SANGFOR: the right choice to replace your firewall.



The Internet is one of the most cost-effective and flexible communication media. However, along with the convenience it brings to business, it also poses various threats. Applications such as P2P downloading and online video slow access to critical business resources. Social networking can also cause involuntary disclosure of critical business information. These inappropriate activities can reduce work efficiency and turnover while increasing IT operation costs.

Designed to create value for organizations through Internet Access Management, SANGFOR IAM achieves this through Internet access visibility, control and optimization.

 Visibility helps the organization identify Internet access risks such as bandwidth abuse, recreational activity and so on.
 Control of application and user access is then applied to minimize the corresponding Internet risks.
 Optimization allows the organization to manage and optimize Internet access speed for applications.

By deploying IAM, a business enjoys a manageable, swift and simple network infrastructure. IAM boosts business productivity by offering faster access to business resources and regulating employees' recreational activities. Furthermore, with efficient bandwidth usage and caching technology, IAM minimizes Internet bandwidth investment by delaying or avoiding frequent bandwidth upgrades.

Monitoring the Internet Access Traffic
SANGFOR IAM identifies, categorizes and logs internal users' access activities, bandwidth consumption and related content to enable full traffic visibility. With its unparalleled reporting capabilities, IAM shows an accurate map of network traffic and helps organizations analyze Internet access risks.

Controlling the Internet Access Activities
IAM provides comprehensive controls over applications such as social websites, forums, IM, email, online video, P2P, file transfer, etc. The flexible controls allow you to manage Internet access the way you want, freeing you from the challenges of low work efficiency, data loss, copyright and other risks caused by improper Internet access.

Optimizing the Internet Access Speed
IAM’s well-reputed bandwidth management solution is designed to help organizations maximize bandwidth usage, resulting in more bandwidth for critical business applications/users/user groups and less bandwidth for inappropriate activities. Furthermore, IAM combines its caching feature to reduce up to 30%-50% of the Internet traffic, significantly enhancing access speed while reducing bandwidth cost.

