Firewall features

Woman points to icons showing security features of the operating system for the Unified Firewalls

Secured from A to Z: UTM security features for Unified Firewalls

The digitized present and sophisticated cyber attacks redefine the rules for your network security. Application control and blocking as well as intrusion detection and prevention are therefore a must-have for secure IT networks. Integrated in the powerful firewall operating system LCOS FX, these and other industry-leading UTM security features ensure a trustworthy IT infrastructure "Made in Germany" and a significant security advantage for your network. The feature set for the LANCOM R&S®Unified Firewalls and LANCOM vFirewalls is regularly expanded so that professional networks are also protected against new types of risks.

Technical features

  • Application Management & R&S®PACE 2 DPI engine
  • Intrusion Detection / Prevention System (IDS / IPS)
  • Anti-Virus / Anti-Malware / Anti-Spam
  • High availability (HA)
  • VPN: IPSec VPN & SSL VPN
  • Secure Web Gateway (SWG) using HTTP(S) proxy
  • DNS Web Filter & Content Filter
  • SD-WAN with dynamic routing & Traffic Shaping
  • Network segmentation (VLAN)
  • Management, monitoring & administration
  • User authentication
  • Cloud-managed Security
  • Backup & restore
  • SSL Inspection

Highlights

Unified Threat Management (UTM) combines multiple security functions into a holistic security package. This coordinated feature set facilitates the implementation and management of professional security strategies. The LCOS FX operating system offers, among other things, the following firewall security features for the LANCOM R&S®Unified Firewalls and LANCOM vFirewalls.

Note: A Full License is required to use all UTM features. The corresponding security features are marked with an *.

Application Manage­ment & R&S®PACE 2 DPI engine*

DPI-based control of applications and content

Monitoring digital applications and precisely classifying network traffic at the application level are just two of the many tasks performed by a Deep Packet Inspection (DPI) engine. The industry-leading R&S®PACE 2 DPI engine inspects data packets down to layer 7 – in other words, it analyzes not only the metadata but also the data area of a…

DPI-based control of applications and content

Monitoring digital applications and precisely classifying network traffic at the application level are just two of the many tasks performed by a Deep Packet Inspection (DPI) engine. The industry-leading R&S®PACE 2 DPI engine inspects data packets down to layer 7 – in other words, it analyzes not only the metadata but also the data area of a data packet. Using Application Management, the DPI engine allows you to decide for yourself which applications, application groups or protocols should be allowed (validated), filtered, or blocked in your network (Application Filter, Application-based routing). Definable blacklists and whitelists allow you to target your management of malicious or trusted applications.

Whitepaper: R&S®PACE 2 DPI engine

Intrusion Detection / Prevention System (IDS / IPS)*

Database-based protection against known threats

Known threats such as DDoS (Distributed Denial of Service), portscans, or botnets must also be taken seriously. To do this, the Intrusion Detection / Prevention System ("IDS / IPS") maintains a database of known threats to reliably protect end devices in the network from a wide range of hostile attacks. Included in the threat database…

Database-based protection against known threats

Known threats such as DDoS (Distributed Denial of Service), portscans, or botnets must also be taken seriously. To do this, the Intrusion Detection / Prevention System ("IDS / IPS") maintains a database of known threats to reliably protect end devices in the network from a wide range of hostile attacks. Included in the threat database is a blacklist of more than 40,000 active signatures, IP addresses, and patterns for detecting malware, interface and network scanning, as well as brute force attacks. The IDS mode detects and warns of malicious traffic. These alerts cause the IPS mode to terminate and henceforth block the communication link to hostile sources. In addition, "virtual patching" prevents the exploitation of known vulnerabilities, for example in non-patchable systems. In case of a "false alarm", the admin can allow the corresponding traffic and configure exceptions.

