Security Gateway SGA

Today all organizations are threatened more intensely and effectively. And the increasing reliance on computer networks can compromise the continuity of your business or organization. The backlogs of anti-virus protection were long overdue, even systems previously known as "secure", are now the target of attacks that result in the loss of information or the compromise of sensitive data, including the hijacking of information.

Sites like Have i been pwned? Keep track of large companies and systems that have been compromised by detecting 1,444,567,928 accounts in 142 global sites. Linkedin's importance sites; Companies such as Adobe; And services like Dropbox. Whose main business is technology have been compromised. And not to mention information committed to governments and institutions around the world.

How safe is your network?

It is a fact, your organization needs protection. The figures are compelling, and the reality about computer security is frankly worrisome. For some years now, we have perceived how thanks to the films and TV, the perception that has about the "hackers" and the vulnerabilities, it seems that it is a science fiction.

With the growing reliance on technology, more and more information circulating around the network, information is certainly very sensitive to organizations such as electronic billing. It is becoming increasingly necessary and indispensable to have mechanisms that protect our information.

Security Gateway Appliance (SGA), fulfills this purpose. It has features that allow you to protect your networks in an integral way. Provides protection to your communications and your equipment from a single device. In addition, we have different models to protect from small networks, to very complex corporate networks.

Models

SGA 1100

The Netgate® 1100 security appliance with pfSense® Plus software is the ideal micro-appliance for home networks and small offices. Thanks to its compact design, low power consumption, and silent operation, it can run discreetly on a desktop or wall mount. Featuring a dual-core ARM Cortex-A53 CPU at 1.2 GHz, three 1 GbE ports, and 1 GB of DDR4 RAM, the Netgate 1100 delivers routing performance of up to 927 Mbps and firewall throughput of 607 Mbps.

SGA 2100

In terms of price-to-performance, the Netgate® 2100 security appliance with pfSense® Plus software delivers unmatched performance and flexibility in its class. It is ideal for home deployments, remote workers, and small businesses that require additional computing resources to run multiple pfSense add-on packages and VPN performance capable of supporting multiple user and site-to-site connections. It features a dual-core ARM Cortex-A53 CPU at 1.2 GHz, a dedicated 1 GbE WAN port (RJ45/SFP combo), four 1 GbE Marvell switch ports, 4 GB of DDR4 RAM, and expandable storage. The 2100 also includes additional expansion slots for M.2 SSDs.

SGA 4200

The Netgate® 4200 with pfSense® Plus software is the most versatile security gateway in its category. The 4200 leverages the ultra-fast performance of the 4-core Intel® Atom® C1110 CPU to achieve benchmark results up to three times faster in routing, firewall forwarding, and IPsec VPN compared to the previous generation of security gateways. The 4200 delivers more than 9.2 Gbps of L3 routing throughput across four independent, flexible 2.5 GbE WAN/LAN ports.

SGA 6100

The Netgate® 6100 with pfSense® Plus software is one of the most versatile security gateways in its class. It combines the power of a quad-core Intel® C3558 CPU with integrated QuickAssist Technology (QAT) and AES-NI, along with 8 GB of memory, to deliver a responsive user experience. It provides more than 18 Gbps of L3 routing throughput across eight independent, flexible WAN/LAN ports supporting 1 GbE, 2.5 GbE, and 10 GbE. The 6100 is capable of running high-performance firewall, routing, and VPN applications. Despite its powerful performance, the 6100 operates in complete silence thanks to a passive cooling system and is ideal for home environments, small and medium-sized businesses, or edge deployments.

SGA 8200

If you require high-performance firewall, routing, and VPN capabilities, look no further. The Netgate® 8200 with pfSense® Plus software is the fastest Intel® Atom®-based firewall we offer, featuring an ultra-quiet rack-mount configuration. It is ideal for remote offices, edge deployments, managed service providers, and enterprise networks.

SGA 8300

Experience unmatched value and performance with the Netgate® 8300 security gateway powered by pfSense® Plus. The Netgate 8300 is designed for medium and large enterprises, xSPs, and MSPs/MSSPs with high connectivity and stability requirements. This enterprise-ready unit features Netgate’s most expandable chassis and hot-swappable power supplies, ensuring mission-critical reliability and simplified maintenance. This security gateway is powered by a high-performance Intel® Xeon® D processor.

Features

Captive Portal

It allows you to protect a network by requesting a username and password. It is an authentication, this can be done through the integrated user administration in Security Gateway Appliance (SGA), or an external authentication server, like a RADIUS server.

