firewall
Firewalls protect data networks. From a business standpoint, data networks are vulnerable and need protection because of:
- The confidentiality of data residing within and traveling across a network
- The integrity of the above data
- The availability of a network and its components

A firewall can help ensure the confidentiality, the integrity and the availability of a network by granting or denying access to the network resources.

SI.Net Firewall is a firewall system that helps protect your network against attacks that compromise the confidentiality, the integrity and the availability of your data and networks.

SI.Net Firewall is a firewall appliance that supports several interfaces:
- Outside: one interface connected to the outside world. This interface has the lowest security level.
- Inside: one interface connected to the local network.
- DMZ: one or more additional interfaces where you can connect some servers or parts of your network to separate them from your main local area network.


Characteristics:

SI.Net Firewall has three main characteristics:

Actions:
The following actions are defined:
- Accept: allow an authorized packet to reach the inside networks.
- Drop: drop the unauthorized packets without notifying the sender.
- Reject: drop the unauthorized packets and send an ICMP error message to the sender notifying him of the unavailability of the host of the service.

Rules:
SI.Net Firewall uses a set of rules to accept or block packets. These rules can be configured using a web interface (HTTPS).

States:
SI.Net Firewall is a multi-layered stateful firewall. It inspects datagram headers and application services, and also applies stateful packet filtering principles.
Stateful firewalls have two advantages. They operate more quickly than non-stateful firewalls because they do not need to inspect packets belonging to existing authorized communications. They are also more secure because they keep a state table for the connections rather than relying only on the ACK TCP flag.
SI.Net Firewall defines four connection states. A protocol, source and destination IPs and ports determine each state:
- New: a client attempts to contact a server.
- Established: the state changes from New to Established when the server answers; otherwise, the new connection is removed at the end of the communication or after a certain inactivity time.
- Related: a related connection is one that has an association with an Established connection but with a different protocol, source or destination IP addresses, or source or destination ports. An example of a related connection is the ICMP datagram sent by a router when a communication across an established connection is interrupted.
- Invalid: when an error occurs during the processing of a datagram.
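
The four states above can be modelled with a small connection table keyed on protocol, addresses and ports. The following Python model is an added example, not SI.Net Firewall code; the packet field names, the sample addresses used to exercise it and the 30-second inactivity timeout are assumptions.

```python
from collections import namedtuple

# Constructed model: field names and the 30 s timeout are assumptions.
Packet = namedtuple("Packet", "proto src sport dst dport flags icmp_inner",
                    defaults=("", None))
TIMEOUT = 30  # seconds of inactivity before an entry is removed


class StateTable:
    def __init__(self):
        self.conns = {}  # flow key -> [state, last_seen]

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(k):
        proto, src, sport, dst, dport = k
        return (proto, dst, dport, src, sport)

    def classify(self, p, now):
        # Remove connections that exceeded the inactivity time.
        self.conns = {k: v for k, v in self.conns.items()
                      if now - v[1] <= TIMEOUT}
        # ICMP error: RELATED only if it quotes a tracked connection.
        if p.proto == "icmp" and p.icmp_inner is not None:
            k = self.key(p.icmp_inner)
            known = k in self.conns or self.reverse(k) in self.conns
            return "RELATED" if known else "INVALID"
        k = self.key(p)
        if k in self.conns:                  # same direction as the opener
            self.conns[k][1] = now
            return self.conns[k][0]
        r = self.reverse(k)
        if r in self.conns:                  # the server answered
            self.conns[r] = ["ESTABLISHED", now]
            return "ESTABLISHED"
        # Untracked TCP must start with a bare SYN; a stray ACK is refused
        # even though a filter checking only the ACK flag would pass it.
        if p.proto == "tcp" and p.flags != "S":
            return "INVALID"
        self.conns[k] = ["NEW", now]
        return "NEW"
```

A rule set built on this table would accept Established and Related packets early, drop Invalid ones, and evaluate the configured rules only for New packets.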

We use the following fields:
- Protocol: TCP, UDP or ICMP
- Input interface
- Output interface
- Source IP
- Destination IP

For the TCP datagrams, we are also using:
- Source port
- Destination port
- SYN and other TCP flags
- TCP options
- Type of service

For the UDP datagrams, we are also using:
- Source port
- Destination port

For the ICMP datagrams, we are also using the ICMP type.

SI.Net Firewall also filters using the source MAC address. It can perform source and destination NAT and has anti-spoofing capabilities.

SI.Net Firewall also has an auto-regenerating system for the firewall rules in case they are deleted in an inappropriate way. The last known configuration for the rules will be restored. If no rules are active, the default actions are:
- Deny all traffic from the outside zone
- Deny all packet forwarding between the different zones

An alarm system is implemented to generate the appropriate alarms when firewall rules are violated.

SI.Net Firewall also implements VPN tunneling in GRE mode and in IPSEC mode. It can also act as a DHCP server.

SI.Net Firewall also blocks the allowed traffic in case of an attack on the firewall.

All contents Copyright © SINET All Rights Reserved