PDF Datasheet

Security Gateway Solution (SGS)

Tech Specification

Turnkey SMB VPN/UTM/Firewall Gateway

The SecureF1rst Security Gateway Solution (SGS) from TeamF1 is a comprehensive turnkey software package that combines a rich set of field-proven, standard components with an array of customizable options to provide OEMs/ODMs the ultimate in product flexibility.

As a member of TeamF1’s SecureF1rst line of innovative prepackaged solutions, the Security Gateway Solution enables OEMs/ODMs to deliver leading-edge VPN/firewall gateway devices to the market in record time at far less risk than traditional development approaches. Devices built around SecureF1rst SGS offer end-customers ironclad, advanced networking security; easy-to-use device management features; and multiple gateway options.

In order to create specific instances of SecureF1rst SGS, TeamF1 leverages pre-existing software blocks that have proven their merit in numerous deployments, not only minimizing risk for OEMs but also keeping licensing terms flexible. And only SecureF1rst SGS can offer such a comprehensive set of features with completely modular packaging that allows for full customization to meet an OEM’s specific requirements.

Flexible Connectivity
With SecureF1rst SGS, OEMs can build gateways between multiple LAN, WAN, and DMZ interfaces – plus any other security zones – of several different types. WAN interfaces can include DSL, cable modem, Ethernet, cellular data (3G/LTE) links, WiMAX or even a Wi-Fi client link. LAN interfaces can include a simple Ethernet port connected to an external switch, a built-in switch (an unmanaged or a “smart” managed switch), or a Wi-Fi access point. SecureF1rst SGS supports any combination of these examples, as well as auto failover from one ISP to another and load balancing between multiple network interfaces on the WAN side.

Mix and match SecureF1rst software modules
To create a fully customized device, OEMs first select from a comprehensive set of SecureF1rst software modules. TeamF1 then integrates the modules with other components to create validated router packages that meet an OEM’s specific needs. In addition to SecureF1rst modules, OEMs can select from third party modules provided by TeamF1 partner companies or modules developed in-house by OEMs.

The final custom touches are added by TeamF1’s professional services experts, who develop platform-specific components such as BSPs, bootloaders, drivers, and hardware accelerators for the OS platforms running Security Gateway Solution; integrate non-TeamF1 software modules; and customize the end-user management interface.

The end result is a standard, field-tested software solution in a production-ready custom package, with all the hardware integration, porting, testing, and validation completed by TeamF1. Some OEMs use this end result as a platform for their own innovation, adding further value-added OEM components during the life of the device.

Ironclad Networking Security

  • VPN provides secure site-to-site tunnels (for example, between a branch office and the head office) and remote-access tunnels for telecommuters and “road warriors” who connect from a remote endpoint to the head office. Several VPN types are available, including IPsec and PPTP VPNs as well as clientless and OpenVPN-compatible SSL VPNs. A VPN redundancy feature provides backup tunnels for failover when the primary tunnel goes down.
  • A Stateful Packet Inspection (SPI) firewall for IPv4 and IPv6 blocks unwanted Internet traffic such as Denial of Service (DoS) attacks and logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins.
  • Perimeter security, including Intrusion Detection/Prevention (IDS/IPS) that can be configured either to alert administrators when a significant event occurs or to take preventive action against threats, plus inline scanning for zero-day protection against viruses and other malware.
  • Network Address Translation (NAT) presents only one IP address to the Internet, preventing outside users from directly addressing any of a network’s local computers.
  • Port forwarding directs inbound traffic for a particular service to one local server, blocking or allowing specific traffic.
  • Web URL and keyword filtering enables administrators to block unwanted web addresses.
  • Extensive, real-time Unified Threat Management features such as web content filtering, gateway anti-virus, and wireless intrusion prevention with frequent malware signature updates provide enterprise-grade security capabilities.
  • A rock-solid DNS and DNSSEC implementation that thwarts common DNS vulnerabilities.

Features & Benefits

  • Proven TeamF1 software components lessen OEMs' risk.
  • Comprehensive set of features packaged to provide full customization of devices:
    • TeamF1 modules.
    • Third-party or OEM modules.
    • Custom-developed modules.
  • Ironclad networking security features including IPsec VPN, SSL VPN, IPS, etc.
  • Management features make it easy to configure VPN tunnels.
  • Multiple gateway options enable OEMs to build more flexible devices.
  • TeamF1’s validated software modules with extensive protocol support.
  • Full IPv6 support (host and router).
  • Performance features and hardware acceleration enable high-throughput networking.
  • Branding options offer a customized look & feel.

OS Platforms: Linux®, VxWorks® and other OSs.
Hardware platforms: MIPS®, ARM/Xscale®, PowerPC®, x86.

