gateProtect GPA 250 / GPA 250a

Overview:

Its features include HA, VLAN, xUA with single sign-on, bridging, VPN SSL with x.509 certificate + IPsec, anti-spam with real-time detection, antivirus, intrusion detection, web filtering, as well as process-oriented eGUI® technology.

eGUI®-Technology

The new eGUI® technology from gateProtect is remarkable for its ergonomic approach to the processing operation. The display, even of sometimes very different applications, is always consistent and delivers the information required by the user for the current operation only. A measure of the quality of the gateProtect operator concept are the principles governing the design of software dialogue, as formulated in ISO 9241, part 110.

Extended User Authentication

Most modern firewall systems support proxy-based user authentication. This means that only those services which work with proxies such as HTTP or FTP can be issued to specific users. The gateProtect firewall has rule-based Extended User Authentication. This allows any number of services to be assigned individually to one user or a group of users. If a user logs on to the firewall from a computer, all the assigned services for the computer in question are enabled.

1. Web browser/UA Client: logon is via an HTTPs connection.
2. Single sign-on: Kerberos automatically passes the log-on to the domain to the firewall.

VPN Gateway (SSL with X.509 Certificates + IPSec)

gateProtect offers the most commonly used forms of current site-to-site and Road Warrior VPN connections via IPSec and SSL. Wizards and the eGUI® technology help with the management and set up of these connections. In addition, the firewall generates external configuration files when the VPN connections are created. These files can be used for setting up single click connections and also for site-tosite connections when importing on the firewall at a remote site.

Furthermore, gateProtect offers an IPSec and SSL site-to-site solution with X.509 certificates which can work in bridge mode as an option. For a normal bridge, two or more network cards are linked to form a logical network. gateProtect not only allows this for network cards but also for VPN-over-SSL connections. This makes it possible to treat remote computers as if they were in the local network.

Failover

In order to safeguard the connection to the Internet, gateProtect offers the failover feature. A second emergency connection is set up in addition to the main connection. If the first main connection fails, the emergency connection is automatically established up and data traffic with the Internet is conducted via the new connection. This safeguards any current business processes, such as email despatch and reception.

Monitoring

In order to estimate the load on the firewall, it determines the status of the components, for example, the hard drive, the processor or similar relevant data, which it records and analyses permanently. It is possible to access this data with the administration client in order to respond rapidly in critical situations.

Load Balancing

gateProtect load balancing distributes the data traffic with the Internet to different routes. The firewall then decides which way the Internet is accessed each time a connection is established.

As a rule, this distribution is based on protocols. gateProtect also makes it possible to assign each individual connection to a route. This allows the utilization of Internet connections to be planned in great detail and optimized.

High Availability

The high availability of gateProtect firewall systems is based on an active/passive system where a secondary firewall is installed in parallel with the primary firewall. The secondary firewall synchronizes itself constantly with the primary firewall using dedicated connections. It can therefore at any time take over the work of the primary firewall, should this fail, without any manual intervention.

Furthermore, the status of the primary firewall is monitored by different systems. If any problems are detected in the firewall, it switches itself off. The secondary firewall enables the synchronized configuration and can continue operating in the place of the primary firewall immediately. Downtime is minimized and problems can be dealt with under less pressure.

Features:

Demos:

eGUI - Presentation

Demo versions
Group	Version	Size	Download
Next Generation Firewall	DEMO Frontend Administration (eGUI) Version 9.0	9.0 MB	Download EXE
	DEMO Frontend Statistik (eGUI) Version 9.0	5.0 MB	Download EXE
Command Center (Managed Security)	DEMO Frontend Administration (eGUI) Version 3.1	8.6 MB	Download EXE

Specifications:

* System performance depends on activated proxies, IDS, application level and number of active VPN connections.

eGUI® Technology:

Simple, fast and easy to use

The biggest security risk faced by today’s IT networks is that in order to effectively combat attacks, the safety functions integrated in them must be increasingly complex. Without a doubt this makes operating these systems equally complex and the risk of user error rises exponentially. The reason lies in the many interactions of the settings which cannot be shown clearly, or not at all, on commonly available consoles.

Operating and setting errors in IT security systems are therefore the cause of 95% of the safety lapses suffered by companies.

