PART 3: Protect
In addition to providing complete visibility into your network and giving you the tools you need to control how your network is used, Firewalla works in the background to continuously and actively shield your network from malicious entities.
Firewalla is a 24/7 barrier against suspicious connections that leverages network flow insights, your control policies, and our unique cloud-based behavioral analytics engine. As an Intrusion Detection System (IDS), Firewalla monitors your network and alerts you when it detects malicious activities and vulnerabilities. As an Intrusion Prevention System (IPS), Firewalla will automatically identify and block risky connections.
Firewalla uses several modes of protection to keep your devices as secure as possible:
- Ingress and Egress Firewalls
- Device Active Protect
- Active Protect
- On-The-Go Security
- Ask Firewalla AI Assistant
- FAQs
Firewalla also enables you to understand, evaluate, and take action to improve your network experience. To make sure your network is serving you as best as possible, learn more about how you can use your Firewalla to create a better network.
1. Ingress and Egress Firewalls
Ingress Firewall
When running in router mode, all Firewalla boxes have a stateful Ingress Firewall (covering network traffic coming from outside into your network). Because it is stateful, it blocks unsolicited inbound connection attempts while still allowing the return traffic of connections your own devices initiated, so it does NOT impact your normal traffic.
Egress Firewall
Firewalla is also an egress firewall, which filters traffic from the inside out. You can configure egress firewalls by setting up rules on your devices (see Part 2: Control for more information).
Segment Firewalls
The ingress and egress firewalls can also be applied to network segments on Firewalla boxes that support router mode. Here you can use ingress and egress firewalls to control the traffic going into and coming out of a segment. Learn more about creating and using network segments.
Learn more about what Firewalla can block.
2. Device Active Protect
In a Zero Trust Network, it’s important to give each device least privilege access; in other words, limit a device to access only what’s needed for it to function, and block everything else.
That’s why Firewalla offers Device Active Protect (DAP) to handle all the work for you. Firewalla will learn which connections are necessary, allow what’s trusted, and block everything else, while continuously optimizing the allowed connections over time.
This feature requires Firewalla App 1.66 + Box 1.981 or later. Learn more about Device Active Protect.
3. Active Protect
Active Protect is an IDS/IPS (Intrusion Detection System / Intrusion Prevention System) provided by Firewalla. It automatically:
- Detects suspicious activities by analyzing the traffic going in and out of your network
- Blocks high-risk connections
- Alerts you with alarms and notifications when it detects abnormal activities
Firewalla Red through Blue Plus are one-port devices with two logical ports (input and output) so all data traffic flows from your ISP through Firewalla to your devices.
Firewalla Purple and Gold are multi-port devices that are usually physically inline as well so all data egress (outbound) or ingress (inbound) is monitored, assessed, and managed by Firewalla.
Network-based Protection:
To protect your network internally, Active Protect has various layers of protection that all data flows are compared against. These all work in concert to determine what traffic is risky. Here is a quick tutorial on what exactly we do in the background.
For connections that are certain to be “bad,” Firewalla can block them automatically. For connections that are questionable but possibly legitimate, alarms will be raised, and you will be given the option to block the connections. Active Protect uses both signature-based algorithms and behavioral analytics to detect risky connections.
For example, if any "abnormal" upload activity occurs, Active Protect generates an "abnormal upload" alarm. From there, you can ignore the alarm or allow or block the activity. Learn more about Abnormal Upload Alarms.
Firewalla's system is based on reputation, and the reputation of activities and sites does change over time. Depending on the changes, an always-block policy will likely cause false positives and disturb your internet experience. Due to this, Firewalla offers two different configurations for Active Protect: Default Mode and Strict Mode.
- Strict Mode checks Firewalla's cloud database of security intel more often.
- In Strict Mode, the probability of blocking a flow instead of raising the alarm is higher.
- Strict Mode may raise more false positives due to its higher blocking probability.
Active Protect can only be paused when you manually turn off this feature or monitoring.
3.1 Behavioral Detection
Firewalla's IDS/IPS can infer an attacker's (or user's) intent. Based on that intent, Firewalla can generate alarms or block their access. Unlike signature-based detection, this type of detection looks beyond pattern matching and dives deep into what is actually happening. Some of this detection is done via traditional IDS/IPS on the network. Behavioral detection can:
- Detect SSH login failure attempts and generate alarms
- Detect/block Heartbleed attacks
- Detect unusual uploads or transfers of data
Firewalla's behavioral detection is informed in part by machine learning, and some of it also overlaps with signature-based methods. This approach is commonly referred to as anomaly-based detection.
3.2 Signature-Based Detection
Firewalla Intelligence has access to an extensive network of security intelligence feeds. These feeds are extremely large (much more than a typical small computer can handle) and dynamic (the reputation of sites changes often). When network flows are generated or about to be generated, Firewalla will use a two-stage lookup system from the Firewalla box. For performance reasons, the most frequently used intel is always synced to each Firewalla box periodically.
Signature-based detection works by:
- Identifying the flow (source and destination) via DNS and with TLS header sniffing (TLS header sniffing can watch out for cases where DNS may be bypassed).
- Checking its IP address/port to see its origin and intended destination.
- Checking local Firewalla intelligence to see if the flow needs to be blocked.
- Checking if there is a possibility that this flow may be bad and referencing the Cloud for a secondary check if needed.
- Checking against user-defined Target Lists (you do not need to bring in your own lists for signature-based detection to work).
Since Firewalla has to track millions and millions of sites, we attach a reputation score to each site to make the decision tractable. This reputation score is not a binary good-or-bad rating, but rather a score on a scale between good and bad. Over time, a site's reputation may change due to many factors. If a site's reputation is not that bad but not that good either, you may receive an alarm; if it is bad, it may result in a block and an alarm.
Target List
Since Firewalla already has a very large database of dynamic security intel, there is no reason to import your own list unless you want to. However, we do offer the target list function in case you want to choose your own targets.
- A user-defined target list can be used to group domains and IPs together. There is a limit on the length of this list to prevent harm to the system.
- Firewalla also automatically syncs some of the more popular lists (such as OISD and log4j attack sites). Firewalla automatically manages these for you.
Active Protect is dynamic and reputation-based, so it may not block a site if it has a good reputation. If you create a rule to block a target list, the target list entries will always be blocked, regardless of the site's reputation.
Firewalla's signatures are constantly being checked by the system to ensure there are no mistakes that may block legit sites. Additionally, since Firewalla's intel is dynamically managed, Firewalla may be able to remove and add intel much faster than manually syncing a target list. The total size of Firewalla's specialized signature list is >60 million entries as of 1/1/2022.
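To make the signature-based lookup, the reputation scale, and the target-list override concrete, here is an added toy model written for this page; it is not Firewalla's code and does not reflect its real thresholds, intel format, or cache policy. The local and cloud intel tables, the 0.0 to 1.0 score scale, the alarm and block thresholds, the user target list, and the sample flows are all constructed for the example.

```python
"""Toy model of a two-stage (local cache, then cloud) reputation lookup with a
user target-list override. Added illustration, not Firewalla's implementation."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed local cache: the "most frequently used intel" synced to the box.
# Scores run 0.0 (clean) .. 1.0 (known bad); this scale is an assumption.
LOCAL_INTEL = {
    "cdn.example-good.test": 0.05,
    "ads.example-meh.test": 0.50,
    "tracker.example-shady.test": 0.55,
    "c2.example-malicious.test": 0.95,
}

# Constructed cloud intel: larger, consulted only when the local cache has no answer.
CLOUD_INTEL = {
    "rare.example-malicious.test": 0.90,
    "rare.example-fine.test": 0.10,
}

# Constructed user-defined target list (domains and IPs). Rule-based: always blocked.
USER_TARGET_LIST = {"tracker.example-shady.test", "203.0.113.7"}

ALARM_THRESHOLD = 0.4   # assumed: at or above this, raise an alarm
BLOCK_THRESHOLD = 0.8   # assumed: at or above this, block as well


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    domain: Optional[str]   # from DNS or TLS SNI; None if the client dialed an IP


@dataclass
class Verdict:
    action: str             # "allow", "alarm" or "block"
    reason: str
    cloud_lookups: int      # how many times the cloud had to be consulted


def two_stage_lookup(key: str) -> Tuple[Optional[float], int]:
    """Stage 1: local cache. Stage 2: cloud, only if the local cache is silent.
    Returns (score or None, number of cloud lookups performed)."""
    if key in LOCAL_INTEL:
        return LOCAL_INTEL[key], 0
    return CLOUD_INTEL.get(key), 1


def evaluate(flow: Flow) -> Verdict:
    """Decide allow / alarm / block for one flow."""
    # Identify the flow: prefer the name (DNS/SNI), fall back to the destination IP.
    key = flow.domain or flow.dst_ip
    # A user target-list rule is deterministic and ignores reputation entirely.
    if key in USER_TARGET_LIST:
        return Verdict("block", f"{key} matched user target list", 0)
    score, lookups = two_stage_lookup(key)
    if score is None:
        return Verdict("allow", f"no intel for {key}", lookups)
    if score >= BLOCK_THRESHOLD:
        return Verdict("block", f"{key} reputation {score:.2f} is bad", lookups)
    if score >= ALARM_THRESHOLD:
        return Verdict("alarm", f"{key} reputation {score:.2f} is questionable", lookups)
    return Verdict("allow", f"{key} reputation {score:.2f} is good", lookups)


if __name__ == "__main__":
    samples = [
        Flow("192.168.1.10", "198.51.100.1", 443, "cdn.example-good.test"),
        Flow("192.168.1.10", "198.51.100.1", 443, "ads.example-meh.test"),
        Flow("192.168.1.10", "198.51.100.1", 443, "tracker.example-shady.test"),
        Flow("192.168.1.10", "198.51.100.2", 443, "rare.example-malicious.test"),
        Flow("192.168.1.10", "203.0.113.7", 8443, None),
    ]
    for flow in samples:
        v = evaluate(flow)
        print(f"{v.action:5s} (cloud lookups: {v.cloud_lookups}) {v.reason}")
```

Note how `tracker.example-shady.test` would only raise an alarm on reputation alone (0.55), but the target-list rule blocks it outright, and how the IP-only flow is still caught because target lists can hold addresses as well as names.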
3.3 Multi-Engine Active Protect
Firewalla offers multiple Active Protect engines that can run in parallel with each other:
- Default Engine: The built-in, default IDS/IPS engine that comes with each Firewalla box.
- Suricata Engine: A signature-based, open-source engine to identify even more threats.
- MSP-based Engine: Deeper behavior-based detection with Firewalla MSP.
Suricata Engine
In addition to Firewalla's Default engine, Suricata provides a more advanced layer of signature-based detection. It's designed for high performance and can inspect traffic at greater depth and speed, using a much larger and actively maintained set of open-source threat signatures.
With Suricata, your Firewalla can detect a wider range of attacks, from malware infections to targeted exploits, and respond faster when suspicious activity is found.
- Available for Firewalla Gold Pro boxes only. Learn more about other platform support here.
- Suricata is extremely hardware-intensive, and running it in parallel with the Default Engine could impact performance slightly. If you experience any performance issues while running Suricata, please disable it or contact us at help@firewalla.com.
- This feature requires Firewalla App 1.66 + Box 1.981 or later.
MSP-Based Engine
Firewalla MSP supports up to 30 or 180 days of flow history, allowing deeper behavioral pattern analysis of your network and alarm activities. MSP Active Protect offers Alarm Optimizer, which archives alarms identified as “normal” behavior, and Advanced Behavioral Alarm, to generate new alarms for anomalies. This engine focuses more on “behavioral” based detection.
- MSP Active Protect can only be managed with Firewalla MSP.
- Learn more about how to enable MSP Active Protect.
4. On-The-Go Security
Firewalla doesn't just protect your devices at home. When you are on the road or at your favorite coffee shop, you can connect to Firewalla's built-in VPN server to surf the internet as if you are at home, with the same level of protection. Learn more about how Firewalla can protect you while you're not at home.
5. Ask Firewalla AI Assistant
Firewalla's built-in smart assistant, Firewalla AI, helps you make smart network decisions easily. Ask AI for help understanding an alarm, learning about unknown domains, or identifying unknown devices with just a tap of a button. Learn more about Firewalla AI Assistant here.
6. FAQ
Default vs. Domain-Only Blocking
When you set up a domain-blocking firewall, you can choose between Default and Domain-Only modes. In Default mode, if two different domains map to the same IP address, then blocking one domain blocks the other as well. Domain-Only mode is a less restrictive option that won't block other domains hosted on the same IP. However, some applications access servers by IP address rather than domain, so Domain-Only rules may not work as intended.
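The two side effects described in this FAQ (collateral blocking of a co-hosted domain in Default mode, and an IP-only connection slipping past a Domain-Only rule) are easy to lose track of, so here is an added simulation written for this page. It is not Firewalla's rule engine; the DNS table, the rule domain and the sample connections are constructed, and the assumption that Default mode learns the blocked IPs from observed DNS answers is a simplification made for the example.

```python
"""Toy model of Default vs Domain-Only domain-blocking rules.
Added illustration, not Firewalla's implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed DNS table: two unrelated domains share one IP, as on a CDN or shared host.
DNS_TABLE: Dict[str, str] = {
    "blocked.example.test": "198.51.100.10",
    "shared.example.test": "198.51.100.10",
    "other.example.test": "198.51.100.20",
}


@dataclass(frozen=True)
class Connection:
    dst_ip: str
    domain: Optional[str]   # name the client asked for (DNS/SNI); None if it dialed an IP


class DomainBlockRule:
    def __init__(self, domain: str, mode: str):
        if mode not in ("default", "domain-only"):
            raise ValueError("mode must be 'default' or 'domain-only'")
        self.domain = domain
        self.mode = mode
        self.blocked_ips: Set[str] = set()

    def observe_dns(self, qname: str, answer_ip: str) -> None:
        """Feed a DNS answer seen on the network. In Default mode, an answer for
        the rule's domain adds that IP to the block set (assumed behaviour)."""
        if self.mode == "default" and qname == self.domain:
            self.blocked_ips.add(answer_ip)

    def blocks(self, conn: Connection) -> bool:
        if self.mode == "default":
            # Default mode works at the IP layer: any traffic to a learned IP is
            # blocked, including other domains that happen to share that IP.
            return conn.dst_ip in self.blocked_ips
        # Domain-Only mode matches on the requested name, so it leaves co-hosted
        # domains alone, but it never sees a connection made directly by IP.
        return conn.domain == self.domain


def make_rule(mode: str) -> DomainBlockRule:
    """Build a rule for blocked.example.test and replay the constructed DNS table."""
    rule = DomainBlockRule("blocked.example.test", mode)
    for qname, ip in DNS_TABLE.items():
        rule.observe_dns(qname, ip)
    return rule


SAMPLE_CONNECTIONS = {
    "target":     Connection("198.51.100.10", "blocked.example.test"),
    "co-hosted":  Connection("198.51.100.10", "shared.example.test"),
    "by-ip-only": Connection("198.51.100.10", None),
    "unrelated":  Connection("198.51.100.20", "other.example.test"),
}


def compare_modes() -> Dict[str, Dict[str, bool]]:
    """Return {mode: {label: blocked?}} for the sample connections."""
    return {
        mode: {label: make_rule(mode).blocks(c) for label, c in SAMPLE_CONNECTIONS.items()}
        for mode in ("default", "domain-only")
    }


if __name__ == "__main__":
    for mode, results in compare_modes().items():
        print(mode)
        for label, blocked in results.items():
            print(f"  {label:11s} -> {'BLOCK' if blocked else 'allow'}")
```

Running it shows Default mode blocking `shared.example.test` purely because it shares the IP, and Domain-Only mode allowing the IP-only connection even though it lands on the same server as the blocked domain.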
To verify if everything is working as expected, you can learn more about how you can validate Firewalla features. If you have questions about how well Firewalla can protect you from cyber threats, you can learn more about Firewalla's outlook on cybersecurity.
In addition to providing comprehensive protection for your network, Firewalla can also help you have a more reliable and enjoyable network experience. Learn more about how you can use your Firewalla to create a better network.
Why is Suricata not supported on my box?
Firewalla already includes a Default IDS/IPS engine. Suricata is an additional engine designed to run in parallel with the default one. Unless you need something specific from Suricata, the Default engine should be perfectly sufficient for most users.
IDS/IPS engines are extremely hardware-intensive, as they are both CPU- and memory-bound processes. When two engines run simultaneously, they typically require more than double the CPU and memory resources of a single engine. This means most boxes would experience severe performance throttling if both were enabled at the same time.
Currently, the Firewalla Gold Pro is the only model equipped with a larger CPU and 2x the memory, allowing it to efficiently handle both engines without throttling throughput as much.
Our team is experimenting with optimizations to make Suricata available on other platforms by reducing or partitioning rule sets (and possibly integrating with Firewalla MSP to manage memory more efficiently). However, it may still involve other trade-offs, like lower throughput.
Data Visibility
- Firewalla Box only looks at the unencrypted portion of the traffic:
  - IP header
  - Protocol headers (TCP, HTTP/S, SSH ...)
  - Port numbers
  - Domain name
  - Duration of the flow
  - Length transferred (upload/download)
- Firewalla Box may also look at known vulnerabilities locally based on the network traffic. This may involve looking at unencrypted data.
- Firewalla cannot look inside HTTPS connections. For example, if you are browsing https://chase.com/something, Firewalla will know you are going to chase.com, but not the /something, and it will not see anything that is transmitted.
Comments
4 comments
Do these features work even when DNS is forced via a third-party VPN?
Yes, these features will work when DNS is forced to a third-party VPN. See https://help.firewalla.com/hc/en-us/articles/4570608120979-Firewalla-DNS-Services
How can we add the URL for the Target Lists so the list of malicious sites is updated daily or at a chosen cadence?
e.g., https://raw.githubusercontent.com/AdAway/adaway.github.io/master/hosts.txt
Most of the Active Protect 'lists' as indicated in the 'signature' section are managed by Firewalla. You really do not need to import another list. Our goal is to make the system just work ... and you don't have to worry about 'lists.'
And we know there are cases where you may want lists outside of the scope of security, for example, "crypto"; here we use the internal target list feature to sync the content. (We also clean the list before importing.) Target lists are explained here: https://help.firewalla.com/hc/en-us/articles/1500005941962-Firewalla-Feature-Target-Lists