XGuard Firewall and Internet Filter
XGuard Firewall is a secure, multi-function filtering network appliance and management system based on the FreeBSD OS. Each XGuard Firewall device utilises industrial-strength firewall and networking software providing advanced NAT (network address translation) and transparent web filter and proxy services. XGuard Firewall filters websites using advanced keyword page-scoring algorithms as well as blacklists and whitelists of URLs, and provides both DNS record guarding and proxy-based guarding, which increases the strength of the Internet filtering.
Realtime Content filtering
XGuard’s advanced Realtime Content filtering utilises a large database of keywords and categories to determine whether an individual webpage should be allowed or blocked based on the contents of each page. In conjunction with traditional blacklists and whitelists, XGuard’s Realtime Website filtering gives incredible flexibility over what users and groups of users are allowed to see.
URL blacklisting/whitelisting of sites and Realtime Content Filtering can be based on multiple categories and access control lists (ACLs) to provide different and varied levels of internet access. ACLs can be set per machine, IP address or username, with usernames drawn from locally managed, Windows Active Directory, RADIUS or LDAP servers. ACLs can also be set to allow or guard based on time periods for added flexibility. ACLs can be set to force all search engines (if allowed) to search in ‘safe’ or ‘child’ mode. When enforced, this mode cannot be worked around by the user, even by URL manipulation. Logging can be specified individually for each ACL.
Logging & Monitoring
XGuard Firewall provides comprehensive system and network monitoring and customisable logging of filtering and guarding activities. All logs on the XGuard Firewall are automatically uploaded to the XGuard Control Server for analysis or diagnosis. XGuard Firewall provides complete SNMP support for integration with other vendors’ management systems. XGuard Firewall can provide complete logging and filtering of common Instant Messenger clients (MSN Messenger, AIM, ICQ, etc.) connecting through it. As well as logging user access and conversations, it can replace words in a customisable expletive wordlist with asterisks (‘*’) in any conversations. Filtering occurs for conversations in both directions. XGuard Firewall allows for a block/allow list of IM usernames that either prohibits the nominated contacts or allows only the nominated contacts. For example, XGuard Firewall can allow staff to use the communication advantages of IM services like Live Messenger and AIM, while ensuring they can only communicate with team members and clients for productive business use.
- Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
- Limit simultaneous connections on a per-rule basis
- XGuard utilises p0f, an advanced passive OS/network fingerprinting utility, to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? XGuard allows for that (amongst many other possibilities) by passively detecting the Operating System in use.
- Option to log or not log traffic matching each rule.
- Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
- Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
- Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
- Packet normalization – Description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
  - Enabled in XGuard by default
  - Can be disabled if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations.
- Disable filter – you can turn off the firewall filter entirely if you wish to turn your XGuard into a pure router.
Each XGuard Firewall can be remotely administered via its own web-browser-based management centre, which gives designated admins complete status, health, configuration and management of each XGuard Firewall.
Contact Jendai Solutions for details and help tailoring a system to suit your requirements.