Expanded Protection with a Future-proof Technology and An Intuitive User Experience
A full re-architecture delivers a modular design with robust security features to ensure consistency across different hardware and virtual platforms. A new user interface takes into consideration Design Thinking principles for an overall improvement in productivity and user experience.
Read about the five highlights that were updated in StoneOS 5.5R8 below.
Botnet Command & Control Protection from Edge to Cloud
Enterprise network admins are increasingly forced to constantly reassess their security posture, given how quickly the threat landscape evolves.
One of the more damaging battles when fighting against polymorphic malware is the defense against notorious Command and Control (also known as C&C, or C2) attacks, often executed over DNS with the goal of helping the attacker gain a foothold into the network to steal sensitive data or even to obtain full control of the network.
The latest StoneOS version enhances protection against C&C attacks from botnets with:
Robust data center firewall platform:
C&C botnet attack detection is fully supported on the X-Series data center firewall platforms, which protect the data center from any potential threat through the monitoring of C&C connections from L3 to L7.
DGA detection on data center firewalls:
Domain generation algorithms (DGAs) on infected hosts generate pseudo-random domain names, including C&C server domain names. The Hillstone firewall detects and prevents this type of traffic.
Botnet C&C customized access list:
The ability to dynamically adjust and customize the access list to allow or block based on the IP address or domain name.
DNS sinkhole support:
Protects hosts and the network by supplying admins with a detailed report of DNS access requests answered with false results, and by automatically redirecting systems to prevent connections to potentially malicious destinations.
DNS tunneling detection:
Detection of traffic over the DNS protocol, which could be exploited by suspicious, non-DNS protocols for C&C callbacks and data exfiltration.
Fully Performant Next-Gen Data Center Firewall with Extended Security Features
Environments that host data, apps, and infrastructure resources are a hotbed of threats and attacks. It is very important to ensure high performance, reliability and availability of all security functions under ever-growing demand. It is also critical to have a comprehensive, future-proof, easy-to-use and easy-to-manage feature set. With the latest StoneOS, the Hillstone Next-Gen Data Center firewall security platform is more powerful as the frontline of protection for valuable assets in the data center.
Key features providing higher performance and security:
Advanced policy-based firewall with granular control:
The Hillstone data center firewall is now armed with data analysis and policy-based, granular control with advanced IPv6 and multicast feature support.
Protection for any traffic and activity:
The high-performance, chassis-based data center network security system integrates richer intrusion prevention, application control, anti-virus, attack defense, URL filtering and botnet C&C detection with updated VPN features.
Enhanced distributed iQoS:
With IPv6 and service-based pipe allocation supported on distributed iQoS, the system implements QoS functions on I/O modules even in an IPv6 environment.
Terminal service monitoring:
Hillstone TS-Agent implements user-based policy enforcement and traffic control for thin clients using terminal services, also known as remote desktop service on Windows® Server.
Agile Configurations to Help Reinforce Policy Management
Policy enforcement and management can be complicated as organizations expand or contract or business requirements fluctuate or grow. With the latest release of StoneOS, admins can now take full advantage of new aggregate policy features to flexibly group or prioritize a hierarchy of policies. Additionally, StoneOS provides admins with the ability to dynamically and automatically assign user policies after authentication.
Configuration and policy management features:
Provides a flexible and powerful tool in policy definition to group and prioritize policies in batch based on requirements.
RADIUS dynamic authorization:
By leveraging RADIUS CoA (Change of Authorization) messages, aggregate policies intended for authenticated users can be automatically configured on firewalls in the network. This simplifies configuration and reduces operational overhead.
Importing/exporting policy rules:
Importing and exporting policies allows admins to manage policies more efficiently. The change also enables admins to back up a system and quickly restore or recover it by importing the policy file. The update significantly reduces complexity and saves operational and maintenance time with backups.
Configuration enhancements for service rule of policy:
Reduces complexity for DevOps by opening RESTful APIs and allowing direct configuration of ports and protocols in the Service Rule.
Consolidating Security with the Power of Virtualization
The StoneOS upgrade brings key security features to virtual systems, streamlining configuration and maintenance. This consolidation of security features extends protection to multi-tenant applications through Hillstone virtual system (VSYS), which allows for multi-tenancy by turning one physical appliance into multiple, isolated, logical virtual firewalls. Virtual environments get an extra boost with protection of virtual assets in public or private clouds through extended features for the CloudEdge virtual Next-Gen firewall platform, including the newly released higher performance VM08 model.
Key firewall and security feature updates to the virtual systems:
Robust feature set on non-root VSYS:
Each VSYS can now work independently as a fully functioning firewall with the addition of security features, including IP reputation, AV, QoS, and IPv6 traffic forwarding. VSYS configurations are available for exporting for backup and importing for restoration in the Web UI page, further streamlining operations.
Enhanced virtual NGFW:
For customers with high-bandwidth workloads that require more performance without compromising on security, the new VM08 offers twice the performance of the nearest model in the family, with the most concurrent sessions, IPsec sessions, and SSL VPN users available, along with seamless support for all new features supported in this release.
Reshaping the Enterprise Network Landscape
By Nov 2019, the pool of unallocated IPv4 addresses was already depleted. IPv6, which offers the greater connection integrity, security, and scalability required by the modern Internet, is the standards-based solution to this shortage. This release of StoneOS brings additional IPv6 features that allow enterprises to transition easily and be well prepared for the long term.
StoneOS brings additional IPv6 features that streamline the transition to IPv6:
IPv6 Jumbo Frame support:
IPv6 packets containing in excess of 1280 bytes are now supported.
IPv6 ISATAP support:
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is a transition mechanism that allows IPv6 packets to be transmitted between dual stack (IPv6 stack and IPv4 stack) nodes on top of IPv4 networks. This enables a smooth transition by allowing dual stack endpoints to access IPv6-based resources over an IPv4 network.
IPv6 support in Webauth and AAA Framework:
Supports AAA-based user authentication, traffic management and monitoring in a full IPv6 network.
IPv6 support in twin-mode:
Provides a high availability solution in an IPv6 deployment by enabling IPv6 traffic and control plane synchronization, active-passive failovers, and dynamic routing protocol synchronization.