The trouble with a better mousetrap is that it soon becomes yesterday's model: when you build security around a growing enterprise it is well to avoid obsolescence by adapting an EdgeForce appliance with its modular specification and performance.
EdgeForce is principally a hardware firewall, designed to provide security primarily for stations associated in a local area network as might be used by any small or medium size business. In addition it provides many other security services on an optional 'plug-in' basis, and the traffic speed and depth of services is tailored to the needs related to the size of the business. Users can start with the basic unit and advance to faster throughput and 'beefier' security measures as the enterprise grows, rather than have to anticipate future needs in detail
The additional features and extra performance of EdgeForce are, in most cases, inbuilt. When you wish to upgrade to match the needs of your system, you can contact the vendor and obtain a key license, which will upgrade EdgeForce while it is still in its rack. These additions are called FlexModules, and each offers both feature and performance boosts.
The EdgeForce firewall with Performance Module 1 enabled incorporates a flexible demilitarized zone (DMZ) via a third port. This gives the ability to host public servers (email, FTP and web for example) from behind the firewall. With this feature in play, non-authenticated access to servers behind the firewall can be granted, yet the private network itself is still completely shielded from the internet. In addition the DMZ stops private network users if they inadvertently try to put sensitive data on those servers that are accessible to the public.
Throughput rate through the firewall can be tailored to be 75, 100 or 150Mbps full duplex, supporting 16, 30 or 50 thousand sessions, vetted by 1,000, 2,000 or 4,000 policies. The base unit firewall supports 75Mbps, 16,000 and 1,000 policies. The 'professional' module adds a 20Gb hard drive and several extra features, including web caching and URL filtering. Even on the base unit there is no limit to the number of nodes, and static or dynamic, network address translation (NAT) or PAT modes plus transparency prevail. All internal IP addresses are secure within the firewall, and will not be compromised to the outside, even if NAT mode is used (where outside traffic can reach internal stations).
There are currently a full 28 methods of detecting denial-of-service (DoS) attacks. The manufacturer will update firmware to recognize newly discovered attacks. The firewall is said to support 'MAC-IP binding,' which means that MAC addresses are locked with network-assigned IP addresses, making source IP address spoofing (a technique often used in DoS attacks) virtually impossible.
Provided with the base EdgeForce unit is capability to handle 20 Mbps through a virtual private network. This enables up to 250 'tunnels,' being in essence secure 'holes' drilled through the firewall but not interacting with any other signals over the web, so that a remote station can function with exactly the same protections as a local station safe behind the firewall. Since traffic through a VPN tunnel is securely encrypted, the web or net on which it originates will not impinge on it - unable to interact with data in either direction. This enables portable stations (a laptop carried by a traveling representative, for example) to transact business with exactly the same authority and protection as enjoyed at stations directly attached behind the firewall.
The EdgeForce system even allows a remote station virtually to join the secure cluster of stations behind the firewall through VPN technology, and then allow it likewise safe access to the web which it has exploited as a medium. Thus the local network behind the EdgeForce firewall is safe; the data inside the firewall is ring fenced so that it is protected from signals beyond the firewall outside any VPN tunnel, and a remote station is safeguarded even as it connects with the external world, exactly as if it is within the cluster protected within the firewall. With Performance Module 1 VPN throughput rises to 30 Mbps through up to 500 tunnels, and with Performance Module 2 it rises to 40 Mbps through up to 1,000 tunnels.
Yet another feature improvement module incorporates McAfee's anti-virus engine onto the EdgeForce appliance, so that virus scanning is provided at the firewall point itself. This can be seen as an additional layer of security, quite apart from virus scanning already incorporated within the network inside the firewall.
Subject to the incorporation of the various modules, EdgeForce provides not only protection expected of a firewall but active resistance to DoS attacks and viruses entering from outside. The architecture of the firewall has in mind the commercial distributed business, with branches that need authorization to use databases secured at head office, and suits even the very small business with an acumen that is appropriate even to medium and larger enterprises. The FlexModule strategy - the security appliance upgraded in place as the business requires it - is an excellent approach that should in the long run save both time and money, and go a long way toward stemming anxiety.