eTrust Firewall Operation
How eTrust Firewall Operates

The operation of eTrust Firewall is completely transparent. Present and future applications, both client and server, function without any need for modification, and you will not notice any changes to your operating system after eTrust Firewall is installed.

The state of open connections is maintained by analyzing the contents of transmitted packets. For connectionless protocols such as UDP, a "pseudo" connection is created so that the packets exchanged between two IP addresses are expected and acceptable, and so that unexplained packets cannot suddenly appear.

eTrust Firewall ensures that packets are received on the proper network interface for their source IP address. In addition, source IP addresses that enter the firewall from an external network interface (one that is not part of the internal network) are checked to ensure that they are not internal addresses. This mechanism protects against invalid addresses and provides the best available level of security against IP "spoofing".
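The two mechanisms above, the interface/source-address consistency check and the connection table with UDP "pseudo" connections, are illustrated by the following added example. It is not eTrust Firewall code; the interface roles, address ranges and sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the page): eth0 faces the outside,
# eth1 faces the internal network, which uses these private ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
IFACE_ROLE = {"eth0": "external", "eth1": "internal"}

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP only: does this packet try to open a connection?

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def spoof_check(pkt):
    """Reject packets whose source address does not belong on the arriving interface."""
    role = IFACE_ROLE[pkt.iface]
    if role == "external" and is_internal(pkt.src):
        return "drop: internal source on external interface"
    if role == "internal" and not is_internal(pkt.src):
        return "drop: external source on internal interface"
    return None

class StateTable:
    """Tracks TCP connections and UDP pseudo-connections so only expected packets pass."""
    def __init__(self, allow_new):
        self.allow_new = allow_new  # policy callback: may this packet open a new flow?
        self.flows = set()

    def filter(self, pkt):
        reason = spoof_check(pkt)
        if reason:
            return reason
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "accept: part of tracked flow"   # reply to an expected flow
        # Not part of an existing flow: only a policy-permitted opener may create one.
        # For UDP any first packet is the opener; for TCP it must be the SYN.
        opens = pkt.syn if pkt.proto == "tcp" else True
        if opens and self.allow_new(pkt):
            self.flows.add(fwd)
            return "accept: new flow"
        return "drop: unexpected packet"
```

A DNS reply from outside is accepted only because the inside host's query created the pseudo-connection first; the same reply to a port nobody queried from is dropped.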
eTrust Firewall Components

eTrust Firewall is comprised of several main components that function together to provide, manage, and access the firewall. These components are:

eTrust Firewall Engine
The firewall engine is the component that performs the actual traffic filtering in the firewall to enforce the policy deployed from the Admin server. In the case of an Internet firewall, the firewall engine is installed on the Internet gateway. In the case of an intranet firewall, the firewall engine is installed on each firewall host.

The engine consists of two modules, a kernel module and a user module. The kernel module intercepts and filters IP packets according to the rules established by the firewall administrator. The user module communicates with the Admin server to control, monitor, and support the operation of the kernel module.

Each firewall engine is registered to only one Admin server and can therefore only be managed from that server. The firewall policy for each firewall engine is compiled to binary form (Network Security Binary, or NSB) and pushed to the firewall engine.

The firewall engine is in constant communication with the Admin server through the secure channel established during installation. Whenever the Admin server is down and communication is lost, the firewall engine remains operational using the policy in the NSB. However, rules that depend on dynamic evaluation by the Admin server (for example, user client authentication) are enforced in the most restrictive mode. For example, you can create a rule that permits a particular type of traffic for a specific user. If connectivity is lost, user logins will not work and the rule will remain inactive.
eTrust Firewall Admin Server
The Admin server is the centralized database used to store the policies of registered firewall engines. It is also the place where related information is stored, such as network service definitions, firewall administrator credentials, collected alert messages, reports, and other real-time firewall monitoring information.

The Admin server is also responsible for performing firewall user authentication. Depending on the type of authentication selected (OS or RADIUS), the Admin server accepts login credentials and performs authentication on behalf of the engine.

An Admin server can manage one or more firewall engines, which can be a mix of Internet and intranet firewalls. Common firewall policies can be created once and deployed to multiple firewall engines.
eTrust Firewall Admin Client
The Admin client is the graphical user interface (GUI) for the Admin server. Since the Admin client is a Java application, the appropriate Java Runtime Environment must be installed on the machine where the client is to be located.

The Admin client can be installed together with the Admin server, or on other hosts that have TCP/IP connectivity to the Admin server. The Admin client can connect to any Admin server (if more than one Admin server exists in the network), provided the proper privilege has been granted. From an Admin client, the proper credentials must be supplied during the login process to the Admin server. Upon successful authentication, a secure channel is constructed for that session. The Admin client is the only GUI used to perform administrative tasks on the firewall via the Admin server. The GUI is an intuitive graphical tool that provides all the functionality necessary to configure, monitor, and administer the firewall engines.
The following two options are required for user-authentication-based rules:
eTrust Firewall User Client
The user client is an optional software utility that enables users to be authenticated for permission to pass through the firewall. Most of the time, firewall rules are specified using IP addresses. In some circumstances, however, a user may not have a fixed IP address, or their IP address alone is not sufficient to grant access to certain resources. Network traffic can instead be restricted to authorized users who have been authenticated and whose current IP address has been registered in the firewall. The user client allows authorized users to log into the firewall for authentication and to register their current IP address.

The user client is installed on the user's current host. Before accessing protected resources, the user attempts to log in by running the user client. A secure channel is established so that the user can provide login credentials to the firewall in encrypted form.

After the credentials have been verified via the Admin server, the firewall remembers the IP address from which the login was performed. Traffic is allowed from the registered IP address according to the firewall rules created for this user.
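The following added example models the user-based rule behaviour described for the engine (rules that depend on the Admin server fall to the most restrictive mode when the link is down) and for the user client (a permit rule for a user applies only from the IP address registered at login). It is illustrative code, not eTrust Firewall's; the rule fields, the Engine class and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                # "permit" or "deny"
    dst: str
    dport: int
    src: Optional[str] = None  # static source address, or ...
    user: Optional[str] = None # ... a user whose registered address is looked up at match time

@dataclass
class Engine:
    rules: list
    admin_link_up: bool = True                  # secure channel to the Admin server alive?
    logins: dict = field(default_factory=dict)  # user -> IP address registered at login

    def login(self, user, from_ip, credentials_ok):
        """User client login: the Admin server verifies the credentials on the engine's behalf."""
        if not self.admin_link_up:
            return False  # nothing can verify the credentials, so the login fails
        if credentials_ok:
            self.logins[user] = from_ip  # remember where this user logged in from
            return True
        return False

    def decide(self, src, dst, dport):
        """First matching rule wins; anything unmatched is denied (default deny)."""
        for r in self.rules:
            if (r.dst, r.dport) != (dst, dport):
                continue
            if r.user is not None:
                # Dynamic rule: needs the Admin server and a registered login from this source.
                # With the link down it is treated as inactive (most restrictive mode).
                if not self.admin_link_up or self.logins.get(r.user) != src:
                    continue
            elif r.src != src:
                continue
            return r.action
        return "deny"
```

Static address rules keep working from the compiled policy while the link is down; only the user-based rule stops matching.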
eTrust Firewall Login Agent
The Login Agent is another installation option that facilitates user-based rules without requiring a user client to be installed on every user's machine.

The Login Agent for NT runs on the PDC or BDC of the NT domain that you wish to use for authentication. The Login Agent detects login and logout events on the PDC or BDC and informs the Admin server of these events. This eliminates the need to put a user client on the machine of a user who wishes to log in to the firewall: the user simply logs into the domain using the standard NT mechanism, and the Login Agent detects the login.