Network Firewall and Router

Advanced firewall

The built-in UserGate firewall provides additional LAN protection against hacker attacks and other sophisticated types of protocol-based intrusions by blocking traffic going through particular ports (TCP, UDP, or any other Internet protocol). Ports specified in the proxy settings (HTTP, FTP, SOCKS, etc.), as well as ports specified in Port Mapping, are included in automatically generated firewall rules (type auto). UserGate’s firewall system also processes packets not processed by NAT rules. If a packet is processed by the NAT driver, it will not be processed by the UserGate firewall.

Advanced NAT driver

The UserGate Network Address Translation driver (NAT driver) supports masquerading and is able to work in routing mode. Routing mode support allows the creation of several local subnets originating from the UserGate server, as well as network relationship management.

Multiple ISPs and connection failover

UserGate Proxy & Firewall lets you use several Internet Service Providers (ISPs) and make different providers available to different user groups. If the primary ISP connection is not stable, you can enable the Connection Failover feature to switch users to a secondary connection in case the primary connection is broken.

Routing

UserGate Proxy & Firewall routing support can be used to avoid installing additional hardware, such as a router. If there are several LAN interfaces on the machine where you run our solution, you can create rules that transmit packets between them in both directions.

Internet connection sharing (ICS)

With UserGate Proxy & Firewall, you can share single or multiple Internet connections, such as DSL, cable, dial-up, wireless, ISDN, or any other, among users in your local network. The server is visible both from the Internet by an external IP address and from a LAN (or several LANs) by an internal IP address.

Since the traffic goes through a single server, an administrator is able to protect the local network against threats, get detailed statistics and usage patterns, and control what is downloaded or uploaded using flexible rules.

Proxy servers

UserGate includes a number of proxy servers for application layer protocols, such as HTTP, FTP, SOCKS, POP3, SMTP, SIP and H323. All of the proxies can work in transparent mode, eliminating the need to specify the proxy address and port in applications on user machines. You can also specify the particular network interface for which a proxy server should be enabled.

IDPS and Antivirus Protection

Triple-antivirus protection

It is critically important to ensure that all traffic coming into a local network is protected against viruses and spyware. UserGate Proxy incorporates three antivirus engines – from Kaspersky, Panda and Avira – to provide optional triple antivirus control, and check all inbound and outbound traffic on HTTP, FTP, SMTP and POP3.

Intrusion Detection and Prevention System

IDPS (Intrusion Detection and Prevention System) is a solution for monitoring malicious network activity. The primary purpose of IDPS is the detection of potentially dangerous activities, logging, threat prevention and reporting.

Detection of security breaches is usually performed with the help of heuristic rules and analysis of signatures of known attacks. Breach details are logged and a corresponding notification is sent to the console and/or system administrator via a specific communication channel. IDPS takes counter-measures against the breach by dropping the connection or reconfiguring the firewall to block incoming malicious traffic.

IDPS tracks activities in real time and quickly blocks attacks. Possible preventive measures include blocking of particular segments of network traffic, disconnection and notification of the network administrator.

Web Filtering and Access Control

User-based access management

UserGate Proxy & Firewall creates accounts of users to which Internet access is granted (or denied), traffic rules are applied, and for which statistics are calculated. A user's settings are defined based on specific parameters, such as an IP or MAC address, login/password, Active Directory account, or Windows login.

To simplify traffic management, users can be combined into groups by using the "Groups" feature. Another way to combine computers or users is through one of the many authorization methods. Administrators can choose either one or both methods to effectively manage multiple users, computers, and subnetworks.

Categorized URL filtering

Internet abuse in the workplace can cause many negative effects for a company, such as a decrease in work productivity, excessive traffic consumption, malware, identity theft, and copyright infringement. In order to minimize or eliminate problems caused by personal or even illegal use of the Internet, web filtering (also known as content filtering) is strongly recommended as part of your company’s security defenses.

The Entensys URL Filtering module helps add extra security to your local network. It is designed to enable administrative control over employee Internet downloads and to restrict access to potentially dangerous web sites if needed.

Traffic Management

Application firewall

Real-time communications – instant messaging, chat programs such as IRC, and web conferencing and peer-to-peer networking tools – are in regular use in many organizations today. Application filtering is designed to protect against security threats posed by Internet-based applications. Its purpose is twofold – to enable administrators to restrict personal use of Internet-based applications, such as instant messengers or peer-to-peer clients, and to protect a local network from application-specific Internet threats.

