smart firewall user guide - simplinet · determine the heath of the smart firewall and the exchange...

Smart Firewall User Guide

v20190318 © IoT Defense Inc. 2019 of 26

Smart Firewall User Guide © IoT Defense Inc. 2019. All rights reserved, worldwide.

No part of this document may be reproduced or transmitted in any form or by any means without prior written

permission of IoT Defense Inc.

IoT Defense makes cloud managed smart firewall solutions which protect all your connected devices, including

your router, from malware, botnets and hackers. The IoT Defense cloud-based management and configuration

interface enables you to view the health of your home network and customize the protection offered by the

smart firewall solutions. This interface can be accessed through one or more of the following means:

Web Portal https://portal.myrattrap.com/login/

Android App https://play.google.com/store/apps/details?id=com.myrattrap.rattrap

iOS App https://itunes.apple.com/us/app/rattrap-security-privacy/id1239250919

Web Portal

This section shows the UI elements available in the web portal. Each element appears in its own panel and the

panels are grouped together under tabs accessible through the navigation/menu bar.

Terminology Smart Firewall IoT Defense cyber-security as a service (CaaS) offering is available through one of the

following delivery mechanisms, all of which are collectively referred to as the smart

firewall.

▪ Standalone smart firewall device referred to as “Standalone Smart Firewall”

▪ WiFi mesh system with integrated smart firewall referred to as “Integrated Smart

Firewall”.

▪ Smart firewall as a software agent integrated into third party platforms referred to as

“Smart Firewall Agent”.

Upstream The upstream device is the one closer to the Internet with respect to the placement of

smart firewall on the user’s home network. This device is typically a broadband modem or

an integrated router modem.

Downstream The downstream device is the one further away from the Internet with respect to the

placement of smart firewall on the user’s home network

Panel A collection of User Interface (UI) elements grouped together.

NavBar Navigation Bar displayed at the top of a page or as a menu which enables you to access

various sections of the dashboard.

https://portal.myrattrap.com/login/

https://play.google.com/store/apps/details?id=com.myrattrap.rattrap

https://itunes.apple.com/us/app/rattrap-security-privacy/id1239250919



Smart Firewall Placement

The following illustrations describe the placement of the smart firewall in your home network.

Standalone smart firewall

The Standalone smart firewall device has two (2) Gigabit Ethernet ports and can be connected with CAT5e or

CAT6 Ethernet cables between two non-switch type devices. These devices can be a modem, router, integrated

router modem (gateway) or an endpoint device such as a PC or Mac as show in the illustration below:

Integrated smart firewall

The WiFi Mesh device has a three (3) Gigabit Ethernet ports. The WAN Ethernet port is for connecting to the

upstream device which could be a modem or an integrated modem + router and the two (2) LAN Ethernet

could be used to connect a switch or any Ethernet enabled device such as a PC, Mac or Smart TV. The WiFi

Mesh Router and the WiFi Mesh Extenders also provide a WiFi network which any your WiFi devices can

connect to.



Smart firewall agent

The Smart Firewall software agent is directly built into the home gateway device provided by your Internet

Service Provider (ISP) and hence does not require installation of any new hardware device in your home

network. Please contact your ISP for details.



Dashboard

The following panels show up in the Dashboard tab in the navigation bar.

The following information is displayed in the Protection Summary panel.

Last Security Check is the last time the IoT Defense cloud received a heartbeat from the smart firewall. The

Smart Firewall sends out a heartbeat every few minutes. These heartbeats are used by the IoT Defense cloud to

determine the heath of the Smart Firewall and the exchange configuration information. This field is not

populated if the Smart Firewall is unable to communicate to the Internet.

Threats Blocked is the number of inbound and outbound threats that have been detected and stopped by the

smart firewall cumulatively over the last 30 days. This counter is accurate as of the last heartbeat, which is why

you may see some fluctuation and differences. You can dive deeper in the threats that have been blocked by

selecting the “Threat Events” page in the NavBar.

