Iwall
Introduction:

Iwall is a firewall system that integrates an intrusion detection engine. Iwall protects data networks. From a business standpoint, data networks are vulnerable and need protection because of:
- The confidentiality of data residing within and traveling across a network
- The integrity of the above data
- The availability of a network and its components

Iwall helps ensure the confidentiality, integrity and availability of a network by granting or denying access to network resources and by analyzing the traffic flow in search of unauthorized accesses carried within the allowed traffic.

Si.Net Iwall is an appliance that supports several interfaces:
- Outside: one interface connected to the outside world. This interface has the lowest security level.
- Inside: one interface connected to the local network.
- DMZ: one or more additional interfaces where you can connect servers or parts of your network to split them from your main local area network.

Characteristics:

Si.Net Iwall has three main characteristics:

Actions:
The following actions are defined:
- Accept: allow an authorized packet to reach the inside networks.
- Drop: drop unauthorized packets without notifying the sender.
- Reject: drop unauthorized packets and send an ICMP error message notifying the sender that the host or service is unavailable.

Rules:
Si.Net Iwall uses a set of rules to accept or block packets. These rules can be configured through a web interface (HTTPS).

States:
Si.Net Iwall is a multi-layered stateful firewall with a built-in IDS. It inspects datagram headers and application services, but also applies stateful packet filtering principles. Stateful firewalls have two advantages: they operate more quickly than non-stateful firewalls, because they do not need to inspect every packet belonging to an existing authorized communication, and they do not rely only on the TCP ACK flag to recognize such packets.
Si.Net Iwall defines four connection states. The protocol, the source and destination IPs and the source and destination ports determine each state:

- New: a client attempts to contact a server.
- Established: the state changes from New to Established when the server answers; otherwise the new communication expires after a certain inactivity time.
- Related: a related connection is one that has an association with an Established connection but with a different protocol, source or destination IP address, or source or destination port. An example of a related connection is the ICMP datagram sent by a router when a communication across an established connection is interrupted.
- Invalid: an error occurred while processing the datagram.

Fields:
Rules are matched on the following fields:

- Protocol: tcp, udp or icmp
- Input interface
- Output interface
- Source IP
- Destination IP

For TCP datagrams, the following fields are also used:

- Source port
- Destination port
- SYN and other TCP flags
- TCP options
- Type of service

For UDP datagrams, the following fields are also used:

- Source port
- Destination port

For ICMP datagrams, the ICMP type is also used.

Si.Net Iwall can also filter on the source MAC address. It can perform source and destination NAT and has anti-spoofing capabilities.

Si.Net Iwall also has an auto-regenerating system for the firewall rules: if they are deleted in an inappropriate way, the last known rule configuration is restored. If no rules are active, the default actions are:
- deny all traffic from the outside zone
- deny all packet forwarding between the different zones
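As an added illustration (not Si.Net's own code; the page does not describe Iwall's internals), the following Python sketch models the four connection states, the protocol/IP/port fields and the default outside-zone policy described above. The Packet fields, the keying of ICMP on its type, the idle timeout value and the (destination IP, port) rule shape are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Key from the page's state definition: protocol, source/destination IP and ports
# (assumed simplification: ICMP has no ports, so its key carries the ICMP type as sport and 0 as dport).
Key = Tuple[str, str, int, str, int]

@dataclass
class Packet:
    proto: str                         # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str                      # input interface: "outside", "inside" or "dmz"
    syn: bool = False                  # TCP SYN flag
    related_to: Optional[Key] = None   # inner 5-tuple quoted by an ICMP error (constructed field)

class StateTable:
    """Labels each packet NEW, ESTABLISHED, RELATED or INVALID from a table of tracked connections."""
    def __init__(self, idle_timeout: int = 60):
        self.conns: Dict[Key, Tuple[str, int]] = {}   # key -> (state, last_seen)
        self.timeout = idle_timeout

    def classify(self, p: Packet, now: int) -> str:
        # Drop entries idle longer than the timeout, so a NEW that was never answered disappears.
        for k in [k for k, (_, seen) in self.conns.items() if now - seen > self.timeout]:
            del self.conns[k]
        fwd: Key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev: Key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if rev in self.conns:                        # the server answered: NEW -> ESTABLISHED
            self.conns[rev] = ("ESTABLISHED", now)
            return "ESTABLISHED"
        if fwd in self.conns:                        # same direction as the tracked connection
            self.conns[fwd] = (self.conns[fwd][0], now)
            return self.conns[fwd][0]
        if p.proto == "icmp" and p.related_to in self.conns:
            return "RELATED"                         # ICMP error about a tracked connection
        if p.proto == "tcp" and not p.syn:
            return "INVALID"                         # mid-stream TCP with no tracked connection
        self.conns[fwd] = ("NEW", now)
        return "NEW"

def decide(p: Packet, state: str, accept_new: Set[Tuple[str, int]]) -> str:
    """Replies/related pass, INVALID is dropped, NEW from outside is rejected unless a rule accepts it."""
    if state in ("ESTABLISHED", "RELATED"):
        return "accept"
    if state == "INVALID":
        return "drop"
    if p.in_iface == "outside" and (p.dst, p.dport) not in accept_new:
        return "reject"
    return "accept"
```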

An alarm system generates the appropriate alarms when firewall rules are violated.

Si.Net Iwall also implements VPN tunneling in GRE mode and in IPsec mode. It can also act as a DHCP server.

Si.Net Iwall has an integrated Intrusion Detection System that reduces the number of false positives. It also blocks the otherwise allowed traffic in case of an attack on Iwall.

The built-in IDS has the following features:

- Real-time monitoring of the traffic and real-time alert generation
- Processing of the generated alerts through a web interface
- Regular updates of the detection rules
- Several sensors on the same hardware instead of several standalone sensors

All contents Copyright © SINET All Rights Reserved