Lightning VPN and Firewall: Unique benefits

Lightning MultiCom IPSec VPN gateway and firewall provide unique benefits to security- and cost-conscious corporate customers.

High availability through redundancy; support for Public Key Infrastructures (PKI) using X.509 certificates and certificate authorities (CA) in addition to Pre-shared Keys (PSK); extensive encryption algorithm support, including IDEA, AES and CAST; dual stateful Object firewall; Multimedia and IPSec pass-through; profile scheduling; split security management; certificate management tools; Intrusion Detection System (IDS); Quality of Service (QoS) including concurrent sessions control; support for IPSec network tunnels with dynamic IP addresses at both ends; built-in SSH VPN server with port-forwarding capabilities; load balancing and Internet connection failover: all these features put the Lightning VPN gateways and firewalls at the top of the security appliances and contribute to really unique user benefits. Extended interoperability has been tested by an independent telco test lab.

Benefits Highlights

Unique features, attractively priced, offer unique benefits to security- and cost-conscious customers.

High-Availability and Failover redundancy provides maximum business uptime

All Lightning VPN gateways and firewalls provide a failover option that ensures resilient network protection for enterprise network environments. Businesses can deploy Lightning security gateways using either an Active/Standby failover design or a more advanced Active/Active failover design, which supports complex network environments that require asymmetric routing support. Failover pairs continuously monitor their connection state and switch over within fractions of seconds, thus providing an easy-to-manage high availability solution. Synchronization takes place over the LAN and/or WAN connection, providing another layer of protection by enabling businesses to geographically separate the failover pair. In the event of a system or network failure, network sessions running over IPSec can be automatically transferred between appliances, with complete transparency to users.

Support for Public Key Infrastructures (PKI) using X.509 Certificates and Certificate Authorities (CA)

The Lightning IPSec VPN option natively supports PKI, in addition to the common Preshared Keys (PSK) and manual keying. It interoperates with large-scale Public Key Infrastructure (PKI) deployments through n-tiered certificate hierarchy support. X.509 certificate support is not only a mass-deployment tool, but it also allows for easier and cost-saving integration of Windows XP SP2 standard IPSec clients.

Extensive Certificate issuance and management tools are available from Lightning (see below).

Dual stateful Object firewall

An integrated dual firewall with stateful packet inspection (SPI) and concurrent connection tracking protects your computers from intrusion and attacks. The built-in multi-source attack protection provides a wealth of advanced attack protection services to defend businesses from many popular forms of attacks, including Denial-of-Service (DoS) attacks, fragmented attacks, replay attacks, spoofing attacks, TCP flag attacks, and malformed packet attacks.

The SPI firewall provides rich stateful connection inspection firewall services, tracking the state of all network communications and preventing unauthorized network access. Deep Packet Inspection techniques allow for automatic application and protocol state tracking, extended multiple Network Address and Port Translation (multi-NAT / PAT) services, and attack detection techniques. Real-time alerts using email, syslog and SNMP messages allow notification of possible attacks or use of filtered sites.

A second distinct WAN firewall, the SecureWall (TM) firewall, placed in front of the SPI firewall, allows for the added security of a second independent firewall in the same unit, without the additional purchase and management costs of a separate unit.

Firewall, filter and NAT for the VPN traffic

The VPN traffic can also be firewalled, filtered and NATed, like any other non-VPN traffic, adding an important security barrier to remote accesses through VPNs and a great deal of flexibility in the IP addressing schemes.

Full Hub-VPN and Spoke-VPN support

A central location can be configured to also route, firewall, filter, limit and NAT traffic between selected VPN tunnels ("Hub-VPN") or not ("Spoke-VPN").

Hub-VPNs have the big advantage over usual IPSec VPNs of allowing direct links between remote locations through the central site without requiring direct point-to-point VPN tunnels, removing configuration complexity for an integrated enterprise-wide network. The firewalling, filtering and limiting then make it possible to control and limit the traffic selectively or globally between remote locations and between remote locations and the central site. Hub-VPNs are typically useful within a company.

Spoke-VPNs completely separate the traffic of the remote locations and only allow traffic between a remote location and the central site. Here also, firewalling, filtering, limiting, and NAT are fully supported. Spoke-VPNs are typically used to connect partners or customers to a company.

Network integration with DHCP-over-IPSec, IPSec with ARP proxy and Extruded subnets

Remote locations can be given central-site IP addresses dynamically from the central site, using the built-in DHCP-over-IPSec feature, and even small subnets can be "extruded" (or "delegated") from the central site's subnet(s), so that no special addressing plan is required, and detailed IP addressing space management is no longer needed. This is a big saver of installation cost and time, and gives unprecedented flexibility in easily managing IPSec deployments of any size.

