
Hillstone Security Management Platform (HSM)

Intersecting Human and Artificial Security Intelligence as a Force Multiplier in Enterprise Defense

1 Challenges in Security Management

2 Hillstone HSM Value Proposition

3 Hillstone HSM Product Portfolio

4 Deployment Scenarios & Winning Cases

2
Challenges in Security Management

3
Security Management Remains a Challenge

How do you configure a security policy to meet service levels?

Where should the policy be placed? In what priority?


Should a new policy be configured?

What kind of policy should be configured?


Which policies have the highest utilization?

Which policies are redundant?


What was added and when?
Who added a configuration? Where was it added?

How does a local admin issue a batch of policies to equipment located in branches?

4
Hillstone Security Management Platform (HSM) Value Proposition

5
Centralized and Efficient Management

Hillstone Security Management Platform (HSM)


A Centralized Management, Configuration and Monitoring Solution

• Centralized Device Management
• Centralized Policy Configuration
• Centralized Security Monitoring

6
Simplify and Secure Your Network
• Automated and centralized policy management
• Automated configuration management
• Automated device inspection
• Centralized monitoring of all devices
• High availability and distributed deployment
• Personalized and customizable dashboards
• Support Hillstone NGFW/NIPS/CloudEdge
• IPv6 compliant configuration and monitoring
Choose from three HSM models that provide an effective
cost/performance solution!
7
Centralized Management

• Route & NAT Policy
• IPS Policy
• SLB Policy
• QoS Policy
• AV Policy
• URL Policy

8
Centralized Management & Configuration

Global configuration can be pushed to all managed devices


9
Centralized Management & Configuration

Private configuration for individual device


10
Centralized Management & Configuration

Configuration of 5 types of AAA servers, in both private and shared types


11
Centralized Management & Configuration

User configuration, in both private and shared types


12
Centralized Management & Configuration

Role and role mapping configuration, in both private and shared types
13
Signature Library Online/Offline Upgrade

Synchronize and update APP, IPS, AV, URL signature library through HSM
14
Retrieve Device Configuration Automatically

Retrieve device configuration automatically (up to 10,000)


15
Firewall HA Management

HA cluster management for firewalls in Active-Passive/Active-Active/Active-Peer modes

HA groups relationship and status display


16
Policy Management

• Redundancy Object Check
• Policy Redundancy Check
• Policy Inheritance
• Rule Hit Evaluation

17
Policy Management – Redundancy Object

Check for redundant objects with multiple policy bundling and generate an analysis report
18
Policy Management – Rules Conflict

Examine useless policies, provide optimization suggestions, and generate a report


20
Policy Management – Policy Inheritance

Add the same policy to different devices and configurations to reduce the admin's workload
22
Policy Management: Rule Hit Evaluation

Analyze the rule hit statistics to help admins optimize policies


23
Add Private Policies in Batch

Private policies can be added in batch to meet needs that the shared policy previously could not satisfy
25
Configuration Management

• Configuration lock
• Backup recovery
• Configuration files
• Historical file comparison
• Configuration change

26
Configuration: Historical Files Comparison

Compare device configuration files and show the differences


27
Configuration: Changes

Backup configuration files and check configuration change history


29
Monitoring Management

Comprehensive Security Monitoring

Real-time device availability monitoring
• KPI monitoring for device CPU, memory etc.
• Monitor network traffic information, new sessions, concurrent sessions
• Graphic display of device online/offline status
• License status of devices

Multi-dimensional security information monitoring
• Application traffic trends
• Port traffic trends
• Trends and rankings for the TOP10 threats

VPN Link Status Monitoring
• VPN topology monitoring
• Network status monitoring

Log Audit
• Traffic log, Security log, Operation log Audit
• Time-zone configuration to support users in all regions

30
Customizable Dashboard

A visual data display of system stats, system information, system resources, CPU/memory
utilization, threat type, APP/user traffic, etc.
31
Monitoring Device Status

Real-time understanding of available device status, including CPU, memory, traffic, license etc.
32
Device Inspection

Automatically check the operation status of the firewall, resource consumption, signature
database and license status, generate reports and notify customers.
34
Monitoring VPN Link Status

Real-time understanding of VPN link status, including latency, packet loss ratio etc.
35
Monitoring VPN Links

Real-time understanding of VPN link status, including latency, packet loss ratio etc.
36
Multi-dimensional Monitoring

Centralized monitoring: View statistics on devices, users, applications and threats


37
Monitoring Logs

Centralized collection of logs, operational log audit


38
Comprehensive Report

30+ predefined report templates, multiple dimensions


39
Comprehensive Report

Comprehensive and visualized report


40
High Availability

• Master/Slave roles
• CLI configuration
• Preemption mode
• Master/Slave Switchover Alarm
• Monitor/Log Synchronization
• Automatic Synchronizing and Manual Synchronizing

41
Master/Slave Roles

Support HSM HA deployment in Master/Slave roles


42
Preemption Mode

Preemption mode can be configured on master device


43
Monitor/Log Synchronization

When selected, the HA system will synchronize the monitoring and log data generated by
the system from time to time
44
Automatic Synchronizing and Manual Synchronizing