The SecureF1rst Advantage
SecureF1rst Security Gateway Solution is a complete turnkey solution for SMB security gateways that require UTM/VPN/firewall/router features with comprehensive management capabilities. The SecureF1rst Security Gateway Solution also features Krypto-Lite, TeamF1’s FIPS-certified common crypto framework, along with a suite of encryption and integrity components to secure and manage network traffic. Krypto-Lite also allows the seamless integration of TeamF1 security protocols developed to meet additional security and certification requirements.

Easy-to-use device management features

  • User-friendly browser-based remote web management—provided by interfaces that use an easy-to-understand, step-by-step wizard—simplifies configuration of even the most advanced VPN tunnel schemes.
  • Preconfigured security levels for one-click security setup.
  • Advanced AJAX-enabled web management powered by TeamF1's DynaMO (Dynamic Management Objects) technology offers cutting-edge interactive features including dynamic refresh, RSS feeds and search tags.
  • Flexible user profiles with different privilege levels, such as super-users, administrators, operators, and guests.
  • Multi-user features for simultaneous device management and information sharing, with two-factor authentication support for stronger identity management.
  • Simple Network Management Protocol (SNMP) enables administrators to remotely monitor and fully control network devices: manage configurations, generate usage reports, collect statistics, and monitor performance and security. Extensive notification flexibility can help alert administrators to events such as WAN port failover, traffic limits reached, login failures, and intrusion attacks.
  • Network usage and firewall policy implementation with scheduling options based on ToD (Time of Day).
  • A flexible and powerful command line interface (CLI) to configure and monitor a gateway device and automate common tasks. The CLI has a hierarchical command structure for direct execution of management commands using a serial/USB console or remote access mechanisms such as FTP/SFTP, Telnet/SSH and RCP/SCP and includes easy-to-use features such as line editing and history.
  • Support for device maintenance tasks: manufacturing test capability for ODMs, and device diagnostics and custom CLI scripts for administrators. Predefined CLI scripts can also be saved and run through the GUI.
  • Support for TR-069 and extension protocols for automatic configuration and provisioning of network devices.
  • Localization and internationalization support for multiple GUI users including session-specific localization for concurrent logged-on users.
  • Extensible internal management framework can be used with automated techniques such as XML/SOAP to aid in production testing and RMA failure analysis.

Gateway options

  • Multiple WAN interfaces of different types—Ethernet, xDSL, dialup, wireless WAN, etc.
  • Multiple LAN interfaces of different types—Ethernet, WLAN, integrated Ethernet switch, etc.
  • Fully managed features. Device administration features include upgrade capability, traffic monitoring, logging, and settings management.
  • Wireless networking provided by IEEE 802.11 a/b/g/n and many other Wi-Fi standards. With Wi-Fi, a device connected to a wired LAN can act as a single or multiple virtual access points with features like:
    • Wireless Distribution System (WDS) for wireless bridging and acting as a network backbone.
    • QoS support with traffic priority intelligence (802.11e WMM based).
    • Time of Day (ToD) access control.
    • SSID-based VLAN mapping.
    • Wireless client isolation.
    • IAPP and 802.11r support to enable multi-vendor access point interaction.
    • 802.11h capabilities for enabling Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC).

Unified Threat Management
TeamF1’s Security Gateway Solution enables OEMs to build fully integrated UTM devices. End customers have the tools necessary to carve out security zones and manage security policies in a centralized manner, thereby efficiently controlling network traffic.

  • Service blocking controls specific outbound traffic, for example, from LAN to WAN and from DMZ port to WAN.
  • Site blocking prevents access to certain sites on the Internet. Blocks specific keywords and domain names for content filtering and parental control.
  • High-performance network-based Intrusion Detection (IDS) and Intrusion Prevention (IPS) for continuous filtering and logging of malicious traffic, with real-time alerts and an integrated signature database update service.
  • Gateway Anti-Virus (GAV) capabilities support integration with a choice of anti-malware databases for continuous signature updates, providing gateway-level protection from virus attacks.
  • A highly effective Web Content Filtering (WCF) feature for enhanced gateway-level protection from URLs containing malicious content. Blocks web components like Java, ActiveX, and cookies to prevent malicious software from being installed inadvertently.
  • Robust Wireless Intrusion Prevention to thwart threats originating in wireless networks.

Aggravation-free branding
TeamF1 offers OEMs different ways to customize, or “brand” the graphical user interfaces (GUIs) of gateway devices. Options include:

  • Support for multiple themes that provide an OEM-branded look and feel with no programming or HTML changes.
  • Support for multiple GUI skins that provide GUI design customization beyond the use of OEM-branded colors and graphics, while requiring no code changes or retesting.
  • Advanced user interface control requiring some programming — using documented APIs supported by the flexible management framework. This enables additional programming elements like dynamic graphics, Flash, and Java that provide the ultimate in branding with a unique look and feel.

