  • The Netgate® SG-1000, the world's smallest pfSense firewall, is a cost-effective, state-of-the-art pfSense® Security Gateway appliance and an ideal personal VPN firewall. The Netgate® SG-1000 comes with dual 1Gbps
    • Home
    • Small
  • Netgate 1100: world-class price-performance, elegant packaging, and an unbeatable low price with original pfSense. The Netgate 1100 is underpinned by the powerful, yet energy efficient, 64-bit Marvell ARMADA®
    • Home
    • Small
  • Netgate 2100: big value, attractive appearance. Pound-for-pound, the Netgate 2100 security gateway appliance with pfSense software delivers unbeatable performance and flexibility in its class. It is ideal for home, remote
    • SME
  • The Netgate® 4200 (4G DDR5 RAM, 16G storage) with pfSense Plus software is the most versatile security gateway in its class. The Netgate 4200 utilizes the blazing fast performance of
    • SME
  • The Netgate® 4200 Max (4G DDR5 RAM, 128G M.2 storage) with pfSense Plus software is the most versatile security gateway in its class. The Netgate 4200 utilizes the blazing fast
    • SME
  • The Netgate® 6100 is one of the most versatile security gateways in its class. It is ideal for home, remote workers, and small businesses who require flexible port configurations for
    • Medium Enterprise
    • SME
  • The Netgate® 8200 is one of the most versatile security gateways in its class. It is ideal for SME, Enterprise, IDC who require flexible port configurations for high-speed WAN and
    • Data Center
    • Enterprise
    • Medium Enterprise
  • 1G, 2.5G, 10G, 25G, 100G WAN ... Netgate® 8300 experience unparalleled value and performance powered by pfSense® Plus software. The Netgate 8300 is tailored for medium to large business, xSP, MSP/MSSP
    • Data Center
    • Enterprise
  • On Premises A highly-configurable, robust feature set to meet all of your security requirements in a physical Netgate firewall appliance.

Do you have a WatchGuard with outdated firmware ... ?

Are you tired of the expensive yearly subscription ... ?

Would you like free live updates of IDS, IPS, IP reputation, ET, Cisco autosense, autodefense ...

You can consider upgrading to pfSense ... all firewall rules can be kept and remain unchanged.

We are offering an 'unharmful' upgrade using a new pfSense M.2 SSD or a new pfSense SATA SSD; it is a rebirth for your outdated WatchGuard firewall. (Your original WatchGuard firmware will be kept in the same hardware.)

Watchguard XTM 505
Watchguard XTM 510
Watchguard XTM 520
Watchguard XTM 530

 call +852.23120878 for support 

WatchGuard XTM 5XX Series Firewall Appliance with the latest version of pfSense, which comes with a free Cisco autosense, autodefense subscription.

What a magical cost effective combination ... ?

WatchGuard Model comparison:

WatchGuard Model XTM 505 XTM 510 XTM 520 XTM 530
Ideal For Main offices that need performance-driven security that's priced right Main offices / headquarters that want security with fast throughput and room to grow Main offices / headquarters looking for enterprise-grade performance and security in an all-in-one solution Main offices / headquarters that require enterprise-grade performance and powerful security with flexible, centralized management
Hardware
Model Upgradeable       N/A
Interfaces 6: 10/100/1000 and 1:10/100 6: 10/100/1000 and 1:10/100 6: 10/100/1000 and 1:10/100 6: 10/100/1000 and 1:10/100
Security
Application Proxies HTTP, HTTPS, SMTP, FTP, DNS, TCP, POP3, SIP, H.323, TFTP
Intrusion Prevention (DOS, DDOS, PAD, port scanning, spoofing attacks, address space probes, and more)        
Wireless Models Only N/A N/A N/A N/A
User Authentication with transparent Windows authentication        
Performance
Firewall Throughput** 1.5 Gbps 1.8 Gbps 2.2 Gbps 2.6 Gbps
VPN Throughput** 210 Mbps 350 Mbps 550 Mbps 750 Mbps
AV Throughput** 520 Mbps 625 Mbps 760 Mbps 900 Mbps
IPS Throughput** 500 Mbps 600 Mbps 735 Mbps 870 Mbps
XTM Throughput** 330 Mbps 395 Mbps 480 Mbps 570 Mbps
Concurrent Sessions* (bi-directional) 40,000 50,000 100,000 350,000
VPN Tunnels
Branch Office VPN Tunnels (Max.) 65 75 200 600
Mobile VPN with SSL (Incl/Max) 1 / 65 1 / 75 1 / 300 1 / 600
Mobile VPN with IPSec Client Licenses (Bundled) 5 25 50 400
Mobile VPN with IPSec Tunnels (Max.) 75 100 300 1,000
VPN Authentication        
Management
Optional Centralized (Multibox) Management. Optional licenses enable Drag and Drop VPN and one-touch appliance updates. 4-device WatchGuard System Manager license included with purchase. 

or can upgrade to Free pfsense, Free VPN, Free HAproxy, Free High Available Sync (pfsync) ...
Networking Features
Dynamic NAT        
Static NAT        
One to One NAT        
VLAN 75 75 75 75
Policy-Based Routing Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense 
WAN Failover        
Multi-WAN Load Balancing Optional with Fireware XTM Pro but free in pfsense Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense 
Server Load Balancing Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense 
Traffic Management/QoS        
High Availability Active/Active or Active/Passive Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense 
Dynamic Routing Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense  Optional with Fireware XTM Pro but free in pfsense 
VoIP (SIP and H.323)Support        
Networking Features
Application Control Included with Security Bundle but free in pfsense AppID Optional but free in pfsense AppID Optional but free in pfsense AppID Optional but free in pfsense AppID
Reputation Enabled Defense Included with Security Bundle but free in pfsense Optional but free in pfsense Optional but free in pfsense Optional but free in pfsense
spamBlocker with Virus Outbreak Detection Included with Security Bundle but pfBlockerNG is free in pfsense Optional but pfBlockerNG is free in pfsense Optional but pfBlockerNG is free in pfsense Optional but pfBlockerNG is free in pfsense
Gateway AntiVirus/ Intrusion Prevention Service (IPS) Included with Security Bundle but free in pfsense Optional but free in pfsense Optional but free in pfsense Optional but free in pfsense
WebBlocker with HTTPS URL filtering Included with Security Bundle but free in pfsense Optional but free in pfsense Optional but free in pfsense Optional but free in pfsense
LiveSecurity® Service 1-year and 3-year subscriptions available, but free in pfsense 
*Concurrent sessions here represent the number of bi-directional connections.
**Throughput rates will vary based on environment & configuration.

    

Do you have a Sophos with outdated firmware ... ?

Are you tired of the expensive yearly subscription ... ?

Would you like free live updates of IDS, IPS, IP reputation, ET, Cisco autosense, autodefense ...

You can consider upgrading the firmware to pfSense ... all firewall rules can be kept and remain unchanged.

We are offering an 'unharmful' upgrade using a new pfSense M.2 SSD or a new pfSense SATA SSD; it is a rebirth for your outdated Sophos firewall. (Your original Sophos firmware will be kept in the same hardware.)

Sophos XG 210

Sophos XG 230

Sophos XG 310

 

 call +852.23120878 for support 

 

Sophos XG Series Firewall Appliance with latest version pfsense and free Cisco autosense, autodefense subscription. What a magical cost effective combination ... ?

The following Flexi Port modules are available for our current Sophos 1U Firewall appliances

  XG 210 Rev. 3 XG 230 Rev. 2 XG 310 Rev. 2 XG 330 Rev. 2 XG 430 Rev. 2 XG 450 Rev. 2 Previous
XG 1U Models
8 Port 1GE Copper
8 Port 1GE Fiber SFP
2 Port 10GE Fiber SFP+
4 Port 10GE Fiber SFP+
2 Port 40GE QSFP+
4 Port PoE
8 Port PoE
4 Port copper LAN Bypass

 

Sophos XG-310

 

Autosense/Autodefense : ransomware; trojan; hacker; Brute Force attacks...

for Netgate, Osigate, Mikrotik, Fortinet, Watchguard, Sophos, Juniper, Sonicwall, Snort, Suricata ... most firewall platforms

1. Live Tarpits ( AI machine learning from global clusters, Vulnerability prophet engine ... have hourly update)

The Snort global research team is constantly examining threats and the AI machine-learning vulnerability fingerprints from different sources, and a variety of pfSense systems, to analyze exploits and vulnerabilities. New fingerprints are published as needed through our cloud server. Tarpits is a unique defense matrix, a prophet engine, collaborating on threat fingerprints from the expensive infrastructures. We should implement Live Tarpits at the first gate of defense. Tarpits prophecy signatures are written to detect, predict and prevent intrusions, worms, trojans, ransomware, DDoS exploits, brute-force cracking ...

 

We are in the IEEE Communications Society research team. 

* IEEE : Institute of Electrical and Electronics Engineers,  The world's largest technical professional organization for the advancement of technology.

 

After extensive research, the AI defense team created the unique defense matrix below, which includes hourly/daily updates via our AI defense clusters.

Advantages: dangerous connections are detected and denied at the very beginning, before any further protocol negotiation. This avoids further inner defense rule calculation and further dangerous in-depth sessions, and saves session slots, bandwidth and CPU time ...

  • botnet : Current global list of zombie (bot) PCs. Botnets can be used to perform DDoS attacks and steal data, and a hacker may access the device and hijack its connection. Daily updates via our Tarpits cluster.
  • sslbl : SSL certificates are not 100% secure. SSL Blacklist is a global list of IP addresses of servers with malicious SSL certificates. Daily updates via our Tarpits cluster.
  • cisbl : Central Intelligence Security black list, a subset of global active hackers' IPs. Daily updates via our Tarpits cluster.
  • IQRisk : delivers actionable threat IP intelligence to help ensure networks are safe from malicious and potentially malicious threats.
  • DQlists : Rep Query delivers multi-level, robust threat intelligence to meet the needs of SMEs to enterprises. Daily updates via our Tarpits cluster.

    DQlist provides maximum protection with minimum false positives, with a daily feed from the Global anti-hackers alliance. The global DQ lists are suitable for most routers and firewalls.

    The DQlist IP signature service integrates an ultra-high performance deep packet inspection architecture and a dynamically updated IP signature database to deliver complete network protection from application exploits, worms and malicious traffic. A scalable solution supporting virtually any network size.

    • DQlist_classC  : Global ipset in CIDR format; a shorter list and the most effective. If any bad actor is found, the whole class C network is blocked.
    • DQlist_48hrs   : Global ipset built from tracked attacks, spyware and viruses detected in the last 48 hours.
    • DQlist_30days : Global ipset built from tracked attacks, spyware and viruses detected in the last 30 days.
    • DQlist_90days : Global ipset built from tracked attacks, spyware and viruses detected in the last 90 days.

  • tarpits : AI learning from global hacker/ransomware/spyware fingerprints once the protocol sensors trigger an alert. Hourly updates via our Tarpits cluster.   * Tarpits includes most of the defense matrix above (certainly good enough)

 

       Effective Cyber Security proposal

  • Deploy the AI defense matrix at the first layer; it can detect and block the most active threats with fewer resources and more efficiency. Hourly updates are crucial.
  • Apply CISBL, which contains global hacker/ransomware/threat sources and needs to work with IDS/IPS to defend against the rest of the most likely threats. The list is big and involves IDS/IPS rule computation, so it needs more resources and more CPU, but is more secure for OSI layers 5~7.
  • Deploy ET-open and Snort-open at the 2nd layer as behavior rule sets for autosense/autodefense.


 

AI Defense matrix, Monthly Subscription, hourly update: US$ 26

AI Defense matrix, Half year Subscription, hourly update: US$ 156

AI Defense matrix, Annual Subscription, hourly update: US$ 312

* [AI Defense] includes all of the above defense matrix (for most cyber security cases, it is good enough)

 

Intelligent for most kinds of Firewall

2. Global IDS/IPS (Vulnerability Signatures and Defense rules from ET open, Cisco Snort Talos, IQRisk, Proofpoint ET Pro, CINS ... daily update)

We have Cisco Snort Talos, Proofpoint ET, CINS (Collective Intelligence Network Security) ... We should apply Global IDS/IPS at the middle layers of defense. The IP Reputation pre-processor provides IP blacklist/whitelist capabilities to alert on, block, drop or pass traffic from IPs on the reputation list. We can use the popular Snort or Suricata IDS/IPS engines to implement reputation-enabled defense and network behaviour defense. This pre-processor addresses the performance issue and makes IP reputation management easier. The reputation pre-processor runs before the other pre-processors, followed by rule-based behaviour detection ...
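The reputation stage described above, together with the class C aggregation used by DQlist_classC, as an added Python sketch (not the vendor's, Snort's or Suricata's code). The function names, the rule that a whitelist entry only exempts an address from the blacklist, and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import ipaddress


def aggregate_class_c(observed_ips):
    """Collapse observed IPv4 attacker addresses into their enclosing /24 networks."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in observed_ips}
    return sorted(nets)


class ReputationFilter:
    """Simplified reputation stage that runs before any rule evaluation."""

    def __init__(self, blacklist, whitelist=()):
        self.blacklist = [ipaddress.ip_network(str(n), strict=False) for n in blacklist]
        self.whitelist = [ipaddress.ip_network(str(n), strict=False) for n in whitelist]

    def verdict(self, src_ip):
        ip = ipaddress.ip_address(src_ip)
        # Assumption: the whitelist has priority and only exempts the address
        # from the blacklist; the packet still goes on to rule inspection.
        if any(ip in n for n in self.whitelist):
            return "inspect"
        if any(ip in n for n in self.blacklist):
            return "drop"          # denied before the IDS/IPS rules are computed
        return "inspect"


def prefilter(sources, filt):
    """Split traffic into sources dropped up front and sources left for the rules."""
    dropped = [s for s in sources if filt.verdict(s) == "drop"]
    inspect = [s for s in sources if filt.verdict(s) != "drop"]
    return dropped, inspect


def collateral(observed_ips, filt):
    """Return (addresses covered by the blacklist, addresses actually observed)."""
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(filt.blacklist))
    return covered, len(set(observed_ips))


# Constructed sample data: three observed attackers, one known-good host that
# shares a /24 with two of them, and four traffic sources.
OBSERVED = ["203.0.113.7", "203.0.113.200", "198.51.100.9"]
WHITELIST = ["203.0.113.50/32"]
TRAFFIC = ["203.0.113.7", "203.0.113.50", "203.0.113.51", "192.0.2.1"]


def demo():
    filt = ReputationFilter(aggregate_class_c(OBSERVED), WHITELIST)
    return prefilter(TRAFFIC, filt), collateral(OBSERVED, filt)


if __name__ == "__main__":
    (dropped, inspect), (covered, seen) = demo()
    print("dropped before rules:", dropped)
    print("passed to rules:     ", inspect)
    print(f"{covered} addresses blocked for {seen} observed attackers")
```

In the sample, 203.0.113.51 never appeared in the observed list but is dropped because it shares a /24 with two attackers, which is the false-positive cost of class C aggregation; the whitelist entry is what keeps 203.0.113.50 reachable.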

We are offering subscription-based Cisco Snort and Proofpoint ET Pro IDS/IPS:

i. Snort Talos at yearly subscription at US$399 per sensor, daily update 

ii. Proofpoint ET Pro at yearly subscription at US$999 per sensor (Paid service includes daily update, FREE subscription service with 30 days delay) 

iii. Emerging Threats IQRisk daily update yearly subscription at US$399 per sensor, daily update

  • The same Snort ruleset developed for our NG IPS customers, immediately upon release – 30 days faster than registered users, provide daily update.
  • Priority response for false positives and rules
  • Snort Subscribers are encouraged to send false positives/negatives reports directly to Talos

Multiple sources of the AI Defense Matrix support daily updates: the FREE subscription has a 30-day delay, and paid subscriptions have daily updates ... please call us for integration. We have FREE updates, paid daily updates or paid hourly updates.

* Tarpits : refers to a rescue operation for living beings slowly sinking in a swamp; a technical term in the AI Defense Matrix system.

Secure Tunnel with Cryptokey Routing & Roaming

 

Fast, Modern, Secure Tunnel by WireGuard at pfSense+

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.

WireGuard white paper

 

Conceptual Overview

If you'd like a general conceptual overview of what WireGuard is about, read onward here. You then may progress to installation and reading the quickstart instructions on how to use it. If you're interested in the internal inner workings, you might be interested in the brief summary of the protocol, or go more in depth by reading the technical whitepaper, which goes into more detail on the protocol, cryptography, and fundamentals. If you intend to implement WireGuard for a new platform, please read the cross-platform notes.

WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it. All issues of key distribution and pushed configurations are out of scope of WireGuard; these are issues much better left for other layers, lest we end up with the bloat of IKE or OpenVPN. In contrast, it more mimics the model of SSH and Mosh; both parties have each other's public keys, and then they're simply able to begin exchanging packets through the interface.

Simple & Easy-to-use

WireGuard aims to be as easy to configure and deploy as SSH. A VPN connection is made simply by exchanging very simple public keys – exactly like exchanging SSH keys – and all the rest is transparently handled by WireGuard. It is even capable of roaming between IP addresses, just like Mosh. There is no need to manage connections, be concerned about state, manage daemons, or worry about what's under the hood. WireGuard presents an extremely basic yet powerful interface.

Cryptographically Sound

WireGuard uses state-of-the-art cryptography, like the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and secure trusted constructions. It makes conservative and reasonable choices and has been reviewed by cryptographers.

Minimal Attack Surface

WireGuard has been designed with ease-of-implementation and simplicity in mind. It is meant to be easily implemented in very few lines of code, and easily auditable for security vulnerabilities. Compared to behemoths like *Swan/IPsec or OpenVPN/OpenSSL, in which auditing the gigantic codebases is an overwhelming task even for large teams of security experts, WireGuard is meant to be comprehensively reviewable by single individuals.

High Performance

A combination of extremely high-speed cryptographic primitives and the fact that WireGuard lives inside the Linux kernel means that secure networking can be very high-speed. It is suitable for both small embedded devices like smartphones and fully loaded backbone routers.

Well Defined & Thoroughly Considered

WireGuard is the result of a lengthy and thoroughly considered academic process, resulting in the technical whitepaper, an academic research paper which clearly defines the protocol and the intense considerations that went into each decision.

 

Simple Network Interface

WireGuard works by adding a network interface (or multiple), like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, etc). This network interface can then be configured normally using ifconfig(8) or ip-address(8), with routes for it added and removed using route(8) or ip-route(8), and so on with all the ordinary networking utilities. The specific WireGuard aspects of the interface are configured using the wg(8) tool. This interface acts as a tunnel interface.

WireGuard associates tunnel IP addresses with public keys and remote endpoints. When the interface sends a packet to a peer, it does the following:

  1. This packet is meant for 192.168.30.8. Which peer is that? Let me look... Okay, it's for peer ABCDEFGH. (Or if it's not for any configured peer, drop the packet.)
  2. Encrypt entire IP packet using peer ABCDEFGH's public key.
  3. What is the remote endpoint of peer ABCDEFGH? Let me look... Okay, the endpoint is UDP port 53133 on host 216.58.211.110.
  4. Send encrypted bytes from step 2 over the Internet to 216.58.211.110:53133 using UDP.

When the interface receives a packet, this happens:

  1. I just got a packet from UDP port 7361 on host 98.139.183.24. Let's decrypt it!
  2. It decrypted and authenticated properly for peer LMNOPQRS. Okay, let's remember that peer LMNOPQRS's most recent Internet endpoint is 98.139.183.24:7361 using UDP.
  3. Once decrypted, the plain-text packet is from 192.168.43.89. Is peer LMNOPQRS allowed to be sending us packets as 192.168.43.89?
  4. If so, accept the packet on the interface. If not, drop it.

Behind the scenes there is much happening to provide proper privacy, authenticity, and perfect forward secrecy, using state-of-the-art cryptography.

Cryptokey Routing

At the heart of WireGuard is a concept called Cryptokey Routing, which works by associating public keys with a list of tunnel IP addresses that are allowed inside the tunnel. Each network interface has a private key and a list of peers. Each peer has a public key. Public keys are short and simple, and are used by peers to authenticate each other. They can be passed around for use in configuration files by any out-of-band method, similar to how one might send their SSH public key to a friend for access to a shell server.

Built-in Roaming

The client configuration contains an initial endpoint of its single peer (the server), so that it knows where to send encrypted data before it has received encrypted data. The server configuration doesn't have any initial endpoints of its peers (the clients). This is because the server discovers the endpoint of its peers by examining from where correctly authenticated data originates. If the server itself changes its own endpoint, and sends data to the clients, the clients will discover the new server endpoint and update the configuration just the same. Both client and server send encrypted data to the most recent IP endpoint for which they authentically decrypted data. Thus, there is full IP roaming on both ends.
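The send and receive steps listed under "Simple Network Interface" and the roaming behaviour described above can be modelled as one small table, shown here as an added Python sketch (not WireGuard's code; encryption and authentication are out of scope and assumed to have happened). The class and method names, the allowed-IP ranges and the most-specific-prefix rule are assumptions for the example; the peer labels, addresses and ports are the ones used in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Peer:
    public_key: str                      # placeholder label, not a real Curve25519 key
    allowed_ips: List[str]               # tunnel addresses this peer may use (CIDR)
    endpoint: Optional[Endpoint] = None  # last authenticated UDP source, if known


class CryptokeyTable:
    def __init__(self, peers):
        self.peers = {p.public_key: p for p in peers}

    def route_outbound(self, dst_ip):
        """Send path: pick the peer that owns dst_ip, or None to drop the packet."""
        dst = ipaddress.ip_address(dst_ip)
        best = None  # (prefix length, peer); most specific prefix wins (assumption)
        for peer in self.peers.values():
            for cidr in peer.allowed_ips:
                net = ipaddress.ip_network(cidr)
                if dst in net and (best is None or net.prefixlen > best[0]):
                    best = (net.prefixlen, peer)
        if best is None or best[1].endpoint is None:
            return None  # no configured peer, or no endpoint learned yet
        return best[1].public_key, best[1].endpoint

    def accept_inbound(self, authenticated_key, udp_source, inner_src_ip):
        """Receive path, called after the packet authenticated for this peer key."""
        peer = self.peers.get(authenticated_key)
        if peer is None:
            return False
        # Roaming: remember where authenticated data most recently came from.
        peer.endpoint = udp_source
        # The decrypted packet may only claim a source inside the allowed IPs.
        src = ipaddress.ip_address(inner_src_ip)
        return any(src in ipaddress.ip_network(c) for c in peer.allowed_ips)


def example_table():
    # Constructed configuration: the allowed-IP ranges are sample values.
    return CryptokeyTable([
        Peer("ABCDEFGH", ["192.168.30.0/24"], ("216.58.211.110", 53133)),
        Peer("LMNOPQRS", ["192.168.43.89/32"]),  # endpoint unknown until it sends
    ])


if __name__ == "__main__":
    t = example_table()
    print(t.route_outbound("192.168.30.8"))    # peer ABCDEFGH and its endpoint
    print(t.route_outbound("192.168.43.89"))   # None: endpoint not learned yet
    print(t.accept_inbound("LMNOPQRS", ("98.139.183.24", 7361), "192.168.43.89"))
    print(t.route_outbound("192.168.43.89"))   # now routed to the learned endpoint
    print(t.accept_inbound("LMNOPQRS", ("98.139.183.24", 7361), "192.168.30.8"))
```

The last call returns False: a peer that authenticates correctly still cannot inject packets with a tunnel source address outside its allowed IPs, so the allowed-IP list doubles as an ingress filter and should be kept as narrow as the deployment allows.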

Ready for Containers

WireGuard sends and receives encrypted packets using the network namespace in which the WireGuard interface was originally created. This means that you can create the WireGuard interface in your main network namespace, which has access to the Internet, and then move it into a network namespace belonging to a Docker container as that container's only interface. This ensures that the only possible way that container is able to access the network is through a secure encrypted WireGuard tunnel.

 

Tracking IP via WireGuard ...