Disclaimer, this is not a legal document, it is a design document written by engineers. We will try our best to keep this as up to date as possible. And to be nerdy, the best reference is still code, https://github.com/firewalla/firewalla Firewalla is open source.
If you have questions or want to know more please send us email firstname.lastname@example.org we will add your question to the FAQ section.
Design Overview -
- Keep data local on the firewalla box.
- Anything sends to the cloud should be one way encrypted. (unless specified here)
- App to Firewalla box communication must be encrypted. The private encryption keys are stored on the customer's equipment. No access from Firewalla Company.
- Firewalla's IDS and IPS functions run inside the Red or Blue Box.
- Portions of Meta Data will be sent to the cloud if needed. See the Cloud section.
- Unless specified, all data remain local on the Firewalla Box
- Firewalla Box only looks at the unencrypted portion of the traffic.
- IP Header
- Protocol Headers (TCP, https, ssh ...)
- Port Numbers
- Domain Name
- Duration of the flow
- Length transferred (upload / download)
- Firewalla Box may also look at known vulnerabilities locally based on the network traffic. This may involve looking at the unencrypted data.
- Firewalla cannot look inside https connections. For example, you are browsing https://chase.com/something Firewalla will know, you are going to chase.com, but not the /something and anything transmitted, Firewalla will not know.
- Firewalla App and the Firewalla Box communicates via an encrypted tunnel. When you load data/flows on your phone from Firewalla, your content is encrypted end to end. The 'private' keys for this encryption are stored on Firewalla box and inside of the keychain of your app, Firewalla cloud will only have the public keys, which is needed to pair the devices.
- Firewalla App/Box to the cloud are encrypted using the normal https protocol.
- The private key + your license number is the account number.
Local Data Storage
- All the detail flow data are stored on the Firewalla Box.
- All private keys are stored on Firewalla Box + App's keychain (Android app may store in local storage and we are changing in the future)
The Firewalla Cloud most of the time will work only with Meta Data and Hashed Data (one way encrypted). The cloud will only know your devices visited sites computed using SHA hash. The Hash's are not clear text.
- Clear Text
- The cloud will store your device names in cleartext. (This is used to send you notifications)
- The cloud may store your device type. (iPhone, iPad, Thermostat, etc ...)
- The cloud will store the OUI part of your device MAC address. (This is for identification processing)
- Your email (or whatever you registered) when loading the app.
- The public key generated when you first register.
- The IP address your Firewalla is connecting from. This is to track license usage.
- Hashed / One-way encrypted data
- Device profiles
- Temporary / transitory / Clear text
- Hashed flow data for lookups. (less than a few seconds)
- Debug logs. (rotated every 6 or 24 hours)
- Alert/Alarms. (less than a few seconds, or until they are sent to your phone, some alarms may stay in debug logs for less than 24 hours)
- Family protect uses OpenDNS servers. Please see https://opendns.com for more information
- Debug information may be sent and will be used to make the system more stable.
WEB INTERFACE - PRE-ALPHA
For those of you who are using the web interface prototype, the data visibility is a bit different
- When you scan the QR code and login to the WEB system, your encryption keys will be temporarily shared with the webserver for the duration of the login. At the moment of writing this, it is 12 to 24 hours. After, the encryption key will be wiped from the system.
- The webserver during the prototype and beta stage may have debug-logs, and traces to help us improve the system. Logs are rotated 24 hours to 7 days.
- The webserver will dynamically decrypt and encrypt communications between Firewalla Blue/Gold and the webserver
What is an SHA hash or one way encryption?
The string https://a.test.site.com/cool.html is hashed to 537387EC17E1158DE52E2FEAEF15BFFAFCA04ED69F5FD52E71B61D3203F0AB1F
As you can see it is impossible (at the moment) to decrypt 537387EC17E1158DE52E2FEAEF15BFFAFCA04ED69F5FD52E71B61D3203F0AB1F back to the clear text url.
Can firewalla see which youtube video is being watched?
No. Firewalla can only see youtube is being used, video information is normally encrypted via https.
Can you access the firewalla box remotely?
Firewalla support can access your box only when you allow us to. Without you giving us the access keys, we have no way of getting into the box.
Can you see or log all internet traffic?
Internet traffic is logged and stored locally on the box. Anything sends to the cloud is likely to be one way encrypted via SHA hash. See "Cloud"
Can you see or log all local network traffic?
Firewalla does not see local to local traffic. It only sees WAN traffic.
Do you need a firewalla account?
There is no firewalla account. "Firewalla User" is simply the public key (generated every time you reset the box) and the license number that came with Firewalla. We may be asked for your email, and that is entirely for communication purposes.
How are iOS notifications generated, where are they stored, and how are they analyzed?
iOS/Android notifications are generated on Firewalla Box example "laptop is being attacked by 18.104.22.168". This text string then is sent to the cloud via https encryption and the cloud will tell apple via https encryption. We may change this string for localization or other services before sending them to apple/google. Apple/Google will then send the string to your phone via their own encryption protocol.
And how can any and all data collection and analytics be disabled?
Depends on what service. Take the iOS notifications as an example, you can disable notifications in our settings, then you won't be able to receive anything ... You still can pull down and load alarms, but that is a manual process. Disabling security events will render the IPS/IDS functionality to be not useful.