The eGUI® (ergonomic Graphic User Interface) technology developed in the gateProtect laboratories solves this problem. The new user interface is remarkable for its ergonomic approach to the processing operation. The display, even of sometimes very different applications, is always consistent and delivers only the information required by the user for the current operation.

A measure of the quality of the gateProtect operator concept are the ergonomic principles governing human-machine interaction, as formulated in ISO 9241, part 110.

Some benefits of the eGUI®

• Visual feedback immediately supplied for each setting
• Self-explanatory functions
• Central overview of all active services
• Immediate overview of the whole network configuration
• Layer and zoom function for networks up to 10,000 users

Extended User Authentication (xUA):

Future-proof with high security

Most modern firewall systems support proxy-based user authentication. This means that only those services which work with proxies such as HTTP or FTP can be issued to specific users.

The gateProtect firewall has rule-based Extended User Authentication which allows any number of services to be assigned to one user or a group of users. These services can be provided with all the known additional options such as proxies or web filters.

If a user logs on to the firewall from a computer, all the assigned services for the computer in question are enabled.

gateProtect offers you two ways of logging onto the firewall:

• Web browser/UA Client: logon is via an HTTPS connection.
• Single sign-on: Kerberos automatically passes the log on to the domain to the firewall.

The extended user-authentication of gateProtect captivates through

• The release as many as desired services for a person
• Configuration of the services for groups
• Configuration of the services for active directory groups
• Approval of services also in the intranet
• Guaranteed future, because of future services are also configurable.
• Single sign-on by Kerberos during registration at the windows domain
• Browser-Login for operating system independence

Traffic Shaping & Quality of Service:

Optimal bandwith-managment in one system

Traffic Shaping up to user level - The traffic shaping facility from gateProtect is one of the most comprehensive implementations on the market. Maximum and minimum bandwidth can be specified for each object on the configuration desktop (users, computers, groups etc). Based on this, it is possible to manipulate the traffic for each service. Bandwidth distribution can be configured at any level of detail.

Quality of service within networks - The quality of service function of the gateProtect systems allows the preferring of important enterprise-critical applications like ERP and CRM systems as well as Voice over IP services for telephone systems. Thus ensures smooth working for all compartments. The adjustment of the quality of service takes place extremely flexibly by setting so-called TOS flags, which marks those to prioritised data packets.

Prioritisation of data packets in VPN tunnels - Another special feature of the gateProtect solution is the prioritization of data packets in the VPN tunnel with QoS. This is important for time-critical applications where a delay would not be desirable. For example, gateProtect makes it possible to use VoIP via a VPN tunnel for interference-free telephone calls, irrespective of the utilization of the tunnel for RDP or data download, for instance.

High Availability & Load Balancing:

High Availability - Security for the case of need

The high availability of gateProtect firewall systems is based on an active/passive system where a secondary firewall is installed in parallel with the primary firewall. The secondary firewall synchronizes itself constantly with the primary firewall using dedicated connections. It can therefore at any time take over the work of the primary firewall, should this fail, without any manual intervention.

Furthermore, the status of the primary firewall is monitored by different systems. If any problems are detected in the firewall, it switches itself off. The secondary firewall enables the synchronized configuration and can continue operating in the place of the primary firewall immediately. Downtime is minimized and problems can be dealt with under less pressure.

Load Balancing - Flexible spreading of all services (protocol /ports) on different Internet connections

gateProtect load balancing distributes the data traffic with the Internet to different routes. The firewall then decides which way the Internet is accessed each time a connection is established.

As a rule, this distribution is based on protocols. gateProtect also makes it possible to assign each individual connection to a route. This allows the utilization of Internet connections to be planned in great detail and optimized.

Technology - For the load balancing in the Firewall the packets of the desired service will be selected in the package filter on the basis of source (IP address, user, VPN connection…), protocol (TCP, UDP, ICMP…) and if necessary further criteria (like e.g. TCP port) and added with one more unique mark.

The decision, which Internet connection(s) should be used for the data stream, is defined in the routing-process (so-called “policy - routing”).

