TeamF1’s professional services can provide the resources and
expertise to build customized implementations of FireFly and
support for specific provisioning configurations for the
firewall rules.
FireFly
Embedded IP Packet-Filtering and Stateful Inspection Firewall
FireFly is a high-performance, embedded IP
packet-filtering firewall implementation. It enables
filtering based on a wide variety of criteria such as
source and destination IP address, TCP/UDP ports, protocol
type, incoming and outgoing interfaces and many other
packet fields. Its core engine permits or denies packets
from passing through it based on pre-defined and easily
configurable policies that may be specified using rules
files, a command line interface or programmatically using
its flexible APIs. FireFly includes hooks for dynamic
firewalling and stateful inspection. Its small footprint,
low latency and robustness make it the firewall of choice
in embedded networking applications and an ideal perimeter
security complement to network security technologies such
as IPsec, SSH and SSL.
FireFly supports a variety of filtering options, including:
Source and destination IP addresses.
Source and destination port numbers.
IP/TCP/UDP/ICMP protocol-based filtering.
TCP flags such as FIN, SYN, RST, PUSH, ACK and URG.
All ICMP types.
IP options such as strict source route, loose source route, record route, and time stamp.
Fragment flag in the IP header.
Hooks for Stateful Inspection
Stateful inspection provides the ability to track and
control the flow of communication passing through the
firewall filter. Keeping track of state and
context information about a session simplifies rules and
supports interpreting higher-level protocols. FireFly does
not force any specific implementation of such inspection
but enables custom versions of circuit-level filtering
and application-level filtering to be easily added with
the hooks provided.
Customization Flexibility
Available in full-source format
Interface, port, and direction specific rules
Support for adding custom filtering options
Customization hooks and callouts
Unwanted components can be scaled out
Management Support
FireFly supports a customizable management interface
presented through a string-based command layer, which can be
easily controlled through a web server, with structured data
files such as XML, or via a command line interface (CLI). Support
for rule numbering provides ease of overriding at any level.
Customizable hooks for logging and forwarding enable specific
actions to be taken when accepting or rejecting packets.
Complements Network Security
Securing a connected embedded device requires security in
different dimensions. FireFly’s system security typically
involves keeping an embedded device protected from external
access on specific ports. This perimeter or system security acts
as a powerful complement to network security which protects data
in transit, when it is used with security solutions such as
TeamF1’s SSHield Secure Shell (SSH) or V-IPSecure IPsec/IKE. For
example, a combination of SSHield’s tunneling and FireFly’s
restricted external access enables sophisticated security policy
settings by allowing only a single or few secure points of
entrance through the network to the embedded device. Fine-grained
control over the accessibility of application ports from
the public network can be gained while at the same time allowing
full access from within the tunneling capabilities of a protocol
such as SSH or IPsec.