SMARTrecover Framework — BASCOM's Enterprise Edition

In response to a critical need for Web access and onsite service hosting, BASCOM now offers its SMARTrecover Framework™ (SRF) for Frontera. This provides extra protection against network disruptions caused by unexpected hardware failures. By offering a seamless solution to critical connectivity interruptions, BASCOM's SRF immediately eliminates single points of hardware failure and maximizes uptime during sensitive system updates.

BASCOM's SRF is a high-availability solution that offers three levels of protection by:

• Switching to a "hot standby" appliance within 30 seconds to maximize uptime during a hardware failure.
• Preserving the previous day's data on the secondary appliance in case of corruption on the primary.
• Delaying software updates to the secondary appliance for a week and freezing its configuration data to save the state of the system prior to the release.

Express Exchange Warranty™

For hardware failures with notification to BASCOM by 12:00 noon Eastern Time, our three (3)-year Express Exchange Warranty guarantees delivery of a new appliance the following business morning. (Notifications after 12:00 noon Eastern Time cannot guarantee delivery of a new appliance the following day.) SRF provides a high-availability automated solution for maximizing Internet connectivity uptime for your enterprise-class, network installation. By enhancing BASCOM's award-winning Frontera with the SMARTrecover Framework, you can minimize the risk of using a complex, Internet access management system for your network.

Logging & Reporting

Frontera makes it easy for an Administrator or Technology Director to study how the Internet is being used. This logging and reporting tool also automatically archives log files for easier auditing and logs all access requests for a firewall rule from either inside or outside of a network. With Frontera you can access the following reports:

• Workstation Reports for analyzing Internet use for a workstation

• Profile Reports for locating a profile by specific criteria

• User Reports for finding individuals that are misusing the Internet

• Access Reports for analyzing Internet use by specific requests

• Firewall Traffic Reports

Reporting for LDAP-based Directory Services

Frontera is now able to integrate with LDAP-based directory services—such as Novell eDirectory or Microsoft Active Directory—to add User Names to reports.

Peer-to-Peer

Your network and its bandwidth are protected by the peer-to-peer blocking and monitoring capabilities of Frontera.

Peer-to-Peer Blocking

Protects a network and its bandwidth by restricting clients from running many distributed peer-to-peer file sharing and browsing programs. This allows the enforcement of your Internet Use Policies. It effectively detects most protocols, including: bittorrent, gnutella, edonkey, fasttrack, neonet, ares, and torpark.

Our protocol blocking monitors all traffic flowing from your network to the Internet. By examining the data, Frontera detects suspicious traffic from clients on your network. When this traffic is detected, Frontera restricts all Internet access on that client computer for five minutes. In addition, this access is logged so you can further review and identify chronic peer-to-peer violators.

Peer-to-Peer Monitoring

Frontera's peer-to-peer control monitors and logs activity, quietly logging access, but not blocking the access of violating clients. This provides the freedom of not restricting clients, while still maintaining the ability to administer network utilization.

TorPark/XeroBank

TorPark (now referred to as XeroBank) uses a modified version of FireFox, which routes its traffic through a worldwide distributed network of "onion" servers. These servers make Web requests on behalf of the TorPark browser—therefore not only distributing Web access, but also anonymizing the access in the process. This circumvents most front-line, Web content control. Incorporating TorPark control into Frontera's suite of detectable peer-to-peer protocols effectively fixes the security and policy issues that these browsing proxies and anonymizers introduce.
 

 

Authentication

Frontera provides flexible authentication options to accommodate most network architectures. The methods offered can be mixed and matched to work within many environments—all without reworking administrative philosophies.

IP-Based

• The simplest configuration permits access control assignments by a client's IP address. This allows access policies to be set across a large number of client computers.

Login-Based

• Frontera can be configured to require a login before permitting access. This login is directly tied to a profile, allowing a roving user to apply their Internet access settings to any computer on a network.

Directory Services Integration (Novell, Microsoft Active Directory)

• Access can be authenticated and controlled by utilizing the client's LDAP attributes. When a user logs into their computer, their identifying information is associated with the access control defined within Frontera's administrator interface. Access can be controlled by user or workstation name, or by the associated group or organizational unit.

Directory Services Logging and Reporting

• LDAP can also be used for access logging and reporting. Rather than "opaque" reporting of usage by IP address, utilizing the directory services feature permits reporting with more useful, descriptive names. Doing this requires no configuration or administration of directory services during installation; the login facility conveys a user's information automatically to Frontera's logging and reporting subsystem. Established components of a network's design are leveraged intuitively, without forcing the administration of access control into an "all or nothing" approach.

IP Multicast Support

Streaming of video, audio or other multimedia content from the Internet to multiple computers simultaneously can consume massive amounts of bandwidth. Frontera now supports PIM and IGMP multicasting. This enables it to receive a single video and then broadcast it to many computers on a network, thus saving huge amounts of bandwidth. However, multicasting requires support from your Internet Service Provider, and can only be enabled and configured by contacting BASCOM support.

