|AXS GUARD Core OS|
|Networking, routing and monitoring|
|Authentication (SSO, PKI, Kerberos, 2FA* including support for OATH Google and Microsoft Authenticators as well as OneSpan DIGIPASS® technology)|
|Firewall with IPS|
|Client-Server (PPTP, L2TP, OpenVPN)|
|Site to Site (IPsec, e-tunnel)|
|Personal AXS GUARD (SSL)|
|Web Traffic Control|
|Multiple Internet connections|
|SSL VPN Portal|
|Content Scanning Basic||Optional
(per user per year)
(per user per year)
(per user per year)
|Relay (Antispam, Antimalware, Antivirus)|
|E-mail server with webmail|
|Web Proxy traffic|
|URL filtering, Blacklists, Antivirus|
|Content Scanning Standard||Optional
(per user per year)
(per user per year)
(per user per year)
|Trend Micro Licenses|
|Web content Scanning|
* 2FA requires an OATH or DIGIPASS® server authentication license.
** High Availability requires an additional appliance with RAS Enterprise backup software.
The configuration wizards are a user-friendly way to configure your appliance step by step and allow you to carefully review and tweak your system settings, for example:
Routing is the decision process by which packets are moved from one network to another. Entries in routing tables specify the interface or gateway through which a packet must leave a network to reach another.
The AXS GUARD appliance is an internal DNS server, which specifically serves the secure LAN and the DMZ. It also caches requests and can be configured to forward DNS and WINS requests to specific servers. The internal DNS automatically collects the following information:
Built-in Time Server
The AXS GUARD appliance has an internal NTP server which can be used by clients in your network. A correct system time is essential for time-sensitive processes such as two-factor and Kerberos authentication, but also for scheduled tasks and system logging.
The Dynamic Host Configuration Protocol (DHCP) is an application protocol that enables your appliance to dynamically assign IP addresses to computers and other devices in its network. The AXS GUARD appliance supports:
The AXS GUARD appliance provides the following web-based tools for basic network troubleshooting:
Network Address Translation
Five NAT types can be configured on the AXS GUARD appliance. The types are defined based on the altered header information:
Virtual Local Area Networks (VLAN)
VLANs are used to add one or more segments to your network without the need to add an additional physical network interface.
Channel bonding or Ethernet bonding is a computer networking arrangement
in which two or more network interfaces on a host are combined for
redundancy or increased throughput.
Bonding allows you to effectively combine the bandwidth into a single connection or to create multi-gigabit pipes to transport traffic through the highest traffic areas of your network. The following bonding types are supported:
Sometimes it is useful to divide a physical network (such as an Ethernet segment) into separate network segments. Network bridges do not require separate IP subnets and routers to connect the individual segments. If your appliance has two or more network interfaces, they can be configured as a bridge. There are various use cases:
IP tunnels are often used for connecting two disjoint IP networks which don't have a native routing path to each other, via an underlying routable protocol across an intermediate transport network. The AXS GUARD appliance supports the following tunnel types:
The Domain Name System (DNS) is a crucial component to the Internet. The AXS GUARD appliance supports the following features:
Dynamic DNS, also known as DDNS, solves the problem of ever changing residential IP addresses by associating your address with a consistent domain name without the need to buy a pricey static IP.
Bandwidth management is the process of measuring and controlling
communications (traffic, packets) on a network link, to avoid filling
the link to its full capacity or even overfilling the link, which would
result in network congestion and poor performance.
The AXS GUARD appliance allows administrators to easily classify traffic based on various properties. Bandwidth management policies are enforced through schedules and can also be configured for virtual network devices, such as VPN devices.
The Internet Redundancy module is only available on appliances with two or more Internet interfaces and offers the following features:
Dynamic Firewall Policies
Dynamic firewall policies are enforced at the user, group or computer level. User and group policies are enforced after successful authentication with the AXS GUARD appliance. Computer policies are intended for servers which need specific access to the Internet, e.g. to download software updates, and to which physical access is ideally restricted.
Static Firewall Policies
Static firewall policies are always enforced and apply to all users and computers which are physically connected to the network. They must be used to allow access to a service, e.g. the L2TP service.
Advanced Firewall Rules and Policies
The internal firewall system is based on iptables. Advanced firewall rules require specific syntax and have priority over dynamic and static firewall rules configured via the AXS GUARD web-based administration tool.
Block lists are lists of IP addresses or IP ranges that are blocked by the firewall. Predefined lists contain malicious IP addresses and are updated automatically. Custom lists can be added if necessary.
Other Automated Lists
As IP addresses of various cloud applications and services - such as Office 365 apps - may change regularly and without prior notice, automated lists are available to keep your network environment secure and reliable.
The following features are also supported by the firewall:
The application control system monitors the application layer (layer 7 of the OSI model) of the network.
