The case for web filtering and web application firewalls: security | productivity | liability.


Risk Level: MODERATE

Internal threats now represent more than 60% of the risk to company data, 40% coming from hackers.

Type of Threat:

Web applications and web-enabled mobile devices for convenience is a green-field frontier for hackers. Corporate defenses were never designed to block web – they just allow port 80 and block playboy.com. Ok we’re way beyond security of 1998, so now we must re-look at our gateway devices and require them to control the most important aspects of our company, including web application access, usage, monitoring, website visits, reporting and more. We can no longer standby and hope our CRM access, our database, email and more is secure.

Why this is so important:

Convenience has driven faster than our security policies. Internal threats now represent more than 60% of the risk to company data, 40% coming from hackers. We must remember internal threats are dangerous for three main reasons;

  1. We trust them (authorized users)
  2. We don’t typically monitor them
  3. We give them access to everything.

End users and executives alike have a limited time with an organization. The best practice is to realize that loyalty is not what it used to be, and to get serious about a policy, then employ technology to ensure the data and assetts are protected. When people are conntected to the web or even their web mail, the natural belief is they can “send” important documents to their home email, from their home email, to “work” on it remote. That activity just lost your entire database of customers. Hopefully they dont work for a competitor in the future….

Liability has gone up? You bet!

Giving someone an ipad is enough to cause liability. Imagine them at home accessing things they should not with a copmany resources. Guess who’s fault it is? Yup – it’s the companies. Now imagine an employee downloading music and movies on a corporate owned system through open ports the traditional firewall/filter combos cant block. Again it’s the fault of the company. The third point brings up someone losing their laptop, which happens to have customer information. This happens all the time and brings hundreds of thousands of liability dollars, apologies, letters of shame, identity theft issues and more. Again, the companies responsibility and liability.

How to mitigate:

A couple easy ways; First you need a usage policy defining what can be accessed and what is inappropriate (BorderLAN can help with this template), Second a smart filter that monitors, reports and blocks inappropriate access both ON network AND OFF network on company devices or even personal devices. Third is to outline a web -app policy and procure a device to manage those apps. Think of it as a interal facing web-app firewall.

Technical Recommendations:

We recommend Appliance based Web Filtering with capabilities of controlling IPAD’s and mobile iDevices. We recommend Web Application Firewall appliances to mitigate and enforce usage policies on apps that are accessing critical and confidential data. BorderLAN can help consult with and size these appliances for your organization.

A switch from SonicWall – gateProtect


Security on an international level: Ameropa protects its global business with gateProtect

The Swiss company Ameropa AG was founded in 1948 and trades on an international basis. It currently manages the business of 22 Sectors located throughout the world from its headquarters in Binningen near Basel and is steadily expanding on all continents. Ameropa AG, which is not stockmarket listed, sees organic growth as instrumental in achieving this. Its core business is global trade in cereals and artificial fertilisers and also in petrochemicals and metals. Around 2,300 people work for the company, many of them in the field.

At the Ameropa headquarters in Binningen in Switzerland, administration of IT security is outsourced to the German service provider Computer Löwe. „In 2003, we put out 2 calls for tenders: for the replacement of the SonicWALL solution and an upgrade of the security infrastructure at Ameropa‘s international locations. In a direct comparison between SonicWALL and gateProtect, the Hamburg supplier clearly came out on top,“ says Markus Keller, Managing Director of Computer Löwe„This was mainly because the gateProtect firewall is so easy to operate, but also because SonicWALL were unable to offer German-speaking support.“ The intuitive and process-oriented front-end to the gateProtect administration client, the ergonomic Graphic User Interface (eGUI®), is the reason why it is so easy to operate.

The project has grown steadily over the last five years. Two gateProtect GPA 400 solutions have been implemented at Ameropa headquarters and guarantee high availability and failure safety. The foreign branches have acquired four GPA 250 and four GPO 125 solutions, which can be maintained remotely; however, the administrator can also make changes to the configuration locally, as required.