Other key features and protocols

  • Full support for IPv4 and IPv6 (host and router).
  • Certified IPv6 stack implementation, including transition mechanisms from IPv4 to IPv6 such as dual v4/v6 stack, 6-to-4, 6-in-4, ISATAP, and Teredo.
  • Static and dynamic VLAN creation, with switching, grouping, and membership support at layer 2 along with subnetting at layer 3 for inter-VLAN communication.
  • Quality of service (QoS) priority (also for VLANs). A QoS setting determines the priority of a service that, in turn, determines the quality of that service for traffic passing through a router. An administrator can change settings as needed.
  • Multi-PPPoE, PPTP and L2TP, both dynamic and static, available for ISPs worldwide. For example, SecureF1rst SGS supports PPTP (Austria) and Telstra BigPond (Australia).
  • Static and dynamic routing, including RIPv1, RIPv2 and RIPng. Other, more advanced dynamic routing protocols are available from TeamF1 partner companies for integration into SecureF1rst SGS.
  • A package management framework to securely install, update, or remove software features or drivers on the fly, managed through the web interface and CLI.
  • Performance features for fast LAN to WAN throughput in software-only implementation, quick VPN tunnel creation, and hardware acceleration support.
  • TeamF1’s OpenVPN compatible SSL VPN, InstanTunnel OmniSSL, for client-to-client, gateway-to-gateway and branch office connectivity through secure SSL VPN tunnels.
  • TeamF1’s clientless SSL VPN, InstanTunnel ExpreSSL, for fast and automatic SSL VPN connectivity of SSL clients on various platforms.
  • A comprehensive administration interface with concurrency support for using multiple device management interfaces at the same time.
  • Support for advanced protocols and features like RSTP, Bonjour, multicast filtering (IGMP snooping, directed multicast), and SIP (Session Initiation Protocol) Application Level Gateway.
  • DNS server/proxy support with DNSSEC. Dynamic DNS servers (DynDNS, lego, DDNS 3322 and others) supported.
  • SFTP/FTP, SSH/Telnet and SCP/RCP client and MTA (Mail Transfer Agent) server and client support.

Validated software components
TeamF1’s software component products are all extensively validated on a variety of embedded OSes and CPU platforms, including ARM/Xscale, MIPS, PowerPC, and x86 processors. TeamF1 components are also customized for a number of Linux and VxWorks versions and can target other popular embedded OSes.

Flexible Licensing Options
TeamF1’s embedded software products are licensed with very flexible terms, from cost-effective binary firmware and object-code licenses to full-source licensing, to best suit customers’ financial and technological requirements. Both production-license-fee and royalty-free options are available.

Customization Flexibility
SGS is based on the advanced SecureF1rst security platform with well-integrated modular technologies tailored to the SMB / SOHO / Home network equipment market. The modular approach enables easy customization of the solution to meet the end-product requirements, from a technical perspective as well as from a look-and-feel perspective. TeamF1's solution engineering team specializes in integrating and customizing our technologies into branded, ready-to-deploy turnkey solutions meeting specific market requirements.

Examples of deployment scenarios

Technical Specifications

Interfaces

  • Ethernet WAN (single or multiple)
  • xDSL/Cable/WWAN ISP and corporate LAN compatible
  • Wireless WAN (GPRS / EVDO / 3G / LTE / WiMAX)
  • Dialup WAN
  • Ethernet LAN port or switch (managed/unmanaged)
  • Wi-Fi LAN Access Point or client (e.g. Muni Wi-Fi or travel router)

Protocol Support

  • IP routing (IPv4 and IPv6)
  • TCP/IP, UDP, ICMP
  • STP, RSTP, MSTP
  • PPPoE, PPTP, L2TP client, including multi-instance capability
  • DHCP (with option 60 VCI support)
  • DNS/DNSSEC Server/Proxy
  • NTP, NTPv4
  • RIPv1, RIPv2, RIPng with multi-cast and authentication support
  • IPsec (ESP, AH), IKE, IKEv2
  • IEEE 802.11 standards including 802.11n
  • SIP, FTP and other common ALGs
  • Bonjour (Zeroconf), LLDP and other common discovery protocols

Networking Capabilities

  • Static Routing, Dynamic Routing
  • Unlimited users per port
  • Static IP address assignment
  • Internal DHCP server on LAN, including multi-instance DHCP server
  • DHCP client on WAN
  • PPPoE client support: Static and dynamic
  • Outbound protocol binding
  • PPTP (e.g. Austria DSL) client support for login
  • Telstra BigPond (Australia) authentication support
  • DHCP address reservation and MAC filtering
  • IGMP snooping and direct multicast
  • Dynamic DNS clients (DynDNS, Iego, PeanutHull, DDNS 3322, others)
  • NAT or classical routing
  • Transparent bridging
  • VLAN (static/dynamic, QoS, subnetting)
  • Port triggering
  • UPnP
  • Configurable MTU, PMTU discovery
  • Multiple LAN sub-nets
  • MTA (client and server)
  • Network device on USB (NAS, printer, 3G, WCN, storage device for sharing or firmware update)

