Trayo has developed BeySafe, a high end
firewall appliance. Below you can find the technical specifications of
BeySafe.
Firewalls protect data networks. From a business standpoint, data networks are vulnerable and need protection because of:
- The confidentiality of data residing within and traveling across a network
- The integrity of the above data
- The availability of a network and its components
A firewall can participate in ensuring the confidentiality, the integrity and the availability of a network by granting or denying access to the network resources.
BeySafe is a firewall system that helps protect your network against attacks compromising the confidentiality, the integrity and the availability of your data and networks.
BeySafe is an appliance that supports several interfaces:
- Outside: one interface connected to the outside world. This interface has the lowest security level
- Inside: one interface connected to the local network
- DMZ: up to three additional interfaces where you can connect some servers or parts of your network to split them from your main local network
BeySafe has three main characteristics:
Actions, Rules and States
1- Actions:
The following actions are defined:
- Accept: accept an authorized packet and let it reach the inside networks
- Drop: drop the unauthorized packet without notifying the sender
- Reject: drop the unauthorized packet and send an ICMP error message to the sender notifying it of the unavailability of the host or the service
2- Rules:
BeySafe uses a set of rules to accept or block packets. These rules can be
configured using a web interface.
3- States:
BeySafe is a multi-layered stateful firewall. It inspects datagram headers and application services, but also applies the stateful packet filtering principles.
Stateful firewalls have two advantages. They operate more quickly than non-stateful firewalls because they do not need to inspect packets belonging to existing authorized communications. They are also more secure because they keep a state table for the connections instead of relying only on the TCP ACK flag. BeySafe defines four connection states. The protocol, the source and destination IPs and the source and destination ports determine each state:
- New: a client attempts to contact a server
- Established: the state changes from New to Established when the server answers; otherwise, the New connection is removed at the end of the communication or after a certain inactivity time
- Related: a Related connection is one that has an association with an Established connection but with a different protocol, source or destination IP address, or source or destination port. An example of a Related connection is the ICMP datagram sent by a router when a communication across an established connection is interrupted
- Invalid: when an error occurs during the processing of a datagram
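To make the four states concrete, here is an added example (not BeySafe's own code) of a minimal connection tracker that classifies packets into New, Established, Related and Invalid from the 5-tuple, as described above. The Packet class, the 30-second inactivity timeout for unanswered New entries, and the rule that an ICMP error matching no tracked connection is Invalid are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float                  # arrival time in seconds (constructed clock)
    icmp_error_for: Optional[FiveTuple] = None  # headers embedded in an ICMP error


NEW_TIMEOUT = 30.0   # assumed inactivity timeout for unanswered New entries


class ConnTracker:
    """State table keyed by the 5-tuple of the packet that opened the connection."""

    def __init__(self) -> None:
        self.table: dict = {}   # initiating 5-tuple -> [state, last_seen]

    def classify(self, pkt: Packet) -> str:
        if pkt.proto not in ("tcp", "udp", "icmp"):
            return "Invalid"                         # datagram cannot be processed
        self._expire(pkt.ts)
        key: FiveTuple = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: FiveTuple = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto == "icmp" and pkt.icmp_error_for is not None:
            o = pkt.icmp_error_for
            # Related if the embedded headers belong to an Established connection
            for cand in (o, (o[0], o[3], o[4], o[1], o[2])):
                if self.table.get(cand, [None])[0] == "Established":
                    return "Related"
            return "Invalid"                         # assumption: unmatched ICMP error
        if key in self.table:                        # same direction as the opener
            self.table[key][1] = pkt.ts
            return self.table[key][0]
        if reverse in self.table:                    # server answered: New -> Established
            self.table[reverse] = ["Established", pkt.ts]
            return "Established"
        self.table[key] = ["New", pkt.ts]            # first packet of a new attempt
        return "New"

    def _expire(self, now: float) -> None:
        # Unanswered New entries are removed after NEW_TIMEOUT seconds of inactivity
        stale = [k for k, (st, seen) in self.table.items()
                 if st == "New" and now - seen > NEW_TIMEOUT]
        for k in stale:
            del self.table[k]
```

A server reply that arrives after the New entry has expired is classified as New again, which is why a stateful rule set only accepts reply traffic for connections still present in the table.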
Fields used by the firewall rules: the rules match on the following fields:
- Protocol: tcp, udp or icmp
- Input interface
- Output interface
- Source IP
- Destination IP
For the TCP datagrams, we are also using:
- Source port
- Destination port
- SYN and other TCP flags
- TCP options
- Type of Service
For the UDP datagrams, we are also using:
- Source port
- Destination port
For the ICMP datagrams, we are also using the ICMP type and code.
BeySafe also filters using the connection state and the source MAC address. It can perform source and destination NAT. It also inspects the fragmentation of data packets. It also has other features:
- Web interface (HTTPS with username and password) for the configuration, maintenance and monitoring of the firewall appliance
- Built-in alarm system
- A backup procedure
- An auto-regeneration system that restores the firewall rules if they are deleted in an inappropriate way, by a hacker for example
- A remote secure maintenance procedure to allow the maintenance teams to gain remote access to the appliance securely
- Activation and deactivation of the HTTPS access from the outside zone, and a blocking feature for the allowed traffic from the outside zone in case of an attack on the firewall box itself
The current appliance fits the needs of small and medium-sized companies. It was tested remotely by Qualys, an American company that is a leader in vulnerability scanning and penetration testing.
To address the needs of large companies, we are developing the following new features:
- GRE and IPSEC tunnels
- DHCP server
- Integration of SNMP
- Integrated IDS/IPS
- High availability appliance or failover feature
- IPv6
- Handling of active FTP and similar applications
We are also developing a revolutionary intelligent box that does not require any firewall rules or IDS/IPS signatures. It works using intelligent profiling with pre-loaded universal profiles.