MATRIX UAB - PHION network management and security products, VPN, firewalls

PHION network management products - fully managed, fast, secure, traffic intelligence architecture

Enterprise firewalls - comparison by features
phion Information Technologies - Company Summary

Matrix UAB has became an authorized products dealer of PHION and has direct support for projects, and tehnical info from Phion central office. Thanks to Peter Perdich, CEE from Phion AG, we can provide to Lithuanian clients Phion products, and detailed information about these excellent products and technical support. Lithuania and Austria has many things in common, so we believe we can cooperate in very effective way. After reading this material, we hope your understand, why Phion is better than main competitor Juniper NetScreen products for enterprise users, for ISP and other clients, withbuilt in its fully managed, fast, secure, traffic intelligence architecture. PHION now is one of the leading enterprise firewalls/vpn worldwide, and leader in Europe German speaking coutries.

About phion AG, plc

Founded in 2000
HQ in Innsbruck
Regional offices in Vienna, Munich, Düsseldorf, Zurich, Milan, London, and Venlo
Since July, 4th 2007 plc at Vienna Stock Exchange (mid market)
Numerous international customers
from the Fortune 500
public and health sectors
financial services (up to 85% of Austrian and Swiss banks)
Leading enterprise security from the heart of Europe:
Gartner: Magic Quadrant for Enterprise Network Firewalls, 2H07, Sep 2007
Burton Group: Enterprise Firewalls and Perimeter Architecture, 3 Nov 2005

Secure communication over IP-networks has become a decisive success factor for every enterprise worldwide
Intelligent IT-security technologies protect communication infrastructure against attacks and environmental threats
Proven IT-security technology shields and accelerates web applications and ensures PCI-DSS compliance
This is the world of phion: Our products make communication secure, available and cost-effective
phion is a leading European vendor of IT-security and connectivity solutions for enterprise customers

As you can see from this picture,
Niche players are SonicWALL, Watchguard, NETASO, Stonesoft, and Phion is fastly moving from niche player to leaders position. Visioneers: Astaro just remains visioneer.
Challenegers are Cisco, Secure Computing. Current leaders are Juniper wetworks, Checkpoint, Fortinet, but they move to other postitions, only Phion generating niche features into leadership features in this enterprise networks firewalls market segment.
Leaders: Juniper networks is stable, Checkpoint is declining, Fortinet is moving towards challengers, PHION is moving to leaders.

Phion is positioned in Gartner’s „Magic Quadrant“ for Enterprise Network Firewalls for the second year in a row

Picture: phion develops and delivers software
and appliances protecting
communication in IP based networks

- providing network/content/endpoint and web application security
- enhancing availability, performance, and compliance with regulatories
- optimizing operational costs

COMMON CRITERIA
EAL4+ CERTIFIED

phion‘s products

Main phion product groups are:
- Airlock
- Web Application Firewall
- PCI-DSS
- Multi-Level Filtering
- Access Control Identity Mgt Single Sign On
- ICAP Content, Filtering
- Monitoring & Reporting

Some Phion references in bigger projects:

EADS (HQ, IST, LFK, Defence Sys) Aerospace and Defense RAS, VPN-Site-2-Site, Firewalls
RHI Market leader refractory materials 100 VPN/FW Gateways
Konica Minolta Europe VPN/FW Gateways
Schenker Germany Logistics and Transportation 200 VPN/Firewall Gateways
German Postbank Branch office security 2500 VPN/FW Gateways

PHION Communication protection architecture
What is an enterprise‘s need?

Regulatory compliance: Auditability for all product functions, Security policy enforcement and reporting
Reduced operational expenses: Enterprise customer and/or MSSP
Improved productivity : Downtime reduction, stable networks, Reliable network performance, wherever, whatever happens
Better protection: Reduced complexity, improved interoperability, Multilayered defense structures, Endpoint security and network access control, Web access management & email security

Communication protection - unique feature of Phion products

UTM only protects against hacker-attacks, viruses, worms, spyware, trojans, spam … disgruntled employees.
Communication Protection : also protects against human error, line outages due to , construction work, provider failure , natural disasters.

