Security Architecture
Purpose of This Document
This document describes the internal security architecture of the Firegate™ inline network protection system.
It explains how traffic is inspected, how enforcement is applied, and how management connectivity is isolated from the inspection path.
For deployment steps, see the Installation Guide.
1. Architectural Overview
Firegate is designed as a dedicated inline intrusion prevention system (IPS).
The device is positioned physically between the internet modem and the router. All traffic entering or leaving the protected network traverses the device before reaching internal systems.
Firegate does not act as a gateway and does not replace the router.
2. Inline Inspection Model
2.1 Dual-Interface Inline Design
Firegate uses two dedicated network interfaces for inline inspection:
- Internet IN (from modem)
- Internet OUT (to router)
These interfaces:
- Do not hold IP addresses
- Are not directly addressable
- Do not provide management services
- Are not exposed to the local network
Traffic passes between these interfaces, where it is inspected in real time.
This design reduces attack surface compared to traditional gateway firewalls.
2.2 AF_PACKET Inline IPS
Firegate uses Suricata operating in AF_PACKET inline IPS mode.
In this configuration:
- Packets are captured at the network interface level.
- Inspection occurs before traffic is forwarded.
- Malicious or policy-violating packets are dropped immediately.
- Allowed traffic is passed through to the router.
This method enables inline enforcement without requiring:
- Linux bridge interfaces
- IP routing between interfaces
- NAT functionality
- Gateway replacement
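As an added illustration (not configuration taken from the Firegate product or its documentation), the following suricata.yaml fragment shows how the two-interface AF_PACKET IPS pairing described above is expressed; the interface names eth1 (Internet IN) and eth2 (Internet OUT) are assumed.

```yaml
# Added illustrative suricata.yaml fragment; not Firegate's shipped configuration.
# Assumed names: eth1 = Internet IN (modem side), eth2 = Internet OUT (router side).
# Neither interface carries an IP address. Suricata copies every frame it does not
# drop from one interface to its peer, so no bridge, routing or NAT is involved.
af-packet:
  - interface: eth1          # frames arriving from the modem
    threads: 1               # must match the thread count of the peer interface
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips           # inline: a frame is re-emitted only after a verdict
    copy-iface: eth2         # allowed frames are copied toward the router
    use-mmap: yes
    tpacket-v3: no           # TPACKET_V3 cannot be used with copy-mode ips
    buffer-size: 64535
  - interface: eth2          # frames arriving from the router (return direction)
    threads: 1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: eth1         # allowed frames are copied toward the modem
    use-mmap: yes
    tpacket-v3: no
    buffer-size: 64535

# Enforcement depends on rules using the "drop" action: a matching frame is
# discarded before it reaches copy-iface, while an "alert" rule only logs it
# and still lets it through.
```

The two interfaces only need to be brought up (for example with `ip link set eth1 up`) with no address assigned; Suricata places them in promiscuous mode itself, which is what keeps them non-addressable from either side of the inline path.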
3. Traffic Enforcement Layers
3.1 Intrusion Prevention (IPS)
The IPS engine performs:
- Signature-based detection
- Exploit attempt blocking
- Command-and-control traffic detection
- Known malicious destination blocking
- Protocol anomaly inspection
Packets matching blocking rules are dropped inline.
3.2 DNS Enforcement
Firegate enforces DNS policy by intercepting outbound DNS traffic traversing the inline interfaces.
This prevents:
- Hard-coded external DNS bypass attempts
- Use of alternative public DNS servers to avoid filtering
- Policy circumvention through local device configuration
DNS enforcement operates at the network level and does not rely on endpoint configuration.
4. Management & Update Isolation
4.1 Dedicated Update Interface
Firegate includes a separate management interface used exclusively for secure update connectivity.
This interface:
- Holds an IP address
- Has outbound internet access
- Is not part of the inline traffic path
The inspection path and management path are physically separated.
4.2 Outbound-Only Connectivity
Firegate establishes encrypted outbound connections to authorised QuantumSabre update infrastructure.
The system:
- Does not expose inbound remote administration services
- Does not require port forwarding
- Does not require public IP exposure
- Does not provide a public management interface
All update communication is outbound and encrypted.
5. Security Boundaries
Firegate operates at the network layer.
It provides:
- Inline traffic inspection
- Network-level threat blocking
- DNS-based enforcement
- Controlled update connectivity
Firegate does not:
- Replace endpoint antivirus
- Prevent user-initiated downloads of unknown software
- Protect devices outside the network unless connected via authorised VPN pathways
It should be considered a perimeter enforcement device within a layered security strategy.
6. Attack Surface Reduction
Firegate reduces attack surface through:
- IP-less inline inspection interfaces
- Absence of gateway routing functionality
- No local administrative web interface
- No exposed inbound services
- Separation of inspection and management paths
This architecture limits direct interaction with the inspection engine from internal or external networks.
7. Design Philosophy
Firegate is built on the following principles:
- Inline enforcement over passive monitoring
- Minimal exposed services
- Separation of inspection and management functions
- Outbound-only update communication
- Deterministic behaviour without cloud-managed dashboards
The system prioritises predictable enforcement and reduced attack surface.
8. Summary
Firegate operates as an inline IPS appliance using Suricata AF_PACKET technology to inspect traffic between modem and router.
Its inspection interfaces are intentionally non-addressable, and management connectivity is isolated via a dedicated update interface.
This design delivers network-level protection while maintaining a minimal exposed surface and avoiding gateway replacement.
