Floodgate™ Defender, one of the EDN Hot 100 products of 2011, is a complete embedded firewall providing a critical layer of security for networked devices. Floodgate Defender provides static (rules-based) filtering, Stateful Packet Inspection (SPI) and threshold-based filtering. Floodgate Defender’s Lockdown Mode provides the highest level of security for systems where security is critical. Floodgate Defender is the only embedded firewall to provide all three types of filtering to protect embedded devices from the growing number of Internet-based threats.
Floodgate Defender protects against Internet-based threats by controlling which packets the embedded device processes. Encryption and authentication can stop an attacker who tries to log in to the device, but the device’s network stack still has to receive and parse every packet before those checks run; Floodgate Defender can keep the attacker’s packets from ever reaching that code. It operates by blocking packets at the IP layer, so unwanted packets are dropped before the stack or the application processes them. Floodgate Defender’s filtering engine can block denial of service attacks, packet floods, port scans and other Internet-based threats.
Floodgate Defender Filtering
- Static filtering (rules-based filtering) blocks packets based on configurable filtering rules.
- Stateful Packet Inspection (SPI or dynamic filtering) filters packets based on the state of the connection.
- Threshold-based filtering blocks packets in real time based on threshold crossings.
Internet Threats for Embedded Devices
In enterprise environments, firewalls, intrusion prevention systems and other security devices protect against Internet threats. In the embedded environment, devices such as medical instruments, industrial controls, mobile devices, consumer electronics, and transportation controls are built using smaller processors and without the defenses found in more sophisticated environments. As a result, embedded devices are vulnerable to DoS attacks, packet floods and other Internet attacks. Reported attacks on small devices include:
- Electronic roadsign reprogrammed by hackers to display false information.
- Electronic billboard reprogrammed to display adult content.
- More than 122 medical devices infected by malware at the U.S. Dept. of Veterans Affairs.
- A sewage spill caused by a compromised control system.
Floodgate Defender Features
Floodgate Defender is a source code library allowing easy integration of packet filtering capabilities for embedded devices. Floodgate Defender uses callback routines that are inserted into the device’s packet processing code. Layer-based callbacks allow filtering to be inserted at any layer in the network stack for maximum flexibility. Floodgate Defender also provides a fully configurable API, allowing full control over Floodgate Defender’s filtering behavior.
- Fully configurable API provides control of:
  - Thresholds for enabling and disabling filtering
  - Interval length
  - Filtering key (IP address, protocol, port, user-defined criteria)
  - Static filtering rules
  - Permeability: the percentage of packets that are dropped while filtering is enabled after a threshold crossing
- Event logging: all threshold crossings are logged to a file or to another interface.
- Deterministic or non-deterministic threshold filtering.
- Layer-based filtering, allowing integration at any layer in the IP stack.
- Small footprint and efficient design for embedded systems.
- Portable source code for use with any embedded OS.
Floodgate Defender Operation
Floodgate Defender’s multi-stage filtering engine allows its filtering to be customized as required for the individual device: static rules, Stateful Packet Inspection and threshold-based filtering each contribute a stage, and Lockdown Mode can be layered on top for security-critical devices.
Lockdown Mode
Floodgate Defender supports a Lockdown Mode for security-critical applications and devices. In Lockdown Mode all communication must originate from the embedded device; any connection attempt originating from the Internet is blocked. A trusted devices list identifies the hosts that are still permitted to initiate communication with the device.
- Provides the highest level of protection
- Protects against IP spoofing
- Can be used in combination with rules based filtering to further control the packets processed by the device
Static Filtering
Floodgate Defender’s static filtering engine uses easily configured rules to filter packets. The static filtering engine supports:
- Easily configured rules
- White list and black list filtering
- Source IP address filtering
- Protocol filtering
- MAC address filtering
- Port filtering
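The static filtering engine described above, as an added example written for this page (illustrative code, not Floodgate Defender’s own source). The packet layout, the `rule_t`/`static_filter_accept` names, the Modbus policy and all addresses are assumptions; it shows the same rule criteria the list gives (source IP with a mask, protocol, MAC address, port) evaluated in either whitelist or blacklist mode from a receive-path callback.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define ANY_PROTO  0xFF
#define ANY_PORT   0xFFFF
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

/* Fields the static filter keys on (hypothetical layout, host byte order). */
typedef struct {
    uint8_t  src_mac[6];
    uint32_t src_ip;
    uint8_t  protocol;
    uint16_t dst_port;    /* 0 for protocols without ports */
} packet_t;

/* One rule. A zero mask matches any source IP; ANY_PROTO / ANY_PORT are wildcards;
 * match_mac = false ignores the MAC entirely. */
typedef struct {
    bool     match_mac;
    uint8_t  src_mac[6];
    uint32_t src_ip, src_mask;
    uint8_t  protocol;
    uint16_t dst_port;
} rule_t;

typedef enum { MODE_WHITELIST, MODE_BLACKLIST } list_mode_t;
typedef struct { list_mode_t mode; const rule_t *rules; size_t count; } static_filter_t;

static bool rule_matches(const rule_t *r, const packet_t *p) {
    if (r->match_mac && memcmp(r->src_mac, p->src_mac, 6) != 0) return false;
    if ((p->src_ip & r->src_mask) != (r->src_ip & r->src_mask)) return false;
    if (r->protocol != ANY_PROTO && r->protocol != p->protocol) return false;
    if (r->dst_port != ANY_PORT && r->dst_port != p->dst_port) return false;
    return true;
}

/* Receive-path callback: true = hand the packet to the stack, false = drop it.
 * Whitelist: only packets matching some rule pass. Blacklist: matching packets are dropped. */
bool static_filter_accept(const static_filter_t *f, const packet_t *p) {
    for (size_t i = 0; i < f->count; i++)
        if (rule_matches(&f->rules[i], p)) return f->mode == MODE_WHITELIST;
    return f->mode == MODE_BLACKLIST;
}

/* Constructed policy for a Modbus/TCP controller: Modbus (TCP/502) only from the
 * engineering LAN 192.168.1.0/24, ICMP from anywhere, everything else dropped. */
static const rule_t plc_rules[] = {
    { .src_ip = IP4(192,168,1,0), .src_mask = 0xFFFFFF00u, .protocol = PROTO_TCP, .dst_port = 502 },
    { .src_mask = 0, .protocol = PROTO_ICMP, .dst_port = ANY_PORT },
};
static const static_filter_t plc_policy = { MODE_WHITELIST, plc_rules, 2 };

/* Constructed blacklist: drop everything from one misbehaving MAC on the local segment. */
static const rule_t bad_mac_rules[] = {
    { .match_mac = true, .src_mac = {0x00,0x11,0x22,0x33,0x44,0x55},
      .src_mask = 0, .protocol = ANY_PROTO, .dst_port = ANY_PORT },
};
static const static_filter_t bad_mac_policy = { MODE_BLACKLIST, bad_mac_rules, 1 };

bool plc_accepts(uint32_t src_ip, uint8_t proto, uint16_t dst_port) {
    packet_t p = { .src_ip = src_ip, .protocol = proto, .dst_port = dst_port };
    return static_filter_accept(&plc_policy, &p);
}

bool segment_accepts(const uint8_t mac[6]) {
    packet_t p = { .src_ip = IP4(192,168,1,77), .protocol = PROTO_UDP, .dst_port = 161 };
    memcpy(p.src_mac, mac, 6);
    return static_filter_accept(&bad_mac_policy, &p);
}

int main(void) {
    printf("Modbus from engineering LAN: %s\n", plc_accepts(IP4(192,168,1,20), PROTO_TCP, 502) ? "pass" : "drop");
    printf("Modbus from the Internet:    %s\n", plc_accepts(IP4(203,0,113,9), PROTO_TCP, 502) ? "pass" : "drop");
    printf("Telnet from engineering LAN: %s\n", plc_accepts(IP4(192,168,1,20), PROTO_TCP, 23) ? "pass" : "drop");
    return 0;
}
```

A whitelist is the safer default for a device with a fixed set of peers: anything not explicitly listed (here, Telnet even from the trusted LAN) is dropped before the stack sees it, and a new service has to be added deliberately rather than blocked after the fact.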
Stateful Packet Inspection
Stateful Packet Inspection filters packets based on the state of the connection: packets that belong to a connection the engine has already seen established are passed without re-evaluating the full rule set, which improves performance and simplifies the filtering rules. Floodgate Defender’s SPI filtering engine supports:
- Configuration of SPI filtering options
- IP header options
- TCP flags
- Configurable TTL
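Lockdown Mode (described above) and the SPI checks in this list, as one added example written for this page (illustrative code, not Floodgate Defender’s engine). The packet layout, the `spi_t`/`spi_accept` names, the specific flag combinations rejected, the TTL floor and all addresses are assumptions. Outbound packets are always passed but teach the engine which connections the device itself opened; inbound packets pass only if they belong to one of those connections, or are a bare SYN from a host on the trusted list when Lockdown Mode is on.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10
#define MAX_CONNS   8
#define MAX_TRUSTED 4

typedef enum { DIR_IN, DIR_OUT } dir_t;

/* TCP/IP fields the SPI engine looks at, seen from the device's side (hypothetical layout). */
typedef struct {
    dir_t    dir;
    uint32_t remote_ip;
    uint16_t local_port, remote_port;
    uint8_t  ttl;
    uint8_t  tcp_flags;
    bool     has_ip_options;
} tcp_pkt_t;

typedef struct { bool used; uint32_t remote_ip; uint16_t local_port, remote_port; } conn_t;

typedef struct {
    bool     lockdown;          /* Lockdown Mode: inbound connections only from trusted devices */
    uint8_t  min_ttl;           /* configurable TTL floor for inbound packets */
    bool     drop_ip_options;   /* IP header options policy */
    uint32_t trusted[MAX_TRUSTED];
    size_t   n_trusted;
    conn_t   conns[MAX_CONNS];  /* connection state table */
} spi_t;

static conn_t *find_conn(spi_t *s, const tcp_pkt_t *p) {
    for (int i = 0; i < MAX_CONNS; i++) {
        conn_t *c = &s->conns[i];
        if (c->used && c->remote_ip == p->remote_ip &&
            c->local_port == p->local_port && c->remote_port == p->remote_port) return c;
    }
    return NULL;
}

static bool add_conn(spi_t *s, const tcp_pkt_t *p) {
    for (int i = 0; i < MAX_CONNS; i++)
        if (!s->conns[i].used) {
            s->conns[i] = (conn_t){ true, p->remote_ip, p->local_port, p->remote_port };
            return true;
        }
    return false;   /* table full */
}

static bool is_trusted(const spi_t *s, uint32_t ip) {
    for (size_t i = 0; i < s->n_trusted; i++) if (s->trusted[i] == ip) return true;
    return false;
}

/* Flag combinations that do not occur in legitimate traffic (NULL, SYN+FIN, SYN+RST scans). */
static bool flags_sane(uint8_t f) {
    if ((f & (TCP_SYN | TCP_FIN | TCP_RST | TCP_ACK)) == 0) return false;
    if ((f & TCP_SYN) && (f & (TCP_FIN | TCP_RST))) return false;
    return true;
}

/* Returns true if the packet may be processed by the stack. */
bool spi_accept(spi_t *s, const tcp_pkt_t *p) {
    if (!flags_sane(p->tcp_flags)) return false;
    conn_t *c = find_conn(s, p);
    if (p->dir == DIR_OUT) {
        /* device-originated SYN opens state; RST closes it. Outbound always passes. */
        if (!c && (p->tcp_flags & (TCP_SYN | TCP_ACK)) == TCP_SYN) add_conn(s, p);
        if (c && (p->tcp_flags & TCP_RST)) c->used = false;
        return true;
    }
    if (p->ttl < s->min_ttl) return false;
    if (s->drop_ip_options && p->has_ip_options) return false;
    if (c) {
        if (p->tcp_flags & TCP_RST) c->used = false;   /* peer tore the connection down */
        return true;                                   /* belongs to a known connection */
    }
    /* No state: only a bare SYN can open a connection; stray ACK/FIN/RST are dropped. */
    if ((p->tcp_flags & (TCP_SYN | TCP_ACK)) != TCP_SYN) return false;
    if (s->lockdown && !is_trusted(s, p->remote_ip)) return false;
    return add_conn(s, p);   /* fail closed if the table is full */
}

tcp_pkt_t make_pkt(dir_t dir, uint32_t remote_ip, uint16_t local_port, uint16_t remote_port, uint8_t flags) {
    return (tcp_pkt_t){ dir, remote_ip, local_port, remote_port, 64, flags, false };
}

int main(void) {
    spi_t s = { .lockdown = true, .min_ttl = 5, .drop_ip_options = true,
                .trusted = { IP4(10,0,0,1) }, .n_trusted = 1 };
    tcp_pkt_t a = make_pkt(DIR_IN, IP4(10,0,0,9), 80, 51000, TCP_SYN);
    tcp_pkt_t b = make_pkt(DIR_IN, IP4(10,0,0,1), 80, 51000, TCP_SYN);
    printf("inbound SYN from untrusted host: %s\n", spi_accept(&s, &a) ? "pass" : "drop");
    printf("inbound SYN from trusted host:   %s\n", spi_accept(&s, &b) ? "pass" : "drop");
    return 0;
}
```

FIN handling is deliberately left out (a real engine tracks half-close and ages idle entries out of the table); the point shown is that without matching state, even a well-formed ACK to an open port never reaches the stack, which is what removes a device in Lockdown Mode from the reach of scanners and unsolicited connection attempts.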
Threshold-Based Filtering
Floodgate Defender’s threshold-based filtering engine performs filtering based on network traffic patterns. Thresholds determine the traffic level at which packets from a source (or other filtering key) begin to be blocked. The engine does not require any knowledge of the network configuration and makes no assumptions about which traffic should be allowed or blocked. Instead of relying on fixed rules that may or may not be effective against a given attack, Floodgate Defender analyzes traffic patterns in real time and filters based on what it observes. Packets are dropped only while network traffic exceeds the configured thresholds.
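The threshold engine just described, together with the API parameters from the feature list (enable and disable thresholds, interval length, filtering key, permeability, deterministic or non-deterministic dropping, event logging), as an added example written for this page. It is illustrative code, not Floodgate Defender’s implementation; the `threshold_filter_t`/`threshold_accept` names, the overflow bucket, the drop pattern and the constructed traffic are assumptions. Permeability follows the feature list’s definition: the percentage of a key’s packets dropped while filtering is enabled.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

#define MAX_KEYS 16
#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

typedef struct {
    uint32_t key;        /* filtering key: here the source IP address */
    uint32_t count;      /* packets seen from this key in the current interval */
    uint32_t acc;        /* accumulator for the deterministic drop pattern */
    bool     filtering;  /* filtering currently enabled for this key */
    bool     used;
} key_state_t;

typedef struct {
    uint32_t interval_ms;        /* interval length */
    uint32_t enable_threshold;   /* packets/interval at which filtering is enabled */
    uint32_t disable_threshold;  /* packets/interval below which filtering is disabled again */
    uint8_t  permeability;       /* percent of packets dropped while filtering */
    bool     deterministic;      /* fixed drop pattern vs. random drops */
    void   (*on_event)(uint32_t key, bool enabled, uint32_t count);  /* threshold-crossing log hook */
    uint32_t interval_start_ms;
    key_state_t keys[MAX_KEYS];
    key_state_t overflow;        /* shared bucket for keys that do not fit the table (logs as key 0) */
} threshold_filter_t;

static key_state_t *lookup(threshold_filter_t *f, uint32_t key) {
    key_state_t *free_slot = NULL;
    for (int i = 0; i < MAX_KEYS; i++) {
        if (f->keys[i].used && f->keys[i].key == key) return &f->keys[i];
        if (!f->keys[i].used && !free_slot) free_slot = &f->keys[i];
    }
    if (free_slot) *free_slot = (key_state_t){ .key = key, .used = true };
    return free_slot;   /* NULL when the table is full */
}

/* Compare one key's count with the thresholds, log a crossing, start a fresh count.
 * Disable uses a lower threshold than enable so filtering does not flap around one value. */
static void evaluate(const threshold_filter_t *f, key_state_t *k) {
    if (!k->filtering && k->count >= f->enable_threshold) {
        k->filtering = true;
        if (f->on_event) f->on_event(k->key, true, k->count);
    } else if (k->filtering && k->count < f->disable_threshold) {
        k->filtering = false;
        if (f->on_event) f->on_event(k->key, false, k->count);
    }
    k->count = 0;
}

static void end_interval(threshold_filter_t *f) {
    for (int i = 0; i < MAX_KEYS; i++) {
        key_state_t *k = &f->keys[i];
        if (!k->used) continue;
        bool idle = (k->count == 0);
        evaluate(f, k);
        if (idle && !k->filtering) k->used = false;   /* release slots of quiet, unfiltered keys */
    }
    evaluate(f, &f->overflow);
}

/* Receive-path callback. Returns true if the packet should be processed.
 * Unsigned subtraction keeps the interval check correct across millisecond-counter wraparound. */
bool threshold_accept(threshold_filter_t *f, uint32_t now_ms, uint32_t key) {
    if (now_ms - f->interval_start_ms >= f->interval_ms) {
        end_interval(f);
        f->interval_start_ms = now_ms;
    }
    key_state_t *k = lookup(f, key);
    if (!k) k = &f->overflow;   /* many sources at once: throttle the remainder collectively */
    k->count++;
    if (!k->filtering) return true;
    if (f->deterministic) {
        /* Bresenham-style pattern: drops exactly `permeability` of every 100 packets */
        k->acc += f->permeability;
        if (k->acc >= 100) { k->acc -= 100; return false; }
        return true;
    }
    return (uint8_t)(rand() % 100) >= f->permeability;
}

static uint32_t g_events;
static void log_event(uint32_t key, bool enabled, uint32_t count) {
    g_events++;
    fprintf(stderr, "%s for %u.%u.%u.%u (%u packets/interval)\n",
            enabled ? "threshold crossed, filtering ON" : "traffic recovered, filtering OFF",
            key >> 24, (key >> 16) & 0xFF, (key >> 8) & 0xFF, key & 0xFF, count);
}

typedef struct { uint32_t flood1, flood2, after_recovery, legit, events; } scenario_t;

/* Constructed traffic: 10.0.0.5 floods at 200 packets/interval for two intervals, goes quiet
 * for one, then sends 10 in the fourth; 192.168.1.20 sends 10 per interval throughout. */
scenario_t run_flood_scenario(void) {
    threshold_filter_t f = { .interval_ms = 1000, .enable_threshold = 100, .disable_threshold = 20,
                             .permeability = 75, .deterministic = true, .on_event = log_event };
    const uint32_t attacker = IP4(10,0,0,5), legit = IP4(192,168,1,20);
    scenario_t r = {0};
    g_events = 0;
    for (uint32_t t = 0; t < 4000; t += 5) {
        uint32_t interval = t / 1000;
        if (interval < 2 || (interval == 3 && t % 100 == 0)) {
            bool ok = threshold_accept(&f, t, attacker);
            if (interval == 0) r.flood1 += ok; else if (interval == 1) r.flood2 += ok; else r.after_recovery += ok;
        }
        if (t % 100 == 0) r.legit += threshold_accept(&f, t, legit);
    }
    r.events = g_events;
    return r;
}

int main(void) {
    scenario_t r = run_flood_scenario();
    printf("flood passed: %u then %u; after recovery: %u; legitimate: %u; events: %u\n",
           r.flood1, r.flood2, r.after_recovery, r.legit, r.events);
    return 0;
}
```

Two things the run makes visible: the first flood interval passes in full, because a threshold filter can only react once the crossing has been measured, which is why the interval length is a tuning decision rather than a detail; and the legitimate host is never throttled, because state is kept per filtering key rather than for the link as a whole.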