genugate Firewall: Well Protected Against Attacks
Your level of IT security is determined largely at the interface between the Internet and the local network. The attacks from the outside and the data sent from the inside pass through this point.
The more carefully this data traffic is monitored, the greater the protection you achieve for your entire network. The IT security at this critical point should therefore be given top priority. A central element here is the content analysis: you should only allow data into your network after completely inspecting its content, because only in this way can dangerous content be reliably detected and blocked.
The High Resistance Firewall genugate satisfies the highest requirements: two different firewall systems – an application level gateway and a packet filter, each on separate hardware – are combined to form a compact solution.
- BSI certification and approval for use with RESTRICTED data
- Best self-protection: The only "highly resistant" firewall in the world as classified by the BSI
- 2-tier firewall: Implementation of the two components on two independent computers: On the inside is a packet filter (PFL), on the outside an application-level gateway (ALG)
- Application-level gateway: Comprehensive, complete content analysis – not only just a random sample
- Packet filter firewall with individually configurable set of rules
- Web application firewall (WAF) certified according to the Common Criteria (CC) EAL4+ with AVA_VAN.5 (Advanced Methodical Vulnerability Analysis)
- Offline mode: The license can be activated offline; patches and updates can be executed manually
- REST-API support for administrator's task automation
- Advanced update mechanism protects against attacks with quantum computers
The application level gateway analyzes the content of the entire data stream. Dangerous or unwanted data such as active content, viruses or spam are reliably detected and blocked here.
Through this comprehensive content control, the genugate application gateway firewall offers a significantly higher level of security than so-called next generation firewalls, which work primarily with deep packet inspection and check the data content only randomly.
Cloud use can also be monitored with the firewall by, e.g., only allowing uploads to external services if the data is encrypted. In addition to the application level gateway, a packet filter checks formal criteria such as sender address and protocol type as a second security system. The genugate stands out from other firewalls through its two-tier protection and full content control that guarantees you robust protection at critical network interfaces.
The high trustworthiness of the security of our firewall solution has thereby been confirmed by an independent organization. In addition, the genugate is classified as highly resistant as it counters with maximum resistance against direct attacks. The security performance satisfies the requirements of level EAL 7.
The genugate application gateway firewall is the only firewall in the world that offers this high level of security.
With the High Resistance Firewall genugate, German manufacturer genua offers a solution for critical interfaces. The genugate application gateway is a complete solution consisting of hardware, operating system and firewall software.
All components are precisely matched to one another and designed for maximum security. The used operating system OpenBSD guarantees high security standards, and the two firewall systems – the application level gateway and the packet filter – run on physically separate computers. Both firewalls are, however, operated via a uniform user interface which enables convenient administration and reduces support costs. The genugate stands out from other firewalls through its two-tier protection and guarantees robust protection at the critical interface between your network and the Internet.
At the heart of the genugate solution is the application level gateway. This sophisticated security system checks the content of the entire data stream. To this end, the incoming data packets are first stopped – the application level gateway does not permit a direct connection between the Internet and the local network. The gain in security through this feature: attacks are not possible on the network level. Many risks, such as through the extended headers with IPv6, are thereby excluded.
After the connection is terminated, the packets are assembled like a puzzle, since a content check is only possible using complete data sets. Filtering is now performed and, depending on the configuration, undesired and dangerous data such as active content, viruses or even spam are reliably blocked. Only then is the data passed on via a new connection. The application level gateway can also secure cloud usage by, e.g., only allowing uploads to external services if the data is encrypted. With the comprehensive content analysis through the application level gateway, genugate offers a significantly higher level of security than so-called next generation firewalls, which usually function with deep packet inspection or pattern matching and check only a random sample of the data contents.
Teamwork with Packet Filter
With genugate, a stateful packet filter functions as a second firewall system on the inside in the direction of the local network. It checks the data packets based on the header information: IP address, protocol type and port number. This means: all data must pass through two firewall systems whose protective measures optimally complement one another on different levels. Through the finely coordinated teamwork, the two systems mutually protect one another. The two-tiered structure also allows for the creation of demilitarized zones (DMZ) precisely according to your requirements: Servers can be connected to both the application level gateway as well as to the packet filter via other interfaces. As a result, you are able to offer services on the Internet that are secured through the high-performance application level gateway or servers can be closely connected to your LAN via the packet filter.
Two-tiered structure, extensive content control, separation of all connections – The High Resistance Firewall genugate is designed without compromise for strong security. With these features, genugate differs from the firewall solutions offered by other manufacturers. These security features do, however, also require significant computing capacities. Even when using the latest hardware, this results in a loss of performance with respect to data throughput. One must be aware of the relationship that exists between security and performance for all firewall systems. In other words: High performance values can only be achieved at the expense of security performance and vice versa – even if some manufacturers promise otherwise. At such a critical interface, however, you should make no compromises when it comes to security. Here, genugate is the right solution.
The German Federal Office for Information Security (BSI) recommends using a firewall combination comprising two packet filters and one application level gateway – or P-A-P for short – at the critical interface between Internet and local network. The upstream packet filters placed on either side of the high quality application level gateway protect against both direct attacks and high data loads. With genugate, you can comfortably achieve this high level of security: If, for example, you configure your Internet router with rules as a packet filter or additionally use a firewall of type genuscreen from genua, the desired P-A-P combination can be created in conjunction with the two-tiered genugate.
genugate is the world's only Web Application Firewall (WAF) to have received certification according to the Common Criteria (CC) EAL4+ with AVA_VAN.5 (Advanced Methodical Vulnerability Analysis) by the BSI. Designation AVA_VAN.5 stands for a high level of self-protection which has been proven to protect the firewall even against attackers with high attack potential. Especially endangered organizations such as security authorities or operators of critical infrastructures can thereby reliably protect their servers against attacks.
We offer genugate in various hardware models to cover a wide range of requirements. Clusters handle even greater data throughput and availability requirements: All models can be freely bundled as powerful clusters. The two-tier genugate is administrated using a consistent Web GUI. If you use several firewalls of type genugate, you can comfortably create and distribute configuration information such as IP addresses or server names via a management station. You can use an interface to connect the genugate to your security information and event management system (SIEM), e.g., QRadar from IBM. The log data of the firewall system makes an important contribution to your central event and risk analysis.
Based on the high performance in the area of self-protection, the BSI has classified genugate as "Highly Resistant" – the only firewall in the world to achieve this. With this rating, our customers have the certainty from an independent organization of purchasing a high-security solution. To ensure the continued high quality of the High Resistance Firewall genugate, we renew the BSI certification with every major release.
Post-Quantum Cryptography: genua Meets Future Security Requirements
With products from genua you can make the transition to post-quantum cryptography. Our update mechanism guarantees trustworthy product updates today and in the future: In addition to a digital signature for maximum security according to current standards, the addition of a quantum-resistant signature already provides effective protection against attacks with quantum computers.
A Safe Investment in Accordance with the BSI Recommendation
Experts assume that in a few years, quantum computers could weaken or even break the current cryptographic methods. The security of the XMSS method developed by genua in cooperation with the Technical University of Darmstadt and the Technical University of Eindhoven is well understood today. By applying this method, we meet the recommendations for future-proof software updates according to the German Federal Office for Information Security (BSI) and the National Institute of Standards and Technology (NIST).
As a collaborative learning company, it is our mission to continuously improve and share our knowledge of IT Security with you. In our Knowledge Base we offer you articles, white papers, analyst reports, research results, videos and more in the field of IT security.