1U 14P IPS NG-UTM - HERHSIANG Information Co., Ltd.

Home Page

Member sign up | Member login

Home Page Services conventional middle 1U 14P IPS NG-UTM

Services

Search By Category

Search By Keyword

middle

Product Name

1U 14P IPS NG-UTM

Model

NGS 3572HF

Introduction

IPS / WAF / UTM / FW / HA / Two-Factor Two-Part Authentication

1 LAN / 13 definable PORT | All Giga Port (10/100 / 1,000M)

Support VPN such as IPSEC / SSL / PPTP / L2TP (available for IOS) / ZTA

Support 3G / 4G / 5G LTE USB mobile wireless network card

Built-in anti-virus for 1 year, 3rd party application and 3rd party URL database control for 2 year

Optional items: AI IPS (1 or 3 years) / AI Sandstorm (1 or 3 years) / Kaspersky Anti-Virus (from the 2nd year) / 3rd party application (from the 3rd year) / 3rd party URL database (from the 3rd year)
Data storage: SSD

Product Specification

Product Manual

NGS 3572HF is a network security device that complies with Next Generation UTM specifications. It features high operating efficiency, multiple security protection mechanisms, and hierarchical authorization management. It is the preferred network security and management device for medium and large enterprises. NGS 3572HF has the powerful functions of next-generation firewall, including Deep Packet Inspection (DPI) -based application identification and control, In-Line IPS, SSL analysis and blocking, Web Filtering, bandwidth management, anti-virus, spam filtering, and Supports external authentication integration and other functions, which can prevent hackers from sneaking into malicious attacks or unauthorized access to internal network resources. In addition, NGS 3572HF also supports dual-machine backup mechanism (HA), which can ensure the continuous operation of equipment.

Feature Of Product

NGS 3572HF is also a core switch supporting Layer 2-Layer 7, which can directly replace the traditional Layer 3 core switch and meet the requirements of the next generation Software Defined Network (SDN) core switch. Integrate the centralized management of wireless base stations and network-managed switches to create integrated wired and wireless security protection, allowing managers to take care of both inside and outside, Can be used as the second layer as an intranet security firewall (ISFW).

Balancing performance and functionality

HERHSIANG NGS 3572HF, its hardware platform is carefully designed, using X86 hardware equipment, the purpose is to allow enterprise users to fully feel the security protection features provided by HERHSIANG Next Generation UTM. For customers with high connection capacity requirements, we provide high-performance security modules to improve connection capacity and support USB fast restore mechanism.

Two-Factor Two-Part Authentication (Version 9.0.2.3 supported)

Unlike many previous network services that use single-factor password authentication by default, Two-Factor Authentication (2FA), which combines two different authentication methods, users need to pass two or more authentication mechanisms before they can get Authorize access to the system resources provided by the service provider. There are many ways to verify, such as PIN code/fingerprint/scanning QR code/or one-time code and other auxiliary verification, and the purpose is to provide higher security for the account. This The two-factor authentication function combined with Google Authenticator uses the mobile phone owned by the user as the second authentication factor to achieve auxiliary authentication. The function is disabled by default. After enabling this function, the system will prompt you to enter a password and a one-time code. Can access your account.
HERHSIANG NGS next-generation firewall has three parts, supports two-step verification: account management/Internet authentication/SSL VPN

IP v4 / v6 dual frequency technology

There is a shortage of IP v4 addresses, and the age of IP v6 is coming sooner or later, so HERHSIANG has already integrated this trend when developing the next-generation UTM. The same network interface, whether it is defined as WAN or LAN, can be bound at the same time. v4 or v6 IP address, so whether it is in a pure v4 environment, a mixed v4 / v6, or a pure v6 environment, NGS 3572HF is the same.

Support SDN controller

Support SDN controller, can make more than 1 port to form ZONE, directly managed by the SDN controller, and ZONE and ZONE packet transmission will also pass NGS 3572HF packet detection. And with VLAN 802.1Q function, it can cut the internal network into several independent sub-network segments, each of which operates independently without interference.

SSL encrypted connection detection

With the ability to detect SSL traffic, when facing SSL-encrypted connection traffic, you can apply intrusion detection defense, gateway anti-virus, content filtering, and application bandwidth control.

Load balancing

Provides outbound and inbound load balancing, and provides multiple load balancing algorithms. When one of the lines is disconnected, all network packets will automatically switch to another normal line to ensure that the internal user network is unblocked. When the line is restored, the packet It will be assigned automatically again. Enterprises can set load balancing rules according to their own needs, and network access can refer to the set rules to implement network traffic load balancing guidance. The algorithms are: automatic allocation, manual allocation, allocation based on source IP, and allocation based on destination IP.

IPS Intrusion Prevention

The IPS intrusion detection and prevention system provides more than 30,000 signatures, IPS It will check the content corresponding to layers 4 to 7 of the OSI model, whether there are malicious attack programs and viruses, hidden in the TCP / IP communication protocol. After detailed content inspection, the qualified feature code will be Mark out, once discovered, you can block the packets immediately, so that these malicious packets through the firewall have nothing to hide.

