VPN & Access Model

Purpose of This Document

This document explains how Firegate™ uses encrypted connectivity for updates and controlled access workflows, while maintaining isolation from the inline inspection path.

For architectural details, see Security Architecture.

1. Connectivity Philosophy

Firegate is designed with a minimal exposure model.

The device does not expose:

  • Public administrative services
  • Inbound remote access ports
  • Web management interfaces
  • Cloud-based dashboards

All management connectivity is outbound and encrypted.

2. Outbound WireGuard Connectivity

Firegate uses WireGuard to establish secure outbound connections to authorised QuantumSabre infrastructure.

This channel may be used for:

  • Rule updates
  • System updates
  • Maintenance workflows
  • Controlled policy distribution

The connection is:

  • Initiated from the Firegate device
  • Encrypted end-to-end
  • Authenticated using cryptographic keys
  • Not dependent on inbound port forwarding

3. No Inbound Remote Administration

Firegate does not:

  • Accept inbound VPN connections from the internet
  • Provide remote shell access to external users
  • Expose administrative APIs publicly
  • Require router port forwarding

The system’s inspection interfaces remain non-addressable.

4. DNS Enforcement & Access Control

Firegate enforces DNS-level control within the inline traffic path.

This prevents:

  • Bypass attempts using external DNS resolvers
  • Circumvention of filtering policies through local device configuration

Access control is applied at the network level, not through device-level agents.

5. Separation of Inspection and Management

Firegate maintains architectural separation between:

  • Inline inspection interfaces (traffic path)
  • Management/update interface (control path)

This prevents management services from interacting directly with the inspection interfaces.

6. Security Characteristics

The access model ensures:

  • No exposed inbound attack surface
  • No public-facing administrative services
  • Encrypted outbound update connectivity
  • Controlled and isolated management channel

This reduces risk compared to traditional gateway firewalls that expose management interfaces on LAN or WAN.

7. Summary

Firegate’s VPN and access model is designed around outbound-only encrypted connectivity.

The device does not expose inbound remote administration and does not require port forwarding.

Inspection and management functions remain isolated to reduce attack surface and maintain predictable behaviour.