This is also known to as Deep Packet Inspection (DPI), a form of computer network packet filtering that examines the data part of a packet as it passes the AXS GUARD appliance, searching for defined criteria, such as protocols or websites, to decide whether the packet may pass or needs to be blocked.
AXS GUARD also collects and reports statistical information about all layer 7 traffic.
The following applications can be blocked:
The AXS GUARD proxy server services requests on behalf of clients in the secure LAN by forwarding these requests to the Internet. Web access policies can be configured at the user, group, computer or the system level (a.k.a. a system-wide configuration).
Web Access Filters
Web access filters or Access Control Lists (ACL) define which sites users are allowed to visit and which ones are off limits. ACLs consist of categories which in turn are composed of site or word lists related to specific content.
Basic Content Scanning
Advanced Content Scanning
The AXS GUARD appliance can be used as a transparent proxy server.
Transparent proxies are also commonly known as intercepting proxies.
Transparent or intercepting proxies are commonly used in businesses to prevent avoidance of implemented user policies (ACLs) and to ease administrative burden, since no browser configuration is required on the clients.
The Intrusion Prevention System (IPS) is a preemptive approach to network security. IPS identifies potential software exploits and takes immediate action against them. The actions to be taken are based on existing preprocessors and a set of dynamic rules divided in classes.
IPS rules are organized in categories. Each category describes the type of software or protocol used to perform an attack, e.g. pop3, backdoor, etc. Categories contain individual rules, each within their own classification. The AXS GUARD appliance can be configured so rules are updated automatically.
The directory services module allows you to synchronize users and groups by establishing an LDAP connection with a directory server. The imported user accounts and groups remain updated if changes are made to the records on the directory server. The directory services module provides:
Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which users provide two authentication factors to verify they are who they say they are. 2FA can be contrasted with single-factor authentication (SFA), a security process in which the user provides only one factor, typically a password.
Supported 2FA Technologies
Kerberos is a time-sensitive network protocol that uses secret-key cryptography to authenticate client-server applications. The following back-ends are supported:
LDAP user authentication is the process of validating a username and password combination with a directory server such MS Active Directory or OpenLDAP. Also see the Directory Services feature.
The Remote Authentication Dial-In User Service (RADIUS) is a widely
deployed protocol enabling centralized authentication, authorization,
and accounting for network access. RADIUS authentication and
authorization are defined in RFC 2865.
EAP-TLS, defined in RFC 2716, is an IETF open standard, and is well-supported among wireless vendors. It offers a good deal of security, since TLS is considered the successor of the SSL standard. It uses PKI to secure communications with the AXS GUARD RADIUS server.
HTTP Basic authentication is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages. Basic authentication uses standard fields in the HTTP header, removing the need for handshakes.
The Ident Protocol, defined in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. This simplifies management in that you do not have to match IP addresses to computers to regulate web traffic.
Brute-force Attack Protection
A brute-force attack is an attack method that relies on one's ability to
guess passwords to illegally access a target system. Most typically,
the attacker uses software that tries a vast number of username /
password combinations until the target system is accessed or the
intrusion attempt is detected and blocked.
The AXS GUARD appliance can be configured to block brute-force attempts at the following levels:
The AXS GUARD PKI tool allows you to create, manage, store, distribute, and revoke Public Key Certificates for VPN applications, such as IPsec Road Warriors, OpenVPN and L2TP clients. It is also used for secure e-mail relaying and secure web applications (reverse proxy). The following types and standards are supported:
The reverse proxy services Internet client requests by forwarding these requests to the correct server in the LAN, while providing strong authentication, request filtering and SSL offloading.
A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. A VPN enables you to send data between two computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link.
Personal AXS GUARD
Personal AXS GUARD (PAX) is an appliance based on the VPN security model, designed specifically for remote use. Its integration with home networks is easy and allows telecommuters to safely connect to corporate network resources and the Internet. PAX units are configured and centrally managed on the corporate AXS GUARD appliance which pushes the configuration to each individual unit.
OpenVPN is an open source virtual private network (VPN) program for creating point-to-point or server-to-multiclient encrypted tunnels between hosts. It is capable of establishing direct links between computers across networks which use network address translation (NAT) and firewalls. OpenVPN is popular, easy to use, secure and widely supported on mobile devices. The AXS GUARD implementation also offers the possibility to enforce two-factor authentication.
IPsec is an Internet Engineering Task Force (IETF) open standard suite of protocols (framework) providing data confidentiality, integrity, and authentication. The AXS GUARD appliance only supports ESP in Tunnel Mode. This has to be taken into consideration when connecting other IPsec appliances or clients to the AXS GUARD IPsec server, which offers the following features:
The Secure Socket Tunneling Protocol (SSTP) provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The SSTP server uses TCP port 443 by default, allowing SSTP clients to traverse virtually all firewalls and proxy servers, except for authenticated web proxies. The AXS GUARD SSTP server can also be configured to enforce strong user authentication.
