Firewall features

Woman points to icons showing security features of the operating system for the Unified Firewalls

Secured from A to Z: UTM security features for Unified Firewalls

The digitized present and sophisticated cyber attacks redefine the rules for your network security. Application control and blocking as well as intrusion detection and prevention are therefore a must-have for secure IT networks. Integrated in the powerful firewall operating system LCOS FX, these and other industry-leading UTM security features ensure a trustworthy IT infrastructure "Engineered in Germany" and a significant security advantage for your network. The feature set for the LANCOM R&S®Unified Firewalls and LANCOM vFirewalls is regularly expanded so that professional networks are also protected against new types of risks.

Technical features

Application Management & R&S®PACE 2 DPI engine
Intrusion Detection / Prevention System (IDS / IPS)
Anti-Virus / Anti-Malware / Anti-Spam
High availability (HA)
VPN: IPSec VPN, SSL VPN, and WireGuard
Secure Web Gateway (SWG) using HTTP(S) proxy
DNS Web Filter & Content Filter

SD-WAN with dynamic routing & Traffic Shaping
Network segmentation (VLAN)
Management, monitoring & administration
User authentication
Cloud-managed Security
Backup & restore
SSL Inspection

Techpaper: Cloud-managed Security

Infopaper: Avira Protection Cloud

Whitepaper: Network visibility through DPI and encryption proxies

Highlights

Unified Threat Management (UTM) combines multiple security functions into a holistic security package. This coordinated feature set facilitates the implementation and management of professional security strategies. The LCOS FX operating system offers, among other things, the following firewall security features for the LANCOM R&S®Unified Firewalls and LANCOM vFirewalls.

Note: A Full License is required to use all UTM features. The corresponding security features are marked with an *.

Application Management & R&S®PACE 2 DPI engine*

DPI-based control of applications and content

Monitoring digital applications and precisely classifying network traffic at the application level are just two of the many tasks performed by a Deep Packet Inspection (DPI) engine. The industry-leading R&S®PACE 2 DPI engine inspects data packets down to layer 7 – in other words, it analyzes not only the metadata but also the data area of a data packet. Using Application Management, the DPI engine allows you to decide for yourself which applications, application groups or protocols should be allowed (validated), filtered, or blocked in your network (Application Filter, Application-based routing). Definable blacklists and whitelists allow you to target your management of malicious or trusted applications.

Whitepaper: R&S®PACE 2 DPI engine

Whitepaper: Network visibility through DPI and encryption proxies

Intrusion Detection / Prevention System (IDS / IPS)*

Database-based protection against known threats

Known threats such as DDoS (Distributed Denial of Service), portscans, or botnets must also be taken seriously. To do this, the Intrusion Detection / Prevention System ("IDS / IPS") maintains a database of known threats to reliably protect end devices in the network from a wide range of hostile attacks. Included in the threat database is a blacklist of more than 40,000 active signatures, IP addresses, and patterns for detecting malware, interface and network scanning, as well as brute force attacks. The IDS mode detects and warns of malicious traffic. These alerts cause the IPS mode to terminate and henceforth block the communication link to hostile sources. In addition, "virtual patching" prevents the exploitation of known vulnerabilities, for example in non-patchable systems. In case of a "false alarm", the admin can allow the corresponding traffic and configure exceptions.

Anti-Virus / Anti-Malware / Anti-Spam*

Protection against unknown threats with sandboxing and machine learning

To protect networks against cyber attacks on previously unknown vulnerabilities ("zero-day exploits"), a multi-stage scanning concept detects and eliminates potential threats. To do so, cloud-based sandboxing and machine learning (ML) are used after a local scan. Machine learning helps passing on information about new attack attempts to all firewalls connected to the Anti-Virus cloud. Specifically, all firewalls "learn" from each other's experiences. In an isolated cloud test environment (sandbox), suspicious files are identified, analyzed, scanned, tested, and blocked if necessary. Reliable scanning of protocols such as HTTP/S, FTP, POP3/S, SMTP/S, and IMAP/S can be controlled with configurable exceptions in blacklists and whitelists. With Recurrent Pattern Detection (RPD), spam, phishing, and malware are detected based on the distribution pattern of emails. Suspicious emails are then automatically rejected or deleted.

Infopaper: Avira Protection Cloud

High availability (HA)

Increased reliability of your Unified Firewalls

For trouble-free operation, high availability is a necessity in critical network installations. Therefore, multiple Unified Firewalls in a HA cluster ensure increased reliability and constant availability. Thanks to the active / passive cluster, the second firewall of the same model only steps in when it is really needed. Hot standby and stateful failover enable this without any interruptions immediately after the primary firewall fails, so that your business-critical systems are optimally protected at all times.

