Security Architecture

Purpose of This Document

This document describes the internal security architecture of the Firegate™ inline network protection system.

It explains how traffic is inspected, how enforcement is applied, and how management connectivity is isolated from the inspection path.

For deployment steps, see the Installation Guide.

1. Architectural Overview

Firegate is designed as a dedicated inline intrusion prevention system (IPS).

The device is positioned physically between the internet modem and the router. All traffic entering or leaving the protected network traverses the device before reaching internal systems.

Firegate does not act as a gateway and does not replace the router.

2. Inline Inspection Model

2.1 Dual-Interface Inline Design

Firegate uses two dedicated network interfaces for inline inspection:

  • Internet IN (from modem)
  • Internet OUT (to router)

These interfaces:

  • Do not hold IP addresses
  • Are not directly addressable
  • Do not provide management services
  • Are not exposed to the local network

Traffic passes between these interfaces where it is inspected in real time.

This design reduces attack surface compared to traditional gateway firewalls.

2.2 AF_PACKET Inline IPS

Firegate uses Suricata operating in AF_PACKET inline IPS mode.

In this configuration:

  • Packets are captured at the network interface level.
  • Inspection occurs before traffic is forwarded.
  • Malicious or policy-violating packets are dropped immediately.
  • Allowed traffic is passed through to the router.

This method enables inline enforcement without requiring:

  • Linux bridge interfaces
  • IP routing between interfaces
  • NAT functionality
  • Gateway replacement

3. Traffic Enforcement Layers

3.1 Intrusion Prevention (IPS)

The IPS engine performs:

  • Signature-based detection
  • Exploit attempt blocking
  • Command-and-control traffic detection
  • Known malicious destination blocking
  • Protocol anomaly inspection

Packets matching blocking rules are dropped inline.

3.2 DNS Enforcement

Firegate enforces DNS policy by intercepting outbound DNS traffic traversing the inline interfaces.

This prevents:

  • Hard-coded external DNS bypass attempts
  • Use of alternative public DNS servers to avoid filtering
  • Policy circumvention through local device configuration

DNS enforcement operates at the network level and does not rely on endpoint configuration.

4. Management & Update Isolation

4.1 Dedicated Update Interface

Firegate includes a separate management interface used exclusively for secure update connectivity.

This interface:

  • Holds an IP address
  • Has outbound internet access
  • Is not part of the inline traffic path

The inspection path and management path are physically separated.

4.2 Outbound-Only Connectivity

Firegate establishes encrypted outbound connections to authorised QuantumSabre update infrastructure.

The system:

  • Does not expose inbound remote administration services
  • Does not require port forwarding
  • Does not require public IP exposure
  • Does not provide a public management interface

All update communication is outbound and encrypted.

5. Security Boundaries

Firegate operates at the network layer.

It provides:

  • Inline traffic inspection
  • Network-level threat blocking
  • DNS-based enforcement
  • Controlled update connectivity

Firegate does not:

  • Replace endpoint antivirus
  • Prevent user-initiated downloads of unknown software
  • Protect devices outside the network unless connected via authorised VPN pathways

It should be considered a perimeter enforcement device within a layered security strategy.

6. Attack Surface Reduction

Firegate reduces attack surface through:

  • IP-less inline inspection interfaces
  • Absence of gateway routing functionality
  • No local administrative web interface
  • No exposed inbound services
  • Separation of inspection and management paths

This architecture limits direct interaction with the inspection engine from internal or external networks.

7. Design Philosophy

Firegate is built on the following principles:

  • Inline enforcement over passive monitoring
  • Minimal exposed services
  • Separation of inspection and management functions
  • Outbound-only update communication
  • Deterministic behaviour without cloud-managed dashboards

The system prioritises predictable enforcement and reduced attack surface.

8. Summary

Firegate operates as an inline IPS appliance using Suricata AF_PACKET technology to inspect traffic between modem and router.

Its inspection interfaces are intentionally non-addressable, and management connectivity is isolated via a dedicated update interface.

This design delivers network-level protection while maintaining a minimal exposed surface and avoiding gateway replacement.