Security Health indicator should always show solid green. It momentarily turns red (for 1 sec) when a new

threat is stopped by the client. If the status indicator shows solid red, it indicates that the IoT Defense cloud has

not been able to communicate with the client for more than 3 minutes which may indicate a problem with your

Internet connectivity. The security health is also used to indicate if the client device is placed directly on the



public Internet (WAN mode) or behind another router (NAT mode). This indication is only applicable to the

standalone smart firewall. If the Security Health shows solid green with an exclamation it indicates that the

client is behind a NAT.

Please see the document “Why does Smart Firewall show zero threats blocked?” for additional information.

Web Browsing Protection displays the status of DNS proxying. IoT Defense cloud hosts DNS resolvers similar

to the one provided by your ISP or Google (8.8.8.8). The IoT Defense DNS resolver however provides features

such as web browsing privacy and malicious domain protection which may not provided by other DNS

resolvers. When Web Browsing Protection in the Smart Firewall is enabled, all DNS requests originating from

any device on the network is securely proxied to the IoT Defense DNS resolvers. This provides privacy for all

domain name translations, protects against access of malicious URLs, enforces parental controls, black lists and

white lists etc.

Ad Blocking displays the status of the Ad blocking functionality of the Smart Firewall. Ad blocking is enforced

enabled only if “Web Browser Protection” and “Ad Blocking” are both enabled.

Live Threat Map

Last Threat Map is a visual tool which displays where the last few threats are originating on the world map.

The location of the client on the world map is indicated by the home icon. This map is updates in real-time and

shows a heat map of where most threats are originating from.



Top threat sources by country

Top threat sources by country displays is displays in aggregate which countries are performing the largest

number of scans and intrusion attempts in to your network.

Recently blocked threats

The Recently blocked threats panel displays the five most recent threats blocked by the smart firewall. For

outbound threats the destination IP address and protocol type are displayed. For inbound threats the

originating IP address and protocol type is displayed. The protocol type is derived from the destination or

source port numbers depending on the traffic direction. The country name is derived from the IP address.



Internet Bandwidth Usage

The Internet Bandwidth Usage panel displays the amount of data transferred through the smart firewall

device over the selected period. The period selections are - Now (last 30 minutes), 24H (last 24 hours), 7D (last

7 days) and 30D (last 30 days). Amount of data transferred upstream (uploaded to the Internet) and

downstream (downloaded to the Internet) are displayed simultaneously.



Domain (DNS) Protection

The IoT Defense cloud provides domain (DNS) protection which comprises of the following:

▪ Malicious domains based on Threat Intelligence (TI) and heuristics such as malware Domain Generation

Algorithms (DGA) detection.

▪ Ad-blocking

▪ Parental controls

▪ Domain Black and White Lists

The IoT Defense cloud retains domain blocking information only for the last 30 days. For certain non-consumer

product offerings this period is extended to 365 days.

The Domains graph (histogram) displays the number of ad-network domains that were blocked over time for

the selected time period.

The Ads Blocked counter shows the total number of ad-network domains which were blocked for the selected

period.



The Sites Protected counter shows the total number of unique domains blocked by DNS protection which

comprises of malicious domain protection, ad-blocking and parental controls. Note that parental domains are

included in the “Sites Protected” count irrespective of whether parental controls i.e. “Web Filtering” is enabled

or not.

For any domain based (DNS) protection to work, including malicious domains, ad-blocking and parental

controls, “Web Browsing Privacy” must be enabled. For ad-blocking to work “Ad Blocking” must be enabled.

For Parental Controls to work “Web Filtering” must be enabled.

Consumed Throughput and Measured Latency

This panel displays the overall data usage and throughput through the smart firewall. The traffic statistics

information (Max, Mean and Monthly Usage) displayed reflects the actual consumed throughput over the

selected period.

