Netify Firewall Agent - FWA

The Netify Informatics API provides high level network intelligence based on a holistic view of the network. Though Informatics is convenient and allows for greater insights to be gained through 3rd party services like IP reputation and Machine Learning models, it is impractical for use when dealing with real-time network flow control.

There are cases where it is desirable to take real-time action on the network metadata provided by the Netify DPI Agent. Today, Netify DPI metadata powers cybersecurity solutions, digital experience monitoring on mobile networks, SD-WAN routing policy engines, and more.

Turning DPI Metadata into Action

Network, QoS, and Firewall Hooks

Fortunately for Netify system integrators, we offer a client solution called Netify Firewall Agent, or FWA. The software consumes real-time Netify DPI Data Streams through a live socket on the host. FWA then uses this flow metadata to provide a firewall agnostic[1] feature set:

  • IP Sets - identifies specified traffic using IP sets
  • Mark - tracks specified traffic flows using iptables/nftables marks
  • Block - blocks specified traffic using firewall rules

Though the vanilla Netify Firewall Agent software can be used as-is, it is typically a starting point for building custom solutions. For example, a cybersecurity solution uses Netify DPI metadata to block all SSL/TLS connections using weak ciphers or old SSLv3 connections. See the Data Streams documentation to get an overview of the available metadata.

To keep the free on-system version of the Netify Agent open source, cloud-based heuristics are not included. However, the cloud-enhanced version of the Netify Agent can be configured to maintain IP sets and connection marking directly. This reduces the overhead and latency involved with using the Netify Firewall Agent. Contact us for details.

The open-source code can be fully containerized, which simplifies integration and the ease with which it can be deployed into a CI/CD software lifecycle.

[1] Netify FWA currently supports iptables, firewalld, IP sets, marking, and specific operating systems, but it is designed to be extended to work with almost any Linux/xBSD OS.

Configuration

To get a feel for the features provided by the vanilla Netify FWA software, let's take a look at the example configuration file below. You will see three different rule types in use:

Type    Description
ipset   Creates and maintains an IP set for a given detection
mark    Marks traffic for a given detection
block   Blocks traffic for a given detection

Please see the Network Policies Overview to get a deeper understanding of the ipset and mark features.

Every firewall implementation is different, but the fundamentals are the same. The Netify Firewall Agent populates a lookup table that a Layer 3 firewall can understand. The configuration file shown below is an example.

Application Category IP Set

The first configuration section defines an IP set rule for the Streaming Media application category (Netflix, YouTube, Hulu, etc.). This IP set can then be used to - among other things - create a multiWAN / SD-WAN routing policy for a bulk traffic Internet connection.

BitTorrent Marking

The second configuration section defines a mark rule for BitTorrent traffic. This firewall mark - among other things - can be used in a native QoS or traffic shaping system.

Blocking and Time of Day

You may want to allow certain applications during certain times, for example, an office lunch hour. The third and fourth configuration blocks provide an example configuration for this scenario. Facebook is blocked during work hours except from noon to 1 pm.

Whitelist

Finally, we have the whitelist section at the bottom of the configuration file. You can exempt IPs or network blocks from the FWA rule set.

{
    "version": "1.0",
    "rules": [
        {
            "type": "ipset",
            "application_category": "streaming-media"
        },
        {
            "type": "mark",
            "protocol": "bittorrent",
            "mark": 3
        },
        {
            "type": "block",
            "application": "netify.facebook",
            "weekdays": "Mo,Tu,We,Th,Fr",
            "time-start": "9:00",
            "time-stop": "12:00"
        },
        {
            "type": "block",
            "application": "netify.facebook",
            "weekdays": "Mo,Tu,We,Th,Fr",
            "time-start": "13:00",
            "time-stop": "17:00"
        }
    ],
    "whitelist": [
        {
            "type": "ipv4",
            "address": "192.168.0.10/32"
        },
        {
            "type": "ipv6",
            "address": "fe80::10/64"
        }
    ]
}
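To make the rule semantics concrete, the following is an added example (not Netify's own FWA code) that evaluates the configuration above against a DPI flow record and returns the actions a firewall agent would apply: populate an IP set, set a connection mark, or block. It implements the weekday and time-of-day windows (so Facebook is blocked on weekdays from 9:00 to 12:00 and 13:00 to 17:00, with the lunch hour open) and the whitelist exemption for both IPv4 and IPv6 entries. The flow field names (application, application_category, protocol, local_ip, remote_ip) and the sample flows and timestamps are assumptions constructed for this example, not Netify Data Stream output.

```python
"""Evaluate Netify FWA-style rules against DPI flow metadata.

Added example, not Netify's code. Flow field names and sample records below
are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, time

# Weekday tags as used by the "weekdays" key, Monday first (datetime.weekday()).
WEEKDAY_TAGS = ("Mo", "Tu", "We", "Th", "Fr", "Sa", "Su")

# The example configuration from the page, as a Python dict.
EXAMPLE_CONFIG = {
    "version": "1.0",
    "rules": [
        {"type": "ipset", "application_category": "streaming-media"},
        {"type": "mark", "protocol": "bittorrent", "mark": 3},
        {"type": "block", "application": "netify.facebook",
         "weekdays": "Mo,Tu,We,Th,Fr", "time-start": "9:00", "time-stop": "12:00"},
        {"type": "block", "application": "netify.facebook",
         "weekdays": "Mo,Tu,We,Th,Fr", "time-start": "13:00", "time-stop": "17:00"},
    ],
    "whitelist": [
        {"type": "ipv4", "address": "192.168.0.10/32"},
        {"type": "ipv6", "address": "fe80::10/64"},
    ],
}


def _parse_hhmm(value: str) -> time:
    """Parse "9:00" or "13:00" into a datetime.time."""
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


def rule_is_active(rule: dict, now: datetime) -> bool:
    """Apply the optional weekday/time window; unscheduled rules always apply."""
    if "weekdays" in rule:
        allowed = {tag.strip() for tag in rule["weekdays"].split(",")}
        if WEEKDAY_TAGS[now.weekday()] not in allowed:
            return False
    if "time-start" in rule or "time-stop" in rule:
        start = _parse_hhmm(rule["time-start"]) if "time-start" in rule else time.min
        stop = _parse_hhmm(rule["time-stop"]) if "time-stop" in rule else time.max
        # Half-open window: a 9:00-12:00 rule covers 11:59 but not 12:00.
        if not (start <= now.time() < stop):
            return False
    return True


def rule_matches(rule: dict, flow: dict) -> bool:
    """Every selector present in the rule must equal the flow's value."""
    return all(flow.get(key) == rule[key]
               for key in ("application", "application_category", "protocol")
               if key in rule)


def is_whitelisted(config: dict, address: str) -> bool:
    """True if the address falls inside any whitelist entry (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(address)
    for entry in config.get("whitelist", []):
        net = ipaddress.ip_network(entry["address"], strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def evaluate(config: dict, flow: dict, now: datetime) -> list[tuple]:
    """Return the firewall actions to apply for one flow, in rule order."""
    if is_whitelisted(config, flow["local_ip"]):
        return []  # exempt hosts bypass the whole rule set
    actions = []
    for rule in config["rules"]:
        if not (rule_matches(rule, flow) and rule_is_active(rule, now)):
            continue
        kind = rule["type"]
        if kind == "ipset":
            # The set is named after the selector so Layer 3 rules can reference it;
            # the remote endpoint is what gets added.
            name = (rule.get("application_category") or rule.get("application")
                    or rule.get("protocol"))
            actions.append(("ipset", name, flow["remote_ip"]))
        elif kind == "mark":
            actions.append(("mark", rule["mark"]))
        elif kind == "block":
            actions.append(("block",))
        else:
            raise ValueError(f"unknown rule type: {kind}")
    return actions


# Constructed sample timestamps and flows (not real Data Stream records).
WED_1030 = datetime(2024, 3, 13, 10, 30)   # Wednesday, work hours
WED_1230 = datetime(2024, 3, 13, 12, 30)   # Wednesday, lunch hour
SAT_1030 = datetime(2024, 3, 16, 10, 30)   # Saturday
FACEBOOK_FLOW = {"application": "netify.facebook", "application_category": "social-media",
                 "protocol": "https", "local_ip": "192.168.0.20", "remote_ip": "203.0.113.5"}
NETFLIX_FLOW = {"application": "netify.netflix", "application_category": "streaming-media",
                "protocol": "https", "local_ip": "192.168.0.20", "remote_ip": "203.0.113.7"}
TORRENT_FLOW = {"application": "netify.bittorrent", "application_category": "file-transfer",
                "protocol": "bittorrent", "local_ip": "192.168.0.20", "remote_ip": "198.51.100.9"}
EXEMPT_FLOW = dict(FACEBOOK_FLOW, local_ip="192.168.0.10")

if __name__ == "__main__":
    for label, flow, when in (("facebook/work", FACEBOOK_FLOW, WED_1030),
                              ("facebook/lunch", FACEBOOK_FLOW, WED_1230),
                              ("netflix", NETFLIX_FLOW, WED_1030),
                              ("torrent", TORRENT_FLOW, SAT_1030),
                              ("exempt host", EXEMPT_FLOW, WED_1030)):
        print(f"{label:15} -> {evaluate(EXAMPLE_CONFIG, flow, when)}")
```

The time window is deliberately half-open so that the two Facebook rules (9:00 to 12:00 and 13:00 to 17:00) leave exactly the noon hour unblocked, and the whitelist check runs before any rule is consulted, matching the page's description of whitelisted hosts as exempt from the FWA rule set.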

For quick reference, you can find the tags (e.g. netify.facebook and streaming-media in the example configuration) used in the detection rules here:

Integration and Custom Solutions

Do you have any questions about integration, APIs or custom development?

Contact Us