Extended VPN:

Fast and secure connection to company network

gateProtect offers the most commonly used forms of current site-to-site and Road Warrior VPN connections via IPSec and SSL. Wizards and the eGUI® technology help with the management and set up of these connections. In addition, the firewall generates external configuration files when the VPN connections are created. These files can be used for setting up single click connections and also for site-to-site connections when importing on the firewall at a remote site.

Furthermore, gateProtect offers an IPSec and SSL site-to-site solution with X.509 certificates which can work in bridge mode as an option. For a normal bridge, two or more network cards are linked to form a logical network. gateProtect not only allows this for network cards but also for VPN-over-SSL connections. This makes it possible to treat remote computers as if they were in the local network.

Antivirus & Anti-Spam:

Antivirus - Protection against unwanted intruders

The UTM firewall solutions of gateProtect contain a world-wide several distinguished scan engine. The newest generation of the anti-virus gateway scans for HTTP, ftp, POP3, SMTP and also HTTPS. For this files are loaded by a proxy from the Internet and scanned for virus on the firewall before they will be forwarded to the inquiring user. Our customers are protected before thus the daily threats by viruses in e-mails or in websites in the best way.

Web-Anti-Virus - If you open determined websites in the internet, there is the risk that your computer will be infected by viruses, which are installed by scripts contained on websites. In addition a dangerous object can be loaded on your computer. The Web-Anti-Virus was developed especially to prevent such situations. The scripts, which are on websites and which are risky, will be intercepted by this component and their execution becomes banned. Also the HTTP traffic is subject to strict control.

Mail-Anti-Virus - The email-correspondence is used more and more by aggressors for the spreading of harmful programs. It is one of the most important media for the spreading of worms. Therefore it is very important to control all email messages. The Mail-Anti-Virus is a component to the investigation all in and outgoing email messages of your computer. It analyzing emails for defective programs. An email is delivered only if it does not contain risky objects.

HTTPS Scan - It is not possible to scan HTTPS traffic on the firewall with the products from most other suppliers. Malware such as trojans and viruses exploit this open door to enter an internal network unhindered.

gateProtect is one of the few manufacturers to close this door with their xUTM appliances. gateProtect software can also scan encrypted HTTPS connections in the data traffic for viruses and other malware.

To do this, the data flow is decrypted at the firewall, analyzed and, if no viruses are found, re-encrypted and sent on its way again.

Anti-Spam - Terminating of annoying spam-mails

The spam-filter of the gateProtect UTM firewall scans email traffic and catches spam before the productivity of the co-workers is reduced.

The configuration makes it possible to define a flexible adjustment of the spam filter with the possibility of black and white lists.

The False positive rate is extremely small with less than 1 in 1.5 million detected spam mails.

The high throughput rate of the gateProtect spam filter is a deciding factor for the choice of the suitable spam filter. This makes an almost delay-free delivering of e-mails possible. The real filtering proceeds externally that allows a very fast scan and avoids the efficiency of the resources.

Technology - real time detection - With insert of real-time-detection centres spam, virus or also Phishing attacks will be detected on the basis of characteristic samples when breaking out. This increases the effectiveness significantly and increases the detection rate explicitly. More than 97 % of the spam sender can be detected and intercepted before spreading.

The spam protection is extremely effective and protects before all forms of spam including image-based and double byte languages. It is not limited on formats and languages, but global applicable and offers protection of world-wide spam senders.

Web Filter:

Combination of URL and content filter

The UTM firewall solution of gateProtect contains a website content filter. With this website requests will automatically adjust with permitted categories. The categories in the gateProtect filter groups can be arranged individually from 60 filters categories. Thus ensures safe, precise and nevertheless manageable filtering.

For companies with very high HTTP appearance the web filter data base can be downloaded onto the firewall. In this case no hash-sign is sent to the web filter server, but the category will be defined directly (from the data base) on the firewall.

Optimal combination of URL and content Filtering - The content filter supplements the well-known gateProtect web blocking (URL filter) on ideal way. The settings are made over a common dialogue. All categories are coordinated directly, so that the configuration can take place fast and simply. The Black- and White-lists are valid for the URL and the content filter, so that a fast and effective handling of Internet security is ensured.

Documentation:

gateProtect GPA 250 Datasheet (.PDF)

gateProtect xUTM Features Overview Datasheet (.PDF)