrun IP
  • Redirect page display after custom interference operation
  • Supports blocking operations on overrun IP
Data Security
  • File transfer control based on file type, size and name
  • File protocol identification, including HTTP, FTP, SMTP and POP3
  • File signature and suffix identification for over 100 file types
  • Content filtering for HTTP-GET, HTTP-POST, FTP and SMTP protocols
  • IM identification and network behavior audit
  • Filter files transmitted by HTTPS using SSL Proxy
Application control
  • Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk
  • Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference
  • Actions: block, reset session, monitor, traffic shaping
  • Identify and control applications in the cloud
  • Provide multi-dimensional monitoring and statistics for applications running in the cloud, including risk category and characteristics
Quality of Service (QoS)
  • Max/guaranteed bandwidth tunnels or IP/user basis
  • Tunnel allocation based on security domain, interface, address, user/user group, server/server group, application/app group, TOS, VLAN
  • Bandwidth allocated by time, priority, or equal bandwidth sharing
  • Type of Service (TOS) and Differentiated Services (DiffServ) support
  • Prioritized allocation of remaining bandwidth
  • Maximum concurrent connections per IP
  • Bandwidth allocation based on URL category
  • Bandwidth limit by delaying access for user or IP
  • Automatic expiration cleanup and manual cleanup of user used traffic
Server Load balancing
  • Weighted hashing, weighted least-connection, and weighted round-robin
  • Session protection, session persistence and session status monitoring
  • Server health check, session monitoring and session protection
Link Load balancing
  • Bidirectional link load balancing
  • Outbound link load balancing includes policy based routing, ECMP and weighted, embedded ISP routing and dynamic detection
  • Inbound link load balancing supports SmartDNS and dynamic detection
  • Automatic link switching based on bandwidth, latency, jitter, connectivity, application etc.
  • Link health inspection with ARP, PING, and DNS
VPN
  • IPSec VPN:
    • IPSEC Phase 1 mode: aggressive and main ID protection mode
    • Peer acceptance options: any ID, specific ID, ID in dialup user group
    • Supports IKEv1 and IKEv2 (RFC 4306)
    • Authentication method: certificate and pre-shared key
    • IKE mode configuration support (as server or client)
    • DHCP over IPSEC
    • Configurable IKE encryption key expiry, NAT traversal keep alive frequency
    • Phase 1/Phase 2 Proposal encryption: DES, 3DES, AES128, AES192, AES256
    • Phase 1/Phase 2 Proposal authentication: MD5, SHA1, SHA256, SHA384, SHA512
    • Phase 1/Phase 2 Diffie-Hellman support: 1,2,5
    • XAuth as server mode and for dialup users
    • Dead peer detection
    • Replay detection
    • Autokey keep-alive for Phase 2 SA
  • SSL VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design)
  • IPSEC VPN configuration options: route-based or policy based
  • IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode
  • One time login prevents concurrent logins with the same username
  • SSL portal concurrent users limiting
  • SSL VPN port forwarding module encrypts client data and sends the data to the application server
  • Supports clients that run iOS,Android,and Windows XP/Vista including 64-bit Windows OS
  • Host integrity checking and OS checking prior to SSL tunnel connections
  • MAC host check per portal
  • Cache cleaning option prior to ending SSL VPN session
  • L2TP client and server mode, L2TP over IPSEC, and GRE over IPSEC
  • View and manage IPSEC and SSL VPN connections
  • PnPVPN
IPv6
  • Management over IPv6, IPv6 logging and HA
  • IPv6 tunneling, DNS64/NAT64 etc.
  • IPv6 routing including static routing, policy routing, ISIS, RIPng, OSPFv3 and BGP4+
  • IPS, Application identification, URL filtering, Anti-Virus, Access control, ND attack defense
  • Track address detection
VSYS
  • System resource allocation to each VSYS
  • CPU virtualization
  • Non-root VSYS support firewall, IPSec VPN, SSL VPN, IPS, URL filtering
  • VSYS monitoring and statistic
High availability
  • Redundant heartbeat interfaces
  • Active/Active and Active/Passive
  • Standalone session synchronization
  • HA reserved management interface
  • Failover:
    • Port, local & remote link monitoring
    • Stateful failover
    • Sub-second failover
    • Failure notification
  • Deployment options:
    • HA with link aggregation
    • Full mesh HA
    • Geographically dispersed HA
Twin-mode HA
  • High availability mode among multiple devices
  • Multiple HA deployment modes
  • Configuration and session synchronization among multiple devices
User and Device Identity
  • Local user database
  • Remote user authentication: TACACS+, LDAP, Radius, Active
  • Single-sign-on: Windows AD
  • 2-factor authentication: 3rd party support, integrated token server with physical and SMS
  • User and device-based policies
  • User group synchronization based on AD and LDAP
  • Support for 802.1X, SSO Proxy
  • WebAuth page customization
  • Interface based Authentication
  • Agentless ADSSO (AD Polling)
  • Use authentication synchronization based on SSO-monitor
  • Support MAC-based user authentication
Administration
  • Management access: HTTP/HTTPS, SSH, telnet, console
  • Central management: Hillstone Security Manager (HSM), web service APIs
  • System integration: SNMP, syslog, alliance partnerships
  • Rapid deployment: USB auto-install, local and remote script execution
  • Dynamic real-time dashboard status and drill-in monitoring widgets
  • Language support: English
Logs & reporting
  • Logging facilities: local memory and storage (if available), multiple syslog servers and multiple Hillstone Security Audit (HSA) platforms
  • Encrypted logging and log integrity with HSA scheduled batch log uploading
  • Reliable logging using TCP option (RFC 3195)
  • Detailed traffic logs: forwarded, violated sessions, local traffic, invalid packets
  • Comprehensive event logs: system and administrative activity audits, routing & networking, VPN, user authentications, WiFi related events
  • IP and service port name resolution option
  • Brief traffic log format option
  • Three predefined reports: Security, Flow and network reports
  • User defined reporting
  • Reports can be exported in PDF, Word and HTML via Email and FTP
Statistics and Monitoring
  • Application, URL, threat events statistic and monitoring
  • Real-time traffic statistic and analytics
  • System information such as concurrent session, CPU, Memory and temperature
  • iQOS traffic statistic and monitoring, link status monitoring
  • Support traffic information collection and forwarding via Netflow (v9.0)
CloudView
  • Cloud-based security monitoring
  • 7/24 access from web or mobile application
  • Device status, traffic and Threat monitoring
  • Cloud-based log retention and reporting
Wireless
  • Multi-SSID and wireless traffic control (only on E1100W and E1100WG3w)
  • Wire link and WCDMA link back up (Only on E1100WG3w)
  • WCDMA IPSec VPN (Only on E1100WG3w)
IoT Security
  • Identify IoT devices such as IP Cameras and Network Video Recorders
  • Support query of monitoring results based on filtering conditions, including device type, IP address, status, etc.
  • Support customized whitelists