 Log & Reports & Network Visibility
 Function: Description
  Real-time monitor: Real-time monitoring of CPU/hard disk/traffic/connection/session status, as well as online user information, traffic ranking and connection ranking; real-time utilization visibility of bandwidth channels;
  Access audit (Optional): Records a wide variety of audit information including: URL, Webpage title and content accessed (can record only Webpage content containing specific keywords), outbound file transmissions via HTTP and FTP and file content, names and behavior of files downloaded, plain text thread posting and emails, chat sessions on MSN, MSN Shell, Skype, Yahoo! Messenger, Google Talk, etc.; also records application behavior such as network gaming, stock trading, entertainment, P2P downloads and Telnet; tallies user traffic and access duration and audits Webpage/file/email access of extranet users on intranet servers;
  Reporting: Supports various kinds of reports, including scheduled reporting of statistics, behaviors, trends and comparisons, plus customized reporting of traffic statistics, queries, ranking, times and behavior of users and user groups;
  Data center: Mass log storage with built-in and independent data center support; administrators can easily manage users based on a hierarchical permissions structure;
  Audit-free Key: Prevents access audits for users assigned audit-free keys; audit-free status cannot be arbitrarily changed by the system administrator (Optional);
  Data center authentication Key: Data center administrators can view recorded audit logs only via the audit check key (Optional);
  Content search: Google-like log search tool that lets the manager locate logs quickly by entering multiple keywords, including searching and locating the content of log attachments; supports title subscription and automatically sending the search results to a designated mailbox;
 Internet Access Control
 Function: Description
  User identification: IP, MAC, IP/MAC binding, username/password, third-party authentication such as LDAP/AD/RADIUS/POP3/PROXY, USB-KEY and hardware authentication; Single Sign-on (SSO) options include LDAP/POP3/Proxy and forced SSO of designated network segment/account; account control via public/private accounts and account validity period; account import options include text list, IP/MAC scanning, and even account and organization structures from Active Directory servers;
  Authentication exception: Accounts can be renamed (in the IP/MAC/computer name formats) based on new users' IP segments; authentication exception handling includes conflict detection, privileged control after authentication failure and page forward control after successful authentication;
  Online access authorization: Multi-level user account management to align with organizational structure, allowing access control based on account, IP, application, behavior, content, period, etc.; implements re-use, integration and forced inheritance of access privileges by combining object-based access policy templates; monitoring of accumulated duration and maximum traffic for specified user applications;
  Web filtering: Supports Webpage filtering based on URL/search word/keyword contained in the Webpage; supports keyword-based filtering of outbound Webmail and Web posts; fine-grained control such as allowing only reading posts but not posting threads, and only allowing receiving but not sending mail; optional URL databases: on-disk URL database, in-cloud URL database, Blue Printdata URL database;
  Application control: Over 1000 application identification rules conveniently built in to identify and control popular network protocols, including IM chat, network games, Web-based stock trading, P2P, streaming media, remote control, and proxy software;
  IM software control: Complete control over the usage of IM tools, whether encrypted or unencrypted, such as MSN, Skype, Gtalk, MSNShell, Yahoo!, QQ, etc. Supports blocking designated IM tools, or allowing IM chat while blocking file sharing and other applications via IM tools. In addition, IAM's IM logging feature allows you to audit all IM chat content to ensure full visibility of the network;
  File control: Controls outbound file transmission via HTTP/FTP/email attachments; supports identification and blocking of outbound files based on file extensions and file types (to identify encrypted, compressed and extension-modified files);
  Email control: Supports complete blocking of email reception and sending, and filtering of outbound and inbound junk mail; filtering can be based on multiple conditions such as keyword, sender and receiver addresses;
  Intelligent P2P identification and control: Identifies over 30 popular P2P application protocols such as BitTorrent, eMule, etc. with deep packet inspection (DPI); SANGFOR's patented intelligent P2P identification technology can further comprehensively identify and manage other variant P2P protocols, encrypted P2P behaviors and unknown P2P behaviors;
  Advanced control: Encrypted SSL URL filtering; identifies and filters attempts to avoid management via public network proxies or encrypted proxy software; can control the sharing of web access privileges with others via installed proxy software;
 Internet Access Optimization
 Function: Description
  Bandwidth management: Bandwidth management based on a wide range of criteria, including application type/Website type/file type, user, time, target IP, etc.; extranet-to-intranet access flow control and bandwidth management;
  Multiplexing and intelligent routing: Where an organization has multiple lines connecting to the Internet, IAM's multi-line and intelligent routing feature automatically allocates the best outbound line for users when Intranet users visit the resources of different ISP operators. To guarantee stability, IAM can also automatically direct traffic to the other healthy lines when one line is interrupted;
  Virtual line: The "virtual line" virtualizes one link into multiple virtual links, and each virtual link can be applied with independent traffic shaping policies;
  Virtual pipe: The "virtual pipe" allows the traffic shaping pipes to be divided into 8 layers to offer better flexibility;
  Dynamic bandwidth control: The "dynamic bandwidth control" allows "bandwidth borrowing" to optimize bandwidth usage. All policies can be applied to uplink as well as downlink;
  Caching: Frequently accessed webpages, files and videos are cached in the IAM appliance. When internal users visit these websites or watch these videos, they get the data from IAM's cache rather than directly from the servers on the Internet;
 Additional Features
 Function: Description
  Proxy: HTTP proxy; Socks 5 proxy; Transparent proxy;
  Firewall: Built-in SPI firewall thwarts a range of security threats to gateway reliability, including DoS attacks, ARP spoofing, etc.;
  End-point detection: Detects end-point profile (including OS version/patch, system processes, disk files, registry, etc.) and can prompt or reject access for end-points not meeting IT requirements or passing security tests;
  Gateway anti-virus: Built-in professional anti-virus engine supports gateway virus elimination (Optional);
 Equipment Management
 Function: Description
  Deployment mode: Deployable via router, bridge, bypass and multi-bridge topologies, with active-standby, active-active for HA;
  Device management: Web-based management access; functionality of different modules can be assigned to different administrators as needed, via a hierarchical management paradigm;
  Bypass: Supports hardware bypass


The SANGFOR Internet Access Management (IAM) series is designed to meet challenges from the evolving Internet. By focusing on Internet access visibility, control and optimization, the tailored solution effectively helps to create a more productive Internet bandwidth.