DHCP Server

Deliver addresses to DHCP clients and automatically configure them for network access, within a range assigned by the user. By default, the DHCP server is enabled on the LAN interface. The DHCP server service has a tab for each available interface. The DHCP process can only work with interfaces with a static IP address, so if a tab for an interface is not present, verify that it is enabled and configured with a static IP address.

DNS Forwarder

It responds to client DNS requests, and in turn attempts to resolve queries using all currently configured DNS servers available. This way, it is not necessary to configure public DNS servers directly on client systems. If this service is enabled, the IP address of the internal interface for Security Gateway Appliance (SGA) will be delivered to DHCP clients as a DNS server. If disabled, the DNS servers configured in the Security Gateway Appliance (SGA) will be delivered instead. This service can register DHCP host names, granting so that local names can be resolved through DNS. The same can be done with static DHCP mappings. This should only be enabled on networks where client host names can be trusted.

Dynamic DNS

Update an external provider with the current public IP address on the server. This maintains a constant DNS host name, even if the IP address changes periodically. There are many free DynDNS services out there, Security Gateway Appliance (SGA) is compatible with more than 15 different vendors. In addition to normal public services, the Security Gateway Appliance (SGA) also supports RFC 2136 DNS updates to DNS servers. In versions currently supported by the Security Gateway Appliance (SGA), the DynDNS client supports the use of multiple DynDNS and RFC 2136 clients. These can be used to update multiple services on the same interface, or multiple interfaces.

Load Balancer

A distribution method that allocates or balances client requests to servers. Minimize response times improve service performance. Avoid saturation of servers.

Virtual server

A physical computer with an operating system, I could contain a virtual environment (container), which emulates an operating system inside it (Windows, Linux suite), so we can test on these operating systems to serve as a "sandbox" generating A controlled environment to be damaged by such tests.

Firewall Rules

Allow or block traffic from internal and external computers to the network that we do not want users to have access to the private network. The rules can not protect us from threats to which it is subjected by internal attacks or negligent users. It can not prohibit corporate spies from copying sensitive data on physical storage media (disks, memories, etc.) and remove them from the building.

Sticky connections

Adhesive connections can somewhat alleviate shared session problems, but are not as reliable as using shared session storage. For the scenario in which a client requests a Web page and all the contents (images, scripts) on that page, if the adhesive connections are enabled the client will grab the page and all the images and scripts from the same server.

Failover & Recovery

Failover is when a team fails and is replaced in the shortest time possible for the latter to continue the actions of the failed. If a server fails, the Security Gateway Appliance (SGA) will send traffic to available servers that are upstream.

PPPoE server

It allows connections through PPPoE client terminals. This can be used as a means to restrict network access on a restricted interface, either wired or wireless. Network protocol for PPP encapsulation over an Ethernet layer. It is mostly used to provide broadband connection through cable modem and DSL services. This offers the advantages of PPP protocol such as authentication, encryption, maintenance and compression. In essence, it is a protocol, which allows to implement an IP layer over a connection between two Ethernet ports, but with the software features of the PPP protocol, so it is used to virtually "dial" another machine within the Ethernet network, Achieving a "serial" connection with it, with which IP packets can be transferred, based on the characteristics of the PPP protocol.

Watchdog

It monitors the services that they want to have in greater demand in use, or that their discharge from service is very harmful. Each minute will check that the services in the list are running, and if they are not, these services will be lifted.

SNMP

The Simple Network Management Protocol (SNMP) Allows you to check certain Security Gateway Appliance (SGA) status information with an SNMP client, such as network monitoring systems. At a minimum, to enable the service, it establishes a port probe (by default is UDP / 161) and a read community string.

IDS

Intrusion Detection System, as its name in English says "Intrusion Detection System", is used to detect access not allowed to a network. The IDS has sensors that allow them to collect data, so that when it detects the traffic, it can determine anomalies or strange behaviors that can be an attack or a false positive. Types of IDS: HIDS: searches for data that has left the attackers on a computer when trying to take control of it, with all the information they get draws their conclusions. NIDS: Network IDS, detects network-wide attacks. You should see all the traffic entering the network. You have several options to implement it, Hardware, software or combination of both.

IPS

It controls the access of illegitimate users adding the possibility to block the attacks, not simply to monitor them. IPS are categorized according to how they detect malicious traffic: Signature-based: compares traffic with known attack signatures, must have the signature list updated. Based on policies: strict security policies are defined, if traffic is allowed the IPS allows the traffic, if it is not blocked it. Based on anomalies: this method is the most false positive generates because it is very difficult that is normal or standard. In this mode we find two options: Statistical detection of abnormalities: it analyzes all the traffic during a certain time, after this time creates a line of what is "normal or standard." After this period ends if the behavior varies greatly compared to the rule created, it is taken as a possibility of attack. Non-Statistical Detection of Abnormalities: in this option the Administrator defines the line of what is the "normal or standard" that will be the basis for traffic comparison. In summary, the IPS adds the possibility of blocking attacks and also proactively protects the network, while the IDS does not allow to block and reactively protects the network.