Synchronization can be performed automatically and manually


45
Master/Slave Switchover Alarm

Raises a master-slave role change alarm when a master-slave switchover occurs


46
Distributed Deployment

• Standalone/Master/Slave modes
• Register up to 16 slave devices on one master device
• Memory alarm, CPU alarm, disk alarm, and slave device offline alarm display on master device

47
Standalone/Master/Slave Modes

Support HSM distributed deployment in Standalone/Master/Slave modes


48
Slave Devices on One Master Device

Register up to 16 slave devices on one master device


49
Alarm Display on Master Device

Memory alarm, CPU alarm, disk alarm, and slave device offline alarm can be displayed on
master device
50
Hillstone SD-WAN Solution

HSM SD-WAN Controller: Deploy HSM at HQ
• full range of HSM products

HQ Firewall: Mostly deployed at enterprise HQ egress
• mid to high-end series of firewalls

VPN HUB: NGFW or vFW in the cloud
• mid to high-end series of firewalls or vFW

CPE: Deploy firewall at each branch
• low-end series of firewalls

[Diagram labels: HQ (NGFW); HSM (SD-WAN Controller); Zone A; Zone B; VPN HUB (NGFW); VPN HUB (NGFW); VPN HUB (vFW); Branch 1, Branch 2, Branch 3, Branch n, each with CPE (NGFW)]

51
SD-WAN Orchestration on Demand
[Topology diagrams: Hybrid Links with Multiple WAN Access (Internet, ADSL/Fiber, MPLS); Hub-Spoke; Full-Mesh; Single WAN-Dual HUB; Dual WAN-Dual HUB; Partial-Mesh]

52


Hillstone Security Management Platform (HSM) Portfolio

53
Hillstone Security Management Platforms

HSM-500-D4: hardware platform, support up to 500 devices

HSM-100-D4: hardware platform, support up to 150 devices

vHSM: virtual appliance, support up to 1000 devices

54
HSM Hardware Appliance Specifications

Specifications                          HSM-500-D4                        HSM-100-D4
Devices Supported (Default / Maximum)   15 / 500                          15 / 150
Storage Capacity                        4TB                               2TB
RAID                                    RAID 5                            RAID 0
Network Interfaces                      2 x Gigabit interfaces            2 x Gigabit interfaces
Power Supply                            Single/dual power supply, 550W    Single power supply, 250W
Height                                  1U                                1U

55
HSM Virtual Appliance Specification

Management Capability (Default / Maximum)   15 / 25    15 / 100   15 / 500   15 / 1000
vCPU Requirement                            4          8          18         24
Memory Requirement                          4GB        16GB       32GB       64GB
Port Requirement                            2 ports    2 ports    2 ports    2 ports
Hard Disk Requirement                       100GB      2T         4T         8T
Virtual Environment Requirement             VMware Workstation/ESXi or KVM

56
Deployment Scenarios & Winning Cases

57
HSM Target Customers
[Chart: Max # of Managed Devices (25, 100, 500, 1000) against customer segment (SMB/Branch, Medium Enterprise, Large Enterprise/Carrier), positioning HSM-100-D4, HSM-500-D4 and vHSM]

58
HSM Deployment Scenario:
Large Enterprise and Government Branches

Scenario
• Large number of devices
• Isolated business application servers
• Data switching occurs via VPN
• Hierarchical deployment and management
• Focus on operational device status, and monitoring of VPN link status

Challenges and requirements
• Device management and monitoring
• Centralized management and configuration
• Privilege management
• Policy configuration management (FW Policy)
• Topology monitoring (VPN)

HSM benefits
• Real-time insights into network security status
• Rapid deployment of devices
• Centralized policy management
• Decentralized O&M management

[Diagram labels: HSM; Business Application Servers; Internet; VPN Secured Link]

59
HSM Deployment Scenario:
Large Enterprises & Financial Institutions Data Centers

Scenario
• Data center operation and service is simple but sensitive with strict requirements for policy maintenance
• Networking is done via VSYS; each service zone has one VSYS; an HSM administrator can manage multiple VSYS systems
• If there are repeated objects in multiple VSYSs, shared-object management can be used to maintain only the shared object; VSYS policies directly use the shared object
• Centralized policy configuration for multiple VSYSs

Challenges and requirements
• Device monitoring and management
• VSYS support
• Policy configuration management (FW policy)
• Policy maintenance
• NAT & Route Policy

HSM benefits
• Highly dynamic firewall rules management
• Routine policy maintenance

[Diagram labels: Trusted; Not Trusted; Externally connected; Internet/third party; FW; Data Center; IDC FW]

60
Winning Cases: HSM

• Cable Color: ISP; Honduras, vHSM
• Maxis Berhad: ISP; Malaysia, HSM50
• CENACE: Energy; Mexico, HSM50
• Grupo ICE: Energy; Costa Rica, HSM50
• China Mobile: ISP; China, HSM50
• The Secretariat of the Senate: Government; Thailand, HSM50
• CN Care: Other; China Hong Kong, SD-WAN, HSM
• Dubai International School: Education; UAE, HSM50
• First Capital Securities: Finance; China, HSM50
• Hua'an Fund Management: Finance; China, HSM50
• Royal Thai Embassy: Government; Thailand, vHSM
• Ministry of Foreign Affairs: Government; Pakistan, HSM50

61
+1 408 508 6750
inquiry@hillstonenet.com
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com
62