As operation has been trouble-free, the gateProtect implementation is being steadily extended. For example, there are plans to deploy more gateProtect solutions at the locations in the UK, Brazil and the Czech Republic. The existing Cisco VPN solution is also set to be replaced by the equivalent gateProtect product.

Security as a service: managed Security from gateProtect leased to start-up companies


The Research and Development Centre (Forschungs- & Entwicklungszentrum) Witten GmbH is a service provider for innovative start-ups with five to fifteen employees. FEZ undertakes its main functions (management consulting, provision of infrastructure and technology transfer) in close collaboration with the University of Witten/Herdecke, with sponsors of business in the region and with partners from other regions. Currently, 57 companies with around 150 employees work in the FEZ.

One of the most important of the services provided by FEZ is making a modern infrastructure available. The basic equipment includes a powerful data network with a 100 Mbit/sec direct connection to the backbone. The data network is managed by an external IT service provider. In order to protect the intellectual property of the tenants, FEZ offers a security service in the form of a firewall to safeguard their corporate networks.

Since the beginning of 2007, FEZ has implemented version 8.0 of the GPX 800 UTM solution from gateProtect, currently licensed for 100 users. The firewall divides the network into 40 subnetworks, using the VLAN functionality that became available with version 8.

The gateProtect firewall has been running reliably and with practically no interruptions since it was launched. The neutrality of the gateProtect solution regarding the hardware and software platforms used behind the firewall should also be highlighted.

With the implementation presenting no problems so far, e-Systems is campaigning at FEZ for the gateProtect appliance to be used as a UTM solution. For example, virus protection on the gateway would be offered to the tenants as an additional service.

On top of that, it is planned to protect a second start-up centre with the implemented gateProtect solution. This is the Zahnbiologische Zentrum (ZBZ), the most modern dental biology institute in Europe, which is under construction opposite FEZ and is almost complete. To allow this, it is merely necessary to increase the number of licensed users on the existing gateProtect appliance because, according to Christoph Weimann, the potential of the GPX 800 is by no means exhausted.



AREVA Wind develops, constructs and installs high-efficiency 5 MW wind energy systems specially designed for offshore operation and also commissions them. AREVA Wind also offers installation services as well as short- and longterm service plans to ensure an optimal energy generation capacity at sea.

The next-generation firewalls by gateProtect have been previously successfully used by the mother company of AREVA Wind. AREVA Wind was especially pleased with the easy operation of the eGUI®, the ergonomic graphic user interface which has won many awards. The process-orientated user interface allows for particularly easy management of the entire network configuration. This is visually presented in its totality along with the active services. In addition, the display always only provides exactly the information which the relevant user requires for processing. This does away with the protracted, error-prone input of codes and commands while switching between various screens and views. The network can be really easily set up and managed by using mouse clicks and the drag&drop function. The immediate visual feedback of the eGUI® thus not only increases the effective security of the system, but also saves a lot of time and money.

AREVA Wind currently makes use of ten next-generation UTM firewalls by gateProtect – including the GPO 75, the GPA 250, the GPA 400 and the GPX 800. Two virtual firewall appliances – the VMX 1000 – are being used at sea, while two virtual appliances – the VMA 400 – have been installed in the wind farms on land, linking them to headquarters via SSL VPN. The GPO 75 and the GPA 250 in turn link two locations. In addition, approximately 150 service technicians and developers are linked to each SSL VPN. A solution has also been found for the many constantly changing service workers who only require safe, encoded access on a temporary basis. This simultaneously makes use of monitored certificates for up to 100 clients in parallel.

AREVA Wind would find it difficult to do without the gateProtect firewalls. It is especially the uncomplicated way of working directly with the manufacturer that appealed to this customer. „gateProtect has a very friendly and competent team that offers long-term solutions, even to difficult problems,“ says Martin Burgholte. AREVA Wind will certainly be making use of gateProtect solutions in future. The introduction of a VPN gateway for SSL clients has been planned, for instance, and any additional onshore and offshore wind farms will, of course, be equipped with a gateProtect HA cluster.

