Next-Generation Firewalls
Enterprises can deploy Perimeter Defender’s appliances for next generation firewall protection. With the mobilization of today’s workforce, the demand for anytime and anywhere access to network resources is crucial to the success of any business. Perimeter Defender’s next-generation firewalls are architected to safely enable applications and prevent modern threats. Our approach identifies all network traffic based on applications, users, content and devices, and lets you define your business policies and rules necessary to facilitate a safe and secure environment.
Next Generation Firewall Feature Overview
• Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic.
• Limit simultaneous connections on a per-rule basis.
• Filter by the operating system initiating the connection. Want to allow FreeBSD and Linux machines onto the Internet but block Windows machines? Perimeter Defender software allows for that (amongst many other possibilities) by passively fingerprinting the operating system in use.
• Option to log or not log traffic matching each rule.
• Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
• Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
• Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall.
• Packet normalization through “scrubbing”, the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.
• Disable filter – ability to turn off the firewall filter entirely if you wish to turn your Perimeter Defender software into a pure router.
• Traffic management and download throttling
• Server load balancing distributes load between multiple servers for increased capacity and reliability.
• Threat-free remote access via IPsec and SSL VPN.
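The following ruleset is an added example, not Perimeter Defender's own configuration. It assumes the appliance's filter is the pf packet filter (the feature names above, such as scrub, aliases and passive OS detection, are pf concepts) and that the rules are written in pf.conf syntax; interface names, addresses and the dmz_web table are constructed for illustration. It shows source/destination filtering, aliases, per-rule logging, OS-based filtering, policy routing and scrubbing together in one place.

```pf
# Added example, not the product's own configuration. Assumes a pf-based
# filter; interface names and addresses below are constructed.

ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.0.2.0/24"       # constructed documentation range

# Aliases: a named table and a port macro keep later rules readable
table <dmz_web> { 198.51.100.10, 198.51.100.11 }
web_ports = "{ 80, 443 }"

# Scrubbing: reassemble fragments so the destination host and the firewall
# agree on what the packet contains
scrub in all fragment reassemble

# Default deny; "log" records every drop for auditing
block in log all
pass out all

# Filter by source, destination, protocol and port
pass in on $ext_if proto tcp from any to <dmz_web> port $web_ports

# Passive OS fingerprinting (TCP SYN only): FreeBSD and Linux may go out,
# Windows hosts are held back
pass in on $lan_if proto tcp from $lan_net os { "FreeBSD", "Linux" } to any port $web_ports
block in on $lan_if proto tcp from $lan_net os "Windows" to any

# Policy routing: one subnet's traffic leaves through a second gateway
# (route-to is the per-rule gateway selection described above)
pass in on $lan_if route-to (em2 203.0.113.1) from 192.0.2.128/25 to any
```

Rules are evaluated last-match-wins unless marked quick, so the explicit block for Windows hosts must come after the broader pass rule for the LAN network to take effect.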
PCI DSS COMPLIANT
Compliance requirements such as the PCI DSS exist to ensure that those who work with sensitive information do everything in their power to protect it. Perimeter Defender’s UTM Firewall solutions work to protect businesses and their customers while simplifying their compliance with information security and privacy standards.
As required by PCI DSS, Perimeter Defender application proxy technology provides detailed control over the traffic that passes between network zones. This enables administrators to block all traffic by default and to define which traffic is allowed to pass from one zone to the next, including protocols, ports, content (e.g., MIME types, file types, and URLs) and verbs (e.g., HTTP GET).
Beyond supporting the required network architectures, PCI DSS requires strong logging, monitoring, and auditing components, all of which are supported by Perimeter Defender’s PD series appliances.
State Table
Most firewalls lack the ability to finely control your state table. The Perimeter Defender software is a stateful firewall with numerous features allowing granular control of your state table. There are multiple production installations using several hundred thousand states. The default state table size varies according to the RAM installed in the system, but it can be increased on the fly to your desired size. Each state takes approximately 1 KB of RAM.
State handling options
• Keep State – Default for all rules; works with all protocols.
• Sloppy State – Less strict state tracking, useful in cases of asymmetric routing; works with all protocols.
• Synproxy State – Proxies incoming TCP connections to help protect servers from spoofed TCP SYN floods.
• No State – Do not keep any state entries for this traffic; rarely desirable but is available as it can be useful under some limited circumstances.
State table optimization
• Normal – The default algorithm.
• High latency – Useful for high latency links, such as satellite connections. Expires idle connections later than normal.
• Aggressive – Expires idle connections more quickly and makes more efficient use of hardware resources, but can drop legitimate connections.
• Conservative – Tries to avoid dropping legitimate connections at the expense of increased memory usage and CPU utilization.
On a per-rule basis
• Limit simultaneous client connections
• Limit states per host
• Limit new connections per second
• Define state timeout
• Define state type
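The state handling options, the optimization profiles and the per-rule limits listed above map directly onto pf keywords. The ruleset below is an added example, not the product's own configuration; it assumes a pf-based filter, and the interface, server address and limit values are constructed. It also shows the overload table that the connection-rate limit can feed, which the page does not mention but which is how pf acts on a breached limit.

```pf
# Added example, not Perimeter Defender's own configuration. Assumes pf;
# interface and address values are constructed.

ext_if  = "em0"
web_srv = "198.51.100.10"

# State table sizing: replace the RAM-derived default with an explicit
# ceiling (at roughly 1 KB per state, 500000 states is about 500 MB)
set limit states 500000

# Timeout profile: normal, high-latency, aggressive or conservative
set optimization conservative

# Hosts that exceed the connection-rate limit below are collected here
table <bruteforce> persist
block in quick from <bruteforce>

# Keep State: the default, works with every protocol
pass out on $ext_if from any to any keep state

# Sloppy State: skips sequence-number checks, tolerates asymmetric routing
pass in on $ext_if proto tcp from any to $web_srv port 443 keep state (sloppy)

# Synproxy State: the firewall completes the TCP handshake itself, so a
# spoofed SYN flood never creates state on the server
pass in on $ext_if proto tcp from any to $web_srv port 80 synproxy state

# No State: stateless evaluation; reply traffic needs its own rule
pass in on $ext_if proto udp from any to $web_srv port 514 no state

# Per-rule limits and timeouts on a single rule:
#   max-src-conn       simultaneous client connections
#   max-src-states     state entries per source host
#   max-src-conn-rate  new connections per interval (5 per 10 s)
#   tcp.established    idle timeout (seconds) for this rule's states
#   overload           move offenders into the table blocked above
pass in on $ext_if proto tcp from any to $web_srv port 22 keep state \
    (max-src-conn 10, max-src-states 50, max-src-conn-rate 5/10, \
     tcp.established 600, overload <bruteforce> flush global)
```

The quick block on the overload table is placed before the pass rules so that a host which has already tripped the limit is dropped without creating further state.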
Network Address Translation
• Port forwards including ranges and the use of multiple public IPs.
• 1:1 NAT for individual IPs or entire subnets.
• Default settings NAT all outbound traffic to the WAN IP. In multiple WAN scenarios, the default settings NAT outbound traffic to the IP of the WAN interface being used.
• Advanced Outbound NAT allows this default behavior to be disabled, and enables the creation of very flexible NAT (or no NAT) rules.
• NAT Reflection – NAT reflection is possible so services can be accessed by public IP from internal networks.
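Each of the NAT features above corresponds to a pf translation rule. The block below is an added example, not Perimeter Defender's own configuration; it assumes a pf-based filter and uses constructed interface names and documentation addresses. It covers default outbound NAT, a no-NAT exemption, a port-range forward on a second public IP, 1:1 NAT and the two-rule form of NAT reflection.

```pf
# Added example, not the product's own configuration. Assumes pf;
# all names and addresses are constructed.

ext_if   = "em0"
int_if   = "em1"
int_net  = "192.0.2.0/24"
ext_ip   = "203.0.113.10"      # primary public IP (on $ext_if)
ext_ip2  = "203.0.113.11"      # second public IP
web_srv  = "192.0.2.10"
mail_srv = "192.0.2.20"

# Advanced Outbound NAT: translation rules are first-match, so an exemption
# (here a subnet reached over a VPN) must precede the catch-all nat rule
no nat on $ext_if from $int_net to 10.8.0.0/24

# Default outbound NAT: everything leaving the WAN gets the WAN address;
# ($ext_if) follows the interface address if it changes
nat on $ext_if from $int_net to any -> ($ext_if)

# Port forward with a range, on the primary public IP; the destination
# port is unchanged when none is given after the arrow
rdr on $ext_if proto tcp from any to $ext_ip port 8000:8100 -> $web_srv

# 1:1 NAT: bidirectional mapping of one host to the second public IP
binat on $ext_if from $mail_srv to any -> $ext_ip2

# NAT reflection: an internal client connecting to the public IP is
# redirected to the server, and its source is rewritten to the firewall's
# LAN address so the server's reply comes back through the firewall
rdr on $int_if proto tcp from $int_net to $ext_ip port 80 -> $web_srv
nat on $int_if proto tcp from $int_net to $web_srv port 80 -> ($int_if)

# Filter rules see the post-translation (internal) destination
pass in on $ext_if proto tcp from any to $web_srv port { 80, 8000:8100 }
pass in on $ext_if proto tcp from any to $mail_srv port { 25, 465 }
```

Because the filter evaluates packets after translation, the pass rules reference the internal server addresses rather than the public IPs.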
Multi-Link Management
Perimeter Defender’s Multiple Link Management supports WAN redundancy and delivers assured WAN availability and reliable connectivity for an “always-on” network.
• Automated Load Balancing
• Automatic Link Failover
• Wireless WAN Technologies
High Availability and Redundancy
The combination of CARP and Perimeter Defender’s configuration synchronization provides high availability functionality. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. The Perimeter Defender software also includes configuration synchronization capabilities, so you make your configuration changes on the primary and they automatically synchronize to the secondary firewall.
The firewall’s state table is replicated to all failover configured firewalls. This means your existing connections will be maintained in the case of failure, which is important to prevent network disruptions.
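The failover group described above relies on two protocols that the ruleset must permit: CARP for the shared virtual addresses and pfsync for state table replication. The fragment below is an added example, not Perimeter Defender's own configuration; it assumes a pf-based filter with CARP and pfsync, and the interface names, sync network and virtual IP are constructed.

```pf
# Added example, not the product's own configuration. Assumes pf with
# CARP and pfsync; all names and addresses are constructed.

ext_if  = "em0"
lan_if  = "em1"
sync_if = "em3"                 # dedicated link between the two firewalls
wan_vip = "203.0.113.10"        # CARP virtual IP on the WAN

# CARP advertisements must pass on every interface that carries a virtual
# IP, or the secondary will believe the primary is gone and take over
pass on $ext_if proto carp
pass on $lan_if proto carp

# State replication only on the dedicated sync link; it is unauthenticated,
# so it must never be reachable from a user network
pass on $sync_if proto pfsync
block in on { $ext_if, $lan_if } proto pfsync

# Services are published on the shared address, not on either node's own
# address, so existing states survive a failover unchanged
pass in on $ext_if proto tcp from any to $wan_vip port 443
```

Restricting pfsync to the dedicated link matters because replicated states are accepted without authentication; confining the protocol to a point-to-point interface is the standard mitigation.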
Captive Portal
Captive portal allows you to force authentication, or redirection to a click through page for network access. This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access.
• Maximum concurrent connections – Limit the number of connections to the portal itself per client IP. This feature prevents a denial of service from client PCs sending network traffic repeatedly without authenticating or clicking through the splash page.
• Idle timeout – Disconnect clients who are idle for more than the defined number of minutes.
• Hard timeout – Force a disconnect of all clients after the defined number of minutes.
• Logon pop-up window – Option to pop up a window with a log off button.
• URL Redirection – After authenticating or clicking through the captive portal, users can be forcibly redirected to the defined URL.
• MAC filtering – Clients are identified by MAC address by default. If you have a subnet behind a router on a captive portal enabled interface, every machine behind the router will be authorized after one user is authorized, because they all share the router's MAC address. MAC filtering can be disabled for these scenarios.
• Authentication options include no authentication, local user manager, and RADIUS authentication – RADIUS is the preferred authentication method for corporate environments and ISPs. It can be used to authenticate against Microsoft Active Directory and numerous other RADIUS servers.
• RADIUS capabilities include forced re-authentication; the ability to send accounting updates; configuration of redundant RADIUS servers; and RADIUS MAC authentication, which allows the captive portal to authenticate to a RADIUS server using the client’s MAC address as the user name and password.
• HTTP or HTTPS – The portal page can be configured to use either HTTP or HTTPS.
• Pass-through MAC and IP addresses – MAC and IP addresses can be whitelisted to bypass the portal. Any machines with NAT port forwards will need to be bypassed so the reply traffic does not hit the portal.
• File Manager – This allows you to upload images for use in your portal pages.
Reporting and Real-Time Monitoring
Historical RRD graphs provide detailed reporting on:
• CPU utilization
• Total throughput
• Firewall states
• Individual throughput for all interfaces
• Packets per second rates for all interfaces
• WAN interface gateway(s) ping response times
• Traffic shaper queues on systems with traffic shaping enabled
Real-time information is available through:
• SVG graphs showing real-time throughput for each interface.
• For traffic shaper users, a real-time display of queue usage with AJAX-updated gauges.
• AJAX gauges displaying real-time CPU, memory, swap and disk usage, and state table size.
Perimeter Defender™ Security Gateway Appliances

| Model | Best used for | Processor | RAM | Storage Option | Ports | Power |
| --- | --- | --- | --- | --- | --- | --- |
| PD-4002 | SOHO Network, Remote Worker | TI AM3352 ARM 600 MHz | 512MB DDR3 | 4GB eMMC Flash | 2x 1GbE | 2.5W (idle) |
| PD-4012 | SOHO Network, Remote Worker | Intel Atom® 1.7 GHz 2-Core | 2GB DDR3L | 4GB eMMC Flash | 2x Intel 1GbE | 6W (idle) |
| PD-4004 | Small Business, SMB Network, Gigabit Speeds | Intel Atom® 1.7 GHz 2-Core | 4GB DDR3L | 8GB eMMC Flash / 30GB mSATA SSD / 128GB mSATA SSD | 4x Intel 1GbE | 7W (idle) |
| PD-4006 | Medium Business, SMB Network, Gigabit Speeds | Intel Atom® 2.4 GHz 4-Core | 8GB DDR3L | 32GB eMMC Flash / 128GB mSATA SSD | 6x Intel 1GbE | 7W (idle) |
| PD-4008 | Medium Business, SMB Network, Gigabit Speeds | Intel Atom® 2.4 GHz 8-Core | 8GB DDR3L | 64GB eMMC Flash / 128GB mSATA SSD | 6x Intel 1GbE | 9W (idle) |
| PD-4016 | Medium Business, Large Business, Branch Offices | Intel Atom® 2.4 GHz 8-Core | 16GB ECC | 120GB SSD | 2x 10GbE SFP+, 3x Intel 1GbE, 1x Intel 1GbE RJ-45/SFP | 20W (idle) |
| PD-4014 | Medium Business, Large Business, Branch Offices | Intel Atom® 2.1 GHz 8-Core | 16GB DDR4 | 120GB SSD | 2x Intel 10GbE, 2x Intel 1GbE | 20W (idle) |