Secure your information exchange with ZoneGuard
ZoneGuard reduces potential attack vectors by validating the information exchange between your security domains. ZoneGuard can also be the trusted point-of-contact when you need to share information with another organisation.
Content based attack protection
ZoneGuard PE250 offers future-proof secure two-way information exchange that always safeguards your assets.
Your information policy, implemented in a ZoneGuard, defines accepted structure, format, types, values, and digital signatures. An allowlisting approach begins with security and adds granular control over your information flow.
Key features
ZoneGuard is a gateway for controlled information exchange between security domains. ZoneGuard ensures that your organisation’s information policy is enforced on every transfer, leaving an audit trail as evidence.
Validation
ZoneGuard validates that your network protocol follows official standards.
ZoneGuard can also be configured for XML validation based on your XML Schema Definition (XSD).
HTTPS gateway
HTTPS is the most common protocol for transferring data over the ZoneGuard.
Built-in support for TLS Client Certificates ensures that only authorised clients can reach the ZoneGuard.
Filter
ZoneGuard filters information based on properties such as the HTTP method (POST, GET, PUT, DELETE), checks that values are within range, verifies signatures, etc.
It is easy to allow a specific URL while blocking others.
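A minimal sketch of the default-deny allowlisting described above, added here as an illustration; it is not ZoneGuard code or its policy format, and the policy entries, paths and field names are constructed for the example.

```python
import re

# Hypothetical policy (constructed, not ZoneGuard's policy format): each allowed
# (method, path) pair maps to the integer fields it accepts and their ranges.
POLICY = {
    ("GET", "/api/v1/status"): {},
    ("POST", "/api/v1/setpoint"): {"temperature": (10, 90)},
}
STRICT_INT = re.compile(r"-?[0-9]{1,9}")  # rejects whitespace, '+', non-ASCII digits
AUDIT_LOG = []  # one record per decision, allowed or not


def check_fields(allowed_fields, params):
    """Validate params against one rule; return (allowed, reason)."""
    # Fields the rule does not name are rejected rather than ignored.
    unexpected = sorted(set(params) - set(allowed_fields))
    if unexpected:
        return False, f"unexpected field: {unexpected[0]}"
    for name, (low, high) in allowed_fields.items():
        raw = params.get(name)
        if not isinstance(raw, str) or not STRICT_INT.fullmatch(raw):
            return False, f"missing or malformed field: {name}"
        if not low <= int(raw) <= high:
            return False, f"field out of range: {name}"
    return True, "ok"


def evaluate(method, path, params):
    """Default-deny decision for one request; always writes an audit record."""
    rule = POLICY.get((method, path))  # exact match only, no prefix or pattern
    if rule is None:
        allowed, reason = False, "no matching rule"
    else:
        allowed, reason = check_fields(rule, params)
    AUDIT_LOG.append({"method": method, "path": path,
                      "allowed": allowed, "reason": reason})
    return allowed, reason
```

Anything the policy does not name is dropped, including an allowed URL requested with a different method or with an extra field, and denied requests are logged alongside accepted ones.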
Services
While HTTPS support provides ease of use for protecting most modern web applications, the ZoneGuard can be extended with services to support more protocols, e.g. email, file transfer and more.
Appliances
The PE250 ZoneGuard is a pre-configured 1U 19” device optimized for the ZoneGuard system.
The ZoneGuard system can also be hosted as a virtual machine for ease of integration in your existing data center.
Cross Domain Solutions
Segmenting your network into separate security domains is a vital strategy to lower the risk of an attack causing a major outage or a leak of sensitive data, as recommended by SE NCSC.
With ZoneGuard you can disconnect your security domains while maintaining a two-way communication channel for selected information.
Read more about Cross Domain Solutions and the security principles behind ZoneGuard at UK NCSC.
Security Gateways
Here are some frequently asked questions about our Security Gateways!
What is a Security Gateway?
A Security Gateway, also sometimes called Data Guard or Information Exchange Gateway, is a device that validates the information flowing between different security domains. Advenica provides this functionality in a product named ZoneGuard. Read more about Security Gateways
What is the difference between a Security Gateway and a firewall?
The ZoneGuard filters data in the application layer. This means that it’s possible to control the information flow with high granularity.
A traditional firewall acts on data in the transport layer. While good at handling a dramatic denial of service attack, the firewall is often limited to block access to hosts or services on specific IP addresses or ports.
An attack where your most valuable information is quietly stolen through an unpatched vulnerability in one of your services can pass unnoticed through the firewall for weeks or even years. A ZoneGuard lowers the probability of such a scenario by orders of magnitude.
The ZoneGuard can be combined with a firewall for additional layers of security.
What is the difference between a Security Gateway and a data diode?
The ZoneGuard is bidirectional, and filters data based on information transferred in the application layer. The bidirectional information flow means that the ZoneGuard can be used to query a database or acknowledge that submitted data has reached its destination.
A data diode has a uni-directional transportation layer with no data flow in the other direction. With a data diode you can be certain that information is only flowing in one direction.
The ZoneGuard can be combined with a data diode for additional layers of security.
Read more about data diodes!
When do I need a ZoneGuard?
A ZoneGuard is useful when you want to connect two security domains while maintaining granular control over the information flow.
The domains could be two networks within your own organisation, separating IT from OT. ZoneGuard can also be used as a trusted point of contact when sharing sensitive information with another organisation through a VPN tunnel.
Has the ZoneGuard been certified by a third party?
The ZoneGuard has been rigorously tested by Advenica together with our customers. But so far, most of the customers have asked to remain undisclosed and thus Advenica can’t share their evaluation protocols.
Security Gateways are expensive, aren't they?
The word "expensive" is a relative term if a Security Gateway is only seen as a cost. Actually, a Security Gateway is an investment that can be cheaper in the long run than if you choose not to buy it. It's all about the alternative cost in case you get breached and have insufficient security. Determine your risk appetite (and perhaps do a ROSI calculation – see below) and then decide to invest or not.
What is the delivery time?
We generally have very short delivery times and can usually deliver your products within a week.
What are the options?
If you need data communication in two directions, a Security Gateway is a secure solution, as it only forwards received information when it follows a certain policy derived from your organisation's information security policy. If, on the other hand, you need a unidirectional data communication flow, a data diode is the most secure option. A data diode guarantees unidirectional separation between the networks. It consists of optical fiber with a transmitter on one side and a receiver on the other, with absolutely no risk of two-way transmission. Read more about Data diodes!
How to calculate ROSI (Return on Security Investment)?
Calculating ROSI is about calculating what the lack of security can cost and what the most cost-effective solutions are, so that you know what to spend on security. Read more about how to do it (in an article about another security product) here!
Do you control your production, including all components?
Advenica offers cybersecurity solutions that meet the highest security requirements. Our product development differs in many ways from traditional development as our customers demand that we can show that our solutions offer security with a high level of assurance. This can only be achieved if all work can be reviewed and evaluated. We therefore develop and manufacture the vital parts of our solutions in-house to ensure the highest level of security (high assurance). For our Security Gateway, this means that we use hardware that we have checked, and in the case of software, we check and verify it so that we can take full responsibility for it throughout its life cycle. We ensure IT security, protection of development and production environments, perimeter security in the premises and access to a reliable, security-cleared and security-aware workforce. We design the products so that as few components as possible are vital from a security perspective and so that these parts can be assembled and delivered under our own control. We carry out the configuration and final inspection ourselves on our premises with our own staff and under strict supervision. Read more about our high security product development in our White Paper.
“This is a really neat way to manage sensitive information that I personally think more businesses should consider. As usual with Advenica, the documentation is really good and provides plenty of support for both setup, operation, security routines and development of policies and services. If you don’t want to do anything too complex, you can get started relatively quickly, although the policy part of course requires a little more work compared to a firewall or a network diode.”
OT security expert, about Advenica's ZoneGuard