Features:
- Proactively secure operating system
- Dedicated hardware platform
- Integrated IPSec VPN
- Integrated TLS/SSL transport security
- Centralized strong authentication
- Static and stateful packet filtering
- Dynamic and static network address translation
- Vital set of application proxies with unmatched security features
- In-depth HTML filter
- External content filtering engines, support for third-party virus scanners
- Secure remote management of single or multiple firewalls
- Comprehensive event logging
- Centralized log storage
- Standard log export format for third-party analysis tools
- Configuration tracking
ADVAGUARD™ Design Philosophies and Goals
Our goal has been to create the perfect security administrator's tool. That means we do not compete with low-end devices with limited functionality, nor with firewalls that are designed to match inexperienced users' needs. A firewall administrator should always know the meaning of any configuration change he requests - ADVAGUARD™ makes this possible. There is no black magic in the box. ADVAGUARD™ is user-friendly as far as is possible without compromising security, functionality and configuration transparency.
Several principles underlying ADVAGUARD™ design are:
- Everything that is not good is bad. We do not search for "suspicious" data to block as our competitors do - we simply know what data is allowed to pass, and everything else is denied.
- Analyse in depth. That means application data is inspected as carefully as possible for known protocols. When we handle http/html, we parse web pages the same way the browser does (or the way it should, where we run into implementation-specific details), and a similar operation is performed on all underlying layers.
- Sanitize. That means application data is brought to a known, implementation-independent form conforming to RFCs and de facto standards. For the example above, we reconstruct the web page from the parsed data and pass it to the browser. Since the firewall uses the same parsing algorithms browsers do, a page that is not bad (broken, or containing things that are not permitted) will appear exactly the same way as the original.
- Control. Some things should not pass - for example, we may prohibit Java / ActiveX / cookies / access to certain sites and so on for security reasons. So, we simply strip whatever is not acceptable.
- Monitor. If we see something that is no good, we log it and report it. Our monitoring system is designed to detect any abnormal activity that does not fit everyday operation patterns - and of course, what counts as "everyday operation patterns" is configurable.
- Be simple and transparent. That means everything that happens inside is controlled by code and configuration files in one obvious way. There are no implicit rules and no third-party binaries that can do things unknown to us or to firewall administrators (that is why we will never run, say, antivirus software on the firewall box itself).
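As an added illustration of the parse, rebuild, strip and log steps above (example code written for this page, not ADVAGUARD™'s own proxy), a small allow-list HTML sanitizer in Python: input bytes are never copied through, only parsed tokens on the allow-list are re-emitted, applet/object/script content is discarded whole, non-http(s) URL schemes are refused, and every dropped item is recorded for the event log. The tag set, the attribute rules and the sample page are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list: any tag or attribute not named here is dropped (default deny).
ALLOWED_TAGS = {"html", "body", "h1", "p", "b", "i", "ul", "li", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style", "applet", "object", "embed"}  # content goes too

class RebuildingSanitizer(HTMLParser):
    # Parse the page, then re-emit it from the parsed tokens only.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []  # rebuilt page; stripped items for the log
        self._skip = 0                   # >0 while inside a dropped-content element
    def handle_starttag(self, tag, attrs):
        if self._skip or tag in DROP_CONTENT_TAGS or tag not in ALLOWED_TAGS:
            if not self._skip:
                self.dropped.append(tag)
            self._skip += tag in DROP_CONTENT_TAGS   # nest depth of dropped elements
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED_ATTRS.get(tag, ())
            if ok and name in ("href", "src"):       # only http(s) or relative URLs
                scheme, colon, _ = value.strip().lower().partition(":")
                ok = not colon or scheme in ("http", "https")
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if self._skip:
            self._skip -= tag in DROP_CONTENT_TAGS
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):          # text is re-escaped, never copied raw
        if not self._skip:
            self.out.append(escape(data, quote=False))

def sanitize(html_text):
    p = RebuildingSanitizer()
    p.feed(html_text); p.close()
    return "".join(p.out), p.dropped

# Constructed sample page (not taken from the product page).
SAMPLE_PAGE = ('<html><body><p onclick="x()">Hi &amp; <b>bye</b></p><script>t()</script>'
               '<applet code="A.class"><param name="a"></applet><a href="javascript:o()">x</a>'
               '<a href="http://example.com/">ok</a><br><img src="a.png" alt="a"><!--c--></body></html>')
```

Comments are dropped by the base parser's default no-op handler, so they never reach the output either.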
Technology Overview
ADVAGUARD™ is a firewall appliance system based on hybrid technology: it performs application proxy functions for most Internet protocols, and provides virtual circuit gateways (tcp/udp) and stateful packet filtering with address translation for the rest, giving a configurable balance of security and compatibility. Optional MAC address filtering may be used. VPN functions are provided by standard IPsec modules.
Internet Protocols And Applications Support
To name some, we support: telnet, rlogin, ftp, http, ssl, X11, ntp, archie, dns, smtp, uucp, nntp, pop3, whois, finger, ident, ping, traceroute, irc, realaudio, netrek, icq, rsh, rexec, lpd, ms sql, sybase, mysql, postgres, cvs, icl teamoffice, snmp, x.400, ldap, aol, citrix, imap and many others.
Please note that support for a particular protocol depends on your configuration and security requirements - just having ADVAGUARD™ in place does not assure that your network is secured properly.
Authentication
"Traditional" password authentication is supported (though not recommended), as well as one-time password systems (S/Key, OPIE, MDAuth), hardware token cards (ANSI X9.9: Cryptocard RB1, SNK) and IPSec SA matches.
Authorization
Authorization is performed on an IP basis and depends additionally on authentication results for protocols supporting authentication.
Monitoring and Intrusion Detection
The ADVAGUARD™ firewall event log may be mirrored on a log server or administrator's workstation (Unix or Windows) using standard Unix syslogd or a reliable TCP-based protocol, then archived and viewed with the GUI tool designed for that purpose. Built-in monitoring tools are capable of rapid detection of attempts to compromise ADVAGUARD™ firewall security, firewall failures or any abnormal events, using standard notification modules (email, paging) or external ones (IDS and event correlation system plug-ins). An optional Integrity Control System provides a tamper check of firewall binaries and configuration files by comparing integrity data with signatures stored on a physically protected medium.
Administration
Serial console interface, ssh-based or Java GUI.
Throughput
Actual throughput capabilities of ADVAGUARD™ depend on many factors, and cannot simply be measured in Mb/s, packets/s or requests/s. The system is capable of handling 20-30Mbit/s of "normal" Internet traffic without noticeable slowdown. Network interfaces are 100BaseT.
QoS DSCP markers are supported to make ADVAGUARD™ firewall-originated traffic QoS friendly.
Hardware And Internals
ADVAGUARD™ runs on a modified OpenBSD system (a BSD Unix-like OS focused on security and code audit) installed on a 1U 19" rack-mounted Intel server machine.
Order or Enquire about ADVAGUARD™.