Firewall Policy
This section describes the NetworkShield Firewall 2006 Firewall Policy and explains how to configure it.
- Overview
- Predefined Firewall Policy Rules
- Access rules
- Redirect rules
- Firewall Policy: How to
Firewall Policy Overview
NetworkShield Firewall allows you to create your network security policy based on Firewall Policy rules. There are two types of Firewall Policy rules: Access Rules and Redirect Rules. Firewall Policy rules together with Network rules completely define the access policy of clients (including the NetworkShield Firewall host) to resources in other networks.
What is a firewall
A firewall is a software system designed to control client access from one network to another. You can use a firewall to specify which information resources clients can use. It protects the computers and servers on your network against malicious access. A set of rules that permit or deny access from one network to another constitutes a Firewall Policy.
To ensure protection against malicious access, NetworkShield Firewall performs Stateful packet inspection (the ACC technology). Stateful inspection provides enhanced security by keeping track of the state of network connections over a period of time. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
How firewall rules work
NetworkShield Firewall uses Firewall Policy rules (Access and Redirect) and Network rules to completely specify how clients may access one network from another. While processing a connection request, NetworkShield Firewall checks the Network rules and the Firewall Policy rules to decide whether the access is allowed.
Network rules and Firewall rules are arranged as ordered lists (chains). Once a connection request is received, NetworkShield Firewall first checks the Network rules to determine the type of network relationship (NAT or Route). If no Network rule connects the two networks, the connection is blocked. If a matching Network rule is found, NetworkShield Firewall checks the Firewall Policy rules one by one to determine whether the administrator allows this connection. If a permitting rule for the connection exists in the list of Firewall Policy rules, the connection is allowed.
The list of Firewall rules contains one built-in rule that blocks all traffic. This rule is located at the very end of the list. If there is no permitting rule for the connection, the last default rule is applied and the connection is blocked.
Example
Suppose you have a server with two network interface cards (NICs) and NetworkShield Firewall installed. The local area network is connected to one NIC and the other NIC is connected to the Internet. LAN IP addresses are within one of the private ranges defined in RFC 1918. You need to give all LAN clients access to web resources on the Internet. To do this, you need to:
- Define the network connection type (local network and Internet). To do this, create a Network rule with the source specified as Local Network and the destination specified as Internet. Set the network relationship to NAT.
- Create a permitting Firewall Policy rule. To do this, create an Access rule with the source specified as Local Network, the destination specified as Internet, and the HTTP and HTTPS protocols.
Predefined Firewall Policy Rules
Predefined firewall policy rules define access to the main services that the operating system hosting NetworkShield Firewall needs in order to run normally. Predefined firewall policy rules cannot be deleted. You can either disable a rule you do not need or edit some of its properties. Predefined firewall policy rules always govern access for the NetworkShield Firewall computer itself, so you can change their source or destination only where it is not the Local Host object.
Predefined firewall policy rules are always applied before User-defined firewall rules. For this reason, you must disable a Predefined firewall rule if you need to override it with a User-defined firewall rule.
Firewall Access rules
Firewall Access rules define the rules of client access from one network to another. Rules are specified in the form of an ordered list. The first matching rule will be used in the process of checking connections.
You can use Networks, Users, Computers, IP ranges and their groups as sources and destinations in Firewall Access rules. Each rule can contain more than one source, destination and protocol.
NetworkShield Firewall includes a set of the most common protocols for use in Firewall Rules. You can define additional protocols yourself. Editing the protocols predefined in the system is not recommended.
Note
- Predefined firewall policy rules are always applied before User-defined firewall policy rules. To redefine Predefined firewall policy rules, you have to disable them.
Firewall Redirect rules
NetworkShield Firewall can provide secure access from the Internet to servers inside your local area network, for example web servers, FTP servers and mail servers. To publish a LAN resource, you create a Firewall Redirect rule. When a server from the internal network is published via NetworkShield Firewall, the external client actually interacts with NetworkShield Firewall, which redirects all requests to the internal server. The IP address of the internal server remains hidden, because clients send their requests to the IP address of the NetworkShield Firewall server.
Using server publishing, you protect your internal network against possible attacks from untrusted networks, because such attacks are aimed at the protected NetworkShield Firewall server rather than at the internal host.
Besides server publishing, Redirect rules allow you to redirect connections to another destination and to change the destination port. The server publishing process is also known as Port mapping or Port forwarding.
Note
- Publishing is possible only for the TCP, UDP and ICMP protocols.
- Redirect rules must always be placed above Access rules in the list, that is, earlier in the order in which rules are applied.
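The evaluation order described above (Network rule first, then Firewall Policy rules in list order with Predefined rules before User-defined ones and Redirect rules above Access rules, then the built-in blocking rule) can be modelled in a few lines. The following is an added example written for this page, not NetworkShield code; the networks, addresses, ports and rule names are constructed, and protocols are written as "transport/port".

```python
from ipaddress import ip_address, ip_network

# Constructed network objects (not NetworkShield's); most specific object listed first.
NETWORKS = {
    "Local Host": [ip_network("203.0.113.10/32"), ip_network("192.168.1.1/32")],
    "Local Network": [ip_network("192.168.1.0/24")],   # an RFC 1918 range
    "Internet": [ip_network("0.0.0.0/0")],
}

def network_of(ip):
    """Return the name of the first network object that contains ip."""
    addr = ip_address(ip)
    return next(n for n, nets in NETWORKS.items() if any(addr in net for net in nets))

# Network rules: (source, destination, relationship). No matching rule means blocked.
NETWORK_RULES = [("Local Network", "Internet", "NAT"),
                 ("Internet", "Local Host", "Route"),
                 ("Local Host", "Internet", "Route")]

# Firewall Policy rules in the order they are applied: the predefined rule first,
# then user-defined rules with the Redirect rule above the Access rules.
POLICY_RULES = [
    {"name": "DNS (predefined)", "src": "Local Host", "dst": "Internet",
     "proto": {"udp/53"}, "action": "allow", "enabled": True},
    {"name": "Publish web server", "src": "Internet", "dst": "Local Host",
     "proto": {"tcp/80"}, "action": "redirect", "to": ("192.168.1.20", 8080), "enabled": True},
    {"name": "LAN to web", "src": "Local Network", "dst": "Internet",
     "proto": {"tcp/80", "tcp/443"}, "action": "allow", "enabled": True},
    {"name": "Block host DNS", "src": "Local Host", "dst": "Internet",
     "proto": {"udp/53"}, "action": "deny", "enabled": True},
]

def evaluate(src_ip, dst_ip, proto, rules=POLICY_RULES):
    """Network rule, then first matching enabled policy rule, then the built-in deny."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    relationship = next((r[2] for r in NETWORK_RULES if r[:2] == (src, dst)), None)
    if relationship is None:
        return ("blocked", "no network rule")
    for rule in rules:
        if rule["enabled"] and rule["src"] == src and rule["dst"] == dst and proto in rule["proto"]:
            if rule["action"] == "redirect":
                return ("redirect", rule["to"])
            return (rule["action"], rule["name"])
    return ("blocked", "built-in deny rule")   # the non-deletable last rule in the list

def without_predefined(rules=POLICY_RULES):
    """Rules with the predefined DNS rule disabled, so the user-defined deny below it takes effect."""
    return [dict(r, enabled=r["enabled"] and "(predefined)" not in r["name"]) for r in rules]
```

Note that a client on the Internet addressing the internal server directly is blocked at the Network rule stage, because no Network rule joins Internet to Local Network; only the published address on the firewall host reaches the Redirect rule.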