
Perimeter Firewall Layer 4 Manageable

What is a Firewall?

A firewall is a system that protects a server, or a network of servers, from intrusions coming from another network. The most common use is to protect a network that is exposed to the Internet.

How does a Firewall work?

A firewall works like the security staff at the door of a nightclub: any traffic that is not on the allowed list cannot enter or leave. The firewall's list is a set of predefined rules, each of which applies one of these actions:

  • Allow: authorize the connection.
  • Deny: block the connection and notify the sender that it was rejected.
  • Drop: block the connection silently, without notifying the sender, who sees only a timeout.

There are two types of security policy:

  • Explicitly allow, and deny everything else (allow-list): "everything on the list can pass; the rest is forbidden".
  • Explicitly deny, and allow everything else (block-list): "everything on the list is forbidden; the rest can pass".

The first approach is the safer one, but it requires a precise inventory of the communication needs of the whole network. With it, anything uncertain is blocked and only the traffic we know about gets through.

What does Layer 4 Firewall mean?

The difference between what are called layer 3 and layer 4 firewalls lies in whether they remember the packets they have already analysed and can therefore track sessions.

  • L3 firewalls or layer 3 firewalls (packet-filtering firewalls): filter each packet on its own, based only on source/destination IP, port and protocol (stateless packet inspection).
  • L4 firewalls or layer 4 firewalls (session-filtering firewalls): do the above and additionally track network connections, allowing or denying traffic according to the state of those sessions (stateful packet inspection).

There are also newer firewalls that can inspect other kinds of traffic, or look more deeply at what a user is asking of your server, and so make better decisions on whether or not to block a request. These are called "Next Generation Firewalls" or layer 7 firewalls.

  • L7 firewalls or layer 7 firewalls (application-filtering firewalls): do the above and additionally determine which application the traffic belongs to, deciding whether it could be harmful to that application.
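To make the stateless/stateful distinction above concrete, here is an added example (not code from this page or from SW Panel) that runs a small constructed packet trace through both a stateless filter and a minimal connection-tracking filter. The server address, the peer addresses and the packets are constructed; the only opened inbound port is TCP 443. It shows the two cases where the decisions differ: the reply to the server's own outbound DNS query, which a stateless filter can only accept by opening the whole ephemeral port range, and a stray TCP ACK to port 443 that never started with a SYN, which the stateful filter refuses.

```python
"""Added example: stateless vs stateful layer-4 filtering on a constructed trace."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    direction: str        # "in": Internet -> server, "out": server -> Internet
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag


SERVER = "203.0.113.10"   # constructed: the server's public IP (documentation range)


def stateless_filter(pkt, allowed_in_ports):
    """Layer-3 style: each packet is judged on its own.
    Outgoing traffic is allowed; incoming traffic only to the opened ports.
    Replies to the server's own outbound connections arrive as *incoming*
    packets to an arbitrary ephemeral port, so they are dropped unless the
    whole ephemeral range is opened."""
    if pkt.direction == "out":
        return True
    return (pkt.proto, pkt.dst_port) in allowed_in_ports


class StatefulFilter:
    """Layer-4 style: remembers flows, so replies are matched by state."""

    def __init__(self, allowed_in_ports):
        self.allowed_in_ports = set(allowed_in_ports)
        self.flows = set()    # 5-tuples of flows seen so far

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def decide(self, pkt):
        # 1. Part of a known flow, in either direction: allowed.
        if self._key(pkt) in self.flows or self._reverse(pkt) in self.flows:
            return True
        # 2. New flow initiated by the server: remember it and allow it.
        if pkt.direction == "out":
            self.flows.add(self._key(pkt))
            return True
        # 3. New incoming flow: only to opened ports, and a TCP flow must
        #    begin with a SYN (a bare ACK to an open port is not a session).
        if (pkt.proto, pkt.dst_port) in self.allowed_in_ports:
            if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
                return False
            self.flows.add(self._key(pkt))
            return True
        return False


def run_trace():
    """Runs the constructed trace through both filters.
    Returns {name: (stateless_decision, stateful_decision)}."""
    allowed = {("tcp", 443)}
    stateful = StatefulFilter(allowed)
    trace = [
        ("dns_query_out", Packet(SERVER, 51000, "198.51.100.53", 53, "udp", "out")),
        ("dns_reply_in",  Packet("198.51.100.53", 53, SERVER, 51000, "udp", "in")),
        ("https_syn_in",  Packet("198.51.100.7", 40000, SERVER, 443, "tcp", "in", syn=True)),
        ("stray_ack_in",  Packet("198.51.100.8", 40001, SERVER, 443, "tcp", "in", ack=True)),
        ("ssh_syn_in",    Packet("198.51.100.9", 40002, SERVER, 22, "tcp", "in", syn=True)),
    ]
    # Order matters: the stateful filter must see the outbound query before the reply.
    return {name: (stateless_filter(p, allowed), stateful.decide(p)) for name, p in trace}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_trace().items():
        print(f"{name:15s} stateless={'allow' if stateless else 'drop':5s} "
              f"stateful={'allow' if stateful else 'drop'}")
```

The state table here is a plain set with no timeouts; a real stateful firewall ages entries out and, for TCP, also follows the FIN/RST teardown so that a closed session stops matching. The point that survives the simplification is that the stateful filter decides on the basis of what it has already seen, which is exactly what a stateless packet filter cannot do.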

What does Manageable Firewall mean?

Manageable means that you can define, create, modify or delete both the filtering rules and the actions the Firewall performs, at any time and for any of the IPs of your server or Cloud. For this, SW Panel provides a set of options and tools that let you customise your Firewall in a simple way and so protect your environment and your data.

What is a Firewall rule?

A Firewall rule is a set of conditions that let the Firewall decide whether a given piece of traffic should be handled and what should be done with it.

  • Parts and conditions of a rule

A rule is made up of the parts and conditions detailed below:

  • Traffic

Traffic is the flow of data that travels over the network to or from your Cloud or server.

In relation to traffic, we can

  • Allow it
  • Deny it

The traffic can be

  • Incoming: from the Internet to your cloud or server

  • Outgoing: from your cloud or server to the Internet

  • IPs

The IPs indicate the source or destination of the traffic we want to filter.

Origin (source IP)

Indicates the IP from which the traffic will be received. Selecting "any IP" means that the rule applies to all Internet IPs.

Destination

Indicates which IP of our Cloud or server the rule applies to.

If our Cloud or server has several IPs, we can create independent rules for each of them.

  • Protocols

Indicates the transport protocol the rule applies to. TCP and UDP are accepted.

TCP (Transmission Control Protocol)

TCP is the transport protocol used by most data communications on the Internet.

TCP functions

In the TCP/IP stack, TCP sits between the network protocol (IP) and the application. Applications often need communication over the network to be reliable; TCP provides this by ensuring that the data sent by the client reaches the server without errors and in the order it was sent, even though it runs on top of the IP layer, which is unreliable. It is a connection-oriented protocol: client and server must first establish the connection (the three-way handshake) before any data is transmitted to the party that should receive it.

Characteristics of TCP

  • Reorders segments that arrive out of order from the IP layer.
  • Controls the flow of data (flow and congestion control) to avoid saturating the network.
  • Splits data into segments of variable length to hand them to the IP layer.
  • Multiplexes data, so that information from different sources (for example, several applications) can travel over the same link simultaneously.
  • Opens and closes connections in an orderly way, so that the two ends agree on when the communication starts and ends.

Format of the TCP segments

At the transport layer, the protocol data units of TCP are called "segments".

UDP (User Datagram Protocol)

UDP is a minimal, message-oriented transport-layer protocol, documented by the IETF in RFC 768.

In the Internet protocol family, UDP provides a simple interface between the network layer and the application layer. UDP gives no guarantee that its messages are delivered, and the sender keeps no state about the datagrams it has already sent. UDP adds only application multiplexing (ports) and a checksum over the header and payload. Any delivery guarantee has to be implemented at a higher layer.

Use in applications

Many core Internet services use UDP, including the Domain Name System (DNS), where a query is a single request followed by a single response and speed matters; the Simple Network Management Protocol (SNMP); the Routing Information Protocol (RIP); and the Dynamic Host Configuration Protocol (DHCP).

  • Ports

TCP and UDP use ports to let applications communicate. The port field is 16 bits long, so valid values range from 0 to 65535. Port 0 is reserved, but it is accepted as a source port when the sending process does not expect to receive a reply.

  • Ports 1 to 1023 are the "well-known" ports; on Unix-like operating systems, binding to one of them requires superuser privileges (on Linux, the CAP_NET_BIND_SERVICE capability is enough).
  • Ports 1024 to 49151 are registered ports.
  • Ports 49152 to 65535 are dynamic (ephemeral) ports, used as temporary ports, especially by clients when talking to servers.

In our perimeter firewall, the port field indicates the port the rule applies to. You can leave it unspecified so the rule covers traffic on any port, or specify a single port, a set of ports or a range.

Activation of Layer 4 Firewall Management

Activation using the Service Dashboard

  • The first step will be to choose the Cloud or server where you want to activate Firewall management

Go to the service tree of your SW Panel.


Select, by clicking on it, the server or Cloud in which you want to activate the Firewall management.

  • Once selected, SW Panel will show you the Dashboard of this service.

In the Dashboard you will find the Available Improvements box, and in it the Firewall Layer 4 Management option with a switch on its right to activate or deactivate it.


Press on the switch to activate it.

Once you click it, you will be taken to the activation confirmation screen. Tick the checkbox in the blue box and confirm the activation by clicking the Activate Now button at the bottom.


That is all: in a few seconds it will be active, and the service Dashboard will show the switch in green.

Activation through service management menu

  • The first step will be to access the service tree of your SW Panel.

Find the Cloud or server on which you want to activate Layer 4 Firewall Management and click the ·· menu on its left to open it.

Within the menu, in the Security Services section, click the Perimeter Security option.


  • SW Panel will take you to the Security Profiles tab of your service

On this tab you will find a blue button that lets you activate management of your Firewall.


Once you click it, you will be taken to the activation confirmation screen. Tick the checkbox in the blue box and confirm the activation by clicking the Activate Now button at the bottom.


That is all: in a few seconds it will be active, and the switch on the service Dashboard will show green.

Deactivating Firewall Management Layer 4

  • The first step will be to choose the Cloud or server on which you wish to deactivate Firewall management

Go to the service tree of your SW Panel.


Select, by clicking on it, the server or Cloud in which you wish to deactivate the Firewall management.

  • Once selected, SW Panel will show you the Dashboard of this service.

In the Dashboard you will find the Available Improvements box, where the Firewall Layer 4 option appears with its switch active (green).

Press on the switch to deactivate it.

Once you click it, you will be taken to the deactivation confirmation screen. Tick the checkbox in the blue box and confirm that you want to deactivate Layer 4 Firewall Management by clicking the Deactivate now button.


That is all: in a few seconds it will be deactivated, and the service Dashboard will show the switch blank (off).

Important:

When you deactivate Layer 4 Firewall Management, all the rules you have created and all the IPs you have blocked are deleted, and the Firewall goes back to working in transparent (standard) mode.

Manage my Layer 4 Edge Firewall

Once management is activated, the side menu of SW Panel in your service's Dashboard shows, under Security, an FW Layer 4 section with the option Layer 4 Firewall Management.


Click on this option and you will access your Layer 4 Firewall for the service you have selected.

Your Layer 4 Firewall is managed through three blocks:

  • Security Profiles
  • Firewall Rules
  • Blocking of IPs

Security Profiles Tab

A predefined security profile is a set of rules that SW Panel already provides and that is applied to your Layer 4 Firewall so that the services associated with the profile work correctly and securely.


First select the IP of your Cloud or server to which you want to apply the profiles. If you have several IPs, choose the one you want in the drop-down at the top.

SW Panel offers multiple pre-established security profiles, according to the services your cloud or server runs.

To activate or deactivate any of these profiles, simply press the switch that appears on the right side of each of the profile blocks.

Once you have made changes, a blue warning appears at the top of the screen asking you to apply them.

Important:

Until you click the Apply changes button, the changes are not applied to your Layer 4 Firewall and so are not active.

Active profiles are shown in green; those shown blank are not active.

Firewall Rules Tab

This tab is more technical: it lists the rules your Layer 4 Firewall currently applies and the IPs they apply to.


Rules shown in green belong to security profiles and cannot be modified or removed from this tab; they must be managed from the Security Profiles tab.

Rules shown in yellow belong to a blocked IP and must be managed from the IP Blocking tab.

Fields of the list

  • First field

  • Indicates whether the rule is active or inactive in the Firewall.

  • Id

  • Identifier of the rule (internal control numbering); informative only.

  • Order

  • Position of the rule in the filtering your Layer 4 Firewall performs.

  • Order matters, because rules are evaluated in the order indicated: two rules that contradict each other can both be valid if they are evaluated in the right order.

  • Rules are always evaluated from lowest to highest order.

  • Name

  • Name of the rule (informative only).

  • Origin

  • Source of the traffic this rule handles.

  • If the "any" box appears, the rule applies to any source IP.

  • Destination

  • Destination IP the rule applies to; normally one of the IPs of our cloud or server.

  • Protocol

  • Protocol the rule applies to: TCP or UDP.

  • Port

  • Port or range of ports the rule applies to.

  • If the "any" box appears, the rule applies to any port.

  • To define a range of ports, use a hyphen as separator, for example 4500-5000 (without spaces). The rule then covers ports 4500 to 5000, both included.

  • Direction

  • Indicates whether the rule applies to incoming or outgoing traffic.

  • Allow

  • The green box "Allow" means this traffic is allowed.

  • The orange box "Deny" means this traffic is not allowed.

  • Manage

  • Shows the menu of options available for this rule.
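The two policy types described earlier (allow-list with default deny versus block-list with default allow), the rule fields listed above and the lowest-to-highest ordering all fit in one small evaluator. The following is an added example, not SW Panel's code, that models the rule list in Python: it parses the port field ("any", a single port, or a hyphen range such as 4500-5000, rejecting spaces), matches source and destination IPs (also accepting a CIDR for the source, which goes beyond what the page describes), walks the rules from lowest to highest order, and falls through to a configurable default. The server address, the rule set and the sample packets are constructed. Two assumptions are labelled in the code: that the first matching rule decides, and that a blocked IP is represented as a deny rule for any protocol and any port that sorts ahead of the other rules.

```python
"""Added example: ordered layer-4 rule evaluation with a default policy."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Rule:
    order: int        # evaluated from lowest to highest
    name: str         # informative only
    src: str          # "any", an IP, or (beyond the page) a CIDR such as 192.0.2.0/24
    dst: str          # "any" or one of the server's IPs
    proto: str        # "tcp" or "udp"; "any" is used here to model an IP block (assumption)
    port: str         # "any", "443" or a hyphen range "4500-5000" (no spaces)
    direction: str    # "in" or "out"
    action: str       # "allow" or "deny"
    enabled: bool = True


def parse_ports(spec):
    """Turns "any", "443" or "4500-5000" into an inclusive (low, high) pair.
    Rejects spaces, reversed ranges and values outside 0..65535."""
    if spec == "any":
        return (0, 65535)
    if " " in spec:
        raise ValueError(f"port spec must not contain spaces: {spec!r}")
    low_s, sep, high_s = spec.partition("-")
    low = int(low_s)
    high = int(high_s) if sep else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port or range: {spec!r}")
    return (low, high)


def ip_matches(spec, ip):
    """"any" matches everything; otherwise the IP must fall inside spec."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    src_ip, dst_ip, proto, port, direction = pkt
    if not rule.enabled or rule.direction != direction:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    low, high = parse_ports(rule.port)
    return (low <= port <= high
            and ip_matches(rule.src, src_ip)
            and ip_matches(rule.dst, dst_ip))


def evaluate(rules, pkt, default="deny"):
    """The first matching rule, walking from lowest to highest order, decides
    (assumption: first match wins). default="deny" is the allow-list policy;
    default="allow" would be the block-list policy."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "(default)"


SERVER = "203.0.113.10"    # constructed public IP of the server

RULES = [  # constructed rule set
    # Yellow row: a blocked IP, denied regardless of protocol and port
    # (assumption: it sorts ahead of the other rules).
    Rule(1, "block 198.51.100.66", "198.51.100.66", "any", "any", "any", "in", "deny"),
    Rule(10, "https", "any", SERVER, "tcp", "443", "in", "allow"),
    Rule(11, "voip", "any", SERVER, "udp", "4500-5000", "in", "allow"),
    # Two contradicting rules, valid only because 20 is evaluated before 30.
    Rule(20, "admin-ssh", "192.0.2.0/24", SERVER, "tcp", "22", "in", "allow"),
    Rule(30, "no-ssh", "any", SERVER, "tcp", "22", "in", "deny"),
    Rule(40, "egress", SERVER, "any", "any", "any", "out", "allow"),
]


def run_demo(rules=RULES):
    """Constructed packets as (src_ip, dst_ip, proto, port, direction)."""
    samples = {
        "admin_ssh": ("192.0.2.5", SERVER, "tcp", 22, "in"),
        "public_ssh": ("198.51.100.7", SERVER, "tcp", 22, "in"),
        "blocked_ip_to_open_port": ("198.51.100.66", SERVER, "tcp", 443, "in"),
        "voip_in_range": ("198.51.100.7", SERVER, "udp", 4999, "in"),
        "voip_out_of_range": ("198.51.100.7", SERVER, "udp", 5001, "in"),
        "dns_out": (SERVER, "198.51.100.53", "udp", 53, "out"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


def swapped_order_demo():
    """Same rules with 'no-ssh' moved ahead of 'admin-ssh': the admin is locked out."""
    new_order = {"admin-ssh": 30, "no-ssh": 20}
    swapped = [replace(r, order=new_order.get(r.name, r.order)) for r in RULES]
    return evaluate(swapped, ("192.0.2.5", SERVER, "tcp", 22, "in"))


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:25s} -> {decision}")
    print("admin_ssh with swapped order ->", swapped_order_demo())
```

The swapped-order case is the one worth keeping in mind when editing a live rule list: the same two rules, with their order numbers exchanged, turn an exception for an admin range into a lockout, and nothing in the rule set itself looks wrong until you evaluate a packet against it.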

Create a Firewall rule

Clicking this button lets you create a new rule in your Layer 4 Firewall.

To create the rule, fill in all the fields requested.

We have detailed the meaning of each field in the previous section.

Help

You will find a blue information box with a link to a list of the ports you can create rules for and what each port is used for.

IP Blocking Tab

This tab lists all the IPs that are blocked from accessing your Cloud or server, regardless of the port or protocol they try to use.


Fields in the list

  • Status

  • Indicates whether the block is being applied. If the block is active, a blue box reading "activated" appears.

  • ID

  • Identifier of the block (internal control numbering); informative only.

  • Origin

  • Source IP that we want to block.

  • Destination

  • Which of the IPs of our cloud or server the source IP is blocked from reaching.

  • Manage

  • Shows the menu of options available for this IP block.

Block an IP

Blocking an IP is very simple:

Click the "Block an IP" button.

The IP blocking screen opens.

Enter the IP you want to block in the Origin field.

In Destination, mark the IPs of your cloud or server that the IP entered in Origin should be blocked from reaching.

If you want the block to take effect immediately, remember to tick the checkbox in the yellow box.

Once everything is filled in correctly, the "Block IP" button appears; press it to apply the block.

Unblock an IP

The easiest way to unblock an IP you have blocked is to delete the block.

To delete the block, use the "manage" menu of the blocked IP line of the list and select the option "Delete this IP blocked".

Once you confirm the deletion, the IP stops being blocked within a few moments and its line disappears from the list of blocked IPs.