The perception of security is changing
The monkey business. There is a widening gap in the perception of what is important and relevant between IT management (CIO) and IT professionals?
Ongoing commoditisation. Certain aspects of the security industry like firewalling have been neatly commoditised. Their effectiveness may be taken for granted. Would you ever ask whether your car actually comes with mounted tyres when you order it?
The insurance calamity. Investment into security is perceived important but not sexy much like an insurance policy. Insurance policies do not improve the core business.

Falling from grace
The security hype is no longer network centric
Firewall is becoming an increasingly unspecific general purpose notion for a whole of range of technical equipment placed in the network communication path
Everything is a firewall thus everyone has a firewall
Understanding firewalling as a core technology that per se is getting increasingly commoditised
BUT, firewall technology is a key building block of any modern communication equipment
AND, firewalls have massively replaced routers in branch offices and many intranets. The firewall will be the intelligent successor to the router.
Traditional network security is still important but the relevant differentiator is now integrated network optimisation capabilities and application control

Reconciling different views: Operations vs Management

The BOB (branch office box) convergence continues
Client in remote branch office, Policy/remediation server replica

Server in HQ
Approaches to network security, by year chronology:
2000: VPN with Provider
2002: Multiple Providers
2003: Loadsharing
2006: UMTS / HSDPA
2007: WAN Optimization, MPLS + VPN
2008: NAC Integration
2008: Internet break out
Always: Scalability and Cost

Security investment can improve core business

Comprehensive effective protection

phion netfence at a glance
phion netfence is one of the leading enterprise firewalls worldwide
First firewall/VPN solution with Traffic Intelligence
First UTM converged firewall/VPN solution aiming to deliver a Branch Office Box - BOB
First enterprise firewall to include 3G uplink support
Comprehensive security and content gateway portfolio
Mail, Web, FTP, SSH, DNS, …
Own VPN Client and Managed Personal Firewall Solution
Own NAC framework – netfence entegra
Equipped with the most scalable and powerful management architecture

Airlock by phion at a glance

URL Encryption	Smart Form Protection
Effective against Forceful Browsing URLs and parameters 100% protected Hides technology and topology Works dynamically, no specific configuration necessary	Cryptographic protection of HTML forms Only allowed input is accepted Automatic protection of hidden and selection fields

Positive Security Model: Web application dynamically defines valid requests and data

netfence VPN World
It is real working configuration map, links shown between branches:

Secure Connectivity- Manageability

Picture: WAN connection management via drag-and-drop

Traffic intelligence - 5 nines SAP availability
Simultaneous use of multiple physical transport paths
Transports are highly customisable (Encap[TCP, UDP, ESP], IPs, Ciphers, Hashes, Compression, etc.)
Firewall is the traffic manager selecting the appropriate transport path
Availability and posture of each transport is monitored

Realtime Management and Reporting- Quick fault diagnosis and resolution

A single dashboard
Hard facts with two mouse clicks
Getting realtime info quickly and unambigously
Historical data any time preprocessed and in human readable format

Compliance and Recovery - Revision Control System
Each node is versioned individually
Each configuration entry is tracked separately
Each configuration node can be individually set back to a previous version.
Every config session can be tracked individually
Audit trail can be streamed

Phion gives you answers WHAT? WHEN? WHO? WHEREFROM? is happening in your network.
Let’s have a look at this session. New FW PASS Rule from 10.0.0.0 to 0.0.0.0 Port 80, Same available for EVERY feature node without exception.

phion M appliances

(picture: Phion MR appliance)

(picture: Phion M1 appliance)

(picture: Phion M3 appliance)

(picture: Phion M5 appliance)

Streamlined appliance offerings

Description/model	phion M	netfence gateway
Target market	Midmarket, UTM product	Enterprise product
Max. FW Performance, now or in future	around max. 1 Gbps	>> 1 Gbps
Max VPN Performance, now or in future.	around max. 500 Mbps	> 1 Gbps
Geographic location	Mostly local (no SDR)	Appliances dispersed throughout the world, SDR
Central management	Available, 25 devices max	Yes
License handling	Node-locked and device based	User based floating licensing via MC, site-license model for content add-ons
Service Offerings	NBD Change 1-5 years	NBD Change 1-5 years, SP Plus
HW Roadmap	Robo appliance to max. one dual core processor and 4 GB RAM	10 Gbps NICs, full range from edge appliance to two quad core processors and HW Accelerator cards. >>4 GB Ram

