StoneGate Firewall/VPN combines security and high availability features, enabling Secure Information Flow.
For more features, visit www.stonesoft.com


StoneGate Firewall/VPN solution can be used in remote offices as the single security gateway solution as it inspects content for malware in transit.
StoneGate Firewall also scans HTTP, SMTP, POP3 and IMAP traffic for viral content.
The administrator can control what traffic is scanned. For example, he may not want to scan traffic to the corporate intranet over VPN for performance reasons. Antivirus protection is fully controlled with flexible StoneGate Firewall access rules.
The antivirus engine updates itself automatically. Together with StoneGate Firewall's protocol inspection features for HTTP, SMTP, POP3, IMAP and SIP protocols this feature provides strong protection for remote offices.

Although an advanced firewall can do much more than filter packets based on sources and destinations, some threats are most efficiently tackled by complementing the firewall with external content inspection servers (CIS) and external anti-virus gateways.
With StoneGate, this integration can be done easily. Just add one rule to the security rule base and activate an agent to redirect the network traffic to the inspection server. Agent redirection is truly transparent and does not require any additional configuration on the client machines.
For instance, incoming SMTP e-mail traffic could be forwarded from the firewall to the content inspection server for virus and content checking.
According to the firewall security rules, the content inspection server removes suspicious content and the checked packets are returned to the firewall for routing to their final destination.
Viruses and hazardous content will be discarded before packets enter the internal network.
A content inspection server can also be used to control outbound Web traffic. The firewall can redirect traffic to a content inspection server, which examines the destination web address (URL). If the site is on the list of inappropriate sites, traffic is denied. Approved traffic continues as usual.
StoneGate Firewalls and IPS sensors have built-in clustering and load balancing that remove the need for third-party clustering solutions.
Clustering ensures high availability of the security engines, thus allowing uninterrupted operations during system maintenance and updates. StoneGate's built-in load balancing capabilities allow security engines to dynamically balance connections between cluster nodes, transparently transferring connections to available nodes in case a node becomes overloaded or fails. Load balancing is a great way to share the computationally intense processes like deep packet inspection and VPN processing across the cluster of nodes.

The clustering and load-balancing technologies in StoneGate security engine have evolved from Stonesoft's StoneBeat products.
Many companies have to keep Web traffic restrictions in the firewall fairly open for business to run smoothly. This creates a risk that intruders will find their way to the internal networks through web traffic holes in the firewall. StoneGate firewall removes the problem.
StoneGate Firewall has always been able to do basic protocol validation for the web traffic. However, so far only a full-blown Intrusion Prevention System has been able to do more detailed inspection of connections to ensure Web traffic truly is Web traffic and detect any misuse of this route.
Now Stonesoft introduces in the StoneGate Firewall the deep packet inspection that was previously available only in the StoneGate Intrusion Prevention System.

What makes the StoneGate firewall so powerful in deep packet inspection of web traffic is that it has not just a part of the Intrusion Prevention System functionality, but the full system fingerprint library at its disposal, along with the same analysis and inspection capability as the StoneGate Intrusion Prevention System.
Deep packet inspection also includes anti-virus checking. This combination of detailed protocol analysis and fingerprinting together with full antivirus checking for transferred content provides a strong level of security for the web traffic.
StoneGate Firewall provides protection against illegal input and traffic flood DoS attacks without disturbing legitimate network traffic.

TCP SYN flood attacks are stopped by mitigating incoming connection attempts from spoofed source addresses during an attack, preventing them from reaching the target system. StoneGate Firewall quickly identifies the spoofed connection sources and blocks them, while allowing valid user connections to pass through.
UDP flood DoS attacks are controlled by rate-limiting the incoming UDP datagrams against the protected Web service.
Illegal input DoS (a.k.a. trivial DoS) attacks are detected and prevented by the StoneGate Firewall System Policy template by default.
StoneGate Firewall and Intrusion Prevention System work seamlessly together to provide layered defense.

StoneGate Intrusion Prevention System Sensor detects and immediately prevents attacks in the network segment that it is protecting. At the same time, it expands and strengthens the protection against the attacker by sending a blacklist request across the corporate firewall structure. From then on, all corporate firewalls block any further traffic from the attacker and therefore any further attempts to exploit vulnerabilities.
The firewall administrators can set up blacklists manually straight from the firewall logs if they see something alarming in the logs.
Blacklisting can stop worm propagation between network segments. Early quarantine will reduce the time and resources needed for cleaning the worm-infected systems. Combined with whitelisting, blacklisting allows a safe automatic response to attacks while preserving production-critical traffic.
Whitelisting defines connections that must not be blacklisted or blocked, such as critical production traffic. Whitelisting is an effective way to prevent a hacker's misuse of blacklisting.
The blacklisting scope can vary from incident to incident. It can stop traffic from single IP addresses to whole network segments either permanently or just for a certain time period.
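The precedence and scoping described above, as an added Python sketch that is not StoneGate code: whitelist entries win over any blacklist request, and a request can cover a single host or a whole segment, permanently or for a set period. `BlacklistTable`, its methods and the sample addresses (documentation ranges) are hypothetical names and constructed data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class BlacklistEntry:
    network: object              # ipaddress network: one host (/32) or a whole segment
    expires_at: Optional[float]  # None means permanent


class BlacklistTable:
    """Hypothetical per-firewall table; whitelist entries always win."""

    def __init__(self, whitelist):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.entries = []

    def add(self, scope, now, duration=None):
        """Record a blacklist request for `scope`, timed or permanent."""
        expires = None if duration is None else now + duration
        self.entries.append(BlacklistEntry(ipaddress.ip_network(scope), expires))

    def is_blocked(self, src, now):
        addr = ipaddress.ip_address(src)
        # Whitelist first: production-critical sources are never blocked,
        # even if a request (possibly triggered by spoofed traffic) covers them.
        if any(addr in net for net in self.whitelist):
            return False
        # Drop expired timed entries, then match what remains.
        self.entries = [e for e in self.entries
                        if e.expires_at is None or e.expires_at > now]
        return any(addr in e.network for e in self.entries)


def demo():
    # Constructed sample data using documentation address ranges.
    table = BlacklistTable(whitelist=["198.51.100.10/32"])
    table.add("203.0.113.7/32", now=0, duration=600)   # single host, 10 minutes
    table.add("198.51.100.0/24", now=0)                # whole segment, permanent
    return {
        "host_during": table.is_blocked("203.0.113.7", now=300),
        "host_after": table.is_blocked("203.0.113.7", now=601),
        "segment_peer": table.is_blocked("198.51.100.99", now=10_000),
        "whitelisted": table.is_blocked("198.51.100.10", now=10_000),
    }


if __name__ == "__main__":
    print(demo())
```

The whitelisted host inside the permanently blacklisted segment stays reachable, which is the case that keeps an automatic response from cutting off production traffic.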
StoneGate IPS and Firewall are managed through the StoneGate Management Center (SMC) graphical user interface (GUI). The unified configuration view simplifies configuration and makes seamless configuration of the components possible. For example, the ability to use common elements in both components' security policies, and to copy-paste access rules from one rule base to another, reduces the number of human errors.
Traditionally, Internet connections provided by Internet Service Providers (ISP) have been a single point of failure for corporate communications. In order to eliminate this risk, organizations have had to resort to very complicated and costly solutions such as redundant routers and switches, routing protocols and peering arrangements between ISPs.
StoneGate enables you to overcome the Internet availability problems in a simple, straightforward and cost-effective manner. StoneGate provides you the possibility to easily utilize multiple parallel Internet connections. In case of link failure, traffic is automatically routed over to the remaining links.
StoneGate Multi-Link functionality can be deployed when connecting directly to the Internet and in secured office-to-office VPN connections. It supports all sorts of Internet links, such as ISDN, xDSL, leased lines, modem and even satellite connections.
Multi-Link guarantees that you always have Internet connectivity.
MPLS has been historically the most popular choice due to lack of awareness of different approaches. It provides point-to-point connections, but not multiple parallel end-to-end links. Since the service level agreements offered by MPLS providers often limit the liability in case of link downtime, organizations that require 100 percent uptime need additional independent links for redundancy to mitigate the business risks of downtime. MPLS may not be available at every location and doesn’t offer scalability. Plus the cost of MPLS links is typically much higher than regular Internet Service Provider (ISP) connections.
Frame Relay provides dedicated point-to-point connections, but does not utilize multiple parallel end-to-end links. Frame Relay connections are typically expensive and the throughput is often a fraction of typical ISP connections.
BGP, the often-used method for ISP multi-homing, requires additional monetary investment, specialized hardware, as well as complex implementation and management, including the negotiation of cooperative agreements between competing ISPs to ensure performance. StoneGate's Multi-Link Technology, in contrast, works out-of-the-box, with simple drag-and-drop configuration.
Appliances placed "in front" of firewalls use some methods similar to Multi-Link. This dedicated hardware, however, requires additional monetary investment, is maintenance-intensive and must be configured separately. From a technical stan
Organizations want to provide better service to a certain type of traffic when bandwidth is limited by, for example, an Internet Service Provider (ISP) connection. Instead of buying more bandwidth, organizations want to manage their existing bandwidth more efficiently.
Business traffic such as VoIP, ERP, critical transactions and important Web sites should receive precedence over other types of traffic. Sometimes it is good to ensure that important users are guaranteed to receive a certain amount of the available bandwidth, regardless of other traffic.
With StoneGate, you can set bandwidth guarantees and/or limits to different types of traffic so that the important business traffic will always have the required amount of bandwidth available and the non-business traffic will not exceed the defined bandwidth limits.

Some network traffic, like voice streams and real time data for applications like Citrix, is very sensitive to delay (latency).
Organizations need to be able to prioritize such traffic inside their network and to label this traffic so that external network nodes can handle it correctly as well.
With StoneGate you can use QoS classes for prioritizing the traffic. To provide end-to-end QoS, it is not enough that bandwidth management and prioritizing are done in the StoneGate firewall. The classification information should also be relayed to the other devices between the end points, so that they can handle it properly.
That is why StoneGate also provides you with the possibility of marking the outgoing packets with the DSCP (Differentiated Services Codepoint) field.
Voice over IP (VoIP) technology translates analog voice signals into a stream of digitalized packets and sends them to recipients over data (or IP) networks. In other words, VoIP enables telephone calls over the Internet.
VoIP is rapidly growing in popularity, which has also raised some concerns about security.

Since VoIP uses the same paths as the network and Internet traffic, it faces the same challenges and threats that are more commonly linked with the Internet. Viruses, worms, trojan horses, Denial-of-Service attacks, and connection hijacking are all possible threats on the VoIP network. Voice traffic can now be attacked, hacked, intercepted, re-routed, and degraded just like any data packet on the data network.
With StoneGate you not only address security by preventing eavesdropping, hijacking and alteration of data but you also ensure quality and priority for your communications. This leads to higher user satisfaction and simplified administration.
Unencrypted VoIP connections are prone to eavesdropping and other common threats in IP networks.
StoneGate Solution: VoIP connections can be encrypted with StoneGate Firewall & VPN, which secures your communications so they are not vulnerable to e.g. eavesdropping and alteration of data.
Users expect the same reliability from IP networks that they have had in traditional networks and this is often not the case. Connections are not reliable, and network devices become single points of failure.
StoneGate Solution: With StoneGate’s patented Multi-Link Technology you can ensure that the VoIP connections are resilient and have the best possible performance. Also, StoneGate Firewall & VPN is fully clusterable, eliminating single points of failure in the communication path.
VoIP applications may require a lot of bandwidth and disrupt the use of other protocols.
StoneGate Solution: With Bandwidth Management and Quality of Service, StoneGate provides you with the capability to prioritize important traffic or set limits on traffic that has lower importance.
There may be difficulties trying to keep the number of open ports to a minimum and performing network address translation (NAT) to private addresses to increase security.
StoneGate Solution: By supporting SIP as the signaling protocol for VoIP, the StoneGate solution ensures that only the ports necessary for communication are open and no extra ones are needed. NAT is also handled gracefully and transparently by the StoneGate solution.
People expect VoIP services to be available when needed; maintenance windows therefore become disruptive breaks in a critical service.
StoneGate Solution: Because StoneGate is a high-availability solution, maintenance can be done during business hours without any need to disrupt the traffic and without the users even noticing.
As networks become larger and more complex, and the traffic more critical, managing these systems is complicated at best.
StoneGate Solution: StoneGate’s centralized and easy-to-use management system simplifies administration tasks. This means that administrators can manage more devices with fewer resources.

Connectivity may be used for non-business-related and malicious purposes.
StoneGate Solution: Through protocol validation and misuse detection, the StoneGate solution protects your communications from malicious traffic. Bandwidth management guarantees that important traffic always has priority over non-business-related traffic, if so desired.
When you have servers hosting services (Web, file, print, etc.) that need to be available at any given time, it is essential to monitor the health and availability of those servers and be able to direct traffic accordingly.

StoneGate Firewall includes built-in server load balancing for the servers your firewall is protecting.
StoneGate can monitor the servers and automatically perform corrective actions on a problematic server and move traffic over to healthy servers. This also means that maintenance functions can be done during business hours, removing downtime and reducing costs.
Now you can extend the end-to-end availability from Internet connectivity and firewall availability all the way to service availability.
Ensure that no attacks, viruses or other unwanted content can enter or exit the organization network by disguising themselves inside the encryption cloak.
Because the organization’s security relies heavily on perimeter security enforcement in the network, the encrypted HTTPS channel acts as a means to bypass the security functions. A controlled way to open the encryption in the network and to submit the encrypted traffic to the same inspection as clear-text HTTP data eliminates the blind spot in the network protection.
StoneGate SSL inspection gives network security administrators the ability to monitor traffic inside TLS/SSL encryption and to detect and react to any unwanted content.