The AppGate Distributed Device Firewall is a system designed for both Windows workstations and servers and consists of two components:
- The Device Firewall, which is designed for remote administration and has no GUI for end users.
- The Policy Manager, which allows system administrators to define and distribute global policies for all personal firewalls in a network.
With the Distributed Device Firewall it is easy to manage and build a distributed protection system that fits both small and large enterprises.
The AppGate Device Firewall in combination with the Policy Manager offers many benefits:
- It controls all inbound and outbound traffic on all adapters and network interfaces. The firewall system can make sure that user workstations cannot communicate with each other. Many viruses and worms spread between systems through bugs or vulnerabilities in the operating systems, and this kind of protection also stops users from accessing other users’ workstations over the network.
- It is easy to use and install with minimal end-user interaction, since there is no GUI for the end user.
- Two different policies can be distributed: one to use when the protected machine is connected to a Policy Manager and one that is used when the machine is standalone, for example when it is located outside the corporate network.
- System administrators can make sure application servers only offer the services they are intended to. For example, an internal web server should offer access only to the web service, not to any other services the operating system may want to publish to the network.
- If a virus or worm starts spreading using a specific port, that port can easily be disabled centrally by the system administrator.
- The firewall can be installed as a standalone firewall without the Policy Manager, if desired.
- The Device Firewall can co-exist with other personal firewalls. All firewalls must approve the traffic before it is passed in or out of the system. An existing personal firewall with a graphical user interface can be combined with the centrally administered AppGate Device Firewall, which governs the minimum level of protection for the machine regardless of what action the users take.
- Policies sent to user workstations are signed and time-stamped by the Policy Manager to guarantee their authenticity.
- Rules can generate both log entries and alarms. Alarms are entries sent to the Windows event log, which can be inspected by remote system administrators.
The AppGate Device Firewall is designed without a graphical user interface on the client machine (user’s workstation or network server). It is normally configured remotely by system administrators through the Policy Manager, instead of letting local users act as firewall administrators who have to make decisions about traffic filtering. Administration is normally done from one or more Policy Managers, although local administration by a local system administrator is possible on standalone systems.
The AppGate Distributed Device Firewall system is ideal to use on public systems and systems used by many users, in schools and large organizations, on internal and external corporate workstations as well as on application servers.
System administrators can create different policies based on system classes and IP addresses, for example to distribute different policies for user workstations and corporate servers on different networks. Several Policy Managers can also work in parallel. This enables a high degree of redundancy and offers load sharing on very large networks.
The policy manager is delivered as a software package. It runs on Windows, Unix and Linux systems and any other platform having Java version 1.4 or later installed. The policy manager should preferably run on a dedicated server and must, of course, have proper protection either by an external firewall or by the AppGate Device Firewall.
All configuration information and policies are text files. This makes the system easy to manage, and scripts can be written to generate policies automatically. All policies downloaded to clients are signed by the Policy Manager to prevent spoofing. The clients verify that the policies they receive are current and authentic before installing and using them.
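The client-side check described above, as an added example that is not AppGate's code: the Policy Manager signs the exact bytes of a policy file and includes a time-stamp and version; the client verifies the signature first, then rejects policies whose time-stamp is in the future or older than an acceptance window, and refuses a rollback to a version older than the one already installed. The JSON layout, the Ed25519 scheme, the two-minute clock-skew allowance and the version counter are assumptions, since the page does not specify the policy file format or the signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Policy is a constructed stand-in for one distributed rule-set. The page says
// policies are text files that are signed and time-stamped; the exact file
// layout is not given, so JSON is assumed here.
type Policy struct {
	Version  int      `json:"version"`   // assumed monotonic counter per client group
	IssuedAt int64    `json:"issued_at"` // Unix seconds, the Policy Manager's time-stamp
	Rules    []string `json:"rules"`     // rule text, opaque to this example
}

// SignedPolicy is what travels from the Policy Manager to a client.
type SignedPolicy struct {
	Body      []byte // serialised Policy, signed as-is
	Signature []byte // Ed25519 signature over Body (assumed scheme)
}

// Sign is the Policy Manager side: serialise, then sign the exact bytes sent.
func Sign(priv ed25519.PrivateKey, p Policy) (SignedPolicy, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return SignedPolicy{}, err
	}
	return SignedPolicy{Body: body, Signature: ed25519.Sign(priv, body)}, nil
}

// Verify is the client side. It checks, in this order, that the policy is
// authentic (signature), current (time-stamp inside the acceptance window)
// and not a rollback to an older version; parsing happens only after the
// signature has been checked.
func Verify(pub ed25519.PublicKey, sp SignedPolicy, now time.Time,
	maxAge time.Duration, installedVersion int) (Policy, error) {
	var p Policy
	if !ed25519.Verify(pub, sp.Body, sp.Signature) {
		return p, errors.New("signature check failed: not from the Policy Manager")
	}
	if err := json.Unmarshal(sp.Body, &p); err != nil {
		return p, err
	}
	issued := time.Unix(p.IssuedAt, 0)
	if issued.After(now.Add(2 * time.Minute)) { // assumed clock-skew allowance
		return p, errors.New("time-stamp lies in the future")
	}
	if now.Sub(issued) > maxAge {
		return p, errors.New("policy is stale: time-stamp older than the acceptance window")
	}
	if p.Version < installedVersion {
		return p, errors.New("policy is older than the installed one: rollback rejected")
	}
	return p, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // Policy Manager key pair (constructed)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	p := Policy{Version: 7, IssuedAt: now.Unix(), Rules: []string{"allow tcp out 443"}}
	sp, _ := Sign(priv, p)

	if got, err := Verify(pub, sp, now, time.Hour, 6); err == nil {
		fmt.Println("accepted policy version", got.Version)
	}
	// A replayed copy of the same policy seen a day later is rejected as stale.
	if _, err := Verify(pub, sp, now.Add(24*time.Hour), time.Hour, 6); err != nil {
		fmt.Println("rejected:", err)
	}
	// Any change to the body invalidates the signature.
	tampered := sp
	tampered.Body = append([]byte(nil), sp.Body...)
	tampered.Body[0] ^= 0xff
	if _, err := Verify(pub, tampered, now, time.Hour, 6); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The order of checks matters: parsing untrusted bytes before the signature has been verified would expose the parser to anyone who can reach the client, and a signature without a freshness and version check would let an old, less restrictive policy be replayed to a client that has since been given a tighter one.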
Different policies can be defined for different groups of machines on the network.
Multiple policy managers can be used to achieve redundancy and load sharing, if needed.
There are two different rule-sets that are distributed by the Policy Manager:
- One rule-set that is active when the client has contact with a Policy Manager.
- One rule-set that is used when no Policy Manager can be contacted (a “default policy” to fall back to).
The Policy Manager is normally placed on an internal corporate network to manage all internal workstations and Windows servers. To all clients, it distributes both rule-set #1 and rule-set #2 above. If a computer is moved outside this network and contact with the policy server is lost, the default rule-set (#2), which is normally more restrictive, automatically becomes active on that particular computer.
- Rules allow “related states” to be defined, i.e. to allow new traffic based on whether other TCP sessions are established or not. This makes it easy to define rules for complex protocols.
- Mobile computers can have a restrictive default rule-set with rules guarding the workstation when no connection to a policy server is available, for example when it is used outside the corporate network.
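The two-rule-set model and the related-state rules described above, as an added example that is not AppGate's code: a client holds the managed rule-set and the more restrictive default rule-set, selects one according to whether a Policy Manager is reachable, and evaluates first-match rules where a rule can be conditioned on another TCP session already being established. The rule fields, the port numbers (HTTPS, FTP control and data) and the simplified connection-tracking table are constructed for illustration; the page does not describe the real rule syntax.

```go
package main

import "fmt"

// Flow is one connection attempt the firewall must decide on (constructed model;
// the real engine sees packets on every adapter and interface).
type Flow struct {
	Proto string // "tcp" or "udp"
	Dir   string // "in" or "out"
	Port  int    // local port for "in", remote port for "out"
}

// Rule matches a flow; first match wins. RelatedTo is the page's "related
// state": the rule only applies while a TCP session on that port is
// established. Zero means "any port" for Port and "no condition" for RelatedTo.
type Rule struct {
	Proto, Dir string
	Port       int
	Allow      bool
	RelatedTo  int
}

type RuleSet struct {
	Name  string
	Rules []Rule
}

// Client holds both rule-sets the Policy Manager distributes plus a minimal
// connection-tracking table (ports with an established TCP session).
type Client struct {
	Managed     RuleSet // rule-set #1: used while a Policy Manager is reachable
	Default     RuleSet // rule-set #2: the fallback, normally more restrictive
	Established map[int]bool
}

// Active picks the rule-set for the current situation; the switch is automatic.
func (c *Client) Active(managerReachable bool) RuleSet {
	if managerReachable {
		return c.Managed
	}
	return c.Default
}

// Decide returns the verdict and the rule-set that produced it. No match means deny.
func (c *Client) Decide(managerReachable bool, f Flow) (bool, string) {
	rs := c.Active(managerReachable)
	for _, r := range rs.Rules {
		if r.Proto != f.Proto || r.Dir != f.Dir {
			continue
		}
		if r.Port != 0 && r.Port != f.Port {
			continue
		}
		if r.RelatedTo != 0 && !c.Established[r.RelatedTo] {
			continue
		}
		return r.Allow, rs.Name
	}
	return false, rs.Name
}

// NewClient builds a constructed policy pair in the spirit of the page: on the
// corporate network the workstation may browse and use FTP, with the inbound
// data connection tied to an established control session; off the network only
// the tunnel port stays open. Port numbers are illustrative.
func NewClient() *Client {
	return &Client{
		Managed: RuleSet{Name: "managed", Rules: []Rule{
			{Proto: "tcp", Dir: "out", Port: 443, Allow: true},
			{Proto: "tcp", Dir: "out", Port: 21, Allow: true},
			{Proto: "tcp", Dir: "in", Port: 20, Allow: true, RelatedTo: 21},
		}},
		Default: RuleSet{Name: "default", Rules: []Rule{
			{Proto: "tcp", Dir: "out", Port: 443, Allow: true},
		}},
		Established: map[int]bool{},
	}
}

func main() {
	c := NewClient()
	show := func(reachable bool, f Flow) {
		ok, rs := c.Decide(reachable, f)
		fmt.Printf("manager reachable=%-5v %s %s %d -> allow=%v (%s)\n", reachable, f.Proto, f.Dir, f.Port, ok, rs)
	}
	show(true, Flow{"tcp", "in", 20})   // denied: no FTP control session yet
	c.Established[21] = true            // control session now established
	show(true, Flow{"tcp", "in", 20})   // allowed by the related-state rule
	show(false, Flow{"tcp", "out", 21}) // off-network: default rule-set denies FTP
	show(false, Flow{"tcp", "in", 20})  // and carries no related-state rule at all
}
```

Note that the related-state condition is evaluated against the client's own connection table, so the same inbound rule is silently inert until the session it depends on exists, and the default rule-set can simply omit it rather than having to deny it explicitly.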
If used together with an AppGate VPN system, the personal firewall can also be controlled by an AppGate Security Server to enforce specific policies when the user connects to a protected application server. It is, for example, possible for the AppGate Security Server to demand that all connections except the secure VPN tunnel should be closed before certain resources become available to the user.
The Distributed Device Firewall system can also be used together with non-AppGate VPN systems. If a policy manager becomes visible when the user connects to a remote network, the Personal Firewall will immediately request a policy from that server and start using it.
User workstations should be protected and only allowed to receive and send the traffic required to run their applications. This prevents internal attackers from gaining access to other users’ workstations and makes it much harder for viruses and worms to spread between workstations and servers.
Application servers. Servers connected to the Internet and all servers on the internal network need protection. Systems connected to the Internet are often controlled by the corporate firewall, but internal systems containing vital and possibly sensitive information are normally placed on the internal network without any protection. These systems can be attacked by users, viruses, worms and any other malicious software if not protected by a personal firewall.
Portable users. Attacks against portable users are a threat to many organizations, since these computers are often moved between internal networks and the Internet. If not properly protected, they can carry malicious software from the outside to the inside. In addition, if the VPN system can verify that the personal firewall is running a specific rule-set, it can be the enabler that makes it possible to offer new applications to external users.