The following are the key points to understand the Deep Security firewall:
You can configure the firewall in any of the following modes:
- Prohibitive mode: The firewall automatically operates in this mode as soon as a single Allow rule is assigned to the host. This mode prohibits any traffic not explicitly permitted by an Allow rule. Prohibitive policies are the most commonly used.
- Permissive mode: The firewall operates in this mode when Deny rules are used exclusively. This mode permits all traffic that does not match a Deny rule. This mode is not recommended.
If you assign only incoming rules, all outgoing traffic will be allowed. If you assign a single outgoing Allow rule, the outgoing firewall will operate in prohibitive mode.
You can use the firewall as either of the following filters:
- Stateful packet filter: Activate this filter by enabling stateful inspection for a specific protocol in a stateful configuration. This filter uses an internal state table that tracks the current status of each connection and uses that information to decide whether a packet should be allowed or denied. This is the recommended filter because it adds protection against attacks.
- Static packet filter: The firewall uses this filter when no stateful configuration is assigned to the host. It handles each packet individually and cannot track connection information because it has no knowledge of packets that have already passed through.
The firewall implements a pseudo-stateful approach to track stateless protocols such as User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP). The firewall determines whether a packet is part of an existing connection by using specific criteria from the packet such as source IP, source port, destination IP, and destination port. When no packet matches the connection criteria within the 60-second default timeout period of a pseudo-stateful connection, the connection is considered closed and its entry is removed from the pseudo-state table.
In general, the Allow action should be used. However, you should use the Force Allow action instead of the Allow action when:
- Allowing incoming connections for a pseudo-stateful protocol (e.g. opening the port for a DNS server).
- Using a trump card on a Deny rule (e.g. subnet 10.0.0.0/8 is denied but you want to allow host 10.102.12.56).
Consider the priorities when using the following rule actions:
- Force Allow rule: This only acts as a trump card to a Deny rule when the Force Allow rule has the same or a higher priority than the Deny rule. For example, if you have a Deny rule at priority 3 that prevents access to an allowed port from the 10.0.0.0/8 subnet, and you want to allow host 10.102.12.56 to access that port, you must create a Force Allow rule at priority 3 or 4 to trump the Deny rule at priority 3. Once a packet triggers this rule, it is immediately allowed and rules at lower priority no longer process it.
- Allow rule: This exists only at priority 0 to ensure it is processed after all Force Allow and Deny rules at higher priorities. Force Allow and Deny rules at priority 0 are also processed before Allow rules.
- Bypass rule: This is a special type of rule that allows a packet to bypass both the firewall and Deep Packet Inspection (DPI) engines. This rule must be placed at priority 4 and must be created in pairs, one rule for each traffic direction.
You should treat the following rules as mandatory because every firewall policy should start with them as its foundation:
- Address Resolution Protocol (ARP) rule: This allows incoming ARP requests so that the host can reply to queries for its MAC address. If you do not assign this rule, no device on the network can query the host for its MAC address, rendering the machine inaccessible from the network.
- Allow solicited ICMP replies and Allow solicited TCP/UDP replies rules: These rules should be assigned if you want to allow any outgoing communication from the host. They allow replies to packets sent by your host (e.g. incoming SYN/ACK replies to outgoing SYN packets). Without these rules, outgoing packets would be allowed but their replies would be denied.
The following are sample firewall implementations:
A web server requires only TCP ports 80 and 443 to be opened. No firewall policy will be enforced on outgoing connections.
Rules Required:
- Stateful – This enables stateful inspection for TCP, UDP and ICMP.
- ARP – This allows incoming ARP requests.
- Allow solicited TCP/UDP replies – This allows replies to outgoing TCP/UDP packets.
- Allow solicited ICMP replies – This allows replies to outgoing ICMP packets.
- New Incoming Allow rule – This opens the web server ports.
Action: Allow
Packet Direction: Incoming
Frame Type: IP
Protocol: TCP
Destination Ports: 80, 443
An accounting application requires TCP ports 4300-4400 to be opened only for the accounting subnet (192.168.100.0/24). Within the subnet, there is a range of workstations (192.168.100.55-65) used by students that should be denied access to the application ports. One student is allowed to use the application from the workstation 192.168.100.60. No firewall policy will be enforced on outgoing connections.
Rules Required:
- Stateful – This enables stateful inspection for TCP, UDP and ICMP.
- ARP – This allows incoming ARP requests.
- Allow solicited TCP/UDP replies – This allows replies to outgoing TCP/UDP packets.
- Allow solicited ICMP replies – This allows replies to outgoing ICMP packets.
- New Incoming rule – This allows access to the accounting application ports.
Action: Allow
Packet Direction: Incoming
Frame Type: IP
Protocol: TCP
Source IP: 192.168.100.0/24
Destination Ports: 4300-4400
- New Incoming rule – This denies access to the student workstations.
Action: Deny
Priority: 4 – Highest (Any priority could be used)
Packet Direction: Incoming
Frame Type: IP
Protocol: TCP
Source IP: 192.168.100.55-65
Destination Ports: 4300-4400
- New Incoming rule – This allows the connection from the authorized workstation.
Action: Force Allow
Priority: 4 – Highest (Must be the same or higher than the Deny rule)
Packet Direction: Incoming
Frame Type: IP
Protocol: TCP
Source IP: 192.168.100.60
Destination Ports: 4300-4400
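To make the rule-action priorities concrete, the following is an added Python simulation of the evaluation order described above (Force Allow and Deny from priority 4 down to 0, then Allow at priority 0, prohibitive mode once any Allow rule exists), run against the three incoming rules of this accounting example. It is illustrative code written for this article, not Deep Security's own engine; the rule model, the function names and the sample source addresses are my own constructions.

```python
import ipaddress

def parse_src(src):
    """Source address bounds from a CIDR, a single IP, or a 'first-last' range."""
    if "-" in src:
        lo, hi = src.split("-")
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    net = ipaddress.ip_network(src, strict=False)
    return net[0], net[-1]

def make_rule(action, priority, src=None, ports=None):
    # Constructed rule model (not Deep Security's API): incoming TCP rules only.
    return {"action": action, "priority": priority,
            "src": parse_src(src) if src else None,
            "ports": set(ports) if ports else None}

def matches(rule, src_ip, dport):
    if rule["src"] and not rule["src"][0] <= ipaddress.ip_address(src_ip) <= rule["src"][1]:
        return False
    return rule["ports"] is None or dport in rule["ports"]

def evaluate(rules, src_ip, dport):
    """Return 'allow' or 'deny' for one unsolicited incoming TCP packet.
    Order: Force Allow and Deny from priority 4 down to 0 (Force Allow first within a
    level, so it trumps a Deny at the same or lower priority), then Allow rules at
    priority 0. With any Allow rule assigned the firewall is prohibitive, so unmatched
    traffic is denied; with no Allow rule at all it is permissive."""
    for prio in range(4, -1, -1):
        for action in ("force_allow", "deny"):
            for r in rules:
                if r["priority"] == prio and r["action"] == action and matches(r, src_ip, dport):
                    return "allow" if action == "force_allow" else "deny"
    allow_rules = [r for r in rules if r["action"] == "allow"]
    if any(matches(r, src_ip, dport) for r in allow_rules):
        return "allow"
    return "deny" if allow_rules else "allow"

# The accounting example's incoming rules. The stateful, ARP and solicited-reply
# rules are omitted here because they do not decide unsolicited incoming TCP SYNs.
APP_PORTS = range(4300, 4401)
ACCOUNTING_RULES = [
    make_rule("allow", 0, "192.168.100.0/24", APP_PORTS),
    make_rule("deny", 4, "192.168.100.55-192.168.100.65", APP_PORTS),
    make_rule("force_allow", 4, "192.168.100.60", APP_PORTS),
]

if __name__ == "__main__":
    for ip, port in [("192.168.100.10", 4350), ("192.168.100.57", 4350),
                     ("192.168.100.60", 4350), ("10.0.0.5", 4350), ("192.168.100.10", 22)]:
        print(f"{ip}:{port} -> {evaluate(ACCOUNTING_RULES, ip, port)}")
```

Moving the Force Allow rule to priority 3 makes the authorized workstation hit the priority 4 Deny first, which is why the article insists the Force Allow priority be the same or higher than the Deny rule's.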
We will build on the second example by restricting outgoing communication. The only allowed outgoing communication is TCP connections to ports 80 and 443 on the Windows Server Update Services (WSUS) server (192.168.1.50) for system updates.
Rules Required:
- All of the rules from the second example.
- New Outgoing rule – This acts as the ARP rule for the outgoing direction.
Action: Allow
Packet Direction: Outgoing
Frame Type: ARP
- New Outgoing rule – This acts as the Allow solicited TCP/UDP replies rule for the outgoing direction.
Action: Allow
Packet Direction: Outgoing
Frame Type: IP
Protocol: TCP+UDP
Flags: Not SYN
- New Outgoing rule – This allows the connection to the WSUS server.
Action: Allow
Packet Direction: Outgoing
Frame Type: IP
Protocol: TCP
Destination IP: 192.168.1.50
Destination Ports: 80, 443