Netify Firewall Agent
Netify Firewall Agent - FWA
The Netify Informatics API provides high level network intelligence based on a holistic view of the network. Though Informatics is convenient and allows for greater insights to be gained through 3rd party services like IP reputation and Machine Learning models, it is impractical for use when dealing with real-time network flow control.
There are cases where it is desirable to take real-time action on the network metadata provided by the Netify DPI Agent. Today, Netify DPI metadata powers cybersecurity solutions, digital experience monitoring on mobile networks, SD-WAN routing policy engines, and more.
Turning DPI Metadata into Action
Network, QoS, and Firewall Hooks
Fortunately for Netify system integrators, we offer a client solution called Netify Firewall Agent, or FWA. The software consumes real-time Netify DPI Data Streams through a live socket on the host. FWA then uses this flow metadata to provide a firewall agnostic[1] feature set:
- IP Sets - identifies specified traffic using IP sets
- Mark - tracks specified traffic flows using iptables/nftables marks
- Block - blocks specified traffic using firewall rules
Though the vanilla Netify Firewall Agent software can be used as-is, it is typically a starting point for building custom solutions. For example, a cybersecurity solution can use Netify DPI metadata to block all SSL/TLS connections that negotiate weak ciphers or that still use the obsolete SSLv3 protocol. See the Data Streams documentation for an overview of the available metadata.
The open-source code can be fully containerized, which simplifies integration and makes it easy to deploy as part of a CI/CD software lifecycle.
[1] Netify FWA currently supports iptables, firewalld, IP sets, marking, and specific operating systems, but it is designed to be extended to work with almost any Linux/xBSD OS.
Configuration
To get a feel for the features provided by the vanilla Netify FWA software, let's take a look at the example configuration file below. You will see three different rule types in use:
| Type | Description |
|---|---|
| ipset | Creates and maintains an IP set for a given detection |
| mark | Marks traffic for a given detection |
| block | Blocks traffic for a given detection |
Please see the Network Policies Overview to get a deeper understanding of the ipset and mark features.
Every firewall implementation is different, but the fundamentals are the same: the Netify Firewall Agent populates a lookup table (an IP set or a packet mark) that a Layer 3 firewall can understand. The configuration file shown below is an example; the sections that follow walk through each of its rules.
Application Category IP Set
The first configuration section defines an IP set rule for the Streaming Media application category (Netflix, YouTube, Hulu, etc.). This IP set can then be used to - among other things - create a multiWAN / SD-WAN routing policy for a bulk traffic Internet connection.
BitTorrent Marking
The second configuration section defines a mark rule for BitTorrent traffic. This firewall mark - among other things - can be used in a native QoS or traffic shaping system.
Blocking and Time of Day
You may want to allow certain applications during certain times, for example, an office lunch hour. The third and fourth configuration blocks provide an example configuration for this scenario. Facebook is blocked during work hours except from noon to 1 pm.
Whitelist
Finally, we have the whitelist section at the bottom of the configuration file. You can exempt IPs or network blocks from the FWA rule set.
```json
{
  "version": "1.0",
  "rules": [
    {
      "type": "ipset",
      "application_category": "streaming-media"
    },
    {
      "type": "mark",
      "protocol": "bittorrent",
      "mark": 3
    },
    {
      "type": "block",
      "application": "netify.facebook",
      "weekdays": "Mo,Tu,We,Th,Fr",
      "time-start": "9:00",
      "time-stop": "12:00"
    },
    {
      "type": "block",
      "application": "netify.facebook",
      "weekdays": "Mo,Tu,We,Th,Fr",
      "time-start": "13:00",
      "time-stop": "17:00"
    }
  ],
  "whitelist": [
    {
      "type": "ipv4",
      "address": "192.168.0.10\/32"
    },
    {
      "type": "ipv6",
      "address": "fe80::10\/64"
    }
  ]
}
```
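To make the rule semantics described above concrete (the three rule types, the weekday and time-of-day windows that leave the lunch-hour gap open, and the whitelist exemption), here is an added Python example that loads a configuration in the format shown and decides which actions apply to a given flow record. This is illustration code written for this page, not Netify's FWA implementation. The evaluation order (whitelist first, then every matching rule in file order), the flow record fields (`src`, `dst`, `application`, `application_category`, `protocol`), the `netify_` IP set name prefix, and the start-inclusive/stop-exclusive time window are all assumptions; the destination addresses in the sample flows are constructed documentation addresses.

```python
"""Evaluate an FWA-style rule file against sample flow metadata.

Added example, not Netify's own FWA code. Evaluation order, flow record
fields, IP set naming and time-window boundaries are assumptions.
"""
import ipaddress
import json
from datetime import datetime

# Constructed copy of the example configuration shown on the page.
CONFIG_JSON = r'''
{
  "version": "1.0",
  "rules": [
    {"type": "ipset", "application_category": "streaming-media"},
    {"type": "mark", "protocol": "bittorrent", "mark": 3},
    {"type": "block", "application": "netify.facebook",
     "weekdays": "Mo,Tu,We,Th,Fr", "time-start": "9:00", "time-stop": "12:00"},
    {"type": "block", "application": "netify.facebook",
     "weekdays": "Mo,Tu,We,Th,Fr", "time-start": "13:00", "time-stop": "17:00"}
  ],
  "whitelist": [
    {"type": "ipv4", "address": "192.168.0.10\/32"},
    {"type": "ipv6", "address": "fe80::10\/64"}
  ]
}
'''

# Index matches datetime.weekday(): Monday == 0.
WEEKDAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]


def load_config(text):
    """Parse the JSON and pre-compute whitelist networks (assumed: a host
    address with a shorter prefix, e.g. fe80::10/64, means the whole block)."""
    cfg = json.loads(text)
    if cfg.get("version") != "1.0":
        raise ValueError("unsupported configuration version")
    nets = [ipaddress.ip_network(w["address"], strict=False)
            for w in cfg.get("whitelist", [])]
    return cfg["rules"], nets


def _hhmm(value):
    hours, minutes = value.split(":")
    return int(hours) * 60 + int(minutes)


def _in_window(rule, when):
    """True when the rule has no schedule or `when` falls inside it.
    Assumption: start inclusive, stop exclusive, so 12:00-13:00 stays open."""
    days = rule.get("weekdays")
    if days and WEEKDAYS[when.weekday()] not in [d.strip() for d in days.split(",")]:
        return False
    start, stop = rule.get("time-start"), rule.get("time-stop")
    if start is None or stop is None:
        return True
    now = when.hour * 60 + when.minute
    return _hhmm(start) <= now < _hhmm(stop)


def _matches(rule, flow):
    """Every selector present in the rule must equal the flow's field."""
    for key in ("application", "application_category", "protocol"):
        if key in rule and rule[key] != flow.get(key):
            return False
    return True


def is_whitelisted(flow, nets):
    """Exempt a flow when either endpoint lies in a whitelisted block."""
    for field in ("src", "dst"):
        addr = ipaddress.ip_address(flow[field])
        if any(addr in net for net in nets):  # cross-family checks are False
            return True
    return False


def evaluate(flow, rules, nets, when):
    """Return the list of actions FWA-style processing would take for `flow`."""
    if is_whitelisted(flow, nets):
        return []
    actions = []
    for rule in rules:
        if not _matches(rule, flow) or not _in_window(rule, when):
            continue
        if rule["type"] == "ipset":
            tag = rule.get("application_category") or rule.get("application") or rule.get("protocol")
            actions.append(("ipset", "netify_" + tag.replace(".", "_").replace("-", "_"), flow["dst"]))
        elif rule["type"] == "mark":
            actions.append(("mark", rule["mark"]))
        elif rule["type"] == "block":
            actions.append(("block",))
    return actions


if __name__ == "__main__":
    rules, nets = load_config(CONFIG_JSON)
    # Constructed flow: a workstation reaching Facebook on a Monday morning.
    fb = {"src": "192.168.0.20", "dst": "203.0.113.5",
          "application": "netify.facebook", "application_category": "social",
          "protocol": "https"}
    print(evaluate(fb, rules, nets, datetime(2024, 1, 8, 10, 30)))   # [('block',)]
    print(evaluate(fb, rules, nets, datetime(2024, 1, 8, 12, 30)))   # [] (lunch hour)
```

Each call returns the actions rather than applying them, which makes the rule file testable before it is handed to a real firewall: a reviewer can assert that the lunch-hour gap is open, that weekends are unaffected, and that whitelisted hosts never hit a block rule.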
For quick reference, you can find the tags (e.g. netify.facebook and streaming-media in the example configuration) used in the detection rules here: