Network Security / Secure Web Access
 netfence gateways
Effective perimeter security is a combination of firewall, content security and intelligent mail
security. phion netfence integrates all these tasks under one management and efficiently protects your
corporate communication from various enemies such as hacker attacks, viruses, worms, spyware,
disgruntled employees, human error (e.g. your provider), natural disasters, etc.
Features & Benefits
• Integrated multi-purpose protection platform
• Outstanding cost-performance ratio
• Intelligent traffic management
• WAN optimization & Network Access Control
• Extensive networking capabilities
• High Availability
• Powerful real-time & historical reporting capabilities
netfence gateways integrate gigabit-performance firewall,
cutting-edge technology VPN, intrusion prevention, DDoS/DoS
protection, intelligent application-selective bandwidth and
multipath management with other critical application gateway
functionality.
A netfence gateway may also act as a fully fledged SMTP mail
router, DNS server, or HTTP proxy, thereby protecting and
strengthening your infrastructure at both the network and
the application security level.
Firewall
netfence's full-featured firewall component uses the latest in
stateful and deep level inspection based technology to provide
thorough protection against external and internal attacks on
your IT resources. netfence gateways offer a per-rule choice
between performance-friendly stateful packet forwarding and
transparent application proxying for extra protection against
attacks staged at application level. netfence gateways provide
added flexibility and security for today's networks through:
• Fully integrated and easy to maintain solution with hardened
phionOS providing a higher level of security and connectivity
than loosely coupled software based solutions and at the
same time a better cost-performance ratio in the gigabit
domain than specialised appliance solutions.
• Routes all commonly used IP protocols, monitors ARP activity
on all active network interfaces.
• NAT and port address translation (PAT) to shield internal or
non-routable networks.
• Routing or fully-inspected bridging mode of operation.
• Pattern-based intrusion prevention with data stream filtering
on a per rule basis.
• High availability firewall through continuous synchronisation
of existing sessions between HA partners.
• Supports extensive DoS and attack mitigation features
including SYN flood, flood ping, port/address range scans.
Content Security
State-of-the-art firewalls protect your network both at the
network level and at the application level. This is why the
integrated firewall also includes extensive mechanisms for the
recognition of and defence against application-protocol-based
attacks on the server resources of your company's network.
netfence gateways provide effective intrusion prevention by
scanning traffic for known exploit patterns and terminating the
connection instantaneously in case of a match.
Thus the protocol exploit is intercepted before it may ever reach
and harm your server. In addition, netfence gateways provide
transparent redirection of network traffic into local application
gateways such as an SMTP mail router, a secure web proxy or a
local DNS server for extra protocol protection.
Unwanted mails have become a serious problem, clogging
corporate networks. A spam filter integrated into the SMTP mail
gateway of the netfence gateway helps to regain control over mail
traffic by identifying and stopping spam mails.
Spam filter definitions may be set very easily by both
administrator and mail user.
The netfence gateways' built-in HTTP and caching proxy also
provides optional URL filtering services. Web content filtering
allows administrators to consistently enforce and maintain
the corporate security policies. Better control of Internet
access protects networks from unwanted content, increases
productivity and helps enforce compliance initiatives.
All Web and SMTP mail traffic may be scanned for viruses and
other malware by means of a subscribable, fully integrated AV
scanning service. phion netfence gateways thus stop viruses and
malicious code already at the network perimeter.
WAN Optimization
Besides built-in traffic shaping capabilities, netfence gateways
can be extended to include Branch Office Box (BOB)
functionality. This enables packet and data stream compression
in site-to-site as well as VPN client tunnels, effectively increasing
the available bandwidth by a factor of four or even more.
In addition to WAN optimization, firewall bandwidth management
and VPN functionality, netfence appliances feature true traffic
intelligence, turning arbitrary IP communication structures into
highly failsafe networks. Multi-provider setups for Internet link
redundancy and protocol based load balancing over multiple
links for maximum cost-efficiency and maximum reliability are
netfence's daily business. Thus netfence offers optimization of
connection costs through a high availability design that extends
from the link layer all the way to the application level.
netfence gateways allow a traffic management scheme for
each network interface on your netfence gateway. This means
you define the maximum permissible bandwidth for inbound
(ingress) and outbound traffic on the interface as well as eight
traffic bands, each of which is allotted a certain percentage of the
maximum bandwidth. Within the firewall rule set you may assign
traffic to each of these bands based on IP address or network
protocol information. This means your critical applications are
always guaranteed a fixed minimum amount of bandwidth.
Virtual Private Network (VPN)
In addition to a state-of-the-art stateful inspection firewall,
netfence gateways also provide a full-featured VPN solution
facilitating advanced VPN deployments such as cross-linking
company locations, securing wireless LANs with IPsec
technology or linking mobile workers.
The integrated nature of the phionOS ensures that VPN traffic
is routinely inspected after decryption or prior to encryption for
all site-to-site traffic. With netfence, VPN traffic is fully firewalled,
which gives you more granular access control at the tunnel
endpoints for a more thorough enforcement of your security
policies. Using netfence's cutting edge tunnel technology with
traffic intelligence, flexible, reliable and cost-efficient global VPN
security architectures become reality. Highlights include:
• Configure multiple gateways for a given tunnel with
automated fail-over when a gateway becomes unreachable.
• Redundant VPN gateway support.
• Protocol or address based load balancing over several VPN
tunnels (any combination of leased lines, Internet via DSL or
leased line and/or frame relay) due to an interplay of firewall
and routing capabilities of the phionOS. This helps reduce
