PART 3: Protect
Firewalla can utilize deep insight at the network flow level together with your control policies, mixing our unique behavioral analytics engine using millions of Active Protect entries to actively protect your network.
How does Firewalla Active Protect work?
Firewalla Red through Blue Plus are single-port devices with two logical ports (input and output), so all data traffic flows from your ISP through Firewalla to your devices. Firewalla Purple and Gold are multi-port devices that are usually physically inline as well, so all egress (outbound) and ingress (inbound) data is monitored, assessed, and managed by Firewalla.
To protect your network, Firewalla internally has several layers of protection that every data flow is compared against. These all work in concert to determine which traffic is risky, then either block it or warn you so you can make the final decision.
Here is a quick tutorial on what we do exactly under the covers.
For connections that are certain to be “bad”, Firewalla can block them automatically. For connections that are questionable but possibly legitimate, alarms will be raised and you will be given the option to block the connections. There can be uncertainty because the same servers that host legitimate, safe websites sometimes house shady actors too, and bad guys often stay on the move and change tactics to avoid detection.
What does Firewalla Active Protect do?
1. Security Protection
When running in router mode, every Firewalla has a stateful ingress firewall (from the outside to the inside of your network). This is the "block Traffic from Internet" rule, which blocks anything coming into your network.
Firewalla is also an egress firewall (filtering traffic from the inside out). See PART 2: Control.
Keep Active Protect On
Active Protect is an IDS/IPS (Intrusion Detection Service / Intrusion Prevention Service) provided by Firewalla. It automatically:
- detects suspicious activities by analyzing traffic going in and out of your network
- blocks high-risk types of connections
- alerts you to abnormal activities via alarms and notifications
Active Protect uses both signature-based algorithms and behavioral analytics to detect anomalies. For example, it utilizes machine learning to establish the "normal" upload behavior of a device, and if any "abnormal" upload activity occurs, it generates an "abnormal upload" alarm. You can then evaluate and decide what action to take. Learn more about Abnormal Upload Alarms.
Active Protect can also detect attacks using known signatures.
Active Protect is enabled by default and forms a baseline defense against cyberattacks for the whole network as soon as your Firewalla is on duty, even without any other configurations. Keep it on unless you need to run testing. Changing Active Protect from Default to Strict Mode blocks more connections and makes your network more secure.
1.1. Behavioral Detection
Firewalla's IDS/IPS can understand the intent of the attacker (or user) and, based on that intent, take action, generate alarms, or block. Unlike signature-based detection, this type of detection looks beyond pattern matching and deeply at what is actually happening (some of this is done via traditional IDS/IPS on the network). Examples:
- Detect SSH login failure attempts and generate alarms.
- Detect/block Heartbleed attacks (also signature-based).
- Detect unusual uploads or transfers of data.
There are some forms of machine learning involved.
Some of the IDS/IPS are also signature-based.
Some may refer to this as anomaly-based detection.
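The baseline-and-deviation idea behind the "abnormal upload" alarm in 1.1 (and in "Keep Active Protect On" above), as an added illustration that is not Firewalla's code: it learns each device's normal upload volume from past samples and raises an alarm when a new sample is far outside that range. The window size, the z-score threshold and the absolute floor are assumptions.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

LEARN_WINDOW = 24           # samples kept per device (assumption: one per hour)
MIN_SAMPLES = 6             # no alarms until a device has this much history
Z_THRESHOLD = 4.0           # standard deviations above the mean that count as abnormal
ABS_FLOOR = 5 * 1024 ** 2   # bytes; never alarm below this, so idle devices stay quiet

class UploadBaseline:
    """Per-device baseline of upload volume, one way an 'abnormal upload' alarm
    can be modelled: learn what is normal, then flag samples far outside it."""

    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=LEARN_WINDOW))

    def observe(self, device, upload_bytes):
        """Feed one sample; return an alarm dict if it is abnormal, else None."""
        hist = self.history[device]
        if len(hist) >= MIN_SAMPLES and upload_bytes >= ABS_FLOOR:
            mu, sigma = mean(hist), pstdev(hist)
            if sigma > 0:
                z = (upload_bytes - mu) / sigma
            else:                        # flat baseline: any increase is "infinitely" far
                z = float("inf") if upload_bytes > mu else 0.0
            if z > Z_THRESHOLD:
                # Abnormal samples are not learned, so one burst cannot raise the baseline
                return {"type": "abnormal_upload", "device": device,
                        "bytes": upload_bytes, "baseline_mean": round(mu), "z": z}
        hist.append(upload_bytes)        # normal sample: becomes part of the baseline
        return None
```

With constructed hourly samples, a camera that normally uploads about 10 MB and then pushes 500 MB in one hour triggers the alarm, while a flat baseline only alarms on a real increase.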
1.2. Signature-Based Detection
Firewalla has an extensive network of security intelligence feeds. These feeds are extremely large (far more than a typical small computer can handle) and dynamic (the reputation of a site changes often). When a network flow is generated, or about to be generated, Firewalla uses a two-stage lookup system on the Firewalla box. For performance reasons, the most frequently used intel is periodically synced to the Firewalla box.
- Identify the flow (source and destination) via DNS and also inline via TLS header sniffing (TLS header sniffing covers cases where DNS may be bypassed).
- Check local Firewalla intelligence to see if the flow needs to be blocked.
- Check whether there is a possibility this flow may be bad and, if needed, go to the cloud for a secondary check.
- You do not need to bring in your own lists, but if you do, see 1.3 (Target Lists).
1.2.1 Strict vs Default Active Protect
Strict mode checks the cloud more often, and the probability of blocking a flow is also higher.
1.2.2 Why Alarms? Can't everything be blocked immediately?
The Firewalla system is reputation-based, and the reputation of activities and sites changes over time. Because of this, an always-block policy would likely cause false positives and disturb your internet experience. That is why there are two modes, Active Protect Default and Active Protect Strict; the first blocks somewhat less than the latter.
Behavioral-based detections are also much harder to categorize, since the system does not know, for example, that you are traveling and need to watch your cameras from another country.
1.3. Target Lists
Since Firewalla's cloud already has a very large, dynamically computed list of security intel, there is no real need to import your own lists. But in case you want the flexibility, we do offer the target list function.
- A user-defined target list can be used to group domains and IP addresses together. There is a limit on the length of this list to prevent misconfiguring the system.
- Firewalla also automatically syncs some of the more popular lists (such as OISD and Log4j attack sites), and the system manages these for you automatically.
1.3.1 Difference between using target list to block vs Firewalla Active Protect
Firewalla Active Protect is dynamic and reputation-based, so it may not block a site if the site's reputation improves. A target list block always blocks, regardless of the site's reputation. Firewalla's intel is more dynamic: it can remove and add intel much faster than syncing a list.
Active Protect signatures are also constantly checked by the system to ensure there are no mistakes that would block legitimate sites. (The total size of this specialized signature list is >60 million entries as of 1/1/2022.)
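A toy model of the lookup order in 1.2, the Strict vs Default difference in 1.2.1 and the target list precedence in 1.3.1, added here as an illustration and not Firewalla's own code: the flow is named via DNS or the TLS SNI, a user target list blocks unconditionally, local intel settles clear cases, and only possibly-bad or unknown names trigger the secondary cloud check. The risk scores, mode thresholds and feed contents are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed thresholds per mode: (score at which we ask the cloud, score at which we block).
# Strict mode asks the cloud more often and blocks at a lower score (1.2.1).
MODES = {"default": (0.5, 0.8), "strict": (0.3, 0.6)}

@dataclass
class Flow:
    dst_ip: str
    dns_name: Optional[str] = None   # name learned from the DNS answer
    tls_sni: Optional[str] = None    # name sniffed inline from the TLS ClientHello

@dataclass
class ActiveProtectModel:
    mode: str = "default"
    target_list: set = field(default_factory=set)     # user list: always block (1.3.1)
    local_intel: dict = field(default_factory=dict)   # synced cache: name -> risk 0..1
    cloud_intel: dict = field(default_factory=dict)   # stand-in for the cloud feed
    cloud_queries: int = 0                            # counts secondary lookups

    def identify(self, flow: Flow) -> str:
        # DNS name first; the TLS SNI covers flows that bypassed DNS; else the bare IP
        return flow.dns_name or flow.tls_sni or flow.dst_ip

    def decide(self, flow: Flow) -> str:
        """Return 'block', 'alarm' or 'allow' for one flow."""
        name = self.identify(flow)
        if name in self.target_list:          # static list wins regardless of reputation
            return "block"
        ask_cloud_at, block_at = MODES[self.mode]
        score = self.local_intel.get(name)    # stage 1: local intel
        if score is not None and score >= block_at:
            return "block"                    # certain enough locally, no cloud round trip
        if score is None or score >= ask_cloud_at:
            self.cloud_queries += 1           # stage 2: possibly bad or unknown, ask the cloud
            score = self.cloud_intel.get(name, 0.0 if score is None else score)
        if score >= block_at:
            return "block"
        if score >= ask_cloud_at:             # questionable: alarm and let the user decide
            return "alarm"
        return "allow"
```

Running the same constructed feeds in both modes shows why Strict blocks more: a name that Default allows without a cloud lookup becomes an alarm in Strict, and a cloud score that Default only alarms on is blocked in Strict.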
2. New Device Quarantine
With New Device Quarantine turned on, all new devices joining the network will be automatically placed into a Quarantine group, and an alarm will be generated. You can:
- Control the quarantine group with any rules/policies (from blocking adult content to games) and use smart queues to rate-limit devices (available on the Purple/Gold).
- Have full visibility of the quarantined devices.
- Freely remove devices from the Quarantine group.
3. Trusted LAN
Active Protect doesn't just protect your devices on your local network. When you are on the road or at your favorite coffee shop, you can connect to the built-in VPN server on Firewalla to surf the internet as if you are at home with the same level of protection. Learn more about A Trusted LAN.
To test all your settings to verify if everything is working as expected, check this: How to validate Firewalla features?