Skip to content

Advanced Firewall

Overview


The Advanced Firewall application can be used to create object-based firewall rules to manage the traffic flow between various zones in the Crystal Eye XDR network.

The advanced features of this application allow CE XDR administrators to create:

  1. Default and custom security zones

  2. Traffic rules and assign them to security zones

  3. Application rules to assign DNAT rules

  4. Gateway traffic rules.

Note

The advanced firewall application has numerous default traffic and application rules. In addition to this, the CE XDR also provides options to create customised traffic rules (with actions such as Allow, Reject, Block, IDPS, and Web Filtering) and customised application rules to optimize DNAT rules.

Installation


The advanced firewall application is installed by default and can be accessed from the left-hand navigation panel.


Left-hand navigation panel > Security Configuration > Advanced Firewall Application

crystal-eye-xdr-navigation-advanced-firewall

Audit Report


Audit report provides a visual depiction of total number of default and custom zones created and shows the Incoming, Outgoing and Interzone traffic policies (Allow/Reject/Block).

In the screenshot below there are four zones: LAN, WAN, HOTLAN, DMZ. All these zones have explicit interzone incoming and outgoing traffic policies depicted with colour codes green and red, where red indicates blocked traffic and green indicates allowed traffic.

crystal-eye-xdr-audit-report

Note

The visual audit report is auto updated as soon as the custom zones are created as per the requirements. Know how to create custom zones.

Security Zones in Crystal Eye XDR


A security zone can consist of multiple network segments that can be governed with the help of inbound and outbound rules. These security zones created in the Crystal Eye XDR network are bound with the interfaces which then processes traffic.

Note

A Security Zone of the CE XDR can be assigned to multiple interfaces whereas an interface can only be assigned to only one zone.

The security zones created in the Crystal Eye XDR are used to define the traffic with the help of object-based firewall policies. By default, there are four security zones in the Crystal Eye XDR namely, LAN, WAN, DMZ and HotLAN.

Note

Refer to the use case under the traffic rules section to know how security zones are used in inbound and outbound traffic rules.

Default Security Zones in Crystal Eye XDR


Crystal Eye XDR has 4 default security zones namely, LAN Zone, HotLAN Zone, WAN Zone and DMZ Zone.

The Crystal Eye XDR network can be configured to accommodate multiple default access policies so that the flow of traffic can take place between different security zones such as LAN Zone, HotLAN Zone, WAN Zone and DMZ Zone.

LAN Zone Related Access Policies & its Communication Details with Other Default Security Zones

  • All communications from LAN Zone to External Zone are permitted by default.
  • All communications between network assets within the LAN Zone are permitted by default.
  • All communications from the LAN Zone to HotLAN Zone are permitted by default.
  • All communications from LAN Zone to DMZ Zone are blocked by default.

Hot LAN Zone Related Access Policies & its Communication Details with other Default Security Zones

  • All communications from HotLAN Zone to External Zone are permitted by default.
  • All communications from HotLAN Zone to LAN Zone are blocked by default.
  • All communications between network assets within the HotLAN Zone are permitted by default.
  • All communications from HotLAN Zone to DMZ Zone are blocked by default.

External Zone Related Access Policies & its Communication Details with other Default Security Zones

  • All communications from WAN Zone to LAN Zone are blocked by default.
  • All communications from WAN Zone to HotLAN Zone is blocked by default.
  • All communications from WAN Zone to DMZ Zone are blocked by default.

DMZ Zone Related Access Policies & its Communication Details with other Security Zones

  • All communications between the DMZ Zone to the External Zone are permitted by default.
  • All communications between DMZ Zone to LAN Zone are blocked by default.
  • All communications between DMZ Zone to HotLAN Zone are blocked by default
  • All communications between network assets within the DMZ Zones are permitted by default.

Custom Security Zones


The Crystal Eye XDR offers feature to create custom zones and inter-zone policies. Such zones can be used to customize traffic movement and access across different zones and network depending upon use case.

