Innominate

Security Technologies AG protecting industrial networks

mGuard

The all-in-one security solution for protecting business critical communication

The mGuard smart is available in the performance classes

■ mGuard smart / 266

■

■ mGuard smart / 533 mGuard smart / 266 VPN

■ mGuard smart / 533 VPN

The mGuard smart is currently the smallest security device on the market, offering an extremely high degree of security and performance. It can be integrated anywhere both quickly and simply without modifications to the computer system, regardless of the processor technology or operating systems used.

protecting industrial networks unbeknownst to the user. Here, anti-virus software is only of limited use, as it can only be as secure as the operating system. The security holes in Windows – the operating system most often used in offices – are well documented. Against such security gaps, even the best anti-virus software is powerless. Aside from this, several systems used in office environments, such as SAP/R3 servers, do not allow the installation of additional software.

Primary functions mGuard, the “device attached security” solution from Innominate, unites all functions to reliably protect IP connections:

■ VPN (optional) for secure data transmission via public networks

(hardware-based DES, 3DES and

AES encryption, IPsec protocol).

■ Configurable firewall – protects the system from unauthorized access from “outside”. The Stateful Inspection Firewall filters data packets based on the originating and target address, blocking undesired data traffic – also from

“inside”.

■ User firewall regulates access to internal or external resources via user login to the mGuard and central RADIUS server.

■ Integrated anti-virus protection

(optional) supporting the HTTP,

FTP, SMTP and POP3 protocols.

Anti-virus protection takes place outside of the system – assuring increased security for the applications and high performance for the secured system.

New and unsurpassed: the cost-effective solution for security in industry environments

Conventional security concepts, whether hardware or software-based, always require a complex implementation procedure, including modifications to the system’s configuration. In many areas, however, systems cannot be easily modified. In industry environments, for example, strict security provisions apply for production systems. In the medical technology sector, validation processes are required by law. And every system modification is a costly investment in terms of manpower.

Quickly installed: the platform-independent security concept

The mGuard solution unites the advantages of hardware and software-based security concepts in a single component. All the security functions are integrated into the self-contained, fully independent mGuard platform. For this reason, it is not necessary to reconfigure the computer system being protected, nor do drivers or additional software need to be installed.

Moreover, there are several environments which rely on older processor technologies or which utilize proprietary platforms. In order to implement additional security measures, these technologies usually do not offer enough performance – or drivers and software support are not available.

Unassailable with the Innominate Stealth Mode

Innominate’s mGuard “device attached security” systems take advantage of a special function – the

Stealth Mode. This allows the systems to perform absolutely transparent, as they do not require their own IP addresses. Instead, mGuard uses the same IP as the computer it is protecting and therefore cannot be recognized by invaders, making the system unassailable to attack.

The secure solution for office and production back-office

Generally, conventional gateway appliances protect entire networks or network segments with a uniform security standard – and only against attack from “outside”. However, a critical company server or the laptop of a managing director both require security levels that are much higher. What’s more: different systems call for various levels of security. With conventional gateways, this is virtually impossible to carry out.

Added to these dangers are those which arise from

“inside”. From laptops, data media or private e-mail accounts, for example, “malicious codes” are often introduced to company networks and disseminated,

Maximum data throughput for the VPN and firewall

The basis of the integrated security solution is the embedded Linux running on a network processor with XScale core by Intel (IXP 42x), with up to 533

MHz processor capacity, 64 Mbytes of SDRAM working memory and 16 Mbytes of Flash memory. The processor features hardware-based DES, 3DES and

AES encryption. This guarantees maximum data throughput for firewall (up to 99 Mbit/s) and VPN (up to 70 Mbit/s).

Innominate

Security Technologies AG

Innominate Device Manager

With the Innominate Device Manager (IDM) large populations encompassing several thousand mGuard appliances can be efficiently configured and managed. Due to the Innominate mGuard’s templatebased approach, the roll-out of numerous identicallyconfigured appliances can be carried out quickly and conveniently.

For intuitive monitoring and logging, the mGuards communicate with all standard SNMP management systems. The full graphic integration can be realised on the Industrial HiVision management platform from the firm Hirschmann, for example.

At a glance:

■ Better CPU performance and higher data throughput for VPN and firewall.

■ No configuration modifications, no installation of drivers or additional software.

■ Independent operation, regardless of the processor technology or operating system version used.

■

■

Transparent Innominate Stealth Mode.

Platform-overreaching security management with the Innominate Security Configuration Manager

(optional).

■ Configuration with the Innominate Device Manager

(IDM).

■ Integrated, high-capacity anti-virus solution

(optional).

■ User firewall regulates access to internal or external resources via user login to the mGuard and central RADIUS server.