WAF (Web Application Firewall)

Web Application Firewall is a product that specifically protects web server applications by implementing a series of security policies for HTTP / HTTPS.

The work of WAF is to analyze the data of the Web application layer, to force multiple conversions of different encoding methods to restore the plaintext of the attack, and to combine the deformed characters and analyze them, which can be better than the combined attacks from the Web layer.

Provide application layer rules. WEB applications are usually customized. Traditional rules for known vulnerabilities are often not effective. WAF provides dedicated application layer rules and has the ability to detect deformation attacks, such as detection of mixed attacks in SSL encrypted traffic.

Threat Detection Defense

Provide enterprises with the most complete defense-in-depth mechanism. Today's network attacks cannot rely on a single point of protection but require complete defense-in-depth. Only through different levels of defense technology can there be a way to reduce the potential threats to the enterprise. In addition to providing firewalls, intrusion detection systems (IPS), and anti-virus as the basis for corporate security protection, Hexiang NGS 3572HF can strengthen the detection of malicious programs for traffic, web pages, and emails. Through the analysis of related security mechanisms , Play the role of defense in depth.

Mail Gateway Protection

The company already has a mail host, but the spam filtering performance is not good. You can use NGS 3572HF as the mail gateway mode to supplement the original mail server's insufficient functions, such as spam filtering and virus filtering. After filtering the virus and advertisement mail through NGS 3572HF, send the clean mail to the mail host.

Virus Letter Filter

The system provides Clam AV anti-virus engine for free. It can detect more than millions of viruses, worms, and Trojan horses. It can automatically scan for viruses on emails, automatically update virus files through the Internet daily, and provide virus email search. condition. The administrator can set the processing method of the poisoned mail, including automatic deletion, storage of the poisoned mail extension and the subject of the poisoned mail notification letter. The new-generation UTM has a built-in Kabar anti-virus engine for one year. Customers can choose to continue to enjoy Kaspersky Anti-Virus, the leader in virus scanning and virus repair.

Spam filtering

Both internal and external mail can be filtered, and ST-IP network letter review, Bayesian filtering, Bayesian filtering automatic learning mechanism, automatic whitelisting mechanism, spam feature filtering and fingerprint identification are provided. , White list comparison and intelligent identification learning database (Auto-Learning), you can even set personalization rules, flexibly formulate filtering rules, handle spam, and ensure comprehensive protection without misjudgment. The accuracy rate is more than 95%. Mail filtering, which can forward, delete, and block the letters that meet the filter conditions set by the administrator.

Anomaly IP analysis

Any network behavior, no matter what kind of software the user runs, from the perspective of network packets, it is roughly divided into the number of uploads and downloads (Connect Session), flow (Flow) and duration (Time), by detecting these The combination of the numbers estimates that the user is using the Internet normally or has abnormal behavior. When abnormal behaviors of internal users are discovered, the manager can adopt a variety of strategies, such as blocking the Internet, immediately limiting its maximum bandwidth, enabling a cooperative defense mechanism to notify the switch to block it or notifying the manager.

Bandwidth Management (QoS)

Assist network administrators to control the network, effectively reduce the obstruction of corporate network, improve serviceability and bandwidth usage. With QoS (bandwidth management) function, it can distribute limited bandwidth to all users. The difference from ordinary bandwidth controllers is that in addition to providing maximum bandwidth and priority management, NGS 3572HF also has a guaranteed bandwidth function. And it also has a personalized bandwidth management design, which can be set for individual users.若 Bandwidth tube 理 When used with a personalized bandwidth tube, the bandwidth pre-defined by the bandwidth management function can be allocated to users below the enterprise, which can effectively prevent the band from being exclusively occupied by users.

Content filtering

Provide Web Filter (web page filtering) function, can block the access to inappropriate web pages (such as pornography, violence) and offensive web pages (such as hackers, viruses), and can set filter conditions to block inappropriate websites.

Sandstorm Malware Filtering Mechanism

Advanced Sandstorm can effectively detect unknown advanced malware attachments, such as common Microsoft, Word, Excel, Power Point or PDF; or targeted phishing emails, and even compressed files, such as ZIP and RAR.

Before scanning emails for Spam or Virus, Sandstorm Defense compares suspicious attachments, isolates problematic emails, and exposes potential malicious programs to avoid affecting users' email reception.

URL database management [optional 3rd party database (optional)]

The built-in "cloud URL database" automatically categorizes web pages. As long as the administrator can prevent harmful URLs from blocking, it can be easily controlled without having to enter website IP addresses and keywords one by one to block. Clicking on harmful URLs arbitrarily is the source of evil. The best way to prevent blocking is to prohibit the use of the Internet. If it cannot be completely banned, the constantly updated URL database is the best protection mechanism.

