
phion Information Technologies

≥ Product Guide

Copyright 2006, phion Information Technologies GmbH. The information contained within this document is confidential and proprietary to phion Information Technologies GmbH. No portion of it may be copied, distributed, publicised or used for other than internal documentary purposes without the written consent of an official representative of phion Information Technologies GmbH. All specifications are subject to change without notice. phion Information Technologies GmbH assumes no responsibility for any inaccuracies in this document. phion Information Technologies GmbH reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

phion netfence

netfence your network


≥ Perimeter Security

≥ Internal Security

≥ Endpoint Security

≥ Content Security

≥ Secure Connectivity

≥ Central & Local Management

Table of contents

phion‘s Communication Protection Architecture (CPA) .......................................... 5

phion netfence at a glance .................................................................................................. 6

phion netfence Appliances – netfence gateways .......................................................... 8

phion netfence Appliances – netfence contegrity ........................................................ 11

phion netfence Appliances – netfence sintegra ............................................................ 12

phion netfence Appliances – netfence sectorwall ............................................................. 14

netfence VPN Connectors .................................................................................................. 15

netfence Management Centres ......................................................................................... 16

netfence reporter .................................................................................................................. 17

netfence specialists – netfence M ..................................................................................... 18

netfence specialists – netfence industrial ...................................................................... 20

Software and Hardware Extensions ................................................................................ 22

Appendix A – Ordering information .................................................................................. 25

Appendix B – netfence licenses .......................................................................................... 26

Appendix C – Understanding phion Licensing ............................................................... 27

Appendix C – phion Licensing Examples .......................................................................... 28

Appendix C – Technical Details .......................................................................................... 29


IT security is one of the most dynamic and rapidly changing fields of the overall IT market. As the number and size of networks and the protocols supported increase, so do the sophistication of threats, the complexity of security devices and the multitude of regulatory standards IT professionals need to comply with. On top of this, IT departments need to solve problems efficiently and effectively while facing a continual lack of resources and an ever increasing need to cut costs.

In order to successfully meet the requirements of such a demanding environment, security operations need to become more efficient. With its netfence product line, phion facilitates achieving all these goals, while making sure key corporate assets are protected from internal and external threats.

The vision and conceptual goal of phion netfence is to help IT professionals meet the most demanding security standards while ensuring economic viability, transparency and manageability across the corporate network.

The products in our netfence Communication Protection Architecture (CPA) ensure that all aspects relevant to security are addressed consistently at all times – from perimeter defence, through secure and highly available links with subsidiaries, to defence against hazardous content and protection of internal networks. The functionality and management of all the components deployed are seamlessly integrated so that they derive maximum benefit from your infrastructure with minimal use of resources.

CPA's gateway components are all based on identical software, which reduces configuration and life cycle management complexity and eases operational management. phion solutions are perfectly meshed appliance and software combinations for all security and connectivity requirements. This high level of integration combines with central management to create a particularly low Total Cost of Ownership (TCO) and reduces the complexity of the infrastructure.

CPA’s products are based on the following groups:

netfence appliances

netfence Management Centres

netfence VPN Connectors.

The netfence Management Centres are the foundation of phion's Communication Protection Architecture. From the smallest branch office with a staff of three, up to a Managed Service Provider environment with several thousand customers, they manage all netfence components centrally.

netfence appliances are the backbone of the CPA and cover every relevant network security aspect enterprise-wide.

They include netfence gateways for perimeter security, secure connectivity and WAN optimisation with netfence sintegra appliances for branch offices, netfence contegrity for content security and netfence sectorwall for internal security.

netfence VPN Connectors ensure secure VPN connections for mobile desktops.

Purpose             | netfence Product group
--------------------|-------------------------------------------
Perimeter Security  | netfence gateways (netfence appliances)
Internal Security   | netfence sectorwall (netfence appliances)
Secure Connectivity | netfence sintegra (netfence appliances)
Content Security    | netfence contegrity (netfence appliances)
Endpoint Security   | netfence VPN Connectors
Management          | netfence Management Centre

phion's Communication Protection Architecture (CPA)

[Figure: CPA deployment diagram. Network areas shown: HQ LAN, HQ Internal LAN Segment, Branch Office LAN, Internet, with VPN connections over xDSL, UMTS and Wireless. Components shown: netfence gateway, netfence sectorwall, netfence contegrity, netfence sintegra, netfence Management, phion.a workstation (Global), netfence VPN Connectors.]

The Enemies of Your Corporate Communication

≥ Hacker attacks on your infrastructure that transform branches, subsidiaries and laptops into wide open gateways to your network

≥ Viruses, worms, spyware & Co. that paralyse your entire corporate network and disseminate business secrets on the Internet

≥ Spam that stops your staff working and gobbles up bandwidth

≥ Disgruntled employees who are free to browse your network and have uncontrolled access to critical data

≥ Human error at your ISP or other service providers, who render your sites and applications inaccessible as a result of the smallest configuration errors

≥ Unforeseen accidents during construction work, technical maintenance operations, etc. that damage an important power or communication line somewhere in the world

≥ Natural disasters that can put entire regions out of action without any advance warning


netfence VPN Connectors

netfence VPN Connectors combine all the requirements for powerful VPN client software: secure authentication and strong encryption ensure that only authorised users have access and that communication is safeguarded against eavesdropping. Since VPN clients are simultaneously linked with the company network and the untrustworthy Internet, phion has also integrated a powerful Personal Firewall.

netfence VPN Connectors

                                    | netfence Smart Connector | netfence Secure Connector
------------------------------------|--------------------------|-----------------------------------------
Purpose                             | Secure Connectivity      | Secure Connectivity & Endpoint Security
Centrally managed Personal Firewall | -                        | ✔
BOB extension available             | -                        | ✔

netfence “Specialists”

Designed for deployment in adverse environments for IT, netfence industrial allows extending the CPA to industrial facilities.

netfence M provides the perfect Unified Threat Management solution for small and medium-sized companies that want to protect a single location at low cost.

                      | netfence industrial                  | netfence M
----------------------|--------------------------------------|-----------------------
Purpose               | Protection for industrial facilities | UTM appliance
Models                | 1                                    | M1, M2, M3
Users                 | unlimited                            | unlimited
Limits                | -                                    | no central management
Available as software | -                                    | -


phion netfence at a glance

netfence appliances

netfence appliances are the backbone of the CPA. Equipped with identical software they offer optimum performance and protection to fit all your security needs.

By using BOB enhancements for netfence gateways or netfence sintegra, their functionality scope is extended by adding high-performance data compression.

                           | netfence gateway        | netfence sectorwall | netfence contegrity | netfence sintegra
---------------------------|-------------------------|---------------------|---------------------|---------------------------
Purpose                    | Perimeter Security      | Internal Security   | Content Security    | Secure Connectivity
Models                     | 10 different appliances | 500, 2000           | 100, 1000           | XS, S
Users                      | 10 to unlimited         | unlimited           | unlimited           | XS: 10, 25; S: 10, 25, 50
BOB extension available    | ✔                       | -                   | -                   | ✔
UMTS & ISDN extension      | ✔*                      | -                   | -                   | ✔
Also available as software | ✔                       | ✔                   | ✔                   | -

* Depends on appliance model

netfence Management Centres

netfence Management Centres are the key to comprehensive management of even the most complex security infrastructures for profitable deployment of resources. The netfence Communication Protection Architecture solutions are administered through dedicated and centralized servers that afford access to all functionalities – up to the operating-system level of phionOS.

netfence Management Centre

                                    | Entry Edition       | Enterprise Edition           | Global Player Edition
------------------------------------|---------------------|------------------------------|---------------------------
Purpose                             | Mid-sized companies | Mid-sized to large companies | Large companies and MSSPs
Manageable nodes                    | unlimited           | unlimited                    | unlimited
Recommended number of managed nodes | 50                  | 200                          | 1000+
Hierarchical depth                  | 1                   | 2                            | 3
netfence reporter available         | -*                  | ✔                            | ✔

* only with Option Pack 1


Appliance Models for netfence gateways

There are various hardware options available depending on the number of users and whether rack casing is preferred. Optional hardware support is also available.

Please see the tables below for phion's hardware recommendations based on different requirements.

Medium requirements                                  | nf-240     | nf-240 Rack | S6         | S16        | M50
-----------------------------------------------------|------------|-------------|------------|------------|-----------
Firewall performance*                                | 172Mbps    | 172Mbps     | 146Mbps    | 164Mbps    | 211Mbps
VPN performance (AES128)** [x/y***]                  | 39/112Mbps | 39/112Mbps  | 30/110Mbps | 56/112Mbps | 54Mbps
Typical user licence                                 | 10-100     | 10-100      | 10-100     | 10-100     | 10-100
# of NICs (100/1000)                                 | 4/0        | 4/0         | 4/0        | 4/0        | 4/0
Expansion slots (for additional NICs or UMTS/ISDN)   | 1 PCI      | 1 PCI       | 1 PCI      | 1 PCI      | 1 PCI
Rack-mountable                                       | -          | ✔           | -          | -          | ✔
UMTS add-on                                          | UMTS-SC    | UMTS-SC     | UMTS-HG    | UMTS-HG    | UMTS-HG
ISDN add-on                                          | ISDN-SC    | ISDN-SC     | ISDN-HG    | ISDN-HG    | ISDN-HG
Product number                                       | APP-nf-240 | APP-nf-240R | APP-S6     | APP-S16    | APP-M50

High requirements                                    | nf-421     | nf-431     | M1000     | M2000
-----------------------------------------------------|------------|------------|-----------|-----------
Firewall performance*                                | 356Mbps    | 386Mbps    | 442Mbps   | 442Mbps
VPN performance (AES128)**                           | 209Mbps    | 228Mbps    | 243Mbps   | 243Mbps
Typical user licence                                 | 50-500     | 50-500     | 50-500    | 50-500
# of NICs (100/1000)                                 | 2/4        | 0/6        | 2/2       | 4/4
Expansion slots (for additional NICs or UMTS/ISDN)   | 1 PCI      | 1 PCI      | 1 PCI     | 1 PCI
Rack-mountable                                       | ✔          | ✔          | ✔         | ✔
UMTS add-on                                          | UMTS-SC    | UMTS-SC    | UMTS-HG   | UMTS-HG
ISDN add-on                                          | ISDN-SC    | ISDN-SC    | ISDN-HG   | ISDN-HG
Product number                                       | APP-nf-421 | APP-nf-431 | APP-M1000 | APP-M2000

Ultra-high requirements                              | nf-780        | nf-850        | L1000     | L2000
-----------------------------------------------------|---------------|---------------|-----------|-----------
Firewall performance*                                | 3814Mbps      | > 4000Mbps    | 4085Mbps  | 4052Mbps
VPN performance (AES128)**                           | 267Mbps       | 300Mbps       | 318Mbps   | 300Mbps
Typical user licence                                 | 250-UL        | 250-UL        | 250-UL    | 250-UL
# of NICs (100/1000)                                 | 0 (0/16 max.) | 0 (0/12 max.) | 0/8       | 1/10
Expansion slots (for additional NICs or UMTS/ISDN)   | 1 PCI-X       | 1 PCI-X       | 1 PCI-X   | 2 PCI-X
Expansion slots (for NICs only)                      | 4             | 3             | 0         | 0
Rack-mountable                                       | ✔             | ✔             | ✔         | ✔
UMTS add-on                                          | -             | -             | UMTS-HG   | UMTS-HG
ISDN add-on                                          | -             | -             | ISDN-HG   | ISDN-HG
Product number                                       | APP-nf-780    | APP-nf-850    | APP-L1000 | APP-L2000


phion netfence Appliances – netfence gateways

Overview

netfence gateways combine all functions of modern network security infrastructures and, primarily, are used as classic perimeter security systems. They are also the central entities for branch office networking and Unified Threat Management infrastructures.

The flexible structure of netfence gateways ensures that customer requirements concerning number of users, performance, NICs etc., as well as an advantageous cost-value ratio, are entirely met. Ranging from 10 to unlimited users, phion's offering is a comprehensive appliance family for all requirements. netfence gateways are fully integrated into CPA's central management architecture.

Target market

Large and mid-sized companies demanding a great deal of scalability, manageability, and flexibility of their security infrastructure’s central components.

Product variants

netfence gateways are available on perfectly corresponding appliances for 10, 25, 50, 100, 250, 500 and unlimited users. High availability licenses can also be obtained as well as upgrade licenses that are charged at the respective price difference. netfence gateways are also available as software-only licenses and can be deployed on standard x86 Hardware.

Module                  | netfence 10, 25 | netfence 50 to unlimited
------------------------|-----------------|-------------------------
Network Security        |                 |
  Firewall              | ✔               | ✔
  Intrusion Prevention  | ✔               | ✔
  DHCP relay            | ✔               | ✔
  VPN server            | ✔               | ✔
Application Security    |                 |
  HTTP proxy            | ✔               | ✔
  URL filter            | optional        | optional
  Mail gateway          | optional        | ✔
  Spam filter           | optional        | ✔
  FTP gateway           | optional        | ✔
  SSH proxy             | optional        | ✔
  Antivirus             | optional        | optional
Infrastructure Security |                 |
  DNS server            | optional        | ✔
  DHCP server           | ✔               | ✔
OS Security             |                 |
  phionOS               | ✔               | ✔
  Realtime accounting   | ✔               | ✔
  SNMP                  | ✔               | ✔
  OSPF/RIP              | ✔               | ✔

Models         | netfence 10, 25 | netfence 50 to unlimited
---------------|-----------------|------------------------------
Users          | 10, 25          | 50, 100, 250, 500, unlimited
Product number | NF-10, NF-25    | NF-50, ... NF-500, NF-IPU

* Firewall performance tested with large packets
** VPN performance tested with AES-128 and large packets
*** Performance with BOB enhancement

Overview

A large amount of undesired content enters companies via email and the Internet. Attackers specialize in gaining access to sensitive data through manipulated emails and Web pages. Together these facts represent not only a serious threat to critical data and processes, but also a major burden on employees' productivity and network performance. Companies react by purchasing best-of-breed solutions that offer effective protection against worms, viruses, spam, etc., aiming to block threats before they penetrate the internal network. However, given the increasing complexity and sometimes the over-functional nature of such solutions, these goals are rarely achieved.

netfence contegrity provides an all-in-one, best-of-need, manageability-driven solution. It includes email security through highly scalable Web and email proxies and state-of-the-art Web and email content security. netfence contegrity appliances allow companies to pave their way towards corporate success by improving network performance, enhancing productivity and cutting overheads.

Target Market

Large and mid-sized companies that need to make sure that content gaining access to the corporate network does not represent a threat to valuable corporate assets while ensuring the highest levels of productivity and performance.

Product Variants

netfence contegrity is available on two platforms with different performance levels:

netfence contegrity 100 is for use in environments with up to 100 users.

netfence contegrity 1000 is intended for use in environments with up to 1000 users.

netfence contegrity is also available as a software-only license. Note that the performance of the software-based contegrity solutions depends on the performance of the machine where the software is installed.

Module                  | netfence contegrity 100 | netfence contegrity 1000
------------------------|-------------------------|-------------------------
Network Security        |                         |
  Firewall              | -                       | -
  Intrusion Prevention  | -                       | -
  DHCP relay            | -                       | -
  VPN server            | -                       | -
Application Security    |                         |
  HTTP proxy            | ✔                       | ✔
  URL filter*           | optional                | optional
  Mail gateway          | ✔                       | ✔
  Spam filter           | ✔                       | ✔
  FTP gateway           | -                       | ✔
  SSH proxy             | -                       | ✔
  Antivirus*            | optional                | optional
Infrastructure Security |                         |
  DNS server            | ✔                       | ✔
  DHCP server           | ✔                       | ✔
OS Security             |                         |
  phionOS               | ✔                       | ✔
  Realtime accounting   | ✔                       | ✔
  SNMP                  | ✔                       | ✔
  OSPF/RIP              | ✔                       | ✔

                                       | netfence contegrity 100 | netfence contegrity 100 Rack | netfence contegrity 1000
---------------------------------------|-------------------------|------------------------------|-------------------------
Recommended users                      | 100                     | 100                          | 1000
Appliance model                        | nf-240                  | nf-240 Rack                  | nf-431
Rack mountable                         | -                       | ✔                            | ✔
# of NICs                              | 4                       | 4                            | 6
Expansion slots (for additional NICs)  | 1                       | 1                            | 1
Product number                         | CTY-100-SC              | CTY-100-SCR                  | CTY-1000-SC

* URL filter & antivirus options require additional subscriptions.


phion netfence Appliances – netfence contegrity


BOB-Pack (Branch Office Box): Available for all netfence gateways

Benefit: WAN optimisation through data stream compression. Activation of hardware crypto acceleration on nf-240, S6 and S16. Effective increase of available WAN bandwidth, cost savings, improved encryption performance for up to 100Mbps AES128 wire-speed encryption.

netfence VPN Connectors: Available for all netfence gateways

Benefit: Secure authentication, strong encryption, unrestricted connectivity, and implementation of central security policies. Integrated personal firewall offering comprehensive application protection features and ease of use.

Gateway user license                   | 10   | 25   | 50   | 100   | 250   | 500   | UL
---------------------------------------|------|------|------|-------|-------|-------|------
netfence Secure Connector (incl./max)  | 0/10 | 0/25 | 5/UL | 10/UL | 15/UL | 20/UL | 30/UL
netfence Smart Connector (incl./max)   | 0/10 | 0/25 | 0/UL | 0/UL  | 0/UL  | 0/UL  | 0/UL

UMTS-Option: Available for some appliance models (see above)

Benefit: Preparation of the box to host a UMTS cardbus adapter card from Option Wireless Technologies and thus use UMTS/HSDPA/EDGE protocols for wireless communication.

ISDN-Option: Available for some appliance models (see above)

Benefit: Includes an ISDN card supporting the EURO-ISDN standard

Content Subscription Licenses

Antivirus: Available for all user categories independent of the gateway license

URL filter: Available for all user categories independent of the gateway license

Limitations

The 10 and 25 user licenses do not contain the mail gateway, spam filter, FTP proxy, SSH proxy, or DNS server.

The 10 and 25 user licenses have no HA option.

Upgrades and High Availability

10 to unlimited users: an upgrade is always possible. The price difference will be charged.

Each gateway license from 50 to unlimited is also available as a price-reduced HA license. However, it is not possible to combine gateways with different HA gateways, e.g., an NF-500 with an HA-NF-50. It is possible to combine different hardware, although this is not recommended.

Add-ons for netfence gateways

Upgrades and High Availability

An upgrade is not possible from one product to the next.

HA: Ordering of an HA machine is possible, but only for the same model, e.g., it is not possible to combine a contegrity 1000 with an HA unit for contegrity 100.

Limitations

The FTP & SSH gateway is only available for contegrity 1000.

No upgrade is available from 100 to 1000 since they use different hardware platforms.

An upgrade from the desktop to the rack version is not available.


Models                                              | netfence sintegra XS 10 | netfence sintegra XS 25 | netfence sintegra S 10        | netfence sintegra S 25        | netfence sintegra S 50
----------------------------------------------------|-------------------------|-------------------------|-------------------------------|-------------------------------|------------------------------
Users                                               | 10                      | 25                      | 10                            | 25                            | 50
Firewall throughput                                 | 140Mbps                 | 140Mbps                 | 172Mbps                       | 172Mbps                       | 172Mbps
VPN (AES-128) throughput [x/y*]                     | 30/90Mbps               | 30/90Mbps               | 40/112Mbps                    | 40/112Mbps                    | 40/112Mbps
Appliance model                                     | nf-240                  | nf-240                  | nf-240 / nf-240 Rack          | nf-240 / nf-240 Rack          | nf-240 / nf-240 Rack
Rack mountable                                      | -                       | -                       | - / ✔                         | - / ✔                         | - / ✔
# of NICs                                           | 4                       | 4                       | 4                             | 4                             | 4
Expansion slots (for additional NICs, UMTS, ISDN)   | 1 PCI                   | 1 PCI                   | 1 PCI                         | 1 PCI                         | 1 PCI
Product number                                      | SIN-XS-10-SC            | SIN-XS-25-SC            | SIN-XS-10-SC / SIN-XS-10-SCR  | SIN-XS-25-SC / SIN-XS-25-SCR  | SIN-XS-50-SC / SIN-XS-50-SCR

BOB-Pack (Branch Office Box): Available for both netfence sintegra XS and netfence sintegra S

Benefit: WAN optimisation through data stream compression. Activation of hardware crypto acceleration on nf-240, S6 and S16. Effective increase of available WAN bandwidth, cost savings, improved encryption performance for up to 100Mbit/s AES128 wire-speed encryption.

netfence VPN Connectors: Available for both netfence sintegra XS and netfence sintegra S

Benefit: Secure authentication, strong encryption, unrestricted connectivity and implementation of central security policies. Integrated personal firewall offering comprehensive application protection features and ease of use.

netfence sintegra                                | XS 10 | XS 25 | S 10 | S 25 | S 50
-------------------------------------------------|-------|-------|------|------|-----
max. netfence VPN Connectors (Smart or Secure)   | 5     | 10    | 10   | 25   | 25

UMTS-Option: Available for both netfence sintegra XS and netfence sintegra S

Benefit: Preparation of the box to host a UMTS cardbus adapter card from Option Wireless Technologies and thus use UMTS/HSDPA/EDGE protocols for wireless communication.

ISDN-Option: Available for both netfence sintegra XS and netfence sintegra S

Benefit: Includes an ISDN card supporting the EURO-ISDN standard

Content Subscription Licenses | netfence sintegra XS | netfence sintegra S
------------------------------|----------------------|--------------------
Antivirus                     | -                    | 10, 25, 50
URL filter                    | 10, 25               | 10, 25, 50


Overview

netfence sintegra is a branch office gateway for the successful integration of remote branch offices into the existing network infrastructure. It provides seamless availability of all critical business applications and data across the corporate network. netfence sintegra is supplied in two different versions – XS and S. netfence sintegra S is additionally equipped with real-time accounting capabilities and a more powerful CPU. The netfence sintegra appliances are available with licenses for 10, 25 and 50 users.

Target Market

Large and mid-sized enterprises that need to provide remote sites with comprehensive security functionality and maximum availability of their digital communication, and are looking to significantly reduce operational costs.

Product Variants

The sintegra XS and S product line comprises slimline desktop base hardware versions equipped with netfence sintegra XS or S licences as appropriate. For sintegra S, a rack version is also available.

Module                  | netfence sintegra XS 10 | netfence sintegra XS 25 | netfence sintegra S 10 | netfence sintegra S 25 | netfence sintegra S 50
------------------------|-------------------------|-------------------------|------------------------|------------------------|-----------------------
Network Security        |                         |                         |                        |                        |
  Firewall              | 10                      | 25                      | 10                     | 25                     | 50
  Intrusion Prevention  | ✔                       | ✔                       | ✔                      | ✔                      | ✔
  DHCP relay            | ✔                       | ✔                       | ✔                      | ✔                      | ✔
  VPN server            | ✔                       | ✔                       | ✔                      | ✔                      | ✔
Application Security    |                         |                         |                        |                        |
  HTTP proxy            | ✔                       | ✔                       | ✔                      | ✔                      | ✔
  URL filter            | optional                | optional                | optional               | optional               | optional
  Mail gateway          | -                       | -                       | optional*              | optional*              | optional*
  Spam filter           | -                       | -                       | optional*              | optional*              | optional*
  FTP gateway           | -                       | -                       | -                      | -                      | -
  SSH proxy             | -                       | -                       | -                      | -                      | -
  Antivirus             | -                       | -                       | optional               | optional               | optional
Infrastructure Security |                         |                         |                        |                        |
  DNS server            | -                       | -                       | -                      | -                      | -
  DHCP server           | ✔                       | ✔                       | ✔                      | ✔                      | ✔
OS Security             |                         |                         |                        |                        |
  phionOS               | ✔                       | ✔                       | ✔                      | ✔                      | ✔
  Realtime accounting   | -                       | -                       | ✔                      | ✔                      | ✔
  SNMP                  | ✔                       | ✔                       | ✔                      | ✔                      | ✔
  OSPF/RIP              | ✔                       | ✔                       | ✔                      | ✔                      | ✔

phion netfence Appliances – netfence sintegra

Limitations

The Antivirus option is available for sintegra S only.

The Mail gateway and Spam filter are available only for sintegra S and in conjunction with the Antivirus option.

The Statistics feature is not available for sintegra XS.

The UMTS and ISDN options should be specified at ordering time. Otherwise, extra handling may be required.

No upgrade is available from XS to S since they use different hardware platforms.

No upgrade is available from the desktop to the rack version for sintegra S.

Upgrades and High Availability

10 to 25 users: Upgrade purchase available for XS and S; the netfence price will be charged for the HA-box.

HA: upgrade is possible. It requires an additional product of the same kind.

* Performance with BOB enhancement

* In conjunction with Antivirus, without additional charge


Overview

In order to meet the demanding requirements of today's connectivity, comprehensive solutions are required that not only enforce endpoint compliance with the corporate security policies, but also guarantee the up-to-date health status and performance of the endpoint's Antivirus, Antispam, etc. products.

The netfence VPN Connectors meet these high requirements: the integrated personal firewall is easy to use and offers comprehensive application protection features. Unrestricted connectivity is provided by combining the benefits of IPsec and SSL-VPN, so that NAT Traversal and HTTPS/SOCKS proxy compatibility are possible. Secure authentication and strong encryption are guaranteed. The netfence VPN Connectors will also soon include Microsoft NAP and Cisco NAC support, easing the standard implementation of central security policies and ensuring the health status of endpoints remotely accessing the corporate network.

Target Market

Every enterprise with secure connectivity as a component of its IT concept benefits from netfence VPN Connectors, regardless of its size.

Product Variants

netfence VPN Connectors are available in two versions:

netfence Smart Connector

netfence Secure Connector

Both types offer the complete range of security and connectivity features, including a Personal Firewall.

Additionally, netfence Secure Connector provides central management for the client's Personal Firewall and, with Release 7, BOB, i.e., application acceleration via data compression.

                                                   | netfence Smart Connector | netfence Secure Connector
---------------------------------------------------|--------------------------|------------------------------
VPN Client with IPSec in SSL encapsulation         | ✔                        | ✔
Personal Firewall                                  | ✔                        | ✔
Personal Firewall centrally managed by VPN-Server  | -                        | ✔
BOB compatibility                                  | -                        | ✔ (with R7)
Operating Systems                                  | Windows 2000, Windows XP | Windows 2000, Windows XP
Available user packages                            | 5, 50, 100, 1000         | 5, 25, 50, 100, 500, 1000
Product number                                     | VPN-C5 to VPN-C1000      | VPN-SC5 to VPN-SC1000

netfence VPN Connectors

Upgrades and High Availability

Upgrade is possible from Smart Connectors to Secure Connectors. The price difference will be charged.

Limitations

Smart Connectors are also available for several Linux and BSD flavours as well as for MacOS. Compatibility with these operating systems, however, cannot be guaranteed.


Overview

Modern security architectures do not simply protect corporate networks at the interface to the outside world. Typically, the most "successful" threats originate internally. Internal firewalling and network zoning help protect vital IT assets from internal attacks and abuse. The netfence sectorwall appliances, specially designed for deployment in the internal corporate network, present the optimum solution for internal firewalling and LAN zoning. They allow efficient implementation of security policies right across the organisation.

With netfence sectorwall, company-wide security policies are not restricted to the perimeter and branch offices, they can also be implemented in the increasingly important core areas.

netfence sectorwall is available as a software and an appliance solution.

Target Market

Large and mid-sized enterprises that require comprehensive protection of vital IT assets from internal attacks and abuse and aiming at acquiring a firewalling and network zoning solution specially designed for deployment in the internal corporate network.

Product Variants

netfence sectorwall is offered on two platforms with different performance levels:

netfence sectorwall 500 is intended for throughput of up to several 100Mbps. The number of licensed IP addresses is unlimited.

netfence sectorwall 2000 has been designed for throughput of up to 2 Gbit/s. The number of licensed IP addresses is unlimited.

The netfence sectorwall is also offered as a software-only license. Note that the throughput of the software-based sectorwall solutions depends on the performance of the machine where the software is installed.

Module                  | netfence sectorwall 500/2000
------------------------|-----------------------------
Network Security        |
  Firewall              | ✔
  Intrusion Prevention  | ✔
  DHCP relay            | ✔
  VPN server            | -
Application Security    |
  HTTP proxy            | -
  URL filter            | -
  Mail gateway          | -
  Spam filter           | -
  FTP gateway           | ✔
  SSH proxy             | ✔
  Antivirus             | -
Infrastructure Security |
  DNS server            | -
  DHCP server           | -
OS Security             |
  phionOS               | ✔
  Realtime accounting   | ✔
  SNMP                  | ✔
  OSPF/RIP              | ✔

                                       | netfence sectorwall 500 | netfence sectorwall 2000
---------------------------------------|-------------------------|-------------------------
Firewall throughput                    | 386Mbps                 | 3814Mbps
Appliance model                        | nf-431                  | nf-780
Rack mountable                         | ✔                       | ✔
# of NICs                              | 6                       | 8 (max. 16)
Expansion slots (for additional NICs)  | 1                       | 1
Product number                         | SEC-500-SC              | SEC-2000-SC

phion netfence Appliances – netfence sectorwall

Upgrades and High Availability

An upgrade from sectorwall 500 to sectorwall 2000 is not possible.

HA: Ordering of an HA machine is possible, but only for matching models, e.g., it is not possible to combine a sectorwall 2000 with an HA unit for sectorwall 500.

Limitations

netfence sectorwall products may not be used at Internet perimeters.

phion cannot specify the throughput of the software based solution as it depends on the performance of the hardware where it is installed.

The software-based solution of sectorwall is only available in conjunction with operation through a MC.


Overview

The netfence reporter complements a netfence Management Centre (MC) through on-demand automatic processing of statistics and event data into reports. The netfence reporter is a dedicated server system running a novel set of services on top of phionOS. It provides the right means to consolidate, analyze and present the enormous amount of accounting data generated by the netfence systems. In doing so, it provides the means for analyzing network behavior, measuring the effectiveness of security policies, or optimizing the economic viability of the whole connectivity and security investment, among others, at a very attractive cost-benefit ratio. On top of this, its ease of use and attractive Web-based interface make it appropriate for all kinds of users, ranging from IT administrators to general management.

Target Market

IT administrators and general management of medium and large enterprises wishing to turn large amounts of raw data into valuable corporate information.

IT administrators and general management of medium and large enterprises aiming at optimizing the economic viability of the whole connectivity and security investment.

Product Variants

The netfence reporter is currently available as a single edition and requires a reporter server license to run the service components. The number of netfence systems whose data is to be processed is an additional license parameter. Any netfence system which is a primary box for a server is counted. Systems solely used as standby machines are not counted.

Module                         | netfence reporter | netfence reporter Packages
-------------------------------|-------------------|---------------------------
netfence reporter              | ✔                 | -
Packages for reporting system  | -                 | ✔
Product number                 | NF-REP            | NF-REP-5 to NF-REP-500

netfence reporter hardware requirements

CPU: 3 GHz

RAM: 2 GB

Storage: 1 TB

RAID: For basic storage and data retrieval requirements, use of RAID is advisable

Network connection: 100Mbps NIC Ethernet adapter

Web Interface Requirements

Windows 2000/2003, Windows XP

Internet Explorer version 6.0 or higher (required)

netfence reporter


netfence Management Centres

Available MC add-ons

The netfence reporter is available for Management Centres Enterprise and Global Player Edition as well as the Entry Edition with Option Pack 1.

Upgrades and High Availability

An upgrade is possible from one edition to the next one. The cost is the price difference between editions.

High Availability is available for all editions at reduced prices.

Overview

Security-conscious enterprises and managed security service providers constantly deploy more and more security gateways throughout their networks. These gateways have to be rolled out, configured, and monitored constantly. Regardless of how convenient configuration and operation of an individual device are, managing tens or hundreds of such security devices individually is costly in terms of the skilled manpower required.

Management Centres help to significantly reduce the cost associated with security management while providing extra functionality both centrally and locally at the managed gateway. Central management also eliminates the risk of overlooked security policy inconsistencies. Administrators use netfence Management Centres to monitor the system health and security status of remote gateways, manage netfence gateway configurations and software, define global administration roles and scopes, or retrieve data on individual or collective gateway activity useful for accounting or billing purposes.

Target Market

Large and mid-sized enterprises wanting to reduce the complexity and costs associated with security management while providing extra functionality both centrally and locally at the managed gateway.

Product Variants

netfence Management Centre is available in three different editions:

≥ netfence Management Centre Entry Edition

≥ netfence Management Centre Enterprise Edition

≥ netfence Management Centre Global Player Edition

Module | MC Entry Edition | Option Pack 1 | MC Enterprise Edition | Option Pack 2 | MC Global Player Edition
Maximum number of netfence gateways (recommended, not limited) | 50 | - | 200 | - | 1000
Multi-administrator capability | ✔ | - | ✔ | - | ✔
Central statistics | - | ✔ | - | - | ✔
PKI | - | ✔ | - | - | ✔
Central log host | - | - | - | ✔ | ✔
Revision control system | - | - | - | ✔ | ✔
Product number | MC-EN | MC-OP1 | MC-ES | MC-OP2 | MC-GP

Hardware requirements | MC Entry Edition | MC Enterprise Edition | MC Global Player Edition
CPU | 2 GHz | 2 GHz | 2 GHz
RAM | 512 MB | 1 GB | 2 GB
Storage* | 80 MB | 500 GB | 500 GB
Network connection | 100 Mbps NIC Ethernet adapter (all editions)

* Note that the recommended storage capacity depends on the amount of central statistics and potential log streaming activity. If the MC is not intended to act either as central statistics server or as central log host, 80 MB is ample. In other circumstances 500 GB may be too little to keep all the data from many devices. As a rule of thumb, allow 3 GB per system for statistics and 3 GB per system for central syslog functionality.

Limitations

The netfence reporter has to be a dedicated netfence system. For proper operation, the reporter requires the presence of a Management Centre Entry Edition with Option Pack 1, Enterprise Edition, or Global Player Edition. Both statistics and eventing data are pushed by a service that needs to be installed on the MC.

High Availability is not available for the netfence reporter.


Available Add-ons

BOB, UMTS, ISDN and application and infrastructure packs as add-ons are available for the whole netfence M family.

I-Pack (Infrastructure Package)

Content: DNS, DHCP and OSPF/RIPv2 capabilities.

Benefit: Effective translation of domain names to IP addresses. Reliable implementation of the DHCP protocol that allows devices to request and obtain an Internet address from a server. Basic network routing functionality.

Product number NF-M-I

A-Pack (Application Package)

Content: SSH proxy and FTP gateway capabilities.

Benefit: Reliable establishment of secure channels between a local and a remote computer. Trustworthy exchange of files over any network supporting TCP/IP.

Product number NF-M-A

BOB-Pack (Branch Office Box)

Benefit: WAN optimisation through data stream compression. Activation of hardware crypto acceleration on M1. Effective increase of available WAN bandwidth, cost savings, improved encryption performance for up to 100 Mbps AES128 wire-speed encryption.

netfence VPN Connectors

Benefit: Secure authentication, strong encryption, unrestricted connectivity and implementation of central security policies. Integrated personal firewall offering comprehensive application protection features and ease of use.

UMTS-Option

Benefit: Preparation of the box to host a UMTS cardbus adapter card from Option Wireless Technologies and thus use the UMTS/HSDPA/EDGE protocols for wireless communication.

ISDN-Option

Benefit: Includes an ISDN card supporting the EURO-ISDN standard.

Content Subscription Licenses | netfence M1 | netfence M3 | netfence M5
Antivirus | 50-150 users | 50-500 users | 250-1000 users
URL filter | 50-150 users | 50-500 users | 250-1000 users


Overview

netfence M provides the perfect Unified Threat Management solution for small and medium-sized companies that want to protect a single location at low cost. The all-in-one approach saves costs and administration expenditure whilst increasing the effectiveness of the overall security strategy.

Target Market

Small and mid-sized businesses with up to 1000 users that do not need to centrally manage security components and are looking for a compact UTM platform, i.e., an appliance-based all-in-one solution.

Product Variants

netfence M offers three different models to meet the requirements of different types of organizations:

netfence M1 - up to 100 users

netfence M3 - up to 500 users

netfence M5 - up to 1000 users

The netfence M product line comprises three 19’’ 1U base hardware versions that are each equipped with an identical netfence M license.

Module netfence M

Network Security

Firewall ✔

Intrusion Prevention ✔

DHCP relay ✔

VPN server ✔

Application Security

HTTP proxy ✔

URL filter optional

Mail gateway ✔

Spam filter ✔

FTP gateway A-Pack

SSH proxy A-Pack

Antivirus optional

Infrastructure Security

DNS server I-Pack

DHCP server I-Pack

OS Security

phionOS ✔

Realtime accounting ✔

SNMP ✔

OSPF/RIP I-Pack

Models | netfence M1 | netfence M3 | netfence M5
Recommended users | 100 | 500 | 1000
Firewall throughput | 172 Mbps | 386 Mbps | 3814 Mbps
VPN (AES-128) throughput | 40 Mbps | 228 Mbps | 267 Mbps
Appliance model | nf-240 Rack | nf-431 | nf-780
Rack mountable | ✔ | ✔ | ✔
# of NICs | 4 | 6 | 4
Expansion slots (for additional NICs, UMTS, ISDN) | 1 PCI 1 PCI 3 NIC 1 PCI-X
Product number | NF-M1-SCR | NF-M3-SC | NF-M5-SC

netfence specialists – netfence M

Upgrades and High Availability

An upgrade is not possible from one product to the next.

HA: Ordering of an HA machine is possible, but only of the same model; e.g. it is not possible to combine an M5 with an HA unit for an M3.

An upgrade path to all standard netfence licenses is available and based on a voucher principle. With each purchase of a netfence M system the customer is entitled to consume an upgrade voucher for a period of at most 24 months starting from the date of purchase. The voucher may solely be used for upgrade purchases and may not be accumulated or otherwise reimbursed. The systems to be upgraded must still be covered by valid software subscription contracts at the time of upgrade ordering.

Limitations

The URL filter & Antivirus options require additional subscriptions.

The UMTS and ISDN options should be specified at ordering time. Otherwise, extra handling may be required.

The netfence M appliance licenses are not compatible with central management. This means that a system with a netfence M license cannot be centrally managed. Technically this is realized such that the netfence M box refuses to accept updates from a management center. See License Upgrades below to learn more about the available upgrade possibilities.


Available Add-ons

BOB-Pack (Branch Office Box)

Benefit: WAN optimisation through data stream compression.

netfence VPN Connectors

Benefit

Secure authentication, strong encryption, unrestricted connectivity and implementation of central security policies. Integrated personal firewall offering comprehensive application protection features and ease of use.

netfence VPN Connectors (Smart or Secure): max. 5

Content Subscription Licenses

Antivirus ✔


netfence specialists – netfence industrial

Overview

netfence industrial is an appliance solution specially designed to meet the needs of manufacturing industries. It features a novel fanless compact-flash-based appliance for harsh industrial environments. The appliance can be mounted on top-hat rails. The license allows for unlimited protected IP addresses but is limited by CPU power. The number of supported concurrent VPN tunnels is limited to 5. All services, with the exception of the mail gateway/spam filter, are available for maximum UTM protection in an industrial environment.

Target Market

Large and medium enterprises with an integrated industrial environment

Large and medium manufacturers offering remote maintenance services via the Internet for their products

Product Variants

Currently a single variant of the netfence industrial is available.

Module netfence industrial

Network Security

Firewall ✔

Intrusion Prevention ✔

DHCP relay ✔

VPN server ✔

Application Security

HTTP proxy ✔

URL filter optional

Mail gateway -

Spam filter -

FTP gateway ✔

SSH proxy ✔

Antivirus optional

Infrastructure Security

DNS server -

DHCP server ✔

OS Security

phionOS ✔

Realtime accounting -

SNMP ✔

OSPF/RIP ✔

Models

Firewall throughput 100Mbps

VPN (AES-128) throughput 20Mbps

Rack mountable -

Top-hat-rail-compatible ✔

Expansion slots (for additional NICs) -

Product number NF-IND

Upgrades and High Availability

HA: Ordering of an HA machine is possible at a reduced price.

Limitations

Antivirus option requires additional subscriptions.

VPN tunnels are limited to 5.

The license is not strictly bound to the appliance hardware, but CPU power is currently limited to approx. 700 MHz.


UMTS & ISDN extension

Overview

Support for ISDN and wireless broadband communication using UMTS/HSDPA/EDGE technologies. The HSDPA standard can provide bandwidths of up to 3.6Mbps and thus makes UMTS an attractive alternative to xDSL and ISDN uplinks or backup lines.

Target Market

ISDN - As primary link for businesses requiring connectivity in areas with weak infrastructure such as building sites, mobile locations or trade fairs.

UMTS - As cost-attractive backup link in the event of damage to terrestrial cabling, for businesses requiring 24x7 availability.

Product Variants

Currently two editions each of the ISDN and the UMTS extension are available.

Appliance model | compatible UMTS extension | compatible ISDN extension
nf-240, nf-240 Rack, nf-421, nf-431, nf-780, nf-850 | UMTS-SC | ISDN-SC
S6, S-16, M-50, M-1000, M-2000, L-1000, L-2000 | UMTS-HG | ISDN-HG
Product number | UMTS-SC, UMTS-HG | ISDN-SC, ISDN-HG

Product Components

The UMTS extension includes the adaptation of netfence appliances to host a UMTS Cardbus adapter card for wireless communication. Currently four different types of UMTS network adapters from Option Wireless Technologies are supported:

Option GlobeTrotter 3G, serial numbers starting with CL, USB-Product ID=5000

Option GlobeTrotter 3G, serial numbers starting with RL or QL, USB-Product ID=6300

Option GlobeTrotter Fusion, serial numbers starting with RC or RQ, USB-Product ID=6000

Option GlobeTrotter 3G+, serial numbers starting with NZ

Due to various hardware compatibility issues phion does not support setups with any other extension cards.

The ISDN extension includes a PCI-based AVM Fritz! ISDN Card.


Branch Office Box Enhancements

Overview

The branch office box (BOB) is regarded by Gartner as the future of WAN optimisation. It represents a box that unites WAN optimizing techniques with traditional application server features such as DHCP, DNS, NTP and the like. Still, the netfence BOB option goes a step further by providing space-grade data stream compression technologies for netfence. By virtue of the BOB extension package, netfence sintegra and netfence gateways advance the envisaged BOB functionality as they also provide enterprise-grade FW and VPN functionality.

Target Market

Large and mid-sized enterprises looking for a massive advance for their security and connectivity solutions, which allows them to reduce operational cost by making the most out of WAN links and Web applications, while increasing the reliability and protection of the corporate IT infrastructure.

Product Variants

Currently a single edition of the BOB extension is available. It is a license key which is deployed in addition to an existing license.

Models

WAN optimisation through VPN and FW compression (only between two netfence systems)

Support for the VIA Padlock advanced cryptographic engine as part of the netfence BOB option (for sintegra S, M1 and nf-240, S6, S16 appliances)

Product number NF-BOB

Note that the compression technology provided by the BOB option can provide an effective WAN bandwidth up to three times larger than the physical link bandwidth, depending on the type of traffic.

The features available with BOB option will be further extended in the future. At this time, with netfence 3.4 an attractive introductory offer is available.

Software and Hardware Extensions

Upgrades and High Availability

The BOB enhancement option has to be licensed per box, i.e. twice for an HA configuration.

Limitations

The BOB enhancements need to be present at both ends.

Compression is not compatible with other vendor’s technology.

Limitations

The UMTS extension is available only for appliances directly supported by phion hardware partners.

The UMTS extension should work for legacy appliances. However, before purchasing the UMTS extension customers should make sure this is the case and that a PCI slot is available.

UMTS modem adapters need to be ordered directly from a provider. They are not part of the extension package.

phion cannot guarantee signal reception. If your server rooms are located in a basement or in a place with insufficient signal reception, normal operation of the card may require the use of a UMTS aerial. In any case, make sure the signal quality is sufficient, especially prior to purchasing large quantities.

UMTS and ISDN will not work at the same time on sintegra XS and S as there is only a single PCI slot available.

ISDN is only available for appliances and is not intended for off-the-shelf hardware.


Product | Product number
netfence gateways 10-500* | NF-10, NF-25, .., NF-500, NF-IPU
netfence contegrity 100 | CTY-100-SC
netfence contegrity 100 rack | CTY-100-SCR
netfence contegrity 1000 | CTY-1000-SC
netfence contegrity* | NF-CTY
netfence sectorwall 500 | SEC-500-SC
netfence sectorwall 2000 | SEC-2000-SC
netfence sectorwall* | NF-SEC
netfence sintegra XS 10 user | SIN-XS-10-SC
netfence sintegra XS 25 user | SIN-XS-25-SC
netfence sintegra S 10 user | SIN-S-10-SC
netfence sintegra S rack 10 user | SIN-S-10-SCR
netfence sintegra S 25 user | SIN-S-25-SC
netfence sintegra S rack 25 user | SIN-S-25-SCR
netfence sintegra S 50 user | SIN-S-50-SC
netfence sintegra S rack 50 user | SIN-S-50-SCR
VPN client Smart Connectors | VPN-C<users>, e.g. VPN-C50
VPN client Secure Connectors | VPN-SC<users>, e.g. VPN-SC100
Management Centre Entry Edition | MC-EN
Management Centre Option Pack 1 | MC-OP1
Management Centre Enterprise Edition | MC-ES
Management Centre Option Pack 2 | MC-OP2
Management Centre Global Player Edition | MC-GP
netfence reporter | NF-REP
netfence industrial | NF-IND
netfence M1 | NF-M1-SCR
netfence M3 | NF-M3-SC
netfence M5 | NF-M5-SC
netfence BOB | NF-BOB
UMTS for appliance models of secudos | UMTS-SC
UMTS for appliance models of Heavensgate | UMTS-HG
ISDN for appliance models of secudos | ISDN-SC
ISDN for appliance models of Heavensgate | ISDN-HG
High Availability options for products marked with * | HA-<Product Number>, e.g. HA-MC-EN or HA-NF-250
Antivirus | AV-<users>-<subscription duration>, e.g. AV-75-1
URL filter | IPWF-<users>-<subscription duration>, e.g. IPWF-75-1

Appendix A – Ordering information

Antivirus & URL filter extension

Overview

Optional content security subscriptions are available for several netfence products (gateways, sintegra, contegrity, M). Detailed information about the available sizing of these extensions can be found within the description of the respective underlying product.

Target Market

netfence users who want to extend the UTM power of their products.

Product Variants

For both Antivirus and URL filter, several different user capacities and subscription periods are available.

Models

Module | Protocols | User numbers* | Subscription periods
Antivirus | SMTP, POP3, HTTP, FTP | 10, 25, 50, 75, 100, 150, 200, 250, 300, 350, 400, 450, 500, 600, 700, 800, 900, 1000 | 1, 3, 5 years
URL filter | HTTP | 10, 25, 50, 100, 150, 250, 500, 1000, additional 1000 | 1, 2, 3 years

* User counting is described in the appendix.

Upgrades and High Availability

URL filter is licensed only once in an HA configuration.

Antivirus licenses are regarded as site licenses and are hence also licensed only once.

Limitations

To use Antivirus for a given protocol, the corresponding service must be licensed on your netfence product.


Software and Hardware Extensions


Appendix B – netfence licenses

Module | gateways 10, 25 | gateways 50 - UL | contegrity 100 | contegrity 1000 | sectorwall 500 | sectorwall 2000 | sintegra XS 10, 25 | sintegra S 10, 25, 50

Network Security
Firewall | 10, 25 | 50 - UL | - | - | UL | UL | 10, 25 | 10, 25, 50
Intrusion Prevention | ✔ | ✔ | - | - | ✔ | ✔ | ✔ | ✔
DHCP relay | ✔ | ✔ | - | - | ✔ | ✔ | ✔ | ✔
VPN server | ✔ | ✔ | - | - | - | - | ✔ | ✔

Application Security
HTTP proxy | ✔ | ✔ | ✔ | ✔ | - | - | ✔ | ✔
URL filter | optional | optional | optional | optional | - | - | optional | optional
Mail gateway | optional | ✔ | ✔ | ✔ | - | - | - | optional*
Spam filter | optional | ✔ | ✔ | ✔ | - | - | - | optional*
FTP gateway | optional | ✔ | - | ✔ | ✔ | ✔ | - | -
SSH proxy | optional | ✔ | - | ✔ | ✔ | ✔ | - | -
Antivirus | optional | optional | optional | optional | - | - | - | optional

Infrastructure Security
DNS server | optional | ✔ | ✔ | ✔ | - | - | - | -
DHCP server | ✔ | ✔ | ✔ | ✔ | - | - | ✔ | ✔

OS Security
phionOS | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
Realtime accounting | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | - | ✔
SNMP | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔
OSPF/RIP | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔

* In conjunction with Antivirus without additional charge

Module | MC Entry Edition | Option Pack 1 | MC Enterprise Edition | Option Pack 2 | MC Global Player Edition
Maximum number of netfence gateways (recommended, not limited) | 50 | - | 200 | - | 1000
Multi-administrator capability | ✔ | - | ✔ | - | ✔
Central statistics | - | ✔ | - | - | ✔
PKI | - | ✔ | - | - | ✔
Central log host | - | - | - | ✔ | ✔
Revision control system | - | - | - | ✔ | ✔

Module | netfence M | netfence industrial

Network Security

Firewall ✔ ✔

Intrusion Prevention ✔ ✔

DHCP relay ✔ ✔

VPN server ✔ ✔

Application Security

HTTP proxy ✔ ✔

URL filter optional -

Mail gateway ✔ -

Spam filter ✔ -

FTP gateway A-Pack ✔

SSH proxy A-Pack ✔

Antivirus optional optional

Infrastructure Security

DNS server I-Pack -

DHCP server I-Pack ✔

OS Security

phionOS ✔ ✔

Realtime accounting ✔ -

SNMP ✔ ✔

OSPF/RIP I-Pack ✔


netfence Overview

Licences for netfence products are designed so that they correspond as closely as possible to the intended use of the product. We generally try to interpret the licence parameters in such a way as to accommodate the customer’s need as much as possible.

Module-dependent Licensing

Licences include the list of modules that may be active on a netfence system. For example, the sectorwall and contegrity licences do not include the VPN module, whereas it’s included in netfence sintegra and gateway licences. In this way it is possible to implement different product types using identical software.

Quantity-dependent Licensing

Some modules are not merely switched on and off by licences but in addition their usage is metered.

User-counting

Firewall

The current number of firewall users is defined as the number of IP addresses that used the firewall engine with permission within the last hour. The counting algorithm is explained in detail in the Technical Details section.

VPN

The VPN connector itself is not licensed, but its access to the VPN server is licensed. The netfence VPN server differentiates between two types of access:

≥ named user

≥ concurrent use

Named users are appointed by the VPN server’s internal CA. The concurrent use method is used for users who do not access the internal CA for authentication. VPN licences include the number of maximum possible users.

Certificates issued by the VPN server’s internal CA reduce the maximum number of users who are able to simultaneously gain access using other authentication methods.

VPN tunnels are not limited by licences*.

URL filter

The URL filter counts the incoming user names or IP addresses and, like the Firewall, saves them for one hour. If the number of licensed users is exceeded, non-licensed users will either be blocked or allowed to pass, depending on how the system is configured.

The URL filter users are to be licensed per system.

Antivirus

The exact number of users is calculated from all users whose traffic is checked for viruses. For this, all e-mail users, web users and FTP users from the entire CPA are added together.

Virus scanner licences are independent of the number of systems and can be used simultaneously on any number of systems.

The virus scanner licences come with an expiry date. After the licence has expired, NO further viruses will be detected. Renew your licence well before it expires.

Appendix C – Understanding phion Licensing

* Exception: netfence industrial appliance license


Appendix C – phion Licensing Examples

Example 1

A network with 200 IP addresses is protected by a netfence gateway. Only 40 workstations have transparent access to the Internet through the firewall. 130 workstations have web access using the built-in http-proxy of the netfence gateway. There are 4 servers in the DMZ. 5 VPN clients connect remotely to the VPN server.

The optimum license for this deployment would be an NF-50 (not an NF-250).

Explanation

The 40 clients and 4 servers are counted as protected IPs; the 130 workstations access a local service (the proxy) and are thus not counted. The 5 VPN clients need VPN-Pool licenses, which are included in the NF-50 license.

Example 2

In addition to 7 nomadic users using Secure Connectors with certificates, 11 individual contractors need VPN access to some machines for support reasons and authenticate themselves by using a user name/password scheme but only one to three at a time.

The correct VPN-Pool license would be a 10-client license.

Explanation

The 7 nomadic users will obtain client access certificates issued by the VPN server. The three remaining client-access licenses are unused, so three clients at a time can connect using a purely external authentication scheme.

[Figure: network diagram showing the Internet, the DMZ and the HQ LAN connected through a netfence gateway]

Types of Licenses

phion issues different types of licenses, which are described below.

Box licenses for self-managed gateways

These licenses are associated with a hardware ID of the machine they are running on. Typically either a MAC address of a network card, the mainboard ID or the CPU ID is used as the key for the license. The box license contains information on what kind of service can be started on this machine and to what extent it can be used (Firewall, VPN server, Management Centre, etc.)

"Floating" box licenses

In deployments in which a Management Centre controls one or more netfence gateways, the license for the gateways can be attached to the MC license and dynamically assigned to the managed nodes.

VPN-Pool licenses

VPN-Pool licenses are either attached to a hardware ID of the machine running the VPN Server or to the MC license, respectively. They contain information as to how many client access licenses (split into Secure Connector and Smart Connector) can be issued by the VPN server. The clients use these certificates to access the VPN server. In deployments using authentication methods that are not based on the internal CA (external PKI and/or user/password methods), the number of client access certificates not yet issued also specifies the maximum number of concurrent VPN client connections.

However, it is not possible to have overlay pool licenses, i.e. a single 100-user license cannot be flexibly divided.

Management Centre licenses

Management Centre licenses are attached to the hardware of the machine the Management Centre (MC) is running on. The license enables the administrator to generate and activate the Main Identity of the Management Centre. This Main Identity will be used for all further communication between the MC and the netfence gateways.

Format of Licenses

All phion licenses are X.509 certificates issued and signed by the phion Certificate Authority. Because all netfence products have the phion public key built in, they can easily validate the certificates and extract the license information.

System behaviour without or with invalid licences

Evaluation mode

Without a valid license the netfence gateway will provide you with most relevant features. Nevertheless the system is not intended to serve any other purpose than evaluation.

Take into consideration that systems in evaluation mode provide only weak encryption & authentication methods (DES, RSA-512).

The differences between a licensed system and an evaluation system are the following.

Full root access to the phion processes with password phion.

Box access control lists have no effect.

That means that any computer with network access to a management IP on your evaluation system is able to manage it.

Caution! Running the system in evaluation mode is completely insecure and can have severe impacts on your network. DO NOT evaluate the netfence gateway on security sensitive points.

Appendix C – Technical Details

Policy No. 4: site-to-site tunnel

Source is chosen as protected IP address if destination is routed via tunnel

Destination is chosen as protected IP address if source originates from tunnel

Note that if both options apply neither source nor destination is counted.

Policy No. 5: general case

The protected IP address chosen is either the source or destination address based on a comparison of the classification of the incoming and outgoing devices.

Incoming \ Outgoing | Internal | DMZ | Unspecified | External
Internal | Src | Src | Src | Src
DMZ | Dst | Src | Src | Src
Unspecified | Dst | Dst | Src | Src
External | Dst | Dst | Dst | Src

The order of preference is the following: Internal – DMZ – Unspecified – External.

Appendix C – Technical Details

[Figure: VPN connection between a company LAN and a netfence gateway]


Grace Period

In the case of a hardware failure or transfer of service to another machine, a license strictly bound to an unchangeable hardware criterion results in a loss of service. For this reason, almost every license issued by phion has a so-called Grace Period (typically 15 days). During this time, the netfence gateway works according to the parameters defined in the license, even if the hardware ID the license is attached to does not match the actual hardware. Should this happen, please contact your phion partner immediately to obtain a new license.

Because the Management Centre renews floating box licenses attached to managed nodes periodically, a netfence system might switch to Grace Mode if the Management Centre is not available for a period longer than a quarter of the grace period.

Reconnecting the Management Centre or re-establishing communication between the managed netfence system and the Management Centre resolves this issue.

Caution! A netfence system with an invalid license will stop all services after the grace period. Do not postpone obtaining a new license!
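The license check described under Format of Licenses and Grace Period above (an X.509 certificate validated against the vendor CA built into the product, the license parameters extracted from it, and the grace period that applies when the bound hardware ID no longer matches), as an added Go example; this is not phion's code, and the CA, the private extension OID, the ECDSA keys and the License field layout are constructed assumptions, since the page does not describe phion's actual certificate layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// licenseOID is a constructed private-enterprise OID carrying the license parameters
// in a certificate extension; the real phion extension layout is not on the page.
var licenseOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// License is what a box license states: the hardware ID it is bound to, the modules
// that may run, and the grace period in days (typically 15 according to the page).
type License struct {
	HardwareID string
	Modules    []string
	GraceDays  int
}

// Status is the box's decision after validating its license certificate.
type Status string

const (
	Licensed Status = "licensed" // valid signature, hardware ID matches
	Grace    Status = "grace"    // hardware ID mismatch, grace period still running
	Stopped  Status = "stopped"  // not issued by the built-in CA, expired, or grace period over
)

// NewCA creates a self-signed vendor CA; only its certificate is built into the box.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vendor license CA (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueLicense plays the vendor CA: it signs a certificate carrying lic, valid for days.
func IssueLicense(ca *x509.Certificate, caKey *ecdsa.PrivateKey, lic License, days int) ([]byte, error) {
	payload, err := asn1.Marshal(lic) // DER SEQUENCE of the License fields
	if err != nil {
		return nil, err
	}
	boxKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the box's own key pair
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(2),
		Subject:         pkix.Name{CommonName: "netfence box license (constructed)"},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: licenseOID, Value: payload}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &boxKey.PublicKey, caKey)
}

// Validate does what the page says a netfence system does: trust only the built-in CA,
// extract the license, and compare the bound hardware ID with the actual one.
// mismatchSince is the box's own record of when a mismatch was first seen.
func Validate(der []byte, root *x509.Certificate, hwID string, mismatchSince, now time.Time) (Status, *License, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Stopped, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return Stopped, nil, fmt.Errorf("license not issued by the built-in CA: %w", err)
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(licenseOID) {
			continue
		}
		var lic License
		if _, err := asn1.Unmarshal(ext.Value, &lic); err != nil {
			return Stopped, nil, err
		}
		if lic.HardwareID == hwID {
			return Licensed, &lic, nil
		}
		if now.Sub(mismatchSince) <= time.Duration(lic.GraceDays)*24*time.Hour {
			return Grace, &lic, nil // still runs on the license parameters; get a new license now
		}
		return Stopped, &lic, fmt.Errorf("grace period over: all services stop")
	}
	return Stopped, nil, fmt.Errorf("certificate carries no license extension")
}
```

A license signed by any other CA is rejected outright, so possession of the vendor's public key alone is enough for the offline check the page describes.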

Details concerning User-counting by the Firewall

netfence gateways are licensed based on the number of IP addresses accessing the Internet and being protected by the gateway. Especially in today's complex security environments, classification of networks as "trusted" or "untrusted" is not always feasible, and thus license enforcement needs to rely on a more granular classification.

The following describes the counting algorithm for protected IPs. Note the importance of the order of the policies. The most important step is No. 2, which simply means that if the counting algorithm does not count the way you want, you can reverse its direction.

Policy No. 1: no counting

NOT taken into account (neither source nor destination address):

Source OR destination address is a Personal VPN address

Source AND destination addresses are a site-to-site tunnel addresses (VPN relaying – star topology)

Destination is a Broadcast or Multicast address

Rule results in a Block or Deny action

Any communication directed to the services running on the netfence gateway itself is also not counted:

Caching proxy

Mail gateway

DNS server/forwarder

DHCP server

Policy No. 2: rule explicit

Source is chosen as protected IP address if the rule explicitly requests it.

Destination is chosen as protected IP address if the rule explicitly requests it.

Source and destination are interchanged if the rule matches on reverse.

Policy No. 3: redirected destination

If a redirection of the destination IP is performed in the firewall (Redirect or Map) the translated destination IP address is counted as protected.
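Policies 1 to 5 in their prescribed order (policies 4 and 5 with the device classification table are described earlier under Technical Details), together with the one-hour user window, as an added Go example that is not phion's implementation; the Session fields, the Zone values and the addresses in Example1, which rebuilds Example 1 from the licensing examples (40 transparent workstations, 4 DMZ servers, 130 proxy users, 5 VPN clients), are constructed assumptions.

```go
package main

import (
	"net"
	"time"
)

// Zone classifies the device a session enters or leaves on. The page's preference
// order is Internal - DMZ - Unspecified - External, so a lower value is more protected.
type Zone int

const (
	Internal Zone = iota
	DMZ
	Unspecified
	External
)

// Session is one firewall session as the counting algorithm sees it; the field
// names are assumptions, the page names the concepts but no data structure.
type Session struct {
	Src, Dst      net.IP
	In, Out       Zone      // classification of the incoming and outgoing device (policy 5)
	Blocked       bool      // rule result was Block or Deny (policy 1)
	PersonalVPN   bool      // source or destination is a Personal VPN address (policy 1)
	SrcFromTunnel bool      // source originates from a site-to-site tunnel (policies 1 and 4)
	DstViaTunnel  bool      // destination is routed via a site-to-site tunnel (policies 1 and 4)
	LocalService  bool      // destination is a gateway service: proxy, mail, DNS, DHCP (policy 1)
	ExplicitSrc   bool      // rule explicitly selects the source as protected IP (policy 2)
	ExplicitDst   bool      // rule explicitly selects the destination as protected IP (policy 2)
	Reverse       bool      // rule matched on reverse: the explicit choice is swapped (policy 2)
	RedirectedDst net.IP    // translated destination after Redirect/Map (policy 3); nil if none
	Seen          time.Time // when the session last used the firewall with permission
}

// ProtectedIP applies policies 1 to 5 in the prescribed order and returns the
// address counted as protected, or nil when the session is not counted at all.
func ProtectedIP(s Session) net.IP {
	// Policy 1: no counting. (The broadcast test covers the limited broadcast
	// address only; a directed broadcast check would also need the subnet mask.)
	switch {
	case s.Blocked,
		s.PersonalVPN,
		s.SrcFromTunnel && s.DstViaTunnel, // VPN relaying between two tunnels
		s.Dst.Equal(net.IPv4bcast) || s.Dst.IsMulticast(),
		s.LocalService:
		return nil
	}
	// Policy 2: the rule states explicitly which side is protected; a match on
	// reverse swaps source and destination.
	if s.ExplicitSrc || s.ExplicitDst {
		if s.ExplicitSrc != s.Reverse {
			return s.Src
		}
		return s.Dst
	}
	// Policy 3: a redirected destination is counted as the protected address.
	if s.RedirectedDst != nil {
		return s.RedirectedDst
	}
	// Policy 4: site-to-site tunnel on exactly one side (both sides was excluded by policy 1).
	if s.DstViaTunnel {
		return s.Src
	}
	if s.SrcFromTunnel {
		return s.Dst
	}
	// Policy 5: general case, the device classification table: the side on the
	// more preferred (lower) zone is protected, and equal zones count the source.
	if s.In <= s.Out {
		return s.Src
	}
	return s.Dst
}

// CountUsers is the page's definition of the current number of firewall users:
// distinct protected IPs that used the firewall with permission within the last hour.
func CountUsers(sessions []Session, now time.Time) int {
	seen := map[string]bool{}
	for _, s := range sessions {
		if ip := ProtectedIP(s); ip != nil && now.Sub(s.Seen) <= time.Hour {
			seen[ip.String()] = true
		}
	}
	return len(seen)
}

// Example1 rebuilds the page's Example 1 from constructed addresses: 40 transparent
// workstations, 4 DMZ servers, 130 proxy users, 5 VPN clients, plus one stale entry.
func Example1(now time.Time) []Session {
	inet := net.IPv4(198, 51, 100, 10) // constructed Internet peer
	var ss []Session
	for i := 1; i <= 40; i++ { // Internal -> External: policy 5 counts the source
		ss = append(ss, Session{Src: net.IPv4(10, 1, 0, byte(i)), Dst: inet, In: Internal, Out: External, Seen: now})
	}
	for i := 1; i <= 4; i++ { // External -> DMZ: policy 5 counts the destination
		ss = append(ss, Session{Src: inet, Dst: net.IPv4(192, 0, 2, byte(i)), In: External, Out: DMZ, Seen: now})
	}
	for i := 1; i <= 130; i++ { // proxy users talk to the gateway itself: not counted
		ss = append(ss, Session{Src: net.IPv4(10, 2, 0, byte(i)), Dst: net.IPv4(10, 2, 0, 254), In: Internal, Out: Internal, LocalService: true, Seen: now})
	}
	for i := 1; i <= 5; i++ { // VPN clients use Personal VPN addresses: not counted
		ss = append(ss, Session{Src: net.IPv4(10, 9, 0, byte(i)), Dst: net.IPv4(10, 1, 0, 1), In: Unspecified, Out: Internal, PersonalVPN: true, Seen: now})
	}
	// A workstation last seen two hours ago has dropped out of the hourly window.
	return append(ss, Session{Src: net.IPv4(10, 1, 0, 200), Dst: inet, In: Internal, Out: External, Seen: now.Add(-2 * time.Hour)})
}
```

CountUsers(Example1(now), now) yields 44, the NF-50 sizing the page derives for Example 1.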

[Figure: network diagram showing the HQ LAN, the DMZ and the Internet connected through a netfence gateway]

www.phion.com

phion Information Technologies GmbH, Eduard-Bodem-Gasse 1, 6020 Innsbruck, Austria

Phone: +43 (0)512 39 45 45-0
Fax: +43 (0)512 39 45 45-20

[email protected]
