FirewallControl
First-class IN-BAND/OUT-OF-BAND access to firewalls for instant feedback and resolution

Overview

FirewallControl gives access to the firewall's console port for the purpose of monitoring and controlling the firewall's status. Whether it is a dedicated firewall appliance or a Linux server running firewalling software, remote access to the console port allows the same level of intervention as a local serial cable connection. In addition, the InfraNode's built-in power switch makes it possible to power the firewall down and up again should it stop responding completely.

Just like any other InfraReach product, FirewallControl allows IN-BAND/OUT-OF-BAND access to the firewall thanks to the controlling InfraNode's capability to automatically select an alternative path when standard connectivity is not available. This is key when dealing with firewalls: if the firewall is not working properly and needs urgent service, the IN-BAND access will most likely not be operative.

The InfraNode can be configured to automatically fall back to a PSTN connection to an Internet Service Provider, or even to mobile access via GSM/GPRS, when the normal connectivity is not available: this OUT-OF-BAND connectivity keeps the InfraNode always reachable and, as a consequence, keeps the firewall always maintainable.

Once connected to the InfraReachServer, the InfraNode authenticates itself using the IPPower Technologies Security Standard, which verifies the identity of the controlling node.

On the operator's side, the technician's PC runs the InfraClient software. Using a 1024-bit RSA key, stored in a scrambled, pass-phrase protected file on a removable USB memory device, InfraClient reaches the InfraReachServer and authenticates itself just as the InfraNode does.

After both sides have successfully authenticated themselves with the InfraReachServer, a secure tunnel is established over a direct IP connection between the InfraClient and the InfraNode, whatever kind of connectivity lies between them (local LAN or Internet).

At the same time, the InfraClient creates a virtual serial port on the maintainer's PC. This port is mapped, through the secure IP tunnel in which all data travels fully encrypted, to the firewall's console port, and any command sent to the virtual port automatically reaches the remote firewall. This way, any maintenance tool (such as Cisco Configurator for a Cisco PIX firewall, or a serial terminal for a Linux machine) is able to securely reach and operate the remote firewall simply by selecting the virtual serial port as the port the tool connects to.

Step-by-step to secure remote maintenance

Only a few simple steps are required for a technician using FirewallControl to initiate a maintenance session on a remote device:

1. The user navigates with his browser to the address of the InfraReachServer and logs in. The InfraReachServer's web interface shows a list of the remote devices the user has rights to access. Overall, the web interface is as easy to use as a normal web site or portal.

2. Next to the name of the remote firewall he wants to access, the operator finds the "Connect to this Firewall" link. The virtual serial port is then transparently created in the background.

3. No additional operations are usually required of the user: any serial maintenance tool (or network tool, when connecting to the firewall's Ethernet port) can be used on the virtual port just as if the connection were established locally with a cable.

Key features

Centralized management of single firewalls as well as complex networks

State-of-the-art security with 1024-bit RSA key authentication and strong encryption

Web based interface for maximum usability with minimum training

Compatibility with any third-party remote maintenance tool allows seamless integration with existing infrastructure and management tools


Security highlights

FirewallControl relies on IPPower's Secure Connectivity Services to create a strongly encrypted communication channel on top of existing connectivity services like the corporate network and/or the Internet.

The InfraClient application running on the user's PC and the remote InfraNode connect to each other after authenticating with the InfraReachServer. Both parties rely on a 1024-bit RSA key that guarantees their identities as well as the safe exchange of session-specific keys. Note that 1024-bit RSA is below the 2048-bit minimum that current guidance (for example NIST SP 800-57) recommends, so check the key sizes supported by the version in use.

A unique key is stored inside the InfraNode's hardware, whereas the user's key can reside in a scrambled, pass-phrase protected file, normally kept on a removable USB memory device.

Two-level security
The InfraReachServer's monitoring and administration functions require only a valid login, whereas any connectivity task, always performed by the InfraClient, also requires authentication via a user-specific RSA key. This enforces a higher security level on any task that directly involves manipulation of a remote device.

Supported firewalls

While FirewallControl allows raw access to any firewall through its console port, the complete range of functionality is available out of the box only for Cisco PIX firewalls. Nevertheless, thanks to the InfraNode's support for Web Buildable Scripts, any device-specific action in response to console feedback can be implemented by a skilled technician in a simple, standard C script. This makes it easy, for example, to implement monitoring and alarming for a Linux firewall configured to log its activity to the console port.
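The kind of console-feedback script described above, as an added example written for this page rather than code from IPPower or the InfraNode's WBS environment: it classifies console lines from a Linux firewall that logs netfilter drops and kernel events to its serial port and returns the severity an alarm would be raised at. The severity levels, the "IPT-DROP:" log prefix, the burst threshold and the sample lines are all assumptions; how the result is handed to the InfraReachServer's alarm system depends on the WBS API, which this page does not document.

```c
/* Added example (not IPPower's WBS code): a console-feedback classifier for
 * a Linux firewall that logs to its serial console.  Severity levels, the
 * "IPT-DROP:" LOG prefix and the burst threshold are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum severity { SEV_NONE = 0, SEV_WARNING = 1, SEV_MAJOR = 2, SEV_CRITICAL = 3 };

/* Individual dropped-packet LOG lines are noise; only a burst is worth an alarm. */
#define DROP_BURST_THRESHOLD 5

struct monitor_state {
    int drop_count;       /* dropped-packet log lines seen so far */
    enum severity worst;  /* highest severity seen so far */
};

/* Case-insensitive substring test: 1 if needle occurs in hay. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Classify one console line and update the running state.
 * - kernel panic / OOM: the box will need the InfraNode's power-cycle path
 * - NIC watchdog or link down: major, the firewall may be blackholing traffic
 * - netfilter LOG lines with the assumed "IPT-DROP:" prefix: counted, and
 *   escalated to a warning once the burst threshold is reached */
enum severity classify_console_line(struct monitor_state *st, const char *line)
{
    enum severity sev = SEV_NONE;

    if (contains_ci(line, "Kernel panic") || contains_ci(line, "Out of memory"))
        sev = SEV_CRITICAL;
    else if (contains_ci(line, "NETDEV WATCHDOG") || contains_ci(line, "Link is Down"))
        sev = SEV_MAJOR;
    else if (contains_ci(line, "IPT-DROP:") && contains_ci(line, "SRC=")) {
        st->drop_count++;
        if (st->drop_count >= DROP_BURST_THRESHOLD)
            sev = SEV_WARNING;
    }

    if (sev > st->worst)
        st->worst = sev;
    return sev;
}

/* Classify a line in isolation (fresh state), e.g. for a one-off check. */
enum severity classify_single_line(const char *line)
{
    struct monitor_state st = { 0, SEV_NONE };
    return classify_console_line(&st, line);
}

/* Feed a whole console capture through the classifier; the worst severity
 * seen is what the alarm notification would be keyed on. */
enum severity monitor_console(const char *const *lines, int count)
{
    struct monitor_state st = { 0, SEV_NONE };
    for (int i = 0; i < count; i++)
        classify_console_line(&st, lines[i]);
    return st.worst;
}

/* Constructed sample capture, not output from a real firewall. */
static const char *const SAMPLE_CONSOLE[] = {
    "[  120.0045] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "[  120.0051] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "[  120.0058] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389",
    "[  120.0063] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445",
    "[  120.0065] IPT-ACCEPT: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.5 PROTO=UDP DPT=53",
    "[  120.0070] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=1433",
    "[  125.3300] e1000 eth1: Link is Down",
};
#define SAMPLE_CONSOLE_COUNT ((int)(sizeof SAMPLE_CONSOLE / sizeof SAMPLE_CONSOLE[0]))

int main(void)
{
    static const char *const names[] = { "none", "warning", "major", "critical" };
    struct monitor_state st = { 0, SEV_NONE };
    for (int i = 0; i < SAMPLE_CONSOLE_COUNT; i++)
        printf("%-8s %s\n", names[classify_console_line(&st, SAMPLE_CONSOLE[i])], SAMPLE_CONSOLE[i]);
    printf("worst severity: %s\n", names[st.worst]);
    return 0;
}
```

Run on the constructed capture, the four leading drops stay silent, the fifth drop crosses the burst threshold and becomes a warning, and the link-down line raises the overall severity to major; a kernel panic line would take it to critical, which is the case where the power control described below is the only remaining remedy.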

Additional FirewallControl functionalities

Power control

In addition to secure IP tunnelling and virtual resource creation, InfraReach's exclusive power control functionality allows the user to perform a power-down/power-up cycle of the remote firewall, provided the InfraNode is wired to feed the firewall's input power cord. This way, a completely frozen dedicated firewall or Linux machine can be rebooted without any need for local access, and a firewall whose functionality has been compromised by an external attack can be cut off from the network immediately.

Backup and restore

FirewallControl can perform automatic backups of a supported firewall's configuration and can reload that configuration even after a total system failure, through a controlled boot procedure: the connected InfraNode powers the firewall down and then up, and immediately afterwards sends a signal to the firewall's console that lets the user upload a previously backed-up configuration. This way the firewall is restored to its normal condition within minutes and without any need for local access.

Monitoring and alarming

FirewallControl also supports a complete range of alarming functions, triggered by selected events as they happen. Any fault is immediately tracked by the InfraNode connected to the firewall, and all collected data is sent to the InfraReachServer, where full details about the state of health of the device are available.

This functionality is key to preventing critical or even dangerous situations, by making technicians aware of an impending problem in time through alarm notification via email or even SMS; the alarm reaction can be configured in fine detail on the basis of customizable alarm severities.

Connecting to the InfraReachServer with his Internet browser, the user has immediate visibility of the state of health of the monitored firewalls. In addition, a complete history of the alarms is available, along with a detailed view of each alarm. The technician can also handle each single alarm, or groups of alarms, and store and track every intervention made to solve the fault. This makes auditing and control easy and reliable.

Other functionalities

FirewallControl also supports a number of other functionalities, including:

  • Autologin, to centralize the storage of the devices' real passwords on the InfraReachServer, which instructs the InfraNode to perform the necessary login on the firewall before it makes the channel available to the user
  • Session recording, to track all commands and responses of every maintenance session and provide proof of what was done, when and by whom
  • Forbidden commands, to restrict access to critical operations on a per-group or even per-user basis
  • Scripting support, to allow a skilled technician to create new functionality in the InfraNode and in the central servers. Such scripts, called WBS (Web Buildable Scripts), are written directly in the web interface of the InfraReachServer
  • Performance reporting, with tabular and chart views to see and follow the overall performance of the managed network and its maintenance
  • Service Level Agreement management, with complete reporting and automatic compliance and discount calculation
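The forbidden-commands item deserves one caveat for PIX/IOS-style consoles: these CLIs accept unambiguous abbreviations, so a filter that compares the typed line with a denylist of full command strings lets "wr er" through while blocking "write erase". The following is an added example, not IPPower's implementation, of a per-group check that compares each typed token as a prefix of the corresponding denylist token; the group names and the denylist are constructed for illustration, and the naive version is kept alongside only to show what it misses.

```c
/* Added example (not IPPower's code): an abbreviation-aware "forbidden
 * commands" check for PIX/IOS-style consoles.  Groups and denylist are
 * constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_TOKENS 8
#define MAX_TOKEN_LEN 32

struct rule { const char *group; const char *command; };

/* "*" applies to every group.  Operators may not wipe or reboot the box;
 * helpdesk staff additionally may not enter or clear configuration. */
static const struct rule FORBIDDEN[] = {
    { "*",        "write erase" },
    { "*",        "reload" },
    { "helpdesk", "configure terminal" },
    { "helpdesk", "clear configure" },
};
#define FORBIDDEN_COUNT (sizeof FORBIDDEN / sizeof FORBIDDEN[0])

static int rule_applies(const struct rule *r, const char *group)
{
    return strcmp(r->group, "*") == 0 || strcmp(r->group, group) == 0;
}

/* Split on whitespace into lower-cased tokens; returns the token count. */
static int tokenize(const char *line, char toks[MAX_TOKENS][MAX_TOKEN_LEN])
{
    int n = 0;
    while (*line && n < MAX_TOKENS) {
        while (*line && isspace((unsigned char)*line))
            line++;
        if (!*line)
            break;
        int len = 0;
        while (*line && !isspace((unsigned char)*line)) {
            if (len < MAX_TOKEN_LEN - 1)
                toks[n][len++] = (char)tolower((unsigned char)*line);
            line++;
        }
        toks[n][len] = '\0';
        n++;
    }
    return n;
}

/* Naive check: the denylist string must literally start the line.  Kept to
 * show the gap: it misses abbreviations, extra spaces and upper case. */
int naive_forbidden(const char *group, const char *line)
{
    while (isspace((unsigned char)*line))
        line++;
    for (size_t i = 0; i < FORBIDDEN_COUNT; i++)
        if (rule_applies(&FORBIDDEN[i], group) &&
            strncmp(line, FORBIDDEN[i].command, strlen(FORBIDDEN[i].command)) == 0)
            return 1;
    return 0;
}

/* Abbreviation-aware check: every rule token must be matched, in order, by
 * a typed token that is a non-empty prefix of it.  For a denylist, matching
 * even ambiguous abbreviations (which the real CLI would reject anyway) is
 * the safe direction; trailing arguments after the rule tokens are ignored. */
int is_forbidden(const char *group, const char *line)
{
    char typed[MAX_TOKENS][MAX_TOKEN_LEN], rtok[MAX_TOKENS][MAX_TOKEN_LEN];
    int nt = tokenize(line, typed);
    for (size_t i = 0; i < FORBIDDEN_COUNT; i++) {
        if (!rule_applies(&FORBIDDEN[i], group))
            continue;
        int nr = tokenize(FORBIDDEN[i].command, rtok);
        if (nt < nr)
            continue;
        int k = 0;
        while (k < nr && typed[k][0] != '\0' && strlen(typed[k]) <= strlen(rtok[k]) &&
               strncmp(typed[k], rtok[k], strlen(typed[k])) == 0)
            k++;
        if (k == nr)
            return 1;
    }
    return 0;
}

int main(void)
{
    static const char *const tries[] = { "write erase", "wr er", "  WRITE  ERASE",
                                         "write memory", "conf t", "show run" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-16s naive=%d operator=%d helpdesk=%d\n", tries[i],
               naive_forbidden("operator", tries[i]), is_forbidden("operator", tries[i]),
               is_forbidden("helpdesk", tries[i]));
    return 0;
}
```

The filter should run on the InfraNode side of the tunnel, before the line reaches the console, and a blocked attempt is worth recording in the session log alongside the commands that were allowed through.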

For a detailed explanation of all these functionalities please take a look at the InfraReach Functionalities page.