NGFW Brochure 08 08


Transcript of NGFW Brochure 08 08

Page 1: NGFW Brochure 08 08

Founded in 2000, SANGFOR set a clear goal: to build high-performance, reliable and secure network devices that increase the business growth of our clients while decreasing the Total Cost of Ownership (TCO) at the same time.

For more information, please visit our official website at www.sangfor.com or contact your local SANGFOR office in Mainland China, Hong Kong, US, UK, Singapore, Indonesia, Malaysia and Thailand.

Definition of Next-Generation Firewall

Next Generation Firewall was defined by Gartner based on the requirements of customers, a deep understanding of the security industry, and a vision of security market trends.

With more than 10 years of technology innovation and the accumulated knowledge and experience of serving customers in the network security business, SANGFOR believes that an NGFW should be characterized by the following features:

Figure: the four NGFW capability areas
Application Layer High Performance: Single-pass Analysis Algorithm; Multi-core Parallel Processing; 10G throughput; Stable performance; Low latency
Defending against Application Layer Attacks: Authentication of Thousands of Applications; Enhanced Web Defense; SQL Anti-attack; IPS Based on Applications; Anti CC Attack; Malware and Trojan Filtering
Traditional Security Capability: DOS, DDOS Attack Protection; Stateful Inspection; Access Control; Integrated IPsec VPN; Router & NAT
Bidirectional Contents Inspection: Data Leak Protection; Unsafe URL Filtering; Application Info Hide; Anti Webpage Tampering

Application Layer High Performance

Unlike traditional UTM devices, whose performance degrades significantly in multi-functional mode, SANGFOR's comprehensive approach provides 10G throughput with low latency in microseconds when working in multifunctional mode.

Bidirectional Contents Inspection

Unlike traditional firewalls, which focus mainly on inbound threats, NGFW consolidates security with a bidirectional contents inspection function. Outbound dataflow returned by servers is also monitored, so potential sensitive information leaks, webpage tampering and other threats are detected and prevented.

Traditional Firewall Capability

Although application layer threats have become prevalent, traditional network layer threats should not be discounted, as they are still causing serious damage. NGFW provides traditional security functions such as stateful firewall, IPS and VPN to ensure higher ROI and lower TCO for our customers in the long term.

Defending against Application Layer Attacks

As 75% of overall attacks or threats target the application layer, a next generation firewall should offer full stack visibility, be able to identify and authenticate application layer protocols and contents, and provide an end-to-end solution to defend against network threats, especially those on the application layer. Traditional security devices are vulnerable to application layer threats because of the limitations of their network layer focus.

Copyright ©2013 SANGFOR Technologies. All Rights Reserved.

Page 2: NGFW Brochure 08 08

Product Overview

SANGFOR Next-Generation Firewall is designed with Application Control, Intrusion Prevention and Web Security in mind, providing deep and fine-grained visibility over users, applications and contents. SANGFOR NGFW ensures end-to-end security from layer 2 to layer 7 at multi-gigabit speed, inbound and outbound. This distinguishes it from traditional firewalls and makes it the ideal choice for customers in the service provider, enterprise, financial services and public sector businesses.

Today's network attacks are getting more sophisticated. Traditional firewalls are no longer effective at coping with ongoing and emerging threats.

As a platform for network security policies, SANGFOR NGFW enforces bidirectional security policy on users, applications, URLs, data payload and contents. Compared with traditional port and protocol based security policy, SANGFOR NGFW's approach allows the IT organization to better defend against increasingly sophisticated network threats and to identify and block misuse of applications precisely and effectively.

SANGFOR NGFW is designed to defend against attacks end-to-end from layer 2 to layer 7, with a focus on the application layer. The surge in application layer attacks is a growing concern, causing serious information leaks and infrastructure damage worldwide.

SANGFOR's highly scalable and extensible software and hardware architecture ensures high performance in application layer processing. Leveraging its innovative Single-pass Analysis Algorithm and Multi-core Parallel Processing technology, SANGFOR NGFW delivers 10G throughput with low latency in microseconds when working in multifunctional protection mode.

Scenarios

Internet access zone: entire security for internet access.
DMZ zone: website one-stop security protection; anti webpage tampering; sensitive business information leak protection.
Data center security zone: entire security for internet access; security reinforcement for core business systems; sensitive business information leak protection.
WAN edge security zone: WAN dataflow filtering; WAN edge security protection.

Page 3: NGFW Brochure 08 08

Integrated Layer 2 to Layer 7 Security Protection

Enhanced Web Anti-attack

By combining static validation and filtering rules with dynamic intelligence about the attack processes of hackers, SANGFOR NGFW's comprehensive approach performs excellently in defending against the top 10 mainstream security threats released by OWASP as well as other common web attacks. The web system is entirely protected against SQL injection, XSS (cross-site scripting), cross-site request forgery, malware, Trojans and other security issues.

Application Based Deep Intrusion Prevention System

Leveraging SANGFOR's unique Six-Threat-Detection-Mechanisms (signature based attack detection, special attack detection, correlation analysis, abnormal traffic detection, abnormal protocol detection, and deep content analysis), NGFW enables the IT organization to consolidate its system security and to identify attacks and high-risk security breaches such as buffer overflow attacks, vulnerability attacks, abnormal protocols, worms, Trojans, back door programs, DOS/DDOS attacks, scanning, spyware and other kinds of threats.

Comprehensive Anti-virus Detection

SANGFOR NGFW enables the IT organization to detect viruses originating from well-known protocols (HTTP / FTP / SMTP / POP3) and deeply hidden inside compressed files (ZIP / RAR / GZIP), ensuring a timely and precise response against viruses. By leveraging highly effective stream scanning technology, SANGFOR NGFW delivers great performance in the application layer, which significantly distinguishes it from traditional methods that easily become the bottleneck of the whole network.

DOS/DDOS Attack Protection

Abnormal dataflow and DOS/DDOS attacks are detected and filtered by SANGFOR NGFW, ensuring the security and stability of the server. SANGFOR NGFW provides protection against DOS/DDOS attacks from layer 2 to layer 7, and ensures that DOS attacks based on packets, IPs, and the TCP and HTTP protocols are blocked.

SANGFOR NGFW's comprehensive signature database of 3,000+ vulnerabilities, 300,000 virus/Trojan/malware signatures, and 2,000+ web application threats gives the IT organization great ability to defend against threats in various layers.

As a partner in MAPP (Microsoft Active Protections Program), SANGFOR maintains a vulnerability signature database that holds a compatibility certificate from CVE (Common Vulnerabilities and Exposures). SANGFOR provides best-in-quality products and services.

The database is updated by a dedicated R&D team.

Figure: threats by layer of the network stack, from the L1 physical layer (network cable) and L2 link layer (network interface), through the L3 network layer and L4 transport layer (TCP/IP protocol stack, operating system) and the L5-L7 application layer (web service architecture, web application architecture), up to the data layer above L7 (business content). Threats shown, from the bottom up: physical damage; ARP spoofing and broadcast storms; access control and protocol anomaly, network layer DDoS; worms, viruses and Trojans; apps/server scanning, weak password attacks and application layer DDoS; SQL injection and cross-site scripting; sensitive information leakage, web page tampering and vulnerability attacks. Caption: high risk requires more protection.

Intelligent Security Defense System

Cross-modules Intelligent Defense Strategy

An advanced cross-module security defense strategy can be generated automatically by active defense technology. For example, the firewall can generate a new firewall rule to block a certain IP if dangerous dataflow or attacks from that IP are identified by other modules. This performs well against automated attacks and attack tools, and ensures system security with easy maintenance and management.

Integrated IPsec VPN Function

Leveraging SANGFOR's integrated IPsec VPN function, a more effective and secure wide area network can be built with higher ROI.

Flexible Deployment Modes

SANGFOR NGFW supports several deployment modes such as gateway, bridge, bypass, virtual-wire and hybrid, as well as multiple link aggregation and asymmetric routing, which ensures good adaptability to complex networking environments.

Complete Firewall Capabilities

Customers can migrate from their traditional firewalls to SANGFOR NGFW without compromising any current networking function, such as ACL, NAT, routing and VLAN. These functions are fully supported by NGFW, giving smooth deployment and easy management from day one.

Figure: Intelligent Network Security Defense System, laid out as four columns over a common platform
Platform: One time analysis algorithm; Strategy linkage; Safety analysis and audit (port / server scanning, weak password scanning, server risk assessment)
Access Security: Application route; IPSEC VPN; OSPF / RIP; User authentication; AD domain integration
Network Security: Network ACL; NAT; DOS / DDOS; Flow filtering; BM based on applications
Application Security: Application Access control; IPS based on applications; CC anti-attack; Anti-virus, Anti-Trojans; Apps layer DOS/DDOS; URL filtering
Business Security: Enhanced web security; SQL protection; sensitive information; webpage ADS; Web shell upload; Malicious plug-in
Reporting: server/terminal security report; Flow/site/apps statistic report; SMS / email alarm

Page 4: NGFW Brochure 08 08

Bidirectional Contents Inspection

Webpage Protection against Tampering

Anti webpage tampering is a sub-function of NGFW that applies an after-the-fact compensatory approach to protect the security of the website. That means that even if a hacker has circumvented the security defense system and tampered with the webpage, the modified webpage cannot be delivered to end users, reducing the damage and economic loss to a minimum. Meanwhile, the administrator is informed at runtime by the NGFW alarm service, allowing the issue to be resolved in time. Furthermore, NGFW provides a redirection function that redirects end users to the backup server to ensure normal operation of the business.

Compared with the traditional approach of installing anti webpage tampering software, SANGFOR NGFW's solution is more user-friendly and easier to maintain, with no plugins required and no performance impact on the server.

User Defined Sensitive Info Leak Protection

SANGFOR NGFW can protect user-defined sensitive information against leaks. The sensitive information can be identified, blocked and alarmed on in different ways (SMS, e-mail, ...) by SANGFOR NGFW, ensuring entire security for data such as user information, email accounts, MD5 encryption keys, bank card numbers, ID numbers, social security accounts, credit card numbers and mobile phone numbers.
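Added example, not SANGFOR's code: a minimal outbound-response check in Python showing the two behaviours the tampering and leak protection sections describe, a trusted-copy hash comparison that refuses to deliver a modified page and redirects to a backup server, and a scan that blocks and raises an alarm on user-defined sensitive data (Luhn-validated card numbers and e-mail addresses). The brochure does not say how the NGFW recognises a tampered page; the hash baseline, page contents, patterns and backup address here are all constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed example data: trusted copies of the static pages being protected.
# A real deployment would take these from a baseline snapshot, not the live server.
GOLDEN_PAGES = {
    "/index.html": b"<html><body><h1>Welcome to Example Corp</h1></body></html>",
}
BASELINE = {p: hashlib.sha256(b).hexdigest() for p, b in GOLDEN_PAGES.items()}
BACKUP_SERVER = "https://backup.example.invalid"  # placeholder address

# Candidate payment card numbers: 13-19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps phone numbers and order IDs out of the card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                                  # "allow", "block" or "redirect"
    alerts: list = field(default_factory=list)   # what the SMS / e-mail alarm would carry


def inspect_response(path: str, body: bytes) -> Verdict:
    """Outbound (server -> user) check: tamper detection first, then data leak scan."""
    expected = BASELINE.get(path)
    if expected is not None and hashlib.sha256(body).hexdigest() != expected:
        # Page differs from the trusted copy: do not deliver it, send the user to backup.
        return Verdict("redirect", [f"{path} tampered; redirecting to {BACKUP_SERVER}"])
    text = body.decode("utf-8", errors="replace")
    alerts = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            alerts.append(f"card number in {path} (ends {digits[-4:]})")
    if EMAIL_RE.search(text):
        alerts.append(f"e-mail address in {path}")
    return Verdict("block" if alerts else "allow", alerts)
```

Dynamic pages have no fixed hash, which is why the leak scan runs on every response while the tamper check applies only to paths with a baseline entry.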

Application Protocol and Content Concealing

Automatic response information from web, FTP, mail or other servers, which may serve as a guideline for hackers in preparing an attack, can be concealed by NGFW; for example, HTTP error page concealing and FTP information hiding.

Enhanced User Login Authentication Protection

NGFW is flexible and allows various levels of security priority on user-defined services or webpages. When services or webpages of higher priority are accessed, strict authentication rules are enforced, such as SMS tokens or other two-factor authentication. That means hackers cannot access sensitive and important data or webpages even if they have your username and password.

Figure: NGAF deep content detection and the protections applied at each phase of a web attack (users and hackers reaching the web application server through the NGFW)
NGAF deep content detection technology analyzes each application command and scans the content it carries for sensitive data and threats. Features: the data is copied to the application layer; data content is restored to realize deep content detection; the HTTP protocol is understood, so hidden attacks can be defended against.
Scanning process: prevent port/server scanning; prevent app vulnerability scanning; weak password protection; anti brute force attack; core URL protection; website structure anti-scanning; web crawler defense.
Attacking process: enhanced web defense (SQL injection defense, OS command injection defense, XSS attack, CSRF attack); IPS based on application (server vulnerability defense, terminal vulnerability defense).
Destroy process: DOS attack; application layer DOS attack; CC attack; authority control; exe file upload filtering; upload viruses/Trojans filtering; prevent web shell dataflow.
Server outbound content filtering: Webpage Defender (static, dynamic); sensitive information leakage prevention (ID card, credit card number, financial data...).

Application Layer High Performance

Multi-core Parallel Processing

SANGFOR's advanced multi-core parallel processing hardware architecture enables high performance computing in the application layer, outperforming traditional NP or ASIC architectures. Furthermore, Lock-free Parallel Processing technology is applied to the computing process, producing true multi-core parallel processing and significantly enhancing system throughput.

Single-pass Analysis Algorithm

Unlike UTM, NGFW significantly enhances performance in application layer processing with the advanced Single-pass Analysis Algorithm. Various threats are detected in a single parse, without unpacking and repacking the message repeatedly as in UTM.

Hopping Scan Technology

Leveraging the application authentication technology accumulated over years, all packets passing through the NGFW are tagged with SANGFOR's proprietary protocol identification during core processing. With the protocol identified, threats can be detected more efficiently and precisely during content detection, since only the signatures relevant to that protocol need to be checked.

For example, a Serv-U FTP server vulnerability pattern appearing in HTTP dataflow cannot threaten the server. This principle guides the optimization of the algorithm and enhances its efficiency.

Figure: multi-core parallel processing architecture. CPU 1, 2, 3 ... N deliver parallel processing performance above the networking hardware I/O; the policy layer (FW, IPS, WAF) sits above the network layer.