Richweb sgw (Secure GateWay) firewalls

Q. What is the firewall appliance Richweb makes, the sgw?

sgw stands for Secure GateWay: a Richweb security appliance based on the OpenBSD operating system (http://openbsd.org/), which provides industry-leading out-of-the-box security and firewall features. A low-end sgw box is a desktop-class Intel PC with a single hard disk, one or more network interfaces (NICs) and 512MB of RAM or more. Higher-end sgw boxes are typically 1U IBM servers with hardware RAID, RSA (Remote Supervisor Adapter) cards for out-of-band management, three Gigabit network cards and 2GB of RAM. Richweb applies a standard set of hardening techniques to every sgw box, and a regular set of vulnerability scans and intrusion detection tests is run against both test and live sgw instances to keep the sgw appliance the most secure device on your network. All sgw boxes have a complete set of firewalling functionality, managed through the /etc/pf.conf configuration file of OpenBSD's packet filter, pf. Richweb sgw boxes are deployed as network firewalls, packet shapers, TCP or HTTP proxy servers, spam-filtering firewalls, intrusion detection servers (running Snort, for example), DNS caches and DNS servers, and mail bastion hosts (secure SMTP relays). Only the software needed for the box's specific job is loaded onto the appliance. In many cases Richweb installs an sgw box for monitoring purposes, with one or more serial ports (RS-232) connected to the consoles of Cisco routers or firewalls or to other serial devices. The sgw box is also very useful as a TCP proxy: it can terminate inbound TCP connections for an internal server on a backup internet connection even while the primary connection is up and outbound traffic flows over the primary by default. Because the proxy opens its own connection to the internal server from the sgw's address, the server's replies come back to the sgw regardless of the server's default gateway, whereas destination NAT only works when the return path passes through the same box. This makes the proxy valuable for load balancing and disaster recovery with SMTP and RDP, where the limitations of source and destination NAT can be painful.
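The pf.conf-managed firewall and the backup-link scenario described in the answer above, as an added example that is not Richweb's configuration: a minimal /etc/pf.conf for a routed sgw with a primary and a backup upstream, written in the pf syntax introduced with OpenBSD 4.7 (match, nat-to, rdr-to). The interface names, the LAN and mail server addresses, the backup gateway and the NOC source table are all assumed placeholders (the NOC ranges use RFC 5737 documentation space, because the page does not list them). The last rule shows the NAT-based alternative to the TCP proxy: destination NAT plus reply-to, which is what it takes to get the mail server's replies back out the backup link when the default route points at the primary, and which still requires the internal server to route back through the sgw (the constraint the proxy removes).

```conf
# /etc/pf.conf for a routed sgw: primary + backup upstream link.
# Added example, not Richweb's file. Every name and address below is an assumption.
ext_if   = "em0"              # primary ISP; carries the default route
bak_if   = "em1"              # backup ISP; no default route
int_if   = "em2"              # customer LAN
bak_gw   = "192.0.2.1"        # next hop on the backup link (documentation address)
lan_net  = "192.168.10.0/24"
mail_srv = "192.168.10.25"

# Richweb NOC source ranges: placeholders, the real ranges are not on this page.
table <noc> const { 203.0.113.0/24, 198.51.100.0/24 }
table <bruteforce> persist

set skip on lo
set block-policy drop

# Default deny in both directions; everything below is an explicit exception.
block log all

# Drop spoofed sources and anything that has tripped the SSH rate limit.
block in quick from urpf-failed
block in quick from <bruteforce>

# Management: SSH only from the NOC ranges, rate limited; an offending source
# lands in <bruteforce> and loses all of its existing states.
pass in on $ext_if proto tcp from <noc> to ($ext_if) port ssh keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in on $bak_if proto tcp from <noc> to ($bak_if) port ssh reply-to ($bak_if $bak_gw) keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# LAN egress and the sgw's own traffic (DNS, svn over HTTPS) via the primary link.
match out on $ext_if inet from $lan_net nat-to ($ext_if)
pass in on $int_if inet from $lan_net
pass out on $ext_if inet

# Inbound SMTP arriving on the backup link, forwarded to the internal mail
# server. reply-to pins the return path to the backup link's gateway, so the
# server's replies are not sent out the primary (default) route carrying the
# backup link's source address.
pass in on $bak_if proto tcp from any to ($bak_if) port smtp rdr-to $mail_srv reply-to ($bak_if $bak_gw)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and inspect the result with `pfctl -vvsr` (rules) and `pfctl -ss` (states). The spelling of the reply-to target changed in later OpenBSD releases, so confirm it against the pf.conf(5) of the release you run. Note that both the rdr-to rule and a proxy terminating on the sgw still need the reply-to clause: the kernel routes replies by the routing table, not by the interface a connection arrived on.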
All sgw configurations are backed up in Subversion repositories, so that if a disk or RAID array is lost, full functionality can be recovered by restoring the configuration files from svn.

Q. Can the sgw box do routing as well as firewalling, and can it be a transparent (invisible) firewall?

Yes. It can be a full-fledged router plus firewall, or a bridging (transparent) firewall. More on the differences: http://www.richweb.com/bridging_vs_routing_firewalls

Q. What are the physical security controls in place for access to the sgw servers and software?

The cabinets which house the servers are locked, and the servers are locked at the BIOS level. Only data center personnel authorized by Richweb have access to the servers, and only as directed by Richweb. Our colocation facilities implement SAS 70 Type II compliant access control with two-factor authentication: an ID card issued in exchange for a valid US government ID, plus a biometric reader at the man trap that blocks unauthorized access. Only pre-registered users with entries in the biometric scanner database are allowed into the data center. Each user type (employee, contractor, vendor, customer) is categorized for the purposes of ID generation, and all movement through the facility is monitored and tracked. Richweb sgw development and maintenance is isolated to Richweb's corporate headquarters, where a small group of three to four senior developers has access to the code base. All source code, server configuration files and the server system files that document each setup are checked into and managed with Subversion, the industry-leading open source version control system. Richweb accesses Subversion only over SSL-protected HTTPS sessions, so no source code or configuration files travel over clear-text protocols at any time.

Q. How does the process of a Richweb employee gaining access to an sgw appliance work?
Richweb does not create or maintain accounts for Richweb management purposes on client sgw instances unless authorized and instructed to do so by an authorized client administrator. This authorization should be given by telephone. Some clients have arranged with Richweb for certain actions to be taken on the basis of email from the client administrator, but usually these directives are issued in telephone conferences or conversations, and a written email is then sent to confirm any action to be taken. This provides an audit trail for the access that was granted. Richweb logs all time spent supporting a client in our EMS project management system; the EMS project logs contain these notes and the actions taken. Actual access to the appliance takes place over the SSH2 protocol using SSH keys (password authentication can be disabled as an additional measure). TCP port 22 is open inbound to the firewall from Richweb Network Operations only. This port allows authorized Richweb system administrators to access the system for maintenance operations, and backups travel through it as well. All communication across this port is strongly encrypted by SSH (Secure Shell, the industry standard protocol for secured remote access). SSH access to the sgw boxes is restricted in the packet filter to these two Richweb Network Operations IP ranges. In some cases the internal (private) IP ranges of a customer's own network are also allowed to SSH into the sgw appliance, where the customer has one or more staff trained in the basic sgw command set, for example to examine bandwidth usage.

Q. How often are updates to the sgw boxes performed?

Because an sgw box set up as a firewall exposes a very small attack surface, updates are not required as frequently as on Windows-based systems.
The attack surface is kept to a minimum by filtering all incoming ports and by shutting off and uninstalling every program that is not needed. OpenBSD patches come out from time to time; Richweb tests and applies patches as needed once they are (a) verified not to cause other problems and (b) relevant to and needed by the sgw in question. All package updates are cryptographically signed and are installed from OpenBSD sources or added with the official pkg_add utility that ships with the system. A small attack surface lowers the urgency of patching, not the need for it: the services that remain reachable (sshd, pf itself, and any proxy or relay daemon the box runs) are exactly the ones an errata release for should be applied to promptly.

Q. How are the sgw boxes secured against remote intrusion and rootkits?

OpenBSD uses a monolithic kernel and runs at securelevel 1 in multi-user mode by default, at which /dev/mem and /dev/kmem cannot be written and kernel modules cannot be loaded (loadable kernel module support was removed from OpenBSD entirely in 5.7). A kernel rootkit would therefore require the kernel to be patched, recompiled and the system rebooted, which would be obvious; slipping a loadable module into a running kernel, the classic kernel rootkit technique, is not available. This does not stop userland rootkits, which replace binaries such as ls, ps or sshd rather than touching the kernel. Catching those requires comparing the installed files against a known-good baseline (OpenBSD's mtree(8) can record and later verify per-file checksums) and keeping the installed software set minimal, as the sgw does.

Q. Does the sgw appliance have any industry certifications?

The sgw appliance itself is not certified. It is built on OpenBSD, which is used in many secure network appliances; refer to http://www.openbsd.org/ for more information. Debian Linux (used by Richweb on certain app-server sgw boxes) has achieved Carrier Grade Linux status; note that Carrier Grade Linux is a Linux Foundation availability and serviceability specification, not a security certification.
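Returning to the remote-access question above (SSH2 with keys, password authentication disabled, a customer's own staff limited to a basic command set): the sshd side of that control, as an added example rather than Richweb's file. The two account names, the customer LAN range and the report script path are assumptions made for the example; pf, not sshd, enforces the NOC source ranges. sshd_config does not accept trailing comments, so each note precedes the directive it describes.

```conf
# /etc/ssh/sshd_config fragment for an sgw. Added example, not Richweb's file.
# Account names, the customer range and the report script are assumptions.

Port 22
# SSH protocol 2 only. OpenSSH 7.4 and later speak nothing else and merely warn about this line.
Protocol 2
# Land on an unprivileged account and escalate with doas(1) or sudo; never log in as root.
PermitRootLogin no
# Keys only: no passwords, no keyboard-interactive fallback, no empty passwords.
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
# Keys live in a root-owned directory, so a compromised user cannot add a backdoor key.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
# No tunnels or forwarded agents through a firewall. scp/rsync backups need none of these.
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
MaxAuthTries 3
LoginGraceTime 30
# VERBOSE records the fingerprint of the key that authenticated each session.
LogLevel VERBOSE
# Exactly two accounts may log in: NOC administrators, and the customer's operators
# only when they connect from the customer LAN (assumed 192.168.10.0/24).
AllowUsers noc-admin cust-ops@192.168.10.*

# Customer operators get no shell and no TTY, only a read-only report command
# (hypothetical script) that covers tasks such as examining bandwidth usage.
Match User cust-ops
    PermitTTY no
    ForceCommand /usr/local/sbin/sgw-report
```

Validate with `sshd -t -f /etc/ssh/sshd_config` before restarting sshd, and keep an existing session open until a fresh key-based login succeeds, since a typo in this file locks everyone out of a box that has no other management path than its serial console. The AllowUsers line, rather than the Match block, is what denies cust-ops from outside the LAN; the Match block only strips privileges from the logins it does permit.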