6.7.2. Detector policies

Detector policies can be used in firewall rules with DetectorServices: they specify which service should Application-level Gateway start for a specific type of protocol or certificate found in the traffic of connection. Currently Detector policies cam detect the HTTP, SSH, and SSL protocols. In SSL/TLS-encrypted connections, Application-level Gateway can select which service to start based on the certificate of the server.

For example, you can use this feature for the following purposes:

  • to enable HTTP traffic on non-standard ports

  • to enable SSL-encrypted traffic only to specific servers or server farms that do not have public IP addresses (for example, Microsoft Windows Update servers)

  • to enable access only to specific HTTPS services (for example, enable access to Google Search (which has a certificate issued to www.google.com), but deny access to GMail (which uses a certificate issued to accounts.google.com))

Detector policies

Figure 6.64. Detector policies

Detector policies contain a detector that determines if the traffic in a connection belongs to a particular protocol or not. Firewall rules can include a list of detector-service pairs. When a client opens a connection that is handled by a DetectorService, Application-level Gateway evaluates the detectors in the Detector policy of the DetectorService, starting with the first detector. When a detector matches the traffic in the connection, Application-level Gateway starts the service set for the detector to handle the connection. If none of the detectors match the traffic, then Application-level Gateway terminates the connection.

Example 6.9. Defining a Detector policy

Python: Below is a Detector policy that detects SSH traffic in a connection.

DetectorPolicy(name="DemoSSHDetector", detector=SshDetector())
DetectorPolicy(name="DemoHTTPDetector", detector=HttpDetector()

The following firewall rule uses the DemoSSHDetector Detector policy to start the DemoSSHService service if SSH traffic is found in a connection, and drops other connections.

Rule(rule_id=1,
    proto=6,
    detect={'DemoSSHDetector' : 'demo_instance/DemoSSHService',}
    )

The following firewall rule uses the DemoSSHDetector and the DemoHTTPDetector Detector policies to start the DemoSSHService or the DemoHTTPService services if SSH or HTTP traffic is found in a connection, and drops other connections.

Rule(rule_id=1,
    proto=6,
    detect={'DemoSSHDetector' : 'demo_instance/DemoSSHService',
            'DemoHTTPDetector' : 'demo_instance/DemoHTTPService',}
    )