Squid

It is a web proxy server with cache. It is one of the most popular applications for this feature, free software released under GPL license. Among its utilities is to improve the performance of corporate and Internet connections by caching recurring requests to web and DNS servers, speeding up access to a particular web server or adding security by performing traffic filtering. Although mainly oriented to HTTP and HTTPS it also supports other protocols like FTP and even Gopher. It implements SSL / TLS encryption both in the connection to the web server and to the browsers and any web client that supports it.

Squidguard

It is a URL redirector that is used to integrate blacklists with Squid proxy software. • Limit access to the Web for some users to a list of accepted web servers and / or URLs only. • Block access to some blacklisted or web servers and / or URLs for some users. • Block access to URLs that match a list of regular expressions or words for some users. • Enforce the use of domain names / prohibit the use of IP addresses in URLs. • Redirect blocked URL to an information page. • Redirect banners for an empty GIF. • Have different access rules according to the time of day, day of the week, date, etc.

Blacklist

Blacklists are optional, mostly useful to put as a referent to the list of unwanted or dangerous sites. A better way to start with a blacklist collection as shown below. • Black lists MESD - They are freely accessible. • Black lists of Shalla - Free for non-commercial / private use.

Squid proxy

It is an agent or substitute authorized to act on behalf of another person (machine or entity) or a document authorizing it to do so. Intermediate between the web browser and internet.

UPnP y NAT-PMP

UPnP is the abbreviation for Universal Plug and Play and is commonly found on Windows, Linux and BSD systems. NAT-PMP is short for NAT Port Mapping Protocol and is similar to UPnP, but more commonly found in Apple devices and programs. Security Gateway Appliance (SGA) is compatible with both. UPnP and NAT -PMP both allow devices and programs to automatically support redirecting to dynamic ports and firewall inputs. The most common uses are in gaming systems (Xbox, Playstation, etc.)

Wake on LAN

The LAN service alarm clock (WoL) can send a "magic packet" to a workstation on a locally connected network, which can be turned on by a workstation if it is configured correctly and if its BIOS supports it.

Aliases

They act as location by means of another data to the real host, networks and ports. They can be used to minimize the number of changes that have to be made if a host, network or port. The name of an alias can be entered instead of the address, or IP network port in all fields that have a red background. The alias will be resolved according to the list [on the WebGUI Alias ​​page]. If an alias can not be resolved (for example, because it has been deleted), the corresponding element (eg filter / tracer / NAT rule) will be considered invalid and skipped.

Firewall Rules

Allows you to send or receive traffic with programs, system services, computers or users. You can create firewall rules that perform one of the following three actions for all connections that match the criteria in the rule: Allow connection. Allow a connection only if it is protected by using Internet Security Protocol (IPsec). Block the connection. Rules can be created for inbound traffic or outbound traffic. A rule can be configured to specify the computers or users, the program, the service, or the port and protocol. You can specify the type of network adapter to which the rule applies: local area network (LAN), wireless, remote access, such as a virtual private network (VPN) connection, or all types. You can also configure the rule to be applied when a profile is used or when any profile is used. As the IT environment changes, you may have to change, create, disable, or delete rules.

Pfblocker

Allows you to add IP service blocking and country function blocks from a firewall or router. PfBlocker was created to replace the functions of the IP block list, and packs Country Block.

NAT

Network address translation or NAT is a mechanism used by IP routers to exchange packets between two networks that mutually assign incompatible addresses. It consists of converting, in real time, the addresses used in the transported packages.

Traffic Shaping

It allows to control the traffic in networks so as to be able to optimize or guarantee the performance, low latency, and / or a determined bandwidth by delaying packets. It proposes concepts of classification, queuing, policy enforcement, congestion management, quality of service (QoS) and regulation. On the other hand, this is a practice used by various ISPs not to exceed their service capabilities.

Virtual IP Addresses

A virtual IP address (VIP or VIP) is an IP address that is not involved with an actual physical (port) network interface. Uses for VIPs include network address translation (especially one-to-many NAT), fault tolerance, and mobility.

IPSec

(Internet Protocol Security) is a set of protocols whose function is to secure communications over the Internet Protocol (IP) by authenticating and / or encrypting each IP packet in a data stream. IPsec also includes protocols for establishing encryption keys.

OpenVPN

It is a point-to-point connectivity solution encrypted at the banking level in Secure Sockets Layer (VPN) VPN (Virtual Private Network Private Virtual Network).