The default zone policies of the CE XDR can be edited to suit the security policies and traffic policies of the organisation using Traffic Rules, Application Rules and Gateway Traffic Rules.

How to Create Custom Security Zones?

                  Firewall Parameters that can be Configured while Creating Custom Zones
Parameters Description
Allowed Zones These are the zones that are explicitly allowed to communicate with the interface/zone to which this zone will be assigned to (even if the Interzone Traffic Policy Setting is set to Block)
Blocked Zones This parameter is useful when you have configured the Interzone Traffic Policy to Allow traffic between zones, but you want to exclude (explicitly block) a zone from that. Then you would select that zone as a blocked zone
Incoming Traffic Policy Select to allow incoming traffic.
Outgoing Traffic Policy Select to allow outgoing traffic.
Interzone Traffic Policy Select Allow to permit traffic between zones and Block to prevent communication between zones.
NAT Select when this Zone should perform NAT

Step 1: In the Advanced Firewall app page, click the Add button under the Security Zones tab. crystal-eye-xdr-custom-security-zone1

Step 2: You will now see the Add New Zone section. Enter a name and description for the Zone. Select the Allowed Zones and Blocked Zones if applicable, Select the Incoming/Outgoing/Interzone Traffic Policies and check the NAT tick box if this zone will be doing Network Address Translation (NAT). crystal-eye-xdr-custom-security-zone4

Step 3: Click the Add button. crystal-eye-xdr-custom-security-zone3

Traffic Rules


Crystal Eye XDR’s Advanced Firewall application has enhanced capabilities to govern, and control inter zone traffic. The traffic rules feature is designed to determine access rights and allow or reject traffic between network object /hosts.

These rules can play a vital role to assign access rights allowing enhanced level of protection to the network objects (such as a subnet) or a network host. It is through these rules that traffic can be controlled by its Source, Destination, Zone, and Service.

In addition, the CE XDR administrator can assign various firewall policy actions to the traffic such as:

  1. Allow
  2. Reject
  3. Block
  4. IDPS
  5. Web Filter (Authentication based & IP/MAC based)

Default Traffic Rules


The advanced firewall application in CE v4.0 comes pre-configured with default traffic rules. These rules are discussed in detail below.

Allow ICMP: ICMP protocol is enabled on CE XDR so that incoming ping requests from any source are allowed to ensure smooth functioning of the vulnerability scanning feature.

Allow SSH Access: This rule allows all SSH protocol related incoming traffic from any source.

Allow Webconfig Access: This rule allows CE XDR administrators to access it via webconfig.

Allow BGP Access:

Allow Transparent Web Filter: This is default firewall policy rule related to content filtering across CE XDR network. However, this is the only rule among the other default rules that can be edited and customised as per network requirements. The user can bypass web filtering for the entire network and can also switch to four modes of content filtering i.e Transparent, Transparent with SSL decryption, Explicit & Eplicit with SSL decryption.

Custom Traffic Rules Use Case Scenario (Firewall Rule Action - Allow)


Let’s learn how the Traffic Rules feature of the Advanced Firewall Application can be used to create firewall rule with an ‘Allow’ rule action. In the use case below, we will create a firewall rule specially designed for an Operational Technology (OT) environment (refer to the diagram below).

crystal-eye-xdr-custom-traffic-rules1

In the diagram above, we have created an OT environment with the following zones:

  1. SCADA Zone consisting of SCADA workstations and SCADA servers.
  2. DMZ Zone consisting of DMZ hosts
  3. Industrial Control System (ICS) Zone consisting of engineering workstations, Historian Servers and HMI.
  4. PLC Zone consisting of PLC workstations.
  5. Manufacturing Operating System consisting of Lab Workstation, File Server, and MES/MOM.
  6. Infrastructure Management Zone consisting of Infra Management hosts.
  7. HOT LAN Zone which can be considered as an untrusted zone.
  8. The Business Enterprise Zone is connected with the OT environment with IPsec VPN and the remote workers are connected to the OT environment using SSL VPN.