Developed on the basis of eight years of real-world research and with proven stability, SANGFOR IAM has been favored by over 8000 customers worldwide.

 Monitor the Internet access deep into content level
 Layer 7 visibility based on DPI+DFI+intelligent identification
 HTTPS traffic visibility
 Content log and visibility
 Activity, traffic, flow, online duration and keyword reporting, combined with statistics, rank, trend and comparison analysis
 Highly customized reports
 Internal/External Data Center

 Control the unwanted Internet access with flexibility
 Seamless combination with LDAP, AD, Radius, POP3, and Proxy
 In-cloud web filtering; 1000+ non-web application identification rules
 P2P intelligent identification & control
 Granular controls over Facebook, Gmail, Skype, Gtalk, MSN, etc.
 Block/Filter/log/Report/Alert policies; Policies based on user/schedule/outer IP, etc.

 Accelerate the Internet access beyond limitation of bandwidth
 Traffic shaping to uplink and downlink
 Dynamic bandwidth control
 Multi-lines and Intelligent Routing 
 Caching

Technology use:
 Visibility: DPI (Deep Packet Inspection), DFI (Deep Flow Inspection), Content Log, External Datacenter
 Control: SSO, Web Filter, Application Control, Intelligent P2P Identification and Control
 Optimization: Dynamic Bandwidth Allocation, Virtual Lines, Multi-lines & Intelligent Routing, Proxy/Caching
 Others: Audit-free Key, Data Center Authentication Key, Anti-virus Engine

DPI (Deep Packet Inspection)
DPI, Deep Packet Inspection, is used to identify and categorize the application type of a data flow regardless of the IP or port the application is using. By inspecting layer 2 to layer 7, which includes headers and data protocol structures, application signatures and the actual payload of the message, DPI enables IAM to offer accurate identification of and effective controls over various applications.


DFI (Deep Flow Inspection)
Applications that are particularly evasive, such as streaming-type applications, and that cannot be effectively identified through Deep Packet Inspection can be identified by Deep Flow Inspection. DFI inspects session, connection and data flow status, rather than a single packet, to identify the application type, which greatly benefits control over applications that usually have particular activity characteristics.

Content Log
IAM’s unique content log feature gives the organization full visibility into Internet access and can also be used for internal audit in case of data leakage via the Internet.
IAM records a wide variety of Internet access related content information including: Website title and webpage using HTTP or HTTPS, outbound file transmissions via HTTP and FTP, file content, names and behavior of files downloaded, plain text thread posting and emails, chat sessions on MSN, MSN Shell, Skype, Yahoo! Messenger, Google Talk, etc.


External Datacenter
In addition to using on-device storage, IAM allows activity logs to be saved on a third-party server to extend storage capacity and duration. The simple-to-use GUI makes it easy to search log content and generate statistics and automatic reports.


The IAM data center search engine, which functions similarly to the Google and Yahoo search engines, lets administrators easily search the logs for the content they want; search results for specific keywords can also be set to be sent automatically to a designated email address.


SSO
For organizations that have implemented LDAP, AD, POP3 or Proxy servers for user authentication, IAM supports seamless integration with these third-party servers for easy user administration. The implementation takes just several simple steps.

With SSO enabled, when a user is authenticated, he/she is authenticated with IAM simultaneously. This feature can simplify IT administration and reduce phishing success of users.


