Why would a Bandura TIG be needed when we have a firewall with some of the same features?
The Bandura TIG does not replace a firewall; it complements the firewall and other security appliances in your network. The Bandura TIG filters traffic before it gets to the firewall and can operate much more efficiently. Firewalls typically update their threat feeds once a day, whereas we have patented and patent-pending technology that allows us to update multiple threat feeds in near real time. The Bandura TIG processes large access lists that are not even possible on conventional firewalls and has passed tests with access lists containing 100 million single IP addresses. The Bandura TIG is considerably faster than any of our competition and allows for very granular exceptions that are unavailable on firewalls.
Will the Bandura TIG slow down my network?
No. The Bandura TIG's high-speed filtering algorithms can process packets with virtually no latency. Even our entry-level products can process over 100,000 packets per second.
Will I have to reconfigure my routers and firewalls?
No. The Bandura TIG is a layer 2 IP-bridge device. Simply insert it between the firewall and router and turn it on. You won't even need to flush an ARP cache.
Does the Bandura TIG have to go between the firewall and router?
No. It can be placed anywhere in the network where you want to stop malicious traffic. Placement between the firewall and router is usually the best place, but every network is different.
Can the Bandura TIG sit outside the border router?
Most customers place the Bandura TIG between the router and firewall, but the Bandura TIG can be deployed outside the edge router if the connection to the network is Ethernet.
What happens if there is a hardware or software failure? Will traffic flow be impacted?
No. The Bandura TIG is equipped with a bypass card that triggers automatically and immediately, allowing the unit to pass traffic, wire to wire, in the event of a failure of any kind.
How does traffic flow when the Bandura TIG is in normal mode and what happens when it is placed in bypass mode?
When the Bandura TIG is in normal mode, it reads the packets of one interface, evaluates the policy, and if the packet should be allowed, writes it out on the other interface. If there are multiple bridge interfaces, the packets are always written to the other interface of the bridge pair it came in on. When the Bandura TIG is in bypass mode, relays in the network card connect the ports directly to each other, disconnecting them from the network processing chip.
Where does country mapping IP information come from?
Bandura gets this information from IANA (https://www.iana.org/) and the regional internet registries. This data is updated daily.
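How registry data turns into a country lookup, as an added example that is not Bandura's code: it parses the pipe-delimited delegation statistics format that the regional registries publish and answers "which country is this address registered to". The page does not say which registry files the product consumes, so that choice is an assumption; the registry name, country codes and addresses in the sample are constructed.

```python
# Added example. Assumes the registries' public pipe-delimited delegation
# statistics format; the page does not say which files the product consumes.
import ipaddress

# Constructed records: made-up registry name, user-assigned country codes
# (XA, XB) and documentation address ranges.
SAMPLE = """\
2|examplerir|20240101|3|19830101|20240101|+0000
examplerir|*|ipv4|*|2|summary
examplerir|XA|ipv4|192.0.2.0|256|20240101|assigned
examplerir|XB|ipv4|198.51.100.0|192|20240101|allocated
examplerir|XB|ipv6|2001:db8::|32|20240101|allocated
examplerir||ipv4|203.0.113.0|256||available
""".splitlines()


def parse_delegations(lines):
    """Return [(network, country)] for allocated/assigned IPv4 and IPv6 records."""
    table = []
    for line in lines:
        f = line.strip().split("|")
        # Skips the version header, summary lines and unassigned space.
        if len(f) < 7 or f[6] not in ("allocated", "assigned"):
            continue
        cc, kind, start, value = f[1], f[2], f[3], int(f[4])
        if kind == "ipv4":
            # value is an address count and need not be a power of two
            first = ipaddress.IPv4Address(start)
            nets = ipaddress.summarize_address_range(first, first + (value - 1))
        elif kind == "ipv6":
            nets = [ipaddress.ip_network(f"{start}/{value}")]  # value is a prefix length
        else:
            continue  # asn records carry no address range
        table.extend((net, cc) for net in nets)
    return table


def country_of(ip, table):
    """Longest-prefix match; None when no record covers the address."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, cc) for net, cc in table
            if net.version == addr.version and addr in net]
    return max(hits)[1] if hits else None


TABLE = parse_delegations(SAMPLE)
```

The country code in registry data records where a block is registered, which is not always where its hosts are located.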
What is DCEL and how frequently is the IP Threat Reputation data updated?
DCEL is dynamically compiled from difference or delta files that are delivered to the Bandura TIG in near real-time whenever new threats are discovered. A single DCEL engine can handle threats in 32 categories from up to 32 different IP threat intelligence sources.
Can the IP Threat Reputation feeds be customized regarding risk tolerance?
Yes. The addresses on the list are given a score which indicates the confidence level the provider has in that address' classification. Increasing the slider value for a particular category decreases the number of addresses from the category included in the policy, i.e. it includes addresses of higher confidence. Decreasing the slider increases the number of addresses included in the policy, i.e. it starts including addresses of a lower confidence.
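The delta updates from the DCEL answer and the confidence sliders from the answer above, sketched together as an added example that is not Bandura's code. The delta record layout, the 0-100 score range and the category names are assumptions, and the addresses are constructed.

```python
# Added example. The delta record layout, the 0-100 score range and the
# category names are assumptions; the page does not document the feed format.
from ipaddress import ip_address

MAX_CATEGORIES = 32  # per-engine category limit stated on the page


class ReputationList:
    def __init__(self):
        self.entries = {}   # (ip, category) -> provider confidence score
        self.sliders = {}   # category -> minimum score that is enforced

    def apply_delta(self, lines):
        """Apply '+ ip category score' (add/update) and '- ip category' (remove)."""
        for line in lines:
            parts = line.split()
            op, ip, category = parts[0], ip_address(parts[1]), parts[2]
            if op == "+":
                score = int(parts[3])
                if not 0 <= score <= 100:
                    raise ValueError(f"score out of range: {line!r}")
                self.entries[(ip, category)] = score
            elif op == "-":
                self.entries.pop((ip, category), None)  # removing twice is harmless
            else:
                raise ValueError(f"unknown delta operation: {line!r}")
        if len({cat for _, cat in self.entries}) > MAX_CATEGORIES:
            raise ValueError("more categories than one engine handles")

    def blocked(self):
        """Addresses meeting the slider of a category they are listed in.
        Categories without a slider are not enforced."""
        return {str(ip) for (ip, cat), score in self.entries.items()
                if cat in self.sliders and score >= self.sliders[cat]}


# Constructed deltas using documentation address ranges, not real indicators.
DELTA_1 = ["+ 192.0.2.10 botnet 95", "+ 198.51.100.7 botnet 60",
           "+ 203.0.113.5 scanner 40"]
DELTA_2 = ["- 198.51.100.7 botnet", "+ 203.0.113.5 scanner 85",
           "+ 192.0.2.44 botnet 30"]


def blocked_at(botnet_slider, scanner_slider=50):
    """Replay both deltas, set the sliders, return the sorted enforced addresses."""
    rep = ReputationList()
    for delta in (DELTA_1, DELTA_2):
        rep.apply_delta(delta)
    rep.sliders.update(botnet=botnet_slider, scanner=scanner_slider)
    return sorted(rep.blocked())
```

Calling `blocked_at` with a higher botnet slider returns fewer addresses, and with a lower one returns more, which is the behaviour the answer describes.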
Is the Bandura TIG compatible with a firewall configuration with High Availability?
Yes. The BT-1G-A, BT-1G-X, and the BT-10G all have High Availability for an Active/Active or Active/Standby configuration.
Will the Bandura TIG support external logging to a log server for denied traffic or SNMP polling?
Yes. It will log denied traffic, and in fact all traffic, to an external server via Syslog. It does support SNMP polling with SNMP version 2c and version 3. The SNMP interface contains traffic statistics aggregated by country.
Will the Bandura TIG interfere with a VoIP phone system?
No. The Bandura TIG introduces less than 1 millisecond of latency to the network, so you should see no difference in the performance of your VoIP.
Does the Bandura TIG allow VPN connections?
The Bandura TIG will handle VPN traffic like any other traffic and will allow/block it based on the policy applied. You can create a separate policy specifically for VPN traffic if a different policy is desired.
How is the Bandura TIG different from an IDS?
An IDS uses deep packet inspection to detect signatures of known malware or intrusion attempts. The Bandura TIG works by blocking high-risk traffic from IP addresses that have previously been associated with malicious behavior. By using the "IP Reputation" of the external IP address, Bandura TIG can block malicious traffic when a signature is not currently available, helping reduce the possibility of zero-hour security breaches.
What DDoS capabilities does the Bandura TIG have?
While the Bandura TIG isn't specifically a DDoS prevention device, it can help in certain types of DDoS attacks. The Bandura TIG is typically downstream from your ISP, so it can't help if the DDoS is using up all your ISP bandwidth since by the time the packets get to the Bandura TIG, the bandwidth is already used up. However, if the attack is targeting resources that are inside the perimeter of the Bandura TIG, like firewall sessions or application resources, it can help in many situations. The Country Blocking or Throttling features can stop or reduce much of an attack if you don't need to allow traffic from many of the countries being used in the attack. Also, many hosts used in a DDoS are compromised and could be known members of botnets or on blacklists. Blocking these by enabling the threat intelligence and available blacklists can stop them before they use up resources on firewalls or application servers.
If a failure is experienced, is there a convergence time for network connectivity while entering failover mode on the unit? Will switching into failover mode be noticeable to the users?
There really is no convergence time during a failover, as the bridge pair is transparent. Although there would be a few lost packets as the physical relay closes and shuts the internal circuitry of the Bandura TIG off from the network, the users would most likely not notice any change.
What does the Bandura TIG need outbound access to?
- A DNS server (UDP port 53); this may be inside your network
- The Bandura support site over HTTPS (support.bandurasystems.com, TCP port 443)
- GMC over HTTPS (gmc10.bandurasystems.com or gmc15.bandurasystems.com, TCP port 443)
Will the Bandura TIG support VLAN over a trunk?
It will support VLANs for a trunk, with the requirement that each VLAN has unique subnets. We don't do VLAN-aware filtering, but we do properly handle packets that are part of a VLAN.