Based on the diagram above the following security policies/firewall rules (refer to the table below) can be created and implemented using the Advanced Firewall Application in this scenario. However, we will discuss how the first rule below can be created with the help of screenshots. In this rule we will allow RDP traffic to flow from an Untrusted Zone’s corporate subnet to DMZ Zone’s DMZ-Host1.

Security%20Policy%20%28rules,%20firewall%20rules,%20etc%29

How to Create an Object-based Traffic Rule in the Advanced Firewall application?

Based on the scenario discussed below, we will be creating a traffic rule as mentioned in the first rule in the table above.

Just to recall the contents of the firewall rule, the RDP traffic (TCP, 3389) originates from the corporate subnet of the untrusted zone and the destination of this traffic is DMZ Zone’s DMZ Host 1 (refer to the table below for more clarity).
table-2-advanced-firewall-crystal-eye-xdr

We will also create network-based object such as corporate subnet, a host-based object DMZ-Host 1 and service-based object protocol RDP (tcp/3389). All these objects will be created using the Host & Groups application and will finally be used to created object-based firewall policy/rule.

Step 1: Go to Host and Groups application under the System Configuration menu. crystal-eye-xdr-custom-traffic-rules2

Note

You will now see the user interface of the Host and Groups application. We will now create the objects before the traffic rule is created. The three objects we will create is RDP protocol (tcp/3389), Corporate Subnet (10.10.1.0/24) and DMZ - Host1 (10.10.2.1/24). The diagram and the tabular format of the firewall rule below can be reviewed to understand more about the objects that would be created and where these objects are positioned in the OT Environment diagram. crystal-eye-xdr-custom-traffic-rules3

Step 2: We will now create an object for RDP protocol (tcp/3389). To do so, click the Services tab on the Hosts and Groups application page.
crystal-eye-xdr-custom-traffic-rules4

Step 3: You will now see the Add Services page. Enter RDP in the Names textbox. crystal-eye-xdr-custom-traffic-rules5

Step 4: Enter the Port Number as 3389, select the Group as Default_ Service_Group, enter the Description and click the Add button. crystal-eye-xdr-custom-traffic-rules6

Step 5: You will now be directed to the Services page. The service-based object created for RDP protocol will be listed on this page. crystal-eye-xdr-custom-traffic-rules7

Step 6: Now click the IP Host tab and you will now see The IP Host page. Click the Add button on the top-right corner of the IP Host page. We will now create an object for the Corporate Subnet. crystal-eye-xdr-custom-traffic-rules8

Note

The IP address of the corporate subnet is 10.10.1.0/24.

Step 7: You will now see the Add IP Host page. Enter Corporate_Subnet in the Name textbox, Select the Family as IPV4 and the Type as Network, enter the corporate subnet network IP address (10.10.1.0/24) in the value field, select the Group and the description. After updating these values click the Update button. crystal-eye-xdr-custom-traffic-rules9

Step 8: You will be directed to the listing page of IP Host where you will be able to see the object (corporate_subnet) created in the IP Host list. crystal-eye-xdr-custom-traffic-rules10

Step 9: We will now create the third and the last object for the DMZ Host 1 (Refer to the image in the Note section below to understand the positioning of DMZ Host 1 in the diagram and in the firewall rule). Click the IP host tab and then click the Add button on the top right corner of the IP Host section. crystal-eye-xdr-custom-traffic-rules11

Note

In the following diagram you will be able to understand the positioning of DMZ-Host1 and also know the firewall rule in context of the traffic flow between two objects i.e Corporate subnet and DMZ-Host1.crystal-eye-xdr-custom-traffic-rules12

Step 10: You will now see the Add IP Host page. Enter DMZ-Host1 in the Name textbox, Select the Family as IPV4, Select the Type as IP from the dropdown, enter DMZ-Host1 IP address 10.10.2.1/24 in the Value field, leave the Group as default (DEFAULT_IPHOST_GROUP) unless there is a requirement to change this, enter the description and click the Add button. crystal-eye-xdr-custom-traffic-rules13

Step 11: You will now see DMZ_Host1 listed in the IP Host section. crystal-eye-xdr-custom-traffic-rules14

We have now successfully created three objects that will be used to create an object-based firewall policy/rule. In the steps below, we will use the 3 objects created above and then create the traffic rule to allow RDP communication if the traffic originates from the corporate subnet of untrusted zone and has its destination as the DMZ_Host1 server in the DMZ Zone.

