Overview
FirewallControl allows access to the firewall's console port for the purpose of monitoring and controlling the firewall's status. Whether it is a dedicated firewall or a Linux server running firewalling software, remote access to the console port allows the same level of intervention permitted by a local serial cable connection. In addition, the InfraNode's built-in power switch makes it possible to power the firewall down and up if it stops responding completely.
Just like any other InfraReach product, FirewallControl allows IN-BAND/OUT-OF-BAND access to the firewall thanks to the controlling InfraNode's capability to automatically select an alternative path when standard connectivity is not available. This is key when dealing with firewalls: if the firewall is not working properly and needs urgent service, the IN-BAND access will most likely not be operative. The InfraNode can be configured to automatically use an alternative PSTN connection to an Internet Service Provider, or even mobile access via GSM/GPRS, when the normal connectivity is not available. This OUT-OF-BAND connection makes the InfraNode always reachable and, as a consequence, makes the firewall always maintainable.
Once connected to the InfraReachServer, the InfraNode authenticates itself using the IPPower Technologies Security Standard, which guarantees verification of the identity of the controller. On the operator's side, the technician's PC runs the InfraClient software, which uses a 1024-bit RSA key, stored in a scrambled, pass-phrase-protected file on a removable USB memory device, to reach the InfraReachServer and authenticate itself just as the InfraNode does. After both sides have successfully authenticated themselves with the InfraReachServer, a secure tunnel is established over a direct IP connection between the InfraClient and the InfraNode, no matter what kind of connectivity is used between them (local LAN or Internet).
At the same time, a virtual serial port is created on the maintainer's PC by the InfraClient. This port is mapped, through the secure IP tunnel in which all data travels fully encrypted, to the firewall's console port, and any command sent to the virtual port automatically reaches the remote firewall. This way, any maintenance tool (like Cisco Configurator for a Cisco Pix firewall or a serial terminal for a Linux machine) is able to securely reach and operate the remote firewall by selecting the virtual serial port as the port the tool will connect to.
Step-by-step to secure remote maintenance
Very few simple steps are required for a technician using FirewallControl to initiate a maintenance session on a remote device:
Key features
- Centralized management of single firewalls as well as complex networks
- State of the art security with 1024bit RSA key authentication and strong encryption
- Web based interface for maximum usability with minimum training
- Compatibility with any third-party remote maintenance tools allows seamless integration with existing infrastructure and management tools
Security highlights
FirewallControl relies on IPPower's Secure Connectivity Services to create a strongly encrypted communication channel on top of existing connectivity services like the corporate network and/or the Internet.
A unique key is stored inside the InfraNode's hardware, whereas the user's key can reside in a scrambled, pass-phrase-protected file normally kept on a removable USB memory device.
Two-level security
Supported firewalls
While FirewallControl allows raw access to any firewall through its console port, the complete range of functionalities is available right out of the box only for Cisco Pix firewalls. Nevertheless, thanks to the InfraNode's support for Web Buildable Scripts, any device-specific action in response to console feedback can be easily implemented by a skilled technician via a simple, C-standard script. This makes it easy, for example, to implement monitoring and alarming on a Linux firewall configured to log its activity on the console port.
Additional FirewallControl functionalities
Power control
In addition to the secure IP tunneling and virtual resource creation, InfraReach's exclusive power control functionality allows the user to perform a power-down/power-up cycle on a remote firewall if the InfraNode is wired up to feed the firewall's input power cord. This way, a completely frozen dedicated firewall or Linux machine can be rebooted without any need for local access, and a firewall whose functionality is compromised by an external attack can be cut off from the network immediately.
Backup and restore
FirewallControl is able to perform automatic backup of a supported firewall's configuration and can reload the configuration even in case of total system failure through a controlled boot procedure: the firewall is powered down and then up by the connected InfraNode, which immediately afterwards sends a signal to the firewall's console, enabling the user to upload a previously backed-up configuration. This way the firewall is restored to its standard conditions within minutes and without any need for local access.
Monitoring and alarming
FirewallControl also supports a complete range of alarming functionalities that trigger on selected events as they happen. Any fault is immediately tracked by the InfraNode connected to the firewall, and all collected data is sent to the InfraReachServer, where all details about the state of health of the device are available. This functionality is key to preventing critical or even dangerous situations: technicians are made aware of the incoming problem in time thanks to alarm notification via email or even SMS, and a fine-grained configuration of the alarm reaction is available on a customizable alarm severity basis.
By connecting to the InfraReachServer with an Internet browser, the user has immediate visibility of the state of health of the monitored firewalls. In addition, a complete history of the alarms is available along with a detailed view of each alarm. The technician can also handle each single alarm or groups of alarms and store and track all the interventions made to solve the fault. This makes auditing and control easy and reliable.
Other functionalities
FirewallControl also supports a number of other functionalities, including:
- Autologin, to centralize the storage of the device's real passwords on the InfraReachServer, which instructs the InfraNode to perform the necessary login operation on the firewall before it makes the channel available to the user.
- Session recording, to track all commands and responses of every maintenance session and provide proof of what has been done, when and by whom.
- Forbidden commands, to restrict access to critical operations on a per-group or even per-user basis.
- Scripting support, to allow skilled technicians to create new functionalities in the InfraNode and in the central servers. Such scripts, called WBS (Web Buildable Scripts), are written directly in the web interface of the InfraReachServer.
- Performance reporting, with tabular and chart views to see and follow the overall performance of a router network and its maintenance.
- Service Level Agreement management with complete reporting and automatic compliance and discounts calculation.
For a detailed explanation of all these functionalities please take a look at the InfraReach Functionalities page.