Netify Firewall Agent - FWA

While Netify is primarily an analytics and reporting service, there may be cases when taking real-time action on the network intelligence provided by Netify is desirable - for example, integration with a network firewall.

Netify's API, while convenient and able to deliver greater insight through third-party services such as IP reputation and machine-learning models, is impractical for network flow control because the feedback loop (at best 5 to 20 seconds) is far too long. For example, to block or throttle Facebook traffic, a Facebook web page would almost certainly have been downloaded in its entirety before the flow could be marked and acted upon.

Turning Informatics into Action

QoS and Firewall Hooks

Fortunately for Netify system integrators, we offer an on-premise solution called Netify Firewall Agent, or FWA. FWA consumes real-time, post-flow-analysis data streams from the Netify agent through a live socket on the host. FWA uses this flow data to provide a firewall-agnostic[1] solution for blocking, prioritizing or shaping traffic on the gateway host. The open-source code can be fully containerized, simplifying integration and deployment into a CI/CD software lifecycle.

Netify FWA uses a simple, yet versatile configuration file to block, route or prioritize flows based on:

  • time of day
  • day of week
  • application or protocol detection (Facebook, VoIP etc.)
  • application or protocol categories (Social Media, Peer-to-Peer etc.)
  • MAC or IP address
  • any combination of the above

[1] Netify FWA currently supports iptables, firewalld and Shorewall firewall frameworks, but can be extended to work with almost any platform.

Configuration Details

To get a feel for the features provided by Netify FWA, let's take a look at an example configuration file.

Block Application

The first configuration section defines a block rule for application #201, Instagram. Any network connection Netify classifies as this application will be blocked, even encrypted HTTPS traffic, because the match is made on the flow classification rather than on a plaintext hostname.

Block Application Category

Similarly, the second configuration section defines a block rule, but this one covers an entire application category: #24, Social Media.

Time of Day

You may want to allow certain types of traffic only at certain times, for example during an office lunch hour. The third and fourth configuration blocks show this scenario: Facebook (ID #119) is blocked on weekdays during work hours, except from noon to 1 pm. Two rules are needed because each rule describes a single contiguous time window, so the morning and afternoon windows are listed separately.

QoS Prioritize

The fifth rule configuration block is an example for QoS priority. In this case, SIP traffic (protocol ID #100) is given a higher network priority.

Whitelist

Finally, the whitelist block at the bottom of the JSON payload exempts individual IPs or network blocks from the FWA rule set. The prefix length decides the scope of the exemption: "192.168.0.10/32" exempts a single host, whereas "fe80::10/64", read as a CIDR prefix, exempts the entire fe80::/64 link-local network rather than one address, so check prefix lengths carefully before deploying a whitelist.

{
    "version": "1.0",
    "rules": [
        {
            "type": "block",
            "application": 201
        },
        {
            "type": "block",
            "application_category": 24
        },
        {
            "type": "block",
            "application": 119,
            "weekdays": "Mo,Tu,We,Th,Fr",
            "time-start": "9:00",
            "time-stop": "12:00"
        },
        {
            "type": "block",
            "application": 119,
            "weekdays": "Mo,Tu,We,Th,Fr",
            "time-start": "13:00",
            "time-stop": "17:00"
        },
        {
            "type": "prioritize",
            "protocol": 100,
            "priority": 2
        }
    ],
    "whitelist": [
        {
            "type": "ipv4",
            "address": "192.168.0.10/32"
        },
        {
            "type": "ipv6",
            "address": "fe80::10/64"
        }
    ]
}
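To see how the rule selectors, time windows and whitelist in the configuration above combine for a single flow, here is a small evaluator written for this page. It is an added illustration, not netify-fwa's own code, and the matching semantics it assumes (first matching rule wins, time windows are half-open so 12:00 already falls outside the 9:00 to 12:00 rule, whitelist entries are checked against both endpoints before any rule) are assumptions made for the example, not documented FWA behaviour. The flow record fields (`application`, `application_category`, `protocol`, `src`, `dst`) are likewise invented for the example.

```python
"""Evaluate a Netify FWA-style rule file against a single flow record.

Added illustration, not netify-fwa's own code. Rule semantics below (first
match wins, half-open time windows, whitelist checked on either endpoint)
are assumptions made for this example.
"""
import ipaddress
import json
from datetime import datetime, time

# Constructed copy of the sample configuration from this page, with the JSON
# "\/" escapes removed; both spellings parse to the same strings.
CONFIG_JSON = r'''
{
    "version": "1.0",
    "rules": [
        {"type": "block", "application": 201},
        {"type": "block", "application_category": 24},
        {"type": "block", "application": 119, "weekdays": "Mo,Tu,We,Th,Fr",
         "time-start": "9:00", "time-stop": "12:00"},
        {"type": "block", "application": 119, "weekdays": "Mo,Tu,We,Th,Fr",
         "time-start": "13:00", "time-stop": "17:00"},
        {"type": "prioritize", "protocol": 100, "priority": 2}
    ],
    "whitelist": [
        {"type": "ipv4", "address": "192.168.0.10/32"},
        {"type": "ipv6", "address": "fe80::10/64"}
    ]
}
'''

WEEKDAY_ABBR = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # datetime.weekday(): Monday == 0


def load_config(text):
    """Parse the rule file; whitelist entries become ip_network objects."""
    cfg = json.loads(text)
    # strict=False keeps host bits, so "fe80::10/64" becomes the whole fe80::/64
    # network: a /64 in the whitelist exempts every host on that link.
    nets = [ipaddress.ip_network(w["address"], strict=False) for w in cfg.get("whitelist", [])]
    return cfg["rules"], nets


def _parse_hhmm(s):
    h, m = s.split(":")
    return time(int(h), int(m))


def parse_when(iso):
    """Helper for callers: ISO timestamp string -> datetime."""
    return datetime.fromisoformat(iso)


def rule_matches(rule, flow, when):
    """True if every selector present in `rule` matches `flow` at `when`."""
    for key in ("application", "application_category", "protocol"):
        if key in rule and rule[key] != flow.get(key):
            return False
    if "weekdays" in rule:
        allowed = [d.strip() for d in rule["weekdays"].split(",")]
        if WEEKDAY_ABBR[when.weekday()] not in allowed:
            return False
    if "time-start" in rule or "time-stop" in rule:
        start = _parse_hhmm(rule.get("time-start", "0:00"))
        stop = _parse_hhmm(rule.get("time-stop", "23:59"))
        # Half-open window [start, stop): assumed, so 12:00 is outside 9:00-12:00.
        if not (start <= when.time() < stop):
            return False
    return True


def is_whitelisted(flow, nets):
    """Assumption: a flow is exempt if either endpoint is inside a whitelisted prefix."""
    addrs = [ipaddress.ip_address(flow[k]) for k in ("src", "dst") if k in flow]
    return any(a in n for a in addrs for n in nets)


def decide(rules, nets, flow, when):
    """Return ('allow', None), ('block', rule) or ('prioritize', rule) for one flow."""
    if is_whitelisted(flow, nets):
        return ("allow", None)
    for rule in rules:          # first matching rule wins (assumed ordering)
        if rule_matches(rule, flow, when):
            return (rule["type"], rule)
    return ("allow", None)


if __name__ == "__main__":
    rules, nets = load_config(CONFIG_JSON)
    lunch = parse_when("2024-01-01T12:30")      # 2024-01-01 is a Monday
    fb = {"application": 119, "src": "192.168.0.20", "dst": "203.0.113.5"}
    print("Facebook at lunch:", decide(rules, nets, fb, lunch)[0])
    print("Facebook at 10:00:", decide(rules, nets, fb, parse_when("2024-01-01T10:00"))[0])
    print("link-local host:", decide(rules, nets, {"application": 201, "src": "fe80::abcd"}, lunch)[0])
```

Two checks worth running against your own rule file with this kind of harness: first, if Netify places Facebook in the Social Media category (#24), the category rule in the sample already blocks it all day and the lunch-hour exemption never takes effect, so a category-wide block and a time-windowed application rule for a member of that category do not combine the way one might expect; second, any host in fe80::/64 is exempted by the second whitelist entry, not just fe80::10.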

Source Code to Get You Started

The Netify Firewall Agent can be used as-is, or modified and extended to meet your needs. You can find the source code here: https://gitlab.com/netify.ai/public/netify-fwa. For more information or to schedule a demonstration, please contact us.
