This approach offers an increased measure of protection against internal threats as well as conventional Internet security concerns. You can update, configure and monitor the firewall and VPN connectivity of a workstation or server from any web browser. In the event of a breach, you have complete control over individual PCs' access policies independent of the host PC's operating system, even if the system has been subverted and is denying normal administrator access.
All network filtering and the potentially CPU-intensive cryptographic processing are handled entirely by the CyberGuard SG appliance. This has the advantage over the traditional approach of a
Bridged mode
By default, the CyberGuard SG PCI appliance operates in bridged mode. This is distinctly different from the NAT/masquerading behavior of the CyberGuard SG gateway appliance range.
In bridged mode, the CyberGuard SG appliance uses two IP addresses. Note that these addresses are both in the same range as the LAN, as no NAT/masquerading is being performed (see the chapter entitled Firewall for more information).
One IP address is used to manage the CyberGuard SG appliance via the Web Management Console web administration pages.
The other is the host PC's IP address, configured through the host operating system exactly as for a regular NIC. This is the IP address that other PCs on the LAN see. It should be dynamically (DHCP) or statically configured to use the same gateway, DNS and other settings as a regular PC on the LAN.
It is possible to configure the CyberGuard SG PCI appliance to run in NAT mode. This is discussed in the chapter entitled Network Connections.
Secure by default
By default, all CyberGuard SG appliances run a fully secured stateful firewall. This means that, from the PC it is plugged into, most network resources are freely accessible. However, any services that the PC provides, such as file shares or web services (e.g. IIS), will not be visible to the general office LAN without further configuration of the CyberGuard SG appliance. For details on how services on the host PC can be made available to the general office LAN, see the section Allowing individual ports in bridged mode at the end of the chapter entitled Firewall.
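The following is an added illustration, not the appliance's firmware or configuration: a small Python model of the bridged-mode "secure by default" policy described above, showing why a host-initiated connection and its replies pass while an unsolicited LAN connection to a host service is dropped until that port is explicitly allowed. The host address, the LAN peers and the port numbers are constructed sample values.

```python
"""Toy model of the CyberGuard SG bridged-mode default policy (constructed
illustration): host-initiated flows and their replies are accepted, while
unsolicited inbound traffic to host services is dropped unless the port
has been explicitly allowed."""
from dataclasses import dataclass, field

HOST_IP = "192.168.1.20"   # assumed host PC address, in the LAN's own range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class BridgedFirewall:
    host_ip: str
    allowed_ports: set = field(default_factory=set)  # (proto, port) opened deliberately
    _flows: set = field(default_factory=set)         # host-initiated 5-tuples (state table)

    def filter(self, pkt: Packet) -> str:
        if pkt.src_ip == self.host_ip:
            # Outbound from the host: record the flow so replies match statefully.
            self._flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ACCEPT"
        reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_key in self._flows:
            return "ACCEPT"   # reply to a connection the host opened
        if pkt.dst_ip == self.host_ip and (pkt.proto, pkt.dst_port) in self.allowed_ports:
            return "ACCEPT"   # service the administrator chose to expose to the LAN
        return "DROP"         # unsolicited inbound: host services stay hidden


def demo() -> dict:
    """Walk through the default policy with constructed LAN traffic."""
    fw = BridgedFirewall(HOST_IP)
    results = {}
    results["host_to_web"] = fw.filter(Packet(HOST_IP, 51000, "192.168.1.1", 80))
    results["web_reply"] = fw.filter(Packet("192.168.1.1", 80, HOST_IP, 51000))
    results["lan_to_smb"] = fw.filter(Packet("192.168.1.30", 40000, HOST_IP, 445))
    fw.allowed_ports.add(("tcp", 80))   # e.g. make IIS on the host visible to the office LAN
    results["lan_to_iis"] = fw.filter(Packet("192.168.1.30", 40001, HOST_IP, 80))
    results["lan_to_smb_after"] = fw.filter(Packet("192.168.1.30", 40002, HOST_IP, 445))
    return results
```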