There is a new feature in SecureSchool that allows firewall rules to be created using Firewall Tables. This allows you to create one firewall rule that can affect a list of computers and/or hosts at one time. Another new feature is the ability use DNS based entries that are updated dynamically. This is a powerful feature since Websites/Applications, like PARCC Testing, State Testing Sites, and Email Providers are using Content Delivery Networks (CDN), like Amazon CloudFront, Akamai or Internal Servers to host part of their Website/Application so they can increase capacity to handle the additional demand and shed the load over a larger number of servers.
Now you can create a Firewall Table with DNS/Hostnames that are updated dynamically every time SecureSchool sees a new IP address resulting from a DNS lookup. For example, smtp.gmail.com is constantly changing its IP address to handle the load based on geographic location. So if you were to make a firewall rule and use smtp.gmail.com as the destination address, SecureSchool would resolve that DNS name to an IP address when the firewall service was restarted, it is restarted every night, and then create a firewall rule based on that IP address. So during the day when that IP address changed, the firewall would NOT dynamically update the IP address and you would get blocked trying to access that site. But if you use a Firewall Table and create an entry with smtp.gmail.com the firewall rule would now be updated dynamically every time SecureSchool sees a new IP address resulting from a DNS lookup for smtp.gmail.com. This is one of the most significant new abilities provided by the new Firewall Tables feature.
Another new feature is a change to how the Proxy Exceptions are handled. Now any DNS/Hostname or IP address listed in the Proxy Exception page will bypass the proxy server and will automatically have direct access to the internet, you no longer have to also create a firewall rule for every Proxy Exception. Also, the DNS/Hostname entries are updated dynamically, so now it is much easier to deal with dynamic websites/applications that do not work thru the proxy or completely ignore the proxy setting. For example, Avast Antivirus client ignores the workstation Proxy settings and tries to go out to the internet direct, so if you create a Proxy Exception entry for avast.com and all traffic destine for *.avast.com would then be allowed thru the firewall, again updated dynamically every time SecureSchool sees a new IP address resulting from a DNS lookup for avast.com domain.
We have pre-configured five Firewall Tables that should handle the majority of the reasons for Firewall rules but you have the ability to add up to 10 more if needed.
BlockedWorkstations - This table is for any internal computer/device that you want to restrict access to the internet. This is helpful if you have a computer/device that has is causing a problem on your network or infected with a virus and you want to prevent it from accessing the internet until you can find the device and resolve the problem.
InternalServers - This table is for any internal computer/device that you want to give unrestricted access to the internet. This is helpful if you have a computer/device that does not need filtering or logging at all, such as Servers, Printers, Copiers, Postage Machines, or Monitoring Equipment.
MailServers - This table is pre-configured with the host names of the most popular mail providers (Gmail, Yahoo, Aol, Comcast, Outlook, Office365) and configured to allow access to the most common mail protocol ports (25, 110, 143, 465, 587, 993, 995). You can add more host names to the table and/or ports to the firewall protocol rule if need to accommodate your mail provider.
ProxyExceptions - This table automatically built using the entries from the Proxy Exceptions page, and anything in this table will bypass the proxy and go direct. This is a very powerful feature and allows you to enter a host name or IP address/range for any website or service that does not work thru the proxy or does not honor the proxy setting on the client computer/device. We have added all of the PARCC testing domains to the Proxy Exceptions for all of our customers.
RemoteAdmin - This table is to be used if you want to limit access to the administration interface of the SecureSchool appliance from outside IP address and/or networks. But for this firewall table to be effective you will ned to create a Protocol Rule to Deny access for everyone else. This is based on our recommendation of when trying to prevent access to a service or TCP/IP port, create a deny all rule to prevent anybody and then a rule to creating a rule to explicate allowing access to specific IP address and/or range.
Firewall Table Administration
Login to SecureSchool Web Interface > Firewall > Firewall Tables
Click "Manage Table Entries"
Click "Add a New Entry..."
- CIDR Value - 192.168.0.1 or 192.168.0.0/24 - This is the most common Type or Firewall Table Entry, allows a single IP address or IP subnet in CIDR notation.
- IP Range Value - 192.168.0.1-192.168.1.254 - This allows you to specify an IP address range that does not have to be in an IP subnet, ex 192.168.1.10 - 192.168.1.25
- Country - internally stored IP tables defined for various countries - This is a new feature that allows you to select all of the know IP subnets for an entire country. Especially useful for blocking access to a server from a remote country.
- DNS - A Host/domain such as example.com - This a new feature that allows you to enter a DNS/Host name that will be dynamically updated to the corresponding IP address based on DNS request that the SecureSchool appliance sees.
Firewall Protocol Rules
Login to SecureSchool Web Interface > Firewall > Protocol Rules
Add a Rule
Now when you add a rule you can select a Firewall Table for the Source Address Type or Destination Address Type.