Hillstone Networks’ X7180 data center firewall offers outstanding performance, reliability, and scalability, for high-speed service providers, large enterprises and carrier networks. It provides flexible firewall security for multi-tenant cloud-based security-as-a-service environments. The X7180 platform is based on Hillstone’s Elastic Security Architecture (ESA), which offers highly scalable virtual firewalls, exceptional firewall throughput, massive concurrent sessions and very high new sessions per second. The X7180 also supports Deep Packet Inspection (DPI), next generation application control and Quality of Service (QoS). The system delivers exceptional performance in a small form factor with low power requirements.

Hillstone’s Elastic Security Architecture: A breakthrough technology for data centers

Streaming media, web-based applications, VoIP, peer-to-peer file sharing, mobile devices, cloud computing, and international presence are all contributing to accelerating data center traffic. As core network traffic increases, the need for high-speed network interfaces and high port densities becomes critical. Mobile device traffic also requires more emphasis since network security solutions can degrade significantly when the traffic shifts toward a large number of users and smaller packet size. As a result, datacenter firewalls must provide high throughput, large numbers of concurrent sessions and high numbers of new sessions per second. More importantly, they must respond to the usage patterns of its customers, which are often highly unpredictable. Consequently, data center firewalls must also provide rapid elasticity and on-demand security.

 

The X7180 data center firewall is built on Hillstone’s Elastic Security Architecture. It can support up to 1000 virtual firewalls and it can be provisioned as an on-demand service option complete with service level agreements (SLAs). Service providers can dynamically adjust resource allocation (CPU, sessions, policies and ports) for each virtual firewall in response to SLAs. Hillstone’s X7180 hardware is composed of multiple security and networking blades that provide scalability for future growth. It leverages a distributed multi-core architecture enabling wire-speed performance up to 680 Gbps throughput, 240 million concurrent sessions and 4.8 million new sessions per second. The chassis supports up to 68×10-GbE ports or 144x1GbE ports.

NAT and IPv6

The inevitable march to IPv6 is underway but service providers still need to deploy Carrier Grade NAT (CGN) and Large Scale NAT (LSN) to manage the IPv4 address shortage while the transition is underway. Hillstone’s X7180 supports a variety of transition technologies including Dual Stack, IPv6/IPv4 tunnels, DNS64/NAT64, NAT 444, full cone NAT, NAPT, etc. Session logging and address translation enable audit trails for record keeping and forensics.

Energy efficiency

The X7180 has slots front and rear, which saves rack space and facilitates cooling. It has a 5U form factor and a maximum power consumption of 1300W, which is 50–67% less power than other data center firewalls.

Security

The X7180 provides visibility and control of over 3,000 web applications including 600 mobile applications and encrypted P2P applications. It allows fine grain control of applications, bandwidth, users, and user/groups. The X7180 prevents users from accessing malicious or inappropriate applications and the embedded Intrusion Prevention System (IPS) protects the network from malicious activity. The X7180 supports deep packet inspection and standard-based IPsec VPN, which uses hardware based crypto acceleration to provide third-generation SSL VPN. Hillstone also offers a unique Plug-and-Play VPN solution that makes branch office VPN deployment a simple task.

QoS

The X7180 platform can manage bandwidth based on applications, users, and time of day. The system provides fine-grained policy control including guaranteed bandwidth, bandwidth limit, traffic priority, and FlexQoS, which can dynamically adjust bandwidth based on utilization. These features, along with session limit, policy routing and link load balancing enable flexible bandwidth management.

