PROTECTING CRITICAL INFRASTRUCTURE: ENERGY MARKET SECURITY IN GERMANY AND EUROPE

Author: Baldwin Lewis

Stuxnet was only the beginning. The political efforts in Germany and Europe also show: The energy industry must now respond to the significant changes in the control and management technology.


FUNDAMENTAL CHANGE AND SECURITY

The energy market is in the midst of two fundamental changes. The first major change revolves around where energy production comes from and how this energy gets to market. Historically, electricity has been generated in centralized locations like power stations using a variety of technologies, from coal to nuclear, natural gas and biomass. Many of these power generation locations use, at least partially, generations-old technological components in their process control operations. These components have historically worked well and have been reliable, but they were designed with centralization in mind and designed to operate as a »technology island« in an un-connected and un-networked world. Today the energy market is increasingly moving to a balance of more distributed power generation systems like windmills, solar and micro or localized power stations. There are increased requirements for inter-grid accounting and management with regional operators and pan-national suppliers, and the inevitable interoperation of systems and functions. There is increased sensitivity to demand variability, and new supply types like wind and solar bring a higher degree of supply-side variability. These affect pricing and are part of the movement towards Smart Grids, but they also blur traditional areas of ownership and security lines.

The second change is around the technology and subsequent processes used to facilitate the management and accounting in the evolving energy market. As noted above, many of the components were designed and deployed prior to the movement to the all-IP, Internet world. They simply were not built to be part of today’s information technology (IT) landscape, let alone to be able to defend themselves against attacks. There are now Smart Grids with Smart Meters. There are energy suppliers collaborating on demand with supporting billing and reconciliation systems. There are the challenges of legacy process control networks (PCNs) connecting to supervisory control and data acquisition (SCADA) networks that are themselves increasingly connected. There are increasingly IT-based office networks and systems growing rapidly to meet the demands of the new energy market as a whole. Together, these are the fundamental forces rapidly expanding the security threat space in energy markets today.


THE DECLARATION OF CYBER WAR

The Stuxnet attacks of 2010 are widely considered to be the moment the media and western governments took threats to the energy market’s critical infrastructure seriously. It was in June of that year that details emerged of an attack that found specific targets, exploited a vulnerability on those targets, installed and executed code on the now-compromised targets and then used these zombie machines to actually seek out and destroy programmable logic controllers (PLCs) specifically used in the energy market space. In the case of Stuxnet, the end targets were PLCs operated by the Iranian nuclear program. By all accounts, Stuxnet was very successful and ended up destroying more than 20% of the Iranian nuclear generation capacity. Even in the cyber security terms of 2010, much of what Stuxnet did was actually quite mundane and well known. The attack followed a well-documented path or »kill chain« of events that includes finding a target, creating an attack to exploit a vulnerability on the target, delivering the attack and then using the compromised target location as a foothold for something more sophisticated. The following, more specific attack then goes after the end goal and can be anything from destroying Iranian centrifuges to stealing sensitive plans and data. Deploying defense measures addressing each point in the kill chain is the foundation of successfully defending against cyber attack. gateprotect uses this basis for its Echelon Internal Defense methodology.

The Threat Space and the Stuxnet Legacy

There are differing opinions on what Stuxnet may or may not have changed in the world of network and information security. But Stuxnet indisputably accomplished two things. First, it formed a broad agreement on the possible vectors of cyber attack. Second, it highlighted the overall seriousness of the cyber threat in an increasingly networked world. Both were magnified by the fact that the threat is against the life-critical infrastructure of today’s energy market. After Stuxnet, the public and governments could no longer dismiss the threat by regarding misguided teenagers or »script kiddies« using »mass-market« basic attacks as the central malicious actors in the modern cyber security threat space.

[Figure: Interaction of process net and IT net at today’s energy producers and energy providers. Internet, router (packet filter) and gateprotect NP in front of the IT net (office and IT systems) and the process net (MTU, RTU, PLC), with network communication between the two. Legend: MTU = Master Terminal Unit, RTU = Remote Terminal Unit, PLC = Programmable Logic Controller(s).]

The Target: IT Networks and Process Control Networks

In very broad terms, there are generally two types of networks in energy market operations today. The definitions have many exceptions, but these tend to be:
– Process control networks (PCN, often referred to as »process network« or »control network«) form the working operational core of the energy market. These control the individual components within a power plant. The role responsible for maintaining and running this network is typically the Operation Group.
– IT networks are the foundation of the modern networked office environment. These networks are also used to host servers and databases and to coordinate management operations between all the increasingly distributed points of the modern energy market, from the producer to the consumer and the Smart Grid in between. The role responsible for maintaining this network is typically the IT Group.

PCNs have historically been separate from the more recently constructed IT networks. IT networks have been based on IP over Ethernet and are common to internets (inter-connected networks), intranets and the Internet, and are common throughout the personal and professional lives of most people in the developed nations, including Germany and most of Europe.

Connecting legacy PCNs is the supervisory control and data acquisition (SCADA) system infrastructure. SCADA originally operated a variety of proprietary communication methods (serial and otherwise) in an n-tier design. The early generations typically connected specifically designed programmable logic controllers (PLCs) that controlled specific power generation or energy system management components. PLCs typically have a lifespan measured in decades, and many original and early-generation devices still exist today and will continue to exist. Remote terminal units (RTUs) connected multiple PLCs within a site and typically had some form of interface (»human machine interface« or HMI). Subsequent generations of critical energy infrastructure added layers to connect RTUs into a master terminal unit (MTU) system. However, proprietary communication designs continued despite the emergence of standards. While this made intended interconnection difficult, it shielded early SCADA generations from many open IT and inter-networked security challenges. However, this also meant that security was not even a secondary design consideration of these systems.

The rise of large-scale IT networked systems promised cost benefits, but the level of connectivity and access also exposed these PCN-based components to security threats they were not designed to face. In many cases, the PLCs in the now-connected PCN-to-IT network have no ability to computationally counter and defend themselves from known threats. Yet worms and Trojans like Stuxnet, spear-phishing, malware, viruses and drive-by downloads have all become today’s networked reality and are key threats targeted by gateprotect.


Ownership of Security Threat Mitigation

Today’s PCNs are connected to IT networks. So while there is an overlap of internal connectivity, and therefore of »attack surface area«, between the two networks, there has historically been little overlap in internal network defense. This lack of single security accountability has already started to be addressed, at least in part. This has been done initially through process improvements, since the skills on the PCN operations side and on the IT network side are distinctly unique in some ways. However, higher security levels are increasingly achieved through the deployment of internal defense and information security platforms, like those offered by gateprotect, within and between these networks.

Since energy markets are tightly regulated, governments and legislation are increasingly playing a positive role in energy market security and highlight key aspects of gateprotect’s functionality. Much of the initial recommendations and initiatives stemmed from the United States after the September 11th, 2001 terrorist attacks. These include the expansion of NERC CIP (Critical Infrastructure Protection of the North American Electric Reliability Corporation) and the NIST 800-series (National Institute of Standards and Technology) guidelines. These were augmented by initiatives like the NISCC in the UK. But Germany and Europe have also played a strong and increasingly leading role. German initiatives from the Bundesverband der Energie- und Wasserwirtschaft (BDEW) took the initiative to specify the basic security measures for systems operating in energy market networks. These included requirements for encryption of data, cryptographic standards, anti-virus and malware functions, secure communication between networks, auditing, secure network design, application protocol standards, and more, all of which are components within the gateprotect product.

The Bundesamt für Sicherheit in der Informationstechnik (BSI) both leads and confirms many global industry best practices. For example, both its IT-Grundschutzkatalog and the BSI-Standard 100 series papers specify processes and practices for network security within the German public and private sectors. The BSI standards have, for example, validated the gateprotect concept for multilayer network monitoring and internal defense with their »PAP« concept. These best practices form a significant portion of the energy market security recommendations noted in this whitepaper below.

Current initiatives at the EU level indicate even more forward thinking. There are Brussels-based efforts that summarize the critical infrastructure security challenge, and these are supported by gateprotect – particularly those by the EPCIP (European Programme for Critical Infrastructure Protection). The EPCIP furthermore starts to recognize that European-centric standards and solutions are required for Europe. Whether the Snowden revelations are accurate or not, it is no longer acceptable to blindly accept American, Israeli, Chinese, Indian and other non-European vendor solutions in critical infrastructure and expect European and German standards and laws to be maintained at all times. Probably the most influential standards globally today are the ISO/IEC 27000 series. ISO/IEC 27001 has specifically and recently been revised and streamlined and is a key starting point for gateprotect recommendations.


TOWARDS EUROPEAN ENERGY GRID SECURITY

Legacy firewalls and their security strategies are only to a limited extent able to provide the necessary protection in process networks. Classical port filtering is not precise enough, and filtering functions such as AV, anti-spyware, IDS or web filtering, as available in UTM solutions, are all based on the concept of blacklisting.

This is exactly the point where gateprotect’s next-generation firewall comes in: a whitelisting approach is realized through highly granular application identification and control. Deep packet inspection makes it possible to filter and evaluate within applications. The full-validation whitelisting approach meets the needs of the energy industry: in this concept, any traffic wanting to pass through the firewall has to be clearly identified and positively validated. Unknown data flows, even unknown components within known data flows, are reliably blocked and are »not allowed« to pass.

In order to be able to clearly identify communication, the traffic itself has to be identified. It is not enough to open or block a specific port. The firewall allows you to determine with high granularity – for specific machines within a network or even the entire network – which kind of network traffic is allowed to pass to or from a machine. A further advantage is that basic traffic-shaping methods can be applied to this clearly identified network traffic, i.e. the bandwidth of applications less important for the objectives of the company can be limited in favor of business-critical applications. For example, streaming content (YouTube, Spotify etc.) can be limited so that only a (small) portion of the bandwidth is available to it, while the SCADA control receives the free capacity it requires at all times.

Technical Progress in Detail:

Application Filtering vs Classical Port Filtering

Originally, ports were used for Internet traffic to characterize the different kinds of communication (e.g. port 25 for e-mail traffic, port 21 for file transfer or port 80 for web browsing). In principle, »good applications« still comply with these assignments. There is, however, no compelling technical reason to do so. On the contrary, it is often much easier to transport different kinds of traffic via the same port. Webmail (an e-mail client accessed via a web browser) as well as cloud data storage (Dropbox etc.), for example, are both accessed via port 80 to make work easier for users and/or administrators. Malicious traffic, therefore, is under no obligation to comply with these assignments. This kind of traffic can be transported any way the attacker considers useful and, therefore, via any open port, camouflaging itself as »good-natured« traffic.

Deep Packet Inspection (DPI)

Another step is to both identify the application and filter further using »decoders« that identify the content communicated by an application or a protocol. This provides the ability to, for example, ensure that control commands within IEC 60870-5-104 are only accepted from particular users to a specific target via an encrypted interface. That way it can be ensured that network traffic represents exactly what it claims to be and comes only from those authorized to communicate it. So communication can be partly restricted for specific users or devices, both on the command-sending and on the command-receiving side.

Full-Validation Whitelisting

In contrast to port-filtering or UTM firewalls, the two functions of »real next-generation firewalls« described above allow for a reversal of the security principle for individual zones: while it was previously not possible to limit e.g. HTTP-based traffic because the traffic could not be divided more finely, it is now possible to individually and explicitly define what is and what is not allowed. No attempt is made to identify malicious code (using virus scan, IDS/IPS etc.) within generously allowed traffic; instead, only what has been defined as good is allowed. As a result, the following schematic network construct can be seen as a first step: according to BSI-Grundschutz-Katalog M2.73, a multilevel firewall concept should be applied. The term PAP model stands for packet filter, application level gateway, packet filter: a model in which the application level gateway is protected by a packet filter from the user side as well as from the network side. The first packet filter is represented by a router. The application filter and the second packet filter are represented by the next-generation firewall. External devices communicate via (IPsec) VPN with the process network; the VPN tunnel is only terminated in the second (NG) firewall. The second firewall contains a set of rules which represents a set of positive rules into the process network, thus only allowing what is desired. This multi-zone concept is relatively low cost, and little additional effort is required.

[Figure: Firewall concept with multiple zones. Internet, router (packet filter), gateprotect NP, IT net; the process net (control and management) sits behind the gateprotect NP.]

In the second step, in order to realize a complete separation in the perimeter (regarding access to the Internet) as well, a schematic concept could look like the following: in addition to the first concept, in this version the process network has access to the public network via its own router; office and process network are completely separated. Control interventions can be realized via a DMZ, which can be physically separated in a case of extreme emergency. Depending on the configuration, external management (service technicians etc.) can be handled either via the process network router directly from the Internet or (more securely) via the office router and the DMZ. In this case the devices communicate through the Internet via encrypted VPNs. The set of rules for the process network as well as the DMZ (at both next-generation firewalls) is executed with positive validation and correspondingly fine filtering. For liability reasons, the strategically important components (router and firewall) can each be used as a high-availability cluster in both concepts.

[Figure: Firewall concept with complete separation of process net and IT net. Internet, router (packet filter) and gateprotect NP in front of the IT net; a second router and gateprotect NP in front of the process net (control and management); a DMZ between the two.]
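The DPI and full-validation whitelisting sections above describe decoding IEC 60870-5-104 so that control commands are accepted only from particular sources towards a specific target. The following Python example is added here to illustrate that check; it is not gateprotect code and does not show how the gateprotect NP implements its decoders. It parses the APCI and ASDU header of an IEC 104 frame (start byte, length, control field, type identifier, cause of transmission, common address) and then applies a whitelist: only the listed type identifiers with the listed causes of transmission pass between a given source and destination, and everything else is blocked, including bytes on the IEC 104 port that are not IEC 104 at all. The addresses, the policy table and the sample frames are constructed for the example; the type identifier and cause values are those of the standard.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# IEC 60870-5-104 type identifiers and causes of transmission used here (values from the standard)
M_SP_NA_1, M_ME_NA_1, M_ME_NC_1 = 1, 9, 13        # monitoring direction: single point, measurements
C_SC_NA_1, C_DC_NA_1, C_IC_NA_1 = 45, 46, 100     # control direction: single/double command, interrogation
COT_SPONT, COT_ACT, COT_ACTCON, COT_ACTTERM, COT_INROGEN = 3, 6, 7, 10, 20


@dataclass
class Apdu:
    fmt: str                          # "I" (data), "S" (supervisory) or "U" (unnumbered control)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None


def parse_iec104(payload: bytes) -> Optional[Apdu]:
    """Decode the APCI and ASDU header; return None for anything that is not a well-formed frame."""
    if len(payload) < 6 or payload[0] != 0x68:
        return None
    length = payload[1]                            # number of octets following the length octet
    if length < 4 or len(payload) != length + 2:
        return None
    cf1 = payload[2]
    if cf1 & 0x01 == 0:
        fmt = "I"
    elif cf1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt) if length == 4 else None  # S and U frames carry no ASDU
    asdu = payload[6:]
    if len(asdu) < 6:
        return None
    type_id, _vsq, cot_field, common_addr = struct.unpack("<BBHH", asdu[:6])
    return Apdu("I", type_id, cot_field & 0x3F, common_addr)  # low 6 bits = cause, rest = P/N, test, originator


# Constructed whitelist: (source, destination) -> {type id: allowed causes of transmission}.
# The control centre may only send activations; the RTU may only send data and confirmations.
MTU, RTU = "10.1.0.5", "10.2.0.20"
POLICY: Dict[Tuple[str, str], Dict[int, Set[int]]] = {
    (MTU, RTU): {C_SC_NA_1: {COT_ACT}, C_DC_NA_1: {COT_ACT}, C_IC_NA_1: {COT_ACT}},
    (RTU, MTU): {M_SP_NA_1: {COT_SPONT, COT_INROGEN}, M_ME_NA_1: {COT_SPONT, COT_INROGEN},
                 M_ME_NC_1: {COT_SPONT, COT_INROGEN},
                 C_SC_NA_1: {COT_ACTCON, COT_ACTTERM}, C_IC_NA_1: {COT_ACTCON, COT_ACTTERM}},
}


def decide(src: str, dst: str, payload: bytes) -> Tuple[str, str]:
    """Full validation: the flow must be whitelisted, the frame must decode, and it must match the policy."""
    rules = POLICY.get((src, dst))
    if rules is None:
        return "BLOCK", "no whitelist entry for this source/destination pair"
    apdu = parse_iec104(payload)
    if apdu is None:
        return "BLOCK", "payload is not a well-formed IEC 104 APDU"
    if apdu.fmt != "I":
        return "ALLOW", f"{apdu.fmt}-format link control frame"
    causes = rules.get(apdu.type_id)
    if causes is None:
        return "BLOCK", f"type id {apdu.type_id} not whitelisted in this direction"
    if apdu.cot not in causes:
        return "BLOCK", f"cause of transmission {apdu.cot} not permitted for type id {apdu.type_id}"
    return "ALLOW", f"type id {apdu.type_id}, cause {apdu.cot}, common address {apdu.common_addr}"


# Constructed sample frames as seen on the IEC 104 port (2404); the comment gives the intended reading
SAMPLE_TRAFFIC: List[Tuple[str, str, bytes]] = [
    (MTU, RTU, bytes.fromhex("68 04 07 00 00 00")),                                       # U: STARTDT act
    (MTU, RTU, bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 01 00 00 01")),         # single command, activation
    (RTU, MTU, bytes.fromhex("68 10 02 00 00 00 09 01 03 00 01 00 05 00 00 34 12 00")),   # spontaneous measurement
    (RTU, MTU, bytes.fromhex("68 0e 02 00 02 00 2d 01 06 00 01 00 01 00 00 01")),         # command from the RTU: wrong direction
    (MTU, RTU, b"GET / HTTP/1.1\r\nHost: rtu\r\n\r\n"),                                     # HTTP on port 2404: not IEC 104
    ("10.9.9.9", RTU, bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14")),  # unknown host: interrogation
]


def run(traffic=SAMPLE_TRAFFIC) -> List[Tuple[str, str]]:
    return [decide(src, dst, payload) for src, dst, payload in traffic]


if __name__ == "__main__":
    for (src, dst, _), (verdict, reason) in zip(SAMPLE_TRAFFIC, run()):
        print(f"{src} -> {dst}: {verdict} ({reason})")
```

The point of the policy table is that a port number says nothing: the fourth and fifth frames arrive on the IEC 104 port from whitelisted hosts and are still blocked, one because a command has no business travelling from the RTU towards the control centre, the other because the bytes do not decode as IEC 104 at all.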

[Figure: Echelons of the Internal Defense Methodology. Internet traffic passes through the echelons Observation, Reduction and Concealment; Threat Detection and Disarming; Identification, Blocking and Policing; Complying, Monitoring and Refining, and leaves as validated traffic towards the process net (RTU, PLC, MTU) and the IT net (office and IT systems). Legend: MTU = Master Terminal Unit, RTU = Remote Terminal Unit, PLC = Programmable Logic Controller(s). Caption: Measures for a sustainable defense of IT infrastructure of energy producers and energy providers.]

gateprotect has a general methodology for energy market security defense that targets the lifecycle of every successful attack. If any stage of the lifecycle or kill chain is disrupted, the gateprotect NP has successfully defended, or contributed to the defense of, the critical energy infrastructure. This is the gateprotect Echelon Internal Defense methodology, and it can be expressed using the classic risk calculation for internal network security defense: Risk (R) = Threat (T) x Vulnerability (V) x Consequences (C)

Driving R, T, V or C down to zero (0) means the risk is eliminated. The gateprotect Echelon Internal Defense methodology focuses on reducing the threats, the access to vulnerabilities and the consequences (so T, V and C) in the network and through interactions with other systems within the deployed security ecosystem.


Observation, Reduction and Concealment

The central functional goal of this layer or echelon is to reduce the attack surface area internally and externally. Expose only hardened connection points, and expose those only to the locations and services deemed suitable according to legislated and internal security policy and the risk profile, including ISO/IEC 2700x. Limit connection points between process networks, distributed endpoints and internal ICS networks, for example.

Example Recommendations
– Deploy in the BSI »PAP« model to provide a second firewall layer behind the perimeter firewall in order to verify post-DMZ traffic for targeted APTs and also to inspect internal-to-internal traffic.
– Secure the ability to see and control communication between users of the PCN and IT networks. Control and monitor access between the most critical points of the energy market network.
– Encrypt communication from remote sites (windmills, solar cells, smart meter sites).
– Logically separate intra-IT and intra-PCN functions from user to user on a per-application basis. For example, marketing and executives can access specific Internet cloud or SaaS services but cannot connect directly to database clusters. SIP phones should not have SSH connections.
– Enforce access to IP address zones and specific machines.

Threat Detection and Disarming

The goal of this echelon is to stop targeted threats within established communications from reaching the intended recipient or systems. One key attribute of this echelon functionally in the gateprotect NP product is application identification and a unified expression of policy addressing all UTM functions.

Example Recommendations
– Examine internal traffic according to Intrusion Prevention System (IPS) policy and block suspicious traffic.
– Inspect the content of communication for malware and viruses.
– Restrict access over Ethernet IP or HTTP (as examples) to a particular machine.

Identification, Blocking and Policing

The goal of this echelon is to identify internal actions that may indicate infection or even a possible insider threat. One key attribute of this echelon functionally within the gateprotect NP product is application identification together with decoding the communication to extract syntax and meaning from the data. The unified expression of policy addressing all application identification, firewall and UTM functions also plays a role.

Example Recommendations
– Verify IEC 104 communications from windmills. Restrict the transactions that remote access users can execute.
– Filter all web traffic: block non-technical domains for technical employees, limit domain categories for others.
– SIP phones should not have SSH connections. SIP phones should not have any applications except for SIP running.
– Police YouTube application traffic of employees so that it does not consume more than x% of the critical infrastructure bandwidth.

Complying, Monitoring and Refining

The goal of this echelon and the resultant technologies and recommendations is to interact with and augment internal security administrators, systems, processes and practices, whether legislated or beyond.

Example Recommendations
– Decode IEC 104 communication to ensure only certain messages and commands can come from specified locations. Inspect each remote access transaction at the data level.
– Alert the SIEM security ecosystem based on suspicious activity.
– View network- and user-based reports for traffic and/or usage anomalies.
– SIP phones can only communicate with the SIP server; other communication should be flagged and alerted to the SIEM.
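The traffic-shaping paragraph in the previous section and the policing recommendation above (YouTube traffic must not consume more than x% of the bandwidth) both come down to rate limiting traffic that has already been identified by application. The following Python example is added here to show the mechanism behind such a cap; it is not gateprotect’s implementation. A token bucket holds one application class to a configured share of the link, while the SCADA class is never policed. The link rate, the 10% share, the application labels and the two simulated packet streams are constructed values.

```python
LINK_RATE = 12_500_000  # bytes per second, i.e. a 100 MBit/s link (constructed)


class TokenBucket:
    """Single-rate token bucket: `rate` bytes of credit refill per second, capped at `burst` bytes."""

    def __init__(self, rate: float, burst: float):
        self.rate = rate
        self.burst = burst
        self.tokens = burst
        self.last = 0.0

    def conform(self, size: int, now: float) -> bool:
        # refill for the time elapsed since the previous packet, never beyond the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class Policer:
    """Per-application bandwidth caps; applications without a cap are forwarded untouched."""

    def __init__(self, shares: dict, link_rate: int = LINK_RATE, burst_seconds: float = 0.1):
        # shares: application label (as identified by the DPI engine) -> fraction of the link it may use
        self.buckets = {app: TokenBucket(share * link_rate, share * link_rate * burst_seconds)
                        for app, share in shares.items()}

    def forward(self, app: str, size: int, now: float) -> bool:
        bucket = self.buckets.get(app)
        return True if bucket is None else bucket.conform(size, now)


def simulate(duration: float = 1.0) -> dict:
    """Offer two constructed packet streams to the policer and report what got through."""
    policer = Policer({"youtube": 0.10})               # streaming may use at most 10 % of the link
    stream_pkt, stream_rate = 1500, 2_500_000          # streaming offers 20 % of the link (constructed)
    scada_pkt, scada_pps = 200, 100                    # small IEC 104 style telegrams, 100 per second

    events = []
    for i in range(int(duration * stream_rate / stream_pkt)):
        events.append((i * stream_pkt / stream_rate, "youtube", stream_pkt))
    for j in range(int(scada_pps * duration)):
        events.append((j / scada_pps, "scada", scada_pkt))

    offered = {"youtube": 0, "scada": 0}
    passed = {"youtube": 0, "scada": 0}
    for t, app, size in sorted(events):                # replay in time order
        offered[app] += size
        if policer.forward(app, size, t):
            passed[app] += size
    return {"offered": offered, "passed": passed,
            "youtube_share_of_link": passed["youtube"] / (LINK_RATE * duration)}


if __name__ == "__main__":
    result = simulate()
    print(f"scada:   {result['passed']['scada']} of {result['offered']['scada']} bytes forwarded")
    print(f"youtube: {result['passed']['youtube']} of {result['offered']['youtube']} bytes forwarded "
          f"({result['youtube_share_of_link']:.1%} of the link)")
```

Over one simulated second the streaming class is held to roughly 11% of the link (the 10% rate plus the initial burst allowance), although it offered 20%, and every SCADA telegram is forwarded. A real shaper would queue rather than drop the excess, but the accounting is the same.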


FULL SECURITY, MADE IN GERMANY Three core aspects form the basis for the energy market security solution and are reflected in all gateprotect security recommendations and each echelon of the gateprotect Echelon Internal Defense methodology:

Application identification and decoding. gateprotect provides a native application and protocol detection and decoding method. This allows gateprotect not only to rapidly identify protocols and reference them in a common firewall policy rule, but also to focus on protocols that are unique, or are used in unique ways, by German and European energy markets (IEC 104 protocol identification and IEC 104 protocol decoding of control messages, for example).

Unified Policy of Single Pass Engine. Unified expression of network and security policy that covers all facets of the security functionality available in the platform. This is not simply centralized management but a single-pass policy engine that comprehensively expresses and implements security policy. This addresses the energy network challenge that combining multiple groups responsible for different parts of the security equation means that components may have different masters. A combined, single line of security firewall policy allows for easy and visual expressions of policy without the unintended obfuscation of individual complex systems providing the same functionality. So the argument for firewall policy rule combination not only merges functions into a single solution device to verifiably meet various standards, but also allows responsible security administrators to see all security clearly and in a single location.

Adherence to German laws, standards and compliance. gateprotect is a German company fully committed to supporting our government initiatives both in standards and unique requirements. Furthermore, we support our government’s initiative to design and build software and products with no backdoors or inherent compromises for foreign or domestic intelligence agencies or other non-customer agendas.


FUNCTIONS OF GATEPROTECT NP

Feature / Specifications

UNIFIED THREAT MANAGEMENT

Web Filter
– Part of the unique Single Pass Engine
– Block rules up to user-level
– Blacklists / Whitelists
– Category based website-blocking
– Granular filters based on http protocol decoding
– Patterns of Symantec

Application Control
– Part of the unique Single Pass Engine
– Layer 7 Packet filter (DPI)
– Filter applications and protocols
– Detection & control of applications and protocols like Skype, Bittorrent as well as Web 2.0 applications like Facebook
– Protocol decoders for real time access to parameters like content type, cookies
– Patterns of ipoque

Intrusion Prevention*
– Part of the unique Single Pass Engine
– Rule groups selectable
– Exceptions definable
– Scanning of all interfaces
– DoS, portscan protection
– Malicious network packet protection
– Signatures of Emerging Threats

Antivirus
– Part of the unique Single Pass Engine
– HTTP, HTTPS
– FTP, POP3, SMTP
– Manual and automatic updates
– Patterns of Bitdefender

* except gateprotect NP-S50

LAN / WAN-SUPPORT
– Ethernet 10/100/1000 MBit/s
– 10 Gigabit Ethernet for L Series
– SFP and SFP+ Fibre optics support for L Series
– MTU changeable (Ethernet/DSL)
– PPP-PAP, PPP-CHAP authentication
– Time controlled Internet connections
– Manual and automatic DNS assignment
– DMZ
– Zone based networking

VLAN
– 4094 VLAN per interface
– 802.1q ethernet header tagging
– Combinable with bridging

Bridge Mode
– OSI-Layer 2 firewall function
– Two interfaces per bridge
– Combinable with OpenVPN

VPN
– Site-to-Site
– Client-to-Site (Road Warrior)
– PPTP
– OpenVPN
– IPSec

IPSec
– Tunnel mode
– IKEv1, IKEv2
– PSK
– DPD (Dead Peer Detection)
– NAT-T
– XAUTH, L2TP

SSL VPN
– Bridge mode VPN

HIGH AVAILABILITY
– Active-passive HA

TRAFFIC SHAPING / QOS
– Traffic Shaping and Prioritisation on a per-rule basis

MANAGEMENT
– Role based firewall administration
– Ergonomic Graphic User Interface
– Immediate visual feedback for each setting
– Self-explanatory functions
– Mobile device support

BACKUP & RECOVERY
– Small backup files
– Automatic and time based backups

USER AUTHENTICATION
– Active Directory / LDAP support
– Local User database
– Web-interface authentication
– Captive Portal

MONITORING
– Network (interfaces, routing, traffic, errors)
– Processes
– VPN

LOGS, REPORTS, STATISTICS
– Logging to multiple syslog-servers
– Logs in admin-client (with filter)
– IP / User and Zone statistics
– TOP lists
– Application and protocol hit and traffic statistics
– Interface statistics
– Domain statistics
– Rule statistics

YOUR BENEFITS
– Granular application control of network traffic for maximum business security
– Full threat protection feature set: unified policy rules engine for application control, web filter, intrusion prevention system, malware filter and anti-virus
– Responsive, open platform GUI for precise security administration anywhere and reduced operational cost
– Performance designed to have all security functions enabled
– Security »Made in Germany«


NEXT GENERATION FIREWALL: ENABLING MULTILAYER DEFENSE

The fast-paced threat landscape has rendered many of today’s information security solutions obsolete. It is no longer possible to secure the business and network by using stand-alone firewalls that only block outside-facing threats.

The massive increase in web-based applications can help the productivity of businesses, but they often act as major attack vectors. Readily available encrypted tunneling protocols, if unmanaged, offer ideal backdoors for covert and malicious activities by employee insiders, attackers or botnets. The global resources of criminals, state-sponsored actors and hacktivists contribute to targeting the most valuable assets of every business. The combined targets: intellectual property, company and billing data, brand and reputation, user endpoints, access to network resources, and other fundamental threats to the company’s business model.

The gateprotect NP addresses all current and emerging network threats in a holistic manner that combines application identification, traffic management, anti-virus and malware filter, intrusion prevention system (IPS) and web filtering. The appliance uses a purpose-built, highly parallelized, context-aware, single-pass engine that allows multiple actions to be performed on the network traffic simultaneously while tracking each session’s context. This single-pass engine uses the combined intelligence of comprehensive signature databases for hundreds of applications, thousands of threats and millions of URLs to provide maximum network protection without compromising on firewall throughput.

The gateprotect NP full-validation whitelisting mode, which only allows positively identified and fully validated applications to pass, provides protection even against zero-day attacks.

Quality »Made in Germany«

Our next-generation firewall gateprotect NP has been developed entirely in Germany and bears the quality seal »IT Security made in Germany«. This protected trademark is granted to companies fulfilling the following requirements:
– Develops trustworthy IT security products in Germany
– No backdoors to access the products
– Security research and development is located in Germany
– Adheres to local data protection laws.


PRODUCT OVERVIEW GATEPROTECT NP

Specifications                      | NP-S50            | NP-M200           | NP-L500
Interfaces
  Ports (GigE + 10G + Mgmt)         | 5+0+1             | 8+0+1             | 15 + 0 + 1
System Performance*
  Firewall throughput (MBit/s)      | 100               | 1.500             | 6.000
  VPN throughput (MBit/s)           | 35                | 150               | 350
  UTM throughput (MBit/s)           | 75                | 750               | 3.000
  Concurrent sessions               | 50.000            | 350.000           | 2.500.000
  New sessions per second           | 15.000            | 100.000           | 300.000
  Max. VPN users                    | 50                | 400               | 1.200
  Max. zones                        | 25                | 50                | 100
Dimensions
  H x W x D (mm)                    | 44 x 426 x 320    | 44 x 430 x 436,5  | 88 x 430 x 547,6
  Weight (kg)                       | 4,5               | 10                | 18
Power
  Input voltage (V)                 | 90 – 240          | 100 – 240         | 100 – 240
  Full load power consumption (W)   | 100               | 250               | 600
Environmental
  Operating temperature (°C)        | 0 – 40            | 0 – 40            | 0 – 40
  Operating humidity                | 5 – 85 % at 40 °C | 5 – 85 % at 40 °C | 5 – 85 % at 40 °C

Specifications                      | NP-S100           | NP-M400           | NP-L800
Interfaces
  Ports (GigE + 10G + Mgmt)         | 5+0+1             | 8+0+1             | 11 + 2 + 1
System Performance*
  Firewall throughput (MBit/s)      | 200               | 2.000             | 8.000
  VPN throughput (MBit/s)           | 65                | 250               | 500
  UTM throughput (MBit/s)           | 140               | 1.000             | 4.000
  Concurrent sessions               | 100.000           | 700.000           | 5.000.000
  New sessions per second           | 25.000            | 150.000           | 500.000
  Max. VPN users                    | 100               | 600               | 2.000
  Max. zones                        | 25                | 50                | 100
Dimensions
  H x W x D (mm)                    | 44 x 426 x 320    | 44 x 430 x 436,5  | 88 x 430 x 547,6
  Weight (kg)                       | 4,5               | 10                | 18
Power
  Input voltage (V)                 | 90 – 240          | 100 – 240         | 100 – 240
  Full load power consumption (W)   | 100               | 250               | 600
Environmental
  Operating temperature (°C)        | 0 – 40            | 0 – 40            | 0 – 40
  Operating humidity                | 5 – 85 % at 40 °C | 5 – 85 % at 40 °C | 5 – 85 % at 40 °C

* System performance depends on application level and number of active VPN connections. We do not offer an express or implied warranty for the correctness /up-to-dateness of the information contained here (which may be changed at any time). Future products or functions will be made available at appropriate time.

gateprotect has been a leading, globally acting provider of innovative IT security solutions in the area of network security for more than ten years. The solutions developed in Germany comprise next generation firewalls with all commonly used UTM functionalities for small companies and the mid-tier, managed security systems for enterprise companies as well as VPN client systems for the interconnection of subsidiaries and home offices. Since 2013, gateprotect has also been offering »Complete Security«: effective real-time protection for networks and endpoints from one source. To quickly defend against targeted cyber-attacks and to assure permanent all-round protection for networks and devices, gateprotect has developed the eGUI® interface concept. The patented eGUI® technology is extremely easy to operate and demonstrably increases the factual security in companies by reducing operator errors. The gateprotect solutions comply with the highest international standards. Already in 2007, the company committed itself not to implement any hidden access ways in its firewalls. In March 2013, gateprotect’s firewall packet filtering core was certified in accordance with Common Criteria Evaluation Assurance Level 4+ (EAL 4+) at the Federal Office for Information Security (BSI). For the easy operability and comprehensive security of the UTM firewall solutions, gateprotect has been the first German company to be honored with the Frost & Sullivan Excellence Award. Since 2010, gateprotect has been listed in the renowned Gartner Magic Quadrant for UTM firewall appliances. gateprotect is a member of the industry association »TeleTrusT e.V.« and of the »Alliance for Cyber-Security« of the BSI. gateprotect is part of the Rohde & Schwarz group. The Rohde & Schwarz electronics group is a leading supplier of solutions in the fields of test and measurement, broadcasting, secure communications, radiomonitoring and radiolocation.

gateprotect GmbH Valentinskamp 24 20354 Hamburg | Germany Hotline Phone +49 (0) 40 278 850 Internet www.gateprotect.com
