A-Real Consulting: ICS Internet Gateway

Product
Developers: A-Real Consulting
Last Release Date: 2014/11/20
Technology: Information Security - Antiviruses, Information Security - Antispam, Information Security - Firewalls, Information Security - Information Leakage Prevention

Content

The "Internet Control Server" Internet gateway is a universal gateway with tools for protecting the corporate network, accounting for traffic, controlling access, deploying mail, proxy, file, web and jabber servers, and organizing IP telephony. It is used as a universal system for managing any Internet connection.


The Internet gateway is a hardware and software complex for organizing access to an external network (Internet) from a local network. This is one of the system administrator's working tools that allows him to control traffic accounting and employee access to the external network.

The Internet gateway provides the ability to distribute access to users, record traffic, restrict access for individual users or groups of users to resources on the Internet. The gateway can include a proxy server, firewall, mail server, shaper, antivirus, and other network utilities.

The Internet gateway can run on one of the local machines of the network, under the control of a virtualization system or on a separate server. It can be installed as software on a machine with a working operating system, or on an empty computer with a full installation of its own operating system.

Scope of Use

Applicable in networks of various topologies as a universal traffic counter. It can be managed by a system administrator of any skill level.

Purpose and audience

Internet Control Server is a solution that is suitable for use by individual entrepreneurs, private organizations, educational institutions, state and municipal structures. At the moment, ICS is used by more than 7,000 customers in Russia and the CIS countries.

Overview of capabilities

Any network needs protection and control, and a corporate network in particular. In addition to carrying traffic, the corporate network also runs a number of services such as telephony, mail, messaging and much more. In this situation, the best option is a comprehensive software product that combines almost all the functionality a corporate network needs, a kind of "multitool" or "Swiss Army knife". One such solution is the Internet Control Server (ICS) corporate network gateway, developed by the Russian company A-Real Consulting.

ICS functions

NAT

The solution includes an address translation service - NAT. Internal interfaces define communication with computers on the enterprise's local network, and external interfaces define communication with Internet or other external network providers. In most cases, the NAT service is configured on the external interface to translate internal addresses to external addresses. Since the internal computers of the network are not visible from the outside, NAT also helps protect the network.

After configuring the network interfaces, the next step of the administrator is to connect and configure the main services. The most commonly used of them are DNS, DHCP and proxy servers.

In terms of network services, the solution provides the following functionality:

  • Routing
  • Proxy
  • Network Address Translation (NAT)
  • Name Server (DNS)
  • Dynamic Network Configuration (DHCP) Service
  • ICQ-Bot (Notifications on ICQ)
  • Working with multiple providers
  • Works with VLAN and DMZ
  • PPPoE\PPTP VPN Support for Users
  • Wi-Fi operation in client and access point modes
  • GRE\IPIP VPN Tunnels with IPSEC PSK Encryption
  • OpenVPN-tunnels

Access control in ICS

  • Name/Password Authorization
  • IP Address Authorization
  • Domain Controller Authorization
  • VPN Authorization (PPTP, PPPoE, RADIUS)
  • Agent Authorization
  • Login/password authorization in the browser
  • Terminal Server User Authorization
  • Layer 7-filtering
  • Content filtering using SkyDNS
  • Content filter
  • User roles when working with ICS
  • User and Group Management
  • Delimiting Group and User Access
  • IP Access Restriction: Host Port
  • URL Access Restriction
  • Web authorization (captive portal)
  • Traffic prioritization lets individual traffic categories (e.g. VoIP, SSH) pass with the lowest delays
  • You can now set multiple time ranges and days of the week for rules and profiles
  • Quotas by day, week, month may be limited to address and port ranges
  • Importing Users from LDAP
  • Blocking sites by categories: dating sites, entertainment, etc.
  • IPIP, GRE, and IPSEC tunnels. OpenVPN
  • Prevent users from changing the address without permission

Traffic control

High-quality traffic control and accounting is necessary, first of all, for organizations whose employees have access to the Internet. Internet traffic counters allow continuous monitoring of incoming and outgoing data.