Anti-Virus / Anti-Malware / Anti-Spam*

Protection against unknown threats with sandboxing and machine learning

To protect networks against cyber attacks on previously unknown vulnerabilities ("zero-day exploits"), a multi-stage scanning concept detects and eliminates potential threats. To do so, cloud-based sandboxing and machine learning (ML) are used after a local scan. Machine…

Protection against unknown threats with sandboxing and machine learning

To protect networks against cyber attacks on previously unknown vulnerabilities ("zero-day exploits"), a multi-stage scanning concept detects and eliminates potential threats. To do so, cloud-based sandboxing and machine learning (ML) are used after a local scan. Machine learning helps passing on information about new attack attempts to all firewalls connected to the Anti-Virus cloud. Specifically, all firewalls "learn" from each other's experiences. In an isolated cloud test environment (sandbox), suspicious files are identified, analyzed, scanned, tested, and blocked if necessary. Reliable scanning of protocols such as HTTP/S, FTP, POP3/S, SMTP/S, and IMAP/S can be controlled with configurable exceptions in blacklists and whitelists. With Recurrent Pattern Detection (RPD), spam, phishing, and malware are detected based on the distribution pattern of emails. Suspicious emails are then automatically rejected or deleted.

Infopaper: Avira Protection Cloud

High availability (HA)

Increased reliability of your Unified Firewalls

For trouble-free operation, high availability is a necessity in critical network installations. Therefore, multiple Unified Firewalls in a HA cluster ensure increased reliability and constant availability. Thanks to the active / passive cluster, the second firewall of the same model only steps in when it is really needed. Hot…

Increased reliability of your Unified Firewalls

For trouble-free operation, high availability is a necessity in critical network installations. Therefore, multiple Unified Firewalls in a HA cluster ensure increased reliability and constant availability. Thanks to the active / passive cluster, the second firewall of the same model only steps in when it is really needed. Hot standby and stateful failover enable this without any interruptions immediately after the primary firewall fails, so that your business-critical systems are optimally protected at all times.

Illustration of a rectangle with icons symbolizing security features

VPN: IPSec VPN & SSL VPN

Secure and encrypted site networking

Company locations, such as branch offices or mobile employees in home offices, are securely connected via a virtual and private network (VPN). The client-configurable VPN acts like a secure data tunnel, although it uses the public Internet as a communication path. This creates a trustworthy Wide Area Network (WAN) that can only be accessed by…

Secure and encrypted site networking

Company locations, such as branch offices or mobile employees in home offices, are securely connected via a virtual and private network (VPN). The client-configurable VPN acts like a secure data tunnel, although it uses the public Internet as a communication path. This creates a trustworthy Wide Area Network (WAN) that can only be accessed by authorized persons thanks to user authentication. With IPSec and SSL, two different VPN technologies are available: IPSec uses the IKEv2 protocol recommended by the German Federal Office for Information Security (BSI) and supports NAT-T. IPsec tunnels can be used, for example, for high-performance site-to-site connections and SSL tunnels for flexible client-to-site connectivity.

Secure Web Gateway (SWG) using HTTP(S) proxy*

Filtering network traffic

A Secure Web Gateway (SWG) is used to protect a network and their devices against access from the Internet. This is precisely the task performed by the HTTP(S) proxy server in the Unified Firewalls, which analyzes and filters network traffic down to the application level. The proxy acts as a barrier between the user's own network and…

Filtering network traffic

A Secure Web Gateway (SWG) is used to protect a network and their devices against access from the Internet. This is precisely the task performed by the HTTP(S) proxy server in the Unified Firewalls, which analyzes and filters network traffic down to the application level. The proxy acts as a barrier between the user's own network and the web server and intercepts unsecured data traffic before it reaches the network. Using its own HTTP(S) proxy CA, the HTTP(S) proxy generates a pseudo-certificate for the website and uses this to establish a connection. HTTP(S) proxies are differentiated according to their level of anonymity and can be configured in the Unified Firewalls in transparent and non-transparent variants. 

