Chapter 1 System Overview

The X family firewall functionality provides service-level, stateful inspection of network traffic. It incorporates filtering functionality to protect mission-critical applications. An administrator can use firewalls and content filters to determine how the device handles traffic to and from a particular service. These filters are specified by the source, destination, and service or protocol of the traffic. The device maintains an inventory of the active hosts and services on those hosts.

IPSec VPN management provides the ability to apply all X family functionality across the enterprise, monitoring network traffic at the enterprise level and also traffic between main office and branch locations.

Bandwidth management, or policy-based traffic shaping, allows the X family device to control both inbound and outbound traffic streams, as well as traffic inside and outside IPSec VPN tunnels. Using these policies, the device allows users to prioritize real-time, business-critical applications, including video and conferencing, IP telephony, and interactive distance learning, over non-essential traffic such as peer-to-peer file sharing.

Web content filtering provides the tools to enforce network policy by prohibiting the download of non-work-related web sites and offensive or illegal web content.

The IPS functionality provides total packet inspection and intrusion prevention to detect and block malicious traffic such as worms, viruses, Trojans, phishing attempts, spyware, and VoIP threats. Using filters defined by the Digital Vaccine security team, the X family device scans traffic to recognize header or data content that signals an attack, along with the protocol, service, and the operating system or software the attack affects. Each filter includes an action set, which determines how the device responds when it detects packets that match filter parameters. In a broad sense, the device either drops matching packets or permits them. The Digital Vaccine security team continually develops new attack filters to preemptively protect against the exploitation of new and zero-day vulnerabilities. To ensure up-to-date network protection, you can configure the device to automatically check for and install DV updates.

Core Functionality

The X family device provides the following core functionality:

Stateful packet inspection firewall — flexible configuration of object-based firewall rules and unified control of multiple services, virtual servers, network address translation (NAT), and routing.

Security Zones — logically section your network for the purposes of applying firewall rules and IPS filters between internal sections of your network, between your network and the internet, and between your network and remote office locations (VPN).

Standards-based IPSec Virtual Private Networks including:

o hardware-accelerated encryption DES, 3DES, and AES encryption protocols

o feature-rich client VPN capability using PPTP or L2TP protocols

o ability to inspect and control traffic both inside and outside of all VPN tunnel types using firewalls or IPS to ensure secure VPN connectivity.

Flexible user authentication — control access to the device and the internet, authenticating via the device itself, or through an external RADIUS database.

Web filtering — URL filtering with configurable permit/block lists and regular-expression URL matching as well as a web content filtering subscription service to enforce network security and

2 X Family LSM User’s Guide V 2.5.1