SecSSL 3600 gateway is a new-generation product for the core network applications of enterprise and telecom users. Based on nearly ten years of research and in-depth study of SSL VPN, it was developed through almost two years of closed testing and effectively meets users' secure access requirements. The product adopts All-in-One VPN technology, which realizes secure access for a variety of terminals, integrates SSL VPN and IPsec VPN, and supports full-network access from Windows, Linux, MAC, iOS and Android. Its technical features include remote wake-up of the user's desktop, multi-link intelligent routing, virtual secure desktop technology and dynamic SMS authorization. Using secure and reliable encryption algorithms and protocols, the product connects mobile computing terminals to the internal networks of enterprises and government agencies, which not only enables mobile office work but also effectively protects those internal networks.
Product overview
SecSSL 3600 is a multifunctional VPN gateway that provides a two-in-one VPN service based on the SSL and IPsec protocols together with a network firewall service, realizing both data transmission and data protection. It adopts mature VPN technology to interconnect user application clients and application services across regions and networks; adopts a variety of authentication protocols to comprehensively authenticate user identity; and provides comprehensive, informative audit services through detailed log information.
SecSSL 3600 uses the SSL protocol to establish a VPN connection between remote users and the gateway, ensuring that data cannot be eavesdropped on, replayed or tampered with in transit. Each user's access is authenticated to ensure that the user's identity is trustworthy. The gateway can interact with LDAP/AD/RADIUS/certificate authentication servers to provide flexible and diverse authentication solutions.
NetGod SecSSL 3600 allows home office users, mobile office users and partners to access the intranet easily and securely without pre-installing client software. The product not only protects Web applications but also supports a variety of TCP/UDP-based applications. To broaden the scope of remote access, a network connection mode is also provided, which allows remote access clients to reach any IP resource on the enterprise internal network and can also interconnect two local area networks.
SecSSL 3600 has built-in IPsec protocol, network firewall and network intrusion detection function modules. On top of the SSL VPN service, it can provide users with a comprehensive network security protection solution.
SecSSL 3600 provides comprehensive logging, auditing and monitoring functions. Administrators can view the history of users using the system, the current running status of the system and the real-time information of current online users.
Product highlights
All-in-One VPN technology realizes secure access for a variety of terminals, integrates SSL VPN and IPsec VPN, and supports full-network access from Windows, Linux, MAC, iOS and Android, making it more flexible to use and more comprehensive in business support.
The remote wake-up function for the user's desktop strikes the best balance between working anytime, anywhere and saving energy and reducing emissions. The administrator can register the user's desktop computer for the user; the user then logs in to the system and starts the office desktop through remote wake-up, gaining remote access to their own office host.
Multi-link intelligent routing technology responds rapidly to remote user access and supports multi-link access, which not only accommodates the bandwidth differences between operators but also provides redundant backup;
The leading virtual secure desktop technology ensures that business data is never written to the remote endpoint. The virtual secure desktop keeps the user's desktop data inside the virtual secure desktop so that business data is not leaked, meeting customers' current data leakage prevention requirements.
The flexible combined authentication mode ensures the security of user identity and supports combining multiple authentication methods; user terminal binding is supported to ensure that user identity is secure and cannot be forged;
Dynamic SMS authorization is supported to ensure that access to key services is controllable and meets audit requirements. Users can be required to obtain temporary authorization by SMS when accessing key services. This function meets the high security demands of enterprise IT systems for outsourced business personnel accessing enterprise business data.
Application auditing lets you audit application business operations. For remote access users' applications, user operations can be recorded and log reports displayed, so that the remote access part meets the security audit compliance requirements for outsourced access personnel.
I. Product introduction
NetGod SecIDS 3600 intrusion detection system is a network-based intrusion detection system built on NetGod's many years of research into network security and hacker techniques. The NetGod intrusion detection system adopts an advanced protocol analysis detection engine, and through an optimized mechanism it can process network data quickly and find various attacks accurately, with a high intrusion detection rate and a low false alarm rate. The product can be widely used in government, enterprises and other environments that require real-time monitoring of network behavior.
II. Product functions
Support the detection of attacks on Windows system and Linux/Unix system;
Support detection of Trojans and backdoor-type attacks;
Support the detection of TCP, UDP and IP protocols;
Support the detection of dozens of application layer protocols such as WWW, FTP, TELNET, SMTP, DNS, IMAP, POP, etc.;
Support database (MS-SQL/Oracle/MYSQL) attack detection;
Support the detection of common P2P and IM software activities;
Support the detection of user-defined network behaviors and characteristics;
Support the detection of illegal access behavior;
Support the detection of password guessing behavior;
Support worm detection;
Support the detection of CGI/PHP attacks;
Support the detection of port scanning and host scanning;
Support detection of DoS/DDoS attacks;
Support the detection of IIS and Apache attacks;
Support the detection of SIP protocol security;
Support malware and spyware detection;
Support the detection of SSL protocol attacks;
Support SSH security detection;
Support IP spoofing check;
Support detection of buffer overflow attacks;
Support the detection of wrong file types;
Support to display alarm events on the console and record them in the database;
Support sending snmp traps to SNMP servers;
Support to notify administrators by email;
Support to run user-specified programs when specific events occur;
Support sending event information in Syslog mode;
Support OPSEC protocol;
III. Working principle
To analyze and judge whether a specific behavior or event is abnormal, or is an attack that violates the security policy, an intrusion detection system goes through the following four stages:
(1) Data acquisition
A network intrusion detection system (NIDS) uses a network card in promiscuous mode to capture the data passing through the network and collect the data needed for intrusion analysis.
(2) Data filtering
The data is filtered according to predefined settings, improving the efficiency of detection and analysis.
(3) Attack detection/analysis
According to the defined security policy, all communication passing through the network is monitored and analyzed in real time, with the collected network packets as the data source for identifying attacks. Four techniques are commonly used to identify attacks: pattern, expression or byte matching; frequency or threshold crossing; event correlation; and statistical anomaly detection.
(4) Event alarm/response
Once the IDS detects an attack, its response module provides a variety of options to notify, alarm and respond to the attack, usually including notifying the administrator and recording the event in the database.
IV. Product features
1. A powerful intelligent application detection engine
NetGod SecIDS 3600 intrusion detection system adopts an intelligent application detection engine that monitors network transmission in real time. By capturing packets on the network quickly, performing in-depth protocol analysis combined with pattern matching against the signature base, and statistically analyzing behaviors and events, it can find illegal or attack behavior in time. NetGod SecIDS 3600 intrusion detection system ships with a large number of attack and application signatures that have been carefully verified and tested by the NetGod security team, and can accurately identify various attacks and application layer protocols: Trojan horses, backdoors, worms, P2P applications, IM software, online games and so on.
2. State-based protocol analysis
The protocol analysis technology of the SecIDS 3600 intrusion detection system is built on an in-depth understanding of known protocols and RFC specifications, so it can identify known attacks accurately and efficiently. At the same time, the system's protocol analysis algorithms give the sensor the ability to detect protocol anomalies and protocol misuse, which overcomes the drawback of pattern-matching IDS products that rely solely on the number of attack signatures, greatly improving detection efficiency and expanding the detection range.
3. Detailed and comprehensive customization function
The signature feature library of SecIDS 3600 intrusion detection system provides users with detailed signature parameter configuration. By setting and adjusting parameters, users can get very accurate alarm information, and at the same time, users can easily define or modify these parameters.
4. Strong management and analysis capabilities
An optimized three-tier distributed architecture with hierarchical deployment and centralized control provides graphical risk assessment, event display and asset allocation, graphical real-time monitoring of network traffic status, and rich dynamic graphical reports for users, with more than 40 analysis report templates and a wizard-style user-defined report function.
V. Product technology
Pattern matching technology assumes that every intrusion behavior and method (and its variants) can be represented as a pattern or signature, so all known intrusion methods can be found by matching. The key to pattern discovery is how to express intrusion patterns and distinguish real intrusions from normal behavior.
Anomaly detection technology assumes that any user's normal behavior follows certain rules, which can be summarized by analyzing the log information generated by that behavior; the normal behavior range is usually defined as a set of behavior parameters and their thresholds. Intrusion and abuse behavior differ significantly from normal behavior, so intrusions can be detected by checking for these differences. In this way, intrusions using unknown attack methods can be detected, and abnormal user behavior that is not an intrusion (abuse of one's own authority) can be detected as well.
Protocol analysis technology mainly targets attackers' attempts to evade IDS detection, such as by making small changes to attack packets. It takes full advantage of the highly structured nature of network protocols, combining high-speed packet capture, protocol analysis and command analysis to quickly detect the presence of an attack signature. Its defining feature is that it carries the captured packet from the network layer up to the application layer, restores the real data, and then matches the restored data against the rule base, so an attack can be identified by analyzing the packet's structured protocol content.
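As an added illustration (not code from NetGod's product) of the detection stage and the techniques described above, the following Python script runs pattern matching, threshold crossing and statistical anomaly detection over constructed packet records; the packet fields, signatures, thresholds and baseline are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample packets: (timestamp, src_ip, dst_port, payload, length).
# Made up for this example; the last line simulates a rapid port sweep.
PACKETS = [
    (1.0, "10.0.0.5", 80, b"GET /index.html HTTP/1.1", 120),
    (1.2, "10.0.0.5", 80, b"GET /cgi-bin/view.cgi?f=../../secret HTTP/1.1", 160),
    (2.0, "10.0.0.9", 22, b"SSH-2.0-OpenSSH_8.9", 90),
] + [(3.0 + i * 0.01, "10.0.0.7", 1000 + i, b"", 60) for i in range(25)]

# Technique 1: pattern/byte matching. A tiny stand-in for a signature base.
SIGNATURES = {
    "CGI path traversal": re.compile(rb"/cgi-bin/.*\.\./"),
    "SQL injection probe": re.compile(rb"(?i)union\s+select"),
}
# Constructed historical per-source byte totals used as the anomaly baseline.
BASELINE_BYTES = [260, 300, 280, 310, 250, 290]

def match_signatures(payload):
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

def detect_port_scan(packets, window=1.0, threshold=20):
    """Technique 2: threshold crossing. Flag a source that touches more than
    `threshold` distinct ports within any `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, port, _, _ in packets:
        by_src[src].append((ts, port))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) > threshold:
                alerts.append((src, len(ports)))
                break
    return alerts

def detect_volume_anomaly(packets, baseline=BASELINE_BYTES, z_limit=3.0):
    """Technique 3: statistical anomaly. Flag sources whose byte total lies
    more than `z_limit` standard deviations above the learned baseline."""
    totals = defaultdict(int)
    for _, src, _, _, length in packets:
        totals[src] += length
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    return [(src, round((t - mean) / sd, 1)) for src, t in totals.items()
            if (t - mean) / sd > z_limit]

def analyze(packets):
    """Detection stage: run all three techniques, return (technique, src, detail)."""
    alerts = [("pattern", src, n) for _, src, _, p, _ in packets for n in match_signatures(p)]
    alerts += [("threshold", src, f"{n} distinct ports in 1s") for src, n in detect_port_scan(packets)]
    alerts += [("anomaly", src, f"z-score {z}") for src, z in detect_volume_anomaly(packets)]
    return alerts
```

Each alert returned by `analyze` is what the alarm/response stage would then forward to the console, database, Syslog or SNMP trap.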
VI. Performance and reliability
Bypass deployment mode does not affect the original network structure and supports high concurrent connection;
Built-in high-performance decoding and detection engine;
Mature and stable products ensure the stable and long-term operation of the business;
Complete firmware and rule upgrade functions ensure network security over the long term;
VII. Deployment mode
Deployment in a shared network is very simple: just connect the monitoring network card to the network segment to be monitored. The network card collects all packets on the network for analysis and processing, which has the advantage of not affecting the network structure or normal communication.
The situation in a switched network is more complicated, and there are usually three ways to collect data:
The first is to connect the monitoring network card to the mirror port of the switching device, copy the packets flowing to each port to the mirror port through the switch's SPAN/Mirror function, and have the intrusion detection sensor obtain the packets from the mirror port for analysis and processing.
The second is to add a hub to the network, changing the network topology, and obtain packets through the hub (shared listening mode).
The third is for the intrusion detection sensor to obtain packets from the switched network through a TAP device and analyze and process them.
Sensors can be placed in any segment of the enterprise network that may have security risks. In these network segments, different types of sensors are deployed according to the needs of network traffic and monitoring data.
Small and medium-sized network deployment:
Distributed network deployment: