
- Overview
- Firewall
- Certificate Authentication
- AntiVirus
- Detection&Prevention
- AntiSpam
- Authentication
Overview
| Active Users | 2000 |
| Processor | Core 2 Duo E4300 1.8 GHz |
| RAM | 4G non-ECC (1G x 2) |
| Case Type | 1U |
| Interfaces | 4 x GE ports (10/100/1000 Mbit/s) |
| Firewall | Stateful firewall, NAT (Network Address Translation), PAT (Port Address Translation), ALG support, SOCKS proxy support, detailed status statistics |
| Dynamic Intrusion Detection and Prevention | |
| Anti Spam | |
| Anti Virus Scanner | |
| Websorbent © URL / Advanced Content Filtering | |
| Advanced System Management | Monitoring via SNMP, internal HTTP & HTTPS server, DHCP server, DNS server, VPN, user authentication, high-level logging, traffic management, administration / support |
Firewall
Stateful Firewall
A stateful firewall (stateful inspection firewall) goes beyond packet filtering. A connection is not only checked at packet-filter level (source IP address, destination IP address and ports); the firewall also tracks the state of each connection and uses that state to decide whether a packet is allowed or blocked. In practice this means an inbound packet is only accepted if it belongs to a connection an internal host has opened (or to a service the administrator has explicitly published).
NAT
Network Address Translation is used to hide the private IP addresses of the internal LAN behind the external, official Internet IP address of the Netsafe UTM gateway. In addition, Netsafe UTM can handle other types of NAT: Basic NAT (also known as Static NAT), in which an internal IP address is substituted 1:1 with an external IP address, and Dynamic NAT variants such as Many-To-One NAT and Many-To-Many NAT.
PAT
Port Address Translation is used to redirect TCP and UDP ports. Example: an external request arrives for a mail server on port 25. At the UTM gateway it can be redirected, e.g., to an internal mail server listening on port 225.
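The three mechanisms above (state tracking, many-to-one NAT and a PAT redirect) fit in one small engine. The following is an added example written for this page, not Netsafe code; the public address 203.0.113.1, the internal network 10.0.0.0/24, the mail-server redirect to 10.0.0.5:225 and the port range starting at 40000 are all constructed for the illustration.

```python
"""Added example (not Netsafe code): a minimal stateful NAT/PAT engine.

Models the three behaviours the text describes:
  * stateful inspection: an inbound packet is only accepted if it belongs to a
    connection an internal host opened, or matches a published PAT rule;
  * many-to-one NAT (NAPT): hosts in 10.0.0.0/24 are hidden behind the single
    public address 203.0.113.1 with a translated source port;
  * PAT: inbound TCP/25 on the public address is redirected to 10.0.0.5:225.
All addresses, ports and rules are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"                         # constructed gateway address
INTERNAL = ip_network("10.0.0.0/24")              # constructed LAN
PAT_RULES = {("tcp", 25): ("10.0.0.5", 225)}      # constructed redirect rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNAT:
    def __init__(self, first_port: int = 40000):
        self._next_port = first_port
        # (proto, public_port) -> (internal_ip, internal_port, remote_ip, remote_port)
        self.table: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def _alloc_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN->Internet packet and record the flow as state."""
        if ip_address(pkt.src) not in INTERNAL:
            raise ValueError("outbound packet must originate in the internal LAN")
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, pub_port), known in self.table.items():
            if proto == pkt.proto and known == flow:   # existing flow: reuse mapping
                break
        else:
            pub_port = self._alloc_port()
            self.table[(pkt.proto, pub_port)] = flow
        return Packet(pkt.proto, PUBLIC_IP, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet to forward, or None to drop it."""
        if pkt.dst != PUBLIC_IP:
            return None
        # 1. static PAT: published service (public :25 -> mail server :225)
        if (pkt.proto, pkt.dport) in PAT_RULES:
            iip, iport = PAT_RULES[(pkt.proto, pkt.dport)]
            return Packet(pkt.proto, pkt.src, pkt.sport, iip, iport)
        # 2. stateful match: only replies to flows we opened get through
        state = self.table.get((pkt.proto, pkt.dport))
        if state is None:
            return None                                # no state: unsolicited
        iip, iport, rip, rport = state
        if (pkt.src, pkt.sport) != (rip, rport):
            return None                                # right port, wrong peer
        return Packet(pkt.proto, pkt.src, pkt.sport, iip, iport)


def demo() -> dict:
    """Run the scenarios from the text and return the decisions."""
    nat = StatefulNAT()
    out = nat.outbound(Packet("tcp", "10.0.0.23", 51000, "198.51.100.7", 443))
    reply = nat.inbound(Packet("tcp", "198.51.100.7", 443, PUBLIC_IP, out.sport))
    spoof = nat.inbound(Packet("tcp", "192.0.2.9", 443, PUBLIC_IP, out.sport))
    scan = nat.inbound(Packet("tcp", "192.0.2.9", 4444, PUBLIC_IP, 40001))
    mail = nat.inbound(Packet("tcp", "192.0.2.9", 50001, PUBLIC_IP, 25))
    return {"out": out, "reply": reply, "spoof": spoof, "scan": scan, "mail": mail}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:6} -> {'DROP' if pkt is None else pkt}")
```

The `spoof` case is the point of the state table: the attacker hits the right public port but from the wrong peer, so the packet is dropped even though a pure port filter would let it through. A real gateway additionally ages entries out and checks TCP flags and sequence numbers; both are omitted here.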
Full Application Level Gateway
Beyond the connection-state checks of the stateful firewall, the Netsafe UTM firewall performs more advanced protocol and integrity checks. The integrated application level gateway verifies that a protocol is spoken correctly and detects attempts to compromise a system with forbidden commands and/or data. Application level checks are done for many protocols, including DNS, FTP, SIP, H.323, SMTP and IPsec.
High Availability and Load Balancing
Netsafe UTM's HA and load balancing feature provides rapid failover between gateways so that a single gateway failure does not cause downtime.
Certificate Authentication
VPN Protocols
Available VPN protocols are IPsec, PPTP and L2TP over IPsec.
Unlimited dedicated tunnels
The number of tunnels a gateway can handle is not limited by the UTM license.
Encryption
Supported encryption algorithms are DES, 3DES, AES with 16-, 24- and 32-byte keys (AES-128/192/256) and AES-CTR with the same key sizes. DES is listed for compatibility only; it is broken and should not be selected for new tunnels.
Data integrity
Supported integrity algorithms for the VPN are SHA-1, AES-XCBC (a MAC rather than a hash) and MD5. MD5 should only be used where a legacy peer offers nothing else.
Certificate authentication
Pre-shared keys and X.509 certificates are supported. Certificates can be imported into the UTM; certificate requests and self-signed certificates can be generated with the integrated certificate manager.
| IPsec NAT traversal | Available |
| Site to site VPN | Available |
| Client to site VPN | Available |
| Route Based VPN | Available |
| Hub-n-Spoke deployment | Available |
IKEv1 and IKEv2 are supported for automatic key exchange.
AntiVirus
Protocol scanning
Incoming and outgoing data is scanned by the UTM for viruses in real time, before it enters the LAN, within the following protocols:
HTTP (surfing web pages using http)
FTP (downloading files using ftp)
SMTP (sending and receiving email using smtp)
POP3 (polling email from external mail servers using pop3)
Automatic Update
The virus signature database is updated automatically (up to hourly).
The built-in ClamAV engine protects the intranet from virus threats originating from the Internet by scanning the emails received from the Internet. The engine can be attached to the SMTP and POP3 proxies to scan mail for viruses and take the configured action on infected messages.
Detection and Prevention
High Quality Attack Database
The Netsafe UTM advanced intrusion prevention engine detects and blocks a large variety of known attacks and threats inside the data stream. The advanced quality attack database currently contains more than 6000 known attacks. This means maximum security and protection.
Auto-Prevention
Netsafe UTM is equipped with a feature called Auto-Prevention: the gateway ships with predefined security policy levels that define how to react automatically to the different attacks. Through the Auto-Prevention feature intrusion prevention becomes usable and secure with a single click and without individual customization.
Advanced Attack Prevention
Advanced prevention and detection mechanisms against major threats and attacks such as port scans, DoS (denial of service) attacks, buffer overflows, UDP attacks, application and protocol anomaly attacks, and packet fragmentation attacks. In a fragmentation attack the attacker does not send the attack in one packet but splits it across several packets so that a regular intrusion prevention system, which inspects packets individually, never sees the complete pattern. To prevent fragmented attacks Netsafe UTM does not only look at single packets; it reassembles the complete data stream and runs its checks over the reassembled stream.
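The fragmentation evasion described above can be shown in a few lines. This is an added example, not Netsafe code: the signature (an FTP `SITE EXEC` probe), the segment layout and the sequence numbers are constructed, and the reassembly policy (first copy wins on overlap) is one of several a real IPS might use.

```python
"""Added example (not Netsafe code): why an IPS must reassemble the stream.

A constructed signature is matched first packet by packet, then over the
reassembled TCP stream. Segments are (seq, payload) tuples as a sniffer would
deliver them, possibly out of order and with a retransmission mixed in.
"""
import re
from typing import List, Set, Tuple

SIGNATURES = {
    # constructed rule modelled on a classic FTP command-injection probe
    "ftp-site-exec": re.compile(rb"SITE\s+EXEC", re.IGNORECASE),
}

Segment = Tuple[int, bytes]


def match_per_packet(segments: List[Segment]) -> Set[str]:
    """Naive IPS: every packet is inspected on its own."""
    hits = set()
    for _, payload in segments:
        for name, rx in SIGNATURES.items():
            if rx.search(payload):
                hits.add(name)
    return hits


def reassemble(segments: List[Segment], isn: int) -> bytes:
    """Order segments by sequence number, drop retransmitted/overlapping bytes."""
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments):
        if seq + len(payload) <= expected:
            continue                               # pure retransmission
        if seq < expected:                         # partial overlap: keep new bytes only
            payload = payload[expected - seq:]
            seq = expected
        if seq > expected:
            raise ValueError(f"gap in stream at seq {expected}")
        stream += payload
        expected = seq + len(payload)
    return bytes(stream)


def match_stream(segments: List[Segment], isn: int) -> Set[str]:
    """Stream-aware IPS: inspect the reassembled byte stream."""
    data = reassemble(segments, isn)
    return {name for name, rx in SIGNATURES.items() if rx.search(data)}


# constructed attack: "SITE EXEC /bin/sh\r\n" split mid-keyword, sent out of
# order, with one segment retransmitted
ISN = 1000
EVASIVE_SEGMENTS: List[Segment] = [
    (ISN + 3, b"E EX"),
    (ISN, b"SIT"),
    (ISN + 7, b"EC /bin/sh\r\n"),
    (ISN + 3, b"E EX"),          # duplicate of the second segment
]

if __name__ == "__main__":
    print("per-packet:", match_per_packet(EVASIVE_SEGMENTS) or "no hits")
    print("stream    :", match_stream(EVASIVE_SEGMENTS, ISN))
```

Per-packet matching sees `SIT`, `E EX` and `EC /bin/sh` and fires nothing; the reassembled stream reads `SITE EXEC /bin/sh` and matches. Overlap handling is where real evasions live: if the IPS and the target host resolve overlapping segments differently, the attacker can feed the IPS a harmless view of the stream, so the reassembly policy has to follow the protected host's behaviour.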
Automatic Update
The attack signature database is updated automatically (up to hourly).
Stateful Intrusion Prevention
The Netsafe UTM intrusion prevention engine also tracks sessions, so signatures are matched against whole connections rather than isolated packets. This raises the detection rate significantly.
RFC compliance checks
Communication protocols are checked for RFC compliance, which gives additional protection against attacks that rely on malformed traffic. Many protocols, including HTTP, FTP, POP3, SMTP, DNS, TCP, UDP and RPC, are checked for RFC compliance.
AntiSpam
Black List / White List
In addition to the default spam detection engine, the user can define lists of definitely wanted (White List) and definitely unwanted (Black List) mail addresses or mail domains. These lists override the spam classification: a mail is blocked if its sender address or domain is on the Black List, and accepted if its sender address or domain is on the White List, regardless of its spam rating.
Mime Header Check
To identify spam mails the MIME headers are also checked.
RBL, ORDB
For spam detection and classification the UTM includes Realtime Blackhole Lists (RBL) and Open Relay Databases (ORDB) in its spam rating. If, e.g., an email arrives from a well-known spam server or from an open relay (a mail server that relays mail for anyone and is therefore abused by spammers), the spam rating goes up.
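How the list override, the header check and the RBL/ORDB rating fit together is shown in the following added example; it is not Netsafe code. The DNSBL zone names `rbl.example.net` and `orbs.example.net`, the in-memory "DNS" answers, the list entries and the score weights are all constructed so the example runs offline; the product's real zones and weights are not published on this page.

```python
"""Added example (not Netsafe code): spam rating from RBL/ORDB lookups and
MIME header checks, with Black List / White List overriding the verdict.

The resolver is replaced by a constructed in-memory zone so this runs offline.
"""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

RBL_ZONES: Dict[str, float] = {            # constructed zone -> score weight
    "rbl.example.net": 3.0,                # "well-known spam server" list
    "orbs.example.net": 2.0,               # "open relay" list
}
# constructed DNSBL data: listed IPs answer with a 127.0.0.x return code
FAKE_DNS: Dict[str, str] = {
    "9.2.0.192.rbl.example.net": "127.0.0.2",
    "5.100.51.198.orbs.example.net": "127.0.0.3",
    "1.2.0.192.rbl.example.net": "10.0.0.1",      # bogus answer, see rbl_lookup
}
BLACKLIST = {"spammer@bad.example", "bulk.example"}   # constructed
WHITELIST = {"partner.example"}                       # constructed


def rbl_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried by reversing the IPv4 octets under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rbl_lookup(ip: str, zone: str, resolve: Callable[[str], Optional[str]] = FAKE_DNS.get) -> Optional[str]:
    answer = resolve(rbl_query_name(ip, zone))
    # Only 127.0.0.0/8 answers are valid listings. A dead or hijacked zone can
    # return arbitrary addresses (or wildcard everything); those must not score.
    if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return answer
    return None


def rbl_score(ip: str, resolve=FAKE_DNS.get) -> float:
    return sum(w for zone, w in RBL_ZONES.items() if rbl_lookup(ip, zone, resolve))


def header_score(headers: Dict[str, str]) -> float:
    """Constructed MIME header heuristics; keys are lower-cased header names."""
    score = 0.0
    if "message-id" not in headers:
        score += 1.0
    if "date" not in headers:
        score += 1.0
    return score


def list_verdict(sender: str) -> Optional[str]:
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    if sender in BLACKLIST or domain in BLACKLIST:
        return "block"
    if sender in WHITELIST or domain in WHITELIST:
        return "accept"
    return None


def classify(sender: str, peer_ip: str, headers: Dict[str, str],
             threshold: float = 4.0, resolve=FAKE_DNS.get) -> Tuple[str, float]:
    """Black/White List wins outright; otherwise rate and compare to threshold."""
    verdict = list_verdict(sender)
    if verdict:
        return verdict, 0.0
    score = rbl_score(peer_ip, resolve) + header_score(headers)
    return ("spam" if score >= threshold else "ham"), score


if __name__ == "__main__":
    good = {"message-id": "<1@other.example>", "date": "Mon, 1 Jan 2007 10:00:00 +0000"}
    print(classify("bob@other.example", "192.0.2.9", good))
    print(classify("bob@other.example", "192.0.2.9", {}))
    print(classify("alice@partner.example", "192.0.2.9", {}))
```

The bogus `10.0.0.1` answer is a deliberate edge case: DNSBLs that go offline sometimes start answering every query, and a gateway that treats any non-NXDOMAIN answer as a listing would then tag all mail as spam.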
*Optional CommTouch spam detection engine: the built-in spam detection engine can optionally be supplemented with the CommTouch scan engine. This is an extra option for Netsafe UTM users. CommTouch is a market leader in spam detection, known for its fast scan technology and its detection quality (high detection rates with few false positives). More information on CommTouch and its spam detection technologies can be found at http://www.commtouch.com.
Automatic Update
The spam detection database is updated automatically in real time.
User Authentication
Internal database
Netsafe UTM allows building an internal user database. These users can be used for in-band, out-of-band and VPN authentication.
External Database
Netsafe UTM can communicate with external user databases (LDAP and RADIUS). These users can be used for in-band, out-of-band and VPN authentication.
Out-of-band Authentication
Nearly all protocols can be authenticated using out-of-band authentication. The user logs on at an authentication web interface with login and password. After a successful login, access to the services allowed for this user is granted temporarily, from the address the user logged in from.
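The out-of-band flow is a small state machine: a web login populates a table of temporarily authorised source addresses, and the firewall path consults that table before its static rules. The following is an added example, not Netsafe code; the user record, the password hashing scheme (PBKDF2), the session lifetime and the per-user service set are constructed for the illustration.

```python
"""Added example (not Netsafe code): out-of-band authentication.

A user logs in on the gateway's web form; on success the gateway opens that
user's permitted services for the login source IP for a limited time. The
packet path calls permits() before falling back to the static rule set.
Users, services, salt and TTL are constructed for the example.
"""
import hashlib
import hmac
import time
from typing import Callable, Dict, Set, Tuple

Service = Tuple[str, int]                      # (proto, dport)


def _pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = b"constructed-salt"                     # per-user salt in a real system
# constructed internal user database: name -> (salt, hash, allowed services)
USERS: Dict[str, Tuple[bytes, bytes, Set[Service]]] = {
    "alice": (_SALT, _pw_hash(_SALT, "correct horse"), {("tcp", 22), ("tcp", 3389)}),
}
_DUMMY = bytes(32)                              # compared against for unknown users


class OOBAuth:
    def __init__(self, ttl: int = 3600, now: Callable[[], float] = time.time):
        self.ttl, self.now = ttl, now
        self.sessions: Dict[str, Tuple[str, float]] = {}   # src_ip -> (user, expiry)

    def login(self, src_ip: str, user: str, password: str) -> bool:
        """Web-form login; grants the user's services to src_ip for ttl seconds."""
        rec = USERS.get(user)
        salt, digest = (rec[0], rec[1]) if rec else (_SALT, _DUMMY)
        # Always run the KDF and a constant-time compare, so response time does
        # not reveal whether the user name exists.
        ok = hmac.compare_digest(_pw_hash(salt, password), digest) and rec is not None
        if ok:
            self.sessions[src_ip] = (user, self.now() + self.ttl)
        return ok

    def logout(self, src_ip: str) -> None:
        self.sessions.pop(src_ip, None)

    def permits(self, src_ip: str, proto: str, dport: int) -> bool:
        """Called on the packet path: is this flow covered by a live session?"""
        sess = self.sessions.get(src_ip)
        if sess is None:
            return False
        user, expiry = sess
        if self.now() >= expiry:
            del self.sessions[src_ip]           # lazy expiry of stale grants
            return False
        return (proto, dport) in USERS[user][2]


if __name__ == "__main__":
    auth = OOBAuth(ttl=60)
    print("login:", auth.login("10.0.0.5", "alice", "correct horse"))
    print("ssh  :", auth.permits("10.0.0.5", "tcp", 22))
    print("smtp :", auth.permits("10.0.0.5", "tcp", 25))
```

Binding the grant to the source IP is what makes the scheme "out-of-band": the authenticated protocol itself (SSH, RDP, anything) carries no credential the firewall can see. The corresponding caveat is that every host sharing that IP, for example behind a downstream NAT, inherits the grant until it expires, so the TTL should be short and the login page should offer an explicit logout.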
In-band Authentication
In-band user authentication for HTTP uses the authentication features of the protocol itself, so the credentials travel inside the HTTP session rather than through a separate login page.
Client to site VPN
Client to site VPN connections can be authenticated using user credentials and certificates.