costs and provides superior VPN high availability.
• Leading encapsulation technology combines the security of
IPsec and the connectivity of SSL based VPN in one product.
• Support for broadband Internet access with dynamic IP
addresses (xDSL, ISDN, Cable).
• Extensive remote access VPN support, flexible and strong
2-factor user authentication including support for Windows
domain logons (pre-logon) and a server-side managed VPN
client firewall to secure all tunnel endpoints.
• Complete central policy management for client VPN.
• Full integration into the entegra network access control
framework.
Management and phionOS
By adding additional structural components, phionOS transforms
a hardened and optimised Linux OS into a fully managed
operating system. Since netfence software comes bundled with
its own optimised operating system phionOS, it provides all
the management advantages of a genuine appliance without
hardware limitations on number or type of available network
interfaces. netfence’s proven speed install procedure takes
less than 4 minutes to get a new gateway up and running or to
restore it to its previous state after a server hardware failure.
phionOS provides many of the core features of the netfence
gateway and is part of all netfence products:
• Extensive networking and routing capabilities to support
multi-provider set-ups or redundant routing paths.
• Separate host firewall protecting netfence gateways from
unauthorized access attempts and attacks.
• VLAN support to facilitate integration of security
into existing networks.
• High availability for maximum reliability &
fault tolerant operation.
• Health-monitoring and real-time activity accounting.
• Support for dynamic IP address assignment commonly used
to connect branch offices to the Internet (broadband).
• GUI based management functions are available in-band or via
dedicated network interfaces.
• Serial interfaces and a command line interface are provided.
Besides the phion.a GUI management, every netfence gateway
can be managed through netfence Management Centres.
These allow enterprises to manage even thousands of netfence
gateways at the lowest cost.
Firewall
High Availability
Stateful packet forwarding
3 per rule
Standby mode
Transparent proxying mode (TCP)
3 per rule
Network notification on failover
Active-Active***, Active-Passive
3
Inline graphical packet analyser
3
Key-based authentication
3
NAT (src, dst, nets), PAT
3
Encrypted HA communication
3
Policy based NAT
3 per rule
Transparent Failover without session loss
3
Protocol support
IPv4, ARP
Provider/Link Failover
3
Gigabit performance
3
Object oriented ruleset
3
VPN
Virtual rule sets
3
Integration into entegra remediation server
Virtual rule test environment
3
Encryption
Redirection to local application
3
Cryptohardware acceleration
Realtime connection status
3
Private CA
Historical access caches
3
External PKI support
Event triggered notification
3
Load balancing for protected servers
3
Multipath load balancing
3
Firewall-to-Firewall compression (stream & packet compr.)
3
Dynamic rules with timer triggered deactivation
3 per rule
x.509v3 policy extensions
Certificate revocation
3
AES-128/256, 3DES, DES, Null
3 ****
3 up to 4096bit RSA
3
Fully recognised
OCSP, CRL
Site-to-site VPN
3
Star (hub and spoke) VPN network topology
3
Client VPN
3
Microsoft domain logon (Pre-logon)
3
Bridging mode / Routing mode (mixed)
3
Strong user authentication
3
Virtual IP (proxyARP) support
3
Replay protection
3
User Authentication (x.509, Microsoft NTLM, RADIUS,
RSA SecurID, LDAP/LDAPS, Microsoft Active Directory)
3
NAT traversal
3
HTTPS and SOCKS proxy compatible
3
Redundant VPN gateways
3
RPC protocol support
VoIP support
ONC-RPC, DCE-RPC
H.323, SIP, SCCP (skinny)
Native IPSEC for 3rd party connectivity
PPTP/L2TP (IPSec)
OSPF via VPN
Network Attack Protection
Active ARP handling
3
3
Inline Intrusion prevention
3
System Management
P2P / IM / Skype detection
3*
In-band management
Attack patterns configurable
3
3 client VPN only
3 unlimited
Dedicated management interface
3 all functions available
3
3
Serial interfaces
Reverse routing path check
3
Central management interface
3
ICMP flood ping protection
3 by size and rate limit
All management via VPN tunnel
3
SSH based access
3
Management Centre compatible
3
System maintenance fully GUI based
3
Command line interface (CLI) available
3
SYN / DoS / DDoS attack protection
Malformed packet check
3
Routing, Networking
Ethernet support
Max number of physical interfaces
802.1q VLAN support
xDSL support
3 (10/100/1000Mbit)
32
3 up to 4096
PPPoE, PPTP (multi-link)
UMTS/EDGE/HSDPA
Appliance-based only
DHCP client support
3
ISDN support
Link monitoring
EuroISDN (syncppp, rawip)
3 (DHCP, xDSL,ISDN)
Policy routing support
3
Ethernet channel bonding
3
Multiple networks on interface, IP aliases
3
Logging/Monitoring/Accounting
System health, activity monitoring
3
Monitoring of network environment
3
Dynamic routing table updates
3
FW connection monitoring
3
Human readable log files
3
Active event notification
UDP/email/SNMP trap
Realtime accounting and reporting
Syslog streaming
Configurable MTU size
3 per route
IPinIP and GRE tunnels
3
Additional functions
Integrated OSPF/RIP router
3
Multi-domain capable DNS server
Traffic Management
Maximum overall bandwidth
On-the-fly reprioritisation
Ingress Shaping
3 per interface
3 via firewall status GUI
3 per interface
Supported services
External database types
MS** NTLM, RADIUS, RSA
SecurID, LDAP/LDAPS,
MS Active Directory
3
SMTP/POP3 gateway
3
SPAM mail filtering
3
GUI-based mail spool queue management
3
Caching HTTP proxy (based on squid)
3
Accounting for additional functions
3
3*
3
Supported Platforms ****
Sun
* Optional Service; requires additional subscription
** MS = Microsoft
*** Only with load balancer
**** Check back for compatibility list
3 fully GUI configurable
3
Standard
For details concerning the available content security filters please refer to
the content security datasheet.
3
NTP4 time server and client
Secure Web Proxy (HTTPS / XML)
VPN, FW, HTTP/FTP/SSH proxy
3 10 sec interval
GUI-based DHCP server management
FTP & SSH gateway
Central User Authentication
Management and/or console
Intel x86
Sun Fire 4200
phion Product family
customer requirements
needs
purpose
solution
Firewall technology at its best
Network
Security
Far more than just a proxy
Secure
Web Access
To fulfil the promise VPNs made
WAN Protection &
Optimization
Protect your most vulnerable and valuable perimeter –
your web applications and services
Web Application
Security
phion airlock
VPN-access via IPsec and SSL and full control over
your LAN endpoints
Access
Control
netfence entegra & VPN Connectors,
SSL VPN
Save costs by enhancing your control level
Management &
Reporting
phion management centres,
netfence reporter
UTM protection for SMBs
UTM
phion M
phion netfence appliances
Contact information