Key features

  • Dynamic routing (OSPF, BGP, RIPv2)
  • Static and policy routing
  • Route controlled by application
  • Built-in DHCP, NTP, DNS server and DNS proxy
  • Tap mode—connect to SPAN port
  • Interface modes: sniffer, port aggregated, loopback, VLANS (802.1Q and trunking)
  • L2/L3 switching & routing
  • Virtual wire (Layer 1) transparent inline deployment
  • Operating modes: NAT/route, transparent (bridge), and mixed mode
  • Policy objects: predefined, custom, and object grouping
  • Security policy based on application, role and geo-location
  • Application Level Gateways and session support: MSRCP, PPTP, RAS, RSH, SIP, FTP, TFTP, HTTP, dcerpc, dns-tcp, dns-udp, H.245 0, H.245 1, H.323
  • NAT and ALG support: NAT46, NAT64, NAT444, SNAT, DNAT, PAT, Full Cone NAT, STUN
  • NAT configuration: per policy and central NAT table
  • VoIP: SIP/H.323/SCCP NAT traversal, RTP pin holing
  • Global policy management view
  • Security policy redundancy inspection
  • Schedules: one-time and recurring
  • Protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclopedia
  • IPS Actions: default, monitor, block, reset (attackers IP or victim IP, incoming interface) with expiry time
  • Packet logging option
  • Filter Based Selection: severity, target, OS, application or protocol
  • IP exemption from specific IPS signatures
  • IDS sniffer mode
  • IPv4 and IPv6 rate based DoS protection with threshold settings against TCP Syn flood, TCP/UDP/SCTP port scan, ICMP sweep, TCP/UDP/SCIP/ICMP session flooding (source/destination)
  • Active bypass with bypass interfaces
  • Predefined prevention configuration
  • Abnormal protocol attack defense
  • Anti-DoS/DDoS, including SYN Flood, DNS Query Flood defense
  • ARP attack defense
  • Flow-based web filtering inspection
  • Manually defined web filtering based on URL, web content and MIME header
  • Dynamic web filtering with cloud-based real-time categorization database: over 140 million URLs with 64 categories (8 of which are security related)
  • Web filtering profile override: allows administrator to temporarily assign different profiles to user/group/IP
  • Additional web filtering features:
    • Filter Java Applet, ActiveX and/or cookie
    • Block HTTP Post
    • Log search keywords
    • Exempt scanning encrypted connections on certain categories for privacy
  • Web filter local categories and category rating override
  • Botnet server IP blocking with global IP reputation database
  • Application identification for SSL encrypted traffic
  • IPS enablement for SSL encrypted traffic
  • AV enablement for SSL encrypted traffic
  • URL filter for SSL encrypted traffic
  • SSL Encrypted traffic whitelist
  • SSL proxy offload mode
  • File transfer control based on file name, type and size
  • File protocol identification, including HTTP, HTTPS, FTP, SMTP, POP3 and SMB protocols
  • File signature and suffix identification for over 100 file types
  • Over 3,000 applications that can be filtered by name, category, subcategory, technology and risk
  • Each application contains a description, risk factors, dependencies, typical ports used, and URLs for additional reference
  • Actions: block, reset session, monitor, traffic shaping
  • Identify and control applications in the cloud
  • Provide multi-dimensional monitoring and statistics for applications running in the cloud, including risk category and characteristics
  • Max/guaranteed bandwidth tunnels or IP/user basis
  • Tunnel allocation based on security domain, interface, address, user/user group, server/server group, application/app group, TOS, VLAN
  • Bandwidth allocated by time, priority, or equal bandwidth sharing
  • Type of Service (TOS) and Differentiated Services (DiffServ) support
  • Prioritized allocation of remaining bandwidth
  • Maximum concurrent connections per IP
  • Weighted hashing, weighted least-connection, and weighted round-robin
  • Session protection, session persistence and session status monitoring
  • Server health check, session monitoring and session protection
  • Bidirectional link load balancing
  • Outbound link load balancing includes policy based routing, ECMP and weighted, embedded ISP routing and dynamic detection
  • Inbound link load balancing supports SmartDNS and dynamic detection
  • Automatic link switching based on bandwidth, latency, jitter, connectivity, application etc.
  • Link health inspection with ARP, PING, and DNS
  • IPSec VPN:
    • IPSEC Phase 1 mode: aggressive and main ID protection mode
    • Peer acceptance options: any ID, specific ID, ID in dialup user group
    • Supports IKEv1 and IKEv2 (RFC 4306)
    • Authentication method: certificate and pre-shared key
    • IKE mode configuration support (as server or client)
    • DHCP over IPSEC
    • Configurable IKE encryption key expiry, NAT traversal keep alive frequency
    • Phase 1/Phase 2 Proposal encryption: DES, 3DES, AES128, AES192, AES256
    • Phase 1/Phase 2 Proposal authentication: MD5, SHA1, SHA256, SHA384, SHA512
    • Phase 1/Phase 2 Diffie-Hellman support: 1,2,5
    • XAuth as server mode and for dialup users
    • Dead peer detection
    • Replay detection
    • Autokey keep-alive for Phase 2 SA
  • SSL VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design)
  • IPSEC VPN configuration options: route-based or policy based
  • IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode
  • One time login prevents concurrent logins with the same username
  • SSL portal concurrent users limiting
  • SSL VPN port forwarding module encrypts client data and sends the data to the application server
  • Supports clients that run iOS,Android,and Windows XP/Vista including 64-bit Windows OS
  • Host integrity checking and OS checking prior to SSL tunnel connections
  • MAC host check per portal
  • Cache cleaning option prior to ending SSL VPN session
  • L2TP client and server mode, L2TP over IPSEC, and GRE over IPSEC
  • View and manage IPSEC and SSL VPN connections
  • PnPVPN
  • Management over IPv6, IPv6 logging and HA
  • IPv6 tunneling, DNS64/NAT64 etc.
  • IPv6 routing protocols, static routing, policy routing, ISIS, RIPng, OSPFv3 and BGP4+
  • IPS, Application identification, Access control, ND attack defense
  • System resource allocation to each VSYS
  • CPU virtualization
  • Non-root VSYS support firewall, IPSec VPN, SSL VPN, IPS, URL filtering
  • VSYS monitoring and statistic
  • Redundant heartbeat interfaces
  • Active/Active and Active/Passive
  • Standalone session synchronization
  • HA reserved management interface
  • Failover:
    • Port, local & remote link monitoring
    • Stateful failover
    • Sub-second failover
    • Failure notification
  • Deployment options:
    • HA with link aggregation
    • Full mesh HA
    • Geographically dispersed HA
  • Twin-mode failover
  • Local user database
  • Remote user authentication: TACACS+, LDAP, Radius, Active
  • Single-sign-on: Windows AD
  • 2-factor authentication: 3rd party support, integrated token server with physical and SMS
  • User and device-based policies
  • User group synchronization based on AD and LDAP
  • Support for 802.1X, SSO Proxy
  • Management access: HTTP/HTTPS, SSH, telnet, console
  • Central management: Hillstone Security Manager (HSM), web service APIs
  • System integration: SNMP, syslog, alliance partnerships
  • Rapid deployment: USB auto-install, local and remote script execution
  • Dynamic real-time dashboard status and drill-in monitoring widgets
  • Language support: English
  • Logging facilities: local memory and storage (if available), multiple syslog servers and multiple Hillstone Security Audit (HSA) platforms
  • Encrypted logging and log integrity with HSA scheduled batch log uploading
  • Reliable logging using TCP option (RFC 3195)
  • Detailed traffic logs: forwarded, violated sessions, local traffic, invalid packets
  • Comprehensive event logs: system and administrative activity audits, routing & networking, VPN, user authentications, WiFi related events
  • IP and service port name resolution option
  • Brief traffic log format option
  • Three predefined reports: Security, Flow and network reports
  • User defined reporting
  • Reports can be exported in PDF via Email and FTP

Resources