



FireBrick®

 

The FireBrick® is a simple to use, intelligent hardware firewall. It prevents access to your systems except from trusted sources and for special purposes.

It can re-route traffic, bond multiple routes together, prioritise traffic, be remotely managed, monitor traffic, and separate and route all 5 ports. It is simple to use, has features to help prevent mistakes, supports VLAN tags and lots more.

Most of all, if you don't understand what all this firewalling is about, you can just plug it in and go. If you need special configuration, we can even talk you through the basic setup on the phone so that we can remotely configure the system for you.

The lights really can be set to cycle (like KITT in Knight Rider). You can also sync multiple FireBricks (8 works well) to create a "Mexican wave" in your rack! (They could, of course, be put to more practical uses... is there anything more practical than pretty light patterns?)


  • Overview
  • Standard Features
    • Filtering - What has or has not got access to what (what firewalls are all about, really).
    • Grouping - Allows you to give names to IP addresses and ports so as to make setting rules simple and less prone to error (e.g. with a group called customers, add a new IP to the group and they have that access).
    • Subnets & DHCP - The FireBrick acts as a router and a persistent DHCP server, i.e. it gives the same IP address to the same equipment: dynamic but fixed.
    • Port and IP Mapping
  • Optional Features
    • Extras - More of everything; if you have a very complex setup you may need to buy the extras pack.
    • Shaping - If you need to manage your bandwidth then this is the feature for you. You can reserve bandwidth, make traffic jump the queue, have low priority traffic take the back seat, or just abuse your position and make sure you always get maximum bandwidth for yourself. On a more serious note, VoIP is very fussy about latency, and this feature has made otherwise impossible connections work really well just by managing the bandwidth better.
    • Profiles - Allow you to change the rules. Profiles can be activated by time, by ping responses, or switched on manually. Routing, filtering and bandwidth management can all be assigned to profiles and changed by profiles.
    • Tunnels - Allow you to send traffic to another brick* on another network, normally used to create a VPN (*an open source Linux tunnel end point is also available).
    • Reporting - Provides additional information that can be used to monitor networks and give statistics on the managed hub.
    • 5 Port - Converts the FireBrick to have 5 separate firewall ports rather than one port and a 4 port managed hub.
    • VLAN - Allows VLAN tags to be used with VLAN switches to give even more security.
    • Other features are planned and will be released later.
  • Services
  • Pricing / Info Request

Overview

You can restrict the bandwidth available to low priority traffic such as news and email (or ensure additional bandwidth is reserved for high priority services such as VoIP) with traffic shaping.

This product is aimed at users with a fixed Internet connection presented as Ethernet with an RJ45 connection. The product is truly Plug and Play, allowing a level of protection straight from the box. The feature list is very comprehensive and includes Firewall, Tunneling, Stealth, Shaping, NAT, DHCP and 4 port managed hub. Features like these have hitherto only been found in very high cost equipment.

The FireBrick stealth feature allows the firewall to operate completely transparently to the network. It will not show up on any network scans or port scans. The tools that hackers might use to identify a firewall will not help them. As a result the FireBrick can be plugged into a network and the network still operates without any reconfiguration.

The tunnelling feature allows FireBricks to be connected so that the private addresses in one office can communicate with the private addresses in another office, using the Internet and the FireBricks' public addresses to carry an IP tunnel. This provides for a large virtual private network (VPN) using FireBrick tunnels. The tunnels are configured to operate only on specific public IP addresses, and use a shared secret/password to further protect against attack. Normal firewall filters can be applied to tunnelled traffic, allowing specific access between sites to be managed.



Standard Features

Filtering

This is the core firewalling function of a FireBrick. It controls the filtering table. The FireBrick has a bounce option which may confuse some port scanning equipment.


Grouping

This is the named IP and port group feature. It allows you to use a name for a group of IP addresses or a group of ports. For example, if you have to allow several types of access to your network for customer machines, with some firewalls you could need to add several new rules for each and every customer. With a FireBrick you just add the IP address to the customer group, and wherever that group is used that address is now allowed, denied, rejected or bounced (according to the rule). This reduces the chance of making mistakes in your firewall configuration as well as removing a real headache!

There are some special groups that predefine private address ranges, and one for the "currently logged in users". This allows a user to log into the brick on its WAN interface and, whilst not having any access to any configuration, create a hole or series of holes for the IP address that the user is using. This is very useful where external access needs to be given to users with dynamic IPs.
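
As an added illustration (not FireBrick configuration or code from this page), the sketch below models group-based filtering in Python: rules reference named IP and port groups, so adding one address to a group changes every rule that uses it. The group names, rule layout, first-match evaluation and default deny are assumptions made for the example.

```python
import ipaddress

# Constructed sample data using documentation address ranges.
# Group names, rule layout, first-match order and default deny are
# assumptions for this sketch, not FireBrick syntax.
IP_GROUPS = {
    "customers": ["198.51.100.10/32", "203.0.113.0/28"],
    "logged-in": [],  # filled when a remote user authenticates
}
PORT_GROUPS = {"support": {22, 443}, "web": {80, 443}}

# Rules name groups only; no raw addresses or ports appear here.
RULES = [
    ("customers", "support", "allow"),
    ("logged-in", "web", "allow"),
    ("customers", "web", "reject"),
]
DEFAULT_ACTION = "deny"


def in_ip_group(name, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in IP_GROUPS[name])


def decide(src, port):
    """Return the action of the first rule whose groups match."""
    for ip_group, port_group, action in RULES:
        if in_ip_group(ip_group, src) and port in PORT_GROUPS[port_group]:
            return action
    return DEFAULT_ACTION


def rules_using(ip_group):
    """List every rule a group edit will affect; review before adding."""
    return [r for r in RULES if r[0] == ip_group]


def add_to_group(name, cidr):
    # strict=True rejects entries like 192.0.2.77/24 (host bits set), so a
    # mistyped mask fails loudly instead of widening access.
    net = ipaddress.ip_network(cidr, strict=True)
    IP_GROUPS[name].append(str(net))
    return rules_using(name)
```

Because a single group edit fans out to every rule that names the group, the list returned by `add_to_group` is the set of rules to review before the change goes live.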


DHCP & Routing

Subnets and routing rules for traffic are defined here. The DHCP server is persistent, so as long as it has spare IP addresses it will always allocate the same IP address as you had last time: set your laptop to DHCP and you will have the SAME IP address every time you log in. There is even basic cable testing, so it will tell you if the cables in any port are damaged, broken or shorted, and how far down the cable. This is not its primary purpose, and more accurate equipment would normally be used.


Mapping (Port & IP)

Mapping ports and IP addresses is an important feature. Using this you can create an effective DMZ with just one firewall: you simply put a private block on the WAN interface and port map real IPs to those private addresses on the WAN side.



Optional Features

Optional features can be installed by purchasing a feature token. All of these are available on a standard FireBrick.

Extras

This provides additional filters, routes, administrative users, etc. It is useful for larger or more complex installations. It does not matter in what order features are purchased: if you have the extras pack and then get traffic shaping, you will have the additional traffic shaping rules that the extras pack offers.

Menu                   Normal   Extras
Administrative users   5        10 (including nobody user)
Profiles               10       100 (+3 pre-defined)
Shaping rules          30       100
Speed lanes            10       50
Subnets                5        30
Routing rules          5        100 (+subnets and default gateway)
IP groups              10       100
Port groups            10       100
Filters                30       100
Mapping rules          5        100


Shaping

Traffic shaping provides a means to group different types of traffic into speed lanes. The traffic grouping rules are much like filters in that they allow grouping on interface, IP source/target, protocol, and port source/target. The speed lanes themselves then allow the rate to each Ethernet interface to be set in whole KB/s. There are also options to allow spare capacity on one or more speed lanes to be taken up by other speed lanes.

The shaping rules also allow a master rate control to which all lanes are subject unless marked otherwise. This allows, for example, a master lane to be set for an outgoing ADSL line, and then certain types of traffic, e.g. voice over IP, to queue jump that limitation.


Profiles

Profiles are a general way to turn almost any of the rules within the FireBrick on or off, e.g. individual routing or filtering rules can be associated with a profile. There are standard profiles for 24/7 (always on), 9-5M-F, and 3amSun. A rule can also be associated with the negation of a profile, so "Not 24/7" means always off. These pre-defined profiles are available in every FireBrick.

The profiles feature allows manual, timed and ping based profiles to also be used.
  • Manual profiles are either on or off, and are controlled by a check box on the quick setup screen. This can be useful to allow a whole set of rules to be switched in one go.
  • Time based profiles can be set on or off for each whole hour in a week. This allows aspects of the FireBrick to be time based.
  • Ping profiles are on if there are responses to a ping being sent by the FireBrick, and off if there is no response. The pings can be via specific routes and gateways allowing the profile to be used to monitor an internet link or a server. When ping profiles change, a log can be generated.

Profiles can also be combined, making one profile dependent on another in some way. This allows complex combinations of time, manual switches and external availability to control operations of the FireBrick. A common use is for backup internet links, allowing a profile to control routing to a backup router if a main link stops working.


Tunnels

Tunnels are a way to create a virtual route from one FireBrick to another over an IP link. This allows virtual private networks (VPNs) to be created between FireBricks. The protocol used is proprietary but documented, and there is at least one Linux implementation, fbtunnel, freely available. The protocol allows authentication of tunnels (by IP and MD5/secret) but is not encrypted.


Reporting

Reporting provides a number of ways of extracting information from the FireBrick and includes:
  • SNMP monitoring of each port, and also traffic through speed lanes
  • Email log entries
  • Syslog log entries


Bonding

Bonding provides two ways in which multiple links can be combined:
  • Multiple gateway router bonding - typically used for bonding uplink on multiple ADSL lines. Packets can be sent round robin to up to 4 actual gateways allowing aggregation of the capacity even on a single data transfer session.
  • Weighted routing - typically used for bonding downlink on multiple internet links. Sessions can be sent via more than one gateway on a random probability basis which can be used with NAT to ensure replies come via a specific route. This allows aggregation of overall traffic levels although individual data transfer sessions will be limited to the speed of one link only.


5Port

The FireBrick normally operates with a WAN port and a LAN port (on a 4 port switch). In this mode the WAN and LAN can be reversed, putting the 4 port switch on the WAN. There are, however, only two interfaces for firewalling, WAN and LAN. The names of these can be changed as necessary.

The 5Port option changes the FireBrick to allow each port to be separately configured to operate independently or as a switch. There are 5 separate interfaces for firewalling. This allows configurations with 1, 2 or 3 additional DMZs as well as WAN and LAN if required. Stealth mode still operates between the WAN and LAN interfaces. The factory default for a 5 port switch is to have all 5 ports as distinct interfaces.


VLAN

Normally any VLAN tags received by the FireBrick are ignored and stripped off any packets sent through the FireBrick.

With the VLAN subnets feature you can set each subnet to have a VLAN identity. This means any traffic to that subnet is tagged with that VLAN tag. When used in conjunction with a VLAN capable switch, this allows independent subnets to operate on different groups of ports on the switch. When the FireBrick acts as a DHCP server, it serves addresses based on the VLAN tag of the request and hence allows independent DHCP allocations for each group of ports. Routing rules allow traffic to be routed to specific subnets.

VLAN identities are not a part of shaping, mapping or filtering rules, but by careful allocation of IP ranges to different VLAN subnets, these rules can use IP ranges to identify each port group.



Services

  • Managed configuration
    • We can provide full managed firewall configuration; with remote access we can make configuration changes for you.
  • Part configuration
    • You want a complex configuration to bond multiple ADSL lines with fall back to an ISDN router; you can handle the general rules but want us to configure the rest for you.
  • OEM builds
    • You want a lot of FireBricks with non-standard feature sets or new features (e.g. Public Access WiFi access points).
  • Training
    • If you are looking to deploy FireBricks and offer managed services, or if you just want one for yourself, we offer a range of training services: in house, classroom, one to one and internet distance learning are all available.



Pricing / Additional Information Request (all Fields are optional)

FireBrick: £350 + £150 per feature (discounts are available for volumes of 5+)




Copyright © Making I.T. Happen 2008 
