YES Secure CompuWall

The YES Secure CompuWall is an application-level firewall with web management, especially designed for the protection of sensitive networks. It secures the transition of different network segments by physically separating the networks.


The YES Secure CompuWall is a firewall without limitation on the number of users behind it. The maximum throughput depends on the hardware platform used. Depending on the required throughput, the customer can decide to use anything from a standard computer for a small network up to a large server system for hundreds of Mbps throughput.

The YES Secure CompuWall combines a high security standard with high performance. It is thus well suited for small to mid-sized organizations, but also for the network transitions within larger organizations where parts of the infrastructure are to be protected independently of the central IT infrastructure.

The management interface can be operated intuitively by the administrator, simplifying first orientation and configuration of the YES Secure CompuWall. The YES Secure CompuWall can be operated quickly and without profound knowledge of all details of network security.
Configurable proxies are available for HTTP(S), FTP, Telnet, (E)SMTP, NNTP, POP3, Net8 and RTSP. The YES Secure CompuWall features the special option of realizing secure user authentication by means of mobile phones.

Misconfiguration is practically impossible due to the consistently realized principle:

"All that is not explicitly allowed is generally forbidden."

Unique to the YES Secure CompuWall is the possibility to open SSL connections: an integrated solution for the protection against viruses and malicious code within the HTTPS data stream. Whether this option is used depends on the customer's security policy.

More and more we see that companies want to use an all-in-one solution for their Internet connection. Although we advise separate systems for the different tasks in high-end networks, at the request of some of our customers we developed antivirus and content filtering into the YES Secure CompuWall. The standard implementation is the free software ClamAV (www.clamav.net).

  • Simple license model
  • Performance up to 700 Mbps
  • Simple administration
  • Antivirus included
  • Antispam included
  • Highest level of security

Other features can be developed on request.


YES Secure CompuWall

The High-Level Firewall for Companies and Governments

The YES Secure CompuWall Firewall System

The YES Secure CompuWall is an Application Level Firewall with web management, especially designed for small and medium-sized networks.

It protects the borders of different network segments by means of physical separation.

Misconfiguration is prevented by the consistently applied principle:

"Everything not explicitly allowed is strictly prohibited."

The YES Secure CompuWall combines this high security standard with good performance and ease of use.

It is thus extremely well suited for small to medium-sized organizations, but also for network transitions of larger organizations in which parts of the IT infrastructure shall be separated independently from the central IT infrastructure.

Special attention was paid to

  • the Security,
  • the Stability and
  • the Throughput

of the particular applications.

This architecture delivers the highest security level of all firewall architectures!

It particularly differs from the concept of "Stateful Inspection" firewalling.

SECURITY MECHANISMS

  • Access control at network level
    • Only permitted communication paths can be established.
  • Access control at user level
    • Access to single systems or system groups is granted only for authenticated users.
  • Administration of access rights
    • Access is only possible using protocols and services which have been defined and permitted by the administrator. A time limit is also possible.
  • Control at the application layer
    • Users are only granted access to commands relating to particular services, such as HTTP or FTP, which are necessary for their personal tasks. Commands which may be misused for illegal actions can be blocked. Data contents (also HTTPS) can be scanned and examined in a central way.
  • Isolation of service programs
    • All services are forced to pass special proxies. Each proxy starts with restricted permissions within an isolated part of the operating system. This protects the whole system from any security gaps or implementation mistakes.
  • Evidence retention, log analysis and alarming
    • All security related events can be logged and analyzed, or may additionally trigger an alarm.
  • Concealment of internal network structures
    • Knowledge of the communication paths makes work easier for a potential intruder. As a basic part of the security policy, it is therefore important to keep the structure of the protected network secret.
  • Encrypted administration
    • Management access is always encrypted, whether via HTTPS (additionally secured with a client certificate) or via SSH.

Concept of the High-Level YES Secure CompuWall

The YES Secure CompuWall management interface can be operated intuitively by the administrator, simplifying first orientation and facilitating the configuration of the firewall software.

The CompuWall stands out for the following criteria:

  • Overall protection by means of eXtended Unified Threat Management (XTM)
  • Very high security standard
  • Fast implementation and startup
  • Simple and intuitive operation
  • Structured rulebase
  • Detailed status notification

The YES Secure CompuWall is based on a security-optimized Linux operating system, the CryptoBastion OS, which was developed from the outset as an impregnable firewall system.

The same solid firewalling principle has remained since the early 90s, but was extended with a multitude of additional security features and optimizations.
The system's core is built out of proxy applications developed with many years of experience.

The YES Secure CompuWall is capable of configuring three different connection modes, which can also be used simultaneously:

  • non-transparent connections,
  • single transparent connections and
  • double transparent connections

This flexibility ensures a lean design and seamless integration of the Application Gateway into arbitrary network infrastructures.

YES Secure CompuWall - Features and Benefits

Service Programs
The YES Secure CompuWall delivers the whole functionality spectrum to secure the network borders of one or multiple organizations.
To satisfy the high security needs of your network infrastructure, special proxies were designed and developed:

OpenVPN Tunnel
OpenVPN access provides a straightforward way to connect external teleworkers to the company intranet, as well as easy and secure site-to-site company access.
Client software is available for the following operating systems: Linux, Windows XP, Windows Vista, PocketPC.

HTTP/HTTPS [AntiVIRUS]
Provides access to the World Wide Web with the option to filter on application level (ClamAV, Kaspersky AV®). We offer a special Kaspersky server license.

URL Filter
Based on categorized blacklists, configurable by means of domain names, URL fragments or regular expressions within the URL (additional whitelist for trusted URLs).

Phishing and Malware protection
Based on Google Safebrowsing blacklists, including automatic updates.

SSL Decrypter
Integrated solution for protection against viruses and malicious code within the HTTPS data stream (additionally for protection against phishing attacks).

Reverse Proxy
Integrated protection of internal servers or server farms within a DMZ.

MIME Filter
Ability to filter different MIME types.

Content Filter
Ability to filter Java, JavaScript and ActiveX elements and Cookies.

FTP [AntiVIRUS]
File download/upload with the ability to filter FTP commands.

TELNET
Administrative access to external servers, with the ability to log these sessions in detail (AUDIT).

ESMTP[AntiVIRUS/ AntiSPAM]
Protection for sending and receiving e-mails, by means of strictly separating the relevant processes. The ESMTP commands and options can additionally be filtered.

POP3 [AntiVIRUS/ AntiSPAM]
Receiving e-mails from external/internal e-mail servers.

NNTP
Access to newsgroups.

NET8
Proxy for Oracle database access.

RTSP
Real Time Streaming - Multimedia Proxy.

TCPR
Relay for TCP based applications.

UDPR
Relay for UDP based applications.

DNS
Enables forward/reverse name resolution across network borders.

PING
To check the reachability of remote entities.

MGNTP
Possibility to manage the YES Secure CryptoGuard VPN devices via a YES Secure CompuWall gateway.

Extended Functions - XTM - extended Threat Management

  • Detailed reporting functionality for e-mail and web traffic (exportable as PDF document).
  • URL filter mechanism for HTTP(S) connections, easy to configure, based on categorized blacklists. The lists used are compatible with the formats also used by Squidguard/DansGuardian. Exceptions may be specified in an additional whitelist.
  • IP blackholing: A list of IP addresses to which any network traffic shall be forbidden may be specified. All network packets concerned by this are rejected.
  • Uncomplicated, user based OpenVPN access with client and server certificates.
  • Integrated AntiVIRUS detection for the protocols HTTP(S), FTP, ESMTP and POP3 with ClamAV and/or Kaspersky® kavd (including automatic updates of the virus database).
  • AntiSPAM protection for the protocols ESMTP and POP3 with SpamAssassin and Realtime Blacklists (RBL).
  • Phishing and malware protection, based on Google Safe Browsing blacklists.
  • Host-IDS by means of AIDE (Advanced Intrusion Detection Environment), to control the integrity of system files and directories.
  • High Availability (Active/Active or Active/Passive) concept based on Heartbeat Version 2, also for transparent connections.
  • User authentication, globally for multiple services or session related, with password, SKey or hardware token, MAS (Mobile Authentication Service), LDAP or RADIUS authentication selectable.
  • Logging and alarming of security relevant events via e-mail (also via syslog protocol to a remote log server). The log content can be exported or automatically deleted according to time- or volume-related settings.
  • Easy installation of updates and patches via the graphical interface.
  • Reporting: The utilization of the individual system parameters is captured and displayed by day, week or month. The monitoring of the system resources is enabled via SNMP v3.
  • IP Masquerading: This Application Gateway technology hides your internal network from the outside world.
  • Support of Demilitarized Zones (DMZ): By using three or more network interfaces, arbitrary network segments can be built to secure e.g. public server machines.
  • Integrated backup, optionally encrypted (AES 256).
  • Time synchronisation with selectable NTP time servers.
  • Direct SSH access to the command shell via a JavaScript SSH terminal.
  • Simple licensing with USB token, for temporary as well as permanent licenses.
  • The firewall software provides only a minimum number of necessary commands. Additional tools, e.g. those needed for administrative purposes, are distributed on a CD-ROM.
  • Extremely simple initial start-up and installation, as well as intuitive configuration of the network options.
  • New Linux kernel 2.6.32.4 (32/64 bit support).
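
As an added illustration of the URL filter described above (both in the "URL Filter" service entry and in the XTM list), and not code from the page or the vendor, the following Python script evaluates a URL against Squidguard/DansGuardian-style blacklist files (domain entries, host/path prefixes and regular expressions) with a whitelist that takes precedence. All list contents and host names are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lists in the plain-text formats used by Squidguard/
# DansGuardian blacklists: one domain, one host/path prefix, or one regex
# per line; '#' lines are comments. Every host name here is made up.
BLACKLIST_DOMAINS = """
# category: malware (constructed sample)
bad.example
tracker.example
"""
BLACKLIST_URLS = """
cdn.example/ads/
shared.example/downloads/cracks
"""
BLACKLIST_EXPRESSIONS = r"""
(^|/)wp-login\.php\?.*action=register
\.(exe|scr)$
"""
WHITELIST_DOMAINS = """
updates.tracker.example
"""


def parse_lines(text):
    """Return the non-empty, non-comment entries of a list file."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def domain_matches(host, domains):
    """A domain entry matches the host itself and every subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class UrlFilter:
    def __init__(self, domains, urls, expressions, whitelist):
        self.domains = [d.lower() for d in parse_lines(domains)]
        self.urls = parse_lines(urls)
        self.expressions = [re.compile(e) for e in parse_lines(expressions)]
        self.whitelist = [d.lower() for d in parse_lines(whitelist)]

    def decide(self, url):
        """Return (verdict, matched list). The whitelist wins over every
        blacklist; a URL on no list is allowed, because the URL filter is a
        blacklist layered on top of the proxy's own access control."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        target = host + path  # host/path form used by 'urls' and 'expressions'
        if domain_matches(host, self.whitelist):
            return ("allow", "whitelist")
        if domain_matches(host, self.domains):
            return ("block", "domains")
        if any(target.startswith(u) for u in self.urls):
            return ("block", "urls")
        if any(rx.search(target) for rx in self.expressions):
            return ("block", "expressions")
        return ("allow", "not listed")


def build_sample_filter():
    """Filter loaded with the constructed sample lists above."""
    return UrlFilter(BLACKLIST_DOMAINS, BLACKLIST_URLS,
                     BLACKLIST_EXPRESSIONS, WHITELIST_DOMAINS)
```

Calling `build_sample_filter().decide(url)` returns the verdict and the list that produced it, which is the information a log entry or alarm for a blocked request would carry.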

Management via Web Browser

YES Secure CompuWall is managed via a browser. You can thus access your firewall easily and from any place.

The access is secured by means of SSL encryption (client certificate) and administrator authentication, rendering unauthorized access to your firewall impossible.

Your browser provides an intuitive graphical user interface with which the firewall can be operated without complicated commands. All menus are structured clearly and efficiently in such a way as to enable comfortable access to all provided security functions.

Figure 1: Screenshot of the YES Secure CompuWall graphical user interface

Figure 2: Screenshot of Spam statistics

Figure 3: Screenshot of an SMTP reject statistic

Technical Specification

CryptoBastion:  YES Secure CompuWall

Software / Operating System:  Especially secured and hardened Linux OS, based on kernel 2.6

Hardware:  Linux based server hardware with the following minimum requirements: VGA graphics adapter, 2 network interface cards, CD-ROM/DVD drive, hard disk > 8 GB, serial port, USB slot(s)

Application Gateway:  Single- or multi-homed

Network interfaces:  Gigabit and/or Fast Ethernet (up to 10 NICs)

Virtual Private Network:  OpenVPN access with user certificates and/or site-to-site

Proxies:
  AntiVIRUS:  HTTP(S), FTP, ESMTP, POP3
  AntiSPAM:  ESMTP, POP3
  transparent or non-transparent:  HTTP(S), FTP, POP3, RTSP, TELNET, NNTP, PING
  non-transparent:  HTTPS Decrypter, ESMTP, NET8, MGNTP, DNS

Generic Relays:
  transparent or non-transparent:  TCPR, UDPR
  double transparent:  TCPR

Authentication system:
  Local Authentication System:  Password, One-Time-Password (SKey), Mobile Authentication Service (MAS), IDENTD
  Remote Authentication System:  LDAP, RADIUS

Intrusion Detection:  Host Intrusion Detection System by means of AIDE

Throughput (1):
  http (2):  without proxy: approx. 880 Mbps (direct connection)
             with proxy: approx. 400 Mbps (LS (3): approx. 700 Mbps)
             with SSL: approx. 70 Mbps (LS: approx. 120 Mbps)
  tcpr (4):  without relay: approx. 930 Mbps (direct connection)
             with relay: approx. 880 Mbps (LS: approx. 920 Mbps)

High Availability:  In each case two redundant gateways work in Active-Active (load sharing) or Active-Passive (hot standby) mode, based on Heartbeat Version 2

Licensing:  USB token

Notes:
1. The throughput was measured by means of the following hardware components, within a gigabit network:
   Client: Dual XEON 3.2 GHz; Bastion: Quad Core XEON 1.6 GHz, 2 GB RAM; Server: Dual XEON 3.2 GHz
2. Measured in Mixed Mode (packet lengths: 0.5 kB, 5 kB, 50 kB, 500 kB and 5 MB) with 100 parallel client threads
3. LS denotes load sharing mode via two gateways with identical hardware specifications
4. Measured in 2007 with iperf -P100 (number of parallel client threads)

YES Secure CompuWall - Application Options

YES Secure CompuWall is specifically suited for the following applications:

  •  Connection of small and medium-sized organizations to the Internet
  •  Connection of branches or subsidiaries to central enterprise networks
  •  Protection of partial networks in large networks
  •  Special connections to existing networks (e.g. remote access)

Connection to the Internet

This is the core application of firewall systems. YES Secure CompuWall is optimized for small and medium-sized networks. It integrates all necessary functions in one device and can be easily administered by any PC.

Figure 4: Connection of the YES Secure CompuWall to the Internet

Connection of Branches to the Central Enterprise Network

Many organizations already have a central enterprise firewall and now wish to link their branch offices. Therefore, a secure and clear firewall solution is needed. The manufacturers of enterprise firewalls claim that branches can be managed as well with their products. However, this is often not practically feasible - e.g. if the branch office has its own network administration.

In these cases, YES Secure CompuWall is the ideal choice for the branch office.

Figure 5: Connection of branches to the central enterprise network

Protection of Departmental Networks

Many organizations already have a central enterprise firewall and now wish to protect certain internal departments such as the board or the HR department within their own internal network. The central firewall cannot be used for this purpose as it separates the entire enterprise network physically from the Internet, but not the board's network from the remaining enterprise network.

This, however, can be achieved by installing a small firewall which is easy to administer. In this case, YES Secure CompuWall is the optimum solution.

Figure 6: Protection of departmental networks by means of the YES Secure CompuWall

Protection of Remote access services

The central enterprise firewall does not always provide the flexibility needed to realize remote access (Remote Access Service) from the outside. Split responsibilities within an organization can furthermore be the reason why such access has to be secured separately.

In this case, YES Secure CompuWall presents itself as an independent solution with a high security standard.

Figure 7: Protection of remote access services by means of the YES Secure CompuWall

Advantages of the YES Secure CompuWall

Maximum security and maximum protection, Turn-Key-Solution, XTM

  • We provide a comprehensive security solution which will be integrated into your security concept (XTM - extended Unified Threat Management with AntiVIRUS, AntiSPAM and Host-IDS).
  • No security risks based on misconfiguration of the operating system. The routing functionality has been removed from the operating system kernel: no virtual but real network separation!
  • Optionally, the YES Secure CompuWall system may be extended with certified YES Secure CryptoGuard VPN devices. This extension provides you the ability of additional packet filtering on different network levels and the fast and secure encryption of communication data in between company departments.


High Performance, Stability, High Availability

  • The optimization of our firewall software guarantees a very high data throughput of the proxies on the application layer.
  • The CryptoBastion software, whether as YES Secure CompuWall or YES Secure CryptoWall, is well proven over years and you will be convinced by its stability and reliability.
  • The integrated high availability solution can be customized to the special requirements of each system environment.
  • No license limitation in terms of number of users or network connections.
  • No additional payments for the operating system or other software components.


Flexible, modular, forward looking

  • YES Secure CompuWall solutions are designed in a modular way and can be integrated relatively simply into your existing network configuration.
  • Should you change your network structure subsequently, you will find it easy to adjust the configuration.
  • Continuous ongoing development of new features, RFC conformity of the services and regular updates of operating system parameters guarantee that the security system incorporates the very latest technology and standards.


Plain, user friendly administration

  • The YES Secure CompuWall consists of a hardened operating system, the actual firewall software and the integrated web management.

YES, WE SECURE YOUR NETWORK

You can acquire the YES Secure CompuWall as a readily installed complete solution or just the software from us or one of our sales partners.

As an experienced provider of IT security services, we offer you a sophisticated and comprehensive security concept, which we will tailor to your security policy and your particular requirements in consultation with you.

Advice is a top priority!

We offer a wide range of service and support, including:

  •  Security studies, workshops
  •  Consulting and concepts
  •  Supply of hardware and software
  •  Installation
  •  Start of operation
  •  Training
  •  Service Level Agreements (SLA)

Make your choice and opt for your individual solution!

If you would like to receive more information about the products and services of YES Secure Networks, please do not hesitate to get in touch with us.