Web Filter
IAM performs web filtering through keyword-based, activity-based and URL database approaches:
 Keyword-based filter: Webpage filtering based on URL/keyword contained in the Webpage/search engine keyword; outbound Webmail and Web posting filtering based on keywords, etc.;
 Activity-based filter: Fine-grained control such as allowing only reading posts but not posting, allowing only incoming but not outgoing mail, and allowing access to the Facebook page but restricting access to the applications on Facebook;
 URL Database: Optional URL databases: on-disk URL database, in-cloud URL database, Blue Printdata URL database;


Application Control
Application control is used to control Internet applications such as IM tools, gaming clients, P2P downloading clients, etc. First, IAM identifies the application via application identification rules. Each identification rule represents one application signature. When traffic travels through IAM, IAM detects the connection, scans for the application signature and categorizes the application accordingly.

IAM accommodates over 1300 application rules across 25 categories including streaming media, file transfer, game, download tools, mail, net meeting, OA, database, proxy tool, etc. Controls over the applications can be rather flexible, based on activity, schedule, user, etc.


Intelligent P2P Identification and Control
P2P control is the most important and a hard-to-achieve feature in a bandwidth management solution, due to the variety and fast evolution of P2P tools and versions. Given this situation, SANGFOR developed its unique P2P intelligent identification technology, allowing organizations to benefit greatly from P2P and streaming video control.

With intelligent identification, IAM not only recognizes and controls ordinary P2P software and versions, but also recognizes and controls unusual, encrypted and even future-developed P2P software, thus delivering a highly effective P2P control solution.


Dynamic Bandwidth Allocation
The “dynamic bandwidth control” is also known as “bandwidth borrowing”. This feature is very useful for any organization that plans to optimize its bandwidth usage. Bandwidth management policies can be configured to, for example, guarantee 1 Mbps of bandwidth for a critical user/group/application. When the guaranteed bandwidth is not utilized, the surplus bandwidth can be used by other users/applications to avoid bandwidth waste.


Virtual Lines
The virtual line function is most useful when an organization would like to assign Internet resources to specific groups or applications across multiple physical lines. With SANGFOR IAM, each line can be divided into one or more virtual lines based on specific rules, such as by Protocol, WAN IP, WAN Port, LAN IP, LAN Port, etc. Each virtual line can be configured with specific bandwidth according to the requirements of real-life operation. Once a virtual line is defined, it can be treated as a physical line. Flow control policies can be applied to a specific virtual line, and each virtual line can be assigned 256 traffic pipes to make bandwidth management flexible.


Multi-lines & Intelligent Routing
IAM boasts the unique multi-line and intelligent routing technology from SANGFOR. For organizations with multiple Internet access lines, user access performance can be optimized through IAM by intelligently routing user traffic through the quickest line. In case of line interruption, IAM routes all traffic through healthy lines automatically.


Proxy/Caching
In a real-life office environment, bandwidth is limited. When internal users frequently access the same few popular websites, precious bandwidth is wasted. In addition, this repeated access generates a huge amount of redundant traffic in the network and results in low bandwidth utilization.

SANGFOR IAM’s Proxy/Cache is designed to reduce duplicated data: frequently accessed webpages, files and Flash content are cached in IAM. Hence, internal users can access data from IAM’s cache storage instead of accessing it directly from the Internet. This helps to reduce Internet traffic significantly while maximizing bandwidth utilization.

Benefiting from the specialized web cache technology “multi-weighted elimination algorithm” and the dedicated hardware platform, SANGFOR IAM is capable of cutting Internet traffic by up to 30%-50%.


Audit-free Key
Where some users or workstations should be excluded from IAM’s monitoring, the “Audit-free Key” can be applied to instruct IAM to bypass monitoring and recording of access on the specific device.


Data Center Authentication Key
The data recorded by IAM may involve user privacy. To protect employees' interests, different levels of viewing privilege can be defined for the data center: a common administrator can view only statistic reports and trend reports, while an administrator with the SECURE KEY can view the detailed content logs.


Anti-virus Engine
IAM integrates the F-Prot Antivirus engine to protect against Internet attacks from worms, viruses and Trojan horses.