Firegate™ Overview
Purpose of This Document
This document provides a technical overview of the Firegate™ network security appliance, including its architecture, operating principles, enforcement model, and deployment scenarios.
For installation instructions, refer to the Installation Guide.
For detailed configuration and rule behaviour, refer to the Security Architecture section.
1. Introduction
Firegate™ is a hardware-based inline network security appliance developed by QuantumSabre.
It is designed to provide continuous, locally enforced network protection for residential, home office, and small business environments without reliance on cloud-managed services.
Firegate operates as a transparent security gateway positioned between the internet modem and the internal router.
All inspection, enforcement, and decision-making processes occur locally on the device.
2. System Architecture Overview
2.1 Physical Deployment Model
Firegate is deployed inline using the following topology:
Internet
↓
Modem
↓
Firegate
↓
Router
↓
Internal Network Devices
All inbound and outbound traffic must traverse the Firegate device before reaching internal systems.
This ensures consistent inspection and enforcement of security policies.
2.2 Core Components
Firegate consists of:
• Dedicated hardware platform
• Dual network interfaces (WAN/LAN bridge)
• Linux-based hardened operating environment
• Suricata Intrusion Prevention Engine
• DNS enforcement subsystem
• Secure WireGuard update and access subsystem
3. Operating Principles
3.1 Inline Traffic Inspection
Firegate operates in inline mode, meaning:
• All packets are inspected in real time
• Security rules are applied before forwarding
• Malicious traffic can be dropped immediately
Unlike passive monitoring systems, Firegate enforces security decisions directly.
3.2 Intrusion Prevention (IPS)
Firegate uses Suricata in inline IPS mode.
The IPS engine:
• Detects exploit attempts
• Identifies known malicious traffic patterns
• Blocks command-and-control communication
• Prevents access to known harmful destinations
Rule sets are maintained and updated via secure channels.
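As an added illustration of what "Suricata in inline IPS mode" between a WAN and a LAN interface looks like in practice (this is example code, not Firegate's own configuration, which the document does not publish), the following shell function emits a Suricata af-packet section in copy-mode ips: Suricata itself forwards each packet to the peer interface only after the rule engine has passed it, and a packet matched by a drop rule is never copied across. The interface names wan0 and lan0 are assumptions.

```shell
#!/bin/sh
# Added example: generate the af-packet section of suricata.yaml that runs
# Suricata as an inline IPS between two interfaces (assumed names: wan0/lan0).
# With copy-mode ips, Suricata forwards packets between the pair itself; a
# packet matching a "drop" rule is never copied to the peer interface.
gen_afpacket_ips() {
    wan="$1"; lan="$2"
    cat <<EOF
af-packet:
  - interface: ${wan}
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: ${lan}
  - interface: ${lan}
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: ${wan}
EOF
}

# Sanity check a generated section: both interfaces must be in ips mode and
# each must name the other as its copy-iface, otherwise traffic is either
# inspected but never forwarded, or forwarded without enforcement.
check_afpacket_ips() {
    cfg="$1"; wan="$2"; lan="$3"
    n_ips=$(printf '%s\n' "$cfg" | grep -c 'copy-mode: ips')
    [ "$n_ips" -eq 2 ] || return 1
    printf '%s\n' "$cfg" | grep -q "copy-iface: ${lan}" || return 1
    printf '%s\n' "$cfg" | grep -q "copy-iface: ${wan}" || return 1
}
# usage: gen_afpacket_ips wan0 lan0 >> /etc/suricata/suricata.yaml
#        suricata -c /etc/suricata/suricata.yaml --af-packet
```

Only rules whose action is drop actually enforce in this mode; a rule with action alert is logged and the packet is still forwarded.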
3.3 DNS Enforcement Model
Firegate enforces DNS-level control by:
• Intercepting outbound DNS requests
• Redirecting queries from devices with hard-coded DNS server settings to the local resolver
• Preventing bypass via public DNS servers
This ensures that filtering policies cannot be easily circumvented by endpoint configuration changes.
DNS control is fundamental to maintaining consistent policy enforcement, particularly in family and controlled environments.
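The enforcement model above, as an added example rather than Firegate's own ruleset: an nftables table that redirects any LAN DNS query addressed to an outside server back to the appliance's local resolver, plus a mirror of that decision in a small shell function so the policy can be regression-checked. Assumed and not from the document: the LAN-facing interface is lan0, the filtering resolver is reachable at 10.0.0.1, and LAN traffic passes through the kernel netfilter path (a routed deployment, or a bridge with br_netfilter enabled).

```shell
#!/bin/sh
# Added example: nftables ruleset for the DNS enforcement model described above.
# Assumptions (not from the Firegate documentation): the LAN-facing interface
# is "lan0", the appliance runs its own filtering resolver at RESOLVER, and the
# kernel sees LAN traffic in the netfilter path.
gen_dns_enforcement() {
    lan="$1"; resolver="$2"
    cat <<EOF
table inet dns_enforce {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Clients that ignore the DHCP-supplied resolver and hard-code a
        # public DNS server (e.g. 8.8.8.8) are redirected to the local one.
        iifname "${lan}" udp dport 53 ip daddr != ${resolver} counter dnat ip to ${resolver}
        iifname "${lan}" tcp dport 53 ip daddr != ${resolver} counter dnat ip to ${resolver}
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # DNS-over-TLS cannot be redirected transparently, so it is refused
        # to keep the port-53 redirect from being bypassed.
        iifname "${lan}" tcp dport 853 counter reject with tcp reset
    }
}
EOF
}
# Check syntax first: gen_dns_enforcement lan0 10.0.0.1 | nft -c -f -
# Load:               gen_dns_enforcement lan0 10.0.0.1 | nft -f -

# Mirror of the ruleset's decision for one LAN flow; prints redirect, reject
# or pass. Useful for regression checks when the policy is changed.
dns_verdict() {
    iface="$1"; proto="$2"; dport="$3"; daddr="$4"; lan="$5"; resolver="$6"
    [ "$iface" = "$lan" ] || { echo pass; return; }
    if [ "$dport" = 53 ] && [ "$daddr" != "$resolver" ]; then echo redirect
    elif [ "$proto" = tcp ] && [ "$dport" = 853 ]; then echo reject
    else echo pass; fi
}
```

DNS-over-HTTPS is indistinguishable from ordinary HTTPS at the port level, so a port-based redirect does not cover it; that bypass has to be handled by the resolver or the IPS blocking known DoH endpoints.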
3.4 Local Processing Model
All traffic inspection and log generation occur locally on the device.
Firegate does not:
• Stream network telemetry to cloud providers
• Share browsing activity with third parties
• Depend on external analytics platforms
Security decisions are executed on-device.
This architecture preserves privacy and reduces external attack surface.
4. Access Control Model
Firegate supports a dual-mode access structure.
4.1 Protected Mode (Default)
In protected mode:
• DNS filtering policies are enforced
• Malicious and harmful domains are blocked
• VPN and Tor access may be restricted
• Bypass attempts are intercepted
This mode is suitable for families and controlled environments.
4.2 Controlled Unrestricted Mode
Authorised users may connect via a secure WireGuard tunnel to access unrestricted internet connectivity.
This model allows:
• Administrative override capability
• Secure remote access
• Controlled separation between restricted and unrestricted usage
Access credentials are generated and managed securely.
5. Update and Maintenance Model
Firegate receives periodic updates via a secure WireGuard update channel.
Update process characteristics:
• Encrypted transport
• Authenticated endpoints
• Controlled rule updates
• Operating system security patches
If the update channel is unavailable, the device continues operating with existing policies.
Protection does not depend on constant cloud connectivity.
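To make the update-channel properties concrete (encrypted transport and authenticated endpoints come from WireGuard's keyed handshake; "controlled" comes from how narrowly the tunnel is routed), here is an added example of a wg-quick configuration for such a channel. It is not Firegate's configuration: keys are placeholders, and the tunnel addresses 10.200.0.1/10.200.0.2 and the endpoint are constructed for illustration.

```shell
#!/bin/sh
# Added example: wg-quick configuration for an appliance update tunnel.
# Keys, addresses and endpoint are placeholders; the real values are not in
# the Firegate documentation. The point is AllowedIPs: only the update
# server's tunnel address is routed in, so the tunnel carries updates and can
# never become the device's default route.
gen_update_tunnel() {
    update_srv="$1"    # tunnel-side address of the update server, e.g. 10.200.0.1
    endpoint="$2"      # public endpoint host:port
    cat <<EOF
[Interface]
PrivateKey = <DEVICE_PRIVATE_KEY_PLACEHOLDER>
Address = 10.200.0.2/32
# No DNS= line: device name resolution stays local (see section 3.4).

[Peer]
# The peer's public key is what authenticates the update endpoint.
PublicKey = <UPDATE_SERVER_PUBLIC_KEY_PLACEHOLDER>
PresharedKey = <PRESHARED_KEY_PLACEHOLDER>
Endpoint = ${endpoint}
# Least privilege: "AllowedIPs = 0.0.0.0/0" here would route all device
# traffic through the vendor, contrary to the local processing model.
AllowedIPs = ${update_srv}/32
PersistentKeepalive = 25
EOF
}

# Reject a config whose peer AllowedIPs would capture anything beyond the
# update server (a second AllowedIPs line also fails the comparison).
check_update_tunnel() {
    cfg="$1"; update_srv="$2"
    allowed=$(printf '%s\n' "$cfg" | sed -n 's/^AllowedIPs *= *//p')
    [ "$allowed" = "${update_srv}/32" ]
}
# usage: gen_update_tunnel 10.200.0.1 updates.example.net:51820 > /etc/wireguard/wg-update.conf
```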
6. Security Boundaries and Limitations
Firegate provides network-layer protection.
It does not:
• Replace endpoint antivirus software
• Entirely prevent malicious software that users install on their own devices
• Protect devices outside the network unless connected via VPN
Firegate should be considered a network enforcement layer within a broader security posture.
7. Intended Deployment Environments
Firegate is designed for:
• Residential broadband connections
• Home office networks
• Gamer households
• Small businesses requiring simple inline protection
It is compatible with ISP-provided routers and third-party routers when deployed inline.
8. Design Philosophy
Firegate is built on the following principles:
• Local enforcement over cloud dependency
• Deterministic policy control
• Transparent inline architecture
• Minimal user configuration requirements
• Privacy-preserving operation
The system prioritises security consistency over feature complexity.
9. Summary
Firegate™ is a locally enforced inline network security gateway designed to provide continuous protection without cloud-managed infrastructure.
By combining intrusion prevention, DNS enforcement, and controlled access models within a dedicated hardware platform, Firegate delivers consistent network-layer protection suitable for modern residential and small business environments.