Backup/Restore

Backup

• Every night, Frontera performs automatic, remote backup of all configuration files—including firewall rules, profiles, and network settings—and stores this data securely at BASCOM's Network Operation Center. This relieves technology staff of doing daily tape backups.

Restore

• For disaster recovery, a phone call to BASCOM's Technical Support staff is all that is needed to remotely restore Frontera using a private, inter-server, communication channel. A simple interface is used to restore backed-up data and Internet access. For hardware failures with notification to BASCOM by 12:00 noon Eastern Time, Monday through Friday, our three (3)-year Express Exchange Warranty guarantees delivery of a new Frontera appliance server the following business morning. (Notifications after 12:00 noon Eastern Time cannot guarantee delivery of a new appliance the following day.)

Integrated Web Cache

Frontera includes Web Caching for HTTP traffic (including YouTube videos). This speeds up Internet access by storing frequently used Web objects on the server.

Web caching is the ability for a server or computer to 'cache' or save Web pages and their individual elements onto its internal storage. When a Web surfer calls for the page, parameters determine whether it's more efficient to ask for the page from the original Web server over the Internet (takes more time) or directly from Frontera (saves time). In addition, a rudimentary check is performed to assure that the locally cached information is still valid. Since pages are served locally whenever appropriate, performance is improved using less expensive connection scenarios, saving bandwidth and access costs.

Flexible Setup

For ease of installation and to meet your networking requirements, Frontera is available in a variety of setup options. This flexibility includes the following configurations: Internet (2 or 3 Ethernet), Internet Gateway (PPPoE), Proxy Only, and Transparent Bridge (with or without firewall).

Internet Gateway (2 Ethernet)

• This Frontera includes a LAN firewall, Web caching, filtering, and the Virtual Administrator. It is compatible with many forms of Internet access, including ISDN, DSL, Cable, and T1 and works with an external router.

Internet Gateway (3 Ethernet)

• This Frontera requires the installation of a third network card. Depending on the system, this third network card may be pre-installed and provides a separate physical network. This network can be used as a DMZ for the protection of public servers such as a Web or an e-mail server, or it can be used as a separate internal network. For both networks (depending upon the setup), this Frontera includes the LAN firewall, Web caching, filtering, and the Virtual Administrator. This Frontera is compatible with many forms of Internet Access, including ISDN, DSL, T1 and works with an external router.

Internet Gateway (PPPoE)

• Point-to-Point Protocol over Ethernet (PPPoE) is used by some DSL-based ISPs to establish communications. If using a DSL line, check with the ISP to see if they use PPPoE. If they do use PPPoE, it must be enabled. Remember to remove any existing PPPoE routers on the network and plug the system directly into the DSL modem. This Frontera includes a LAN firewall, Web caching, filtering, and the Virtual Administrator.

Proxy Only

• In this configuration, the system is not in the direct path of network traffic. It sits adjacent to a router. The Web browser on each of the workstations needs to be configured with a proxy setting so that all Web requests are directed to the system. The DNS setting on each of the workstations also needs to be pointed towards the IP address of the system to properly resolve the system interface addresses. The system then performs Web caching and filtering. This Frontera also includes the Virtual Administrator.

Transparent Bridge

• In this configuration, Frontera is in the direct path of network traffic. All traffic flows through it, but only Web and DNS requests are intercepted. The system performs Web caching and filtering. This Frontera also includes the Virtual Administrator.

Transparent Bridge with Firewall

• In this configuration, Frontera is in the direct path of network traffic. All traffic flows through it. The system acts as a Web cache, filter and firewall. This Frontera also includes the Virtual Administrator.

Integrated Firewall

Frontera includes an integrated stateful firewall, providing robust network security that is managed through a simple Web interface. This deep-packet inspection firewall filters both inbound and outbound traffic. Since it is an affirmative firewall, all traffic into and out of the network must be explicitly allowed by the System Administrator.

Frontera actively logs blocked attempts against the firewall. These logs are available to BASCOM's Technicians. The firewall also actively monitors, blocks, and logs invalid login attempts. If there are too many invalid login attempts, the computer is blocked from further login attempts for 60 seconds. Doing this prevents most brute force, script-based attacks from interfering with your network.

Predefined Rules

• For ease of network deployment, BASCOM has provided numerous predefined firewall rules, allowing firewall settings to be defined with just a few clicks and keystrokes. Many common applications, such as Web servers, VNC, FTP, and H.323, are made available in the Predefined dropdown of the Add Firewall Rule page. With a single selection, the required rules for an entire application are added to a firewall.

VPN Pass-Through

• Within these predefined rules, BASCOM has defined VPN pass-through rules. This enables VPN connectivity without knowing the nuances of each port and protocol that's required to properly deploy it. Our VPN pass-through rules encompass popular VPN protocols, including IPSec, PPTP, and L2TP.