Commonly used speed measurement tests use a short burst of traffic which attempts to saturate the

broadband connection for a few seconds to determine maximum possible throughput. Examples of such

services in the US are speedtest.net and fast.com. The smart firewall, which it is in a unique position to measure

ALL of your home network traffic, uses a different throughout measurement technique. Instead of showing the

possible throughput of your broadband connection, the smart firewall computes and displays the consumed

throughput. This measurement is performed based on traffic actually being transiting the smart firewall from all

the devices on the home network. This gives you a very good perspective on how much of the bandwidth you

are actually utilizing over the selected period.

In addition, this panel displays the ISP by name (for US ISPs only) and the network latency measured using

speetest.net.



Threat Events

The following panels show up in the Threat Events tab in the navigation bar

Threat Events

The Threat Events panel displays the number of inbound and outbound threats detected for the selected

period. The Total Blocked count is the sum of the number of Inbound and Outbound threats.

Inbound threats could be a port scan from sites such as Shodan.io or Censys.io or it could be to data sourced

from the IoT Defense global threat sensor network which continuously monitors the Internet threat landscape

to detect the latest evolving threats.

The smart firewall’s locally available threat intelligence data, which is updated in near-real-time, enables it to

block traffic that meets the malicious confidence score. Outbound threats (threats that originate from within



your home network) are escalated, resulting in email and/or mobile push notifications being sent to you, based

on the preferences you have setup in “Account Settings” -> “Real-time notifications”.



Most frequently blocked IP addresses

The “Top Persistent Blocks” panel lists the IP addresses that are blocked most frequently by the smart firewall.

Blocked IP address details



The “Blocked IP” address lists in chronological order, the connection attempts that are blocked by the smart

firewall. The output can be sorted by Date, IP Address and Port Number in ascending or descending order. The

output can be filtered to show either blocked inbound traffic or blocked outbound traffic or both.

The “Download” button allows you to download all the blocked threat data available for your smart firewall

over the past 30 days. The document is made available in JSON format and information similar to the following

is included for each threat that is blocked. The downloaded file can be ingested by any tool that can read data

in JSON format. The number of records in the file depend on the value of the “Limit” setting.

{ "_id": "5bf617eb8ee75440feb7a57b", "direction": "Incoming", "src": "71.6.233.25", "sport": "65535", "sGeoCity": "", "sGeoCountry": "", "dst": "100.36.18.4", "dport": 65535, "dGeoCity": "", "dGeoCountry": "", "geo_dst": { "zip_code": "20191", "longitude": -77.3489, "ip": "100.36.18.4", "country_name": "United States", "latitude": 38.9311, "country_code": "US", "region_name": "Virginia", "region_code": "VA", "city": "Reston" }, "_created": "2018-11-22T02:43:55.000Z", "geo_src": { "zip_code": "92123", "longitude": -117.1324, "ip": "71.6.233.25",



"country_name": "United States", "latitude": 32.8073, "country_code": "US", "region_name": "California", "region_code": "CA", "city": "San Diego" }, "offending_ip": "71.6.233.25", "offending_port": 65535, "offending_city": "San Diego", "offending_cn": "United States" }



Device Control Panel

The following panels show up in the “Device Control Panel” tab in the navigation bar.

Please note that for any changes to settings made through the Device Settings Panel to be effective, you must

to click on the “Update” button at the bottom of the panel. Depending on the refresh interval configured for

your specific device it may take a few minutes for the changes to take effect.



Device Settings

Current IP Assignment - IP address assigned to the device which is downstream from the standalone smart

firewall, typically your WiFi router or the IP address assigned to the WiFi mesh router with integrated smart

firewall. When the standalone smart firewall product, is in WAN mode, i.e. placed between a standalone

modem and a router, this would be the public IP address your ISP has assigned to your router. When the

standalone smart firewall product, is in NAT mode, i.e. placed between an integrated router modem and a

secondary router, this would be a private IP address (similar to 192.168.X.Y). which your integrated router

modem has assigned to your secondary router.



Smart Firewall ID – Every smart firewall has a unique ID assigned by IoT Defense at the time of manufacture.

This ID is used by the IoT Defense cloud to uniquely identify your smart firewall and the all information that is

associated with it. This ID will also be required by the IoT Defense support staff to provide technical support.