Network services

The most complete set of the best network tools and services in the Internet Control Server is logically and clearly integrated into a single system. The main direction of development of the Internet Control Server is the creation and integration of various server and service functions that make the operation of the corporate network more manageable and less time-consuming.

The Internet Control Server can replace many of the devices needed to support a network. It is a full-fledged router on which a number of functions operate:

  • The proxy server allows you to obtain detailed statistics on user requests to WWW servers, block user access to certain URLs, optimize Internet operation by caching requests, which ultimately allows you to achieve 10-30% savings in traffic consumption.

  • Mail server supports multiple domains and unlimited mailboxes
  • Supports mail redirection rules, such as sending incoming mail to multiple recipients or duplicating all outgoing mail to a mailbox
  • The scheduled mail collector receives mail from a remote POP3 server and puts it into mailboxes
  • Multilevel antispam with RBL support
  • Mail antivirus detects and deletes mail messages with viruses (ClamAV and DrWeb antiviruses are supported)
  • Support for gray lists reduces the amount of incoming spam and saves traffic
  • Blacklists and whitelists allow you to control access to the mail server
  • Roundcube Web Interface
  • Mailing
  • Web mail is integrated with the system address book and other benefits


Built-in web and FTP servers

FTP is a protocol for transferring files to the ICS; it lets you place files on the server and make them accessible over the network. Anonymous login and login/password authorization are supported. You can set different access rights for users.

Your own web server helps you organize an enterprise site, host a web server on the Internet, create an internal server only for company users, or run a set of virtual servers for clients.

  • Supports unlimited virtual domains
  • PHP 5.2 with major extensions
  • MySQL 5
  • other functions

Built-in file server

Through Windows Network Environment


Fax to e-mail

Telephony Tunnels - If your organization uses multiple IP telephony servers, you can link them using IP or IAX tunnels. There is a call queue.


JABBER-SERVER

With it, you can organize instant messaging both inside and outside the enterprise network. For ICQ users, support for dedicated transports is implemented, with the ability to monitor all correspondence.

Owncloud App

  • A system for organizing storage, synchronization and exchange of data hosted on external servers, similar to the Google Docs and Dropbox services.
  • Network Address Translation (NAT). With only one routed address on the external interface, it lets you place as many computers as you like inside the local network. NAT also helps protect the network, since the internal computers of the network are not visible from the outside.
  • DNS Name Server. Allows you to use the ICS both as a caching DNS server and as a server responsible for a domain. You can create zones, add records about computers and servers to them, and edit information.
  • The DHCP server allows you to add new computers to the network. The DHCP server will automatically give the computer all the information necessary to work on the network (IP address, mask, router, DNS server).
  • Monitoring the status of the Internet connection - collecting statistics on the availability of the service provided by the provider. It is implemented through periodic ICMP ECHO REQUEST packets for several addresses critical to corporate network users. Creates graphical and text reports that can be used to present service quality claims to the provider.
  • Alerting the administrator about emergency situations. If errors occur in the operating system or Internet Control Server components, or in the event of Internet connection failures, suspected virus infection of an internal node, etc., the Internet Control Server sends an error message to the specified e-mail address and an SMS message to the specified cellular phone number. You must be connected to the Internet to complete these steps.
  • Monitoring the state of the Internet Control Server itself. Allows the user to obtain information about what is happening with the Internet Control Server itself and prevent possible problems. This subsystem generates graphical reports on disk occupancy, physical memory occupancy, file descriptor occupancy, virtual memory occupancy, processor load and number of network connections.
  • On-line updates

Network and Personal Data Protection

ICS firewall, built-in Dr.Web antivirus, Kaspersky Antivirus, Kaspersky Antispam, ClamAV, inbound and outbound filtering, DLP module (confidential information leak protection module), ICQ message tracking system, NAT protection, RAID-1 support, DMZ, Snort intrusion detection system.

