SLA Company Limited is distributor of Hillstone Networks, distribute and support Hillstone Next Generation Firewall to resellers, endusers in Vietnam. The advanced features include Network services, Firewall, IPS, VPN, User identification, Application Control, High Availability.

Hillstone Next Generation Firewall detects and addresses hidden threats previous generation firewalls miss. Real-time traffic data and behavior analysis discover next generation threats early and provide real-time insight into network operations and overall network health. Ground breaking Behavior Reputation and Network Health Behavior Reputation Index and Network Health Index offer practical tools to maximize IT service security and availability.

Hillstone Intelligent Next Generation Firewall offers three deployment scenarios:

• Combined M/G-Series firewall and VM deployment: This scenario combines M/G-Series Next Generation Firewall with software installed on virtual machines for correlation analysis of firewall traffic data. Based on correlation analysis, the firewall can discover and provide early warning of anomalies and adjust policy to address security risks and prevent damage.
• Intelligent cloud services deployment: This scenario combines M/G-series Next Generation Firewall with Hillstone Intelligent Cloud Services for correlation analysis and anomaly detection. The Intelligent Cloud can also provide users with the latest global security intelligence, including new applications and threat features and behavior patterns to help address new and evolving security threats in advance.

Hillstone Next Generation Firewall solution is suitable for enterprise Internet outlets and server front-ends. Behavior Reputation Index, Network Health Index and next-generation firewall features provide robust business security & availability and slash security risk.

Detects more threats and network anomalies than past generation firewalls early and accurately

• Discovers and addresses Botnet, server, DDoS, and abnormal threats missed by legacy signature techniques.
• Provides a foundation to discover and address APT, zero-day and other unknown threats.
• Identifies abnormal threats in advance to slash network security risk and prevent damage.

Monitors and displays network operation status and health in real time

• Monitors availability and security of business services and networks.
• Addresses security threats early, reducing risk of damage.
• Manages security via granular policies.

Slashes operation and maintenance costs

• Provides visual, granular, effective application management.
• Protects against DDoS attacks, Botnets, Trojans, worms, and SQL, XSS, and other Web application attacks. Provides comprehensive protection from the network to the application layer.
• Manages complex business traffic flexibly and conveniently based on users and applications. Improves bandwidth utilization.
• Enhances operation and maintenance efficiency and reduces costs.

Hillstone Next Generation Firewall Product Models:

• T-Series (Intelligent Next-Generation Firewall): T5860, T5060, T3860.
• M/G-Series (Next-Generation Firewall): M8860, M7260, M3108, M3100, M1600, G5150, G2120.

Network services: Hillstone T-Series Intelligent Next-Generation Firewall (iNGFW) is an application-aware firewall that continuously monitors the network. It can identify attacks on all operating systems, applications, devices and browsers. It provides visibility into every stage of an attack and it can detect security breaches within minutes/seconds. It prioritizes hosts with the greatest security risks and provides contextual information about the threat. Security administrators can drill-down into the attack, including packet captures, to analyze all threat details. Hillstone Next Generation Firewall key features:

• Dynamic routing (OSPF, BGP, RIPv2).
• Static and policy routing.
• Route controlled by application.
• Built-in DHCP, NTP, DNS server and DNS proxy.
• Tap mode—connect to SPAN port.
• IPv6 support: Mgt. over IPv6, IPv6 routing protocols, IPv6 tunneling, IPv6 logging and HA.
  Interface modes: sniffer, port aggregated, loopback, VLANS (802.1Q and trunking).
• L2/L3 switching & routing.
• Virtual wire (Layer 1) transparent inline deployment.

Great Firewall:

• Operating modes: NAT/route, transparent (bridge), and mixed mode.
• Policy objects: predefined, custom, and object grouping.
• Application Level Gateways and session support: MSRCP, PPTP, RAS, RSH, SIP, FTP, TFTP, HTTP, dcerpc, dns-tcp, dns-udp, H.245 0, H.245 1, H.323.
• NAT support: NAT46, NAT64, NAT444, SNAT, DNAT, PAT, Full Cone NAT, STUN.
• NAT configuration: per policy and central NAT table.
• VoIP: SIP/H.323/SCCP NAT traversal, RTP pin holing.
• Global policy management view.
• Schedules: one-time and recurring.
• QoS traffic shaping:
  • Max/guaranteed bandwidth tunnels or IP/user basis.
  • Tunnel allocation based on security domain, interface, address, user/user group, server/server group, application/app group, TOS, VLAN.
  • Bandwidth allocated by time, priority, or equal bandwidth sharing.
  • Type of Service (TOS) and Differentiated Services (DiffServ) support.
  • Prioritized allocation of remaining bandwidth.
  • Maximum concurrent connections per IP.
• Virtual firewall: Up to 250 vSYS load balanced firewalls.
• Load balancing:
  • Weighted hashing, weighted least-connection, and weighted round-robin.
  • Session protection, session persistence and session status monitoring.
  • Bidirectional link load balancing.
  • Outbound link load balancing includes policy based routing, ECMP and weighted, embedded ISP routing and dynamic detection.
  • Inbound link load balancing supports SmartDNS and dynamic detection.
  • Automatic link switching based on bandwidth and latency.
  • Link health inspection with ARP, PING, and DNS.

