Edge security, that is, security at your Internet access point, is a familiar, tried-and-true approach in the industry. Threats to your systems, however, are not limited to the Internet. Your systems are exposed not only from the outside but from internal and partner sources as well. igxglobal's security appliances have the integration flexibility and performance to provide core security as well as edge security.
Much like a ship with watertight compartments, well-placed core security components can ensure protection and business continuity in the event of virus outbreaks as well as limit users' access to internal resources.
Significant cost-savings have been realized by organizations that contained outbreaks with this intelligent design.
Core security does not always require a redesign. In most instances, igxglobal's expert implementation engineers can transparently integrate this level of security with little to no modifications to your existing environment.
Route-based access control
Each igxglobal firewall is implemented with a minimum of two internal virtual routers: an untrusted router and a trusted router, which together control the flow of traffic. As a first line of defense, route-based access control allows access only to customer-specified networks or hosts. Because it decides on the destination address alone, it is fast, requires minimal resources, and drops traffic bound for destinations that have no configured route.
Because Internet (untrusted) routing and internal (trusted) routing are mutually exclusive functions, igxglobal keeps them in separate virtual routers with separate routing tables; internal routes are not visible to the Internet-facing router unless they are explicitly exported.
Policy-based access control
The foundation of the firewall, policies allow or deny access to networks or specific hosts based on a number of traffic attributes:
- Source
- Destination
- Service (protocol and port)
- Scheduled time
- Authentication (user identity, not just address)
Supplemental capabilities that provide further control:
- Per-policy network/port address translation
- Logging
- Per-policy bandwidth and prioritization
- Utilization monitoring and alarming
Denial-of-Service Protection
Many of the mechanisms that make IP communication reliable can be manipulated and, if left unchecked, could topple even the largest networks. igxglobal offers integrated, in-depth denial-of-service protection. These capabilities include:
- Flood protection for TCP, UDP and ICMP
- Address sweep and port scan detection and denial
- Source and destination IP session thresholds
- IP protocol anomaly detection
- TCP anomaly detection
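The screening categories above can be illustrated with a small threshold detector run over a session log. The following Python is an added example and not igxglobal's or any vendor's code: the session-record format, the thresholds and the log entries are constructed for illustration, and a real appliance tunes its thresholds per deployment.

```python
"""Threshold-based flood, sweep, scan and anomaly detection over a constructed session log.

Added example; not vendor code. Record format and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for icmp
    flags: str     # TCP flags on the first packet, e.g. "S", "SA", "SF"; "" for non-TCP


# Assumed thresholds (constructed for this example)
WINDOW_SEC = 1.0            # counts are evaluated per one-second bucket
SYN_FLOOD_LIMIT = 100       # half-open SYNs to one destination per window
SWEEP_LIMIT = 10            # distinct destinations touched by one source per window
PORT_SCAN_LIMIT = 10        # distinct ports on one destination probed by one source per window
SRC_SESSION_LIMIT = 50      # sessions opened by one source per window


def tcp_flags_anomalous(flags: str) -> bool:
    """Flag combinations no legitimate stack sends: SYN+FIN together, or no flags at all (null scan)."""
    return ("S" in flags and "F" in flags) or flags == ""


def detect(sessions: list) -> dict:
    """Return {alert_type: set_of_offenders}; thresholds are applied per one-second bucket."""
    alerts = {"syn_flood": set(), "sweep": set(), "port_scan": set(),
              "src_limit": set(), "tcp_anomaly": set()}
    buckets = defaultdict(list)
    for s in sessions:
        buckets[int(s.ts // WINDOW_SEC)].append(s)

    for bucket in buckets.values():
        half_open = defaultdict(int)     # dst -> SYN-only count
        dsts = defaultdict(set)          # src -> destinations touched
        ports = defaultdict(set)         # (src, dst) -> (proto, port) pairs probed
        per_src = defaultdict(int)       # src -> sessions opened
        for s in bucket:
            per_src[s.src] += 1
            dsts[s.src].add(s.dst)
            ports[(s.src, s.dst)].add((s.proto, s.dport))
            if s.proto == "tcp":
                if s.flags == "S":
                    half_open[s.dst] += 1
                if tcp_flags_anomalous(s.flags):
                    alerts["tcp_anomaly"].add(s.src)
        alerts["syn_flood"].update(d for d, n in half_open.items() if n >= SYN_FLOOD_LIMIT)
        alerts["sweep"].update(src for src, d in dsts.items() if len(d) >= SWEEP_LIMIT)
        alerts["port_scan"].update(k for k, p in ports.items() if len(p) >= PORT_SCAN_LIMIT)
        alerts["src_limit"].update(src for src, n in per_src.items() if n >= SRC_SESSION_LIMIT)
    return alerts


def sample_sessions() -> list:
    """Constructed traffic: one attack of each kind plus a little legitimate traffic."""
    log = []
    # SYN flood: 150 half-open SYNs from spoofed sources to one web server within 0.75 s
    log += [Session(i * 0.005, f"198.51.100.{i % 250}", "192.0.2.10", "tcp", 80, "S") for i in range(150)]
    # Address sweep: one source pings twenty hosts
    log += [Session(5.0 + i * 0.01, "203.0.113.5", f"192.0.2.{i + 1}", "icmp", 0, "") for i in range(20)]
    # Port scan: one source probes thirty ports on one host
    log += [Session(10.0 + i * 0.01, "203.0.113.7", "192.0.2.10", "tcp", i + 1, "S") for i in range(30)]
    # Session-limit abuse: one source opens sixty complete sessions to one service
    log += [Session(15.0 + i * 0.01, "203.0.113.9", "192.0.2.10", "tcp", 443, "SA") for i in range(60)]
    # TCP anomaly: a SYN+FIN probe
    log.append(Session(20.0, "203.0.113.11", "192.0.2.10", "tcp", 22, "SF"))
    # Legitimate traffic, well under every threshold
    log += [Session(25.0 + i, "10.1.2.3", "192.0.2.10", "tcp", 443, "SA") for i in range(3)]
    return log


if __name__ == "__main__":
    for kind, offenders in detect(sample_sessions()).items():
        print(kind, sorted(map(str, offenders)))
```

Each detector keys on a different aggregate (SYNs per destination, destinations per source, ports per source-destination pair, sessions per source), which is why a port scan with thirty SYNs is reported as a scan and not as a flood: it stays below the flood threshold but far above the port threshold.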
Network and port address translation
Not every host that communicates over the Internet has an Internet-routable IP address. It is quite common for organizations to use private address space (RFC 1918) and to network- and port-address translate it as needed for Internet communications. It is also common for many organizations to use the same private address ranges, which makes it harder for partner companies to interconnect because their addresses overlap. igxglobal's offering makes it easy to interconnect with the Internet as well as to exchange information with partner networks via extranet connectivity.
Translation capabilities include:
- One-to-one address mapping
- One-to-many address and port translation
- Policy mapping based on source, destination and service
- Service-based port redirection
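To make the translation types above concrete, here is a small NAT table in Python. It is an added example and not igxglobal's code; the public address 203.0.113.1, the private hosts, the redirect target and the port pool are constructed for illustration. It shows one-to-one mapping, one-to-many port translation with the reverse lookup that return traffic needs, service-based port redirection for an inbound service, and the consequence that an unsolicited inbound packet with no mapping has nowhere to go and is dropped. Which translator applies to a given flow would, per the page, be chosen by the matching policy; that selection is not modelled here.

```python
"""Network and port address translation table (added example; not vendor code).

Addresses come from the documentation ranges and are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Translator:
    def __init__(self, public_ip: str, one_to_one: dict | None = None,
                 redirects: dict | None = None, port_range: tuple = (1024, 65535)):
        self.public_ip = public_ip
        # One-to-one mapping: private host <-> dedicated public address, both directions
        self.one_to_one = dict(one_to_one or {})
        self.one_to_one_rev = {pub: priv for priv, pub in self.one_to_one.items()}
        # Service-based redirection: (public address, proto, port) -> (internal host, port)
        self.redirects = dict(redirects or {})
        # One-to-many (PAT) state: many private sources share public_ip, told apart by port
        self.next_port = count(port_range[0])
        self.port_max = port_range[1]
        self.pat = {}        # (private src, sport, proto) -> public port
        self.pat_rev = {}    # (public port, proto) -> (private src, sport)

    def outbound(self, f: Flow) -> Flow:
        """Translate a packet leaving the private network."""
        if f.src in self.one_to_one:
            return Flow(self.one_to_one[f.src], f.sport, f.dst, f.dport, f.proto)
        key = (f.src, f.sport, f.proto)
        if key not in self.pat:
            port = next(self.next_port)
            if port > self.port_max:
                raise RuntimeError("PAT port pool exhausted")   # the failure mode to monitor for
            self.pat[key] = port
            self.pat_rev[(port, f.proto)] = (f.src, f.sport)
        return Flow(self.public_ip, self.pat[key], f.dst, f.dport, f.proto)

    def inbound(self, f: Flow) -> Flow | None:
        """Translate a packet arriving from the Internet; None means no mapping exists and it is dropped."""
        if f.dst in self.one_to_one_rev:
            return Flow(f.src, f.sport, self.one_to_one_rev[f.dst], f.dport, f.proto)
        redirect = self.redirects.get((f.dst, f.proto, f.dport))
        if redirect is not None:
            host, port = redirect
            return Flow(f.src, f.sport, host, port, f.proto)
        if f.dst == self.public_ip and (f.dport, f.proto) in self.pat_rev:
            src, sport = self.pat_rev[(f.dport, f.proto)]
            return Flow(f.src, f.sport, src, sport, f.proto)
        return None


def demo() -> dict:
    """Walk one flow of each kind through the table and return the results."""
    t = Translator("203.0.113.1",
                   one_to_one={"10.1.0.5": "203.0.113.5"},
                   redirects={("203.0.113.1", "tcp", 80): ("10.1.0.20", 8080)})
    out = t.outbound(Flow("10.1.0.7", 40000, "198.51.100.9", 443))      # PAT: 10.1.0.7:40000 -> 203.0.113.1:1024
    back = t.inbound(Flow("198.51.100.9", 443, out.src, out.sport))     # reply is mapped back to the private host
    mip = t.outbound(Flow("10.1.0.5", 5555, "198.51.100.9", 25))        # one-to-one: address changes, port kept
    web = t.inbound(Flow("198.51.100.9", 2222, "203.0.113.1", 80))      # redirect: public :80 -> 10.1.0.20:8080
    stray = t.inbound(Flow("198.51.100.9", 3333, "203.0.113.1", 2000))  # no mapping -> dropped
    return {"out": out, "back": back, "mip": mip, "web": web, "stray": stray}


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name:6} {flow}")
```

Note that translation is not access control: a one-to-one mapping or a redirect makes an internal host reachable from the outside, so the policy that permits or denies that traffic still has to exist, and the port pool is a finite resource that a flood of outbound sessions can exhaust.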
Perspective / zone-based security
A zone groups interfaces, and the systems behind them, that share a level of trust. Every packet is classified by the zone it arrived from and the zone its destination belongs to; that pair is the packet's perspective, and policies control the flow of traffic between zones.
Zones make security easier to manage by stating allowed and denied traffic flows in terms of zone pairs rather than individual addresses. The perspective also exposes spoofed and other bogus traffic: a packet whose source address belongs to one zone but that arrives on an interface of another can be dropped before any policy is consulted, which both increases security and simplifies management.
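The policy attributes listed under policy-based access control (source, destination, service, schedule) and the zone perspective described here fit together in one evaluation path. The following Python is an added example and not igxglobal's code: the interface-to-zone bindings, zone prefixes, service table, addresses and rulebase are all constructed for illustration, and a real appliance expresses the same ideas in its own configuration.

```python
"""Zone-based policy evaluation (added example; not igxglobal's code).

Interface-to-zone bindings, zone prefixes, services and policies are constructed
for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interfaces are bound to zones; each zone owns the prefixes that legitimately originate there
ZONE_OF_INTERFACE = {"eth0": "untrust", "eth1": "trust", "eth2": "dmz"}
ZONE_PREFIXES = {
    "trust": [ip_network("10.1.0.0/16")],
    "dmz": [ip_network("192.0.2.0/24")],
    "untrust": [ip_network("0.0.0.0/0")],   # everything not claimed by a more specific zone
}
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53), "SSH": ("tcp", 22)}


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src: str                      # CIDR
    dst: str                      # CIDR
    service: str                  # key of SERVICES or "ANY"
    action: str                   # "permit" or "deny"
    hours: tuple | None = None    # (start_hour, end_hour) schedule; None means always


def zone_for_address(addr: str) -> str:
    """Zone owning the most specific prefix that contains addr."""
    ip = ip_address(addr)
    best, best_len = "untrust", -1
    for zone, nets in ZONE_PREFIXES.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


def is_spoofed(pkt: Packet) -> bool:
    """Perspective check: the source must belong to the zone of the interface it arrived on."""
    return zone_for_address(pkt.src) != ZONE_OF_INTERFACE[pkt.iface]


def policy_matches(p: Policy, pkt: Packet, from_zone: str, to_zone: str, hour: int) -> bool:
    if (p.from_zone, p.to_zone) != (from_zone, to_zone):
        return False
    if ip_address(pkt.src) not in ip_network(p.src) or ip_address(pkt.dst) not in ip_network(p.dst):
        return False
    if p.service != "ANY" and (pkt.proto, pkt.dport) != SERVICES[p.service]:
        return False
    return p.hours is None or p.hours[0] <= hour < p.hours[1]


def evaluate(policies: list, pkt: Packet, hour: int) -> tuple:
    """Return (action, reason) for a packet seen at local hour 0-23. First match wins; no match is denied."""
    if pkt.iface not in ZONE_OF_INTERFACE:
        return "deny", "unknown interface"
    if is_spoofed(pkt):
        return "deny", "source address does not belong to ingress zone"
    from_zone, to_zone = ZONE_OF_INTERFACE[pkt.iface], zone_for_address(pkt.dst)
    for i, p in enumerate(policies):
        if policy_matches(p, pkt, from_zone, to_zone, hour):
            return p.action, f"policy {i}: {from_zone}->{to_zone} {p.service} {p.action}"
    return "deny", f"no policy for {from_zone}->{to_zone}"


# Constructed rulebase: outbound web always, outbound SSH in office hours, one public web server in the DMZ
POLICIES = [
    Policy("trust", "untrust", "10.1.0.0/16", "0.0.0.0/0", "HTTPS", "permit"),
    Policy("trust", "untrust", "10.1.0.0/16", "0.0.0.0/0", "SSH", "permit", hours=(8, 18)),
    Policy("untrust", "dmz", "0.0.0.0/0", "192.0.2.10/32", "HTTP", "permit"),
    Policy("trust", "dmz", "10.1.0.0/16", "192.0.2.0/24", "ANY", "permit"),
]

if __name__ == "__main__":
    for pkt in [Packet("eth1", "10.1.5.5", "203.0.113.9", "tcp", 443),
                Packet("eth0", "10.1.5.5", "192.0.2.10", "tcp", 80),     # trust address arriving from the Internet
                Packet("eth0", "198.51.100.7", "192.0.2.11", "tcp", 80)]:
        print(pkt, "->", evaluate(POLICIES, pkt, 10))
```

The spoof check runs before the rulebase is consulted: a packet carrying a trust-zone source address that arrives on the untrust interface is denied regardless of what the policies would otherwise say, which is the "perspective" the section describes.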
Authentication
Sometimes a source is more than just an IP address. It is often necessary to verify the user before granting access to specific resources. igxglobal's "You-are-You" supports several authentication technologies, including:
- Integrated device user database
- RADIUS
- LDAP
- RSA SecurID
Proprietary operating environment
Proprietary operating environments offer an advantage in security, especially in what might be called short-term security: the window after a vulnerability in a commercial or open-source operating system is disclosed, when organizations have little or no time to react and exposure is heightened. Many security devices run on general-purpose operating systems with publicly known vulnerabilities, and each such environment has several layers (e.g., hardware, operating system, application) that must be secured and managed. A purpose-built environment narrows that exposure, although the appliance itself still needs to be kept current.
All igxglobal security appliances leverage a proprietary operating environment and the benefits it offers.
Technology environment
igxglobal's firewall appliance technologies are designed, developed, maintained and supported in the U.S. by a single organization. This eliminates the several layers of hardware, operating system and software that would otherwise be supported by different organizations. When a problem occurs in a multi-vendor stack, several organizations (e.g., hardware, operating system, application) may have to come together to identify and address it, and responsiveness often suffers as a result.
ConfigNET
igxglobal believes that security is not just a product, service or tool, but an overall approach. That is why igxglobal commits never to ship a product, across the world or across town, with an organization's configuration on it.
igxglobal's ConfigNET requires only a minimal configuration on a device in transit, one that does not put security policies, encryption secrets or network address ranges in untrusted hands to be misplaced or manipulated. The actual configuration is applied, securely, only after the device has been delivered to the organization's site.
Performance is important in the area of security -- not just for the purposes of achieving functional requirements, but also to support high burst events during outbreak and denial-of-service occurrences.
ASIC Architecture
igxglobal's services are built around security appliances that incorporate purpose-built ASIC technology. ASICs minimize latency and achieve far higher routing and encryption throughput than general-purpose PC-based platforms.
Ramp rate
Ramp rate is the number of new connections a device can set up per second. This is critical during a denial-of-service attack or a sudden burst of legitimate traffic, when a device that cannot keep up begins dropping new sessions. igxglobal's appliance solutions support some of the industry's highest ramp rates, with the capacity for more than 10 times the ramp rate of standard firewalls.
Throughput and latency
igxglobal's security appliances are rated to operate at line speed and are known industry-wide for high throughput and low latency. This holds for both routed cleartext traffic and IPsec-encrypted traffic, a dual role that the same device fulfills.
Network security tools differ greatly from the standard communication equipment on which the industry has relied. Beyond their security function, however, these devices still need to fit seamlessly into the infrastructure.
igxglobal provides multiple ways to integrate access control mechanisms into the network environment. These include:
Route-based implementation
igxglobal's appliances can be easily implemented in a routed environment using a variety of routing methods, including:
- Static routes
- OSPF
- BGP (iBGP & eBGP)
- RIP
Advanced functions offer route-level access control lists (ACLs), route maps, and the ability to import or export routes.
Transparent implementation
A unique and advanced solution, transparent mode integrates the firewall as a layer 2 device, much like a switch, while still enforcing layer 3 and layer 4 policies. This approach suits several situations:
- The need for security exists, but redesigning the network (readdressing or changing routing) is not possible.
- A "hidden" layer of security is needed: because a transparent firewall has no routed hop of its own and does not decrement the TTL, it does not appear in a traceroute and is not revealed by firewalking techniques.
- A requirement exists for inline security to work in conjunction with unsupported, custom or proprietary protocols.
Support for VLANs
A powerful and robust VLAN capability allows the VLANs of an existing switched environment to be mapped onto security zones. VLAN tags are recognized by the security appliance, each VLAN is designated to a zone, and policies then enforce the communication flows between each VLAN/zone pair.
This, combined with the device's performance capabilities, allows companies to leverage the solution -- not just at the network edge, but in the core.
Support for asymmetric networks
igxglobal's access control solution has the unique capability of supporting single- or multi-site asymmetric networking environments, in which the outbound and return halves of a flow may traverse different paths and therefore different devices. Organizations that leverage the power and performance benefits of asymmetric networking no longer have to sacrifice security.
One of the main reasons most organizations implement security is to ensure business continuity. igxglobal's security appliances are designed with the highest levels of availability in mind. These appliances are composed of state-of-the-art technology and do not require hard drives or any moving parts.
Stateful failover
A pair of firewall devices working together provides a redundancy protocol that automatically maintains all communication flows in the event of a failure. Advanced monitoring features provide split-brain protection and deliver sub-second, fully stateful session failover. This redundancy protocol operates in two modes:
- Active/Passive
A primary device is backed up by a passive secondary which will automatically and transparently activate upon disruption of the primary unit.
- Active/Active
Both devices are active and process traffic and policies, with session state shared between them. This is the mode that supports asymmetric networking, since either device may see either direction of a flow.
igxglobal harnesses the security of the firewall appliances and the performance of the ASIC to deliver secure, high-performance and extremely flexible IPsec VPN solutions. An encryption device typically has reach into many or all network components, yet encryption by itself is not access control: a tunnel authenticates the remote peer, not what the peer sends through it. igxglobal therefore believes that the encryption function should be integrated into, and protected by, an internal security-specific component.
In another departure from other products, igxglobal security appliances use a single VPN tunnel per remote site. Traffic crossing the tunnel is then subject to security policy in much the same way as standard traffic, instead of a separate tunnel being negotiated for every pair of protected networks. This intelligent approach also streamlines the number of tunnels needed to ensure effective encryption. Supported solutions include:
- Remote-to-site
igxglobal's solid software client runs on a Windows or Mac remote workstation to allow seamless yet secure access to the organization's system.
- Site-to-site
This feature allows the secure interconnection between remote internal or partner sites. igxglobal's security appliance is extremely flexible in interconnecting with other firewalls.
- VPN authentication
Advanced authentication such as RADIUS, LDAP and RSA SecurID can easily be integrated with any of the remote-to-site or site-to-site solutions.
- Cross-platform IPsec compatibility
Organizations can expect interoperability with any standards-compliant IPsec implementation. With granular and refined controls, igxglobal's security appliances interoperate with Cisco, Check Point, Nortel and many other devices adhering to the IPsec standards.
More and more organizations need greater control over the traffic that traverses their networks. Multimedia and Voice over IP (VoIP) applications are demanding on the infrastructure and require specific control elements.
igxglobal's security appliances rise to the occasion by offering not only the performance necessary to sustain these applications, but bandwidth utilization controls and traffic prioritization.
igxglobal's security appliances allow you to specify the maximum and minimum bandwidth that a particular application from a given source or destination may use. You may also set a priority mark that downstream infrastructure components recognize and honor.
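How a guaranteed minimum, a maximum cap and a priority interact once the link is oversubscribed is easiest to see worked through. The following Python is an added example and not igxglobal's scheduling algorithm; the link size, the policy classes and the offered demands are constructed for illustration.

```python
"""Per-policy bandwidth allocation: guaranteed minimum, maximum cap and priority.

Added example; not vendor code. Link capacity, policies and demands are constructed.
"""


def allocate(link_kbps: int, demand_kbps: dict, policies: dict) -> dict:
    """Split link_kbps among policies for one scheduling interval.

    policies: name -> (guaranteed_kbps, max_kbps, priority); a lower priority number wins.
    Step 1 honors every guaranteed minimum (never more than the class actually demands).
    Step 2 hands the remainder out in priority order, up to each class's demand and maximum.
    """
    alloc = {}
    remaining = link_kbps
    for name, (gmin, _gmax, _prio) in policies.items():
        share = min(gmin, demand_kbps.get(name, 0), remaining)
        alloc[name] = share
        remaining -= share
    for name in sorted(policies, key=lambda n: policies[n][2]):
        _gmin, gmax, _prio = policies[name]
        wanted = min(demand_kbps.get(name, 0), gmax) - alloc[name]
        extra = max(0, min(wanted, remaining))
        alloc[name] += extra
        remaining -= extra
    return alloc


# Constructed policy classes: (guaranteed, maximum, priority)
POLICIES = {
    "voip":   (2000, 3000, 0),    # latency-sensitive: guaranteed, capped, served first
    "video":  (1000, 6000, 1),
    "web":    (0, 10000, 2),      # best effort, no guarantee
    "backup": (0, 10000, 3),      # lowest priority; starves first under contention
}
DEMAND = {"voip": 2500, "video": 7000, "web": 5000, "backup": 8000}   # what each class offers

if __name__ == "__main__":
    print(allocate(10000, DEMAND, POLICIES))   # {'voip': 2500, 'video': 6000, 'web': 1500, 'backup': 0}
```

On a 10 Mbit/s link with 22.5 Mbit/s offered, VoIP gets its full demand (under its cap), video is held to its maximum, web receives only what is left, and backup gets nothing; with a guaranteed minimum, even the lowest-priority class is paid before higher priorities take the rest.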
Ease of Operation
First and foremost, igxglobal's security appliances achieve their purpose reliably. Once implemented, there is only a simple operating environment to manage. Upgrades take a few minutes and are remotely managed by igxglobal's Security Operations Centers over a double-encrypted, reliable connection. This allows for a significant reduction in ownership and operational costs compared to competing technologies.
Breadth of offering
igxglobal's security appliances can support businesses of all sizes, from the largest data centers and mid-size sites to the SOHO environment and remote user. When implemented with ConfigNET and stringent security standards, igxglobal's offering delivers a superb end-to-end organizational solution. Moreover the configuration and management standards remain the same from the SOHO offering to the large data center platform. This also minimizes the ongoing operating and ownership costs.
More for Less
igxglobal's security appliances offer more capability for less than self-implemented or competing offerings. Our clients get superior security, top performance, encryption and bandwidth management capabilities in an appliance that is intelligently implemented and diligently monitored and maintained.