Case Study

Internet Access for German Government (IVBB)

Data zips quickly and securely to and fro between all top-level German federal agencies along the government's Bonn-Berlin information network, the IVBB. Gateways between this and the public Internet are subject to demanding performance and security requirements. These needs are met using firewall clusters.

When the German seat of government moved from Bonn to Berlin, offices of a number of ministries remained in the former capital. So that information could flow quickly and without obstruction between the two locations, the government created the Bonn-Berlin information network, the IVBB. This data highway connects all offices of top-level federal government agencies, from the Office of the Federal President, the Chancellery and all ministries through to the Federal Court of Audit.

Exacting Demands on Firewalls

At its central nodes, the IVBB also links into the Internet, giving all government agencies access to the World Wide Web. The crossover points between the government intranet and the public Internet must meet the highest standards in terms of security technology:

  • Security certified to stringent ITSEC or Common Criteria (CC) international standards
  • Guaranteed 99.93 percent system availability
  • High data throughput to provide all top-level federal agencies with fast Internet access
  • Cluster-ready for flexible upgrading to higher performance needs

After in-depth practical demonstrations in the lab, the Federal Office for Information Security (BSI) opted for a solution from genua, a German IT security company. The genugate firewalls fully meet the challenging requirements.

One Solution, Two Firewalls

The genugate security system combines two different firewalls – an application-level gateway and a packet filter – in one compact solution. The two firewalls work in series, meaning that all data packets must pass two separate tests before they can cross the Internet/IVBB interface. The application-level gateway checks the content of received data, sifting out spam, viruses and other undesirables. The packet filter makes sure connection requests are legitimate based on formal criteria such as IP address and protocol type.

The strong security guaranteed by this two-stage system is borne out by high-level certification: ITSEC E3/High for genugate versions 4.0 and 5.0, and CC EAL 4+ for version 6.0. As the firewall attains even higher security standards in terms of self-protection, genugate additionally carries a Highly Resistant rating – the only firewall in the world to do so.

Teamwork in Clusters

genugate satisfies the demanding availability and throughput requirements through teamwork: all tasks are shared among clusters of firewalls. If one system fails, others in the same cluster immediately take over. The clusters are infinitely scalable and so can be upgraded to higher performance requirements at any time.