# Managed UTM Version2
## About This Menu
### Overview
#### Features
This menu has the following features:
- Reliable and secure operation by security managed service: The Security Operation Center (SOC), which has a global security management system, monitors the management servers provided in this menu.
- All-in-one provision of security features: All the security features necessary to protect the customer's environment from a variety of security threats, such as unauthorized access, virus infection, unwanted web access and spam e-mail, are provided:
  - Firewall function (access control / IPsec VPN)
  - IDS/IPS function: detection of and protection against fraudulent access
  - Anti-Virus function: protection from viruses
  - Web Filter function: filtering of web communication based on URL
  - Spam Filter function: determination of spam mail
- Immediate provision by self-operation and immediate setting changes: Customers can start using this menu immediately by operating the Security Control Panel through the Enterprise Cloud 2.0 Portal, and configuration changes made on the Security Control Panel are reflected immediately. Customers can use the necessary resources without initial investment, minimum usage period or asset ownership, and can build a secure environment tailored to their business environment.
## Available Functions
### List of Available Functions
This menu provides the following functions:

| Functions | Description |
|---|---|
| 1. Firewall | Traffic control function based on the firewall policy which the customer configures. |
| 2. Security | Security functions with which customers control and manage security measures such as the following, applied to traffic matched by the firewall policies (transmission rules) they set. |
| 3. Network | Connects the "Device" to the logical network and routes traffic. |
| 4. IPsecVPN | Creates a tunnel encrypted with IPsec and realizes secure communication between multiple sites. |
| 5. Other Functions | Transmits the logs obtained by the "Device" to the customer's syslog server, and assigns the time zone used for the log content recorded within the "Device". |
| 6. Security Incident Report | The "Device" analyzes its own logs and reports any security incident(s) once there is information indicating that the "Device" received hostile incoming traffic. |
| 7. Control Panel | Set up applications and devices from the Security Control Panel of the Enterprise Cloud 2.0 Portal. |
| 8. Version Upgrade | Upgrade the version of Managed FW / UTM / WAF Version 2. |
### Description of Respective Functions
#### 1. Firewall

| Item | Description |
|---|---|
| Firewall | Traffic control by stateful inspection [1], applied to traffic passing through the device according to the configured firewall policy. |
| NAT / NAPT [2] | Translates the IP address or port number(s) of traffic passing through the "Device". |

[1] Stateful inspection decides whether to allow or deny a packet passing through the "Device" by tracking the state of the packets it has seen. Typically, if an outbound packet is allowed, the corresponding return packets are allowed back through.
[2] NAT stands for Network Address Translation; NAPT stands for Network Address Port Translation.
#### 2. Security

| Item | Description |
|---|---|
| IPS/IDS | Signature-based inspection of traffic; detects dangerous traffic and blocks it. |
| Antivirus | Signature-file based detection; detects and blocks traffic that the function judges to be a "Virus". |
| Web Filter | Checks the access destination of web communications and controls the communication. |
| Spam Filter | Filters mail traffic; identifies spam e-mail and takes the configured action. |

Functions of IDS/IPS

| Item | Description |
|---|---|
| Protocol | TCP/IP |
| Action | Select the action taken for a risky communication event. |

Note
In IPS mode, not all signatures are targets for blocking; some signatures are for inspection (detection) only.
Signatures are updated automatically.
Functions of Antivirus

| Item | Description |
|---|---|
| Protocol | HTTP, FTP, SMTP, POP3, IMAP, MAPI, NNTP |
| Port Number | Customer-specified port number |
| Action | Select the action at the time of detection, per protocol. |
| Selectable file size for inspection | 1 MB to 10 MB (initial value: 3 MB) |
| Number of times compressed | Only files compressed 12 times or fewer (nesting depth) can be inspected. |
| Compression format | arj, cab, gzip, lha, lzh, msc, rar, tar, zip |
| Decompressed file size of the compressed file | The decompressed size limit is the value set as the selectable file size for inspection. |

Note
Encrypted or password-protected files cannot be inspected. Traffic carrying such files passes through this menu without inspection.
Signatures are updated automatically.
Functions of Web-Filter

| Item | Description |
|---|---|
| Protocol | HTTP |
| Port Number | Customer-specified port number |
| Block URL category | Control in units of URL category. |
| White list / Black list | The customer sets individual URLs and specifies the action for each URL. |

Note
Communication on TCP ports 8008, 8010 and 8020 is not allowed for communication inspected by the WebFilter function, so that the Block screen can be displayed correctly.
To use the WebFilter function for communication through a proxy server, apply the WebFilter function to the communication from the client to the proxy server. When the WebFilter function is applied to the communication from the proxy server to the web site on the Internet, it may not work correctly depending on the proxy server's specification and configuration; for example, the Block screen is not shown to the client.
If the common name in a connected site's server certificate belongs to a domain that is categorized as harmful and blocked on the customer's side, the blocking screen is not shown; instead the web browser shows the user an error.
The URLs included in each URL category are updated automatically.
Functions of Spam Filter

| Item | Description |
|---|---|
| Protocol | POP3, IMAP |
| Port Number | Customer-specified port number |
| Action | Select whether to enable or disable spam judgment, per protocol. |
| Tag | For an action with a tag, the tag added to the mail subject can be specified optionally. |
| White list / Black list | The customer sets individual e-mail addresses and specifies the action for each address. |

Note
The specified tag is added to the subject of mail judged to be spam. This menu does not delete mail identified as spam; the customer should handle such mail based on the tag information in the subject.
In the IMAP case, the tag may not be added to the mail subject. This is a restriction of IMAP, not of this service's specification: IMAP downloads the mail body to the client after downloading the subject, so if a URL in the body is identified as spam, the tag cannot be added to the subject. If the mail address is identified as spam, the tag can be added to the subject.
The list of mail addresses judged to be spam is updated automatically.
#### 3. Network

| Item | Description |
|---|---|
| Interface | Sets the interfaces of the "Device" and connects them to the logical network. |
| Routing | Sets static routes and the default gateway, and routes traffic accordingly. |

Note
Customers are required to create the logical network before this menu is provisioned.
The "Device" is connected to the Data Plane of the logical network; it is not connected to the Storage Plane.
To create, change or delete an interface of the "Device", the "Device" must be rebooted, and the interface MAC address changes automatically.
The MTU size of an interface can be set from 100 to 9000 bytes. The initial value is 1500 bytes.
In the HA plan, when the customer applies the address range of the segment connected to an interface to NAT/NAPT, configure Proxy ARP.
#### 4. IPsecVPN

| Item | Description |
|---|---|
| IPsecVPN | Defines the authentication method, encryption method and peer IP address, and creates a tunnel to the opposite network. |
| Routing | Sets static routes to the tunnel interface and routes traffic through it. |
| Access Control | Controls traffic passing through the tunnel based on the policy the customer configures. |
| NAT/NAPT | Translates the IP address and port number of traffic passing through the tunnel. |

Note
In the HA configuration plan, the IPsecVPN function cannot be used; it is available only in the single configuration plan.
The IPsecVPN function provided by this service is for IPsecVPN connections between Managed Firewall / UTM devices. Connection with other VPN devices is not supported.
The security functions cannot be used within a policy created for IPsec VPN.

| Item | Description |
|---|---|
| Authentication method | Pre-shared key (PSK) |
| Encryption algorithm | AES-128 / AES-192 / AES-256 |
| Authentication (hash function) | SHA-256 / SHA-384 / SHA-512 |
| DH Group | 14 / 15 / 16 / 17 / 18 / 19 / 20 / 21 / 27 / 28 / 29 / 30 / 31 |
| Number of tunnels that can be created | Maximum 15 (per Managed UTM) |
#### 5. Other Functions

| Item | Description |
|---|---|
| Syslog transmission | Sends the logs obtained at the "Device" to a syslog server managed by the customer. |
| Time Zone Assignment | Sets the time zone used for the time stamps recorded in the logs on the "Device". |
| Device Config Export | Exports the items set on the device to a document. |

Note
Only one (1) destination can be set for syslog transmission.
If you change the time zone, the time stamps of logs recorded before the change are not rewritten.
Traffic logs and security detection logs, for the firewall policies configured to obtain logs, are sent by syslog.
#### 6. Security Incident Report

| Item | Description |
|---|---|
| Create Report | Device logs are analyzed automatically and a "Security Incident Report" is generated when a threat is detected. |
| Publish Report | The Security Incident Report is shown on the Security Control Panel through the Enterprise Cloud 2.0 Portal. |
| Notify Report | When a Security Incident Report is generated, an e-mail notification is sent to the mail address registered on the Security Control Panel. |
| Report notification level setting | Changes the severity threshold used as the criterion for creating an Incident Report. |

● Security Incident Report
The "Security Incident Report" includes the following items:

| Item | Description |
|---|---|
| Device | The device name, if any |
| Signature | Threat name |
| Severity | Severity of the recognized threat |
| Confidence | Detection accuracy |
| Reference | Automatically assigned ID |
| Date and Time | The date and time of the first detection, and of the last detection, of the reported threat |
| Description | Description of the details of the recognized threat |
| Access Patterns | Diagram of the threat's access status |
| Details | Threat details |

Note
The analyzed logs are limited to those obtained under the firewall policies for which the device is configured to obtain logs.
All "Security Incidents" are reported in English.
When the customer uses this menu together with another menu such as Managed Firewall Version2 or Managed WAF Version2 on one tenant, the Security Incident Report is generated by correlation analysis of the logs of each device; a separate Security Incident Report is not generated for each menu and device.
#### 7. Control Panel

| Item | Description |
|---|---|
| Order | Customers can subscribe to the Security Menu. |
| Operation | Customers can manage and/or configure the created "Device". |

● Order
The following actions are available from the Order Panel:

| Item | Description |
|---|---|
| Add Device | Customers can create a new "Device" or add one. |
| Change | Change the menu and/or plan of a created "Device" to update its settings. |
| Delete Device | Delete a created "Device" to remove it from operation. |

● Operation
The following actions are available from the Operations Panel:

| Item | Description |
|---|---|
| Device KPI | View resource status (such as CPU and memory) and traffic. |
| Network Management | Set the interfaces of the "Device" (and connect them to the logical network). |
| Device Management | Configure the firewall, security and other functions. |
| Log Analysis | Customers can specify search conditions and download the matching log data as a CSV file. |
| Incident Reports | Security Incident Reports are posted here. |
| Customer Profile | Customers can register the mail notification destination for Security Incident Reports. |
| Document | Customers can download the CSV file output by the Device Config Export. |
| Information | Any notable information is relayed here. |

Note
To specify the logs targeted for log analysis and for Security Incident Report analysis, configure which logs are obtained for each Firewall Policy.
In log analysis, logs can be confirmed and searched for the periods below. The integrity of the obtained logs is not guaranteed.
- Logs acquired by the firewall function (traffic log): 7 days
- Logs acquired by the security function (security detection log): 90 days
Customers who need to keep and search logs for a longer period are advised to transmit them to a syslog server that they manage.
#### 8. Version Upgrade

| Item | Description |
|---|---|
| GetFirmwareStatus | Check whether the device is a target of the version upgrade. |
| Firmware Update | Execute the version upgrade of the target device. |
## Menu
### Plan

| Plan | vCPU (Number) | Memory (GB) | Disk, System area (GB) | Interface (Maximum) | Configuration |
|---|---|---|---|---|---|
| 2CPU-4GB | 2 | 4 | 2 | 7 | Deploy Singular |
| 8CPU-12GB | 8 | 12 | 2 | 7 | Deploy Singular |
| 2CPU-4GB(HA) | 2 | 4 | 2 | 7 | High Availability (Redundancy) |
| 8CPU-12GB(HA) | 8 | 12 | 2 | 7 | High Availability (Redundancy) |
### Subscriptions Method

| Order Types | Details | Subscription Methods | Offering Date |
|---|---|---|---|
| Add Device | Create the Device | Subscription by the customer on the Security Control Panel. | Immediate |
| Change | Change the "Device" plan; modify menus to change settings | Same as above. | Same as above. |
| Delete Device | Delete the Device | Same as above. | Same as above. |

Note
Only one (1) "Device" can be handled per order. Customers who wish to subscribe to multiple "Devices" must go through the order process once for each "Device"; the Order screen has to be completed for each and every "Device".
Plan changes are possible in all of the following patterns:
- 2CPU-4GB → 8CPU-12GB ○
- 8CPU-12GB → 2CPU-4GB ○
Plan changes that change the configuration, such as from a Single Configuration Plan to an HA Configuration Plan, are not possible:
- Single Configuration Plan to HA Configuration Plan: N/A
- HA Configuration Plan to Single Configuration Plan: N/A
When the plan is changed, the "Device" is rebooted.
You cannot change from this menu to another menu.
When many subscription orders are being processed at the same time, creating a "Device", changing plans and so forth may take longer than usual.
When creating a device, the selectable zone and group differ by region. Details are described under Region/Zone/Group in the service description.
### Restrictions

| Unit | Maximum Number | Minimum Number |
|---|---|---|
| 1 | No limit | 0 |
## Terms And Conditions

Logical Network Connectivity

<Singular Configuration> For singular deployment, two (2) or more logical networks are required. Customers must configure separate logical networks for the receiving side and the transmitting side. (In essence, Customers cannot deploy a so-called "one-arm" setup.)

<HA Configuration> In the HA configuration, four or more logical networks are required. As in the Single Configuration Plan, two or more logical networks are required to carry customer traffic; in addition, two logical networks are required to connect the two devices of the HA Configuration Plan. (In essence, Customers cannot deploy a so-called "one-arm" setup.)

Note
When the customer uses VRRP on the opposite device, the customer must select a different VRRP ID.
## Conditions of Use in Combination with Other Services
## Pricing
### Monthly Fee
## Quality of Menu
### Support Coverage
#### Operations

| Item | Description |
|---|---|
| Security update version management | Manages signature updates. |
| Applies security patches | Applies security patches depending on the degree of impact (equivalent to the version-up operation). |
| Life Cycle Management of the Products | Proceeds with version updates in operation. |
| Monitoring / Maintenance | Operation monitoring and failure countermeasure implementation for this device. |
### Restrictions
The restrictions of this menu are as follows.
When the customer uses VRRP, the VRRP ID configuration of the logical network has the following restriction: in the HA configuration, make sure that the VRRP IDs on the same network, such as the logical network to which this menu connects, the colocation connection (CIC) and the Enterprise Cloud 1.0 connection (EIC), do not overlap.
In the HA Configuration Plan, enable DHCP on the logical network carrying the customer's traffic.
The IP address ranges below cannot be used for Interface, Routing, Address object, Destination NAT or Source NAT. If these addresses are used, this menu does not work correctly.
- 100.65.0.0/16
- 100.66.0.0/15
- 100.68.0.0/14
- 100.72.0.0/14
- 100.76.0.0/15
- 100.78.0.0/16
- 100.80.0.0/13
- 100.88.0.0/15
- 100.91.0.0/16
- 100.92.0.0/14
- 100.126.0.0/15
Design the IP addresses in the logical network to which this menu is connected at your own risk, and be careful not to duplicate the IP addresses assigned to this menu.
Create firewall policies after the object and security profile configuration has been saved.
Packets that violate the TCP/UDP/IP protocols and abnormal packets are dropped by the standard function regardless of the customer's configuration. Examples:
- The IP header is truncated in the middle;
- The port number is null (0);
- The TCP flag combination is abnormal;
- Invalid encapsulation of invalid packet(s).
If memory usage on the device exceeds 88 percent, it enters Conserve mode. In Conserve mode, new sessions pass through without being inspected by the antivirus, web filter and spam filter features. When memory usage drops below 88%, Conserve mode is cancelled automatically.
The Dynamic Routing function is not provided in this menu.
The Bandwidth Control function is not provided in this menu.
During maintenance work on the device, communication is interrupted in the single configuration. In the HA configuration, the effect is about the same as the switching time at a failure. The work is carried out after advance notification, but its date and time cannot be adjusted.
The functions and logs provided by this menu do not guarantee integrity, accuracy or suitability for the customer's purpose of use.
NTT Com, as the service provider, provides the following information to the developer(s) and/or front-end seller of the "Device", in order to check whether a failure could occur due to incompatible settings or irregular operations. However, repair of a failure is not guaranteed if the problem or failure occurs due to operations that NTT Com did not intend. The following information is relayed to the system developer and front-end seller:
- Setting details and data obtained at the time the menu is provisioned.
- Management details related to this provisioned menu.
The ports below cannot be used with this menu. This menu may not work when these ports are used.
- TCP/2000, TCP/5060
- TCP/8008, TCP/8010, TCP/8020 (if the WebFilter function is enabled)
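As an added example (not part of the service description or any NTT Com tooling), the following Python checker encodes the reserved address ranges from the Restrictions list above and the unavailable TCP ports just listed, so a planned set of interface and NAT addresses and service ports can be validated before a Device is ordered; the function names, the `check_design` helper and the sample plan are my own assumptions.

```python
import ipaddress

# Address ranges the Restrictions section lists as unusable for Interface,
# Routing, Address object, Destination NAT and Source NAT (values from the page).
RESERVED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "100.65.0.0/16", "100.66.0.0/15", "100.68.0.0/14", "100.72.0.0/14",
    "100.76.0.0/15", "100.78.0.0/16", "100.80.0.0/13", "100.88.0.0/15",
    "100.91.0.0/16", "100.92.0.0/14", "100.126.0.0/15",
)]

# TCP ports the page lists as unavailable; the WebFilter set only applies
# when the WebFilter function is enabled.
RESERVED_TCP_PORTS = {2000, 5060}
WEBFILTER_TCP_PORTS = {8008, 8010, 8020}


def reserved_prefix_for(addr_or_net):
    """Return the reserved prefix overlapping an address or network, else None."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    for reserved in RESERVED_PREFIXES:
        if net.version == reserved.version and net.overlaps(reserved):
            return str(reserved)
    return None


def check_design(interfaces, nat_addresses, tcp_services, webfilter_enabled):
    """Validate a planned Device configuration (hypothetical helper, not a service API).

    interfaces:    "ip/prefix" strings planned for the Device interfaces
    nat_addresses: "ip" or "ip/prefix" strings used as Source/Destination NAT addresses
    tcp_services:  TCP ports that customer services behind the Device listen on
    Returns a list of findings; an empty list means the plan passes these checks.
    """
    findings = []
    # 1. Reserved ranges: any overlap breaks the menu, so check every object.
    for kind, items in (("interface", interfaces), ("NAT", nat_addresses)):
        for item in items:
            hit = reserved_prefix_for(item)
            if hit:
                findings.append(f"{kind} {item} overlaps reserved range {hit}")
    # 2. Duplicate interface addresses (the page asks for unique addresses).
    seen = set()
    for item in interfaces:
        host = ipaddress.ip_interface(item).ip
        if host in seen:
            findings.append(f"interface address {host} is assigned more than once")
        seen.add(host)
    # 3. Ports the menu reserves for itself.
    blocked = set(RESERVED_TCP_PORTS)
    if webfilter_enabled:
        blocked |= WEBFILTER_TCP_PORTS
    for port in sorted(set(tcp_services) & blocked):
        findings.append(f"TCP/{port} is not available for this menu")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: one NAT address and two service ports collide.
    for f in check_design(["10.0.1.1/24", "100.90.0.1/24"], ["100.93.0.5"],
                          {443, 5060, 8010}, webfilter_enabled=True):
        print(f)
```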
There is a guideline for the upper limit of performance values. See "(Reference) Performance measurement results of Managed FW / UTM".