In this section, we provide an overview of the software bundles that are available for AXS Guard. See our software feature overview for a detailed explanation of all software options listed below or click on a specific option in the table for additional information.
|AXS Guard Security Extensions: Term License per User per Year|
|AXS Guard Remote Workspace|
|Clientless HTML5 browser-based VPN|
Included with your license and continuously updated as part of a yearly license renewal.
Requires a yearly service subscription.
* Requires an additional bare metal or virtual appliance.
** Requires hardware or software tokens.
The AXS Guard Cloud is an essential tool for our partners and their employees.
- Register and activate new appliances on the fly.
- Contract and license management: the administrative section of the cloud platform provides a clear overview of all deployed systems, their license status, activated features and much more.
- Remote troubleshooting and systems management: via the technical section of the platform, authorized employees can securely log in to the appliances of customers and assist them as needed.
The configuration wizards are a user-friendly way to configure your appliance step by step and allow you to carefully review and tweak system settings, for example:
- Setup wizard: Create a new administrator, configure essential system settings and network devices.
- License wizard: Enter your customer information, register online and upload your license to bring your appliance to fully operational, in-service status.
- Group and user wizard: Allows you to easily create new users and groups and also to import and synchronize LDAP users and groups.
- Office 365 FAST Lane: Automatically configures your bandwidth and firewall security for Office 365 applications and services.
Adaptive Web-based Configuration Tool
AXS Guard offers more than 30 different features. Because each customer has different needs, all security features have been organized into bundles.
Administrators can enable or disable any feature included in their bundle via the appliance's web-based configuration tool. Unused features will not be shown in the configuration menu, which makes the abundance of configuration options and pages more manageable, easier to configure and contributes to a better user experience.
Various administrator levels are available to define user access privileges for the AXS Guard web-based administration tool.
Routing is the decision process by which packets are moved from one network to another. Entries in routing tables specify the interface or gateway through which a packet must leave a network to reach another.
The AXS Guard appliance is an internal DNS server, which specifically serves the secure LAN and the DMZ. It also caches requests and can be configured to forward DNS and WINS requests to specific servers. The internal DNS automatically collects the following information:
- Names given to network devices
- Names assigned to computers in the LAN
- SRV records
Built-in Time Server
The AXS Guard appliance has an internal NTP server which can be used by clients in your network. A correct system time is essential for time-sensitive processes such as two-factor and Kerberos authentication, but also for scheduled tasks and system logging.
The Dynamic Host Configuration Protocol (DHCP) is an application protocol that enables your appliance to dynamically assign IP addresses to computers and other devices in its network. The AXS Guard appliance supports:
- DHCP Relay Agents
- Dynamic Address Allocation (Authoritative DHCP)
- Static and dynamic leases
The AXS Guard appliance provides the following web-based tools for basic network troubleshooting:
- Subnet calculator
- Animated, real-time network flow analysis (netstat)
- Internet speed test
Network Address Translation
Five NAT types can be configured on the AXS Guard appliance. The types are defined based on the altered header information:
- SNAT (Source Network Address Translation)
- (Authenticated) Port Forwarding
- DNAT (Destination Network Address Translation)
- Port Redirection
NAT helpers are available for the following protocols: FTP, PPTP, IRC, H.323, SIP, SNMP, TFTP, Amanda, DCCP, SCTP and UDP-lite.
Virtual Local Area Networks (VLAN)
VLANs are used to add one or more segments to your network without the need to add an additional physical network interface. Some benefits associated with the use of VLANs include:
- Help with network efficiency by reducing extraneous traffic.
- Enhance security by creating a virtual boundary around distinct business units.
- Improve bandwidth performance by limiting node-to-node and broadcast traffic.
- Eliminate the need to physically match up ports and switches in a network.
Channel bonding or Ethernet bonding is a computer networking arrangement in which two or more network interfaces on a host are combined for redundancy or increased throughput.
Bonding allows you to effectively combine the bandwidth into a single connection or to create multi-gigabit pipes to transport traffic through the highest traffic areas of your network. The following bonding types are supported:
- Round Robin: Packets are transmitted in a round robin fashion over the available slave interfaces. This type provides both load balancing and fault tolerance.
- Active Backup: One slave interface is active at any time. If one interface fails, another interface takes over the MAC address and becomes the active interface. Provides fault tolerance only. Does not require special switch support.
- XOR Balancing: Transmissions are balanced across the slave interfaces based on (source MAC XOR destination MAC) modulo slave count. The same slave is selected for each destination MAC. Provides load balancing and fault tolerance.
- Broadcast: Transmits everything on all slave interfaces. Provides fault tolerance.
- 802.3ad: This is classic IEEE 802.3ad Dynamic link aggregation. This requires 802.3ad support in the switch and driver support for retrieving the speed and duplex of each slave.
- Balance TLB: Adaptive Transmit Load Balancing. Incoming traffic is received on the active slave only, outgoing traffic is distributed according to the current load on each slave. Doesn't require special switch support.
- Balance ALB: Adaptive Load Balancing provides both transmit load balancing (TLB) and receive load balancing for IPv4 via ARP negotiation. Does not require special switch support, but does require the ability to change the MAC address of a device while it is open.
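The slave-selection rule behind the XOR Balancing mode, as an added example (not AXS Guard or Linux bonding code). It assumes the Linux "layer2" hash policy, where the slave index is (last byte of source MAC XOR last byte of destination MAC) modulo slave count; all MAC addresses are constructed. It also shows the practical caveat that a bond whose traffic all passes through one router MAC gets no load balancing from this mode.

```python
# Added example (not AXS Guard or Linux bonding code): the slave-selection
# rule behind the XOR Balancing mode above. Assumption: the Linux "layer2"
# hash policy, slave = (src_mac[5] XOR dst_mac[5]) mod slave_count, i.e. the
# XOR of the last byte of each MAC address. All MAC addresses are constructed.

def mac_to_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six raw bytes."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"malformed MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)

def xor_slave_index(src_mac: str, dst_mac: str, slave_count: int) -> int:
    """Slave interface index chosen for one source/destination MAC pair."""
    if slave_count < 1:
        raise ValueError("a bond needs at least one slave interface")
    src = mac_to_bytes(src_mac)
    dst = mac_to_bytes(dst_mac)
    # Deterministic: the same pair always lands on the same slave, which is
    # what keeps the frames of one conversation in order.
    return (src[5] ^ dst[5]) % slave_count

def slave_distribution(src_mac: str, dst_macs, slave_count: int) -> list:
    """Count how many destinations each slave would carry for one sender."""
    counts = [0] * slave_count
    for dst in dst_macs:
        counts[xor_slave_index(src_mac, dst, slave_count)] += 1
    return counts

if __name__ == "__main__":
    host = "00:11:22:33:44:55"
    # Many distinct LAN peers: traffic spreads over both slaves.
    peers = [f"aa:bb:cc:dd:ee:{i:02x}" for i in range(8)]
    print("LAN peers  ->", slave_distribution(host, peers, 2))
    # Everything behind one router MAC: the XOR is the same every time, so a
    # bond that only talks to a gateway gets fault tolerance but no balancing.
    gateway = "00:00:5e:00:01:01"
    print("via router ->", slave_distribution(host, [gateway] * 8, 2))
```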
Sometimes it is useful to divide a physical network (such as an Ethernet segment) into separate network segments. Network bridges do not require separate IP subnets and routers to connect the individual segments. If your appliance has two or more network interfaces, they can be configured as a bridge. There are various use cases:
- Connecting Networks: Joining two or more network segments together. There are many reasons to use a host-based bridge over plain networking equipment such as cabling constraints, firewalling and routing. A bridge can also connect a wireless interface running in hostap mode to a wired network and act as an access point.
- Filtering / Traffic Shaping Firewall: A common situation is where firewall functionality is needed without routing or network address translation (NAT).
- Network Tap: A bridge can be used to inspect all Ethernet frames that pass between the connected network segments. This can be achieved with a traffic analyzer such as tcpdump or by sending a copy of all frames to an additional interface (span port).
- Layer 2 Redundancy: A network can be connected together with multiple links and use the Spanning Tree Protocol to block redundant paths. For an Ethernet network to function properly, only one active path can exist between two devices. Spanning Tree will detect loops and put the redundant links into a blocked state. Should one of the active links fail then the protocol will calculate a different tree and reenable one of the blocked paths to restore connectivity to all points in the network.
IP tunnels are often used for connecting two disjoint IP networks which don't have a native routing path to each other, via an underlying routable protocol across an intermediate transport network. The AXS Guard appliance supports the following tunnel types:
- IP in IP, sometimes called ipencap, is IP encapsulation within IP and is described in RFC 2003.
- GRE in IP. GRE is a tunneling protocol that was originally developed by Cisco and can be used to transport multicast traffic through a GRE tunnel. GRE (defined in RFC 2784 and updated by RFC 2890) goes a step further than IP in IP, adding an additional header of its own between the inside and outside IP headers.
The Domain Name System (DNS) is a crucial component to the Internet. The AXS Guard appliance supports the following features:
- DNS Zone Transfers
- Forward and reverse lookup zones
- Round Robin
Dynamic DNS, also known as DDNS, solves the problem of ever-changing residential IP addresses by associating your address with a consistent domain name, without the need to buy a pricey static IP.
Bandwidth management is the process of measuring and controlling communications (traffic, packets) on a network link, to avoid filling the link to its full capacity or even overfilling the link, which would result in network congestion and poor performance.
The AXS Guard appliance allows administrators to easily classify traffic based on various properties. Bandwidth management policies are enforced through schedules and can also be configured for virtual network devices, such as VPN devices.
The Internet Redundancy module is only available on appliances with two or more Internet interfaces and offers the following features:
- Load Balancing: Distribute data across two or more Internet interfaces to ensure that a single Internet interface does not get overloaded with network traffic.
- Internet Failover: The capability to switch over automatically to a redundant or standby Internet interface, upon the failure of the previously active interface.
- Dedicated Routing: The capability to dedicate an Internet interface to a certain type of traffic, e.g. VoIP.
Dynamic Firewall Policies
Dynamic firewall policies are enforced at the user, group or computer level. User and group policies are enforced after successful authentication with the AXS Guard appliance. Computer policies are intended for servers which need specific access to the Internet, e.g. to download software updates, and to which physical access is ideally restricted.
Static Firewall Policies
Static firewall policies are always enforced and apply to all users and computers which are physically connected to the network. They must be used to allow access to a service, e.g. the L2TP service.
Advanced Firewall Rules and Policies
The internal firewall system is based on iptables. Advanced firewall rules require specific syntax and have priority over dynamic and static firewall rules configured via the AXS Guard web-based administration tool.
Block lists are lists of IP addresses or IP ranges that are blocked by the firewall. Predefined lists contain malicious IP addresses and are updated automatically. Custom lists can be added if necessary.
Office 365, Azure and Other Automated Lists
As IP addresses of various cloud applications and services - such as Office 365 apps - may change regularly and without prior notice, automated lists are available to keep your network environment secure and reliable.
The following features are also supported by the firewall:
- Denial Of Service Checks
- Unclean Packet Checks
- Global Bad Packet Management
The application control system monitors the application layer (layer 7 of the OSI model) of the network.
This is also known as Deep Packet Inspection (DPI), a form of network packet filtering that examines the data part of a packet as it passes through the AXS Guard appliance, searching for defined criteria, such as protocols or websites, to decide whether the packet may pass or must be blocked.
AXS Guard also collects and reports statistical information about all layer 7 traffic.
The following applications can be blocked:
- Social Media, e.g. Facebook
- Remote Desktop, e.g. RDP and VNC
- VPN, e.g. PPTP
- P2P, e.g. Bittorrent
- File Sharing, e.g. Dropbox
- Messaging and VoIP, e.g. Skype, Viber
- Multimedia, e.g. Spotify, YouTube, avi files
- Others, e.g. Gmail, FTP
The AXS Guard proxy server services requests on behalf of clients in the secure LAN by forwarding these requests to the Internet. Web access policies can be configured at the user, group, computer or the system level (a.k.a. a system-wide configuration).
Web Access Filters
Web access filters or Access Control Lists (ACL) define which sites users are allowed to visit and which ones are off limits. ACLs consist of categories which in turn are composed of site or word lists related to specific content.
Basic Content Scanning
- URL filtering
- ClamAV antivirus protection
- Protection against other malware lists
Advanced Content Scanning
- Filtering based on custom and predefined word lists.
- Advanced URL filtering
- Trend Micro antivirus engine.
- ClamAV antivirus engine for additional protection against malware, trojans and other malicious software.
- Protection against various other types of malware
Advanced Threat Protection AXS Guard Cloud (CTRS)
CTRS is an AXS Guard cloud service which inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Malware signatures are updated frequently as they are distributed by antivirus companies, which ensures that CTRS uses the latest signature sets.
Over the last few years, many popular websites, including Google, YouTube, Reddit and Facebook, have enabled HTTPS encryption by default. Without SSL inspection, proxies therefore have limited filtering, monitoring and logging capabilities.
AXS Guard supports man-in-the-middle SSL filtering, which will allow you to more effectively monitor web traffic passing through the proxy server.
The AXS Guard appliance can be used as a transparent proxy server. Transparent proxies are also commonly known as intercepting proxies.
Transparent or intercepting proxies are commonly used in businesses to prevent avoidance of implemented user policies (ACLs) and to ease administrative burden, since no browser configuration is required on the clients.
- Customizable WPAD configuration
- Automated WPAD configuration for Office 365
- Support for parent proxy
- Customizable user login page
- Strong authentication and SSO
- Advanced logging, reporting and statistics
The Intrusion Prevention System (IPS) is a preemptive approach to network security: it identifies potential software exploits and takes immediate action against them. The actions taken are based on existing preprocessors and a set of dynamic rules divided into classes.
IPS rules are organized in categories. Each category describes the type of software or protocol used to perform an attack, e.g. pop3, backdoor, etc. Categories contain individual rules, each within their own classification. The AXS Guard appliance can be configured so rules are updated automatically.
The directory services module allows you to synchronize users and groups by establishing an LDAP connection with a directory server. The imported user accounts and groups remain updated if changes are made to the records on the directory server. The directory services module provides:
- LDAP back-end authentication
- Synchronization of users and groups in multiple domains
- Support for LDAP over SSL
- SSO for web access and firewall access (SSO tool in domain mode)
- Support for Microsoft Active Directory and POSIX LDAP
Strong Authentication & 2FA
Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which users provide two authentication factors to verify they are who they say they are. 2FA can be contrasted with single-factor authentication (SFA), a security process in which the user provides only one factor, typically a password.
- OATH Microsoft and Google Authenticators
- OneSpan DIGIPASS® Tokens
- OneSpan Cronto App with Push Notifications
Kerberos is a time-sensitive network protocol that uses secret-key cryptography to authenticate client-server applications. The following back-ends are supported:
- Microsoft Windows Servers
- Servers running the MIT implementation
- Servers running the Heimdal implementation
LDAP user authentication is the process of validating a username and password combination with a directory server such as MS Active Directory or OpenLDAP. Also see the Directory Services feature.
The Remote Authentication Dial-In User Service (RADIUS) is a widely deployed protocol enabling centralized authentication, authorization, and accounting for network access. RADIUS authentication and authorization are defined in RFC 2865.
EAP-TLS, defined in RFC 2716, is an IETF open standard, and is well-supported among wireless vendors. It offers a good deal of security, since TLS is considered the successor of the SSL standard. It uses PKI to secure communications with the AXS Guard RADIUS server.
HTTP Basic authentication is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages. Basic authentication uses standard fields in the HTTP header, removing the need for handshakes.
The Ident Protocol, defined in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. This simplifies management in that you do not have to match IP addresses to computers to regulate web traffic.
Brute-force Attack Protection
A brute-force attack is an attack method that relies on one's ability to guess passwords to illegally access a target system. Most typically, the attacker uses software that tries a vast number of username / password combinations until the target system is accessed or the intrusion attempt is detected and blocked.
The AXS Guard appliance can be configured to block brute-force attempts at the following levels:
- The user level: consecutive failed logins for the same user are blocked, regardless of the source IP from which a suspected attack originates. This renders anonymizers ineffective.
- The host level: consecutive failed logins from the same source IP are blocked, regardless of the account that is used to launch a suspected attack.
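The two blocking levels above, replayed over constructed authentication log lines as an added example (not AXS Guard code). The log line format and the threshold of three consecutive failures are assumptions made for this example; it shows why the user level catches an account attacked from many addresses while the host level catches one address trying many accounts.

```python
# Added example (not AXS Guard code): the two blocking levels described above,
# replayed over constructed authentication log lines. The line format and the
# threshold of three consecutive failures are assumptions for this example.
import re
from collections import defaultdict

# Constructed sample input; not real appliance output.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z auth: FAILED user=alice src=203.0.113.7
2024-03-01T08:00:02Z auth: FAILED user=alice src=198.51.100.9
2024-03-01T08:00:03Z auth: FAILED user=alice src=192.0.2.44
2024-03-01T08:00:04Z auth: FAILED user=bob src=203.0.113.7
2024-03-01T08:00:05Z auth: FAILED user=carol src=203.0.113.7
2024-03-01T08:00:06Z auth: OK user=dave src=203.0.113.7
2024-03-01T08:00:07Z auth: FAILED user=erin src=10.0.0.5
2024-03-01T08:00:08Z auth: OK user=erin src=10.0.0.5
2024-03-01T08:00:09Z auth: FAILED user=erin src=10.0.0.5
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAILED|OK) user=(\S+) src=(\S+)$")

def detect(log_text: str, user_threshold: int = 3, host_threshold: int = 3):
    """Replay the log; return (blocked_users, blocked_hosts, rejected_count).

    User level: N consecutive failures for one account block that account no
    matter which source IP the attempts come from, so spreading guesses over
    anonymizers gains nothing.
    Host level: N consecutive failures from one source IP block that IP no
    matter which account names it tries. A successful login resets a counter.
    """
    user_fail = defaultdict(int)
    host_fail = defaultdict(int)
    blocked_users, blocked_hosts = set(), set()
    rejected = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event
        _ts, result, user, src = m.groups()
        if user in blocked_users or src in blocked_hosts:
            rejected += 1  # already blocked: the attempt is not evaluated at all
            continue
        if result == "OK":
            user_fail[user] = 0
            host_fail[src] = 0
            continue
        user_fail[user] += 1
        host_fail[src] += 1
        if user_fail[user] >= user_threshold:
            blocked_users.add(user)
        if host_fail[src] >= host_threshold:
            blocked_hosts.add(src)
    return blocked_users, blocked_hosts, rejected

if __name__ == "__main__":
    users, hosts, rejected = detect(SAMPLE_LOG)
    print("blocked users:", sorted(users))   # alice: 3 failures from 3 IPs
    print("blocked hosts:", sorted(hosts))   # 203.0.113.7: 3 accounts tried
    print("attempts rejected after blocking:", rejected)
```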
The AXS Guard PKI tool allows you to create, manage, store, distribute, and revoke Public Key Certificates for VPN applications, such as IPsec Road Warriors, OpenVPN and L2TP clients. It is also used for secure e-mail relaying and secure web applications (reverse proxy). The following types and standards are supported:
- PEM certificates, with or without separate key files
- The PKCS #12 standard
Trusted Certificate Authorities
AXS Guard automatically maintains a root store that is used to determine if a certificate issued by a particular Certificate Authority (CA) is trusted. System administrators also have the possibility to disable certificates or import company-issued CA certificates. This feature was implemented to support SSL Inspection.
The reverse proxy services Internet client requests by forwarding these requests to the correct server in the LAN, while providing strong authentication, request filtering and SSL offloading.
- TCP/IP protocols: HTTP(S) and FTP
- Application protocols: WebSocket, RPC over HTTP, MAPI over HTTP, EWS and RDP (via a remote desktop gateway)
- Base URL Protection
- RFC Compliance & Request Filtering
- Predefined & Custom Applications
- SSL Offloading & Two-factor Authentication
- Ability to add custom login pages for your application servers
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. A VPN enables you to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link.
Personal AXS Guard
Personal AXS Guard (PAX) is an appliance based on the VPN security model, designed specifically for telecommuting and industrial applications, such as IoT device management. PAX units are configured and centrally managed on the corporate AXS Guard appliance which pushes the configuration to each individual unit.
OpenVPN is an open source virtual private network (VPN) program for creating point-to-point or server-to-multiclient encrypted tunnels between hosts. It is capable of establishing direct links between computers across networks which use network address translation (NAT) and firewalls. OpenVPN is popular, easy to use, secure and widely supported on mobile devices. The AXS Guard implementation also offers the possibility to enforce two-factor authentication.
IPsec is an Internet Engineering Task Force (IETF) open standard suite of protocols (framework) providing data confidentiality, integrity, and authentication. The AXS Guard appliance only supports ESP in Tunnel Mode. This has to be taken into consideration when connecting other IPsec appliances or clients to the AXS Guard IPsec server, which offers the following features:
- Support for IKEv1 and IKEv2 tunnels
- IPsec Road Warrior setups
- GRE over IPsec tunnels
- DHCP over IPsec (IKEv1 only)
- XAUTH (two-factor authentication for IPsec road warriors)
The Secure Socket Tunneling Protocol (SSTP) provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The SSTP server uses TCP port 443 by default, allowing SSTP clients to traverse virtually all firewalls and proxy servers, except for authenticated web proxies. The AXS Guard SSTP server can also be configured to enforce strong user authentication.
The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used with Virtual Private Networks (VPNs) based on the IPsec framework. It enables roaming users to establish a secure connection to the private network of their company HQ using an L2TP client. The L2TP client software is available on any Windows version. The AXS Guard L2TP server also provides two-factor authentication.
The Point to Point Tunneling Protocol (PPTP) is an extension of the PPP protocol, defined per RFC 1171. The AXS Guard PPTP server also provides two-factor authentication.
AXS Guard Remote Workspace
AXS Guard Remote Workspace is a browser-based VPN solution that relies on HTML5. It allows users to remotely access corporate computers via a browser session over a secure connection (HTTPS). No dedicated software is required on the client side. Two-factor authentication is also supported.
- RFC compliance checks
- Anti-relay check
- Policy-based Transport Layer Security (TLS)
- HELO message check
- Blocking of connections from MTAs with dynamic IP addresses (potential spam vectors)
- SPF protection
- Bad header checks
- Blacklisting, whitelisting and greylisting
- Anti-spoofing, i.e. validation of e-mail addresses
- Validity check of the sender and recipient e-mail address formats
- Verification of recipient addresses based on the origin
- Policy-based filtering system
- Predefined and custom mail policies
- Specific policies can be assigned to users, groups or computers, either in addition to the system-wide mail policy or to override it
- Automated blocking of potentially dangerous e-mail attachments, such as executable files, Office documents containing macros and encrypted archives
- E-mail quarantine
- Automated and manual spam learning
AXS Guard Cloud Threat Protection (CTRS)
E-mails are scanned for potentially harmful links and automatically quarantined when a threat is detected (Google Safe Browsing technology).
Roundcube webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking.
POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is downloaded to the client computer. The AXS Guard appliance also supports POPS.
The Internet Message Access Protocol (IMAP) is an Internet standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over a TCP/IP connection. The e-mail messages remain on the e-mail server. IMAP is defined in RFC 3501. The AXS Guard appliance also supports IMAP over SSL (IMAPS).
The AXS Guard MTA can be configured to distribute e-mails collected by a “catch-all” mailbox on the Internet. A “catch-all” mailbox refers to a mailbox in a domain that will "catch all" of the e-mails destined for that domain. A “catch-all” address provides a cheap method for companies to receive e-mail.
Managing log files is a vital part of network administration. The AXS Guard syslog management engine offers you the ability to log system activities locally and remotely. This capability can be essential if you need to archive log files for a long period of time or simply want log files to be available on other systems in your network.
Supported Delivery Types
- Local delivery: refers to logs that are generated by and stored on the AXS Guard appliance.
- Network delivery: refers to logs that are forwarded by a dedicated log server to the AXS Guard appliance.
- Relay delivery: refers to logs that have been delivered to the AXS Guard appliance (also see network delivery). Once the logs are received, the AXS Guard appliance relays them to another log server.
- Mail delivery: the AXS Guard appliance sends logs by e-mail to the specified addresses.
- The Sumo Logic log collector: a cloud-based log management and analytics service, which requires a subscription.
Supported Log Types
The log type mainly influences the formatting of log messages.
The following log types are supported:
- RFC 3164: This is the system default type and is the most human-readable format.
- RFC 3339: This format contains the most details (e.g. timestamps).
- Unix: Used by older servers and less detailed than RFC 3164 and 3339.
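Normalising the RFC 3164 and RFC 3339 log types so a central collector can treat both alike, as an added example (not AXS Guard code). The exact line shapes are assumptions (rsyslog-style traditional and high-precision file formats), and the sample lines are constructed; the example makes visible what the RFC 3164 format leaves out (year and UTC offset) and why the RFC 3339 type is the safer one to forward.

```python
# Added example (not AXS Guard code): normalising the RFC 3164 and RFC 3339
# log types above so a central collector can treat both alike. The line
# shapes are assumptions (rsyslog-style), and the sample lines are constructed:
#   RFC 3164:  "Mar  1 08:00:01 host tag[pid]: message"          (no year, no zone)
#   RFC 3339:  "2024-03-01T08:00:01.123456+01:00 host tag[pid]: message"
import re
from datetime import datetime, timezone

SAMPLE_3164 = "Mar  1 08:00:01 axsguard firewall[412]: DROP src=203.0.113.7"
SAMPLE_3339 = "2024-03-01T08:00:01.123456+01:00 axsguard firewall[412]: DROP src=203.0.113.7"

_RFC3164 = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$")
_RFC3339 = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{6})?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$")

def parse_syslog(line: str, assumed_year=None, assumed_tz=timezone.utc) -> dict:
    """Parse one line in either log type into a record with an aware datetime.

    An RFC 3164 timestamp carries neither the year nor a UTC offset, so the
    collector has to supply both (assumed_year / assumed_tz) and can get them
    wrong around New Year or DST changes. RFC 3339 lines are self-describing.
    """
    m = _RFC3339.match(line)
    if m:
        ts = m.group("ts")
        if ts.endswith("Z"):
            ts = ts[:-1] + "+00:00"  # fromisoformat() before 3.11 rejects 'Z'
        when = datetime.fromisoformat(ts)
        fmt = "rfc3339"
    else:
        m = _RFC3164.match(line)
        if not m:
            raise ValueError(f"unrecognised syslog line: {line!r}")
        year = assumed_year or datetime.now(assumed_tz).year
        when = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
            "%Y %b %d %H:%M:%S").replace(tzinfo=assumed_tz)
        fmt = "rfc3164"
    return {"format": fmt, "time": when, "host": m.group("host"),
            "tag": m.group("tag"), "msg": m.group("msg")}

def utc_iso(record: dict) -> str:
    """The record's timestamp rendered in UTC, the form a SIEM should store."""
    return record["time"].astimezone(timezone.utc).isoformat()

if __name__ == "__main__":
    for line in (SAMPLE_3164, SAMPLE_3339):
        rec = parse_syslog(line, assumed_year=2024)
        print(rec["format"], utc_iso(rec), rec["host"], rec["tag"], rec["msg"])
```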
Network and data protection measures, such as a firewall, an anti-virus engine or an Intrusion Prevention System, are no longer sufficient in a GDPR world; organizations need to know what data they are collecting and how it's being used.
AXS Guard is equipped with a threat reporting feature, allowing organizations to get actionable insights from raw data in various system log files.
This reporting feature is also capable of delivering selected reports automatically to administrators and authorized personnel, allowing them to better identify potential cyber threats in a GDPR context.
Firewall and IPS
The reports show information related to traffic that was dropped by the firewall and IPS. Connection tracking allows administrators to view information about active connections, such as the source and destination IP addresses, port number pairs, etc.
The reports show detailed information about traffic dropped by the application control system, e.g. blocked Facebook connection attempts. A graphical representation of all connection data is also available.
Web access statistics consist of a database from which the following reports can be extracted:
- Requests per client.
- Hourly requests.
- Most frequently accessed websites.
- Blocked requests.
- Blocked sites.
The reports contain information about queued, quarantined and blocked messages. The MTA statistics provide information about all e-mail activity including, but not limited to, the total percentage of blocked messages and the number of messages per recipient.
This report consists of a graph showing the averages of outgoing traffic per (sub)class and the total average over an 8-hour period. This graph allows you to monitor and detect unusual traffic peaks and adjust your bandwidth management configuration if needed.
The authentication status report provides information about authenticated and blocked users. Users and hosts which have been blocked by the brute-force protection system are also visible and can be unblocked on the fly.
High-Availability clusters (also known as failover clusters) are implemented primarily for the purpose of improving the availability of services that the cluster provides. They operate by having redundant nodes, which are then used to provide services when system components fail. The most common size for an HA cluster is two nodes, a master and a slave unit, which is the minimum requirement to provide redundancy.
The AXS Guard fax module is a heavy-duty telecommunication system supporting:
- Up to 8 Fax Lines.
- Sending facsimile, including batch jobs via a connected workstation in a Novell, Windows or Unix network.
- Receiving facsimile via e-mail or a networked printer in a Novell, Windows or Unix network.
- PCL 5 and PostScript printers.
- Shared use of the available modem(s).
- Multiple queues, e.g. organized per department.
- Fax reporting via e-mail.
- Advanced logging.
Note that the fax module is sold exclusively in the BENELUX.
Software revisions correct small, non-blocking software issues and contain minor improvements or features. Revision updates can be installed manually or automatically. Administrators are notified via e-mail when a new software revision is available.
Version upgrades include major improvements and introduce new features. They can be installed manually or automatically. Administrators are notified via e-mail when a new system upgrade is available.
Hotfixes occur automatically and transparently. They are used to ensure the optimal operation of appliances in the field and are pushed automatically by our update servers. Hotfix installations are beyond the control of resellers and system administrators.
This method allows you to manually download a backup of the current AXS Guard configuration via the web-based administrator tool.
Weekly Backup via E-mail
This method allows you to automatically send a backup of the AXS Guard configuration via e-mail to a dedicated user.
Backup on Network Share
A daily backup on a network share allows you to make a backup of the AXS Guard configuration and critical user data, such as e-mails and log files. System administrators receive a backup report via e-mail and are also automatically notified in case of errors. Backups can be restored with a few simple clicks.
The CLI is a Linux-based command line interface for advanced troubleshooting. It can be accessed directly by connecting a screen and keyboard to the appliance or remotely with a secure connection (SSH).