Kerio WinRoute Firewall 6

Kerio WinRoute Firewall 6
sets new standards in versatility, security and user access
control. Designed for corporate networks, it defends against
external attacks and viruses and can restrict access to
websites based on their content.
Stateful network firewall
The primary function of any perimeter firewall is to control
outgoing and incoming network traffic based on corporate security
policy. Kerio WinRoute Firewall offers rich yet easily understandable
rule definition to perform stateful inspection of all Internet
traffic, enforcing the security policy. A network rules wizard
assists in the rapid setup of the firewall.
Kerio WinRoute Firewall 6 is a robust network
firewall operating at the lowest possible layer of the OS.
The stateful inspection firewall protects the whole local
network and also the computer it is installed on. Regardless
of whether its built-in NAT technology is utilized or not,
it controls both incoming and outgoing communication on all
available interfaces, thus giving users a level of firewall
protection comparable to that found in far more expensive solutions.
Kerio WinRoute Firewall 6 brings a revolutionary
concept of traffic rule configuration. This allows configuring
the packet filter, NAT, port mapping and access control rules
easily from one comprehensible table. The built-in configuration
wizard will help you to set up the firewall in minutes and
your network will be connected to the Internet securely in
no time at all.
Protocol inspection
Another level of protection is added by WinRoute's
inspection modules. These understand network communication
protocols and ensure that only standard behaviour is allowed.
Inspection modules are available for a wide range of standard
protocols, including HTTP, FTP and IRC. Multimedia and VoIP
protocols, such as MMS, H.323, SIP and Cisco SCCP, are also
supported.
An inspection module, applied to a traffic rule,
checks that communication allowed by the rule also corresponds
with the given protocol. For example, an HTTP inspection module
applied to a rule allowing communication on port 80 ensures
that only HTTP traffic will actually be accepted.
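As an added illustration (not code from the original page or from Kerio), the following Python sketch shows the kind of check an HTTP inspection module applies to the first bytes of a connection admitted by a port-80 rule: a stream that does not open with a well-formed HTTP request line is refused even though the port matched. The sample payloads are constructed.

```python
import re
from typing import Tuple

# Constructed sample payloads: the first bytes a client sends on a connection
# that an "allow TCP port 80" rule has admitted.
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: x\r\n\r\n"
SSH_ON_80 = b"SSH-2.0-OpenSSH_9.6\r\n"                 # an SSH service answering on port 80
TLS_ON_80 = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"  # TLS ClientHello bytes, not plaintext HTTP

HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/(1\.[01])")


def inspect_http(payload: bytes) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for the start of a stream on a port-80 rule.

    Only streams that begin with a well-formed HTTP/1.x request line are admitted;
    HTTP/1.1 requests must additionally carry a Host header.
    """
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.fullmatch(lines[0])
    if match is None:
        return "deny", "stream does not start with an HTTP request line"
    method, target, version = match.groups()
    if method not in HTTP_METHODS:
        return "deny", "unknown HTTP method %s" % method.decode()
    has_host = any(line.lower().startswith(b"host:") for line in lines[1:])
    if version == b"1.1" and not has_host:
        return "deny", "HTTP/1.1 request without Host header"
    return "allow", "%s %s" % (method.decode(), target.decode(errors="replace"))


def apply_rule(dst_port: int, payload: bytes) -> str:
    """A traffic rule allowing port 80 with the HTTP inspection module attached."""
    if dst_port != 80:
        return "deny"               # the rule does not match this traffic at all
    verdict, _ = inspect_http(payload)
    return verdict
```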
Fast Internet sharing
Support for DSL, cable modems, ISDN, satellite, dial-up or
wireless Internet allows users to deploy Kerio WinRoute Firewall
in networks of all sizes and in all locations. All users can
share one or multiple Internet connections. The built-in DNS
forwarder accelerates DNS queries, while the built-in transparent
HTTP proxy server caches content, for web browsing at blazing
speeds.
Kerio WinRoute Firewall 6 can easily connect
the whole Local Area Network to the Internet. This can be
achieved by utilizing the NAT (Network Address Translation)
facility of WinRoute's router or by using the built-in
proxy server.
NAT Router
Kerio WinRoute Firewall 6 includes the best
implementation of NAT technology available today. It is designed
to provide users with the ultimate in routing capability and
network protection. The NAT driver, written exclusively for
Kerio WinRoute, offers a security solution comparable to more
expensive products at substantially less cost.
The advanced routing features of Kerio WinRoute
Pro's NAT allow for the easy integration of a LAN into the
corporate WAN while keeping the option available for separate
Internet access. There is no need to manually edit routing
tables in a DOS prompt. WinRoute 6 has a simple graphical
interface to the routing table, and editing is both easy and
comfortable.
Proxy Server
Although a bit more limited compared to the
NAT technology, a simple proxy server is included in Kerio
WinRoute Firewall 6 for old-fashioned users. The advantage
of this is that there is no need to edit any of the TCP/IP
parameters on the local workstations.
Combined with the DHCP server (also built in
WinRoute 6) it is one of the easiest ways to connect the local
network to the Internet instantly. The proxy server features
automatic configuration for browsers so any browser supporting
this, such as Microsoft Internet Explorer, will be able to
connect immediately after Kerio WinRoute Firewall is installed.
Cache Server
Built into Kerio WinRoute Firewall 6 is a sophisticated
HTTP cache server. This stores frequently visited websites
in a local cache file. The next time a webpage is visited
it is not downloaded from the Internet but from the local server.
This speeds up webpage download time tremendously. WinRoute's
Cache Server can operate regardless of whether the built-in
proxy server is used or not.
To prevent the problem, found in similar solutions, of a
website not being refreshed when required,
Kerio WinRoute Firewall stores files in the local
cache for a limited time only, and exclusions can be set
for certain websites so they are not cached at all. In addition
to this, users can manually delete files from the cache using
WinRoute's web interface.
DHCP/DNS Services
In a network, each computer has to have its
TCP/IP protocol properly configured. This means that the IP
address, network mask, default gateway address, DNS server
address, etc. must be configured on each computer. If the
administrator has to set these parameters manually on a large
number of workstations, it is difficult to avoid mistakes,
e.g. using an address twice, which may cause address collisions and
consequently malfunction of the entire network.
Dynamic Host Configuration Protocol (DHCP) is
a feature of Kerio WinRoute Firewall designed to simplify
the task of network administration. The built-in DHCP server can
provide all TCP/IP parameters to all workstations on the local
network.
Kerio WinRoute Firewall also features a simple
DNS module that is able to forward DNS queries to a chosen
DNS server on the Internet. The DNS module stores the results
of the queries in its internal cache where they are kept for
a certain time. Subsequent repeated queries are then answered
using the cached data without the need to wait until an answer
from the Internet arrives.
Dial-on-Demand
For users with dial-up, VPN, ISDN, PPPoE or
any other connection type using Windows Remote Access Service
(RAS), Kerio WinRoute Firewall is capable of calling/closing
this connection based on the following conditions: Outgoing
network activity is detected (demand dial), user dials using
the WinRoute Administration or the Web Interface (manual dial),
or the time of day or day of week indicates when the connection
should be active (scheduled dial).
Anti-virus protection
In terms of antivirus control, Kerio WinRoute Firewall comes
in two variations:
1. Kerio WinRoute Firewall
2. Kerio WinRoute Firewall with integrated McAfee Anti-Virus
Gateway antivirus scanning
Having anti-virus installed at the perimeter of the local
area network substantially decreases the risk of spreading
virus infection. Kerio WinRoute Firewall provides optional
scanning of inbound and outbound HTTP and FTP traffic for
viruses. In addition to integrated McAfee, there are several
other anti-virus vendors to choose from.
Scanning HTTP and FTP traffic at the gateway
has several advantages:
All Internet traffic is always scanned.
It is easy to maintain a virus scanner installed in a single location.
It is easy to update virus definitions for a gateway anti-virus.
All computers accessing the Internet are protected against web-borne
viruses, whether they have their own anti-virus or not.
As an additional security measure, Kerio recommends installing
anti-virus software on each computer. For email virus protection,
we recommend running Kerio MailServer with one of the optional
anti-viruses.
Simple anti-virus administration
Enabling virus scanning in Kerio WinRoute Firewall requires
very little configuration. The interface lets the administrator
choose which anti-virus will be used and how often the virus
database should be updated.
One advanced option allows the administrator
to set which files are to be scanned and which not, according
to the file type.
Content and web filtering
In corporate and educational environments, it is often desirable
to restrict access to websites with offensive or counterproductive
content and to filter the traffic to ensure that malicious code
doesn't get through and unwanted activities are not performed.
There are several measures to choose from:
1. User access rights
The fundamental step in creating security and access policy
is defining users and their rights.
A "user" can be defined as an IP address
or computer name, user names with password, user group, entire
network, etc. Each user can be associated with different restrictive
access rights. Variable restrictions can be applied for specified
time intervals.
Users may be required to input their user name
and password before being allowed to view certain websites
or download certain types of files.
2. Cobion content filter
To increase employee productivity and to protect the company
from potential lawsuits, Kerio WinRoute Firewall can deny
access to certain websites. As an optional component, the
firewall integrates Cobion content filter, an extensive database
of several billion websites divided into 50 different categories
such as news, shopping, porn, hate or lifestyle sites.
Every time a user attempts to visit a website,
Kerio WinRoute Firewall asks the Cobion database whether the page
is listed in any of the 50 categories. If the page matches the
database, Kerio WinRoute Firewall automatically denies access
to the page, or the user can be prompted with a warning that
such activity can be monitored and logged and that an administrator
can be notified.
The Cobion database is stored on a central server
on the Internet, therefore there's no need to locally download
daily updates with thousands of newly added URLs. Since the
database is remote, the system requirements are low and
Kerio WinRoute Firewall with Cobion technology can be deployed
on a regular PC.
Even under heavy load, the Cobion database responses
are faster than responses from web servers, so there's no delay
when surfing the Internet.
3. Administrator-defined restricted pages
In addition to the Cobion database, an administrator can create
their own list of web pages that users are not allowed to view.
4. Attachment filtering
Kerio WinRoute Firewall 6 can check all passing communication
directly and deny the transfer of any potentially dangerous
files. Filtering is performed for all files according to their
extensions (e.g. .exe, .com, .vbs, etc.) or their MIME type
(application, image, text).
This might be desirable, for instance,
when anti-virus software is not yet aware of a new virus and
classifies a potentially dangerous attachment as safe.
5. HTTP filtering & blocking pop-up windows
With HTTP filtering, each user can block annoying pop-up
and pop-under advertising windows when surfing the Internet.
HTTP filtering allows filters to be defined for
ActiveX and JavaScript content, ensuring that no potentially
malicious code gets through the firewall. What's more, an
administrator can apply global filters.
6. FTP filtering
Similarly to HTTP filter rules, FTP rules can also be applied
to restrict access to FTP servers on the Internet. Access
can be restricted solely to transferring files between the
permitted FTP server and the client or only certain FTP commands
can be permitted/denied.
In practice
If we combine all the above features we can, for instance,
achieve the following results:
Users will only be able to access websites, selected FTP servers and a corporate mailserver
Nobody in the company will ever be able to access sites containing porn
Everybody will always be able to access news websites (such as CNN, BBC, MSN, etc.)
Access to sites containing topics such as leisure, chat, music, etc. will only be permitted outside working hours and during lunchtime
Nobody will be permitted to download MP3 files
Selected users will be able to access everything with no limitations after a successful authentication
All this should not take more than 15 minutes
to set up in a network environment of 20-50 users. Nice, isn't
it?
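An added Python example (not from the original page or from Kerio) that evaluates the policy just listed together with the extension and MIME-type attachment filter from point 4; it also shows why the MIME check matters, since an MP3 served under a name without an .mp3 extension is still caught. Hostnames, categories, users and time windows are constructed, and the rule ordering (the always-blocked category is checked before the authenticated-user exception) is a choice made here.

```python
import os
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Constructed stand-in for the category database answer (None = uncategorised).
CATEGORY_OF = {
    "cnn.com": "news", "bbc.co.uk": "news",
    "adult-site.test": "porn", "music-stream.test": "music", "chat-portal.test": "chat",
    "intranet.corp.local": None,
}
ALWAYS_DENIED = {"porn"}
ALWAYS_ALLOWED = {"news"}
OFF_HOURS_ONLY = {"leisure", "chat", "music"}
BLOCKED_EXTENSIONS = {".mp3"}
BLOCKED_MIME_TYPES = {"audio/mpeg"}      # catches MP3 served without an .mp3 name
UNRESTRICTED_USERS = {"alice"}          # the "selected users", once authenticated
WORK_HOURS = (time(9, 0), time(17, 0))
LUNCH = (time(12, 0), time(13, 0))


@dataclass
class WebRequest:
    user: Optional[str]          # None = not authenticated to the firewall
    host: str
    path: str
    at: time
    content_type: Optional[str] = None   # Content-Type seen in the server's reply


def in_window(t: time, window: Tuple[time, time]) -> bool:
    return window[0] <= t < window[1]

def is_working_time(t: time) -> bool:
    return in_window(t, WORK_HOURS) and not in_window(t, LUNCH)

def decide(req: WebRequest) -> Tuple[str, str]:
    """Evaluate the rules in order; the first rule that applies decides."""
    category = CATEGORY_OF.get(req.host.lower())
    if category in ALWAYS_DENIED:
        return "deny", "category %s is blocked for everyone" % category
    if req.user in UNRESTRICTED_USERS:
        return "allow", "authenticated user %s is unrestricted" % req.user
    ext = os.path.splitext(req.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS or req.content_type in BLOCKED_MIME_TYPES:
        return "deny", "MP3 downloads are blocked"
    if category in ALWAYS_ALLOWED:
        return "allow", "news sites are always reachable"
    if category in OFF_HOURS_ONLY and is_working_time(req.at):
        return "deny", "%s sites are only allowed outside working hours" % category
    return "allow", "general web access"
```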
VPN, VoIP & UPnP support
VPN support
In situations where a virtual private network needs to be
established between two networks or between a server and clients,
Kerio WinRoute Firewall includes support for IPSec NAT Traversal
and PPTP VPN protocols, allowing a variety of third-party
solutions to be deployed.
Kerio WinRoute Firewall supports both server-to-server
and client-to-server types of VPN. It is even possible to
take advantage of VPN capabilities of the Windows operating
systems and create various VPN environments using only Windows
and Kerio WinRoute Firewall. No third party software is required.
WinRoute also supports the RRAS facility included in server
editions of Microsoft Windows operating systems.
Voice over IP support
H.323
It has always been difficult to deploy IP telephony in firewall-protected
networks since VoIP protocols such as H.323 were not designed
to easily traverse the firewall. Kerio WinRoute Firewall allows
VoIP to run from behind it, eliminating the need to publicly
expose the VoIP infrastructure to the Internet.
Cisco SCCP
If a company wants to take advantage of VoIP devices in a Cisco
AVVID environment, Cisco's Skinny Client Control Protocol
(SCCP) is used for establishing communication between an IP
Phone and Cisco CallManager. The firewall of course needs
to recognize it and understand the information passed within
these signalling messages.
As of the start of 2003, there is only one firewall
besides Kerio WinRoute Firewall that supports SCCP, and that
is Cisco's own PIX Firewall.
Kerio WinRoute Firewall automatically detects
the SCCP protocol and performs NAT for address translation between
the IP phone and Cisco CallManager. Since Kerio WinRoute Firewall
performs dynamic IP address translation, an administrator
does not need to manually configure an IP address within NAT
for each IP phone.
UPnP support
Universal Plug and Play (UPnP) in Windows enables applications
to communicate without additional settings at the firewall.
Kerio WinRoute Firewall integrates UPnP technology so that
compliant applications such as MSN Messenger can run instantly
without hassle.
Network Administration
DHCP Server
With a large number of workstations on the network
it is highly probable that one will make a mistake when configuring
all the TCP/IP parameters. Assigning the same IP address to
two different workstations is a very common problem, for example.
And not only that, going from one computer to another and
entering all the parameters by hand can get very tedious and
tiring indeed.
Kerio WinRoute Firewall 6 incorporates a full-featured
DHCP server to take care of all TCP/IP configuration on your
network. It is then enough to set all workstations to "Obtain
IP parameters automatically" and perform a few settings
on the WinRoute gateway. Anything from simple Default Gateway
and DNS Server settings to more advanced parameters, such
as a TFTP server and time server, can be assigned.
In addition to this, the Kerio WinRoute Firewall
Administration displays a nice chart showing how many parameters
have been assigned and how many there are still left. This
can be very useful on large networks where one can easily
get lost in numbers and can underestimate the network's needs.
DNS Forwarder
The DNS Forwarder is a very simple yet very
useful tool that forwards all DNS queries to a parent DNS
server and then sends the reply to the asking clients. Replies
can be stored in a local cache so that the next time the same
DNS request is sent, it is answered locally. This is much
faster than if every single query had to be sent to the real
Internet DNS server.
Also, combined with a local HOSTS file, the
DNS Forwarder can be used as a simple DNS resolution server
for the local domain. There is no need to configure a real
DNS server if the size of the network does not really require
it.
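The forwarding, caching and HOSTS-file behaviour described in the two DNS passages above (the DNS module under DHCP/DNS Services and the DNS Forwarder here), as an added Python example that is not code from the original page or from Kerio. The parent resolver, the HOSTS entries and the TTL values are constructed; a cached answer is only reused until the TTL the parent supplied has elapsed, and the clock is injectable so the expiry can be exercised.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed HOSTS-style entries for the local domain; answered locally, never forwarded.
LOCAL_HOSTS: Dict[str, str] = {
    "fileserver.corp.local": "192.168.1.10",
    "printer.corp.local": "192.168.1.20",
}

# The parent resolver this forwarder relies on: name -> (ip, ttl seconds),
# or None when the parent reports that the name does not exist.
ParentResolver = Callable[[str], Optional[Tuple[str, int]]]


class DnsForwarder:
    def __init__(self, parent: ParentResolver, clock: Callable[[], float] = time.monotonic):
        self.parent = parent
        self.clock = clock
        self.cache: Dict[str, Tuple[str, float]] = {}   # name -> (ip, expiry timestamp)
        self.forwarded = 0                               # queries actually sent upstream

    @staticmethod
    def normalise(name: str) -> str:
        # DNS names are case-insensitive and may carry a trailing dot.
        return name.lower().rstrip(".")

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        """Return (ip or None, source), source being hosts, cache, forwarded or nxdomain."""
        name = self.normalise(name)
        if name in LOCAL_HOSTS:
            return LOCAL_HOSTS[name], "hosts"
        now = self.clock()
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0], "cache"
        self.cache.pop(name, None)           # drop an expired entry
        self.forwarded += 1
        answer = self.parent(name)
        if answer is None:
            return None, "nxdomain"          # negative answers are not cached here
        ip, ttl = answer
        self.cache[name] = (ip, now + ttl)   # honour the TTL the parent supplied
        return ip, "forwarded"


def constructed_parent(name: str) -> Optional[Tuple[str, int]]:
    """Stand-in for the Internet DNS server, with constructed sample answers."""
    table = {"www.example.com": ("203.0.113.5", 60), "mail.example.com": ("203.0.113.9", 300)}
    return table.get(name)
```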
Firewall traffic information
The administrator can view directly in the Kerio
WinRoute Firewall Administration how effectively the Internet
connection is being used. Comprehensible charts showing passing
traffic in different time intervals and the list of active
connections can both help the administrator to determine how
to configure the firewall better.
The connection list shows a table of all active connections
with all necessary information, such as the source and destination
IP addresses, ports and protocols used and the amount of data
transferred through the connection. It is even possible to
kill a chosen connection from the WinRoute Administration.
Managing the routing table on the WinRoute gateway
is very simple, too, as the WinRoute Administration contains
a user-interface front-end to the table. Adding or removing routes
is now both simple and comfortable, and delving into the horrors
of a DOS prompt is no longer necessary.
Web Interface
Kerio WinRoute Firewall 6 features a simple
web interface that allows users to log on and off the firewall,
change their password and perform other actions relating to
the WinRoute firewall. For example, users can dial or hang up
a selected dial-up interface, delete files from the WinRoute
cache, filter ActiveX or JavaScript content and pop-up windows,
and more. The interface can run on a secure (SSL) channel.
Remote Administration
Kerio WinRoute Firewall 6 provides the administrator
with the benefit of remote administration. With proper settings
and rights in place, it is possible to securely administer
your firewall from any place in the world. Access to the Engine
is secured by strong encryption and password.
Kerio Administration Console provides the configuration and
settings for the Kerio WinRoute Engine. The Kerio Administration
Console is a separate application (admin.exe) that may be
run from any computer and connect via a TCP/IP connection
to a Kerio WinRoute computer. The Kerio Administration Console
can also be used to administer other server Kerio products,
such as the Kerio MailServer 6.