Step 12: Go to Security Configuration > Advanced Firewall crystal-eye-xdr-custom-traffic-rules15

Step 13: You will now see the Advanced Firewall application page. Click the Traffic Rules tab. crystal-eye-xdr-custom-traffic-rules16

Step 14: You will now see the Rules page. Click the Add button on the top right corner of the Rules section. crystal-eye-xdr-custom-traffic-rules17

Step 15: You will now be directed to the Add New Traffic Rule pop-up page. crystal-eye-xdr-custom-traffic-rules18

Note

The screenshot above shows where we will create the firewall policy/rule to allow all RDP communications originating from the corporate subnet in the untrusted zone with the destination to the DMZ_Host1 in the DMZ Zone.

Step 16: Enter the Description, select the Protocol as TCP, select the Source Zone as HOTLAN, select the Network as corporate_subnet, select the destination zone as DMZ, select destination IP Address as dmz_host1, select the service/port as RDP, select the Actions as Allow and then click the Add button. crystal-eye-xdr-custom-traffic-rules19n

Note

The firewall rule created in the screenshot above can be elaborated in a tabular format below.table-2-advanced-firewall-crystal-eye-xdr

Outcome- You will see the firewall rule listed in the Rules page

Use Case Scenario for Custom Traffic Rules (Firewall Rule Action - Block)


The ‘block action’ of the advanced firewall can be used to enforce firewall policies where there’s a requirement to block traffic originating within the internal security zones or from the WAN side of the CE XDR.

In the use case scenario discussed below, we will use the ‘block action’ of the advanced firewall to enforce MAC based filtering in the wireless interface of the CE XDR.

MAC filtering relates to a security access control methodology where only known devices are permitted to access the network interface. MAC filtering is widely used to prevent unwanted devices to gain network access in a wireless environment (WLAN).

To achieve MAC filtering in the wireless interface of the CE XDR, we will block all the MAC addresses that are not permitted to access the internet via Wi-Fi.

Note

MAC address filtering as a security access control methodology is more reliable than IP based filtering since MAC addresses remain the same in an environment with DHCP. The dynamic IP addresses of the host change in a DHCP network environment and that’s why MAC based filtering is preferred as it makes it more feasible to identify and filter the source and destination of the traffic.

MAC filtering provides the much-required additional layer of security where any attempt by an attacker to access the network by masquerading the IP address is blocked. This is made possible since the MAC address is taken as the sole criterion to while providing access to the network.

How to use block firewall policy action using the traffic rules to enforce MAC based filtering?

The wireless interface of the CE XDR gets created automatically after the wireless access point app is installed from the marketplace. The Wi-fi interface gets assigned to the LAN zone by default (refer to the network settings application screenshot below). crystal-eye-xdr-mac-filtering1

Note

All the communications between Wi-Fi1 interface and WAN zone are allowed by default.

Step 1: Go to System Configuration > Hosts and Groups > MACHosts and create MAC Hosts Group of all the MAC addresses that are not permitted to have explicit access to the internet via Wi-Fi. crystal-eye-xdr-mac-filtering2

Note

In our use case scenario, we will name the group as WiFi_Restricted_Group.