Standalone smart firewall The device ID is printed on the label at the bottom of the device.

Integrated smart firewall The device ID is printed on the label at the bottom of the router unit.

Smart firewall agent The device ID is displayed on the third-party router or gateway device.

TI Version – The version of threat intelligence (TI) package which is smart firewall is using to offer protection.

The smart firewall downloads Threat Intelligence updates automatically as frequently as every hour. The TI

version will change to reflect the latest update.

Web Browsing Protection – This setting controls the Smart Firewalls transparent DNS proxying functionality.

When enabled, the Smart Firewall intercepts all DNS requests originating from any device in your home and

uses IoT Defense hosted DNS servers to resolve these DNS requests. This is necessary for the Smart Firewall to

provide malicious domain protection as well as other functionality based around DNS such as Ad-Blocking,

Parental Controls, Blacklist and Whitelists.

Ad Blocking – This setting controls the Smart Firewall’s blocking of advertisements on add devices. The IoT

Defense backend maintains a curated list of ad-networks such as doubleclick.net ads.forbes.com etc. The Smart

Firewall makes ad-blocking decision based on this list. For Ad-Blocking to work Web Browsing Protection must

also be enabled. Domains and IP addresses specified in the White List Manager supersede the ad-blocking.

Protection Level – This setting controls the traffic blocking mechanism used by the smart firewall. The

following options are available:

Level Description

Off Smart Firewall will pass all traffic through.

Default Smart Firewall will block inbound and outbound traffic using Threat Intelligence.

High Smart Firewall blocks all inbound traffic. Outbound traffic is blocked based on Threat

Intelligence. The Remote Access Control feature only works in this mode.

Speed Boost – This controls the balance between analysis and the throughout. The smart firewall performs

traffic analysis in software which limits the throughput that can be sustained. To give preference to throughout,

in speed boost mode the smart firewall only analyzes the initial connection handshake as opposed to every

single packet flowing through the firewall device. Since the initial handshake is necessary to establish a

connection the protection is not compromised in anyways. The only downside of Speed Boost is that the smart

firewall is unable to enforce threat intelligence on connections that were established before the smart firewall

was plugged into the network.

Pause the Internet – This controls whether the Smart Firewall pauses (blocks) or resumes (allows) all Internet

traffic. Software and threat intelligence updates will continue to be applied even when the Internet is paused.

This feature is meant to be used during quality family times to reduce distraction from social media and

another Internet activity.



Parental Controls

IoT Defense has chosen to offer a “Simple One Click” approach to parental control. IoT Defense maintains a

curated list of sites which are deemed inappropriate to non-adult members of the family. This list is enforced to

all devices in the user’s home, when “Web Filtering” under “Parental Controls” is enabled.

Enabling “Enforce Bing Safe Search” redirects searches to strict.bing.com.

Enabling “Enforce Google Safe Search” redirects searched to forcesafesearch.google.com.

Enabling “Restrict YouTube Content” redirects YouTube searches to forcesafesearch.google.com.

Please note that domains specified in Blacklist or Whitelist supersede (take priority over) the protection offered

by Parental Controls.



Black Lists and White Lists

The Whitelist Manger and Blacklist Manager panel enables you to add domain names and IP addresses that will

be allowed or blocked, respectively. Entries in these lists will supersede the sites determined to be malicious by

the smart firewall threat intelligence. You have the option of blacklisting or white listing domains or IP

addresses - forever, for the next 24 hours or just the next hour. Entries in these lists can be individually enabled

or disabled. IP addresses can be specific as individual addresses or net blocks such as “2.144.0.0/16”

Blockage or allowance of domains will only take effect after the DNS cache entries for these domains have

expired. These DNS cache entries may be present at your endpoint device (PC or Mac), on your intermediate

router or any other intermediate device in the DNS data path.



Currently any allow or block actions on domains in the blacklist or whitelists aren’t automatically extended to

subdomains of that domain. For example, adding facebook.com to the block list does not automatically block

www.facebook.com or m.facebook.com. Each individual subdomain needs to be added separately.