Full record of online behavior

Some employees of the company use the Internet during work hours to do non-work-related tasks, with small chats and leaks. NGS 3572HF can not only limit the user's permission to use related applications, but also record related online behaviors, including browsing the web and sending emails. When a company leaks information, the saved information is the best evidence to present as evidence.

Traffic Analysis

Provide traffic analysis tools, whether it is the internal user's computer power on and off, real-time network traffic display, communication protocol allocation and traffic rankings. When the line is full, you can immediately find the traffic killer.

Application management [optional 3rd party database (optional)]

Not only is it difficult to manage a variety of network applications, it is also easier to become the best channel for data leakage and virus attacks. NGS 3572HF has a variety of built-in application management functions, including instant messaging, audio and video services, file transfer, P2P software, remote control, browser, VOIP, online games, network protocols, etc., which can easily control employees' use of application software. Permissions to protect corporate network security.

Graphical flow meter

Provide web interface flow meter, draw the system's historical status into charts, so that managers can grasp the current system operating status at any time.

NGS 3572HF provides system status charts (including CPU load chart, memory load chart, system load), network traffic chart (LAN traffic, WAN1 ~ WAN13 traffic), and provides query conditions to quickly search the history of each traffic status .

Threat Intelligence Meter

Provide common threat statistics, APP analysis, mail analysis charts, IPS analysis, WEB analysis, defense analysis, real-time dynamic session analysis and reports.

LOG

Provides a variety of logs, such as log in/out log, system network settings, regulations and targets, network services, advanced protection, IPS, mail management, content logging, VPN, etc. and a detailed log search system.

It is used for debugging analysis, evaluation of system performance, and proof and tracing basis when it is illegally invaded.

ZTA VPN (V9.0.3 Supported in August 2025)

ZTA VPN is a login program that allows you to securely connect to your company's intranet from anywhere. Even from home or elsewhere, you can access your ERP or other intranet-only systems. Data is encrypted to prevent interception or interpretation during transmission, enhancing information security.

In addition, system administrators can customize user access permissions, including resource availability, connection times, and bandwidth limits, enhancing overall control efficiency.

ZTA VPN is easy to use: simply download the program and certificate from your company's NGS firewall, install it, and connect.

ZTA VPN service primarily utilizes Wireguard as its primary connection protocol architecture. Wireguard is a VPN protocol that combines security and performance. However, due to its streamlined architecture, it lacks management and logging mechanisms. This allows it to achieve transmission speeds up to six times faster than IPSEC VPN and four times faster than PPPTP, L2TP, and SSL VPN. ZTA VPN also incorporates comprehensive mechanisms such as authentication, logging management, and VPN tunnel maintenance to achieve highly secure and efficient VPN functionality.

VPN Functionality

Use IPSec, PPTP, L2TP, and SSL VPN to securely connect between site-to-site, point-to-site, and remote users.

These VPN mechanisms allow users to connect to various devices—laptops, branch offices, business locations, mobile devices, and even their homes—from various locations, including home, public information centers, and the internet.

SSL VPN is currently the most important secure long-distance transmission link between many businesses, customers, and partners.

HERHSIANG Android SSLVPN APP

Definition of UTM

IDC's definition of UTM security hardware devices is: It includes multiple security functions integrated into a single hardware device, which must include network firewalls, network intrusion detection and defense, and gateway antivirus. It is not necessary to use all the functions on this device, but it must be built in, and individual components cannot be cut.

In order to test these devices, NSS Group more clearly defines UTM devices as a single device combination of firewall, VPN, IDS / IPS, anti-virus, anti-spam, URL filtering, content filtering and other functions. The detailed definitions are as follows:

* Firewall: Deployed at the network boundary, a strong stateful NAT firewall is required.

* VPN: It is often deployed in corporate WAN as a branch network solution, and basically needs to be able to establish a small number of secure VPN tunnels.

* IDS / IPS: The firewall can only enforce policies. If the policy allows inbound HTTP traffic to the web server in the DMZ zone, the firewall cannot prevent hackers from damaging the target web server from the HTTP protocol. The IPS function will detect and block intrusions that attempt to use network boundaries to prevent malicious network traffic from reaching the server. The IDS function can detect intrusions and issue alerts, but it cannot block malicious traffic.

* Anti-virus: Gateway anti-virus filtering can prevent inbound virus traffic at the network boundary, strengthen computer desktop security, and block them before they reach the desktop. The solution can also prevent internal computers from being infected by viruses from outside the corporate network. .

* Anti-Spam: Gateway Anti-Spam can mark incoming emails and allow further processing by computer-filtered solutions. The solution prevents internal hosts from sending spam to outside the enterprise.

* URL filtering: Using a constantly updated database of URL classifications, a gateway URL filtering solution prevents employees from accessing unpleasant or inappropriate websites from the corporate network.

* Content filtering: Scans specific content of web pages and email traffic. Gateway content filtering solutions can prevent unpleasant or inappropriate content from passing through or being sent out by corporate networks.