Implementing Firewall Policies
The Halo portal makes the process of creating and deploying firewalls as simple as possible. First, you optionally define some related components such as IP zones. Then you create a firewall policy that applies to a group of similar servers. Finally, you assign the policy to that server group.
Halo then takes care of the rest, automatically assigning a firewall based on that policy to each server in the group, patching in all the correct IP addresses, updating all the servers if you ever change the policy, and adding the firewall to any new servers that join the group, either by manual addition or by cloning/auto-scaling.
Create and Assign a Firewall Policy
Now use the Halo portal to create a firewall policy and assign it to a server group. Once the policy is active and any server comes online through cloning or re-activation of a server in this group, that new server automatically receives the latest appropriate firewall from Halo.
1 Go to the Add New Firewall Policy page.
In the Halo portal, go to Policies > Firewall Policies and click Add New Windows Firewall Policy or Add New Linux Firewall Policy.
- Give the policy a descriptive name and optionally add an additional description.
- Windows only: Specify your logging preferences. (For Linux, you will specify a preference with each rule.)
2 Create firewall rules and save the policy.
A firewall policy is just a set of rules that, when applied to a server, control which inbound and outbound connections will be permitted. To create the policy, you set up those rules. For examples of rules you might create, see Example: Firewall Policies for a Web Application.
Note: When you create an inbound or outbound rule that permits a connection, Halo automatically takes care of creating the corollary rule that allows return communication. You do not need to add the corollary rule in the policy. For details, see Implicitly Create Automatic Corollary Rules.
You'll see from the instructions below that Windows firewall rules differ somewhat from Linux rules. Follow the instructions below that apply to your servers' operating system.
Create inbound rules:
Each inbound rule describes the specifics of one kind of connection from the outside into the server. To create a new rule, click Add New or the Add Rule icon beside any existing inbound rule.
For each rule that you add or edit, specify the following attributes:
- Active. Leave the checkbox selected to keep the rule in effect. (Or clear it to temporarily disable the rule.)
- Interface (Linux only). For a Linux policy, specify the hardware or software interface (for example, eth0) through which a connection will be established. For more explanation about interfaces, see Add a Network Interface.
- Source. Select the IP zone, server group, or GhostPorts user that is the source of the connection attempt. For more explanation about IP zones, see Add an IP Zone. For instructions on creating a firewall rule for GhostPorts users, see Administering Multi-Factor Network Authentication in the Multi-Factor Network Authentication Setup Guide.
- Service. Select the name and port number (for example, https (tcp/443)) of the service that is establishing a connection. For more explanation, see Add a Network Service.
- Connection State (Linux only). For a Linux policy, specify the state of the connection that this rule applies to: NEW, ESTABLISHED, or RELATED. Halo firewall policies for Linux are stateful, meaning that you can create different rules for different times during a connection. See Specify Connection States for more information.
- Action. This is the core of the rule—the action the firewall should take when the above attributes apply to an inbound connection. In Linux, the possibilities are ACCEPT, DROP, or REJECT; in Windows, only ACCEPT or DROP are supported.
Note: DROP means that the connection request is simply ignored; REJECT means that an ICMP "unreachable" error message is sent to the requestor.
- Log (Linux only). Select this checkbox to create a log entry each time this rule is invoked.
Note: On Linux you specify logging per rule. On Windows you specify logging of all accepted connections and/or all dropped connections.
- Log prefix (Linux only). Optionally enter a text string that will uniquely identify matches to this rule in the firewall logs. One use case for this feature is to allow Log-Based Intrusion Detection to easily identify important firewall events when it scans the firewall log. The string may be up to 29 characters long, and it may contain spaces or special characters. For more information, see Use Log Prefixes for Firewall Events in the Log-Based Intrusion Detection Setup Guide.
- Description or Comment. Optionally enter a description for this rule. A comment or description can be useful for explaining the purpose of the rule, especially to security auditors.
Note: For Linux firewalls, the set of acceptable characters for the Comment field includes letters, numbers, and spaces, plus comma, #, @, :, /, and single and double quotes. Windows firewalls accept only letters, numbers, spaces, periods, and underscores in the Description field.
Windows firewall rule:
Linux firewall rule:
End this section of the policy with a default rule, to apply to any inbound connection attempt that is not described by any of the other inbound rules. Normally, it is a rule that drops (denies) all other inbound connections. You can construct the rule yourself, or you can click the Make this change or Add This Rule link on the form to have Halo insert it for you.
Create outbound rules:
Each outbound rule describes the specifics of one kind of connection attempt from this server to an outside entity. To create a new rule, click Add New or the Add Rule icon beside any existing outbound rule.
Create outbound rules the same way you created inbound rules. The attributes for outbound rules are identical to those for inbound, except that there is an outbound Destination attribute in place of the inbound Source attribute.
End this section of the policy with a default rule, to apply to any outbound connection attempt that is not described by any of the other outbound rules. Normally, it is a rule that drops (denies) all other outbound connections. You can construct the rule yourself, or you can click the Make this change or Add This Rule link on the form to have Halo insert it for you.
Note: For evaluation or proof-of-concept installations of Halo firewalls, you may wish to leave all outbound communication unrestricted to avoid cutting off any necessary server access.
Rearrange or de-activate rules:
To refine your firewall policy, you can manipulate the rules in these ways:
- Use the up-down drag-and-drop arrows to change the ordering of the rules. In use, the firewall's inbound or outbound rules are tested in order from the top, and testing stops as soon as one rule's criteria are met. Make sure the ordering of the rules gives you the results you want, and make sure your default-drop rule is the last one in the list.
- Use the Active checkbox to de-activate or re-activate individual rules for testing purposes or to respond to changes in your cloud environment.
When you have finished creating and arranging your inbound and outbound rules, click Apply to save the policy.
Export the policy:
After creating your policy, you can at any time export it in text format to verify that its rules are as you expect them to be. Note that the export version of a firewall policy includes the hidden Halo agent-specific rules and automatic corollary rules that Halo creates, which do not appear when you edit the policy in the Halo portal. For explanation and examples, see Seeing the whole firewall.
3 Assign the firewall policy to your server group.
Return to the Halo Dashboard and, in the list of server groups, locate the name of the server group you want to assign this firewall policy to. Click the group's name, then click Edit Details beneath the name.
The Edit Group Details dialog opens. In the Firewall Policies area, open either the Windows policy or Linux Policy drop-down menu and select the name of the policy that you just created. Then click Save.
Your firewall policy is deployed automatically to the servers in your server group and it will immediately start protecting them. If you make changes to the policy in the future, those changes will be transmitted automatically to those same servers plus any clones dynamically generated from them.
Note: If at this point you find that your firewalls are not functioning as expected, you may need to add, edit, or remove some firewall rules. See Troubleshooting Firewalls for suggestions.
Specify Firewall-Related Components
This section gives additional information or instructions that may help you specify certain firewall rules, attributes, and values.
Specify Connection States
On Linux platforms, Halo firewall policies generate iptables firewalls that are stateful—they support three types of connection states, called NEW, ESTABLISHED, and RELATED in the Halo portal.
- From the standpoint of the firewall, a NEW connection is the first packet sent to the server.
- After the first packet has been received by the firewall, the connection is said to be ESTABLISHED.
To enable a connection to a server on most ports, use the connection states NEW and ESTABLISHED in your firewall rules. The Halo Firewall product will automatically create the corollary outbound rule with a connection state of ESTABLISHED only.
- The RELATED state is used for protocols like FTP that use one port for control and another port for data. If you want to enable external devices to be able to FTP files from a server, or use any other protocol that has a control port and a data port, create an inbound rule with the connection state of ANY (which is the same as NEW plus ESTABLISHED plus RELATED).
Note that in order to REJECT a packet, a RELATED entry must exist in the iptables firewall for the ICMP response. In this case also, the Halo Firewall does this for you automatically; you do not need to worry about creating any outbound rules allowing ICMP when you select one or more services to REJECT.
For more on connection states in iptables, see https://www.faqs.org/docs/iptables/userlandstates.html
Implicitly Create Automatic Corollary Rules
When you create an inbound rule in the Halo Firewall, the corollary outbound rule to allow return communication is automatically created—as also occurs with the common enterprise firewall offerings from Checkpoint, Juniper, Cisco, and so on.
For example, suppose you create the following inbound firewall rule for a Linux firewall:
It enables inbound NEW and ESTABLISHED communications of TCP to port 80. Halo will automatically create the outbound corollary rule, which enables outbound ESTABLISHED communications through the same hardware interface of TCP on port 80 to any destination. Note that the corollary rule will not permit NEW traffic to exit the server. This is an example of what makes the firewall stateful.
Automatic corollary rules do not appear on the Halo portal page that you use to create and edit firewall policies, but you can see them if you export a firewall policy.
Note: Halo also creates automatic corollary rules for Windows firewalls, although those rules are not stateful, because Windows firewalls do not distinguish between NEW and ESTABLISHED connections.
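A small model of how a Linux firewall policy described on this page behaves: rules are evaluated top-down with the first active match deciding (so the default-drop rule must come last, as the Rearrange or de-activate rules section says), and an inbound ACCEPT gets an ESTABLISHED-only outbound corollary rule as described above. This is an added example written for this page, not Halo's code; the iptables command shapes it renders are an assumption about what Halo generates, and the sample policy and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_STATE = frozenset({"NEW", "ESTABLISHED", "RELATED"})  # the portal's "ANY"

@dataclass
class Rule:
    zone: str                   # IP zone as a CIDR block, or "any"
    proto: str = "any"          # "tcp", "udp" or "any"
    port: int = 0               # service port; 0 means any port
    states: frozenset = frozenset({"NEW", "ESTABLISHED"})
    action: str = "ACCEPT"      # ACCEPT, DROP or REJECT
    active: bool = True         # a cleared Active checkbox skips the rule

def corollary(rule):
    """Assumed shape of Halo's return rule: ESTABLISHED only, never NEW."""
    if rule.action != "ACCEPT":
        return None
    return Rule(rule.zone, rule.proto, rule.port, frozenset({"ESTABLISHED"}), "ACCEPT")

def evaluate(rules, src_ip, proto, port, state="NEW"):
    """First match wins: stop at the first active rule whose zone, service and state match."""
    for r in rules:
        if not r.active or state not in r.states:
            continue
        if r.proto != "any" and (r.proto != proto or r.port not in (0, port)):
            continue
        if r.zone != "any" and ip_address(src_ip) not in ip_network(r.zone):
            continue
        return r.action
    raise ValueError("no rule matched: the policy lacks a default rule")

def render(rule, chain, iface="eth0"):
    """Illustrative iptables rendering of one rule (not Halo's exact output)."""
    inbound = chain == "INPUT"
    cmd = ["iptables", "-A", chain, "-i" if inbound else "-o", iface]
    if rule.zone != "any":
        cmd += ["-s" if inbound else "-d", rule.zone]
    if rule.proto != "any":
        cmd += ["-p", rule.proto]
        if rule.port:
            cmd += ["--dport" if inbound else "--sport", str(rule.port)]
    cmd += ["-m", "state", "--state", ",".join(sorted(rule.states)), "-j", rule.action]
    return " ".join(cmd)

# Constructed sample policy: web from anywhere, SSH only from a corporate zone, default drop last.
WEB = Rule("any", "tcp", 80)
SSH = Rule("10.0.0.0/8", "tcp", 22)
DEFAULT_DROP = Rule("any", states=ANY_STATE, action="DROP")
POLICY = [WEB, SSH, DEFAULT_DROP]
```

Moving DEFAULT_DROP to the top of POLICY makes evaluate() return DROP for everything, which is the ordering mistake the Rearrange section warns about.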
Add a Network Interface
Network Interfaces are the physical or virtual hardware interfaces used by a Linux server. In a Linux firewall policy rule, you specify which interface the rule applies to by selecting it from the Interface drop-down list. Typical device names are
Halo provides a list of common interface device names, and you can add custom names to the list as needed. Here is an example Interface list:
If you have implemented custom network interface devices on your servers, you can add their names to Halo so that they can be used in firewall rules.
- In the Halo portal, go to Policies > Firewall Policies and click Network Interfaces. Then click Add Network interface.
(Or, select "Add New" at the bottom of the Interface drop-down list in a firewall rule.)
- Enter the name of your custom interface device and click Create.
The interface will now appear in the Network Interfaces list and in the Interface drop-down list when you create a Linux firewall rule.
Add an IP Zone
IP Zones are arbitrary sets of IP addresses or CIDR blocks that specify the possible sources or destinations of a communication. In a firewall policy rule, you select an IP zone name from the Source or Destination drop-down list rather than entering individual IP addresses or ranges.
Halo provides only one default IP zone—"any (0.0.0.0/0)". It is up to you to define meaningful zones based on the IP addresses of your cloud servers, your other installations, your suppliers and partners, and so on. Here is an example set of IP zones in a Source or Destination list:
You will likely want to define several IP zones for your firewall policies, to describe various parts of your corporate network. You may not need to define IP zones for the addresses of your Halo-protected servers, because you will be able to refer to them by server-group name in your firewall policies. However, if for example you need to specify only the internal IP addresses for a group of servers, you might want to create an IP zone for that purpose.
- In the Halo portal, go to Policies > Firewall Policies and click IP Zones. Then click Add IP Zone.
(Or, select "Add New" at the bottom of the Source or Destination drop-down list in a firewall rule.)
Here, the CIDR block defining all of the IP addresses in the U.S. call center is given a name.
- Enter a name for the zone, then enter one or more IP addresses or CIDR blocks, separated by commas. Then click Create.
The IP zone will now appear in the IP Zones list and in the Source and Destination drop-down lists in a firewall rule.
Note: CloudPassage recommends that you include no more than 300 IP addresses and CIDR blocks in a single IP zone. If you need to specify a larger number, you can allocate them among multiple IP zones, and assign the zones individually to multiple, otherwise identical firewall rules.
Add a Network Service
Network Services are named IP application protocol/port number pairs (for example, "ldap(tcp/389)") that you specify in firewall policy rules by selecting them from the Service drop-down list.
Halo provides a list of the most common Linux and Windows services, and you can define custom services as well. Here is the default Services list:
You may not have to add any new network services to Halo, but it is simple to do so if you need to.
- In the Halo portal, go to Policies > Firewall Policies and click Network Services. Then click Add Network Service.
(Or, select "Add New" at the bottom of the Service drop-down list in a firewall rule.)
Here, the service named "LoadBalancer" has been defined as the TCP protocol over port 8080.
- Enter a name for the service, specify a protocol, and specify a port. Then click Create.
The network service will now appear in the Network Services list and in the Service drop-down list in a firewall rule.