Headquarters
phion AG
Eduard-Bodem-Gasse 1
6020 Innsbruck
AUSTRIA
Phone: +43 (0)508 100
Fax: +43 (0)508 100 20
Mail: office@phion.com

Regional Offices

Austria
phion Sales Office Vienna
Mooslackeng. 15-17 / Top 2042
1190 Vienna
AUSTRIA
Phone: +43 (0)508 100
Fax: +43 (0)508 100 20
Mail: office@phion.com

Germany
phion AG
Humboldtstr. 12
85609 Dornach / Munich
GERMANY
Phone: +49 (0)89 9449 0240
Fax: +49 (0)89 9449 0110
Mail: office@phion.com

Italy
phion AG
Via Cavriana 3
20134 Milan
ITALY
Phone: +39 346 8664 420
Fax: +39 0362 476 863
Mail: office@phion.com

Switzerland
phion Schweiz AG
Ottikerstrasse 59
8600 Zurich
SWITZERLAND
Phone: +43 (0)508 100
Fax: +43 (0)508 100 20
Mail: office@phion.com

United Kingdom
phion UK Ltd.
2 Lansdowne Row #242
London W1J 6HL
UNITED KINGDOM
Phone: +44 191 2574 802
Fax: +43 (0)508 100 20
Mail: office@phion.com

Netherlands
phion netherlands BV
Gorizialaan 9
5926 TA Venlo
NETHERLANDS
Phone: +49 (0)89 9449 0240
Fax: +49 (0)89 9449 0110
Mail: office@phion.com

United Arab Emirates
phion Middle East FZE
RAK Investment Authority Freezone
Ras Al Khaimah
UNITED ARAB EMIRATES
Phone: +971 50 7513 299
Fax: +43 (0)508 100 20
Mail: office@phion.com

© phion AG, Innsbruck, October 2008, Revision 1.3, All rights reserved
phion AG assumes no responsibility for any inaccuracies in this document. phion AG reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
phion, netfence, sintegra, contegrity, sectorwall, entegra, phionOS, netfence Management Centre, netfence Smart Connector, netfence Secure Connector, phion.a, phion.i are registered
trademarks or trademarks of phion AG. All other registered trademarks and trademarks are the property of their respective owner.
www.phion.com