
Feb 19, 2023

Empowering Cyber Security and Resiliency with Hillstone Networks StoneOS 5.5R10


In a post-pandemic world with a distributed workforce, the traditional, edge-based security model must be modified, so as to reinforce the defenses against the expanded cyber-attack surface brought on by the hybrid workforce.

Hillstone Networks is happy to announce the release of a major upgrade to our proprietary operating system – StoneOS 5.5R10 – with 300+ new features. StoneOS is the bedrock of all Hillstone next-generation firewalls. With enhancements in AI-based threat detection, remote access, system operations and robustness, it arms users to better withstand attacks and cope with SecOps issues.

Highlights of StoneOS 5.5R10

AI-empowered threat protection

Excellent detection capability undoubtedly contributes to threat protection. With the help of a machine learning (ML) model, the new release can detect abnormal encrypted traffic without decryption. This feature not only fills the gap of detecting encrypted traffic when it cannot be decrypted, but also demands far less computing power than decrypting the traffic and inspecting it in the clear, likely improving detection efficiency.

On top of the detection, the protection capability is also directly tied to the effectiveness of the assessment. Specifying the thresholds for attack defenses plays a pivotal role in anti-DDoS protection, because the threshold value indicates the cut-off value for traffic assessed as abnormal. This is why the accuracy of the threshold value affects the accuracy of the protection: too high a threshold can disrupt normal operations, while too low a threshold cannot stop anomalous traffic. The thresholds suggested by an ML model may help the security team better conduct more accurate and efficient assessments of attacks.

In addition, StoneOS 5.5R10 enhances the blacklist used by the perimeter traffic filtering (PTF) feature, providing even greater defense against malicious traffic.

Centralized Zero Trust control and management

Zero trust network access (ZTNA) is gradually becoming an advantageous solution for managing hybrid work environments due to its granular access control, in contrast to VPN which provides users access to everything on the network once a private, encrypted tunnel is built.

ZTNA policies are the core of defining users’ access to application resources, but deploying and managing those policies can become a challenge for SecOps teams as both the number of policies and the number of ZTNA gateways grow. This release implements centralized management of ZTNA policies through Hillstone Security Management (HSM) to help users out. Moreover, the new release is committed to enhancing the security, availability, and adaptability of the ZTNA service: it supports single packet authentication (SPA) so that ZTNA gateways only open service to authenticated users, establishes multi-gateway deployments to guarantee the high availability of the ZTNA service, supports the majority of mainstream operating systems for ZTNA clients, and provides a more informative portal.

Smarter interconnectivity through VPN

Slow transmission or poor connectivity degrades the user experience and makes for unhappy customers. The latest StoneOS addresses this by supporting ECMP and failover for intelligent VPN routing, which allows for more reasonable bandwidth utilization. Additionally, to further improve connectivity, StoneOS offers IPSec VPN tunnel establishment over custom ports, with auto-negotiation, in case the default ports 500 and 4500 are blocked. Together, these features help keep the business undisrupted.

Streamlined system operations

Due to budget and resource constraints, enterprises, especially small and medium-sized businesses, tend to be unwilling or unable to create a well-staffed security team. To assist them in security operations, the new release introduces a super simple start-up wizard.

In practice, the number of NAT rules keeps growing, and some of them may be redundant. However, manually sorting through a large number of NAT rules is time-consuming and error-prone. Therefore, StoneOS provides automated redundancy checks for NAT rules to reduce this manual workload.
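To make the idea of a NAT redundancy check concrete, here is an added illustration (not StoneOS code, and not Hillstone's algorithm): under first-match semantics, a later rule is redundant when an earlier rule already matches everything it would match. The match fields (source, destination, service) and the sample rules are constructed assumptions.

```python
"""Redundancy check for an ordered NAT rule set (illustrative, not StoneOS code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class NatRule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    service: str  # "any" or one L4 service such as "tcp/443" (simplified model)
    action: str   # translation applied, e.g. the SNAT pool (constructed values)


def rule(name: str, src: str, dst: str, service: str, action: str) -> NatRule:
    return NatRule(name, ip_network(src), ip_network(dst), service, action)


def covers(earlier: NatRule, later: NatRule) -> bool:
    """True if every packet matched by `later` is already matched by `earlier`."""
    return (later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.service in ("any", later.service))


def find_redundant(rules: list[NatRule]) -> list[tuple[str, str, bool]]:
    """Return (later_rule, earlier_rule, same_action) for every rule that can
    never be hit. same_action=True means it is safe to delete; False means the
    earlier rule shadows it with a different translation, likely a misconfiguration."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name, earlier.action == later.action))
                break  # first covering rule is enough to prove redundancy
    return findings


# Constructed sample rule set, evaluated top to bottom.
SAMPLE_RULES = [
    rule("R1", "10.0.0.0/8",    "0.0.0.0/0",    "any",     "snat-pool-A"),
    rule("R2", "10.0.1.0/24",   "0.0.0.0/0",    "tcp/443", "snat-pool-A"),  # redundant
    rule("R3", "10.0.2.0/24",   "192.0.2.0/24", "any",     "snat-pool-B"),  # shadowed
    rule("R4", "172.16.0.0/12", "0.0.0.0/0",    "any",     "snat-pool-A"),  # live
]

if __name__ == "__main__":
    for later, earlier, same in find_redundant(SAMPLE_RULES):
        kind = "redundant (same action)" if same else "shadowed (different action)"
        print(f"{later} is {kind}: covered by {earlier}")
```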

The transition from IPv4 to IPv6 is also an urgent issue for many users, and StoneOS 5.5R10 allows Internet Service Providers (ISPs) to carry IPv6 packets over an IPv4 network seamlessly using the IPv6 Rapid Deployment (6RD) tunnel protocol.

Enhanced system robustness

For business continuity, the new release supports the advanced high availability (HA) peer mode solution and graceful restart of Border Gateway Protocol (BGP).

HA protects companies from lost revenue when access to their data resources and critical business applications is disrupted, and HA peer mode is frequently used to deal with asymmetric routing. In the previous peer mode, when a switch or router connected to the HA firewalls served as the gateway for hosts, the gateway distributed traffic to both firewalls. If one firewall failed, traffic destined for it was still delivered to it, causing packet loss. The Hillstone Virtual Redundancy Protocol (HSVRP) solution binds HSVRP groups to the virtual forwarding group interfaces on each firewall, assigns IP addresses to the HSVRP groups, and lets the gateway distribute traffic to the IP addresses of the active HSVRP groups. If a firewall fails, its active HSVRP group seamlessly floats to the other firewall, so the surviving firewall owns both IP addresses the gateway distributes traffic to, and traffic continues undisrupted. StoneOS therefore takes over traffic from the failed device in a timely manner, assuring no packet loss under these circumstances.

The BGP graceful restart ensures that the data plane can continue to direct data forwarding during equipment restart or master-backup switchover, while actions such as neighbor relationship reconstruction and route calculation at the control plane will not affect functions at the data plane. With BGP graceful restart, StoneOS 5.5R10 prevents service interruptions and enhances the overall network reliability.

For more information, contact your Hillstone representative or authorized reseller.