Speed limitations and traffic quotas

UserGate is very flexible in the way it allows system administrators to control traffic speed. There are two modules in UserGate where speed limits can be defined – "Traffic policy" and "Bandwidth management". The first one is used to define rules which are applied to certain users and user groups. The second one is used to restrict traffic according to certain parameters such as a specific adapter, protocol (e.g. TCP or UDP), source and destination IP address, and/or port.

Traffic quotas and time restrictions are specific to user-based management and allow limits to be set for a particular user or user group. When setting a traffic quota, an administrator has plenty of options to define a rule that fits particular circumstances. For instance, the rule can be set to activate when the requirements, such as a certain protocol or time of day, are met.

Internet traffic monitoring and reporting

UserGate Proxy & Firewall features a full-fledged statistics module that allows administrators and supervisors to enforce the company’s Internet access policy effectively. Statistics can prove the extent to which the Internet is abused in the workplace, and can serve as the primary basis for decision-making when it comes to restricting or blocking certain Internet resources for a specific user in order to fight the abuse.

A full-fledged VPN server

VPN (Virtual Private Network) is a method of setting up secure remote access to database, email and FTP servers over standard Internet channels. VPN technology is capable of protecting the traffic of any intranet and extranet systems, audio- and video-conferences and e-commerce solutions.

The system features a full-fledged VPN server supporting the creation of a "server-to-server" tunnel, inter-network routing and support of current VPN connections. Configuration of the VPN server is limited to setting a few parameters:

  • Interface to be used by the VPN server to accept inbound connections;
  • IP address of the VPN server;
  • Range of IP addresses of the virtual network that can be assigned to VPN clients;
  • And other parameters.

Initially, the IP address of the VPN server is viewed by UserGate as a regular local (LAN) interface, so this interface can be used either for routing rules between a local network and a VPN network or for creating NAT rules between a VPN network and the Internet.

Additional Features

Web statistics client

Statistics are available over the Internet through a regular web browser via the UserGate Web Statistics feature. The statistics are presented in the form of a web page with a user-friendly interface, graphs, and charts for better readability. The amount of information available depends on the access level of the viewer.

Billing system

UserGate has a built-in billing system, which performs automatic calculations of Internet expenses for each user based on time and/or traffic consumed. The administrator can introduce tariffs to the system, and apply them to users or user groups. Expenses are calculated according to those tariffs and are shown in the statistics.

Traffic manager

With the number of Internet-based applications and services constantly growing, administrators need to optimize application performance in their networks and avoid the negative effects of exceeding bandwidth limits. This can be accomplished through effective bandwidth management and by utilizing a tool that is specifically designed for that purpose. Our solution has all the features that are necessary for effective bandwidth management.

Web caching

Web caching is an important proxy server feature that accelerates service requests by retrieving content saved from a previous request in local storage (cache). A caching proxy keeps local copies of frequently requested resources, allowing large organizations to reduce their bandwidth usage and cost, while significantly increasing performance.

IP telephony support

UserGate Proxy & Firewall supports IP telephony and can work as a gateway for softphones and dedicated IP phones. IP telephony is another name for Voice over IP (VoIP), a family of technologies for delivering voice communications over IP networks. The great advantage of VoIP technology is its low cost, making it the best choice for corporate use instead of traditional copper-wire telephone systems.

DHCP support

Dynamic Host Configuration Protocol (DHCP) is a communications protocol enabling network administrators to automate and centrally manage the assignment of IP addresses in a network. DHCP allows an administrator to supervise and distribute IP addresses from a central point, and automatically sends a new IP address when a computer is plugged into a different location in the network.

Our product supports dynamic addressing and simplifies network administration by keeping track of IP addresses automatically. This means that a new computer can be added to a network without the hassle of manually assigning it a unique IP address.

Resource publishing

It may be necessary to make a local computer, which is running a certain service, accessible from the Internet. Normally, such services include FTP, Web, VPN, and mail servers. To make a service available from the outside, you need to redirect the requests sent to a gateway computer to the server or workstation where the target service is running. That is where the resource publishing feature in UserGate Proxy & Firewall comes in.

Remote administration

You can access the UserGate Proxy & Firewall server remotely from a computer other than the one where UserGate is installed. Simply run the UserGate installation file and select ‘UserGate Administrator Console’ to install. Once the administration console has been set up, you can connect to the UserGate computer from within your network or via the Internet by entering its IP address or DNS name.