1.1. What PNS is

PNS provides complete control over regular and encrypted network traffic, with the capability to filter and also modify the content of the traffic.

PNS is a perimeter defense tool, developed for companies with extensive networks and high security requirements. PNS inspects and analyzes the content of the network traffic to verify that it conforms to the standards of the network protocol in use (for example, HTTP, IMAP, and so on). PNS provides central content filtering including virus- and spamfiltering at the network perimeter, and is capable of inspecting a wide range of encrypted and embedded protocols, for example, HTTPS and POP3S used for secure web browsing and mailing. PNS offers a central management interface for handling multiple firewalls, and an extremely flexible, scriptable configuration to suit divergent requirements.

The most notable features of PNS are the following:

Complete protocol inspection: In contrast with packet filtering firewalls, PNS handles network connections on the proxy level. PNS ends connections on one side, and establishes new connections on the other; that way the transferred information is available on the device in its entirety, enabling complete protocol inspection. PNS has inspection modules for over twenty different network protocols and can inspect 100% of the commands and attributes of the protocols. All proxy modules understand the specifications of the protocol and can reject connections that violate the standards. Also, every proxy is capable to inspect the TLS- or SSL-encrypted version of the respective protocol.

Unmatched configuration possibilities: The more parameters of a network connection are known, the more precise policies can be created about the connection. Complete protocol inspection provides an immense amount of information, giving PNS administrators unprecedented accuracy to implement the regulations of the security policy on the network perimeter. The freedom in customization helps to avoid bad trade-offs between effective business-processes and the required level of security.

Reacting to network traffic: PNS cannot only make complex decisions based on information obtained from network traffic, but is also capable of modifying certain elements of the traffic according to its configuration. This allows to hide data about security risks, and can also be used to treat the security vulnerabilities of applications protected by the firewall.

Controlling encrypted channels: PNS offers complete control over encrypted channels. The thorough inspection of embedded traffic can in itself reveal and stop potential attacks like viruses, trojans, and other malicious programs. This capability of the product provides protection against infected e-mails, or websites having dangerous content, even if they arrive in encrypted (HTTPS, POP3S, or IMAPS) channels. The control over SSH and SSL traffic makes it possible to separately handle special features of these protocols, like port- and x-forwarding. Furthermore, the technology gives control over which remote servers can the users access by verifying the validity of the server certificates on the firewall. That way the company security policy can deny access to untrusted websites having invalid certificates.

Centralized management system: The easy-to-use, central management system provides a uniform interface to configure and monitor the elements used in perimeter defense: PNS devices, Content Filtering servers, as well as clusters of these elements. Different, even completely independent groups of PNS devices can be managed from the system. That way devices located on different sites, or at different companies can be administered using a single interface.

Content Filtering on the network perimeter: PNS provides a platform for antivirus engines. Using PNS’s architecture, these engines become able to filter data channels they cannot access on their own. PNS’s modularity and its over twenty proxy modules enable virus- and spamfiltering products to find malicious content in an unparalleled number of protocols, and their encrypted versions.

Single Sign On authentication: Linking all network connections to a single authentication greatly simplifies user-privilege management and system audit. PNS’s single sign on solution is a simple and user-friendly way to cooperate with Active Directory. Existing LDAP, PAM, AD, and RADIUS databases integrate seamlessly with PNS’s authentication module. Both password-based and strong (S/Key, SecureID, X.509, and so on) authentication methods are supported. X.509-based authentication is supported by the SSH proxy as well, making it possible to use smartcard-based authentication mechanisms and integrate with enterprise PKI systems.