PART 3: Protect
In addition to providing complete visibility into your network and giving you the tools you need to control how your network is used, Firewalla works in the background to continuously and actively shield your network from malicious entities.
Firewalla is a 24/7 barrier against suspicious connections that leverages network flow insights, your control policies, and our unique cloud-based behavioral analytics engine. As an Intrusion Detection System (IDS), Firewalla monitors your network and alerts you when it detects malicious activities and vulnerabilities. As an Intrusion Prevention System (IPS), Firewalla will automatically identify and block risky connections.
Firewalla uses several modes of protection to keep your devices as secure as possible:
- Ingress and Egress Firewalls
- Active Protect
- On-The-Go Security
- FAQ: Default vs. Domain-Only Blocking
Firewalla also enables you to understand, evaluate, and take action to improve your network experience. To make sure your network is serving you as best as possible, learn more about how you can use your Firewalla to create a better network.
1. Ingress and Egress Firewalls
When running in router mode, all Firewalla boxes have a stateful ingress firewall (filtering traffic from outside that is entering your network). This is the "Block Traffic from the Internet" rule. Because it is stateful, it blocks anything that attempts to intrude into your network while leaving the replies to connections your own devices initiated (your normal traffic) unaffected.
Firewalla is also an egress firewall, which filters traffic from the inside out. You can configure egress firewalls by setting up rules on your devices (see Part 2: Control for more information).
The ingress and egress firewalls can also be applied to network segments on Firewalla boxes that support router mode. There, ingress and egress rules control the traffic entering and leaving the segment. Learn more about creating and using network segments.
Learn more about what Firewalla can block.
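The following is an added illustration (not Firewalla's code) of what a stateful ingress firewall does: an inbound packet is admitted only when it is the reverse of a flow that a LAN device opened, so unsolicited connection attempts are dropped while replies to normal traffic pass. The packets, addresses and the `StatefulFirewall` model are constructed for this example.

```python
"""Stateful ingress firewall, modelled in a few lines (added illustration, not Firewalla's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "out": LAN -> Internet, "in": Internet -> LAN


class StatefulFirewall:
    """Tracks outbound flows so that only their replies are admitted from the outside."""

    def __init__(self):
        # Connection-tracking state: (lan_ip, lan_port, remote_ip, remote_port, proto)
        self.flows = set()
        self.blocked = []   # human-readable log of dropped inbound packets

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Egress: remember the flow so its replies are recognised. Egress rules
            # (Part 2: Control) would be evaluated here; this model allows everything out.
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allow"
        # Ingress: look the packet up as the reverse of a tracked outbound flow.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if key in self.flows:
            return "allow"
        self.blocked.append(f"{pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return "block"


def run_demo() -> list:
    """Constructed sample: a LAN request, the legitimate reply, and an unsolicited probe."""
    fw = StatefulFirewall()
    packets = [
        Packet("192.168.1.10", 51000, "203.0.113.5", 443, "tcp", "out"),   # laptop opens HTTPS
        Packet("203.0.113.5", 443, "192.168.1.10", 51000, "tcp", "in"),    # the server's reply
        Packet("198.51.100.7", 40000, "192.168.1.10", 22, "tcp", "in"),    # unsolicited SSH probe
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())   # ['allow', 'allow', 'block']
```

The third packet is dropped even though nothing in it is "malicious" on its own: it simply does not belong to any flow the inside started, which is exactly the property the "Block Traffic from the Internet" rule relies on.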
2. Active Protect
Active Protect is an IDS/IPS (Intrusion Detection Service / Intrusion Prevention Service) provided by Firewalla. It automatically:
- detects suspicious activities by analyzing the traffic going in and out of your network
- blocks high-risk connections
- alerts you with alarms and notifications when it detects abnormal activities
Firewalla Red through Blue Plus are one-port devices with two logical ports (input and output), so all traffic flows from your ISP through Firewalla to your devices. Firewalla Purple and Gold are multi-port devices that usually sit physically inline as well, so all egress (outbound) and ingress (inbound) traffic is monitored, assessed, and managed by Firewalla.
To protect your network internally, Active Protect has various layers of protection that all data flows are compared against. These all work in concert to determine what traffic is risky. Here is a quick tutorial on what exactly we do in the background.
For connections that are certain to be “bad,” Firewalla can block them automatically. For connections that are questionable but possibly legitimate, alarms will be raised, and you will be given the option to block the connections. Active Protect uses both signature-based algorithms and behavioral analytics to detect risky connections.
For example, if any "abnormal" upload activity occurs, Active Protect generates an "abnormal upload" alarm. From there, you can ignore the alarm or allow or block the activity. Learn more about Abnormal Upload Alarms.
Firewalla's system is based on reputation, and the reputation of activities and sites does change over time. Depending on the changes, an always-block policy will likely cause false positives and disturb your internet experience. Due to this, Firewalla offers two different configurations for Active Protect: Default Mode and Strict Mode.
- Strict Mode checks Firewalla's cloud database of security intel more often.
- In Strict Mode, the probability of blocking a flow instead of raising the alarm is higher.
- Strict Mode may raise more false positives due to its higher blocking probability.
Active Protect pauses only when you manually turn off the feature or turn off monitoring.
2.1 Behavioral Detection
Firewalla's IDS/IPS can infer an attacker's (or user's) intent and, based on that intent, generate alarms or block their access. Unlike signature-based detection, this type of detection looks beyond pattern matching at what is actually happening. Some of this detection is done by a traditional network IDS/IPS. Behavioral detection can:
- Detect SSH login failure attempts and generate alarms
- Detect/block Heartbleed attacks
- Detect unusual uploads or transfers of data
Firewalla's behavioral detection is informed in part by machine learning; some of these IDS/IPS checks are also signature-based. Behavioral detection is sometimes referred to as anomaly-based detection.
2.2 Signature-Based Detection
Firewalla has access to an extensive network of security intelligence feeds. These feeds are extremely large (far more than a typical small computer can hold) and dynamic (the reputation of sites changes often). When a network flow is generated or about to be generated, Firewalla uses a two-stage lookup from the box: local intel first, then the cloud. For performance reasons, the most frequently used intel is periodically synced to each Firewalla box.
Signature-based detection works by:
- Identifying the flow (source and destination) via DNS and TLS header sniffing (the TLS header check catches cases where DNS is bypassed).
- Checking its IP address/Port to see its origin and intended destination.
- Checking local Firewalla intelligence to see if the flow needs to be blocked.
- Checking if there is a possibility that this flow may be bad and referencing the Cloud for a secondary check if needed.
- Checking against user-defined Target Lists (you do not need to bring in your own lists for signature-based detection to work).
Since Firewalla tracks millions of sites, we attach a reputation score to each one. This reputation score is not a binary good or bad rating, but rather a score between good and bad. Over time, a site's reputation may change due to many factors. If the site's reputation is not that bad but not that good, you may receive an alarm; if it is bad, it may result in a block and an alarm.
Since Firewalla already has a very large database of dynamic security intel, there is no reason to import your own list unless you want to. However, we do offer the target list function in case you want to choose your own targets.
- A user-defined target list can be used to group domains and IPs together. There is a limit on the length of this list to prevent harm to the system.
- Firewalla also automatically syncs and manages some of the more popular lists (such as OISD and log4j attack sites) for you.
Active Protect is dynamic and reputation-based, so it may not block a site if it has a good reputation. If you create a rule to block a target list, the target list entries will always be blocked, regardless of the site's reputation.
Firewalla's signatures are continuously checked by the system to ensure there are no mistakes that would block legitimate sites. Additionally, because Firewalla's intel is managed dynamically, Firewalla may be able to add and remove intel much faster than a manually synced target list. The total size of Firewalla's specialized signature list is >60 million entries as of 1/1/2022.
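To make the two-stage lookup, the graded reputation verdicts, the always-block behaviour of a target-list rule, and the Default/Strict Mode difference concrete, here is an added model (not Firewalla's code). The intel tables, the thresholds `BLOCK_AT` and `ALARM_AT`, the `IntelEngine` class and the simplification of Strict Mode (it always re-queries the cloud and blocks rather than alarms in the questionable band) are all assumptions made for this example.

```python
"""Tiered reputation verdicts with a local-then-cloud lookup (added illustration, not Firewalla's code)."""

BLOCK_AT = 0.8   # constructed: reputation at or above this is "bad" -> block + alarm
ALARM_AT = 0.5   # constructed: between ALARM_AT and BLOCK_AT is "questionable" -> alarm

# Constructed sample intel. The local table stands for the frequently used
# entries synced to the box; the cloud table for the much larger dynamic feed.
LOCAL_INTEL = {"malware.example": 0.95, "cdn.example": 0.05}
CLOUD_INTEL = {"malware.example": 0.95, "cdn.example": 0.05, "dubious.example": 0.6}
TARGET_LIST = {"tracker.example"}   # user-defined target list with a block rule attached


class IntelEngine:
    def __init__(self, local, cloud, target_list, strict=False):
        self.local = dict(local)          # stage 1: local intel cache
        self.cloud = cloud                # stage 2: cloud lookup
        self.target_list = set(target_list)
        self.strict = strict
        self.cloud_queries = 0            # how often stage 2 was needed

    def reputation(self, host: str) -> float:
        """Local intel first; fall back to the cloud and cache the answer.
        Strict Mode (as modelled here) checks the cloud on every lookup."""
        if host in self.local and not self.strict:
            return self.local[host]
        self.cloud_queries += 1
        score = self.cloud.get(host, 0.0)   # unknown host: no bad reputation on record
        self.local[host] = score
        return score

    def verdict(self, host: str) -> tuple:
        """Return (action, reason); action is 'allow', 'alarm' or 'block'."""
        if host in self.target_list:
            # A rule on a target list blocks regardless of reputation.
            return ("block", "target-list")
        score = self.reputation(host)
        if score >= BLOCK_AT:
            return ("block", "bad-reputation")
        if score >= ALARM_AT:
            # Questionable: Default Mode asks you via an alarm; Strict Mode blocks outright.
            return ("block" if self.strict else "alarm", "questionable-reputation")
        return ("allow", "ok")


if __name__ == "__main__":
    engine = IntelEngine(LOCAL_INTEL, CLOUD_INTEL, TARGET_LIST)
    for host in ("cdn.example", "dubious.example", "malware.example", "tracker.example"):
        print(host, engine.verdict(host))
    print("cloud queries:", engine.cloud_queries)   # only dubious.example needed the cloud
```

Note that the questionable-band outcome is the only place the two modes differ in this model, which is why Strict Mode raises more false positives: a site with a middling score that was merely worth an alarm in Default Mode is blocked outright.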
When you see an alarm and act on it by muting/ignoring, archiving, or blocking it, you give valuable feedback to your Firewalla system. With enough feedback, the system learns your habits and starts tuning its behavior toward them. However, the system may still make a mistake from time to time. When this happens, you can send feedback to us directly from the app.
For example, if you spend a few hours backing up your files to the Cloud, your Firewalla might register this as abnormal upload behavior and send you an alarm. Depending on how often and how much data you're uploading, your Firewalla may continue to flag this action and send you more alarms. To improve your Firewalla's learning, you can provide feedback that the abnormal upload alarm is "Too Frequent" directly from the alarm notification in the app.
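The backup scenario above, as an added model (not Firewalla's code): a per-device baseline of upload volume decides what is abnormal, a flagged window is not folded into the baseline (so the same behaviour keeps alarming), and a "Too Frequent" report both widens the band and teaches the baseline that the volume was normal. Firewalla's real detector is informed by machine learning; the mean-plus-k-standard-deviations rule, the constants, the `UploadMonitor` class and the sample volumes are assumptions made for this illustration.

```python
"""Abnormal-upload alarms with user feedback, as a simplified model (added illustration, not Firewalla's code)."""
import statistics

MIN_SAMPLES = 5       # history needed before a device is judged (constructed)
FLOOR_MB = 50.0       # never alarm below this absolute volume per window (constructed)
DEFAULT_K = 3.0       # width of the "normal" band in standard deviations (constructed)
FEEDBACK_STEP = 1.0   # how much one "Too Frequent" report widens the band (constructed)


class UploadMonitor:
    def __init__(self):
        self.history = {}   # device -> upload volumes (MB per window) judged normal
        self.k = {}         # device -> current band width

    def observe(self, device: str, upload_mb: float) -> bool:
        """Return True (raise an 'abnormal upload' alarm) if this window is out of band."""
        hist = self.history.setdefault(device, [])
        k = self.k.setdefault(device, DEFAULT_K)
        alarm = False
        if len(hist) >= MIN_SAMPLES:
            threshold = max(FLOOR_MB, statistics.mean(hist) + k * statistics.pstdev(hist))
            alarm = upload_mb > threshold
        if not alarm:
            hist.append(upload_mb)   # normal windows refine the baseline; flagged ones do not
        return alarm

    def feedback(self, device: str, verdict: str, upload_mb: float) -> None:
        """Apply the user's response to an alarm about `upload_mb`."""
        if verdict == "too_frequent":
            self.k[device] = self.k.get(device, DEFAULT_K) + FEEDBACK_STEP
            self.history.setdefault(device, []).append(upload_mb)   # learn it as a habit
        # "ignore"/"archive" leave the model unchanged; "block" would create a rule (Part 2).


def run_demo() -> list:
    """Constructed sample: a laptop that normally uploads ~100 MB per window."""
    mon = UploadMonitor()
    for mb in (100, 120, 90, 110, 80):      # quiet history, no alarms yet
        mon.observe("laptop", mb)
    results = [mon.observe("laptop", 150)]   # first backup window: alarm
    mon.feedback("laptop", "too_frequent", 150)
    results.append(mon.observe("laptop", 150))    # same volume again: now within band
    results.append(mon.observe("laptop", 5000))   # a genuine outlier still alarms
    return results


if __name__ == "__main__":
    print(run_demo())   # [True, False, True]
```

The important property is the last line of `run_demo`: widening the band for a device does not switch the detector off, it only moves the boundary, so a volume far outside anything the device has ever done still produces an alarm.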
3. On-The-Go Security
Firewalla doesn't just protect your devices at home. When you are on the road or at your favorite coffee shop, you can connect to Firewalla's built-in VPN server to surf the internet as if you are at home, with the same level of protection. Learn more about how Firewalla can protect you while you're not at home.
FAQ: Default vs. Domain-Only Blocking
When you set up a domain-blocking firewall, you can choose between Default and Domain-Only modes. In Default mode, if two different domains map to the same IP address, then blocking one domain blocks the other as well. Domain-Only mode is a less restrictive option that won't block other domains hosted on the same IP. However, some applications access servers by IP address rather than domain, so Domain-Only rules may not work as intended.
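An added model (not Firewalla's code) of the two modes. The resolver snapshot, the sample flows and the `DomainBlockRule` class are constructed; in practice the box learns domain-to-IP mappings from the DNS answers and TLS headers it sees. The example shows both consequences described above: Default mode blocking a co-hosted domain, and Domain-Only mode missing an app that connects by IP address.

```python
"""Default vs. Domain-Only blocking modes, modelled (added illustration, not Firewalla's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed DNS snapshot: ads.example and news.example share one IP address.
RESOLVED = {
    "ads.example": {"203.0.113.10"},
    "news.example": {"203.0.113.10"},
    "mail.example": {"203.0.113.20"},
}


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    domain: Optional[str]   # None when the app connected by IP and no DNS/SNI name was seen


class DomainBlockRule:
    def __init__(self, domain: str, mode: str):
        if mode not in ("default", "domain-only"):
            raise ValueError(mode)
        self.domain = domain
        self.mode = mode
        self.ips = RESOLVED.get(domain, set())   # IPs the blocked domain resolves to

    def matches(self, flow: Flow) -> bool:
        if flow.domain == self.domain:
            return True                      # both modes block the named domain
        if self.mode == "default":
            # Default mode also blocks the resolved IPs, which catches direct-by-IP
            # access but takes any other domain hosted on those IPs down with it.
            return flow.dst_ip in self.ips
        return False                         # domain-only: the observed name must match


def compare_modes(blocked_domain: str) -> dict:
    """Return {mode: [flows that the rule blocks]} over a constructed set of flows."""
    flows = [
        Flow("203.0.113.10", "ads.example"),    # the blocked domain itself
        Flow("203.0.113.10", "news.example"),   # a different domain on the same IP
        Flow("203.0.113.10", None),             # an app that connects by IP address
        Flow("203.0.113.20", "mail.example"),   # unrelated site
    ]
    return {
        mode: [f for f in flows if DomainBlockRule(blocked_domain, mode).matches(f)]
        for mode in ("default", "domain-only")
    }


if __name__ == "__main__":
    for mode, blocked in compare_modes("ads.example").items():
        print(mode, [(f.dst_ip, f.domain) for f in blocked])
```

Domain-Only is the right choice when a block on a shared CDN or hosting IP would take innocent sites down with it; Default is the right choice when the thing you want blocked may be reached without a domain name at all.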
To verify if everything is working as expected, you can learn more about how you can validate Firewalla features. If you have questions about how well Firewalla can protect you from cyber threats, you can learn more about Firewalla's outlook on cybersecurity.
In addition to providing comprehensive protection for your network, Firewalla can also help you have a more reliable and enjoyable network experience. Learn more about how you can use your Firewalla to create a better network.
- Firewalla Box only looks at the unencrypted portion of the traffic:
  - IP header
  - Protocol headers (TCP, HTTP/S, SSH, ...)
  - Port numbers
  - Domain name
  - Duration of the flow
  - Length transferred (upload/download)
- Firewalla Box may also check for known vulnerabilities locally based on the network traffic. This may involve looking at unencrypted data.
- Firewalla cannot look inside HTTPS connections. For example, if you are browsing https://chase.com/something, Firewalla will know that you are going to chase.com, but not the /something, and it will not see anything that is transmitted.
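The domain name in that list, and the "TLS header sniffing" mentioned under signature-based detection, come from the unencrypted Server Name Indication (SNI) in a TLS ClientHello. The following added example (not Firewalla's code) builds a minimal ClientHello and parses the server name back out of it, which shows both what a box in the path can see (the host) and what it cannot (the path and payload, which are only sent after the handshake, encrypted). The `build_client_hello` and `extract_sni` helpers are written for this illustration; the record layout follows the TLS specification.

```python
"""Extract the SNI host name from a TLS ClientHello (added illustration, not Firewalla's code)."""
import struct
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal ClientHello record; server_name=None omits the extensions block."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # client version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00")                            # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name (0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list      # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 0x16


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name, or None if this is not a ClientHello carrying one."""
    if len(record) < 5 or record[0] != 0x16:          # not a TLS handshake record
        return None
    handshake = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(handshake) < 4 or handshake[0] != 0x01:    # not a ClientHello
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    p = 2 + 32                                        # skip client version and random
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                  # skip session id
    if len(body) < p + 2:
        return None
    p += 2 + int.from_bytes(body[p:p + 2], "big")     # skip cipher suites
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                                  # skip compression methods
    if len(body) < p + 2:                             # no extensions at all
        return None
    end = min(p + 2 + int.from_bytes(body[p:p + 2], "big"), len(body))
    p += 2
    while p + 4 <= end:                               # walk the extension list
        ext_type = int.from_bytes(body[p:p + 2], "big")
        ext_len = int.from_bytes(body[p + 2:p + 4], "big")
        data = body[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != 0 or len(data) < 5:
            continue
        q = 2                                         # skip server_name_list length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = int.from_bytes(data[q + 1:q + 3], "big")
            q += 3
            if name_type == 0:
                return data[q:q + name_len].decode("ascii", errors="replace")
            q += name_len
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("chase.com")))   # chase.com
    print(extract_sni(build_client_hello(None)))          # None: no SNI to read
```

Everything after the handshake (the request line with its path, headers, and body) travels inside encrypted records of type 0x17, which is why a device in the path can classify a flow by host, port, duration and byte counts but cannot tell which page was fetched.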