Floodgate Packet Filter
See our video here.
Overview
Floodgate™ Packet Filter, one of the EDN Hot 100 products of 2011, is a complete embedded firewall providing a critical layer of security for networked devices. Floodgate provides static (rules-based) filtering, Stateful Packet Inspection (SPI) and threshold-based filtering. Floodgate’s Lockdown Mode provides the highest level of security for systems where security is critical. Floodgate is the first embedded firewall to provide all three types of filtering to protect embedded devices from the growing number of Internet-based threats.
Floodgate provides protection from Internet-based threats by controlling what packets are the embedded device processes. Encryption and authentication may protect your device from a hacker trying to access your device, but Floodgate can prevent the hacker from even attempting to connect. Floodgate operates by blocking packets at the IP layer preventing unwanted packets from being processed by the device. Floodgate’s filtering engine can block denial of service attacks, packet floods, port scans, or other Internet-based threats.
Floodgate Filtering
- Static filtering (rules-based filtering) blocks packets based on configurable filtering rules.
- Stateful Packet Inspection (SPI or dynamic filtering) filters packets based on the state of the connection.
- Threshold-based filtering blocks packets in real time based on threshold crossings.
Internet Threats for Embedded Devices
In enterprise environments, firewalls, intrusion prevention systems and other security devices protect against Internet threats. In the embedded environment, devices such as medical instruments, industrial controls, mobile devices, consumer electronics, and transportation controls are built using smaller processors and without the defenses found in more sophisticated environments. As a result, embedded devices are vulnerable to DoS attacks, packet floods and other Internet attacks. Reported attacks on small devices include:
- Electronic roadsign reprogrammed by hackers to display false information.
- Electronic billboard reprogrammed to display adult content.
- More than 122 medical devices infected by malware at the U.S. Dept. of Veterans Affairs.
- A sewage spill caused by a compromised control system.
Floodgate Features
Floodgate is a source code library allowing easy integration of packet filtering capabilities for embedded devices. Floodgate uses callback routines that are inserted into the device’s packet processing code. Layer-based callbacks allow filtering to be inserted at any layer in the network stack for maximum flexibility. Floodgate also provides a fully configurable API, allowing full control over Floodgate’s filtering behavior.
- Fully configurable API provides control of:
- Thresholds for enabling and disabling filtering
- Interval length
- Filtering key (IP address, protocol, port, user defined criteria)
- Static filtering rules
- Permeability. Controls the percentage of packets that are dropped when filtering is enabled due to a threshold crossing
- Event logging – all threshold crossings are logged to a file or to other interface.
- Deterministic or non-deterministic threshold filtering.
- Layer-based filtering, allowing integration at any layer in the IP stack.
- Small footprint and efficient design for embedded systems.
- Portable source code for use with any embedded OS.
Floodgate Operation
Floodgate’s unique multi-stage filtering engine allows Floodgate’s filtering to be customized as required for the individual device. Floodgate also supports a Lockdown Mode for security critical applications and devices.
Lockdown Mode
Floodgate supports a Lockdown Mode for security critical applications. In Lockdown Mode all communication must originate from the embedded device; any communication originating from the Internet is blocked. Support is provided for a trusted devices list that can initiate communication.
- Provides the highest level of protection
- Protects against IP spoofing
- Can be used in combination with rules based filtering to further control the packets processed by the device
Static Filtering
Floodgate’s static filtering engine uses easily configured rules to filter packets. The static filtering engine supports:
- Easily configured rules
- White list and black list filtering
- Source IP address filtering
- Protocol filtering
- MAC address filtering
- Port filtering
Stateful Packet Inspection
Stateful Packet Inspectin performs filtering based on the state of the connection, allowing faster performance and simplying the filtering rules. Floodgates SPI filtering engine supports:
- Configuration of SPI filtering options
- IP header options
- TCP flags
- Configurable TTL
Threshold-based Filtering
Floodgate’s threshold-based filtering engine performs filtering based on network traffic patterns. Thresholds are used to determine the level at which network traffic will be blocked. The filtering engine does not require any knowledge of the network configuration or make any assumptions about what network traffic that should be allowed or blocked. Instead of requiring fixed rules that may or may not be effective, Floodgate analyzes traffic patterns in real-time and performs filtering based on this information. Only when network traffic patterns exceed the configured thresholds will packets be dropped.