|About|News|Products|Prices|Solutions|Support|Registration|Services|Jobs|Contacts|Home| bar-upper

PHION network management products - fully managed, fast, secure, traffic intelligence architecture  flag-ltu.gif


Enterprise firewalls - comparison by features
phion Information Technologies - Company Summary 

Matrix UAB has became an authorized products dealer of PHION and has direct support for projects, and tehnical info from Phion central office.  Thanks to Peter Perdich, CEE from Phion AG, we can provide to Lithuanian clients Phion products, and detailed information about these excellent products and technical support.  Lithuania and Austria has many things in common, so we believe we can cooperate in very effective way.  After reading this material, we hope your understand, why Phion is better than main competitor Juniper NetScreen products for enterprise users, for ISP and other clients, withbuilt in its fully managed, fast, secure, traffic intelligence architecture.  PHION now is one of the leading enterprise firewalls/vpn worldwide, and leader in Europe German speaking coutries. 

About phion AG, plc  phion-central-headquarters.jpg
Founded in 2000
HQ in Innsbruck 
Regional offices in Vienna, Munich, Düsseldorf, Zurich, Milan, London, and Venlo
Since July, 4th 2007 plc at  Vienna Stock Exchange (mid market)
Numerous international customers
from the Fortune 500
public and health sectors
financial services (up to 85% of Austrian and Swiss banks)
Leading enterprise security from the heart of Europe:
Gartner: Magic Quadrant for Enterprise Network Firewalls, 2H07, Sep 2007
Burton Group: Enterprise Firewalls and Perimeter Architecture, 3 Nov 2005

Secure communication over IP-networks has become a decisive success factor for every enterprise worldwide    
Intelligent IT-security technologies protect communication infrastructure against attacks and environmental threats
Proven IT-security technology shields and accelerates web applications and ensures PCI-DSS compliance
This is the world of phion: Our products make communication secure, available and cost-effective 
phion is a leading European vendor of IT-security and connectivity solutions for enterprise customers

phion-position-compared-to-competitors.jpgAs you can see from this picture,
Niche players are SonicWALL, Watchguard, NETASO, Stonesoft, and Phion is fastly moving from niche player to leaders position. Visioneers: Astaro just remains visioneer.
Challenegers are Cisco, Secure Computing. Current leaders are Juniper wetworks, Checkpoint, Fortinet, but they move to other postitions, only Phion generating niche features into leadership features in this enterprise networks firewalls market segment.
Leaders: Juniper networks is stable, Checkpoint is declining, Fortinet is moving towards challengers, PHION is moving to leaders.

Phion is positioned in Gartner’s „Magic Quadrant“ for Enterprise Network Firewalls for the second year in a row

phion-perimeter-security-round-table.jpg Picture: phion develops and delivers software
and appliances protecting
communication in IP based networks

- providing network/content/endpoint and web application security
- enhancing availability, performance,     and compliance with regulatories
- optimizing operational costs




phion‘s products

Main phion product groups are:
- Airlock
- Web Application Firewall
- Multi-Level Filtering
- Access Control Identity Mgt Single Sign On
- ICAP Content, Filtering
- Monitoring &  Reporting

Some Phion references in bigger projects:
EADS (HQ, IST, LFK, Defence Sys)
Aerospace and Defense
RAS, VPN-Site-2-Site, Firewalls
Market leader refractory materials
100 VPN/FW Gateways
Konica Minolta Europe
VPN/FW Gateways
Schenker Germany
Logistics and Transportation
200 VPN/Firewall Gateways
German Postbank
Branch office security
2500 VPN/FW Gateways

PHION Communication protection  architecture
What is an enterprise‘s need?

Regulatory compliance: Auditability for all product functions, Security policy enforcement and reporting
Reduced operational expenses: Enterprise customer and/or MSSP
Improved productivity :  Downtime reduction, stable networks, Reliable network performance, wherever, whatever happens
Better protection: Reduced complexity, improved interoperability, Multilayered defense structures, Endpoint security and network access control, Web access management & email security

Communication protection - unique feature of Phion products

UTM only protects against hacker-attacks, viruses, worms, spyware, trojans, spam … disgruntled employees.  
Communication Protection : also protects against human error, line outages due to ,  construction work, provider failure , natural disasters.


