Launch of the Managed Firewall service
Almost a month ago we invited, through the ticket system, all customers who host or rent dedicated servers with us to take part in closed testing of our new service, Managed Firewall. It is now ready for public use.
What is it?
Managed Firewall is a service that provides a protected Internet channel behind a managed firewall. Its job is to inspect and filter the network packets passing through it according to the configured policies and screen options.
We have simplified billing as far as possible: the only metered parameter is the bandwidth of the protected channel, which can be increased in steps of 5 Mbps.
The service can only be enabled for physical servers located in our St. Petersburg data centers; it is not yet available in Moscow.
To start using it, you need at least one dedicated subnet for your servers in the St. Petersburg data centers and you must pay for the required amount of protected bandwidth.
The protected bandwidth is a resource in its own right, and any of your subnets (paid, free, or PI addresses) can be attached to it. Moving a subnet from the unprotected network behind the firewall is done manually at a time agreed with you; the subnet is unreachable for about one minute during the move.
Once the firewall service is active, the protected bandwidth can be changed on the fly through the control panel. Neither increasing nor decreasing it causes any downtime.
Getting started
By default, protection is switched off: traffic already passes through the firewall, but no action is taken on it. After paying for the firewall service and moving a subnet behind it, you get access to the firewall control panel, which shows a graph of protected-bandwidth utilization, a graph with counters of "bad" traffic, and tabs for managing the policies and the screen options used to validate traffic.
Traffic validation process
A packet is first looked up in the session table. If it does not belong to an existing session, it passes through the screen and then through the chain of policies; if no anomaly is detected and the policies do not block it, the packet is delivered to the destination address. If the packet does belong to an existing session, it is sent straight to the screen for anomaly checks, skips the policy chain, and is then delivered to the destination address. Policies can be defined in both directions, for incoming and for outgoing traffic, while the screen inspects all traffic crossing the firewall regardless of direction. A policy for one direction does not oblige you to also allow the reply from the destination address: a session covers both directions, so reply packets are matched to the session rather than to the policy chain.
To protect specific IP addresses from your subnet, add them on the Addresses tab. Once added, they can be selected as the source or destination address when creating policies. On the same tab you can also add any other IP addresses (not only your own, but also external ones) for later use in policies.
When passing through the screen, each packet is checked for the following kinds of attacks and anomalies:
- IP spoofing;
- port scans;
- ping scans;
- WinNuke attacks;
- Land attacks;
- Teardrop attacks;
- fragmented ICMP packets;
- Ping of Death;
- oversized ICMP packets;
- fragmented traffic;
- SYN fragments;
- TCP packets with no flags set;
- packets with the FIN flag set but not ACK;
- packets with the SYN and FIN flags set at the same time;
- packets with invalid headers;
- and others.
When creating a policy, you choose the direction to filter: from the Internet to the protected zone or the reverse. Besides the direction, a policy contains a source address, a destination address and a destination port (application). A policy also specifies the action taken on the packet: allow, deny, or reject (deny and notify the sender that the destination is unavailable). A graph of the bandwidth consumed by each policy is available. Policy order matters: policies are evaluated sequentially and the first match wins; if no policy matches, the default policy applies, which is deny.
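To make the pipeline above concrete, here is an added Python model of it: session lookup first, then the screen, then the ordered policy chain with a default deny, with reply packets of an established session skipping the policy walk. This is example code written for this post, not the service's own implementation; the specific screen checks it implements, the 1024-byte "large ICMP" threshold, the policy matching fields and all sample addresses and packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Model of the stateful pipeline: session lookup -> screen -> policy chain -> default deny.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"SYN"}
    fragment: bool = False                  # packet is an IP fragment
    length: int = 64                        # total IP length in bytes


@dataclass(frozen=True)
class Policy:
    direction: str      # "in" = Internet -> protected zone, "out" = the reverse
    src: str            # address or "any"
    dst: str            # address or "any"
    dport: Optional[int]  # None = any port
    action: str         # "allow", "deny" or "reject"


LARGE_ICMP = 1024       # assumed threshold; the service does not publish its value


class Firewall:
    def __init__(self, protected: str, policies):
        self.protected = ipaddress.ip_network(protected)
        self.policies = list(policies)
        self.sessions = set()   # 5-tuples of sessions admitted by a policy
        self.bad = Counter()    # per-check "bad traffic" counters

    def direction(self, p: Packet) -> str:
        return "in" if ipaddress.ip_address(p.dst) in self.protected else "out"

    def screen(self, p: Packet) -> Optional[str]:
        """Return the name of the first anomaly found, or None if the packet is clean."""
        if p.src == p.dst:
            return "land"
        if self.direction(p) == "in" and ipaddress.ip_address(p.src) in self.protected:
            return "ip-spoofing"        # Internet-side packet claims a protected source
        if p.proto == "tcp":
            f = p.flags
            if not f:
                return "tcp-no-flags"
            if {"SYN", "FIN"} <= f:
                return "syn-fin"
            if "FIN" in f and "ACK" not in f:
                return "fin-without-ack"
            if "SYN" in f and p.fragment:
                return "syn-fragment"
            if "URG" in f and p.dport == 139:
                return "winnuke"        # out-of-band data to the NetBIOS session port
        if p.proto == "icmp":
            if p.fragment:
                return "icmp-fragment"
            if p.length > LARGE_ICMP:
                return "large-icmp"
        return None

    def match_policy(self, p: Packet) -> Optional[Policy]:
        d = self.direction(p)
        for pol in self.policies:       # evaluated in order: first match wins
            if (pol.direction == d and pol.src in ("any", p.src)
                    and pol.dst in ("any", p.dst) and pol.dport in (None, p.dport)):
                return pol
        return None

    def process(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        anomaly = self.screen(p)        # the screen sees every packet in both directions
        if anomaly:
            self.bad[anomaly] += 1
            return "drop:" + anomaly
        if key in self.sessions or reply in self.sessions:
            return "allow:session"      # established session: policy chain is skipped
        pol = self.match_policy(p)
        action = pol.action if pol else "deny"   # no match -> default policy, deny
        if action == "allow":
            self.sessions.add(key)
        return action + ":policy"


def demo():
    fw = Firewall("203.0.113.0/24", [
        Policy("in", "198.51.100.99", "any", None, "deny"),      # blocked host, listed first
        Policy("in", "any", "203.0.113.10", 443, "allow"),
        Policy("in", "198.51.100.5", "203.0.113.10", 22, "allow"),
        Policy("in", "any", "203.0.113.10", 25, "reject"),
    ])
    S, SA, SF = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"SYN", "FIN"})
    traffic = [  # constructed sample packets
        Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 443, S),   # new HTTPS session
        Packet("203.0.113.10", "198.51.100.7", "tcp", 443, 40000, SA),  # reply, no "out" policy needed
        Packet("198.51.100.7", "203.0.113.10", "tcp", 40001, 22, S),    # SSH from an unlisted host
        Packet("198.51.100.99", "203.0.113.10", "tcp", 40002, 443, S),  # hits the deny before the allow
        Packet("198.51.100.7", "203.0.113.10", "tcp", 40003, 25, S),    # reject: sender is notified
        Packet("198.51.100.7", "203.0.113.10", "tcp", 40004, 443, SF),  # SYN+FIN anomaly
        Packet("203.0.113.5", "203.0.113.10", "tcp", 40005, 443, S),    # spoofed protected source
        Packet("198.51.100.7", "203.0.113.10", "icmp", length=2000),    # oversized ping
    ]
    return [fw.process(p) for p in traffic], dict(fw.bad)


if __name__ == "__main__":
    verdicts, counters = demo()
    for v in verdicts:
        print(v)
    print(counters)
```

The verdict for the SYN-ACK shows why the post says unidirectional policies are enough: the reply is matched to the session created by the inbound allow and never reaches the policy chain, whereas the packet from 198.51.100.99 is denied even though a later policy would have allowed port 443, because the chain stops at the first match.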