Allow Current Location

The following dialog box show when you click on the “Allow Current Location” tab in the navigation bar

Allow Current Location

This setting only applies in “High” protection mode and if you have any services inside your network which you

would want to access remotely from the Internet. Examples of such services are IP Cameras, NAS Devices,

Gaming Consoles etc. In order to make services accessible from the Internet, these services would require your

router to be configured with Port Forwarding or DMZ rules to open it up for allows inbound access to the

service. Routers can be configured with these rules manually or automatically using protocols such as UPnP.

When your router is configured as described above, malicious actors on the Internet can attempt to gain access

to your service through the open ports.

The smart firewall’s “Allow Current Location” provides an additional layer of security for such services by

controlling who can access to the services remotely. When the smart firewall is set to "High" protection mode,

it blocks all connection attempts that originate from the outside. While you are traveling and connecting

remotely to your home network from public WiFi access point or a hotel, you can click “Allow Current Location”

on your web dashboard or mobile app (as shown above) and your smart firewall will automatically allow only

your location to connect to your home network remotely and only for the limited time period you have

selected after which all remote access is blocked.



Account Settings

The following panels show up in the “Account Settings” tab in the navigation bar

User Contact Information

User Contact Information – Please provide your contact information to help us provide better customer

support. Providing this information is optional. IoT Defense does not use this information for any other

purpose or share this information with third parties.



User Identity Update

Username – Specifying a new Username and clicking “Update” will update the username associated with your

smart firewall.

Email - Specifying a new Email and clicking “Update” will update the username associated with your smart

firewall.

User Password Update

Set Password – This panel is used to update your password. You will need to specify your current and your

new passwords and click on “Set Password” to apply the change.



Real-time notifications

You can use these setting to receive real time notifications for outbound threats i.e. threats that are originating

from you network. The following table describes the level of detail about outbound threat that various forms of

smart firewall and display during these notifications.

Standalone smart firewall The standalone smart firewall, sits outside your home network i.e. upstream from

your router, has no visibility in to your home network and hence is unable to tell

you which device in your network originated the outbound threat.

The advantage of this mode of operation is that the MAC and IP addresses of

your connected devices and traffic flowing between these devices remain

completely private.

Integrated smart firewall The integrated smart firewall, has visibility on both the WAN (Internet) and LAN

(Local) side of your home network and will be able to inform you about the

particular device on your home network which originated the outbound

connection.

Smart firewall agent The smart firewall agent, has visibility on both the WAN (Internet) and LAN

(Local) side of your home network and will be able to inform you about the

particular device on your home network which originated the outbound

connection.

Mobile Notify -If you set this ON, you will receive real-time push notification on your smart firewall mobile

apps for Android and iOS.

Email Notify -If you set this ON, you will receive email notifications when your smart firewall blocks any

outbound threats.



The email you receive will similar to the one below:

** THIS IS UNDER CONSTRUCTION ** More useful information will be contained in this email as it develops

Hi Your Email Address,

We've blocked something potentially malicious originating from within your home.

This threat was destined for: Country

Destination IP Address: Destination Port

Location Details

Data Deletion

IoT Defense respects your privacy and provides you with multiple options to you give you complete control of

your data. In addition, the IoT Defense backend only collects the bare minimum amount of data that is

necessary to provide you the service and to improve it over time. All the data collected by the IoT Defense

cloud from your device is clearly described in the IoT Defense privacy policy available at

http://www.iotdef.com/privacypolicy.html.

Data Cleanse – This option allows you to completely delete all the data that the IoT Defense cloud has

collected about your network traffic such as blocked domains and blocked IP addresses for a period of thirty

(30) days.



Account Destruction – This option allows you to completely delete all data associated with your account and

delete the account. This data is deleted permanently and is not recoverable and you will need to re-register

your device. If you are returning a defective hardware unit back to IoT Defense, please exercise this option

before shipping your device back.

smart firewall user guide - simplinet · determine the heath of the smart firewall and the exchange...

Documents