The perception of security is changing
The  monkey business. There is a widening gap in the perception of what is important and relevant between IT management (CIO) and IT professionals?
Ongoing commoditisation. Certain aspects of the security industry like firewalling have been neatly commoditised. Their effectiveness may be taken for granted. Would you ever ask whether your car actually comes with mounted tyres when you order it?  
The insurance calamity. Investment into security is perceived important but not sexy much like an insurance policy. Insurance policies do not improve the core business.

Falling from grace
The security hype is no longer network centric
Firewall is becoming an increasingly unspecific general purpose notion for a whole of range of technical equipment placed in the network communication path
Everything is a firewall thus everyone has a firewall
Understanding firewalling as a core technology that per se is getting increasingly commoditised
BUT, firewall technology is a key building block of any modern communication equipment
AND, firewalls have massively replaced routers in branch offices and many intranets. The firewall will be the intelligent successor to the router.
Traditional network security is still important but the relevant differentiator is now integrated network optimisation capabilities and application control

Reconciling different views:  Operations vs Management


The BOB (branch office box) convergence continues
Client in remote branch office, Policy/remediation server replica
phion-clients-in-remote-office.png Server in HQ
Approaches to network security, by year chronology:
2000: VPN  with Provider
2002: Multiple Providers
2003: Loadsharing
2006: UMTS / HSDPA
2007: WAN Optimization, MPLS + VPN
2008: NAC Integration
2008: Internet break out
Always: Scalability and Cost

Security investment can improve core business

Comprehensive effective protection

phion netfence at a glance
phion netfence is one of the leading enterprise firewalls worldwide
First firewall/VPN solution with Traffic Intelligence
First UTM converged firewall/VPN solution aiming to deliver a Branch Office Box - BOB
First enterprise firewall to include 3G uplink support
Comprehensive security and content gateway portfolio
Mail, Web, FTP, SSH, DNS, …
Own VPN Client and Managed Personal Firewall Solution
Own NAC framework – netfence entegra
Equipped with the most scalable and powerful management architecture

Airlock by phion at a glance
URL Encryption  Smart Form Protection
Effective against Forceful Browsing
URLs and parameters 100% protected
Hides technology and topology
Works dynamically, no specific configuration necessary
Cryptographic protection of HTML forms
Only allowed input is accepted
Automatic protection of hidden and selection fields

Positive Security Model: Web application dynamically defines valid requests and data

netfence VPN World
It is real working configuration map, links shown between branches:

Secure Connectivity-  Manageability
phion-secure-connectivity.jpg phion-wan-connection-management.jpg
Picture: WAN connection management via drag-and-drop

Traffic intelligence -  5 nines SAP availability
Simultaneous use of multiple physical transport paths
Transports are highly customisable (Encap[TCP, UDP, ESP], IPs, Ciphers, Hashes, Compression, etc.)
Firewall is the traffic manager selecting the appropriate transport path
Availability and posture of each transport is monitored  

Realtime Management and Reporting- Quick fault diagnosis and resolution

A single dashboard
Hard facts with two mouse clicks
Getting realtime info quickly and unambigously
Historical data any time preprocessed and in human readable format

Compliance and Recovery - Revision Control System
Each node is versioned individually
Each configuration entry is tracked separately
Each configuration node can be individually set back to a previous version.
Every config session can be tracked individually
Audit trail can be streamed


Phion gives you answers WHAT? WHEN? WHO? WHEREFROM? is happening in your network.
Let’s have a look at this session. New FW PASS Rule from to Port 80,  Same available for EVERY feature node without exception.


phion M appliances

phion-appliance-mr.jpg (picture: Phion MR appliance)

(picture: Phion M1 appliance)

(picture: Phion M3 appliance)

(picture: Phion M5 appliance)

Streamlined appliance offerings


phion M
netfence gateway
Target market
Midmarket, UTM product
Enterprise product
Max. FW Performance, now or in future
around max. 1 Gbps
>> 1 Gbps
Max VPN Performance, now or in future.
around max. 500 Mbps
 > 1 Gbps
Geographic location
Mostly local (no SDR)
Appliances dispersed throughout the world, SDR
Central management
Available, 25 devices max
License handling
Node-locked and device based
User based floating licensing via MC,
site-license model for content add-ons
Service Offerings
NBD Change 1-5 years
NBD Change 1-5 years,
SP Plus
HW Roadmap
Robo appliance to max. one dual core processor and 4 GB RAM
10 Gbps NICs, full range from edge appliance to two quad core processors and HW Accelerator cards. >>4 GB Ram