The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used with Virtual Private Networks (VPNs) based on the IPsec framework. It enables roaming users to establish a secure connection to the private network of their company HQ using an L2TP client. The L2TP client software is available on any Windows version. The AXS GUARD L2TP server also provides two-factor authentication.
The Point to Point Tunneling Protocol (PPTP) is an extension of the PPP protocol, defined per RFC 1171. The AXS GUARD PPTP server also provides two-factor authentication.
SSL Web Portal
The SSL Web Portal is a browser-based VPN solution that relies on Java. No other software is required on the client side. All network traffic is encrypted (HTTPS). The configuration of applications and users is entirely web-based and centralized. Two-factor authentication is also supported.
SquirrelMail is a standards-based webmail package written in PHP.
It includes built-in pure PHP support for the IMAP and SMTP protocols,
maximum compatibility across browsers. It has very few requirements and
is very easy to configure.
Roundcube webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking.
POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is downloaded to the client computer. The AXS GUARD appliance also supports POPS.
The Internet Message Access Protocol (IMAP) is an Internet standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over a TCP/IP connection. The e-mail messages remain on the e-mail server. IMAP is defined in RFC 3501. The AXS GUARD appliance also supports IMAP over SSL (IMAPS).
The AXS GUARD MTA can be configured to distribute e-mails collected by a “catch-all” mailbox on the Internet. A “catch-all” mailbox refers to a mailbox in a domain that will "catch all" of the e-mails destined for that domain. A “catch-all” address provides a cheap method for companies to receive e-mail.
Managing log files is a vital part of network administration. The AXS GUARD syslog management engine offers you the ability to log system activities locally and remotely. This capability can be essential if you need to archive log files for a long period of time or simply want log files to be available on other systems in your network.
Supported Delivery Types
Supported Log Types
The log type mainly influences the formatting of log messages.
The following log types are supported:
Network and data protection measures, such as a firewall, an anti-virus engine or an Intrusion Prevention System, are no longer sufficient in a GDPR world; organizations need to know what data they are collecting and how it's being used.
AXS GUARD is equipped with a threat reporting feature, allowing organizations to get actionable insights from raw data in various system log files.
This reporting feature is also capable of delivering selected reports automatically to administrators and authorized personnel, allowing them to better identify potential cyber threats in a GDPR context.
Firewall and IPS
The reports show information related to traffic that was dropped by the firewall and IPS. Connection tracking allows administrators to view information about active connections, such as the source and destination IP addresses, port number pairs, etc.
The reports show detailed information about traffic dropped by the application control system, e.g. blocked Facebook connection attempts. A graphical representation of all connection data is also available.
Web access statistics consist of a database from which the following reports can be extracted:
The reports contain information about queued, quarantined and blocked messages. The MTA statistics provide information about all e-mail activity including, but not limited to, the total percentage of blocked messages and the number of messages per recipient.
Consists of a graph, showing the averages of outgoing traffic per (sub)class and the total average over an 8-hour period. This graph allows you to monitor and detect unusual traffic peaks and adjust your bandwidth management configuration if needed.
The authentication status report provides information about authenticated and blocked users. Users and hosts which have been blocked by the brute-force protection system are also visible and can be unblocked on the fly.
High-Availability clusters (also known as failover clusters) are implemented primarily for the purpose of improving the availability of services that the cluster provides. They operate by having redundant nodes, which are then used to provide services when system components fail. The most common size for an HA cluster is two nodes, a master and a slave unit, which is the minimum requirement to provide redundancy.
The AXS GUARD fax module is a heavy-duty telecommunication system supporting:
Software revisions correct small, non-blocking software issues and contain minor improvements or features. Revision updates can be installed manually or automatically. Administrators are notified via e-mail when a new software revision is available.
Version upgrades include major improvements and introduce new features. They can be installed manually or automatically. Administrators are notified via e-mail when a new system upgrade is available.
Hotfixes occur automatically and transparently. They are used to ensure the optimal operation of appliances in the field and are pushed automatically by our update servers. Hotfix installations are beyond the control of resellers and system administrators.
This method allows you to manually download a backup of the current AXS GUARD configuration via the web-based administrator tool.
Weekly Backup via E-mail
This method allows you to automatically send a backup of the AXS GUARD configuration via e-mail to a dedicated user.
Backup on Network Share
A daily backup on a network share allows you to make a backup of the AXS GUARD configuration and critical user data, such as e-mails and log files. System administrators receive a backup report via e-mail and are also automatically notified in case of errors. Backups can be restored with a few simple clicks.
The CLI is a Linux-based command line interface for advanced troubleshooting. It can be accessed directly by connecting a screen and keyboard to the appliance or remotely with a secure connection (SSH).