Illustration of a rectangle with icons symbolizing security features

VPN: IPSec VPN, SSL VPN, and WireGuard

Secure and encrypted site networking

Company locations, such as branch offices or mobile employees in home offices, are securely connected via a virtual and private network (VPN). The client-configurable VPN acts like a secure data tunnel, although it uses the public Internet as a communication path. This creates a trustworthy Wide Area Network (WAN) that can only be accessed by authorized persons thanks to user authentication. With IPSec, SSL, and WireGuard, three different VPN technologies are available: IPSec uses the IKEv2 protocol recommended by the German Federal Office for Information Security (BSI) and supports NAT-T. IPsec tunnels can be used, for example, for high-performance site-to-site connections and SSL tunnels for flexible client-to-site connectivity. Support of the VPN standard WireGuard, on the other hand, effectively accelerates the establishment and administration of VPN connections and enables high data throughput by reducing encryption parameters.

Secure Web Gateway (SWG) using HTTP(S) proxy*

Filtering network traffic

A Secure Web Gateway (SWG) is used to protect a network and their devices against access from the Internet. This is precisely the task performed by the HTTP(S) proxy server in the Unified Firewalls, which analyzes and filters network traffic down to the application level. The proxy acts as a barrier between the user's own network and the web server and intercepts unsecured data traffic before it reaches the network. Using its own HTTP(S) proxy CA, the HTTP(S) proxy generates a pseudo-certificate for the website and uses this to establish a connection. HTTP(S) proxies are differentiated according to their level of anonymity and can be configured in the Unified Firewalls in transparent and non-transparent variants.

DNS Web Filter
& Content Filter*

Content-based filters to protect against phishing attacks

The use of user-owned devices (BYOD) is no longer a novelty in schools or in hybrid work environments. The DNS Web Filter provides security without the need for certificates: Using an online scanning technology, DNS queries that pass through the DNS server of your Unified Firewalls are identified, classified, and filtered according to their categories or individually configured blacklists and whitelists. This DNS-based protection immediately blocks unwanted and harmful page views. The Content Filter can also be used to define category-based filter rules for e.g. criminal, pornographic, or violent URLs and content. The rules can be configured individually for each user and can be adapted or overwritten via imported or exported URL lists (override function).

SD-WAN with dynamic routing & Traffic Shaping

Efficient and robust site networking

By efficiently controlling the maximum bandwidth as well as the line prioritizing (Traffic Shaping), the applications that are important to you are guaranteed to run with the best quality in and out of your network. Pre-configuration of common scenarios as well as selectable Traffic Shaping groups and profiles (QoS) depending on the WAN connection save configuration time. By steering specific traffic directly to the Internet (Application Steering), you decide which applications (e.g. Microsoft 365) you trust to increase the overall performance of your network. In addition, multi-WAN and a dynamic, policy-based routing process ensure fast responses to network changes. Depending on the load level, the BGP (Border Gateway Protocol) routing protocol can be used to dynamically refine the optimal route internally and externally (EBGP, IBGP), comparable to a navigation system. Multihop BGP can also be used to transmit BPG packets through an IPSec tunnel. Firewall rules can be used to freely configure static routing for multiple gateways based on input and output interfaces as well as source and destination IP. Alternatively, firewall rules can be created over and between DNS objects. The use of host names instead of fixed IP addresses makes it easier to create firewall rules.

More Features

Network segmentation (VLAN)

User-based rules and network separation

The logical division of a network allows you to define individual security settings and access rights depending on the requirements of the user groups and to divide your infrastructures and applications into different areas. This separation (zoning) does not create classic physical networks, but purely logical virtual networks, so-called VLANs (Virtual Local Area Networks). For example, you can separate the accounting network from the human resources network to limit unauthorized access to sensitive company data. The advantage: Your corporate network as a whole remains protected, even if a network segment is damaged. Unified Firewalls use user-, group- or time-based policies to monitor and control which users are allowed to communicate across zone boundaries, when and under what circumstances.

Management, monitoring & administration

Despite progressive automation, an "easy-to-use" operating concept is more than helpful. In order to reduce complexity and thus susceptibility to errors, the following tools and functions are available for the Unified Firewalls:

Management tools with graphical interfaces,…

Management tools with graphical interfaces, self-explanatory functions and dashboards, and initial setup wizards for an overview of the entire network
Role-based administration with object-oriented configuration and IP-based access restriction for SSH and web client
Extensive monitoring with statistics on e.g. IDS / IPS with application and surf control as well as connection tracking, simple network management protocols (SNMP v2c and v3), and logging to external syslog servers
Exportable, detailed report on system, alarm, and audit logs (executive report as PDF, HTML, or CSV)
Automatic e-mailing of security reports with configurable intervals for efficient archiving and auditing