Locked Down by Default

• Frontera's firewall is completely locked down by default, restricting all communication in or out of your network. Improved management of a network and bandwidth are accomplished through explicit definitions that selectively permit access.

Temporary Rules

• Firewall rules can be enabled and disabled on demand, eliminating the need to constantly redefine infrequently-used rules.

Port Forwarding

• Frontera's firewall allows the definition of specific port forwards for applications that are not predefined.

Network Address Translation (IP Translation/Outbound)

• Frontera's firewall supports network address translation (NAT), further providing security and control over a network's resources.

Deep, Stateful Packet Inspection

• Frontera employs a stateful packet inspection (or SPI) firewall which actively tracks all inbound and outbound communication. This implementation is a quantum leap over traditional firewalls, leveraging today's available processing power to ease administration and security headaches. An initial connection is examined, and if allowed, is continually tracked by the firewall. Doing this provides two benefits. First, the firewall's rules are only referred to during the initial connection, which means that subsequent packets only need to be checked against the firewall's active connections and not against the rules, as the conversation has already been qualified. Finally, rogue, potentially malicious packets outside of the context of established, tracked connections are ignored—mitigating the risk of traditional firewall attacks. This powerful firewall tracking works equally well with connection oriented (TCP) and connectionless (UDP) protocols. In addition, Frontera deploys application-level filters at the packet level—utilizing deep packet inspection to dynamically detect and configure the firewall in response to the examined traffic.

Internet Filtering

Frontera provides customized Web site filtering using a number of disparate techniques. These techniques can be applied to various elements of your network in a customized and unique manner, depending on your needs. For flexibility when unrestricted Internet access is needed quickly, the filter can also be deactivated using a password. The following filtering techniques are utilized:

Dynamic URL Categorization

• Frontera comes loaded with a powerful Web site filter which automatically categorizes millions of sites in over 90 comprehensive categories. Access to these categories can be permitted or blocked, allowing it to be fine-tuned for each computer. This list is automatically updated by BASCOM, reflecting the continuous changes of Web sites and their content.

Real Time Proxy Detection

• In addition to categorizing known Internet proxies through our URL category list, Frontera examines suspicious-looking URLs to determine if the network client is attempting to circumvent its filter by use of a proxy. This dynamic detection is in addition to the category list, as proxy servers routinely are set up quickly, possibly prior to being categorized in the master list.

Safe-Search Mode

• Frontera can optionally enforce "Safe Search" levels within popular search engines. This allows the Safe Search option to be set on each local network client, regardless of how that client has attempted to set up their Safe Search level within their browser.

Safe-Search for Google Images and Search Engine Cache

• Frontera can also apply Web content filtering policies to Google's image search by examining the destination of the image thumbnails, further protecting users from inappropriate content that is otherwise difficult for traditional Web filters to detect.

File & Extension Blocking

• Frontera also permits selective blocking of specific files and file types. This provides control over the type of content clients can download. System Administrators can also set exception rules to allow specific files or file type downloads only from specific sites.

Streaming Media Blocking

• Blocks all types of streaming media, while allowing a user to selectively permit focused media content.

Select Viewing of YouTube Videos

• Although many educators want to use specific YouTube videos or channels for educational purposes, allowing the entire site may deliver inappropriate content. To address this need BASCOM recently announced its new Frontera Video Selector. This robust feature enables educators to safely allow a specific YouTube video or channel and its related page content, while blocking access to other videos.

• This feature streamlines a very difficult process for the user. Without this feature, the user would have to individually allow many links to aggregate the entire page. Since the YouTube site (www.youtube.com) employs a highly complex infrastructure that relies on many different servers for streaming content, building a single YouTube page requires intelligent URL inspection to examine each link required for the page. Frontera Video Selector performs this automatically to allow all necessary content for proper page display.

Instant Messenger Blocking

• Blocks most popular types of instant messenger clients on a profile basis.

Granular Web Site Control

• In addition to URL categorization, Frontera enables the built-in filtering techniques to be overridden by permitting a defined list of allowed or blocked exceptions. The granularity of this can be as wide as an entire domain name, or as narrow as a specific page. Each filter profile has its own list of custom allowed/blocked sites. For even more granular control, sites are categorized in multiple categories. If a site is blocked in one category, but allowed in another, a "trust" setting is available to always allow the site.

Block HTTPS Traffic

• This feature gives System Administrators the ability to filter access to all sites with encrypted Web traffic while also having the ability to allow specific encrypted sites. This provides another layer of protection from non-legitimate, https proxy sites.

Remote Frontera Administration

• System Administrators have the flexibility of securely managing Frontera from any location.

Mobile Filtering and Protection from External WiFi Signals

• Enforces your policy on your mobile devices when used off-network. Works with Apple iPad®, iPhone®, and iPod touch®; Mac OS® X (10.4.2 or later); and Windows® 32- & 64-bit XP/Vista/7. Prevents anyone using your mobile devices from dodging your filter through public WiFi or personal hotspots and protects your network by securing your mobile devices from malware and phishing sites.