Wireless Features

  • 802.11 a/b/g/n radio support
  • Customizable SSID
  • WEP/WPA/WPA2/WPS
  • Personal mode and Enterprise mode
  • MAC Access List
  • Disable SSID broadcast
  • Auto Channel detect
  • Rogue AP detection
  • QoS (WMM)
  • WDS (Wireless Distribution System)
  • Multi-radio, Multi-Virtual AP
  • Client Isolation on same AP
  • ToD (Time of Day) active AP
  • SSID based VLANs

IPv6 Features

  • IPv6 Ready (IPv6 Forum) certified implementation
  • IPv4 / IPv6 Dual-stack
  • Access to IPv4 service via IPv6 (WAN-to-LAN & vice versa)
  • Popular IPv6/IPv4 tunnelling mechanisms (6-to-4, 6-in-4, GRE, ISATAP, 6rd (IPv6 Rapid Deployment), Teredo, etc.)
  • IPv6 enabled web-based device management (HTTP / HTTPS)
  • SNMP, TR-069 over IPv6
  • IPv6-to-IPv6 NAT, NAT-PT
  • OSPFv3, RIPng, RADVD, MLD proxy
  • DHCPv6 Server / Relay with prefix delegation
  • Multiple IPv6 network on LAN
  • Multiple-WAN ports with IPv6 support
  • IPv6 WAN load balancing
  • PPPoE client for IPv6
  • IPv6 DNS Proxy
  • Full featured firewall and DMZ for IPv6
  • IPsec and SSL VPN over IPv6

Cryptography

  • MD5
  • SHA-1/ SHA-256/384/512
  • DES/3DES
  • AES 128/192/256
  • RC4
  • Blowfish
  • RSA/DSA
  • DH groups 1, 2, 5, 14
  • X.509 v3 certificates

Security Features

  • SPI Firewall
  • DoS Attack Resistance
  • Packet-filtering Firewall
  • IDS/IPS (Intrusion Detection/Prevention Service)
  • WIPS (Wireless Intrusion Prevention Service)
  • GAV (Gateway Anti-Virus)
  • WCF (Web Content Filtering)
  • Java / URL / ActiveX blocking
  • DNSSEC
  • E-mail alerts
  • Pre-set security levels in Firewall
  • Flexibility to restrict number of VPNs
  • Port / service blocking
  • 10,000+ tested VPN tunnels
  • Manual key and IKE SAs
  • Preshared keys and RSA signatures IKE authentication
  • Choice of advanced encryption and integrity algorithms
  • AH/AH-ESP support
  • Diffie-Hellman and PFS support
  • Main, Aggressive, Quick IKE modes
  • FQDN based VPN connections
  • Key and IKE lifetime settings
  • Replay attack prevention
  • Remote access VPN (client-to-site)
  • Site-to-site VPN: Hub and spoke, mesh
  • DHCP / DNS / L2TP over IPsec
  • InstanTunnel OmniSSL (OpenVPN compatible SSL VPN suite)
  • InstanTunnel ExpreSSL (Clientless SSL VPN Suite)
  • Microsoft MS-CHAP
  • IPsec NAT traversal (RFCs 3947/3948)
  • PNAC (Port based Network Access Control)
  • Kerberos Authentication Agent
  • Firewall multiple zones
  • VPN redundancy and backup
  • One to one and many to one NAT
  • XAUTH and External RADIUS server authentication
  • Internal local user database
  • VPN ModeConfig support for authentication
  • IKE keep-alive
  • Multiple schedules in firewall

Management and Administration

  • Intuitive, easily brandable browser based GUI
  • Login with two factor authentication
  • Multiple profiles and rights
  • SNMP v2c and v3 (control / monitor)
  • TR-069 family of protocols for remote access & provisioning
  • FTP/SFTP, Telnet/SSH, RCP/SCP
  • Serial console (RS232/USB) CLI support
  • SSL (HTTPS) based remote management with IP address restrictions
  • Display usage-reports & router status
  • Localization and Internationalization
  • Save/Restore configuration settings
  • USB thumb-drive booting and configuration/firmware backup/restore
  • GUI based firmware upgrade
  • Captive Portal
  • SYSLOG, email logs, alerts
  • SMTP authentication for emails
  • Traffic Metering
  • ToD (Time of Day) policies
  • Admin inactivity timeout
  • Configuration upload in ASCII
  • Restore factory defaults, last known good configuration
  • Comprehensive logging
  • Diagnostics ping, DNS lookup, trace-route, web-based packet capture
  • Support for manufacturing tests access for ODMs