FireBrick

FireBrick - Firewalls, Bonding ADSL, Routers, Traffic Shaping...

FireBrick 105 Features

Details of how to obtain and activate optional features for your FireBrick are available here.

Out-of-the-box Protection

  • Simply connect FireBrick between your computer or network and your internet connection
  • Provides instant firewall protection using default filter rules, without any configuration, in a typical application
  • Uses Stealth mode to route traffic between WAN and LAN without needing an IP address
  • Select 1 of the 4 most common configurations using the simple Factory Reset procedure
  • Load a pre-defined configuration file for instant bespoke configuration

Easy-to-use web-based configuration pages

  • Use any web browser, no bespoke configuration software needed
  • Access from LAN or WAN, with password protection
  • Multiple Administrative Users, each with configurable access restrictions, including read-only
  • Configurable User Interface (e.g. choose subnet masks format, date format, etc.)
  • FireBrick Configuration can be saved to a PC, and reloaded to FireBrick
  • Software upgrades - download free from website, and load easily using web browser
  • LEDs on FireBrick for configurable at-a-glance diagnostics

Managed Switch

  • WAN port and 4 port LAN Switch as default
  • WAN and LAN can be swapped (e.g. to use switch for multiple WAN connections)
  • All ports RJ45, 10/100Mbps, Full/Half Duplex, Auto Crossover, fully configurable
  • Throughput 100Mb/s switching, approx. 14Mb/s routing (typical)
  • Built-in Cable Tester - diagnose cable shorts or breaks, disconnected or powered-down far end, distance to damage or far end, etc.
  • Optional 5 Port Feature - all 5 ports independent, create DMZs etc.
  • Optional VLAN Feature - VLAN tagging for when 5 ports are not enough

Session Tracking Firewall

  • Default filters for most typical requirements, but fully customisable
  • Ordered filter matching on new sessions
  • Session tracking with configurable time-outs
  • Filter on source and/or target ports and protocol (e.g. allow in TCP port 80 to web server)
  • Filter on source and/or target IP addresses
  • Use IP and Port Groups for source and/or target
  • Filter on source and/or target interface(s) (e.g. WAN, LAN, DMZ, Tunnel, etc.)
  • Filter on TCP SYN and TOS
  • Each rule can Allow, Drop, Bounce, or Reject
  • Notify using Alert LED and log (configurable)
  • With optional Reporting Feature, stats by syslog, email, and SNMP

Stealth

  • Allows FireBrick to be plugged between WAN & LAN and filter traffic without having its own IP address
  • Passes ARP requests between WAN and LAN
  • ARP request/reply is tracked to avoid ARP stealing
  • Makes FireBrick invisible to traceroute and portscans
  • Easily disabled - configure as router with own IP address(es)

Status Information

  • Log file records all critical events (configurable)
  • Full RMON stats available for the routing core and each of the 5 ports
  • Throughput stats available for each filter rule, with per-second, per-5-minute, per-day and total counts
  • Session list - shows all active sessions. Filter list by various parameters such as protocol
  • DHCP report - shows all DHCP allocations, including renewal time, machine name and MAC
  • ARP cache report - shows all active ARPs requested by FireBrick
  • MAC cache report - shows all visible MAC addresses on per port basis
  • Optional Reporting Feature for syslog, email and SNMP

IP Groups

  • Define groups of addresses (e.g. addresses of all your web servers)
  • Use IP group by name in multiple places (e.g. filters)
  • Allows a single control (e.g. filter) to apply to many IP addresses, so reducing number of filters required
  • Allows even single addresses to be given a logical name, for ease of use
  • IP of logged-in user - a special group ideal for allowing timed pinhole access from a dynamic IP address

Port Groups

  • Port groups - Define sets of protocol/ports (e.g. TCP 1024-65535->80/443 for web traffic)
  • Use Port Group by name in multiple places (e.g. filters)
  • Allows a single control (e.g. filter) to apply to many protocol/ports, so reducing number of controls required
  • Allows even single protocol/port to be given a logical name, for ease of use
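The Session Tracking Firewall, IP Groups and Port Groups sections above describe an ordered, first-match rule set that only consults the filters for new sessions. The following Python model is an added illustration of that behaviour, not FireBrick code: the group names, rule fields, packet dictionary layout and documentation-range addresses are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed IP groups and one port group in the style of the feature list above
# ("TCP 1024-65535->80/443" for web traffic); all addresses are documentation ranges.
IP_GROUPS = {"webservers": [ipaddress.ip_network("192.0.2.10/32"), ipaddress.ip_network("192.0.2.11/32")],
             "lan": [ipaddress.ip_network("192.168.1.0/24")]}
PORT_GROUPS = {"web": ("tcp", (1024, 65535), {80, 443})}  # protocol, source port range, target ports

@dataclass
class Rule:
    action: str          # Allow, Drop, Bounce or Reject
    src_if: str = None   # None matches any interface; likewise for IP groups and port groups below
    dst_if: str = None
    src_ip: str = None   # IP group name
    dst_ip: str = None
    ports: str = None    # port group name
    timeout: int = 300   # session time-out (seconds) for sessions this rule allows

def _ip_in_group(ip, group):
    return group is None or any(ipaddress.ip_address(ip) in net for net in IP_GROUPS[group])

def rule_matches(rule, pkt):
    if rule.ports is not None:  # port group: protocol, source port range and target port must all match
        proto, (lo, hi), targets = PORT_GROUPS[rule.ports]
        if not (pkt["proto"] == proto and lo <= pkt["sport"] <= hi and pkt["dport"] in targets):
            return False
    return (rule.src_if in (None, pkt["src_if"]) and rule.dst_if in (None, pkt["dst_if"])
            and _ip_in_group(pkt["src"], rule.src_ip) and _ip_in_group(pkt["dst"], rule.dst_ip))

class SessionFirewall:
    def __init__(self, rules, default="Drop"):
        self.rules, self.default, self.sessions = rules, default, {}  # key -> (expiry, timeout)

    def decide(self, pkt, now):
        """Return (action, reason) for one packet seen at time `now` (seconds)."""
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        for key in (fwd, rev):  # traffic of a tracked, unexpired session bypasses the filters
            if key in self.sessions:
                expiry, timeout = self.sessions[key]
                if expiry > now:
                    self.sessions[key] = (now + timeout, timeout)  # refresh on activity
                    return ("Allow", "established")
                del self.sessions[key]  # expired: anything further is treated as a new session
        for n, rule in enumerate(self.rules, 1):  # ordered matching: first match wins
            if rule_matches(rule, pkt):
                if rule.action == "Allow":
                    self.sessions[fwd] = (now + rule.timeout, rule.timeout)
                return (rule.action, f"rule {n}")
        return (self.default, "default")
```

Note that a reply from a web server is allowed only while its session is tracked; once the time-out lapses, the same packet falls through to the ordered rules again.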

Subnets

  • Define multiple subnets on multiple interfaces, each with:-
    • DHCP server with persistent allocation, configurable IP range, gateway, DNS servers, etc.
    • DHCP client, configurable, works with any standards-compliant server
    • Network Address Translation (NAT)
    • VLAN ID (with optional VLAN Feature)
  • FireBrick uses different MAC address for each subnet
  • Multiple DHCP client subnets with different MACs (useful for some cable modem installations)
  • DHCP Restrict - allocate specific addresses or subnets to specific machines, based on name or MAC of machines
  • DHCP Mirror -
    • allows a DHCP allocated address (e.g. from cable modem) to be passed on to another machine, via DHCP server
    • holds allocation while the other machine is switched off (useful if allocated address is dynamic)
  • Supports /31 subnets (RFC3021, not widely supported so use with care)

Routing

  • Normal and Stealth routing
  • Ordered routing rules (the first matching rule is followed)
  • Routes can be placed before or after routing to subnets
  • Routing match criteria:-
    • Route on source interface(s)
    • Route on target IP, port and/or protocol
    • Route on source IP, port and/or protocol
  • Routing actions:-
    • Route to general interface or specific subnet/tunnel
    • Tag route as NAT or no NAT
    • Specify gateway address for ethernet routes
    • Proxy ARP (not a routing action as such)
  • Weighted routing (%) with optional Bonding Feature (e.g. for load sharing between multiple links)

Mapping

  • Map IP address and/or port of sessions
  • E.g. map incoming traffic to internal server on private IP address
  • Mapping match criteria:-
    • Any traffic, including stealth (make it routed)
    • Source IP, target IP, port/protocol
    • Source interface(s), target interface(s)
  • Mapping action - change some or all attributes:-
    • New target interface (and specific subnet/tunnel)
    • New source IP (with option for self using 255.255.255.255)
    • New target IP
    • New target port
    • Block IP mapping if direct range of IPs used (not if IP group used)
  • Weighted mapping (%) with optional Bonding Feature (e.g. for load sharing between web servers)

Profiles

  • Profiles are used to modify the FireBrick's behaviour according to circumstance
  • Enable/disable rules (routing, subnets, filters, mapping, users, tunnels, shaping, etc.)
  • Standard FireBrick includes fixed time-based profiles:-
    • "24/7" is default (always active) profile
    • "9-5 M-F" is 9am-5pm Monday-Friday (typical working hours)
    • "2am Sunday" is 2am-3am Sunday (ideal for things that must be done occasionally)
    • "NOT" profiles available, "NOT 24/7" being never (i.e. disabled)
  • Optional Profiles Feature for configurable time, manual and ping-scan profiles

Optional Features

  • All above-mentioned features are included as standard; the following are optional
  • This means a simple pricing structure - buy the base model and optional features as required
  • There are no ongoing charges, per-user licences, or software upgrade fees
  • Features can easily be added as you need them, over the internet in a few seconds

Extras Feature (optional)

  • More of everything (e.g. 100 filter rules instead of 30)
  • Creates price difference between simple and complex applications
  • See Manual for full list of extras

Shaping Feature (optional)

  • Allows different types of traffic to be allocated different bandwidth and priority
  • Ensure high priority traffic (e.g. Voice-Over-IP) always has sufficient bandwidth and minimum latency
  • Ensure low priority traffic (e.g. email) does not affect time-critical services
  • Speed lanes define min/max bandwidth, and queue-jumping priority
  • Shaping rules identify traffic (like filter rules) and choose relevant speed lane
  • Master speed lanes ensure aggregate traffic does not fill link, for minimum latency
  • Fast Priority causes all traffic in specified lane to jump queue in master lane
  • Fast ACK allows TCP ACKs (no payload) to jump queue, for faster browsing
  • Fast QOS allows priority service type (TOS) to jump queue
  • Bandwidth trade-off between speed lanes if required
  • Usage is metered for each speed lane, useful for monitoring (available by SNMP with Reporting Feature)
  • Useful for selling bandwidth to tenants in shared or managed offices

Profiles Feature (optional)

  • In addition to simple fixed time profiles in a standard FireBrick
  • Time profiles - configurable hour by hour, day by day (7 days a week)
  • Manual profiles - allows user to enable/disable configurations via web interface
  • Ping profiles:-
    • Ping other machines to monitor network health
    • Ping using specific interface, gateway, and TTL (if multiple paths exist)
    • Notify users of a problem (see Reporting Feature)
    • Implement Automatic Fallback if a link fails
  • Combine profiles using AND and/or OR for complex monitoring requirements
  • Use with Bonding Feature to provide fallback resilience on multiple lines

Tunnels Feature (optional)

  • Tunnels are a way to create a virtual route from one FireBrick to another over an IP link
  • Allows Virtual Private Networks (VPNs) to be created between FireBricks
  • Once created, a tunnel appears as a virtual interface in the FireBrick, for routing and filtering of content
  • Useful for routing fixed public IP addresses to remote sites, even sites on dynamic IP addresses
  • The protocol is proprietary but documented, and there is at least one Linux implementation freely available
  • The protocol allows authentication of tunnels by IP and MD5/secret (authentication only; tunnel traffic is not encrypted)
  • The protocol uses UDP port 1, and survives NAT, so easy to route through unusual networks

Reporting Feature (optional)

  • Provides Status Information events by a variety of means:-
    • Email
    • Syslog
    • SNMP - usage of each port (basic and RMON), each speed lane, and each filter rule
  • Provides stats (to log, syslog, or email) every 5 minutes, showing usage of each filter, speed lane, and interface
  • If Ping profiles used (see Profiles Feature), notify failure by log, syslog, or email

Bonding Feature (optional)

  • Provides Bonding of multiple links (e.g. multiple ADSL lines)
  • Automatic Fallback - use Profiles Feature to monitor links and fallback if one fails
  • Uplink Bonding:-
    • Sends packets to all uplinks on a round robin basis
    • Provides true aggregate uplink capacity even on a single data transfer session
    • Handles up to 4 routers (e.g. 4 ADSL lines)
  • Downlink Load Sharing:-
    • Distributes traffic on a session-by-session basis over multiple links
    • Uses NAT on outgoing sessions to ensure replies come via a specific link
    • Provides aggregate downlink capacity on multiple outgoing sessions
    • Downlink capacity on any individual session will be limited to the link it uses
    • Weighted routing allows for different capacity links
  • Tunnel Bonding (with Tunnels Feature):-
    • True aggregate bonding of both uplink and downlink - create a true fat pipe
    • Ideal for running busy servers on ADSL lines
    • Seamless Fallback if one or more links fails (does not need Profiles Feature)
    • Specific traffic types (TOS) handled specially to avoid issues with packet reordering affecting protocols like VoIP
    • Requires a second FireBrick at the far end of the multiple links (typically hosted by an ISP)
    • Total throughput limited to around 6Mbps
  • Weighted routing (%) for load sharing between multiple routes (e.g. downlink load sharing)
  • Weighted mapping (%) for load sharing between multiple machines (e.g. web servers)

5 Port Feature (optional)

  • All 5 ethernet ports can be independent
  • Any combination of independent or switched ports
  • Individual firewall filtering on each logical interface
  • Create multiple Demilitarised Zones (DMZs) for servers etc.
  • Useful for complex routing scenarios
  • Full 100Mbps switching between ports on same logical interface

VLAN Feature (optional)

  • VLAN (virtual local area network) allows multiple LANs to share the same infrastructure (switches and interlinks) whilst remaining independent (i.e. providing multiple independent LANs in a virtual way)
  • VLAN subnets allow the FireBrick to operate with an external VLAN tagging network switch
  • Use FireBrick to route and filter traffic between groups of ports on the VLAN switch
  • Use VLAN switch to effectively expand number of ports available to FireBrick
  • Ideal for a serviced office - can provide up to 30 VLAN subnets (with Extras Feature)
  • FireBrick DHCP Server can allocate addresses according to VLAN tag of requesting machine

Notes

  • More information can be found in the on-line Manual.
  • The FireBrick protects your network from attacks at the IP level, but is only as good as you configure it to be.
  • It is not a substitute for regular virus checking, as viruses can arrive by a number of methods (web, email, zipped files, Word documents, floppy disks, etc.)
  • Whilst the FireBrick is a well-established product with many years of use in the field, it is constantly being enhanced with new features and improvements. As such, these specifications are subject to change without notice.