The Evolving Security Challenges
Deployment Scenarios
© 2022 Hillstone Networks All Rights Reserved
The Evolving Network Security Challenges
E-Pro Highlights
• Critical apps: prioritized bandwidth.
• User applications: deep packet inspection; session limits and access time limits.
• Policy matching on IP/port/protocol, application signature, threat and time.
• Prevents DoS/DDoS network-layer attacks, abnormal protocols and abnormal traffic (diagram: NGFW between the Internet and bot traffic).
• Advanced network capabilities: multiple dynamic routing protocols, IPv6 Ready (Gold), app-based routing.
• VPN (diagram): mobile workers reach HQ over SSL VPN and L2TP VPN; remote workers and branch offices reach the HQ intranet server pool over IPSec VPN across the Internet.
• Traffic quota (Traffic Manager), e.g. maximum 5GB per day for a single IP.
• Multi-tenancy (diagram: Tenant A / Server A and Tenant B / Server B behind the Internet): dedicated resources, dedicated policies and dedicated admins per tenant.
• Multi-core, full-concurrence architecture on the 64-bit StoneOS® operating system: unpack simultaneously and detect concurrently; all security features can be executed on one single core.
01 Operation
• Daemon
• Redundant process: logs, monitoring
• Multiple operation methods: concurrency limits, port multiplication, session maintenance, persistent connection maintenance
02 System
• Dual OS
• Separation of control plane and data plane
03 Link
• Port redundancy
• Link aggregation
• Link load balancing
• BFD
Centralized management (diagram: Hillstone NGFW at the core and at each branch)
• HSM – Hillstone Security Manager
• HAS – Hillstone Security Audit
CloudView: Security Management & Analysis Service (SaaS)
• Real-time monitoring
• Low/flexible investment options:
  • Free to initiate (includes Essential features)
  • Pay to subscribe (for advanced features, Professional Version)
  • Security as a Service (SaaS)
Policy Lifecycle Management
• Policy Group: efficient policy management based on business requirement
• Aggregate Policy: a set of policies act as one single policy
• Policy Assistant: refine a general policy into detailed policy; app-based and service-based policy generation
• Policy Analysis: adjust the policies by observing the hit counts and hit trends
• Policy Redundancy Check: discover redundant policies for deletion
• Automated User Policy Deployment: Radius Dynamic Authorization, automatically issuing user policy via CoA message
Summary: superior price/performance; comprehensive visibility and fine-granular control; full security protection from Layer 2 to 7; advanced threat protection; rich network functions; full concurrence and high performance; centralized management, audit and monitoring.
Hillstone’s NGFW Product Portfolio
(Diagram: models by throughput band and interface class)
• 100G, 10 Gigabit: E6360P / E6368P
• 80G / 60G, 10 Gigabit: E5760P, E5960P
• 40G / 20G, Gigabit
• 6G / 4G, Desktop and Wi-Fi: E1600P, E1600WP, E1700P

Suggested Sizing *
Model   | Suggested sizing
E1600P  | 150M internet access; up to 50 users
E1600WP | 150M internet access; up to 50 users; need a wireless access
E1700P  | 150M internet access; up to 100 users
E2800P  | 800M internet access; 100-300 users
* Suggestion based on experience; it can go up and down depending on specific traffic profile and configuration

Front-panel ports (diagram labels)
• E3662P / E3668P: CON + AUX + USB, MGT + HA, 6 x GE, 4 x SFP, 2 x Generic Slot
• E3960P / E3968P: 2 x Generic Slot
• E6368P front: 8 x SFP+
Hillstone E-Pro Series NGFW Spec (3)

Model                        | E5260P    | E5268P    | E5560P    | E5568P    | E5760     | E5960     | E6368
Form Factor                  | 2U        | 2U        | 2U        | 2U        | 2U        | 2U        | 2.5U
FW Throughput                | 20 Gbps   | 20 Gbps   | 20 Gbps   | 20 Gbps   | 40 Gbps   | 40 Gbps   | 90 Gbps
IPSec Throughput             | 8.4 Gbps  | 8.4 Gbps  | 12 Gbps   | 12 Gbps   | 18.8 Gbps | 25.6 Gbps | 64 Gbps
AV Throughput                | 3.8 Gbps  | 3.8 Gbps  | 4.9 Gbps  | 4.9 Gbps  | 7.9 Gbps  | 14 Gbps   | 28 Gbps
IPS Throughput               | 8.9 Gbps  | 8.9 Gbps  | 9.3 Gbps  | 9.3 Gbps  | 18.5 Gbps | 18.8 Gbps | 37 Gbps
IMIX Throughput              | 15.5 Gbps | 15.5 Gbps | 20 Gbps   | 20 Gbps   | 36.5 Gbps | 40 Gbps   | 90 Gbps
NGFW Throughput              | 3.9 Gbps  | 3.9 Gbps  | 5.6 Gbps  | 5.6 Gbps  | 8.9 Gbps  | 14 Gbps   | 26 Gbps
Threat Prevention Throughput | 2.2 Gbps  | 2.2 Gbps  | 3.1 Gbps  | 3.1 Gbps  | 5.2 Gbps  | 8.2 Gbps  | 18 Gbps
Maximum Concurrent Sessions  | 6M        | 6M        | 10M       | 10M       | 12M       | 15M       | 30M
IPSec Tunnels Number         | 20,000    | 20,000    | 20,000    | 20,000    | 20,000    | 20,000    | 20,000
Maximum SSL VPN Users        | 10,000    | 10,000    | 10,000    | 10,000    | 10,000    | 10,000    | 10,000
Storage                      | N/A       | 256G SSD  | N/A       | 256G SSD  | N/A       | N/A       | 512G SSD
Twin-mode HA                 | YES       | YES       | YES       | YES       | YES       | YES       | YES

Fixed I/O Ports
• E5260P, E5268P, E5560P, E5568P: 4 x GE (one pair bypass), 4 x SFP, 2 x SFP+
• E5760, E5960: 4 x GE, 4 x SFP
• E6368: 2 x GE, 8 x SFP+, 2 x QSFP+

Expansion Slots
• E5260P, E5268P, E5560P, E5568P, E5760, E5960: 4 x Generic Slot
• E6368: 2 x Generic Slot, 1 x Bypass Slot

Expansion Modules
• E5260P, E5268P, E5560P, E5568P, E5760, E5960: IOC-4GE-B-P, IOC-8GE-P, IOC-8SFP-P, IOC-4SFP+-P, IOC-8SFP+-P, IOC-2SFP+-Lite-P
• E6368: IOC-8GE-P, IOC-8SFP-P

Suggested Sizing *
• E5260P, E5268P: 2G internet access; 500-1000 users
• E5560P, E5568P: 3G internet access; 800-1200 users
• E5760: 5G internet access; 1000-1500 users
• E5960: 7.5G internet access; 1200-2000 users
• E6368: 15G internet access; 1500-3000 users
* Suggestion based on experience; it can go up and down depending on specific traffic profile and configuration
Interface module options (base system plus generic-slot module cards)
• Option 01: Base system + IOC-8GE-P + IOC-8SFP-P + IOC-2SFP+-Lite × 2 (Default Combo)
• Option 02: Base system + IOC-8GE-P × 2 + IOC-2SFP+-Lite × 2
• Option 03: Base system + IOC-8SFP-P × 2 + IOC-2SFP+-Lite × 2
• Option 04: Base system + IOC-8GE-P + IOC-8SFP-P × 2 + IOC-2SFP+-Lite × 1
• Option 05: Base system + IOC-8GE-P × 2 + IOC-8SFP-P + IOC-2SFP+-Lite × 1
• Option 06: Base system + IOC-8GE-P × 3 + IOC-2SFP+-Lite × 1
• Option 07: Base system + IOC-8SFP-P × 3 + IOC-2SFP+-Lite × 1
• Option 08: Base system + IOC-8GE-P × 2 + IOC-8SFP-P × 2
• Option 09: Base system + IOC-8GE-P × 3 + IOC-8SFP-P × 1
• Option 10: Base system + IOC-8GE-P × 1 + IOC-8SFP-P × 3
• Option 11: Base system
• Option 12: Minus some module card in Option 01~11

Module card count per option (4-slot configuration)
Module Card    | Option1 | Option2 | Option3 | Option4 | Option5 | Option6 | Option7 | Option8
IOC-8GE-P      | 2 | 1 | 2 | 4 | 0 | 3 | 1 | 0
IOC-8SFP-P     | 1 | 2 | 2 | 0 | 4 | 1 | 3 | 0
IOC-2SFP+-Lite | 1 | 1 | 0 | 0 | 0 | 0 | 0 | 0

Module card count per option (matches Options 01 to 11 above)
Module Card    | Option1 | Option2 | Option3 | Option4 | Option5 | Option6 | Option7 | Option8 | Option9 | Option10 | Option11
IOC-8GE-P      | 1 | 2 | 0 | 1 | 2 | 3 | 0 | 2 | 3 | 1 | 0
IOC-8SFP-P     | 1 | 0 | 2 | 2 | 1 | 0 | 3 | 2 | 1 | 3 | 0
IOC-2SFP+-Lite | 2 | 2 | 2 | 1 | 1 | 1 | 1 | 0 | 0 | 0 | 0
Customizable: configure the base system with your own combination of interface expansion modules to best meet the business requirement.
Deployment Scenarios
• Internet Access: fully prevents internet threats
• Server Protection: professional WEB server protection
• Branch VPN Connection: easy IPSec VPN deployment
Challenge: Online games, video streaming and P2P applications run by employees in working hours take a lot of bandwidth resource and impact the critical business applications and normal work.
Solution: Hillstone NGFW can identify online games, video and P2P applications in traffic, set appropriate policies, and block this traffic or limit bandwidth in working hours to guarantee critical business applications.
• Application Identification: identify thousands of applications, including 600+ mobile apps
• Access Control: multi-application control policy based on application identification
• Session Limitations
• Traffic Control
• Application Traffic Redirection
SSL Proxy
Challenges:
• Employees frequently use applications with SSL-encrypted traffic, such as cloud drives, which cannot be identified or controlled.
• An employee accessed an encrypted phishing website and infected his computer.
Solutions:
• Hillstone NGFW SSL decryption function can identify and analyze encrypted traffic, and implement fine-granular application control.
• Hillstone NGFW can execute complete AV/IPS/URL filtering on SSL-encrypted traffic, effectively blocking malicious traffic and protecting network security.
Challenges:
• The company prohibited R&D staff from transferring Word documents via the Internet. However, it did not provide an effective technology to control such behavior.
• Staff transferred large files in working hours, which consumed a large amount of bandwidth.
Solutions:
• Hillstone's solution can identify the file category and block Word documents or any sensitive document types from being transferred, and record logs.
• Filter files transferred in working hours, and prevent transferring files larger than 20M.
Challenges:
• Significant repetition and ineffective policies impair firewall performance.
• A large number of policies are not reviewed due to maintenance staff turnover. New maintenance staff is unable to manage old policies.
Solution: Intelligently detect repetitive, redundant, unused, or ineffective policies. Provides a reminder and helps maintenance staff to revise and remove them.
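The policy scenario above and the Policy Lifecycle Management items (redundancy check, hit-count analysis) describe what a policy hygiene check looks for without showing how the decision is made. The following is an added example written for this page, not Hillstone code or StoneOS syntax: it models a policy as a rule with source/destination CIDRs, protocol, destination port range, action and a hit counter, and flags a rule as redundant when an earlier rule with the same action already covers every packet it could match, as shadowed when an earlier rule with the opposite action covers it, and as unused when nothing covers it and its hit counter is zero. The rule fields, the sample rule set and the hit counts are all constructed for the example.

```python
"""Firewall policy hygiene check (added example; rule format is an assumption,
not a vendor format). Detects redundant, shadowed and unused rules."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR, or "any" for 0.0.0.0/0
    dst: str                 # CIDR, or "any" for 0.0.0.0/0
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    action: str              # "permit" or "deny"
    hits: int = 0            # hit counter as reported by the device


def _net(cidr: str) -> IPv4Network:
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`.

    First-match semantics mean such an `inner` rule placed later can never fire."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not _net(inner.src).subnet_of(_net(outer.src)):
        return False
    if not _net(inner.dst).subnet_of(_net(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def analyze(rules: List[Rule]) -> List[Tuple[str, str, Optional[str]]]:
    """Walk the ordered rule list and return (rule, finding, covering rule) tuples.

    redundant: an earlier rule with the same action already covers it (safe to delete)
    shadowed:  an earlier rule with a different action covers it (intent is not enforced)
    unused:    reachable, but the hit counter is zero (candidate for review)"""
    findings = []
    for i, rule in enumerate(rules):
        coverer = next((e for e in rules[:i] if covers(e, rule)), None)
        if coverer is not None:
            kind = "redundant" if coverer.action == rule.action else "shadowed"
            findings.append((rule.name, kind, coverer.name))
        elif rule.hits == 0:
            findings.append((rule.name, "unused", None))
    return findings


# Constructed sample rule base, evaluated top-down (first match wins).
SAMPLE_RULES = [
    Rule("allow-web", "any", "10.0.0.0/24", "tcp", (80, 443), "permit", hits=12000),
    Rule("allow-http", "192.168.1.0/24", "10.0.0.10/32", "tcp", (80, 80), "permit", hits=0),
    Rule("deny-admin", "192.168.2.0/24", "10.0.0.10/32", "tcp", (443, 443), "deny", hits=0),
    Rule("allow-dns", "192.168.0.0/16", "10.0.0.53/32", "udp", (53, 53), "permit", hits=0),
    Rule("allow-ssh", "192.168.1.0/24", "10.0.0.0/24", "tcp", (22, 22), "permit", hits=40),
]


if __name__ == "__main__":
    for name, kind, by in analyze(SAMPLE_RULES):
        print(f"{name}: {kind}" + (f" (covered by {by})" if by else ""))
```

On the sample set the check reports allow-http as redundant and deny-admin as shadowed (both are fully covered by allow-web, so the deny never takes effect), and allow-dns as unused; allow-ssh is reachable and has hits, so it is left alone. The coverage test is deliberately conservative: it only compares one rule against a single earlier rule, so a rule that is covered only by the union of several earlier rules is not flagged.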
Challenges:
• Several employees have suffered Locky ransomware several times and don't have effective solutions.
• After the investigation by Hillstone experts, those employees had opened spam carrying the ransomware.
Solution: With Cloud-sandbox enabled on Hillstone NGFW, suspicious files are uploaded to the cloud sandbox for behavior analysis and identified as ransomware; the admin can get detailed threat information by log/report and take prompt action to block the threat.
Challenges:
• Slow to build a private network for the VPN requirement.
• Multi-type services require fine-grained access control.
Solution: Hillstone SD-WAN solution supports Zero Touch Provisioning (ZTP) for quick and easy deployment. Its centralized management of application-based QoS policy, priority control, intelligent load balancing and routing assures high quality of different types of services and applications at scale.
SD-WAN deployment roles (diagram: HQ firewall; VPN HUBs (NGFW) in Zone A and Zone B and a VPN HUB (vFW) in the cloud; Branch 1 to Branch n each with a CPE (NGFW))
• HQ Firewall: mostly deployed at enterprise HQ egress; mid to high-end series of firewalls
• VPN HUB: NGFW or vFW in the cloud; mid to high-end series of firewalls or vFW
• CPE: deploy a firewall at each branch; low-end series of firewalls
Easy Deployment (ZTP)
• USB Plug and Play: supports loading the configuration file from a USB disk
• Centralized Authorization Management: the device automatically obtains authorization when it comes online
• Automatic Version Upgrade: the device automatically upgrades to the specified version when it comes online