DNS Web Filter
& Content Filter*

Content-based filters to protect against phishing attacks

The use of user-owned devices (BYOD) is no longer a novelty in schools or in hybrid work environments. The DNS Web Filter provides security without the need for certificates: Using an online scanning technology, DNS queries that pass through the DNS server of your Unified Firewalls are identified, classified, and filtered according…

Content-based filters to protect against phishing attacks

The use of user-owned devices (BYOD) is no longer a novelty in schools or in hybrid work environments. The DNS Web Filter provides security without the need for certificates: Using an online scanning technology, DNS queries that pass through the DNS server of your Unified Firewalls are identified, classified, and filtered according to their categories or individually configured blacklists and whitelists. This DNS-based protection immediately blocks unwanted and harmful page views. The Content Filter can also be used to define category-based filter rules for e.g. criminal, pornographic, or violent URLs and content. The rules can be configured individually for each user and can be adapted or overwritten via imported or exported URL lists (override function).

SD-WAN with dynamic routing & Traffic Shaping

Efficient and robust site networking

By efficiently controlling the maximum bandwidth as well as the line prioritizing (Traffic Shaping), the applications that are important to you are guaranteed to run with the best quality in and out of your network. Pre-configuration of common scenarios as well as selectable Traffic Shaping groups and profiles (QoS) depending on the WAN…

Efficient and robust site networking

By efficiently controlling the maximum bandwidth as well as the line prioritizing (Traffic Shaping), the applications that are important to you are guaranteed to run with the best quality in and out of your network. Pre-configuration of common scenarios as well as selectable Traffic Shaping groups and profiles (QoS) depending on the WAN connection save configuration time. By steering specific traffic directly to the Internet (Application Steering), you decide which applications (e.g. Microsoft 365) you trust to increase the overall performance of your network. In addition, multi-WAN and a dynamic, policy-based routing process ensure fast responses to network changes. Depending on the load level, the BGP (Border Gateway Protocol) routing protocol can be used to dynamically refine the optimal route internally and externally (EBGP, IBGP), comparable to a navigation system. Firewall rules can also be used to freely configure static routing for multiple gateways based on input and output interfaces as well as source and destination IP.

More Features

Network segmentation (VLAN)

User-based rules and network separation

The logical division of a network allows you to define individual security settings and access rights depending on the requirements of the user groups and to divide your infrastructures and applications into different areas. This separation (zoning) does not create classic physical networks, but purely logical virtual networks, so-called VLANs…

User-based rules and network separation

The logical division of a network allows you to define individual security settings and access rights depending on the requirements of the user groups and to divide your infrastructures and applications into different areas. This separation (zoning) does not create classic physical networks, but purely logical virtual networks, so-called VLANs (Virtual Local Area Networks). For example, you can separate the accounting network from the human resources network to limit unauthorized access to sensitive company data. The advantage: Your corporate network as a whole remains protected, even if a network segment is damaged. Unified Firewalls use user-, group- or time-based policies to monitor and control which users are allowed to communicate across zone boundaries, when and under what circumstances.

Management, monitoring & administration

Despite progressive automation, an "easy-to-use" operating concept is more than helpful. In order to reduce complexity and thus susceptibility to errors, the following tools and functions are available for the Unified Firewalls:

Despite progressive automation, an "easy-to-use" operating concept is more than helpful. In order to reduce complexity and thus susceptibility to errors, the following tools and functions are available for the Unified Firewalls:

  • Management tools with graphical interfaces, self-explanatory functions and dashboards, and initial setup wizards for an overview of the entire network
  • Role-based administration with object-oriented configuration and IP-based access restriction for SSH and web client
  • Extensive monitoring with statistics on e.g. IDS / IPS with application and surf control as well as connection tracking, simple network management protocols (SNMP v2c and v3), and logging to external syslog servers
  • Exportable, detailed report (executive report as PDF, HTML, CSV, or XLS)

