New in version 3.0: Application Firewall (Application Control)
The Endian UTM Appliance comes with a pre-configured set of rules for outgoing traffic, i.e., rules that allow the traffic of specific services, ports, and applications to flow from the various zones to the RED interface and therefore to the Internet. These rules are needed to ensure that the most common services are always able to access the Internet and work correctly. Two boxes are present on this page: one that shows the current rules and allows adding new ones, and one that allows setting the outgoing firewall options.
Note
Rules defined in the outgoing firewall are disregarded when the Endian UTM Appliance is in no uplink mode. When operating in Stealth uplink mode, only part of the traffic from the zone behind the Endian UTM Appliance to the outside is considered outgoing; see the description of the stealth uplink.
Endian UTM Appliance and Application Firewall (Application Control).
Application firewalls are a recent development and improvement over stateful firewalls: they combine the ability of the latter to keep track of a connection's origin and path with the ability of Intrusion Prevention Systems to inspect packet content, with the purpose of providing higher security against worms, viruses, malware, and all types of threats. The final result, from the user's point of view, is that the firewall can block not only traffic between ports and IP addresses, but also traffic generated by single applications. This, however, requires more effort from the firewall: while traffic between IP addresses only needs the first packet to be inspected to block or allow the whole flow, correctly recognising traffic generated by an application sometimes requires analysing a few packets of the flow, usually no more than 3.
Starting with version 3.2, every Endian UTM Appliance is equipped with nDPI, an open source library implementing Deep Packet Inspection, thus allowing the deployment of rules for application firewalling. nDPI is deployed as a kernel module and interacts with iptables for the packet analysis.
Hence, there are now two different types of rules that can be defined on the outgoing firewall:
When no application rules have been defined, the behaviour of the firewall is exactly the same as in previous versions. Whenever an application rule has been defined, however, the stateful rules preceding it behave normally, while all the rules after it are processed through nDPI.
It is worth noting that the use of nDPI presents some subtleties, illustrated by the following example, and may therefore produce unwanted side effects.
Suppose that a company wants to allow all HTTP traffic, except for YouTube and Gmail. The first default rule defined in the Endian UTM Appliance allows all HTTP traffic, with no restriction. This rule must therefore be disabled as a first step. Then, two rules must be defined:
If rule 2 were an application rule with protocol HTTP, then only traffic recognised as HTTP by nDPI would be allowed, and other protocols carried over HTTP, such as Yahoo and Facebook, would not pass, since nDPI does not consider them HTTP but independent protocols.
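The subtlety above, as an added example that is not part of the Endian documentation or code: a small Python model of first-match rule evaluation with stateful (port-based) and application (nDPI-label-based) rules. The flows and their nDPI labels are constructed, and the model ignores that classification may need a few packets.

```python
# Added example (not Endian's code): a model of outgoing-firewall evaluation.
# Assumptions: each flow carries a destination port and the label nDPI assigned
# to it (constructed here); stateful rules match on port, application rules on
# the nDPI label; the first matching rule wins; unmatched traffic is denied.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    dst_port: int
    ndpi_app: str  # nDPI classification of the flow (constructed values)


@dataclass(frozen=True)
class Rule:
    action: str                    # "ALLOW" or "DENY"
    port: Optional[int] = None     # stateful match (None = any port)
    apps: frozenset = frozenset()  # application match (empty = stateful rule)

    def matches(self, flow: Flow) -> bool:
        if self.apps:  # application rule: decided on the nDPI label only
            return flow.ndpi_app in self.apps
        return self.port is None or flow.dst_port == self.port


def evaluate(rules: list, flow: Flow) -> str:
    """Return the action of the first matching rule, or DENY by default."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "DENY"


# Rule 1: deny YouTube and Gmail by application; rule 2: allow HTTP, either
# as a stateful port-80 rule or as an application rule for protocol HTTP.
DENY_APPS = Rule("DENY", apps=frozenset({"YouTube", "Gmail"}))
ALLOW_HTTP_STATEFUL = Rule("ALLOW", port=80)
ALLOW_HTTP_APP = Rule("ALLOW", apps=frozenset({"HTTP"}))

# Constructed sample flows, all on TCP/80, with plausible nDPI labels.
FLOWS = {"plain web": Flow(80, "HTTP"),
         "youtube": Flow(80, "YouTube"),
         "facebook": Flow(80, "Facebook")}


def compare() -> dict:
    """Decision per flow with rule 2 stateful vs. rule 2 as application rule."""
    return {name: (evaluate([DENY_APPS, ALLOW_HTTP_STATEFUL], f),
                   evaluate([DENY_APPS, ALLOW_HTTP_APP], f))
            for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (stateful, app) in compare().items():
        print(f"{name:10} stateful rule 2: {stateful:5} application rule 2: {app}")
```

Facebook traffic on port 80 passes the stateful version of rule 2 but is dropped by the default policy when rule 2 is an application rule, which is the side effect the text describes.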
In detail, these are the services and protocols allowed by default to access the RED IP from the zones, as shown in the top box:
GREEN: HTTP, HTTPS, FTP, SMTP, POP, IMAP, POP3s, IMAPs, DNS, ICMP
BLUE: HTTP, HTTPS, DNS, ICMP
ORANGE: DNS, ICMP
Everything else is forbidden by default except for the System rules which allow access to the services in the Endian Network. The system rules are defined even if the corresponding zones are not enabled.
Note
Access to Endian Network is not permitted to Community Edition appliances.
Possible actions on each rule are to enable or disable it, and to edit or delete it. Additional rules can be added by clicking on the Add a new firewall rule link at the top of the page. Please remember that the order of rules is important: the first matching rule decides whether a packet is allowed or denied, regardless of how many matching rules follow. The order of the rules can be changed by using the up and down arrow icons next to each rule.
The following settings differ from the default common options.
This search widget allows selecting the applications that should be part of the rule. Applications are divided into categories (e.g., Database, filesharing, and so on).
Hint
Enter at least one letter to show all applications whose name starts with that letter.
It is possible to disable or enable the whole outgoing firewall by clicking on the Enable Outgoing firewall switch. When disabled, all outgoing traffic is allowed and no packet is filtered: this setting is however strongly discouraged, and the recommendation is to keep the outgoing firewall enabled.
Proxy and outgoing firewall.
Whenever the proxy is activated for a given service (e.g., HTTP, POP, SMTP, DNS), the rules in the outgoing firewall have no effect on that service, because of the nature of the proxy.
With the proxy activated, whenever a connection starts from a client to the Internet, it is either intercepted by the proxy on the Endian UTM Appliance (in transparent mode) or sent directly to the proxy, but it never goes through the firewall. The proxy then starts a new connection to the real destination, gets the data and sends it to the client. Those connections to the Internet always start from the Endian UTM Appliance, which hides the clients' internal IP addresses. Therefore, such connections never go through the outgoing firewall, since they are in fact local connections.