VPN & Access Model
Purpose of This Document
This document explains how Firegate™ uses encrypted connectivity for updates and controlled access workflows, while maintaining isolation from the inline inspection path.
For architectural details, see Security Architecture.
1. Connectivity Philosophy
Firegate is designed with a minimal exposure model.
The device does not expose:
- Public administrative services
- Inbound remote access ports
- Web management interfaces
- Cloud-based dashboards
All management connectivity is outbound and encrypted.
2. Outbound WireGuard Connectivity
Firegate uses WireGuard to establish secure outbound connections to authorised QuantumSabre infrastructure.
This channel may be used for:
- Rule updates
- System updates
- Maintenance workflows
- Controlled policy distribution
The connection is:
- Initiated from the Firegate device
- Encrypted end-to-end
- Authenticated using cryptographic keys
- Not dependent on inbound port forwarding
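As an added illustration (not Firegate's or QuantumSabre's own code or configuration), the following Python lint checks a WireGuard client config for the properties listed above: no ListenPort on the interface, an explicit Endpoint and PublicKey for each peer so the tunnel is device-initiated and key-authenticated, AllowedIPs scoped to the update infrastructure rather than a default route, and a keepalive so the outbound tunnel survives NAT without port forwarding. The sample config, hostnames, addresses and keys are constructed placeholders.

```python
# Added example (not Firegate/QuantumSabre code): lint a WireGuard client config for outbound-only properties.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.20.0.7/32

[Peer]
PublicKey = <placeholder-server-public-key>
Endpoint = updates.example.invalid:51820
AllowedIPs = 10.20.0.1/32
PersistentKeepalive = 25
"""

def parse_wg(text):
    """Minimal INI-style parser: returns a list of {"_name": section, key: value}."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_name": line[1:-1]}
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_outbound_only(text):
    """Return findings that contradict the outbound-only model; [] means compliant."""
    findings = []
    sections = parse_wg(text)
    for s in sections:
        if s["_name"] == "Interface" and "ListenPort" in s:
            findings.append("Interface sets ListenPort: device would accept inbound handshakes")
    peers = [s for s in sections if s["_name"] == "Peer"]
    if not peers:
        findings.append("no [Peer] section: nothing for the device to dial out to")
    for i, p in enumerate(peers):
        if "Endpoint" not in p:
            findings.append(f"peer {i}: no Endpoint, tunnel cannot be initiated from the device")
        if "PublicKey" not in p:
            findings.append(f"peer {i}: no PublicKey, peer is not key-authenticated")
        allowed = [a.strip() for a in p.get("AllowedIPs", "").split(",") if a.strip()]
        if not allowed or any(a in ("0.0.0.0/0", "::/0") for a in allowed):
            findings.append(f"peer {i}: AllowedIPs missing or default route; scope it to update hosts")
        if "PersistentKeepalive" not in p:
            findings.append(f"peer {i}: no PersistentKeepalive; NAT mapping may expire and drop tunnel")
    return findings
```

Run `check_outbound_only` over the device's real config; an empty list means the tunnel is dial-out, key-authenticated and scoped, while any finding names the property that departs from the model.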
3. No Inbound Remote Administration
Firegate does not:
- Accept inbound VPN connections from the internet
- Provide remote shell access to external users
- Expose administrative APIs publicly
- Require router port forwarding
The system’s inspection interfaces remain non-addressable.
4. DNS Enforcement & Access Control
Firegate enforces DNS-level control within the inline traffic path.
This prevents:
- Bypass attempts using external DNS resolvers
- Circumvention of filtering policies through local device configuration
Access control is applied at the network level, not through device-level agents.
5. Separation of Inspection and Management
Firegate maintains architectural separation between:
- Inline inspection interfaces (traffic path)
- Management/update interface (control path)
This prevents management services from interacting directly with the inspection interfaces.
6. Security Characteristics
The access model ensures:
- No exposed inbound attack surface
- No public-facing administrative services
- Encrypted outbound update connectivity
- Controlled and isolated management channel
This reduces risk compared to traditional gateway firewalls that expose management interfaces on LAN or WAN.
7. Summary
Firegate’s VPN and access model is designed around outbound-only encrypted connectivity.
The device does not expose inbound remote administration and does not require port forwarding.
Inspection and management functions remain isolated to reduce attack surface and maintain predictable behaviour.
