
Secure your information exchange with ZoneGuard

ZoneGuard offers a tailored yet simple information-policy-based solution for organisations that need to enable secure, precise information exchange between different security domains.

ZoneGuard – secure transfer of correct and validated information

As your true asset is information, ZoneGuard is designed to focus on information security rather than network security. Securely transferring only correct and validated information, using an allowlisting approach, also takes care of network security in the cross-domain exchange.

ZoneGuard only forwards received information when it complies with your organisation’s information policy. The information policy implemented in ZoneGuard defines the accepted structure, format, types, values and even digital signatures, i.e. exactly how information has to comply.

Advenica ZoneGuard PE250

ZoneGuard PE250 offers future-proof, secure two-way information exchange that safeguards your assets at all times.

ZoneGuard Technology

Many existing systems and solutions are vulnerable to protocol or implementation errors. Potential vulnerabilities range from a flaw in a network protocol to applications not thoroughly tested for buffer overflow attacks. ZoneGuard’s ability to safeguard which information is transferred to and from a system provides unparalleled control and accountability of the entire critical information flow.

ZoneGuard Appliances

UDP/TCP Application

The UDP/TCP Application provides the means to carry data, of unspecified type and structure, between separated security domains in a controlled manner. The application, which supports one-way traffic, can be configured to support only UDP, only TCP or both.

 

Syslog Application

The Syslog Application provides the means to forward Syslog messages over the UDP or TCP protocol between separated security domains in a controlled manner. The application is compliant with the syslog standards RFC3164 and RFC5424 and consists of one server and one client. The server listens for syslog messages and tries to normalize them into a structure that follows the RFC5424 standard. The application supports multiple simultaneous sessions.
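As an added illustration of the normalisation step described above (example code, not Advenica's or ZoneGuard's own), the Python below parses either an RFC 3164 (BSD) or an RFC 5424 syslog line into one RFC 5424-shaped record and re-emits it in RFC 5424 wire format. A line that matches neither grammar is dropped rather than forwarded, which is the allowlisting behaviour a guard needs. The regular expressions, the `SyslogRecord` type and the sample lines are assumptions of this example, and both grammars are simplified: structured data is recognised but not parsed, and no year or timezone is guessed for an RFC 3164 timestamp.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified RFC 5424 grammar (assumption of this example):
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# Simplified RFC 3164 (BSD syslog) grammar:
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


@dataclass
class SyslogRecord:
    """One message in RFC 5424 shape, whichever format it arrived in."""
    facility: int
    severity: int
    timestamp: str
    hostname: str
    app_name: str
    procid: str
    msgid: str
    msg: str


def _split_pri(pri: int) -> Optional[tuple]:
    # PRI = facility * 8 + severity; facilities 0..23 give a maximum of 191.
    if pri > 191:
        return None
    return pri // 8, pri % 8


def normalize(line: str) -> Optional[SyslogRecord]:
    """Parse an RFC 5424 or RFC 3164 line into a SyslogRecord.

    Returns None for anything that matches neither grammar. Because '.' never
    matches a newline and '$' anchors the end, a payload carrying an embedded
    line break (one message trying to become two on the far side) is rejected.
    """
    m = RFC5424_RE.match(line)
    if m:
        parts = _split_pri(int(m.group("pri")))
        if parts is None:
            return None
        return SyslogRecord(parts[0], parts[1], m.group("ts"), m.group("host"),
                            m.group("app"), m.group("procid"), m.group("msgid"),
                            m.group("msg") or "")
    m = RFC3164_RE.match(line)
    if m:
        parts = _split_pri(int(m.group("pri")))
        if parts is None:
            return None
        # RFC 3164 has no year, timezone or MSGID: keep the timestamp text
        # as received and fill the missing RFC 5424 fields with the NILVALUE.
        return SyslogRecord(parts[0], parts[1], m.group("ts"), m.group("host"),
                            m.group("tag"), m.group("pid") or "-", "-", m.group("msg"))
    return None


def to_rfc5424(rec: SyslogRecord) -> str:
    """Re-emit a record as an RFC 5424 line (no structured data)."""
    pri = rec.facility * 8 + rec.severity
    return (f"<{pri}>1 {rec.timestamp} {rec.hostname} {rec.app_name} "
            f"{rec.procid} {rec.msgid} - {rec.msg}")


if __name__ == "__main__":
    # Constructed sample lines, one per format.
    for sample in (
        "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
        "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 "
        "[exampleSDID@32473 iut=\"3\"] An application event",
        "garbage that is not syslog",
    ):
        rec = normalize(sample)
        print("DROP " + sample if rec is None else "FWD  " + to_rfc5424(rec))
```

The design point is that the client side only ever transmits what `to_rfc5424()` builds from the parsed record; the original bytes are never relayed, so anything the parser did not understand cannot reach the other domain.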

Email Application

A versatile and powerful tool providing policy-based e-mail exchange across network boundaries. Messages, including attachments, pass through an information-centric content inspection in which only what you have explicitly permitted is allowed through: the inherent allowlisting lets permitted information be transferred and denies all other information.

File Transfer Application

In ICS/SCADA systems it is necessary to send reports and allow incoming firmware updates while preserving the system integrity. Defence organisations need to keep classified information within the security domain but still have to be able to release information to another system or security domain. The File Transfer Application handles both use cases, protecting integrity and confidentiality by allowlisting the information exchange and providing explicit control over files sent from or to a system.

Integration Application

Market and efficiency requirements mean that ICS systems, business networks and legacy systems are increasingly connected to each other, to the Internet or to other environments, often with little knowledge of current vulnerabilities. The Integration Application protects such integrations and enforces the organisational information policy 24/7, making digitalisation possible without reducing security.

Why do you need a ZoneGuard?

Enforces organisational IT policy on system integration

ZoneGuard is designed around separation of duties and a policy enforcement function. A digital signature is needed to change the information policy inside ZoneGuard. The keys for signing the information policy can be owned by an IT security department or another appointed policy approver. Changes cannot be done without these keys. The policy approver thus effectively takes superior control over information validation, ruling out the operational IT team and the users.

ZoneGuard also provides log control and audit trails. It can be configured to log any information entering its validation core, which is vital when you need evidence of compliance to policies and regulations.

How does a ZoneGuard work?

Advenica’s Security Gateway, ZoneGuard, allows for a strictly controlled two-way filtered information flow supporting third party controls for enforcing a digitally signed information policy. ZoneGuard uses filters in both directions and information is always controlled using full message inspection. The filter can allow information to pass depending on several factors e.g. source/destination addresses, file formats, attributes or the presence of a digital signature.

Read more about Security Gateways and how they work!

What does the ZoneGuard process look like?

When a message is sent from one system to another where both systems are connected to a ZoneGuard, information in the message received from one system is analysed according to configured rules. Approved parts of the received message are put into a new message which is sent to the intended receiver on the other system.

  1. Data is sent to one of the DATA ports on the ZoneGuard.
  2. The data packages are collected.
  3. The entire message is restored.
  4. The message is divided according to the loaded Service.
  5. The content is structured to fit the loaded Schema.
  6. Schema In will accept only correctly structured content.
  7. Pre-defined filter checks the content.
  8. Schema Out will accept only correctly structured content.
  9. The entire message is restored.
  10. The message is divided into data packages.
  11. The data packages are sent to the intended receiver.
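To make the process above concrete, here is an added Python example (example code, not ZoneGuard's software or its policy format) that runs steps 3 to 9 over a constructed JSON status report leaving an OT zone: restore the message, check it against a Schema In, apply a pre-defined filter, check the result against a Schema Out, and serialise a new message from the approved parts only. The policy (`SCHEMA_IN`, `SCHEMA_OUT`, `EXPORTABLE_UNITS`), the `FieldRule` type, `guard()` and the sample messages are all assumptions of this example.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Optional


class PolicyViolation(Exception):
    """Raised when a message does not comply; the guard then forwards nothing."""


@dataclass(frozen=True)
class FieldRule:
    type: type                                # exact Python type expected
    pattern: Optional[str] = None             # regex the whole str value must match
    values: Optional[FrozenSet[str]] = None   # enumerated allowed values
    min: Optional[int] = None                 # numeric bounds for int fields
    max: Optional[int] = None


# Constructed allowlist policy for a pump status report (illustrative only).
# Nothing that is not described here is accepted.
SCHEMA_IN = {
    "report_id":     FieldRule(str, pattern=r"[A-Z]{2}-\d{4}"),
    "unit":          FieldRule(str, pattern=r"P\d"),
    "pump_rpm":      FieldRule(int, min=0, max=3000),
    "status":        FieldRule(str, values=frozenset({"OK", "WARN", "FAIL"})),
    "operator_note": FieldRule(str, pattern=r"[ -~]{0,200}"),  # printable ASCII only
}
# Free text is the classic covert channel, so the outbound schema has no place
# for it: even if the filter forgot to drop it, Schema Out would reject it.
SCHEMA_OUT = {k: v for k, v in SCHEMA_IN.items() if k != "operator_note"}
EXPORTABLE_UNITS = frozenset({"P1", "P2"})


def validate(schema: Dict[str, FieldRule], doc: Dict[str, Any]) -> None:
    """Schema In / Schema Out: exact field set, exact types, per-field constraints."""
    if set(doc) != set(schema):
        raise PolicyViolation(f"field set {sorted(doc)} != {sorted(schema)}")
    for name, rule in schema.items():
        v = doc[name]
        if type(v) is not rule.type:          # 'is not': a bool must not pass as int
            raise PolicyViolation(f"{name}: wrong type")
        if rule.pattern is not None and re.fullmatch(rule.pattern, v) is None:
            raise PolicyViolation(f"{name}: does not match pattern")
        if rule.values is not None and v not in rule.values:
            raise PolicyViolation(f"{name}: value not allowed")
        if (rule.min is not None and v < rule.min) or (rule.max is not None and v > rule.max):
            raise PolicyViolation(f"{name}: out of range")


def content_filter(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Pre-defined filter: decides which approved parts may cross, and copies only those."""
    if doc["unit"] not in EXPORTABLE_UNITS:
        raise PolicyViolation(f"unit {doc['unit']} is not cleared for export")
    return {k: doc[k] for k in SCHEMA_OUT}    # a new dict; nothing else is carried over


def guard(raw: bytes) -> bytes:
    """Steps 3-9: restore the message, Schema In, filter, Schema Out, new message."""
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise PolicyViolation("message is not well-formed JSON")
    if not isinstance(doc, dict):
        raise PolicyViolation("message is not an object")
    validate(SCHEMA_IN, doc)
    approved = content_filter(doc)
    validate(SCHEMA_OUT, approved)
    # The receiver gets a message serialised from the approved parts only,
    # never the original bytes, so unparsed input can never be relayed.
    return json.dumps(approved, sort_keys=True, separators=(",", ":")).encode("utf-8")


def try_guard(raw: bytes) -> Optional[bytes]:
    """Convenience wrapper: None means the message was denied."""
    try:
        return guard(raw)
    except PolicyViolation:
        return None


if __name__ == "__main__":
    # Constructed sample: accepted, then denied because of a free-text-only change of unit.
    good = b'{"report_id":"AB-0001","unit":"P1","pump_rpm":1450,"status":"OK","operator_note":"routine"}'
    bad = b'{"report_id":"AB-0001","unit":"P3","pump_rpm":1450,"status":"OK","operator_note":"routine"}'
    print(try_guard(good))
    print(try_guard(bad))
```

Note that the filter and both schemas are data that a policy approver could sign and load, while the code itself never needs to change for a new message type; that is what lets policy ownership sit with the approver rather than with the operations team.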

Some security challenges where ZoneGuard is a good solution

Secure remote access

Many organisations depend on remote access through RDP, for example, to allow suppliers to perform maintenance, or so that operating personnel can monitor and control a system. Secure remote access solves many of the security risks that are otherwise associated with such solutions. Read more about secure remote access.

Secure IT/OT integration

Digitalisation means that IT and OT systems are connected. This integration presents security challenges and requires special solutions. Read more about secure IT/OT integration.

Secure transfer of SCADA information

Transmitting critical information, e.g. from a SCADA system to an administrative office network, carries potential security risks. But there are solutions that take care of the security problems while still enabling an exchange of information. Read more about secure transfer of SCADA information.

Security Gateways

Here are some frequently asked questions about our Security Gateways!

What is a Security Gateway?

A Security Gateway, also sometimes called a Data Guard or Information Exchange Gateway, is a device that controls the information exchange that takes place between different security domains. Advenica's Security Gateway is called ZoneGuard. Read more about Security Gateways.

What is the difference between a Security Gateway and a firewall?

A bidirectional Security Gateway can be compared to a firewall because it regulates what traffic can enter and exit a network. A comparison to explain the difference between a Security Gateway and a firewall is to visualise an airport. The firewall would be the check-in counter where a simple check is performed, for example identity and ticket check. A Security Gateway would be the security checkpoint where you are scrutinised more, your bags are searched, you go through a body search and so on. Another way to describe it is that a firewall focuses on the traffic between two domains while a Security Gateway focuses on the information itself that is to pass.

What is the difference between a Security Gateway and a data diode?

A data diode is the most obvious and most simple option with high security if you need a unidirectional information flow, while a Security Gateway can handle two-way data communication in a secure manner. Another difference is that a data diode handles traffic while a Security Gateway handles information flows. Read more about Data diodes!

What is the difference between a Security Gateway and a proxy solution?

Our Security Gateway, ZoneGuard, has a unique internal segmentation feature that moves information between segments in a controlled manner. A proxy solution sits between one or more clients and one or more servers, where it presents itself to the clients as if it were the server and vice versa. This lets you decide which server will receive the traffic, and also protects the servers against various types of attacks. A Security Gateway is more focused on the information content and on information control.

Security Gateways are expensive, aren't they?

The word "expensive" is a relative term if a Security Gateway is only seen as a cost. Actually, a Security Gateway is an investment that can be cheaper in the long run than if you choose not to buy it. It's all about the alternative cost in case you get breached and have insufficient security. Determine your risk appetite (and perhaps do a ROSI calculation – see below) and then decide to invest or not.

How to calculate ROSI (Return on Security Investment)?

Calculating ROSI means working out what a lack of security can cost and which solutions are the most cost-effective, so that you know how much to spend on security. Read more about how to do it (in an article about another security product) here!

What is the delivery time?

We generally have very short delivery times and can usually deliver your products within a week.

What are the options?

If you need data communication in two directions, a Security Gateway is a secure solution as a Security Gateway only forwards received information when it follows a certain policy derived from your organisation's information security policy. If, on the other hand, you need a unidirectional data communication flow, a data diode is the most secure option. A data diode guarantees unidirectional separation between the networks. It consists of optical fiber with a transmitter on one side and a receiver on the other, with absolutely no risk of two-way transmission. Read more about Data diodes!

Do you control your production, including all components?

Advenica offers cybersecurity solutions that meet the highest security requirements. Our product development differs in many ways from traditional development as our customers demand that we can show that our solutions offer security with a high level of assurance. This can only be achieved if all work can be reviewed and evaluated. We therefore develop and manufacture the vital parts of our solutions in-house to ensure the highest level of security (high assurance). For our Security Gateway, this means that we use hardware that we have checked and in the case of software, we check and verify it so that we can take full responsibility for it throughout its life cycle. We ensure IT security, protection of development and production environments, perimeter security in the premises and access to a reliable, security-cleared and security-aware workforce. We design the products so that as few components as possible are vital from a security perspective and that these parts can be assembled and delivered under our own control. We carry out the configuration and final inspection ourselves on our premises with our own staff and under strict supervision. Read more about our high security product development in our White Paper.

Certifications and approvals

Advenica solutions have been awarded several prestigious approvals by the European Union, national certification bodies and international IT security certification bodies. We also hold a US patent for our VPN technology, Three Domain Separation.

Warranty

Advenica warrants that this product will be free from defects in material and workmanship for one (1) year from the date of purchase.