Hillstone StoneOS 5.5R10

Threat Protection Enhancement with AI Technology

At any given time, organizations today can face multiple advanced attacks, such as 0-day attacks, threats in encrypted traffic, and other highly evasive attacks. The latest StoneOS leverages AI technology to provide Machine Learning (ML) based threat detection for encrypted traffic without the need for decryption, and intelligent DDoS protection, enhancing the existing intelligent threat protection capabilities on firewalls. Further, the optimized Perimeter Traffic Filtering (PTF) with a blacklist extension allows for broader threat protection.

StoneOS leverages ML technology to conduct analysis and threat detection for encrypted traffic in real time without the need for decryption. By sampling the number of encrypted traffic, the detection model can be continually trained, optimized, and delivered. The intelligent analysis and non-decryption process improve the efficiency and accuracy of threat detection for encrypted traffic, allowing better protection performance than traditional SSL decryption.

ML-based intelligent DDoS protection:

The ability to defend against DDoS attacks strongly depends on the configured attack detection threshold. However, it’s always difficult to manually configure a rational and accurate threshold since it’s closely related to a real network environment. The ML-based baseline establishment of the new StoneOS allows for auto-configuration for flood protection threshold. This ensures optimal, accurate and effective DDoS protection while allowing for automated configuration.

ML-powered DGA detection:

DGA can generate pseudo domain names randomly on infected hosts to evade security countermeasures. With ML capabilities integrated, StoneOS can now build and train the new detection model with the latest DGA data set and additional features extracted from the domain name, and real-time updates to the model in the form of a signature database. The ML-based algorithms for detecting DGA helps you better defend against unknown threats with higher effectiveness.

Robust blacklist empowers PTF:

PTF enables the firewalls to perform the fastest blocking of threats at the edge. The new StoneOS release improves PTF capability by supporting super capacity static IP blacklist and blacklist library, which are increased by 100 times and 10 times, respectively. Beyond that, more advanced functions of the blacklist are also supported, such as blocking based on username, and a new API interface for importing files to the blacklist library and blacklist log importation. The robust blacklist features empower the PTF function and deliver even more protection against threats.

Centralized Zero Trust Control and Management

As Zero Trust Network Control (ZTNA) is more widely deployed, how to centralize control and management for multiple ZTNA clients and gateways is coming into focus. The new release implements centralized management for a large number of ZTNA policies via the Hillstone Security Management (HSM), improving the overall operations and management of the solution. It also introduces other advanced features, such as intelligent connectivity in multiple gateways, etc., making operations safer and smarter.

Choosing the gateway with the best connection quality is critical for operational stability; manual configuration is not efficient nor effective. In the latest release of ZTNA, when a ZTNA connection fails or the network is abnormal, another available or more optimal gateway is automatically selected. With this feature, the availability and operational efficiency of the ZTNA service and distributed ZTNA gateways are significantly improved.

Centralized management of ZTNA policies:

The manual configuration of a large number of policies is both tedious as well as inefficient, especially in large-scale or complex deployments. The latest StoneOS release supports batch deployment and updates of ZTNA policies to multiple devices via the HSM platform, as well as maintenance of policies for an individual device, bringing higher O&M efficiency for ZTNA policies.

Single packet authentication:

Single packet authentication (SPA) uses a proven cryptographic technique to make internet-facing servers only visible to authorized users. With the support of SPA on firewalls and ZTNA clients, the firewall can hide the IP and ports of ZTNA, and only if the firewall approves the request with SPA sent from the ZTNA client, the connection can be established successfully. This further enhances access security and protects critical assets by reducing the attack surface and mitigating DoS attacks over Transparent Layer Security (TLS).

Multiple Operating System support:

The latest StoneOS extends the support of ZTNA clients on more mainstream Operating Systems in addition to Microsoft Windows®, including iOS, Mac OS, Android, and Linux. This allows more users and endpoints to benefit from the comprehensive capabilities of ZTNA.

ZTNA portal:

ZTNA portal can help users get a quick overview of all access limitations to the application resources. Based on the original function, the new ZTNA portal now supports instant information from the WebUI for restricted access, allowing users to update access as needed for a better user experience.

Smarter Interconnectivity with Extended VPN Capabilities

Site-to-site VPN deployment requires multiple gateways at each site connected through a VPN tunnel. This may cause system instability and inefficient connectivity since it involves complex installation, configuration, and management of gateways. The new StoneOS release brings extended VPN features that support ECMP and failover to improve the connection efficiency, and provides more IPSec VPN tunnel establishment options by configuring custom ports and auto-negotiation.

Poor VPN tunnel link quality or network environments can cause unstable connections. By supporting ECMP and failover in this new release, it not only enables smart load balancing over multiple IPSec tunnels, but also supports IPSec VPN link switching based on the link quality. It does this through comprehensive monitoring, which includes richer attributes for the IPSec tunnel, such as duration, sending/receiving rate, last setup, last breakdown, breakdown reason, and breakdown times. Thus, intelligent VPN routing brings better bandwidth utilization and ensures the business remains undisrupted.

Custom port configuration and auto-negotiation for tunnel establishment:

Service providers may block common VPN ports 500 and 4500 in some scenarios, resulting in failed tunnel establishment and an abnormal connection. This new feature allows users to establish IPSec VPN tunnels via auto-negotiation with the customized ports, eliminating restriction for blocked VPN ports and improving the effectiveness of connections.

Streamlined System Operation Offloads Redundant Workloads

Since efficiency plays a critical role in conducting and expanding business, organizations always look for improvements. The latest StoneOS facilitates system operations by introducing a series of features, such as simplified start-up wizard and automated NAT redundancy check. These additional features help you improve overall productivity by reducing or streamlining workloads.

Firewalls are necessary for most organizations but may require complex configurations at initial deployment, especially for large-scale environments. However, SMBs often need a simple configuration process due to the relatively straightforward security requirements and limited resources. With the super simplified start-up wizard in the WebUI, the configuration process can be finished under 5 minutes, bringing up to 400% improvement in the overall operational efficiency for SMBs.

Automated detection for NAT redundant rules:

Business applications are operated based on a large number of NAT rules. Typically, many duplicate and overlapping NAT rules need to be filtered manually. Automatically detecting NAT redundant rules reduce extra overhead while accurately maintaining the NAT rules, bringing higher O&M efficiency for organizations as well as reducing administrative overhead for security administrators.

Robust System-wide Enhancements Further Ensure Business Continuity

As systems become more complex, it becomes harder to run operations with the risk of system or network disruption. However, as the system continually complicates, organizations are facing more challenges of business disruption. In the latest StoneOS release, the system availability is improved across the board with support for advanced high availability (HA) and the graceful restart of Boarder Gateway Protocol (BGP), further ensuring business continuity for organizations.

HA peer mode can provide an Active/Active, highly available solution even in asymmetric routing deployment scenarios. But it becomes invalid when the IP address of the physical interface is set as the gateway address on each firewall in the HA group, which can result in business disruption. The new release optimizes the Active/Active HA solution via the Hillstone Virtual Redundancy Protocol (HSVRP), improving business continuity in the above scenario with higher availability of firewalls.

BGP supports graceful restart:

During HA failover, the BGP neighborhood between the HA firewalls and the edge router is re-established. With the support of BGP graceful restart, the BGP routes announced by the failed firewall will be marked as stable and remain active until the backup firewall announces the new BGP routes. This ensures system stability and avoids business disruption by enabling non-stop forwarding during the HA switching process.

Contact Us