VPN server

NAT function for port and VPN redirection, simple authorization, dynamic addressing, automatic creation of routes to a remote network for tunnels.

Content filter

SkyDNS content filtering that complies with Federal Law No. 139 and Federal Law No. 436, constant updating of the Roskomnadzor and Ministry of Justice lists, FSTEC certification.

IP-telephony

Allows you to organize a full-fledged IP telephony gateway for your organization with the ability to filter and redirect incoming and outgoing calls. The SIP and IAX protocols are supported.

File and Web Server

A file server with access over HTTP, FTP and the Windows network environment (CIFS), and a data store based on the reliable ZFS system with RAID-0/1 support and fault protection; a full-fledged web server with PHP and MySQL support and an unlimited number of websites.

Mail and jabber

Proxy server, mail server, DNS, DHCP, Web, FTP, IPSEC encryption, linking remote offices to a single network.

2013

Integration with Zecurion Zgate DLP system

On October 1, 2013, Zecurion announced the integration of the Zecurion Zgate and the ICS Internet Gateway.


Details

Zecurion and A-Real Consulting have integrated the Zecurion Zgate leak protection system and the Internet Gateway Internet Control Server (ICS). This significantly expanded the capabilities of ICS with Zecurion Zgate functionality. More than 10 specialized technologies analyze the contents of forwarded messages, classify information and identify its confidential component.

"Now, with the help of Zecurion Zgate, the ICS Internet gateway can control messages sent through mail, social networks, job search services, Internet instant messengers and other information channels," said Maxim Nikulin, Development Director of Zecurion. "We are confident that the new ICS functionality will significantly increase interest in this product from potential customers."

"We are pleased to announce that the Internet Control Server has the opportunity to work with the Zecurion Zgate DLP system," said Alexey Guskov, head of the A-Real Consulting development department. "Using Zgate in conjunction with ICS significantly increases network security and provides the highest level of control over the circulation of confidential information."

2014

Development of the system

On November 20, 2014, it became known that the ICS Internet Gateway system had been certified by FSTEC [1].

Screenshot of ICS software

Deployment Details

The ICS system is deployed to control the perimeter of the corporate network, protecting it from the outside and controlling it inside. It protects the corporate network from malware and spam, accounts for traffic, and helps manage access, organize IP telephony based on Asterisk, and deploy mail, proxy, file, web and jabber servers.


Updated features

  • The solution is based on the open FreeBSD 9.2 system, combined with configured services under one interface. The ICS supports a sufficient number of communication channels with the outside world:
    • wired,
    • wireless (Wi-Fi),
    • 3G modem.

  • The ICS can connect to VPN servers and can act as a VPN server itself.

  • The ICS has an ARP table, DHCP, port redirection, routing table, firewall, network utilities. Among the utilities: ping, trace, DNS polling, WhoIs, sniffer, channel speed test, network scanner.

  • The product includes a flexible system for preparing reports on network usage, covering use of the network by employees and users, user traffic, site visits, visit times and durations. A total of 15 pre-installed reports are provided, not counting additional ones that can be created using the designer.

  • The ICS uses antivirus and antispam modules from Kaspersky Lab. They provide a high level of detection and neutralization of viruses, Trojans, rootkits, malware, spam.

  • ICS detects various types of network attacks from outside by analyzing traffic using a set of automatically loaded rules. If destructive activity is detected, the gateway interrupts the data transfer and makes a corresponding note in the log.

  • To protect confidential information, the ICS uses a DLP (Data Leak Prevention) filter, which analyzes web and mail traffic. It filters text and files, both text files and other types, and serves as protection against insiders.


Purpose and audience

The ICS Internet Gateway is aimed at heads of information departments and IT specialists whose work involves ensuring the uninterrupted functioning of the corporate network and the protection of personal data and information.

Notes

  1. Based on materials from www.cnews.ru/reviews/index.shtml?2014/11/20/589914