InZero Gateways are “secure by design” and feature the highest level of malware resistance:
- Dual firmware – configuration mode and ready mode:
  - Network connectivity unavailable in configuration mode
  - All changes are digitally signed; signature key available only in configuration mode
  - Physical confirmation required to change settings
  - No administrative privileges after booting in ready mode
- Automated OS enhancements:
  - Application isolation on hardware level – cross-application attack prevention
  - Stack overflow prevention
  - Read-only flash memory OS protection
  - Separate chip with protected memory storage for secret encryption key
- Watchdog application protection:
  - Continuously pings all applications running on the InZero Gateway to verify that they are still running and have not been modified; if needed, restarts the application from read-only memory
- Audit – various levels of system audit:
  - Log keeping
  - Ability to create a duplicate of the local log on a centralized Audit/IDS server (SYSLOG and encrypted SYSLOG protocols)
Connecting a PC to the network through the InZero Gateway enables powerful security mechanisms:
- Hardware application sandbox:
  - Protected network applications: Browser * Chat * VoIP
  - Protected applications: Document Editor * Spreadsheet Editor * Presentation Editor * PDF * Images
  - Connection between host PC and InZero Gateway uses internal drivers – not a network protocol. Therefore, the user is provided with Internet access without active network adapters on the host PC
- Protected data exchange:
  - Clipboard control – control over copy and paste functions between host PC and InZero Gateway
  - Protected file exchange – filtering and conversion of files between host PC and InZero Gateway based on file type and user policy:
    - Disallowed file type – automatically removed
    - Trusted file type – allowed to pass through
    - Untrusted file type – converted to safe format and/or encrypted and opened within protected storage on the InZero Gateway
  - Protection from USB viruses – both activation (from USB to PC) and propagation (from PC to USB)
- Protected mail proxy:
  - Hardware-based physical confirmation for outgoing mail
  - Three options for attachment processing, depending on file type:
    - Disallowed file type – automatically removed
    - Trusted file type – allowed to pass through
    - Untrusted file type – converted to safe format and/or encrypted and opened within protected storage on the InZero Gateway
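The three-way file-type policy described above for both file exchange and mail attachments (disallowed: removed; trusted: passed through; untrusted: converted and opened in protected storage) can be illustrated with the following added example. It is not InZero's implementation: the policy table, the magic-byte signatures and the stand-in "conversion" are constructed assumptions, and the extension/content mismatch check is a defender's detail the page does not spell out.

```python
import hashlib

# Constructed stand-in for a "user policy": file type -> one of the three actions
# named on the page. Unknown types fall back to "convert" (treated as untrusted).
POLICY = {
    "exe": "remove",   # disallowed type: never crosses the host/gateway boundary
    "txt": "pass",     # trusted type: passed through unchanged
    "pdf": "convert",  # untrusted type: converted / opened in protected storage
    "docx": "convert",
}

# Constructed magic-byte signatures used to check that content matches the claimed type.
MAGIC = {
    "exe": (b"MZ",),
    "pdf": (b"%PDF-",),
    "docx": (b"PK\x03\x04",),
}

def classify(filename, data):
    """Return "remove", "pass" or "convert" for a file crossing the boundary.

    The extension selects the policy entry, but the decision is checked against
    the content: when magic bytes contradict the extension, the policy of the
    real type applies, and a mismatch is never allowed to "pass" on its name.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    action = POLICY.get(ext, "convert")
    real = next((t for t, sigs in MAGIC.items()
                 if any(data.startswith(s) for s in sigs)), None)
    if real is not None and real != ext:
        action = POLICY.get(real, "convert")
        if action == "pass":
            action = "convert"
    return action

def process(filename, data):
    """Apply the policy; returns (action, payload) where payload is what the
    receiving side would actually get (None when the file is removed)."""
    action = classify(filename, data)
    if action == "remove":
        return action, None
    if action == "pass":
        return action, data
    # Stand-in for conversion to a safe format: the original bytes are wrapped
    # in a record (with a content hash) that only the protected viewer opens.
    return action, {"original": filename,
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "safe_copy": data}
```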
- Stateful inspection firewall:
  - Enables traffic filtering according to:
    - Protocols
    - IP addresses and ranges of IP addresses
    - Ports
    - Traffic direction (incoming/outgoing)
  - Enables advanced traffic routing
  - Enables DNAT, SNAT, masquerading
- Cacheless proxy server:
  - Supports whitelisting and blacklisting
  - Supports import/export of whitelists and blacklists
  - Filters HTTP/HTTPS traffic
Secure domain mode enables remote policy administration:
- Heartbeat technology: the InZero Gateway initiates the connection with the InZero Management Server to check for updates; therefore it has no allowed incoming connections – all ports are closed
- All policies are digitally signed with an X.509 certificate
InZero Security Platform features powerful VPN capability:
- VPN tunnels supported: SSL, IPSec
- Encryption protocols: AES-256, AES-128, 3DES
- Digital signature: RSA-1024, SHA-256, SHA-1, MD5
- Full compatibility with X.509 certificates
- Protected memory storage for secret encryption keys
- Real-time clock to control and verify certificate expiration dates
- Ability to create protected virtual networks based on InZero Gateways
- 10-click point-to-point VPN between all InZero Gateways within the organization’s domain
- Each InZero Gateway can act as a server or a client in the VPN setup stage
- VPN servers can have a dynamic IP address
- Authentication and access control based on X.509 certificates:
  - Per specific certificate
  - Filtered based on certificate field (“Accounting”, “London”)
  - Based on domain