Next Generation Firewall (NGFW): Stormshield

The distinguishing element of the Stormshield solution is the integration of the Stateful Inspection Firewall with the IPS (Intrusion Prevention System) module at the operating system kernel level. Such deep integration of the two key modules allows for high performance when analysing the entire packet, i.e. its header and content. In this way, STORMSHIELD devices meet two of the most important customer expectations - effectively eliminating dangerous traffic and ensuring high scanning performance.

To detect and block intrusions, Stormshield solutions use unique Active Security Qualification (ASQ) technology, which, through protocol analysis combined with advanced heuristics, allows threats to be detected independently of signatures (proactive protection). In this way, the network is protected against the latest threats for which signatures have not yet been created, guaranteeing the protection of network communications.

 Stormshield units have a disk for collecting and storing logs. On smaller models, there is the option to save logs directly to SD and SDHC cards. This is a particularly useful feature for customers using the lowest models, which do not have a built-in hard drive.

Stormshield appliances allow the control of SSL-encrypted traffic. The solution acts as an SSL proxy, enabling control of HTTPS, POP3S and SMTPS traffic. Inspection of SSL/TLS encrypted data takes place after the transmission has been decrypted. If the transmitted information is secure, STORMSHIELD re-encrypts the data, signs it with its own certificate and sends it to the user.

Falcon Insight can automatically take action in response to detected threats, such as isolating infected devices or blocking malware. The system enables real-time action to stop attacks before they become intrusions. Its response capabilities allow isolation and investigation of compromised systems, as well as direct access to endpoints during analysis.

All STORMSHIELD devices allow encryption of communications between locations using IPSec tunnels, which are configured using a simple graphical wizard. VPN connections for mobile users can be built using IPSec or SSL VPN using a free client or, for example, the OpenVPN application. For customers requiring protection of communication continuity in the event of a link failure, each device is equipped with a VPN failover function, thanks to which the tunnel will automatically set up on a backup link, guaranteeing uninterrupted communication.

STORMSHIELD solutions are available in both hardware and virtualised versions (on MS Hyper-V, VMWare, KVM, Citrix, Microsoft Azure and Amazon Web Services platforms). Both versions provide identically effective security for the protected network and can be administered from a web browser. Importantly, there is configuration portability between the hardware and virtualised versions. STORMSHIELD Elastic Virtual Appliance provides effective protection both between virtual machines and in the physical part of the network.

Stormshied solutions protect IT networks, but also industrial networks. Selected models are dedicated to industrial networks and are perfectly suited for use in harsh environments with high or low temperatures, shock, dust or electromagnetic interference. The devices can be installed on a DIN rail. Thanks to the Hardware Bypass function, the devices will not block network traffic and will not interfere with the operation of the industrial network even in situations of their own failure or power outages. The devices are capable of securing industrial protocols: Modbus, S7, OPC UA, EtherNet/IP, IEC 60870-5-104, OPC CLASSIC (DA/HDA/AE), UMAS, and BACnet/IP.

The tool is available as a virtual machine and allows logs to be collected from multiple devices in parallel. Stormshield Log Supervisor provides greater insight into network logs, while allowing administrators to customise and optimise incident response by managing incidents, creating rules for triggered alerts and more.

Stormshield's solutions provide two URL filters to block corporate network users from accessing selected websites (including those accessible via HTTPS). The first URL filter is dedicated to Polish web users and is the result of close cooperation between the manufacturer and the Polish distributor. The database of websites for this filter was created on the basis of an analysis of the Internet activity of employees of Polish companies. The filter provides more than 50 thematic categories according to which sites are classified. If a page is missing from the classification, it can be reported via a specially prepared tab on the www.stormshield.pl website. A page submitted in this way will be checked and added to the filter.

The second filtering option is cloud-based URL Filtering, with 65 categories - a total of more than 100 million URLs. The advantage of this filter is that it moves the verification process of a given web address from the device to the cloud, almost completely eliminating the performance impact of the solution.

 By integrating the Stormshield appliance with Active Directory, LDAP or multiple simultaneous user databases, it is possible to create security policies with users and groups. If no such user database already exists in the company network, one can be created using the appliance (LDAP database on the appliance).

Each Stormshield device is configured via an administration console in Polish accessible via a web browser. The Polish user interface has been appreciated by network administrators in Polish institutions and companies for many years. Thanks to this, administering Stormshield solutions is also possible using mobile devices. The interface has been divided into two tabs - Monitoring and Configuration. The advantage of such a division of the interface is the ability to switch between tabs without losing the status of the current operation.

Stormshield devices allow the administrator to fully control the use of network applications. This makes it possible, among other things, to block undesirable instant messaging applications (Skype, Gadu-Gadu) and P2P applications that load the connection in the company network. The administrator is also able to control employees' private mobile devices used during work (so-called BYOD).

Stormshield's solutions give the administrator full control of the protected network, and with a constantly evolving graphical interface, it is possible to obtain detailed information on network activity in real time. As an added convenience for administrators, the Log Line Details window provides a simple and clear way to view all events in detail.

Breach Fighter, a sandboxing service that serves to protect against previously unidentified threats of various types. Protection is achieved by analysing previously unrecognised files in an isolated, virtual environment. This process extends the effectiveness of the device's antivirus protection, supporting the traditional method of detecting malicious files. Breach Fighter enhances the ability to detect attacks in real time through technology based on behavioural analysis of the file being run.

The Vulnerability Audit, available in Stormshield solutions, presents the administrator with a detailed list of network applications running on workstations, e.g. Google Desktop, Firefox, anti-virus programmes, etc. Clicking on a designated application displays all the computers on which that programme has been installed, as well as allowing the administrator to check the version of the specific application and the system under which the selected station is running. Auditing works whenever a computer or server on the LAN generates traffic that is checked by the Stormshield appliance. Such traffic is filtered by the firewall and IPS, identifying the application initiating the traffic. Such an application is then screened for known vulnerabilities and attackers.

Thanks to the geolocalisation function, the administrator knows not only which source and destination IP addresses are being connected to, but also where the devices to which these addresses are assigned are physically located. Geoobjects also allow filtering policies to be created according to the country or continent associated with a connection's IP address, making it possible to block users from communicating with servers located in other countries or continents.

Managing multiple STORMSHIELD devices is possible through the Stormshield Management Center console, which has a similar user interface to each STORMSHIELD device. The administrator can manage multiple devices by selecting the interface in Polish. This makes the administration of multiple STORMSHIELD solutions extremely intuitive and does not require paging through additional documentation. With the help of the console, the administrator can gain direct access to his or her devices, without having to configure external access or create a dedicated VPN connection.