GSS is an AppGate certified Partner

AppGate Device Firewall - Desktop Protection

The AppGate Distributed Device Firewall protects Windows systems by checking all traffic to and from the network. It can be used as a standalone product or as a companion to the AppGate VPN clients. Accompanied by an AppGate client, it can be configured to allow only one outbound connection, the authorised and encrypted secure tunnel, when connected to an AppGate server.

 

AppGate Case Study

GSS and AppGate have worked closely with us throughout this project. Thanks to the team’s flexibility and commitment we have now achieved the result I was looking for.

Lieven Hermans
Head of BIS
Watford Borough Council





 

Helps secure remote users

A great threat against corporations comes from attacks against remote users, for example from unprotected home users. It is not unusual for Internet-connected systems to be probed within minutes by hackers searching for possible machines to take over. If only one home user's computer can be hacked, it can be used as a platform to access internal corporate servers when the user connects to the corporate network. Another common goal of hackers is to steal passwords and credit card numbers from users. A workstation without a personal firewall is relatively easy for an attacker to take full control over, including all information stored and handled by that system.

The AppGate Device firewall is an optional component of the AppGate VPN system. If used together with the AppGate clients, an AppGate server-controlled policy is activated when a secure VPN connection is opened to an AppGate server and remains active until the connection is closed. In addition, a default policy can be present, protecting the system when no AppGate server connections are present.

State of the art

The AppGate Device firewall is an advanced, state-of-the-art firewall that intercepts and checks all network traffic, both incoming and outgoing. Pre-configured high-level rules make the rule sets easy to read without too many details, for example “allow-out DHCP”, which enables all DHCP traffic.

XP. Administrator rights are needed for installation.

Features Benefits

AppGate Device firewall in combination with the Policy Manager offers many benefits:

No GUI for user interaction

The AppGate Device firewall is designed without a graphical user interface on the client machine (user’s workstation or network server). It is normally configured remotely by system administrators through the Policy Manager, rather than letting local users act as firewall administrators who have to make decisions about traffic filtering. Administration is normally done from one or more Policy Managers, although local administration is possible by a local system administrator on standalone systems.

The AppGate Distributed Device firewall system is ideal to use on public systems and systems used by many users, in schools and large organizations, on internal and external corporate workstations as well as on application servers.

The Policy Manager

System administrators can create different policies based on system classes and IP addresses, for example to distribute different policies for user workstations and corporate servers on different networks. Several policy managers can also work in parallel. This provides a high degree of redundancy as well as load sharing on very large networks.

The policy manager is delivered as a software package. It runs on Windows, Unix and Linux systems and any other platform having Java version 1.4 or later installed. The policy manager should preferably run on a dedicated server and must, of course, have proper protection either by an external firewall or by the AppGate Device firewall.

All configuration information and policies are text files. This makes the system easy to manage and scripts can be created to generate automated policies. All policies downloaded to clients are signed by the policy manager to prevent spoofing. The clients are able to verify that the policies they receive are current and authentic before installing and using them.

Different policies can be defined for different groups of machines on the network.

Multiple policy managers can be used to achieve redundancy and load sharing, if needed.

Policies and rule-sets

There are two different rule-sets that are distributed by the Policy Manager:

The Policy Manager is normally placed on an internal corporate network to manage all internal workstations and Windows servers. To all clients, it distributes both rule-set #1 and #2 above. If a computer is moved outside this network and the contact with the policy server is lost, the default rule-set (#2), which normally is more restrictive, will automatically become active on that particular computer.
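
The client-side behaviour described above (accept a policy only if it is authentic and current, otherwise run the default rule-set) can be sketched as follows; this is an added example, not AppGate's code or policy format. HMAC-SHA256 stands in for the product's unspecified signature scheme (a public-key signature would keep the signing key off the clients), and the bundle layout, serial number, 24-hour freshness window, the `allow-out DNS` rule and the fallback on a rejected policy are all assumptions.

```python
import hashlib
import hmac
import json

MAX_AGE = 24 * 3600                   # assumed freshness window, in seconds
DEFAULT_RULESET = ["allow-out DHCP"]  # constructed restrictive default rule-set


def _mac(key, header, policy):
    # Header and policy text are covered by one tag, so neither can be swapped.
    return hmac.new(key, header.encode() + b"\n" + policy.encode(),
                    hashlib.sha256).hexdigest()


def sign_policy(key, policy, serial, issued_at):
    """Policy-manager side: attach a serial number and issue time, then sign."""
    header = json.dumps({"serial": serial, "issued_at": issued_at}, sort_keys=True)
    return {"header": header, "policy": policy, "tag": _mac(key, header, policy)}


def verify_policy(key, bundle, last_serial, now):
    """Client side: return (rules, reason); rules is None if the policy is rejected."""
    expected = _mac(key, bundle["header"], bundle["policy"])
    if not hmac.compare_digest(expected, bundle["tag"]):
        return None, "bad signature"
    meta = json.loads(bundle["header"])  # parsed only after authentication
    if meta["serial"] <= last_serial:
        return None, "replayed or older policy"
    if not 0 <= now - meta["issued_at"] <= MAX_AGE:
        return None, "stale policy"
    rules = [ln.strip() for ln in bundle["policy"].splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    return rules, "ok"


def active_ruleset(key, bundle, last_serial, now):
    """Use the managed policy if one arrived and verifies, else the default."""
    if bundle is None:
        return DEFAULT_RULESET, "policy manager unreachable"
    rules, reason = verify_policy(key, bundle, last_serial, now)
    return (rules, reason) if rules is not None else (DEFAULT_RULESET, reason)


KEY = b"constructed-demo-key"  # constructed sample key and policy text
POLICY = "# constructed sample policy\nallow-out DHCP\nallow-out DNS\n"
bundle = sign_policy(KEY, POLICY, serial=7, issued_at=1_000_000)
print(active_ruleset(KEY, bundle, last_serial=6, now=1_000_600))
```
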
Use together with VPN systems

If used together with an AppGate VPN system, the personal firewall can also be controlled by an AppGate Security Server to enforce specific policies when the user connects to a protected application server. It is, for example, possible for the AppGate Security Server to demand that all connections except the secure VPN tunnel should be closed before certain resources become available to the user.

The Distributed Device firewall system can also be used together with non-AppGate VPN systems. If a policy manager becomes visible when the user connects to a remote network, the Device firewall will immediately request a policy from that server and start using it.

Application examples

User workstations should be protected and only allowed to receive and send the traffic required to run their applications. This prevents internal hackers from gaining access to other users' workstations and makes it much harder for viruses and worms to spread between workstations and servers.

Application servers. Servers connected to the Internet and all servers on the internal network need protection. Systems connected to the Internet are often controlled by the corporate firewall, but internal systems containing vital and possibly sensitive information are normally placed on the internal network without any protection. These systems can be attacked by users, viruses, worms and any other malicious software if not protected by a personal firewall.

Portable users. Attacks against portable users are a threat to many organizations since these computers are often moved between internal networks and the Internet. If not properly protected, they can carry malicious software from the outside to the inside. In addition, if the VPN system can verify that the personal firewall is running a specific rule-set, it can be the enabler that makes it possible to offer new applications to external users.


 


 
