
Host-based Firewall Management

Available in manifest version 19.0 and later.

Enclave offers the ability to manage the host-based firewall on deployed devices. This allows you to configure security groups from the EMC and have them applied to the host-based firewall on the device. This is useful for managing the firewall rules on your devices remotely and to lock down your network after migration to the Enclave overlay network.

Figure: Security groups in the EMC

Figure: Managing a security group in the EMC

Figure: Adding a security group inbound rule

Supported platforms

The table below details the supported platforms for Enclave host-based firewall management.

                     Windows                            Linux      MacOS
Supported            ✔                                  ✔          ✖️
Implementation       Windows Filtering Platform (WFP)   nftables   –
IPv4/IPv6 support                                                  –

General notes

Enclave host-based firewall management is supported on Windows and Linux devices. MacOS devices are not supported at this time.

In order to manage the host-based firewall on a device, the device must have the Enclave agent installed and running. The agent is responsible for applying the security groups from the EMC to the host-based firewall on the device.

To ensure that the agent can still communicate with the EMC, a set of default rules is applied in addition to the rules you define. These default rules allow the agent to communicate with the EMC as well as other necessary services (MQTT, beacons, agent update endpoints, VPN subnet). The default rules are visible in the EMC under the Firewall management view. DNS and DHCP traffic is also allowed by default to ensure that the device can still communicate with the network. If you have specific requirements for DNS and DHCP traffic (e.g. DNS over HTTPS), you will need to define the corresponding rules in the EMC before they are applied to the device, or you risk losing connectivity.

By default, the EMC creates a disabled All outbound table. When adopting Enclave host-based firewall management, we recommend that you enable this table to ensure that all outbound traffic is allowed. For most devices this will ensure that connectivity is working as expected.

If the agent is logged out, the firewall state persists. If for any reason you need to reset the firewall completely, you can do so by logging out of the agent and running enclave firewall reset on the device. We maintain the state of the firewall, even when unauthenticated, to maintain compliance of the device.

Linux platform notes

Enclave uses nftables to manage the host-based firewall on Linux devices. This is a modern replacement for iptables and is the default packet filtering framework in the Linux kernel. nftables must be installed and active on the device for Enclave to manage the host-based firewall.

Installation steps

To install nftables on a Linux device, follow the steps below:

  1. Install nftables using your package manager. For example, on Ubuntu, you can install nftables with the following command:

     ```bash
     sudo apt install nftables
     ```

  2. Start and enable the nftables service. For example, on Ubuntu, you can start and enable the nftables service with the following commands:

     ```bash
     sudo systemctl start nftables
     sudo systemctl enable nftables
     ```

Enclave will then detect the nftables service, manage the host-based firewall on the device, and be able to apply security groups from the EMC.

Implementation details

Enclave creates a separate inet table for managing the host-based firewall on Linux devices. This table is named enclave and is used to apply rulesets from the EMC. The enclave table is created when the host-firewall has active rules returned from the EMC. If no rules are returned, the enclave table is not created.

Currently, host-firewall management can only be used for simple ingress and egress packet filtering. Actions such as dnat and bridge filtering must be done outside of the enclave table and managed outside of Enclave.
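The following script is an added example, not part of the Enclave agent or its documentation. It covers both the installation steps above (checking that the nft binary is present and the nftables service is active) and the implementation note about the enclave inet table: it reads nft list ruleset output and reports the chains of the table inet enclave block, returning non-zero when that table does not exist, which is the expected state when the EMC has returned no active rules. The function names nft_prereqs_ok and enclave_table_chains are assumptions, and the sample ruleset, including its chain names and rules, is constructed for illustration only; it does not describe what the agent actually installs.

```shell
#!/bin/sh
# Added example (not Enclave's own code): check the nftables prerequisites this
# page describes and inspect the "enclave" inet table once the agent has created it.
# Chain names and rules in the sample ruleset below are constructed for illustration.

# Returns 0 when the nft binary is present and the nftables unit is active,
# otherwise reports the missing prerequisite on stderr and returns 1.
nft_prereqs_ok() {
  if ! command -v nft >/dev/null 2>&1; then
    echo "nft not found: install nftables (e.g. sudo apt install nftables)" >&2
    return 1
  fi
  if ! systemctl is-active --quiet nftables 2>/dev/null; then
    echo "nftables service not active: sudo systemctl enable --now nftables" >&2
    return 1
  fi
  return 0
}

# Reads 'nft list ruleset' output on stdin. Prints the chain names of the
# 'table inet enclave' block, one per line, and returns 0 when that table
# exists. Prints nothing and returns 1 when the table is absent (the page
# states it is only created once the EMC has returned active rules).
enclave_table_chains() {
  awk '
    /^table inet enclave /    { in_tbl = 1; found = 1; next }
    /^table /                 { in_tbl = 0 }
    in_tbl && /^[ \t]*chain / { print $2 }
    END                       { exit (found ? 0 : 1) }
  '
}

# Constructed sample standing in for 'nft list ruleset' on a device where the
# agent has applied one security group; chain names and rules are illustrative.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
}
table inet enclave {
    chain input {
        type filter hook input priority 0; policy drop;
        udp dport { 53, 67 } accept
        tcp dport 443 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}'

# Live check when run on a device with nftables; otherwise parse the sample.
if nft_prereqs_ok; then
  nft list ruleset | enclave_table_chains \
    || echo "no enclave table present: EMC has returned no active rules"
else
  printf '%s\n' "$SAMPLE_RULESET" | enclave_table_chains
fi
```

Run it as root on a device with nftables active to list the chains the agent currently manages; the other tables (e.g. a distribution's filter table) are ignored, which matches the page's point that NAT and bridge filtering live outside the enclave table.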

Windows platform notes

Enclave uses the Windows Filtering Platform (WFP) to manage the host-based firewall on Windows devices. WFP is a set of APIs and system services that provide a platform for creating network filtering applications. It is used by services such as Windows Defender Firewall and IPsec to implement network access control.

Implementation details

Enclave creates a WFP sublayer at the top of the filtering stack. This sublayer is used to apply permit or block verdicts based on the ruleset returned from the EMC. The WFP sublayer is created when the host-firewall has active rules returned from the EMC. If no rules are returned, the WFP sublayer will not exist.

When permit verdicts are applied at the enclave WFP sublayer, they are issued as a hard action so they can bypass lower rules in the filtering stack. This ensures that the ruleset from the EMC is applied correctly and takes precedence over any other rules that may be in place (e.g. Windows Defender Firewall rules). Unless a veto is issued elsewhere on the WFP stack, the permit verdict will be applied.

The WFP sublayer rules are applied at the ALE connect layer, the layer responsible for connection setup and teardown. Filtering there, rather than on every packet, keeps packet processing to a minimum. When rules are updated, existing connections are re-evaluated to ensure that the new rules are applied correctly.

MacOS platform notes

Enclave does not support host-based firewall management on MacOS devices at this time. We are actively looking to add support for MacOS devices in the future.

Future improvements

  • Add support for MacOS devices
  • Collect dropped packets for analysis and alerting on the EMC