6.7.2. Detector policies

Detector policies can be used in firewall rules with DetectorServices: they specify which service should Zorp start for a specific type of protocol or certificate found in the traffic of connection. Currently Detector policies cam detect the HTTP, SSH, and SSL protocols. In SSL/TLS-encrypted connections, Zorp can select which service to start based on the certificate of the server.

For example, you can use this feature for the following purposes:

  • to enable HTTP traffic on non-standard ports

  • to enable SSL-encrypted traffic only to specific servers or server farms that do not have public IP addresses (for example, Microsoft Windows Update servers)

  • to enable access only to specific HTTPS services (for example, enable access to Google Search (which has a certificate issued to www.google.com), but deny access to GMail (which uses a certificate issued to accounts.google.com))

Detector policies

Figure 6.64. Detector policies

Detector policies contain a detector that determines if the traffic in a connection belongs to a particular protocol or not. Firewall rules can include a list of detector-service pairs. When a client opens a connection that is handled by a DetectorService, Zorp evaluates the detectors in the Detector policy of the DetectorService, starting with the first detector. When a detector matches the traffic in the connection, Zorp starts the service set for the detector to handle the connection. If none of the detectors match the traffic, then Zorp terminates the connection.

Example 6.9. Defining a Detector policy

Python: Below is a Detector policy that detects SSH traffic in a connection.

DetectorPolicy(name="DemoSSHDetector", detector=SshDetector())
DetectorPolicy(name="DemoHTTPDetector", detector=HttpDetector()

The following firewall rule uses the DemoSSHDetector Detector policy to start the DemoSSHService service if SSH traffic is found in a connection, and drops other connections.

Rule(rule_id=1,
    proto=6,
    detect={'DemoSSHDetector' : 'demo_instance/DemoSSHService',}
    )

The following firewall rule uses the DemoSSHDetector and the DemoHTTPDetector Detector policies to start the DemoSSHService or the DemoHTTPService services if SSH or HTTP traffic is found in a connection, and drops other connections.

Rule(rule_id=1,
    proto=6,
    detect={'DemoSSHDetector' : 'demo_instance/DemoSSHService',
            'DemoHTTPDetector' : 'demo_instance/DemoHTTPService',}
    )