Security for the multimedia world: Mediencampus Leipzig relies on gateProtect


Unbeatable flexibility and superior support from gateProtect

Media campus Leipzig, which was opened in 2006, was designed specifically to provide training and professional development in the field of digital media. It makes sound and TV studios and computers available to journalists and media creators for the professional production and editing of multimedia content. As part of the Leipzig Master‘s Programme for Media Studies, the University of Leipzig in cooperation with the University of Applied Sciences (Hochschule für Technik, Wirtschaft und Kultur) in Leipzig and the Media Foundation of the Leipzig Savings Bank offers three courses at Master‘s level: Web Content Management (web journalism and content management), Crossmedia Publishing (CMP) and New Media Journalism (NMJ). In order to ensure that the courses reflect real practice as much as possible, the teaching staff is drawn from various universities and from the media.

During the construction work on the new media campus, tenders for various IT projects were put out, including a firewall project. The latter was intended to serve the segmentation of the in-house network infrastructure into three areas and their protection from unauthorised or harmful access from outside.

The Solution
A gateProtect GPX 800 Enterprise solution was installed and configured in just half a day. Whilst the employees‘ internal network is sealed off like the IT infrastructure of a bank, the students have unrestricted access to the Internet per WLAN and can send and receive e-mails.In the meantime, the internal network for the building‘s control systems has been safeguarded with the gateProtect UTM solution; technicians such as sound engineers frequently have to access this from outside. „As we have had practically no system problems, I can concentrate fully on the administration itself, even though our company headquarters are around 100 kilometres from the Mediencampus. Around 90% of my work consists of changes to configurations, in order to authorise access to network ports for example, the remainder involves firmware updates.“

„It is not an exaggeration to say that the support offered by gateProtect is unparalleled. The service levels are not merely writing on a piece of paper, which is the case with many other suppliers, but you can rely on the company to keep to them. Working with gateProtect, we have been able to solve every problem within two hours,“ says Heiko Pälecke.

Solidarity meets security: Johanniter Unfallhilfe protects its data and applications with gateProtect


gateProtect provides central security in the virtual network of the North Rhine-Westphalia association

The Johanniter-Unfall-Hilfe e.V. is part of the Protestant Order of St. John. It is involved in various social and charitable activities ranging from outpatient care for the elderly to working with children and young people to aid projects on an international scale. In Germany alone, the Johanniter-Unfall-Hilfe e.V. has around 8,500 permanent employees, more than twice as many volunteers and over a million members providing financial support.

The North Rhine-Westphalia regional association based in Cologne is one of the largest in the national Johanniter association. The organisation manages 15 of the total of 60 retirement homes throughout Germany and four of the fifteen Johanniter hospitals. There are also dozens of day nurseries for children, emergency services and domestic services such as Meals on Wheels.

Security requirements
Decentralising the use of central IT resources helps to cut costs and improve productivity. This applies particularly to sectors such as social services, which are growing quickly, but must withstand the huge pressure of rising costs. The North Rhine-Westphalia regional Johanniter association decided therefore to allow as many users from the branch offices as possible to access data and applications at headquarters in Cologne. As this is sensitive personal data, data protection was given the highest priority when the retirement homes and seven other sites were linked in via VPN. And, as the users also need Internet and e-mail communication, the firewall had to offer more functionality such as virus protection, spam protection and content/web filtering like a UTM solution.

The GPX 800 solution from gateProtect has been in operation successfully since 2003. Since then, the retirement homes and other sites have been connected by VPN to the central network and employees can use data and applications from headquarters. When senior regional association managers are on the road, they can also access the IT resources in Cologne, which is where most of the IT infrastructure is located. Approximately 50 users have access to core applications such as management software for outpatient care and homes, bookkeeping software, programmes for planning menus and excursions etc. The hardware – servers, desktop PCs, Notebooks etc. – is all supplied by Hewlett Packard. Only the head office has its own IT department; the other sites are supported by external IT administrators as required.

Copyright © 2012 BorderLAN. All rights reserved.
Privacy policy | Terms of service
Find us on Google+