Roadwarrior VPN support

All the previous features, together with "single VPN account - multiple users" support, make it possible to set up a secure central-site IPSec VPN gateway for hundreds of roadwarriors within minutes. X.509 certificates and Lightning's associated CA management and deployment tools add to the deployment simplicity, while preshared keys (PSK) using IPSec's standard IKE or manual keying are also fully supported.

VPN subnets support

Very extensive care has been given to the full support of multiple VPN subnets, making it possible to link remote networks using any kind of existing IP addressing scheme.

Multimedia and IPSec pass-through

The Lightning firewall allows for the configuration of pass-through for popular standard multimedia applications such as the standard H.323 and T.120, VoIP audio-calls setup, control and management protocols, User localisation protocols, LDAP access protocols and many more.

IPSec pass-through can be configured either outside an IPSec tunnel or even inside an IPSec tunnel, allowing for differentiated access to corporate applications. NAT traversal is also supported, in the IPSec services as well as in the NAT services.

Profile scheduling

Up to six configurations can be installed and scheduled for activation at different times, allowing for fine-tuned time-of-day and day-of-week access control on VPN, firewall, URL filtering and any other configuration item. One custom configuration can be activated by an external configuration button, allowing for instance easy maintenance work.

Split Security Management

Extensive management and monitoring software, ranging from the built-in web-based Easy Configuration wizard and Easy VPN tool, through the multi-platform Java-based Configurator and Monitor tool, up to Lightning's Professional PKI management software, allows for quick deployment and powerful configuration and monitoring, saving time and cost throughout the long product lifetime, extended by regular firmware and software updates and upgrade opportunities. Standard management interfaces and protocols allow for wide interoperability, with SNMP (v2 and v1), SSH (v2), telnet, FTP, Syslog, and more.

All the tools have been designed with distinct network- and security-management teams in mind, with precise security and network configuration procedures, as used by our world-leading customers. The built-in User management tools make it possible to set up and enforce the Security Officer and Network Manager roles, whether held by separate persons or by the same person. Specific roles, tasks and commands are assigned to each group.

Certificate issuance and management tools

Lightning's Professional PKI management software includes Lightning CertManager X.509 PKI Certificates Manager, which manages X.509 certificate deployments in Public Key Infrastructures (PKI), while the Lightning Certissuer Certificates Issuer for the Ethernet II, III, SpeedSurf, Ethernet Enterprise is software for managing X.509 certificate trees in a Public Key Infrastructure. Finally, the built-in web-based Easy-VPN tool makes it possible to configure and test VPN tunnels and road-warrior accesses within minutes using either PKI certificates or PSK preshared keys with the IKE (Internet Key Exchange) standard.

Intrusion Detection System (IDS)

While the Enterprise Ethernet includes a state-of-the-art IDS based on the award-winning SNORT IDS, the whole range of Lightning firewalls features a solid Intrusion Detection System built into the SPI firewall.

Real-time alerts using email, syslog and SNMP messages allow notification of possible attacks or use of filtered sites.

Quality of Services 

Quality of Services is implemented at the firewall level, allowing not only for the control of the authorized legitimate traffic, but also for better trapping of unauthorized traffic. Maximum packet traffic and bursts can be defined for each service, network connection and application/protocol state, allowing for powerful fine-tuning and control of concurrent sessions independently, or as aggregate traffic.

IPSec network tunnels with dynamic IP addresses at both ends using Domain names endpoint support

Lightning's proven IPSec technology even allows building Network-to-Network and Computer-to-Network tunnels without any fixed IP addresses at all, saving installation and recurrent costs, and time before installation. The built-in DHCP server, client and relay, the built-in multiple Dynamic DNS client, and support for Fully Qualified Domain Names (FQDN) for IPSec allow you to use standard ADSL or CATV Internet accesses and still have the convenience of secured IPSec VPN accesses.

Built-in SSH VPN server with port-forwarding capabilities

For Computer-to-Network access, SSH has shown itself to be an attractive alternative or complement to IPSec, with clients widely available on all platforms with hassle-free setups. Lightning firewalls offer an SSH VPN server as an option.

Load balancing and Internet connection failover

Load balancing makes it possible to split traffic across two or more servers or links, while Internet connection failover makes it possible to switch provider or line, should an ADSL provider fail.

Extended Interoperability

Extensive interoperability tests by a leading European Telco have shown Lightning's IPSec implementation to be highly interoperable with all other leading vendors tested, guaranteeing extended interoperability using standards. Some of Lightning's unique features may auto-switch-off during protocol negotiation phases to provide interoperability.

 

More Lightning exclusive features can be found in the menu Products - VPN firewall features.