■ Virtual addressing (1:1 NAT) in the VPN tunnel avoids address conflicts.

Typical application areas for mGuard technology

■ Additional security for neuralgic points in corporate networks.

■ Individual protection of business critical systems.

■ Cost-effective security solutions for systems which are not “state-ofthe-art”.

■ Controlled remote access to specific systems for employees and external service providers.

■ Economical, secure connections made available round the clock to external sub-networks and remote workstations.

protecting industrial networks

Innominate

Security Technologies AG

Hardware performance features

CPU

RAM / Flash

1 LAN / 1 WAN port

MAU management

Internet

Internet support

Network services

DHCP support

DNS cache / Dyn. DNS

NTP client

LLDP (Link Layer Discovery Protocol)

VLAN (802.1Q)

Internet updates

Remote syslog logging

User based configuration profiles

Multi language

Virtual Private Network

VPN data throughput (3DES)

Max. number of VPN tunnels

Encryption procedure

Hardware-based encryption

IPsec mode

Authentication

Data integrity

Internet Key Exchange (IKE)

IPsec L2TP Server

VPN in Stealth Mode

1:1 NAT in the VPN

IPsec NAT Traversal

Dead Peer Detection (RFC 3706)

Dyn. DNS VPN support

System management

Web-based management (HTTPS)

Command line interface (SSH)

SNMP v1, v2, v3

Innominate Security Configuration Manager

Innominate Device Manager

Anti-virus protection*

Integrated scan engine

Scans HTTP, FTP, POP3, SMTP, HTTP proxy

Block by file size

Automated pattern file updates

* For anti-virus software option the use of an 533 MHz appliance is recommended.

mGuard smart / 266 mGuard smart / 533

Intel IXP 42x with 266 / 533 MHz

64 MB SDRAM / 16 MB Flash

Ethernet IEEE 802.3 10 / 100 BaseTX,

RJ45, full-duplex, Auto-MDIX

•

PPPoE, PPTP, Static IP, DHCP client,

Stealth / Multi Stealth

Server or relay agent

• / •

•

•

•

•

•

•

German, English and Japanese

-

-

-

-

-

-

-

-

-

-

-

-

-

-

•

•

• optional optional optional optional optional optional

Technical overview

Power supply

Operating temperature

Relative humidity

Dimensions (W x H x D)

Weight

Via USB interface (5 V at 500 mA); optional: ext. power adapter (110–230V)

0 to 40 °C

20 to 90 %, non-condensing

27 x 77 x 115 mm

158 g

Firewall

Firewall data throughput

User licenses

Stateful Inspection Firewall

NAT, 1:1 NAT

Port forwarding

MAC-Filtering

Firewall rules in VPN connections

IP spoofing protection

Syn flood protection

Configurable DoS protection

Redundant Firewall (VRRP) mGuard smart / 266 VPN mGuard smart / 533 VPN

Intel IXP 42x with 266 / 533 MHz

64 MB SDRAM / 16 MB Flash

Ethernet IEEE 802.3 10 / 100 BaseTX,

RJ45, full-duplex, Auto-MDIX

•

PPPoE, PPTP, Static IP, DHCP client,

Stealth / Multi Stealth

Server or relay agent

• / •

•

•

•

•

•

•

German, English and Japanese

35 / 70 Mbit/s

10

DES, 3DES, AES-128, -192, -256

•

ESP tunnel / ESP transport

X.509v3 certificates with RSA or pre-shared keys (PSK)

MD5, SHA-1

Quick mode, main mode, PFS

•

•

•

•

•

•

•

•

• optional optional optional optional optional optional

99 Mbit/s unlimited

•

•

•

•

•

•

•

• optional mGuard Software Options

Innominate mGuard VPN-10

IPSec VPN Gateway, max. 10 VPN tunnels

Innominate mGuard VPN-250

IPSec VPN Gateway, max. 250 VPN tunnels

Innominate mGuard Anti-Virus-50

50 appliances, perpetual license for CLAM AV™ virus patterns

Innominate mGuard Anti-Virus-200

200 appliances, perpetual license for CLAM AV™ virus patterns

Innominate mGuard Anti-Virus-1000

1000 appliances, perpetual license for CLAM AV™ virus patterns

Innominate mGuard Redundant Firewall Option

Requires two mGuard Security Appliances

Innominate mGuard is a registered trademark of Innominate Security Technologies AG. Several national and international patents have been registered or are pending for the mGuard technology. All other trademarks, brands and names are property of the corresponding firms.

Product specifications are subject to change. Errors and omissions excepted. Status 01.2007

Innominate Security Technologies AG · Albert-Einstein-Str. 14 · D-12489 Berlin · Tel. +49(0)30-63 92 33 00 · Fax +49(0)30-63 92 33 07 · www.innominate.com

m