User authentication

Policy compliance thanks to access rules

Network access control is indispensable to ensure that you always have an overview of which users, devices, and services are in the network, which identity is really behind them and who has which functions or is allowed to perform which actions. Authentication for policy compliance via web or client can be…

Policy compliance thanks to access rules

Network access control is indispensable to ensure that you always have an overview of which users, devices, and services are in the network, which identity is really behind them and who has which functions or is allowed to perform which actions. Authentication for policy compliance via web or client can be manifold:

  • Active Directory import
  • Local user management
  • Single sign-on (Kerberos)
  • Multiple logins
  • Captive portal
  • Terminal Server Support (via Remote Desktop IP Virtualization)

Cloud-managed Security

Management via the LANCOM Management Cloud (LMC)

The LMC automates and simplifies the management, configuration, and monitoring of your Unified Firewalls. For example, you can use the central management instance to administer Application Management and firmware updates. The automatic setup of VPN connections between all sites (Auto-VPN) is just as easy as the integration of new firewalls via a secure pairing process as well as the replacement of firewalls including complete configuration.

Techpaper: Cloud-managed Security

Backup & restore

Automatic or scheduled backups

Backups of your data are necessary to protect it from corruption and deletion. Especially complex firewall configurations should be backed up before significant changes or a firmware upgrade. Backups can be automatic or scheduled and controlled via local or remote access or imported automatically during an installation. In addition, the backups can be automatically uploaded (FTP, SCP) or saved to a USB stick in case of a disaster recovery.

SSL Inspection

Security even for encrypted channels

The increasing encryption of data traffic leads to a growing risk of malware infiltrating systems through encrypted channels. With Secure Sockets Layer Inspection, or SSL Inspection for short, Unified Firewalls offer the ability to perform scanning, filtering, and application detection even on encrypted data packets to successfully implement your security requirements.

Licenses

A valid license is required to operate a LANCOM R&S®Unified Firewall or LANCOM vFirewall.

Basic License

Use a high-performance security appliance to handle your internal network segmentation. With user-based rules and rights, professional user authentication, and – last but not least – the easy-to-use design of our interface, you can be sure that the rules in your various security zones are complied with in full. This license activates the firewall features as well as free support and firmware updates.

Full License

Take back control over your network with the complementary, full UTM features. Corporate policies, load, security, and data traffic are easy to monitor with our various filtering and scanning options. These include Content and App filters, the mature IDS / IPS system or our Anti-Virus, Anti-Spam and Anti-Malware features, and preventive security from unknown threats through integrated sandboxing and machine learning.

myLANCOM Firewall License Portal

Always keep a clear overview of the status of your firewall licenses: In the myLANCOM Firewall License Portal, you can monitor, activate and renew your firewall licenses all securely in one place and decide for yourself which of your employees will be granted access to the portal.

The right firewall for every size

When choosing the right firewall, both the amount of data traffic and the size of the company are decisive factors. With the LANCOM R&S®Unified Firewalls and the virtual variants of the LANCOM vFirewalls, you are ideally equipped for any application – and without compromising on security functions, because the maximum security of your network is guaranteed at all times by Unified Threat Management (UTM).

Further information & news

Convenient firewall management tools

Three management tools are available for central management and monitoring of your vFirewall: A graphical Web interface supports you with clear dashboards for the detailed configuration of your firewalls, while the LANCOM Management Cloud manages all devices, networks, and configurations in a highly automated way. The LANCOM R&S®UF Command Center also allows centralized management of many firewalls.

 

Learn more about the management tools

What matters in network security

An essential part of a company's IT infrastructure is ensuring network security. Read more about what risks and threats lurk and what immediate measures you can take to maintain the security of your network.

 

Learn more about network security topics

Your direct line to us

Most questions can be resolved best in direct contact: We look forward to answering your questions and requests by phone or via the contact form.

Inside Sales International Team
+49 (0)2405 49936 122
 

Feel free to write us