Overview

Floodgate™ Firewall, one of the EDN Hot 100 products of 2011 and Embedded Computing Design Magazine's 2014 Most Innovative Software Product, is a complete embedded firewall providing a critical layer of security for networked devices. Its unique design provides multiple types of filtering to protect against Internet-based threats:

  • Static/rules-based filtering blocks packets based on configurable rules.
  • Dynamic filtering/stateful packet inspection (SPI) blocks packets based on connection state.
  • Deep packet inspection (DPI) for industrial automation protocols allows control and validation of each individual field within the message, and filtering of messages based on message type, contents and message source.
  • Threshold-based filtering blocks packets based on threshold crossings to protect against denial of service (DoS) attacks, broadcast storms and other packet flood conditions.

Floodgate Defender Filtering Engine

Cyber Threats for Embedded Devices

Internet-based attacks are on the rise and an increasing number of these attacks are targeting industrial devices. Cyber-criminals, hacking bots, industrial or international espionage agents and even terrorist groups are now targeting industrial, military and utility systems.

Reported attacks against industrial devices include:

  • Automotive manufacturing plant shutdown resulting from a cyber-attack.
  • Pipeline monitoring system that failed due to a DoS attack.
  • Train system delays caused by hackers.
  • Sewage spill caused by a control system hacked by an insider.
  • Proliferation of malware targeting industrial automation systems, including Stuxnet, Flame, Havex and BlackEnergy.

Features

  • Easily configured filtering rules.
  • Ethernet, IP/UDP/TCP/ICMP filtering.
  • Protocol-specific DPI for industrial automation protocols.
  • Layer-based callbacks allow easy integration at any layer in the IP stack.
  • Logging of blocked packets/policy violations.
  • Small footprint and efficient design for embedded systems.
  • Portable source code for use with any embedded RTOS and embedded Linux.
  • Whitelist or blacklist filtering modes.

Configurable Filtering Policies

Floodgate Firewall uses configured filtering rules to control the filtering engine. The rules provide complete control over the type of filtering performed and the specific criteria used to filter packets. Rules can be configured for:

  • Static filtering rules for IP address, MAC address, port number and protocol number.
  • Blacklist and whitelist filtering modes.
  • DPI filtering rules for message type, message contents and message source.
  • Threshold-based filtering criteria.
  • Independent enabling and disabling of static filtering, dynamic filtering, DPI filtering and threshold-based filtering.

With Floodgate Agent, configuration can be performed remotely with an enterprise security management system.

Floodgate Firewall Architecture


Static Filtering

Floodgate Defender’s static filtering engine uses easily configured rules to filter packets. The static filtering engine supports:

  • Easily configured rules
  • White list and black list filtering
  • Source IP address filtering
  • Protocol filtering
  • MAC address filtering
  • Port filtering

Stateful Packet Inspection

Stateful Packet Inspection performs filtering based on the state of the connection, improving performance and simplifying the filtering rules. Floodgate Defender’s SPI filtering engine supports:

  • Configuration of SPI filtering options
  • IP header options
  • TCP flags
  • Configurable TTL

Threshold-based Filtering

Floodgate Defender’s threshold-based filtering engine performs filtering based on network traffic patterns. Thresholds determine the traffic level at which packets will be blocked. The filtering engine does not require any knowledge of the network configuration and makes no assumptions about which network traffic should be allowed or blocked. Instead of requiring fixed rules that may or may not be effective, Floodgate Defender analyzes traffic patterns in real time and filters based on that information. Packets are dropped only when network traffic patterns exceed the configured thresholds.
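As an added illustration written for this page (not Floodgate code), the following minimal C packet filter shows the two mechanisms described in the Static Filtering and Threshold-based Filtering sections: whitelist/blacklist rules on source IP, destination port and protocol, and a rate threshold that drops packets only once the count in a fixed window exceeds a configured limit. The rule fields, window length, threshold and the use of port 502 (assumed to be Modbus/TCP) are assumptions for the example, and blocked packets are "logged" with a counter and a printf in place of a device event log.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed example, not Floodgate code: static whitelist/blacklist rules plus a
 * threshold check that drops traffic only when the packet rate exceeds a limit. */
#define MAX_RULES  8
#define WINDOW_MS  1000u   /* hypothetical rate-measurement window */
#define PKT_THRESH 100u    /* hypothetical packets per window allowed before dropping */
enum mode { MODE_WHITELIST, MODE_BLACKLIST };
struct rule { uint32_t src_ip; uint16_t dst_port; uint8_t proto; }; /* 0 = any */
static struct rule rules[MAX_RULES];
static int n_rules;
static enum mode filter_mode = MODE_WHITELIST;
static uint32_t win_start_ms, win_count, blocked; /* threshold state + log counter */

void filter_reset(void) { n_rules = 0; filter_mode = MODE_WHITELIST; win_start_ms = win_count = blocked = 0; }
void set_mode(enum mode m) { filter_mode = m; }
bool add_rule(uint32_t ip, uint16_t port, uint8_t proto) {
    if (n_rules == MAX_RULES) return false;
    rules[n_rules++] = (struct rule){ ip, port, proto }; return true; }
uint32_t blocked_count(void) { return blocked; }

static void log_block(const char *why, uint32_t ip, uint16_t port, uint8_t proto) {
    blocked++;  /* a real device would append this to its event log for audit/forensics */
    printf("BLOCK %s src=0x%08x dport=%u proto=%u\n", why, (unsigned)ip, (unsigned)port, (unsigned)proto);
}
/* Returns true if the packet is allowed through, false if it was dropped. */
bool filter_packet(uint32_t ip, uint16_t port, uint8_t proto, uint32_t t_ms) {
    /* Threshold check needs no knowledge of the network, only the observed rate.
     * Fixed window: restart the counter once WINDOW_MS has elapsed. */
    if (t_ms - win_start_ms >= WINDOW_MS) { win_start_ms = t_ms; win_count = 0; }
    if (++win_count > PKT_THRESH) { log_block("threshold", ip, port, proto); return false; }
    /* Static rules: a rule matches when every non-wildcard field is equal. */
    bool hit = false;
    for (int i = 0; i < n_rules && !hit; i++)
        hit = (rules[i].src_ip == 0 || rules[i].src_ip == ip) &&
              (rules[i].dst_port == 0 || rules[i].dst_port == port) &&
              (rules[i].proto == 0 || rules[i].proto == proto);
    bool allow = (filter_mode == MODE_WHITELIST) ? hit : !hit; /* whitelist: only matches pass */
    if (!allow) log_block("static-rule", ip, port, proto);
    return allow;
}
/* Sends n identical packets at time t_ms and returns how many passed the filter. */
uint32_t send_burst(uint32_t ip, uint16_t port, uint8_t proto, uint32_t t_ms, uint32_t n) {
    uint32_t passed = 0;
    for (uint32_t i = 0; i < n; i++) passed += filter_packet(ip, port, proto, t_ms);
    return passed;
}
```

Note that dropped packets still count toward the window, so a flood of rule-violating traffic trips the threshold just as quickly as a flood of allowed traffic.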

Logging and Alerting

Floodgate Firewall maintains a log of security events and policy violations. Changes to firewall policies are also recorded in the logs, supporting command audit requirements.

Event logs can be used for forensic investigation to determine the source of an attack.

Management System Integration

The Floodgate Firewall is integrated with the Floodgate Agent, enabling remote management from McAfee ePO, the Icon Labs Floodgate Management System, or other Security Information and Event Management (SIEM) systems. This integration provides:

  • Centralized management of security policies.
  • Situational Awareness and device status monitoring.
  • Event management and log file analysis.

Intrusion Detection and Prevention

Hackers attempting to penetrate an embedded device using remote attacks will probe the device for open ports and weaknesses. Blocking all unused ports and protocols limits the attack surface that potential hackers can exploit. Logging packets that violate configured filtering rules enables detection of unusual traffic patterns, traffic from unknown IP addresses or other suspicious behavior.

Most cyberattacks remain undetected until it is too late. Early detection is critical to allow attacks to be contained and blocked, and to prevent theft of confidential information, disruption of services or proliferation of the attack to other systems.

EDSA Compliance Support

Floodgate Firewall provides an important building block for achieving EDSA compliance for embedded devices. Floodgate Firewall provides support for the following capabilities mandated by EDSA-311:

  • Protocol fuzzing and replay attack protection
  • Data flooding protection
  • Denial of service protection
  • Notification of attacks
  • Disabling of unused ports
  • Audit support