Step 2: Now go to Security Configuration > Advanced Firewall > Traffic Rules and click the Add button on the top-right corner of the Rules section. crystal-eye-xdr-mac-filtering3

Step 3: You will now see the General Settings section and Advanced Settings section in the Add New Traffic Rule pop-up. Select the Zones in the Source section and the Destination section as LAN and WAN respectively. crystal-eye-xdr-mac-filtering4

Step 4: In the Actions section, select Block from the Target dropdown. crystal-eye-xdr-mac-filtering5

Step 5: Click the Advanced Settings tab and select Wi-Fi1 from the Network dropdown under the Source section. Also select the MAC address group (Wifi_Restricted_Group) from the MAC Address dropdown and click Add. crystal-eye-xdr-mac-filtering6n

Note

Whenever you come across a MAC address which needs to be blocked go to the Host and Groups application and add the MAC address to the Mac group created there (in our case the group name is WiFi_Restrict_Group)

You have now restricted internet access via Wi-Fi for a bunch of devices in the CE XDR network through MAC address filtering.

Use Case Scenario for Custom Traffic Rules (Firewall Rule Action - IDPS)


Learn how to use the 'IDPS Target feature' of the traffic rules by referring to the IDPS Inline mode section

Application Rules


The Application rules feature of the Advanced firewall application is a perfect platform to apply DNAT rules. The DNAT Rules translates the IP address of an internal server positioned behind the Crystal Eye XDR to a Public IP address which can then be accessed by an end point client located in a remote location. We will discuss more about DNAT rules and how to create it with a use case below.

Use Case Scenario for Application Rule


Let’s review the use case scenario discussed below and understand more about using the Application Rules feature used for creating DNAT rules in the Crystal Eye XDR.

In the use case diagram discussed below, we have a server in a segmented network named as Host-1 with an IP address (172.16.0.10). Host-1 server has web services running on its port 8080. We will create a DNAT rule so that the remote client (with the IP address 198.41.100.6 and 198.41.100.7) gets access to the services running on the webserver. Application_Rules

How to Create Destination NAT Routes Using the Application Rules Feature of the Advanced Firewall Application?

In the steps below, we will create an object for the two clients (Client 1 & Client 2) which needs to be given explicit access to Host1 (172.16.0.10:8080). We will also create an object of Host1 and then use these objects to create a DNAT rule.

We will create the following objects in the Hosts and Groups application:

  • A single object for Client 1 and Client 2

  • Object for Host 1

  • Object for https service port (443)

Step 1: Go to System Configuration > Hosts and Groups and click the IP Host tab. crystal-eye-xdr-custom-traffic-rules-action-web-filter21

Step 2: You will now be directed to the Add IP Host page. Enter the following in the designated text boxes.

  • Client1andClient2 in the Name textbox

  • Enter the IP address of Client 1 and Client 2 in the Value textbox

  • Enter a suitable description

crystal-eye-xdr-custom-traffic-rules-action-web-filter22

Note

You will now see the object in the IP Host dashboard.crystal-eye-xdr-custom-traffic-rules-action-web-filter23

Step 3: Similarly, create another object for Host-1 with the IP address 172.16.0.10. crystal-eye-xdr-custom-traffic-rules-action-web-filter24

Step 4: Click the Services tab in the Hosts and Groups application. crystal-eye-xdr-custom-traffic-rules-action-web-filter25

Step 5: You will now see Add Services page.

  • Enter the Name as HTTPS Port

  • Enter port number as 443

  • Add a description

crystal-eye-xdr-custom-traffic-rules-action-web-filter26

Step 6: Go to Security Configuration > Advanced Firewall, click the Application tab and then click the Add button. crystal-eye-xdr-custom-traffic-rules-action-web-filter27

Step 7: You will now see the New Application Rule pop-up.

  • Enter the description

  • Select TCP from the Protocol dropdown

  • Select the WAN IP in the From IP Address dropdown

  • Select Host 1 object in the To IP Address dropdown (as created in step 3)

  • Select HTTPS_Port object in the From Service/Port (as created in step 5 and step 6)

crystal-eye-xdr-custom-traffic-rules-action-web-filter28n

Step 8: Click the Advanced Settings tab, select WAN in the Zones dropdown under the Source section and click the Add button. crystal-eye-xdr-custom-traffic-rules-action-web-filter29n

Note

You will now see the DNAT rule in the Application Rules dashboard.crystal-eye-xdr-custom-traffic-rules-action-web-filter30