Next Generation Firewall

Overview

The Tianqing Hanma T Series Firewall is a new generation of T-bit level high-performance firewall product launched by Qixingchen. It innovatively adopts an architecture that combines SDN hardware switching with multi-core CPU service modules, providing non-blocking data processing capability of up to 1.2T.

By means of a high-assurance-grade VSOS security operating system and a high-performance application layer traffic processing engine, it reconstructs security control, traffic classification, and attack protection from the multi-dimensional perspective of business, user, application, and behavior. It provides functions such as VPN, application identification, anti-virus, intrusion prevention, behavior management, Web protection, multi-layer nested QoS, and user authentication. It provides user policy, application policy, behavioral policy and other intelligent control means to realize the deep integration of L4-L7 layer services, providing users with high-performance, highly reliable integrated security protection.

It supports linkage with the Tian Tian advanced persistent threat detection and management system (APT), the Tian Tian intrusion detection and management system (IDS), Venus Eye threat intelligence, the Flow Eye security domain flow monitoring system, the Tian Xun intranet security risk management and auditing system, and the Tai He information security operations center system (SOC) for higher-dimensional collaborative protection.

The Tianqing Hanma T series next-generation firewall system also has a software-defined wide-area network (SD-WAN) function: an SD-WAN solution with real-time dynamic path selection, WAN optimization, dynamic VPN tunneling, data compression, and end-to-end QoS. It meets the demand for multi-path, flexible and low-cost WAN connectivity, realizes fast and secure access for branch offices and mobile users, and can provide the reliability and high efficiency required by the business.

Multiplane System Architecture

The Qisda T series firewall separates control and service in its software architecture and is divided into two parts, the Control Plane (CP) and the Data Plane (DP), according to the type of service. The CP mainly handles management services such as authentication, configuration, routing, logging, and high availability, and provides management interfaces such as WebUI, command line, cloud management platform, and SDN APIs. The DP handles network layer and application layer parsing, and enforcement of the various firewall policies. Each CP or DP is bound to a logical processor to avoid negative impact on performance due to system scheduling.

Qisda adopts an original dual-plane dynamic traffic diversion architecture to distribute traffic. When a data packet arrives at the Qixing T-Series firewall, it is first preliminarily categorized by the intelligent splitter. The intelligent splitter decides which processing core the packet should be delivered to, based on the currently enabled upper layer functions and the network and application layer information of the packet. The intelligent splitter ensures that the packet can complete all the required processing on a single processing core (for some special cases, the system still provides inter-core message interoperability), avoiding the high overhead of accessing memory across nodes, and is a key technology for ensuring the concurrent performance of multiple cores.

Integrated Message Processing Engine

Qisda uses an integrated message processing engine to complete the unified parsing of messages. The engine first analyzes the user-configured functions and decides what to analyze, then processes all the contents that need to be parsed from layer 2 to layer 7 in a single pass and sends the results to the policy control module. The policy control module matches the user-configured policies against the parsing results for subsequent processing of the message.

The all-in-one message processing engine, together with the intelligent splitter, completes all the work of message reception, message parsing, policy control and message sending within the processing of a single processing core. Parsing once and processing uniformly avoids duplicated work and message copying between multiple modules and processes. In the unified processing of policies, a higher level of abstraction can be built on user policies, application policies, security policies, etc., to formulate advanced policies based on basic policies.

ClearHumas T-Series firewalls have the industry's most powerful security controls.

Qisda T series firewall adopts the design of separating control and service in software architecture, which is divided into two parts according to the type of service, namely, Control Plane (CP) and Data Plane (DP). The DP handles network layer, application layer analysis and firewall policy enforcement. Each CP or DP is bound to a logical processor to avoid negative impact on performance due to system scheduling.

Seven-tuple access control:

Access permission control parameterized by source address, destination address, source port (source security domain), destination port (destination security domain), service type, APP type, and user;

Seven-tuple session control:

Session permission control parameterized by source address, destination address, source port (source security domain), service type, APP type, and user: total new connection rate/total connections, new connection rate per source IP/total connections per source IP, new connection rate per destination IP/total connections per destination IP;

Application behavior control:

Goes deep into the detail parameters of APPs and various network protocols to achieve fine-grained network behavior management and logging;

Flow Control:

Nested traffic and QoS control with multi-layer pipes parameterized by source address, destination address, service type, APP type and user.
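The seven-tuple session control described above, sketched as an added example; it is not the product's implementation. The field key names, first-match policy selection, the one-second sliding window and the verdict strings are assumptions of this sketch, and only the per-source-IP limits are shown.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class SessionPolicy:
    src_net: str
    dst_net: str
    # Optional exact-match fields: src_zone, service, app, user (key names are this sketch's).
    match: dict = field(default_factory=dict)
    max_new_per_sec_per_src: int = 100   # new connection rate per source IP
    max_total_per_src: int = 1000        # total connections per source IP

    def matches(self, s):
        # An IPv4 address is never "in" an IPv6 network (and vice versa), so dual-stack input is safe.
        src, dst = ipaddress.ip_address(s["src"]), ipaddress.ip_address(s["dst"])
        if src not in ipaddress.ip_network(self.src_net) or dst not in ipaddress.ip_network(self.dst_net):
            return False
        return all(s.get(k) == v for k, v in self.match.items())

class SessionLimiter:
    def __init__(self, policies):
        self.policies = policies
        self.active = defaultdict(int)     # source IP -> currently open sessions
        self.recent = defaultdict(deque)   # source IP -> session start times in the last second

    def admit(self, s, now):
        policy = next((p for p in self.policies if p.matches(s)), None)  # first match wins
        if policy is None:
            return "no-policy"
        window = self.recent[s["src"]]
        while window and now - window[0] >= 1.0:   # slide the one-second window
            window.popleft()
        if len(window) >= policy.max_new_per_sec_per_src:
            return "deny-rate"
        if self.active[s["src"]] >= policy.max_total_per_src:
            return "deny-total"
        window.append(now)
        self.active[s["src"]] += 1
        return "allow"

    def close(self, s):
        self.active[s["src"]] = max(0, self.active[s["src"]] - 1)

def demo():
    # Constructed sample: one policy (2 new sessions/s, 3 open sessions), one client, times in seconds.
    lim = SessionLimiter([SessionPolicy("10.0.0.0/8", "0.0.0.0/0", {"service": "https"}, 2, 3)])
    s = {"src": "10.1.1.1", "dst": "203.0.113.5", "src_zone": "trust", "service": "https", "user": "alice"}
    return [lim.admit(s, t) for t in (0.0, 0.1, 0.2, 1.2, 2.5)]
```

The third session is refused by the rate limit and the fifth by the total-connections cap, which shows why the two counters are tracked separately.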

Based on this multi-dimensional control, it provides strong security control capability for users, effectively improving the overall security protection level and guaranteeing the stable and reliable operation of core business.

At the same time, Tianqing Hanma T series of next-generation firewalls support deployment in all kinds of network environments, thus realizing the effective landing of the core value of firewalls in the new generation of business environments.

Intrusion Prevention and Virus Filtering

Supports leading intrusion prevention technology and virus filtering. The products use a variety of patented and innovative technologies to provide customers with intrusion prevention and anti-virus performance for up to hundreds of gigabytes of traffic.

The ultra-high performance is due to the use of tagged fusion integrated matching technology, which is structured to maximize the fusion of modules where redundant functions exist, thus avoiding repetitive data reduction and analysis processes.

Application Behavior Control

Intelligent application identification uses technologies based on Deep Packet Inspection (DPI), Deep Flow Inspection (DFI) and Network Behavior Analysis (NBA) to achieve accurate identification of mainstream applications.

Application control provides leading application behavior control functions based on intelligent application recognition, which can achieve fine control based on the depth of information and content of the application.

Advanced Persistent Threat (APT) Protection

Supports linkage with the Qixing TianTep Advanced Persistent Threat Detection and Management System (APT).

APT adopts sandbox detection technology, which has precise detection effect on unknown Trojans, viruses and malicious codes, realizing effective protection against unknown threats, advanced persistent threats and 0DAY attacks.

Threat Intelligence Cloud Dynamic Protection

Supports linkage with the Qixing VenusEYE Threat Intelligence Cloud to provide dynamic security protection functions based on real-time updated threat intelligence.

Full support for security in IPv6 environments

Comprehensively supports IPv6/IPv4 dual-stack environments working at the same time, and all security protection functions (intrusion prevention, anti-virus, application control, QoS flow control, APT protection, threat intelligence protection, etc.) are supported in the dual-stack environment.

Virtualized Firewalls

Supports underlying hardware virtualization based on Hypervisor technology. Each virtual firewall runs in complete isolation without influencing the others; the software version of each virtual firewall can be upgraded and restarted independently, and HA deployment between virtual firewalls can be realized.

Each virtual firewall provides complete security features, including firewall, intrusion prevention, antivirus, application behavior management, flow control, VPN, and IPv4/IPv6 dual stack.

Cloud Firewall

Provides rich software-defined interfaces, can interact with cloud management platforms through vCenter-PlugIn or LBaaS-Driver and FWaaS-Driver, can be adapted to VMware, KVM and other environments, and supports deployment on a variety of cloud platforms. It provides high-performance, highly reliable, flexible and elastic layer 4 to layer 7 security protection for north-south and east-west traffic.

Vcloud Cloud Log

Provides cloud storage and analysis services for firewall logs. Firewall, NAT, system and security logs can be reported to the cloud with one click, with support for WeChat alarm push, WeChat report push, and log query at any time and place.

Software Defined Wide Area Network SDWAN

Integrated software-defined wide area network (SDWAN) technology enables reliable assurance of critical services, service acceleration, application traffic management, service-integrated security, and simplified network management.

Domestic exclusive SDWAN+NGFW integrated convergence solution for vertical intranet of government departments such as headquarter/provincial/prefecture/county and township, and internal production environment of large enterprises.

SDWAN features include:

Multi-link load/automatic route selection based on link quality/multi-link replication for critical services/data compression/TCP bilateral acceleration, etc. Common service acceleration 2x-20x.

Dedicated network users:

Dramatically improve the experience of services such as video conferencing, enhance business reliability, complete security features

Internet group network users:

Dramatic savings compared with dedicated lines / VPN encryption / complete security features