The BorderGuard 2000 (BG2000) was a packet filter built by Network Systems Group, later acquired by StorageTek. The BorderGuard series of products (BorderGuard 1000, 200, and ATM Atlas) were designed as in-line packet filters that could operate as bridges or routers.
The BG2000 had up to four interface cards, which could be serial, token ring, or Ethernet (AUI at 10 Mbps). It could operate as a router (although it only spoke RIP and static routes), as a bridge, or in "bridgeip" mode (acting as a bridge with some small routing functions).
It booted entirely off of a 3.5" disk drive, although it could then burn the OS into firmware. It had the standard editor; the diskette also contained all relevant configuration files.
The BG2000 had a Data Privacy Facility (DPF) mode, in which it could establish a "sleeve" (VPN) to another BG2000, using asymmetric cryptography to authenticate the other end point, and a fast symmetric algorithm (user selectable) for link encryption. Packets could be placed into these sleeves for secure transmission via the filtering capability.
The BG2000's filtering system was called NetSentry (NS). There were five "filter points" in the system:
- First: All packets would go through the same filter placed here. Most frequently used to log certain packets to an adjacent IDS, such as NetRanger, and to drop known bad packets (e.g., teardrop, Ping Of Death). Also used to place packets into sleeves.
- Incoming: Each interface (including localhost) had its own incoming filter point; packets would go through only the filter on that interface. The WAN interface filter was used for policy filtering (blocking IP spoofing, denying by service and protocol).
- Apply Table: Only useful in routing or "bridgeip" mode (bridgeip became available in 1999 with release 4.11, to allow the apply table to be used in bridging mode). The apply table could take source and destination address blocks (wildcarding was acceptable), and apply a designated filter to traffic between those hosts. This was most frequently used to maintain a large list of addresses and netblocks that were known to be malicious, since it scaled O(log1024 n)*.
- Outgoing: Opposite of Incoming. The local_out, and outgoing to the interface that contained the NetRanger, usually had a stealth filter applied to cause the IDS package to be invisible to network scans.
- Last: A final filter, which all packets go through. Normally used by the NetRanger system to place short-term "shuns" to block traffic to or from a specific host.
The netsentry system could select based on arbitrary bit fields in packets, and then copy, edit, fail, or allow the packet.
*Yes, I am aware that log1024 n is equivalent to log n in order of growth functions.
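To make the five filter points concrete, here is a toy model of the NetSentry pipeline described above, covering both the filter-point ordering and the way the First filter could drop a packet into a DPF sleeve. This is an added illustration, not BG2000 code or its configuration language: the rule syntax, the action names beyond those the text lists (allow, fail, copy, edit), the "unmatched packets are allowed" default, the stealth treatment of the IDS interface, and all addresses are assumptions constructed for the example.

```python
"""Toy model of a NetSentry-style filter pipeline (added example, not BG2000 code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed minimal IPv4 header: version/IHL byte 0x45 followed by zero padding.
IPV4_HDR = b"\x45" + b"\x00" * 19


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"            # "tcp", "udp" or "icmp"
    dport: int = 0
    in_if: str = "wan"            # interface the packet arrived on
    out_if: str = "lan"           # interface it would leave by
    raw: bytes = IPV4_HDR         # header bytes for bit-field selection
    sleeve: Optional[str] = None  # DPF sleeve the packet was placed into, if any
    log: List[str] = field(default_factory=list)  # where copies were sent


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    action: str   # allow | fail | copy | sleeve  (assumed names)
    arg: str = ""


def bitfield(offset: int, mask: int, value: int) -> Callable[[Packet], bool]:
    """Selector on an arbitrary bit field: (raw[offset] & mask) == value."""
    return lambda p: len(p.raw) > offset and (p.raw[offset] & mask) == value


def in_net(attr: str, cidr: str) -> Callable[[Packet], bool]:
    """Selector on packet.src / packet.dst membership in a CIDR block."""
    net = ipaddress.ip_network(cidr)
    return lambda p: ipaddress.ip_address(getattr(p, attr)) in net


def run_filter(rules: List[Rule], p: Packet) -> str:
    """Walk one filter top to bottom. copy and sleeve are non-terminal; the first
    allow or fail decides. Assumption: a packet matching no rule is allowed."""
    for r in rules:
        if not r.match(p):
            continue
        if r.action == "copy":
            p.log.append(r.arg)
        elif r.action == "sleeve":
            p.sleeve = r.arg
        else:
            return r.action
    return "allow"


class ApplyTable:
    """Source/destination block pairs, each with its own filter ('0.0.0.0/0' wildcards)."""
    def __init__(self) -> None:
        self.entries = []

    def add(self, src: str, dst: str, rules: List[Rule]) -> None:
        self.entries.append((ipaddress.ip_network(src), ipaddress.ip_network(dst), rules))

    def lookup(self, p: Packet) -> List[Rule]:
        s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        for sn, dn, rules in self.entries:
            if s in sn and d in dn:
                return rules
        return []


class NetSentry:
    """The five filter points, evaluated in the order the text lists them."""
    def __init__(self) -> None:
        self.first: List[Rule] = []
        self.incoming: Dict[str, List[Rule]] = {}
        self.apply = ApplyTable()
        self.outgoing: Dict[str, List[Rule]] = {}
        self.last: List[Rule] = []

    def shun(self, host: str) -> None:
        """What the IDS does at the Last point: block all traffic to or from a host."""
        self.last.append(Rule(lambda p: host in (p.src, p.dst), "fail"))

    def process(self, p: Packet) -> str:
        for rules in (self.first,
                      self.incoming.get(p.in_if, []),
                      self.apply.lookup(p),
                      self.outgoing.get(p.out_if, []),
                      self.last):
            if run_filter(rules, p) == "fail":
                return "fail"
        return "allow"


def build_demo() -> NetSentry:
    """Constructed policy: addresses and netblocks are illustrative only."""
    ns = NetSentry()
    ns.first = [
        Rule(lambda p: not bitfield(0, 0xF0, 0x40)(p), "fail"),    # IP version nibble != 4
        Rule(lambda p: p.proto == "icmp", "copy", "ids"),           # mirror ICMP to the IDS
        Rule(in_net("dst", "10.20.0.0/16"), "sleeve", "branch"),    # DPF sleeve to partner site
    ]
    ns.incoming["wan"] = [
        Rule(in_net("src", "10.0.0.0/8"), "fail"),                   # anti-spoofing
        Rule(lambda p: p.proto == "tcp" and p.dport == 23, "fail"),  # deny telnet by service
    ]
    ns.apply.add("192.0.2.0/24", "0.0.0.0/0", [Rule(lambda p: True, "fail")])  # known-bad block
    ns.outgoing["ids"] = [Rule(lambda p: True, "fail")]              # stealth: IDS unreachable
    return ns
```

Running `build_demo().process(...)` on a few constructed packets shows the ordering the text implies: a spoofed internal source is stopped at the WAN Incoming point before the apply table is consulted, an ICMP packet is copied to the IDS at First and still forwarded, and a host shunned via `shun()` is blocked at Last regardless of what earlier points decided.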
The BorderGuards are great. I wish StorageTek still made them. I have one in my network at home, very underutilized, but with the most advanced filter set of any BorderGuard in use today.