Copyright © 2014 NEXCOM International Co., Ltd. All Rights Reserved.

IFA 3610/IFA 2610/IFA 1610 User Manual

Chapter 5: The Firewall Menu

5.3 Outgoing Traffic

The appliance comes with a pre-configured set of rules for outgoing traffic, i.e., rules that allow specific services,
ports, and applications to flow from the various zones to the RED interface and therefore to the Internet. These rules
ensure that the most common services are always able to reach the Internet and work correctly. Two boxes are present
on this page: one shows the current rules and allows new ones to be added, and the other allows the outgoing
firewall options to be set.

IFA 3610/IFA 2610/IFA 1610 appliances and Application Firewall.

Application firewalls are a recent development of, and improvement on, stateful firewalls: they combine the latter's
ability to keep track of a connection's origin and path with the ability of Intrusion Prevention Systems to inspect
packet content, with the purpose of providing better protection against worms, viruses, malware, and all types of threats.
From the user's point of view, the result is that the firewall can block not only traffic between ports and IP addresses,
but also traffic generated by individual applications. This requires more effort from the firewall, however: while traffic
between IP addresses only needs the first packet to be inspected to block or allow the whole flow, correctly
recognising traffic generated by an application sometimes requires analysing a few packets of the flow, usually no more
than 3.

Starting with version 3.0, every appliance is equipped with nDPI, an open source library implementing Deep Packet
Inspection, which allows the deployment of rules for application firewalling. nDPI is deployed as a kernel module and
interacts with iptables for packet analysis.

Hence, two different types of rules can now be defined on the outgoing firewall:

Stateful firewall rules, which filter traffic between IP addresses and ports.

Application rules, i.e., rules that filter traffic generated by applications.

When no application rules have been defined, the firewall behaves exactly as in previous versions. Once an application
rule has been defined, however, the stateful rules preceding it behave normally, while all the rules after it undergo
nDPI.

It is worth noting that the use of nDPI presents some subtleties, illustrated by the following example, and might
therefore produce unwanted side effects.

Suppose that a company wants to allow all HTTP traffic except for YouTube and Gmail. The first default rule defined
in the appliance allows all HTTP traffic, with no restriction. This rule must therefore be disabled as a first step. Then,
two rules must be defined:

1. An application rule blocking the Gmail and YouTube protocols.
2. A stateful rule allowing all HTTP traffic.

If rule 2 were an application rule with protocol HTTP, only traffic recognised as HTTP by nDPI would be allowed;
other protocols using HTTP, e.g., Yahoo and Facebook, would pass, since nDPI does not consider them to be HTTP but
independent protocols.
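The rule-ordering behaviour described in this example, as an added illustration that is not part of the manual: a toy model in which stateful rules match on the destination port and application rules match only on the protocol label nDPI assigns to a flow. The flows and their labels are constructed for the example; the first matching rule wins and unmatched flows fall to the default policy.

```python
# Toy model of the outgoing firewall chain: stateful rules match on port,
# application rules match on the protocol label nDPI assigns to a flow.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    dst_port: int    # destination port towards RED
    app: str         # protocol label nDPI would assign (constructed here)

@dataclass(frozen=True)
class Rule:
    action: str                     # "ALLOW" or "BLOCK"
    dst_port: Optional[int] = None  # stateful match; None means any port
    app: Optional[str] = None       # application match; None means stateful rule

    def matches(self, flow: Flow) -> bool:
        if self.app is not None:    # application rule: compare the nDPI label only
            return self.app == flow.app
        return self.dst_port in (None, flow.dst_port)

def evaluate(rules: List[Rule], flow: Flow, default: str = "BLOCK") -> str:
    """First matching rule wins; unmatched flows hit the default policy."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default

def rules_under_dpi(rules: List[Rule]) -> int:
    """Rules from the first application rule onwards need nDPI classification."""
    for i, rule in enumerate(rules):
        if rule.app is not None:
            return len(rules) - i
    return 0

# The manual's scenario: block Gmail and YouTube, allow everything else over HTTP.
BLOCK_APPS = [Rule("BLOCK", app="Gmail"), Rule("BLOCK", app="YouTube")]
STATEFUL_HTTP = BLOCK_APPS + [Rule("ALLOW", dst_port=80)]   # rule 2 as stateful rule
APP_HTTP = BLOCK_APPS + [Rule("ALLOW", app="HTTP")]         # rule 2 as application rule

# Constructed sample flows, all on port 80, labelled as nDPI would label them.
FLOWS = {
    "plain web": Flow(80, "HTTP"),
    "youtube":   Flow(80, "YouTube"),
    "yahoo":     Flow(80, "Yahoo"),   # HTTP-based, but its own nDPI protocol
}

def compare() -> dict:
    """Verdict per flow under both rule sets, showing the ordering subtlety."""
    return {name: (evaluate(STATEFUL_HTTP, f), evaluate(APP_HTTP, f))
            for name, f in FLOWS.items()}

if __name__ == "__main__":
    for name, (stateful, app) in compare().items():
        print(f"{name:10} stateful rule 2: {stateful:6} application rule 2: {app}")
```

With rule 2 stateful, the Yahoo flow is allowed on port 80; with rule 2 as an HTTP application rule, the same flow matches nothing and falls to the default policy.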

Current Rules

In detail, these are the services and protocols that are allowed by default to access the REDIP from the zones, as
shown in the top box:

GREEN: HTTP, HTTPS, FTP, SMTP, POP, IMAP, POP3s, IMAPs, DNS, ICMP

BLUE: HTTP, HTTPS, DNS, ICMP

ORANGE: DNS, ICMP

Everything else is forbidden by default, except for the System rules, which allow access to the services in the
HENGE™ Network. The system rules are defined even if the corresponding zones are not enabled.

Note: Access to the HENGE™ Network is not permitted to Community Edition appliances.
