Client firewalls in Digital Access
This article describes how firewalls are used in Smart ID Digital Access component.
What is a client firewall?
Client firewalls consist of Internet firewall configurations. An Internet firewall configuration is a collection of rules that control traffic to and from the Access Client in Digital Access. Each configuration is connected to a corresponding tunnel set. The rules are downloaded to the client computer when downloading the tunnel set. The rules are then applied to prevent network traffic to be routed at the client.
What rules can be applied to a client firewall?
You can configure rules based on the following parameters:
- Network
- Incoming or outgoing traffic
- Ports
- Allow or block traffic
The order of the rules is significant since the client firewall starts in the top of the list and stops as soon as a match between the rule and the connection is found.
The client firewall is used locally on the user’s computers while they are connected to the access point using the Access Client in Digital Access. Its rules cannot be overridden by the user. The client firewall is typically activated when the user clicks an icon in the Digital Access Portal pointing to a tunnel set configured to use the client firewall. The client firewall is deactivated as soon as the user closes down the Access client or logs off the portal.
If several tunnel sets are used simultaneously by the same user, the firewall configurations of all the tunnel sets will be active and the most restrictive rules will apply.
The client firewall checks all TCP and UDP connections except the following:
Incoming connections from an IP address of a configured resource on the intranet (a connection through the tunnel).
- Connections towards Access point
- Connections towards an IP address of a configured resource on the intranet through the tunnel.
- Instead of checking the firewall rules, the access rules of the configured resource will apply
Client firewalls can be used to specify rules based on the path or checksum of the process that is trying to connect to the Internet. To make this possible, you must first add a device definition for the client firewall that specifies the values of the path, and/or checksum of the process.