Airlock WAF
phion-airlock-risks-building.jpg Picture:  Limited overview without Airlock 
Awareness of Risks, Vulnerabilities and Attacks may be present
 Fragmented, isolated measures result in huge operational costs and less security
 Only reactive instead of proactive action possible

 phion-airlock-risks-building-solved.jpg Picture: Comprehensive view & control with Airlock

Access control & single sign-on
3 Users
 3 Roles
 6 Applications
 Authorization matrix is part of
     Airlock config

Description/User role







Customer Portal




Terminal Server



High Security System Architecture


Phion roadmap essentials table  

Q3-08 4.0.[4], phion M
 VMWare support
 VPN World
 entegra 64 bit
Q4-08 4.2
 Crypto performance
 entegra 2.0
 MC FW Log Viewer
 SDR included (plan)
Q1-09 Reporter 2.0
 Warm backup
 More reports
Application Delivery Controller
Web Appl. FW
 Reverse proxy
 Appl. acceleration
 Load balancing
Q2+Q3-09 5.0
 phionOS Update
 SMP Support
 Linux kernel 2.6
 RAM > 4GByte

Access Control (Where to go in year 2008)

entegra, today

entegra is an identity and health state based network access control framework for Windows clients that is fully interoperable with phion netfence firewalls.
Quarantine enforcement within the collision domain relies on a local endpoint agent and firewall. Network access to other network segments can be controlled by a netfence gateway firewall.
Guest networking via friend-foe detection in the DHCP request.
entegra is by intention not an outright endpoint security product. It is a flexible network access control solution.
entegra enforces security policies, policy compliance monitoring and network access rights

NAC usage today

Two of the most-common reasons for malware infection are clients lacking current signature files and unmanaged clients joining the network.  
NAC enables an organization to build policies that govern network access. To achieve the maximum benefits of NAC, it must also be able to detect and quarantine infected endpoints, even if it is an unmanaged client, such as a network guest  .
In addition entegra‘s management capabilities facilitate centralised compliance monitoring . 

entegra, the second stage
- Windows Vista 64-bit support, 4.0.[4]
- Support for 802.1x switch port security, 4.2

802.1x supplicant fully integrated into client

Secure Web Access

Web access management (WAM)

Ruggero Contu, Gartner Market Trends: Security Software, EMEA, 2007-2012, 9 May 2008:  
    „By 2009, most WAM systems will incorporate identity federation and security token service capabilities, integration with network access control systems, and better application integration technologies in an attempt to become the central authentication and authorization infrastructure for the enterprise.“

SSL VPN portal

Picture: policy compliance checks

SSL VPN portal

Simple SSL based complement to existing client based VPN solution - allows VPN access from kiosks and mobile/foreign devices
Fully integrated into phion VPN AND clientless entegra NAC
Utilises regular VPN pool licenses – no extra cost
Requires NO administrative rights
Relies on Java applets – no need for active X
RDP, File Browsing, OWA, VNC, SSH, Telnet, Generic Port Forwarding
IExplorer and Firefox supported
Cleanup of cookies and temporary data

The secure web gateway

Gartner, Peter Firstbrook, Magic Quadrant for Secure Web Gateway, 2007, 4 June 2007
    „A Secure Web gateway (see "Introducing the Secure Web Gateway") is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. To achieve this goal, SWGs must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype. “

Still only few companies scan for malware on their HTTP proxies

The phion proxy revisited

Common SWG features:
HTTP proxying   
User authentication
URL filtering
AV protection
P2P/Skype filtering
based on technology by global P2P test winner (28 products)
Recognition efficiency up to 97%
Reporting and Accounting

Advanced SWG features:
HTTPS inspection
RSS/XML/webservices inspection

netfence virtualisation (Where to go in 2008)
phion entered vmware partnership
netfence within vmware has been used for functional testing, trainings  for a number of years
phion is commited to fully support vmware on ESX server starting with 4.0.[4]
vmware is a separate „hardware platform“
netfence software appliance becomes virtual appliance
Expected usage: Testing, Management Centers

myphion on vmware 

If you have big project, want free of charge consulting on your network infrastructure, or are interested in Phion products, or to have more details concerning technical parameters and scalability please see the website or ask sales@matrix.lt .

Revised: September 13, 2008, Copyright 2008-2015  MATRIX, UAB