VPN Services:

• IPSec VPN:
  • IPSEC Phase 1 mode: aggressive and main ID protection mode.
  • Peer acceptance options: any ID, specific ID, ID in dialup user group.
  • Supports IKEv1 and IKEv2 (RFC 4306).
  • Authentication method: certificate and pre-shared key.
  • IKE mode configuration support (as server or client).
  • DHCP over IPSEC.
  • Configurable IKE encryption key expiry, NAT traversal keep alive frequency.
  • Phase 1/2 Proposal encryption: DES, 3DES, AES128, AES192, AES256.
  • Proposal authentication: MD5, SHA1, SHA256, SHA384, SHA512.
  • Diffie-Hellman support: 1,2,5.
  • XAuth as server mode and for dialup users.
  • Dead peer detection.
  • Replay detection.
  • Autokey keep-alive for Phase 2 SA.
  • IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode.
  • One time login prevents concurrent logins with the same username.
  • SSL portal concurrent users limiting.
• SSL VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design).
• Configuration options: route-based or policy based.
• IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode.
• One time login prevents concurrent logins with the same username.
• SSL portal concurrent users limiting.
• SSL VPN port forwarding module encrypts client data and sends the data to the application server.
• Supports clients that run iOS, Android, and Windows XP/Vista including 64-bit Windows OS.
• Host integrity checking and OS checking prior to SSL tunnel connections.
• MAC host check per portal.
• Cache cleaning option prior to ending SSL VPN session.
• L2TP client and server mode, L2TP over IPSEC, and GRE over IPSEC.
• View and manage IPSEC and SSL VPN connections.

Hillstone Next Generation Firewall – User identification:

• Local user database.
• Remote user authentication: LDAP, Radius, Active Directory.
• Single-sign-on: Windows AD.
• 2-factor authentication: 3rd party support, integrated token server with physical and SMS.
• User identification.

IPS Advanced features:

• 7,000+ signatures, protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia.
• IPS actions: default, monitor, block, reset (attackers IP or attackers IP and victim IP, incoming interface) with expiry time.
• Packet logging option
• Filter based selection: severity, target, OS, application and/or protocol.
• IP exemption from specific IPS signatures.
• IDS sniffer mode.
• IPv4 and IPv6 rate based DOS protection with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCIP/ICMP session flooding (source/destination).
• Active bypass with bypass interfaces.
• Predefined prevention configuration.

Hillstone Next Generation Firewall – Threat Protection:

• Breach detection: Near real-time breach detection (seconds/minutes); Detailed description and severity of malware closely resembling attack; Pcap files and log files provide corroborating evidence; Confidence level provides certainty of attack.
• Network behavior analysis: L3-L7 baseline traffic compared to real-time traffic to reveal anomalous network behavior; Built-in mitigations technologies include: session limits, bandwidth limits and blocking; Graphical depiction of anomalous behavior compared to baseline and upper and lower thresholds.
• Network Risk Index quantifies the threat level of the network based on the aggregate host index.
• Host Risk Index quantifies the host threat level based on attack severity, detection method, and confidence level.
• Over 1.3 million AV signatures.
• Botnet server IP blocking with global IP reputation database.
• Flow-based Antivirus: protocols include HTTP, SMTP, POP3, IMAP, FTP/SFTP.
• Flow-based web filtering inspection.
• Manually defined web filtering based on URL, web content and MIME header.
• Dynamic web filtering with cloud-based real-time categorization database: over 140 million URLs with 64 categories (8 of which are security related).
• Additional web filtering features: Filter Java Applet, ActiveX and/or cookie, Block HTTP Post, Log search keywords, Exempt scanning encrypted connections on certain categories for privacy.
• Web filtering profile override: allows administrator to temporarily assign different profiles to user/group/IP.
• Web filter local categories and category rating override.
• Inspect SSL encrypted traffic.

Application Control:

• Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk.
• Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference.
• Actions: block, reset session, monitor, traffic shaping.

Hillstone Next Generation Firewall – High Availability:

• Redundant heartbeat interfaces.
• Active/Active and Active/Passive.
• Standalone session synchronization.
• HA reserved management interface.
• Failover: Port, local & remote link monitoring, Stateful failover, Sub-second failover, Failure notification.
• Deployment options: HA with link aggregation, Full mesh HA, Geographically dispersed HA.

Administration:

• Management access: HTTP/HTTPS, SSH, telnet, console.
• Central management: Hillstone Security Manager (HSM), web service APIs.
• System integration: SNMP, syslog, alliance partnerships.
• Dynamic real-time dashboard status and drill-in monitoring widgets.
• Language support: English.

Hillstone Next Generation Firewall – Logs and Reporting:

• Logging facilities: local memory and storage (if available), multiple syslog servers and multiple Hillstone Security Audit (HSA) platforms.
• Encrypted logging and log integrity with HSA scheduled batch log uploading.
• Reliable logging using TCP option (RFC 3195).
• Detailed traffic logs: forwarded, violated sessions, local traffic, invalid packets.
• Comprehensive event logs: system and administrative activity audits, routing & networking, VPN, user authentications, WiFi related events.
• IP and service port name resolution option.
• Brief traffic log format option.

For more information about Hillstone Networks or Next Generation Firewall, please contact with SLA Company Limited. Or next generation UTM firewall solution.