3Com Integrated Switch Firewall

Overview

The 3Com® Switch 8800 Firewall Module is an affordable stateful security firewall designed to protect enterprises from attacks originating inside and outside of their networks.

This module represents a new era of integrated network security for the 3Com Switch 8800 solution. It occupies a single I/O slot and includes an onboard operating system as well as custom hardware designed for high-speed packet filtering, switching, protection, analysis and reporting.

The Firewall Module also:

  • Occupies any I/O slot in the chassis and is hot swappable;
  • Interfaces directly with the Switch 8800 high-capacity backplane;
  • Fully utilizes the internal crossbar switching capabilities of the Switch 8800; and,
  • Includes eight Gigabit SFP ports on the front panel, which can be utilized in conjunction with the firewall or separately as regular switching/routing ports.

Until now, the perimeters of enterprise networks were protected against external attacks and threats by firewalls at the edge. However, according to security experts, the majority of today’s threats originate in the internal network, making it the most serious concern. The Switch 8800 Firewall Module, which is tightly integrated within the Switch 8800 system, provides companies with the flexibility they need to defend their networks from both outside and inside risks.

The Firewall Module operates in either routed or transparent mode, and delivers the following capabilities:

  • High-efficiency packet filtering.
  • Stateful detection security technology.
  • Transparent proxy.
  • In-depth statistical analysis functions.
  • Broad range of security protection measures.
  • Multiple analytical and management tools.
  • Various log types and functions.
  • Email alarm for firewall events.

Features

The 3Com Switch 8800 Firewall Module delivers an unprecedented level of security integrated within the Switch 8800 system.

This module provides a stateful firewall that operates in either routed or transparent mode, and offers security features such as high-efficiency packet filtering, transparent proxy, stateful detection and more. In addition to this broad range of security protection measures defending at the network layer, multiple analytical and management tools are provided to fully protect the network.

Designed for the needs of medium-sized enterprises, the module has its own operating system, allowing the firewall processes to be separate from the switch processing. Embedding the firewall within the module reduces the need for additional appliances or devices, eliminating redundant management of multiple devices and lowering both capital expenditures and operating costs.

The Firewall Module occupies any I/O (payload) slot in the Switch 8800 chassis, is hot swappable, and interfaces directly with the high-capacity switch backplane, fully utilizing the internal switching capabilities of the switch.

INTEGRATED SECURITY

Enterprise network infrastructure is evolving dramatically from the core to the edge of the network, with greater demands being placed on the entire network system to deliver comprehensive security for network access control and protection of corporate resources.

The Switch 8800 Firewall Module helps companies achieve superior protection with seamless integration into the core. The module includes a number of technologies that allow it to protect both the exterior and interior of the network:

  • Application Specific Packet Filter (ASPF) technology targets packets at the application layer and works with ordinary static firewalls to implement security strategies for the internal network. ASPF achieves packet filtering in conjunction with Access Control Lists (ACLs). Its stateful detection technology enables the Firewall Module to monitor the connection process and detect harmful commands.
  • Attack defending technology detects multiple types of network attacks and takes measures to prevent the internal network from disruption.
  • Protection against Address Resolution Protocol (ARP) attacks maintains the integrity of addresses in the internal network.
  • Network Address Translation (NAT) and Network Address Port Translation (NAPT) enable internal hosts to access the external network resources with their privacy protected.

The Firewall Module also provides a number of real-time network monitoring methods that help administrators with security management. These include automatic network attack alerts, and immediate notifications about unusual traffic streams generated by attacks and worm viruses. In addition, the module enables administrators to analyze and manage log information to detect security leaks, attack types and ongoing intrusions.

RESILIENT ARCHITECTURE FOR BUSINESS CONTINUITY

The Firewall Module takes advantage of the built-in redundancy and innate mission-critical capabilities available in the Switch 8800 Family. All critical system components in the Switch 8800 Family are redundant and hot-swappable, minimizing any impact to the enterprise in the event a single component should fail.

Each Switch 8800 chassis model supports the option for dual switch fabrics providing high resiliency and rapid failover to deliver the highest possible availability of network resources. With dual switch fabrics installed, both fabrics are active and load-sharing, ensuring resiliency as well as doubling effective system performance.

Using Virtual Router Redundancy Protocol (VRRP), companies can utilize two Firewall Modules in the same system or in separate systems, enabling an active deployment with hot standby (with preempt and non-preempt mode capabilities) to be established for mission-critical environments. In the event the primary Firewall Module fails or is unavailable, the secondary module automatically and immediately becomes the primary. This enables business continuity under even the most serious failure circumstances.

INTEGRATED DESIGN

Integrating the firewall within the chassis switch decreases the need for additional external appliances in the core. As a result, fewer resources are required to manage, service and support the multiple network elements that are provided by various suppliers. The integrated design also cuts down on rack space requirements, power provisioning and cable complexity.

Other Features:

  • Stateful firewall with Application Specific Packet Filters (ASPFs); supports routing and transparent modes.
  • Network Address Translation (NAT) and Access Control Lists (ACLs).
  • Secure VLANs and Demilitarized Zones (DMZ).
  • Protects from attacks originating outside (IP spoofing, smurf, fraggle, WinNuke, SYN flood, etc.) and inside (ARP and host cheats).
  • ICMP redirection and traceroute control.
  • Net traffic real time analysis.
  • E-mail alarm for firewall events.
  • Eight 1000 Mbps SFP ports for switch connectivity.
  • Three 10/100 Ethernet, AUX and console ports for management.
  • IPv6 ready (requires IPv6-capable routing software on switch fabric).

Benefits

The 3Com Switch 8800 Firewall Module provides many benefits, such as:

  • Protects from attacks originating outside (IP spoofing, land, smurf, fraggle, teardrop, WinNuke, SYN flood, ICMP/UDP flood, address scan/port scan, ping of death) and inside (ARP and host cheats).
  • Onboard operating system and custom hardware designed for stateful high-speed packet filtering, switching and analysis.
  • Enhanced detection function for TCP packet flag validity, which prevents attack analysis behaviors at the early stages of an attack.
  • Supports transparent and routed modes of operation.
  • Real-time network monitoring methods help administrators with network security management.
  • ASPF detects session information of application layer protocols that attempt to pass firewalls and stops packets that do not match the rules.
  • Denial of Service (DoS) detection and defending.
  • Java Blocking protects networks from harmful Java Applets.
  • Port-to-application mapping for application layer protocol services on universal ports.
  • Enhanced session log function records all connections.
  • Application layer protocol information detection capabilities maintain the status of sessions and check protocol and port ID of session packets to prevent malicious invasion.
  • MAC-to-IP Binding and ARP spoofing check for protecting the security of addresses in the internal network.
  • Supports Network Address Translation (NAT) to enable internal hosts to access the external network resources with privacy protected.
  • IPv6 capable (requires future IPv6-capable routing software).