
Launch of the Managed Firewall service

Managed Firewall

Almost a month ago, we invited all customers renting dedicated servers or using our colocation services, via the ticket system, to take part in closed testing of our new service, Managed Firewall. We are now ready to offer this service for general use.



What is it?


Managed Firewall is a protected Internet channel service with a managed firewall. Its job is to inspect and filter the network packets passing through it according to the policies and screen options you configure.




Billing


We have tried to keep billing as simple as possible and reduced it to a single parameter: the bandwidth of the protected channel. Bandwidth can be increased in steps of 5 Mbit/s.



Restrictions


The service can only be activated for physical servers located in our St. Petersburg data centers (it is not yet available in Moscow).



Service activation


To start using the service, you must have at least one dedicated subnet for servers in the St. Petersburg data centers and pay for protected bandwidth in the required amount.
Protected bandwidth is an independent resource, and any of your subnets (paid, free of charge, or PI addresses) can be attached to it. A subnet is moved from the unprotected network to behind the firewall manually, at a time agreed with you; network downtime during the move is about one minute.



Bandwidth change


Once the firewall service is active, you can change the protected bandwidth on the fly from the control panel. Changing the bandwidth (up or down) causes no downtime.



Beginning of work


By default, traffic protection is turned off: traffic already passes through the firewall, but no actions are applied to it. After paying for the service and moving a subnet under protection, you get access to the firewall control panel, which shows a graph of protected bandwidth utilization, a graph with counters for "bad" traffic, and tabs for managing policies and traffic validation options.



Traffic validation process


A packet is first looked up in the table of existing sessions. If it does not belong to any session, it goes through the screen checks and then through the policy chain; if no anomaly is found and a policy permits it, the packet is delivered to its destination address. If the packet belongs to an existing session, it is only checked for anomalies on the screen, skipping the policy chain, and is then delivered. Policies can be defined for both directions, incoming and outgoing, while the screen inspects all traffic passing through the firewall regardless of direction. Because the firewall tracks sessions, a policy only needs to permit the direction in which the session is opened: the reply traffic is matched to the existing session, so you do not have to create a mirror-image permit rule from the destination address.



Addresses


To protect specific IP addresses from your subnet, add them on the Addresses tab. Once added, they can be selected as the source or destination address when creating policies. On the same tab you can also add any other IP addresses (not only your own, but any public address) for later use in policies.



Screen options


On the screen, each packet is checked for the following types of attacks:




Policy Definition


When creating a policy, you choose the direction of filtering: from the Internet to the protected zone, or the reverse. Besides the direction, a policy specifies the source address, destination address and destination port (application). A policy also needs an action to apply to the packet: allow, deny (drop silently), or reject (drop and notify the sender that the destination is unreachable). For each policy you can view a graph of its bandwidth consumption. The order of policies matters, since they are evaluated sequentially and the first match wins; if no policy matches, the default policy is to deny the packet.
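The following is an added illustration, not the provider's code, of the packet pipeline described in the "Traffic validation process" and "Policy Definition" sections: session lookup, screen checks, an ordered policy chain with allow / deny / reject actions, and an implicit default deny. The addresses, ports, class names and the two screen checks (source equals destination, SYN+FIN set together) are assumptions for the example; the page itself does not reproduce its list of screen options. The point it demonstrates is that only the direction that opens a session needs a permit rule: the reply packet is matched to the existing session and never walks the policy chain.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"
    DENY = "deny"      # drop silently
    REJECT = "reject"  # drop and report "destination unreachable" to the sender


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> protected zone, "out" = protected zone -> Internet
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags as strings, e.g. {"SYN"}


@dataclass(frozen=True)
class Policy:
    """One entry of the policy chain: direction, addresses, destination port, action."""
    direction: str
    src: str             # "any" or an address from the Addresses tab
    dst: str
    dport: Optional[int]  # None = any destination port
    action: Action

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


def screen(p: Packet) -> Optional[str]:
    """Stand-in anomaly checks (assumed; the real screen options are not listed here).
    Returns a reason if the packet is anomalous, otherwise None."""
    if p.src == p.dst:
        return "source address equals destination address"
    if {"SYN", "FIN"} <= p.flags:
        return "SYN and FIN set together"
    return None


class Firewall:
    def __init__(self, policies):
        self.policies = list(policies)   # order matters: the first matching policy wins
        self.sessions = set()            # (proto, src, sport, dst, dport) of permitted sessions
        self.bad_counter = 0             # feeds the "bad traffic" counter on the graph

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        # The reply direction of a session swaps the endpoints.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> Action:
        in_session = (self._key(p) in self.sessions
                      or self._reverse_key(p) in self.sessions)
        # The screen inspects every packet, whatever its direction or session state.
        if screen(p) is not None:
            self.bad_counter += 1
            return Action.DENY
        if in_session:
            return Action.ALLOW          # known session: the policy chain is skipped
        for pol in self.policies:        # new session: walk the chain in order
            if pol.matches(p):
                if pol.action is Action.ALLOW:
                    self.sessions.add(self._key(p))
                return pol.action
        return Action.DENY               # implicit default policy


if __name__ == "__main__":
    fw = Firewall([
        Policy("in", "any", "203.0.113.10", 443, Action.ALLOW),
        Policy("in", "any", "203.0.113.10", 22, Action.REJECT),
    ])
    syn = Packet("in", "tcp", "198.51.100.7", 40000, "203.0.113.10", 443, frozenset({"SYN"}))
    synack = Packet("out", "tcp", "203.0.113.10", 443, "198.51.100.7", 40000, frozenset({"SYN", "ACK"}))
    print(fw.process(syn), fw.process(synack))   # reply is allowed with no "out" policy
```

Note that the only outgoing traffic this ruleset allows is replies within sessions opened from the Internet; a connection initiated from the protected server would hit the default deny unless an "out" policy is added.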



Order


You can find the price of this service on our website.
The service is already available for order in the control panel: "Service Order" → "Network Services" → "Managed Firewall".

Source: https://habr.com/ru/post/162397/