Airlock WAF

Picture: Limited overview without Airlock
Awareness of Risks, Vulnerabilities and Attacks may be present
Fragmented, isolated measures result in huge operational costs and less security
Only reactive instead of proactive action possible

Picture: Comprehensive view & control with Airlock

Access control & single sign-on
3 Users
3 Roles
6 Applications
Authorization matrix is part of
Airlock config

Description/User role	Customer	Sales	Admin
CRM		yes
DMS		yes
Customer Portal	yes
eShop	yes
Terminal Server			yes
SSH			yes

High Security System Architecture

Phion roadmap essentials table

Q3-08	4.0.[4], phion M VMWare support VPN World entegra 64 bit
Q4-08	4.2 Crypto performance SSL-VPN entegra 2.0 MC FW Log Viewer SDR included (plan)
Q1-09	Reporter 2.0 Warm backup More reports Performance; Application Delivery Controller Web Appl. FW Reverse proxy Appl. acceleration Load balancing
Q2+Q3-09	5.0 phionOS Update SMP Support Linux kernel 2.6 RAM > 4GByte IPv6 WiFi

Access Control (Where to go in year 2008)

entegra, today

entegra is an identity and health state based network access control framework for Windows clients that is fully interoperable with phion netfence firewalls.
Quarantine enforcement within the collision domain relies on a local endpoint agent and firewall. Network access to other network segments can be controlled by a netfence gateway firewall.
Guest networking via friend-foe detection in the DHCP request.
entegra is by intention not an outright endpoint security product. It is a flexible network access control solution.
entegra enforces security policies, policy compliance monitoring and network access rights

NAC usage today

Two of the most-common reasons for malware infection are clients lacking current signature files and unmanaged clients joining the network.
NAC enables an organization to build policies that govern network access. To achieve the maximum benefits of NAC, it must also be able to detect and quarantine infected endpoints, even if it is an unmanaged client, such as a network guest .
In addition entegra‘s management capabilities facilitate centralised compliance monitoring .

entegra, the second stage
- Windows Vista 64-bit support, 4.0.[4]
- Support for 802.1x switch port security, 4.2

802.1x supplicant fully integrated into client
phion-entegra-monitor-v4.02.jpg

Secure Web Access

Web access management (WAM)

Ruggero Contu, Gartner Market Trends: Security Software, EMEA, 2007-2012, 9 May 2008:
„By 2009, most WAM systems will incorporate identity federation and security token service capabilities, integration with network access control systems, and better application integration technologies in an attempt to become the central authentication and authorization infrastructure for the enterprise.“

SSL VPN portal

Picture: policy compliance checks

SSL VPN portal

Simple SSL based complement to existing client based VPN solution - allows VPN access from kiosks and mobile/foreign devices
Fully integrated into phion VPN AND clientless entegra NAC
Utilises regular VPN pool licenses – no extra cost
Requires NO administrative rights
Relies on Java applets – no need for active X
RDP, File Browsing, OWA, VNC, SSH, Telnet, Generic Port Forwarding
IExplorer and Firefox supported
Cleanup of cookies and temporary data

The secure web gateway

Gartner, Peter Firstbrook, Magic Quadrant for Secure Web Gateway, 2007, 4 June 2007
„A Secure Web gateway (see "Introducing the Secure Web Gateway") is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. To achieve this goal, SWGs must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype. “

Still only few companies scan for malware on their HTTP proxies

The phion proxy revisited

Common SWG features:
HTTP proxying
User authentication
URL filtering
AV protection
P2P/Skype filtering
based on technology by global P2P test winner (28 products)
Recognition efficiency up to 97%
Reporting and Accounting

Advanced SWG features:
HTTPS inspection
RSS/XML/webservices inspection

netfence virtualisation (Where to go in 2008)
phion entered vmware partnership
netfence within vmware has been used for functional testing, trainings for a number of years
phion is commited to fully support vmware on ESX server starting with 4.0.[4]
vmware is a separate „hardware platform“
netfence software appliance becomes virtual appliance
Expected usage: Testing, Management Centers

myphion on vmware

If you have big project, want free of charge consulting on your network infrastructure, or are interested in Phion products, or to have more details concerning technical parameters and scalability please see the website or ask sales@matrix.lt .