User authentication

Policy compliance thanks to access rules

Network access control is indispensable to ensure that you always have an overview of which users, devices, and services are in the network, which identity is really behind them and who has which functions or is allowed to perform which actions. Authentication for policy compliance via web or client can be…

Policy compliance thanks to access rules

Active Directory import
Local user management
Single sign-on (Kerberos)
Multiple logins
Captive portal
Terminal Server Support (via Remote Desktop IP Virtualization)

Cloud-managed Security

Management via the LANCOM Management Cloud (LMC)

The LMC automates and simplifies the management, configuration, and monitoring of your Unified Firewalls. For example, you can use the central management instance to administer Application Management and firmware updates. The automatic setup of VPN connections between all sites (Auto-VPN) is just as easy as the integration of new firewalls via a secure pairing process as well as the replacement of firewalls including complete configuration.

Techpaper: Cloud-managed Security

Backup & restore

Automatic or scheduled backups

Backups of your data are necessary to protect it from corruption and deletion. Especially complex firewall configurations should be backed up before significant changes or a firmware upgrade. Backups can be automatic or scheduled and controlled via local or remote access or imported automatically during an installation. In addition, the backups can be automatically uploaded (FTP, SCP) or saved to a USB stick in case of a disaster recovery.

SSL Inspection

Security even for encrypted channels

The increasing encryption of data traffic leads to a growing risk of malware infiltrating systems through encrypted channels. With Secure Sockets Layer Inspection, or SSL Inspection for short, Unified Firewalls offer the ability to perform scanning, filtering, and application detection even on encrypted data packets to successfully implement your security requirements.

Licenses

A valid license is required to operate a LANCOM R&S®Unified Firewall or LANCOM vFirewall. With the flexible licensing model, you can choose between your desired scope of functions (Basic or Full) and the available license periods of 1, 3, or 5 years.

Basic License

Use a high-performance security appliance to handle your internal network segmentation. With user-based rules and rights, professional user authentication, and – last but not least – the easy-to-use design of our interface, you can be sure that the rules in your various security zones are complied with in full. This license activates firewall features and offers firmware updates as well as support services.

Full License

Take back control over your network with the complementary, full UTM and VPN features. Corporate policies, load, security, and data traffic are easy to monitor with our various filtering and scanning options. These include Content Filter with youth protection filter and App Filters, the mature IDS / IPS system or our Anti-Virus, Anti-Spam and Anti-Malware features, and preventive security from unknown threats through integrated sandboxing and machine learning.

myLANCOM Firewall License Portal

Always keep a clear overview of the status of your firewall licenses: In the myLANCOM Firewall License Portal, you can monitor, activate and renew your firewall licenses all securely in one place and decide for yourself which of your employees will be granted access to the portal.

Ask for access

The right firewall for every size

When choosing the right firewall, both the amount of data traffic and the size of the company are decisive factors. With the LANCOM R&S®Unified Firewalls and the virtual variants of the LANCOM vFirewalls, you are ideally equipped for any application – and without compromising on security functions, because the maximum security of your network is guaranteed at all times by Unified Threat Management (UTM).

Product collage of LANCOM R&S®Unified Firewalls desktop models

Desktop models of the LANCOM R&S®Unified Firewalls

Product collage of LANCOM R&S®Unified Firewalls rack models

Rack models of the LANCOM R&S®Unified Firewalls

Two employees are standing in a server room, next to them is the icon of the LANCOM vFirewall

Virtual Unified Firewalls

Further information & news

Convenient firewall management tools

Three management tools are available for central management and monitoring of your firewall: A graphical Web interface supports you with clear dashboards for the detailed configuration of your firewalls, while the LANCOM Management Cloud manages all devices, networks, and configurations in a highly automated way. The LANCOM R&S®UF Command Center also allows centralized management of many firewalls.

Learn more about the management tools

Collage of the three management tools for the LANCOM R&S®Unified Firewalls

What matters in network security

An essential part of a company's IT infrastructure is ensuring network security. Used effectively, it reliably fends off unauthorized access, data manipulation, or data theft with blackmail, system paralysis (DDoS attacks), and other damage caused by hackers, malware, and viruses. Read more about what risks and threats lurk and what immediate measures you can take to maintain the security of your network.

Learn more about network security topics

Markus Irle, Vice President Firewall and Security with IT colleagues in firewall server room

Everything NIS2 compliant?

Does your technical equipment fulfil the NIS2 requirements?

The EU directive on network and information security for enterprises, NIS2, may also affect you and sets strict security standards that could require action. We support you with expert knowledge, tips, and recommendations in video, text and image form.

Take the NIS2 check now and find out everything you need to know on our topic page.

To the NIS2 check