Introduction to Hardware Firewall


SoftLayer’s Hardware Firewall service offering provides customers with an essential layer of security that is provisioned on demand without service interruptions.  Once activated, the Hardware Firewall blocks unwanted traffic before it reaches your server, so the server's resources can be dedicated to their intended use rather than to processing unnecessary traffic.

The Hardware Firewall service is available as an add-on feature for all servers on the SoftLayer network.

How Hardware Firewall Works

A Hardware Firewall is a network device connected upstream of your server, blocking unwanted traffic before it reaches the server.  The external, high-speed firewall module we use provides data rates of up to 37 Gbps throughput and 2M concurrent connections.  It delivers virtualized network security through its Virtual Domain (VDOM) technology, providing virtualized security domains that can be separately provisioned and managed.

Each server firewall rule is fully managed through the SoftLayer Customer Portal in real time with the ability to bypass on demand.  Firewalls can be added at any time without the need to re-IP the server and can be activated instantly.  Monthly server bandwidth is recorded at the server switch port, preventing traffic blocked by the firewall from counting against your monthly allotments.  This reduces your monthly costs by eliminating the need to pay for unwanted traffic.

Hardware Firewall Concepts

Firewalls are the best way to ensure your data and devices are protected.  SoftLayer offers options for both shared and dedicated firewalls as part of the Hardware Firewall Service.  After a firewall has been purchased, it is added to your device or VLAN in bypass mode, meaning the firewall is available, but has not yet been activated.  In order to activate your firewall, it must be enabled and rules associated with the firewall must be created.  In this section we’ll review the concepts of both shared and dedicated firewalls, as well as rule creation for both firewalls.

Shared Firewalls

Shared Firewalls protect a single server and are shared devices that may be purchased with a server.  Because a Shared Firewall has multiple customers associated with the hardware, if the firewall fails or is attacked, all customers behind the firewall will be impacted.  Rules on shared firewalls may be set for all IPs on the server or for a single IP.  To add a rule for multiple IPs associated with the server, but not all IPs on the server, individual rules must be created for each IP.  Reports for Shared Firewalls are run based on the activity of a single IP for the selected date range.

Dedicated Firewalls

A Dedicated Firewall protects an entire VLAN and is a single, dedicated piece of hardware that only protects your VLAN.  With VLAN protection enabled, all IPs on your VLAN are protected, even if the IP addresses exist on separate servers.  When a Dedicated Firewall fails or is attacked, only the devices associated with that firewall are impacted.  Dedicated Firewalls allow rules to be applied to your entire VLAN or to single servers.  Reports for Dedicated Firewalls are run based on the activity of a single server for the selected date range.

Firewall Rules

When enabling a firewall, rules must be set for the firewall to block or allow various traffic associated with your IP(s).  Rules are set in the Edit portion of your device.  There are a few rules of thumb to ensure that your firewall works to the best of its ability, the most important being to write rules based on your personal or business needs.  Also, when possible, write only permit rules.  This ensures your firewall will only permit wanted traffic and will block anything that you have not identified as permissible.  When applying any rule to a range of ports, the rule applies to the entire range.  If you want to exclude some ports from a range, for example, to permit ports 80 through 85 and 89 through 95 but not 86 through 88, you may either create two rules, one for each range, or create one rule that applies to the entire range (80-95) and another rule that excludes ports 86-88.  Create these rules based on what makes the most sense for your business.

The only caveat to creating rules with your Hardware Firewall service is that the number of rules that may be created for a firewall is not unlimited.  The more rules you create for a firewall, the more rule checks are run on each request, causing greater latency for your devices and greater workload on the firewall.  Because of this, we limit the number of rules on each firewall to 50.  This ensures that your firewall will function to the best of its ability at all times.
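As an added illustration (not SoftLayer's code or portal logic), the following small model shows how a permit-only rule set with a default deny decides traffic, compares the two ways of allowing ports 80-85 and 89-95 described above, and enforces the 50-rule cap.  It assumes rules are evaluated top-down with the first match winning, which the page does not state; under that assumption the exclusion rule must be listed before the broad permit.

```python
# Added example, not SoftLayer's code: a minimal model of a port-range rule
# set with a default-deny policy.  Assumption (not on the page): rules are
# evaluated top-down and the first matching rule wins; unmatched traffic is
# denied, which is what "write only permit rules" relies on.
from dataclasses import dataclass

MAX_RULES = 50  # per-firewall rule limit stated on the page


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    port_start: int  # inclusive
    port_end: int    # inclusive; a single port is start == end

    def matches(self, port: int) -> bool:
        return self.port_start <= port <= self.port_end


def decide(rules, port):
    """Action for traffic to `port`: first matching rule wins, else deny."""
    for rule in rules:
        if rule.matches(port):
            return rule.action
    return "deny"


def validate(rules):
    """Reject rule sets over the 50-rule cap or with malformed ranges."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    for r in rules:
        if r.action not in ("permit", "deny") or not (1 <= r.port_start <= r.port_end <= 65535):
            raise ValueError(f"invalid rule: {r}")
    return True


def equivalent(rules_a, rules_b, ports=range(1, 65536)):
    """True if both rule sets make the same decision for every port."""
    return all(decide(rules_a, p) == decide(rules_b, p) for p in ports)


# Option 1: one permit rule per wanted range (constructed sample rule set).
two_permits = [Rule("permit", 80, 85), Rule("permit", 89, 95)]
# Option 2: exclude 86-88 first, then permit the whole range 80-95.
exclude_then_permit = [Rule("deny", 86, 88), Rule("permit", 80, 95)]

if __name__ == "__main__":
    for rule_set in (two_permits, exclude_then_permit):
        validate(rule_set)
    print("equivalent:", equivalent(two_permits, exclude_then_permit))
    for port in (80, 87, 89, 443):
        print(port, decide(two_permits, port), decide(exclude_then_permit, port))
```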