2018 Resolution: Keep Cyberattacks Behind the Datto Firewall
It’s 2018, folks. And if this year is anything like the last, you can bet it will be filled with more disastrous cyberattacks, global ransomware infections and other assaults on businesses of all sizes. Now is the time to configure your Datto firewall settings for optimal protection against all of these outside threats.
What do we mean by “Datto firewall?”
Well, depending on how you’re using the term, you’re probably talking about one of two things:
- The firewall built into the Datto Network Appliance (DNA)—Datto’s fully integrated Wi-Fi edge router, which is designed to provide network continuity with 4G LTE failover and failback.
- The firewall settings on your existing network infrastructure that allow your Datto BDR to communicate with the Datto Cloud for backup replication and remote device management.
Below, we address both of these scenarios in greater detail to ensure you’re doing everything you can to block unwanted traffic from entering your network, while also allowing your Datto devices to operate optimally for total data protection.
Beginner’s first: What’s a firewall?
No discussion of firewalls is complete without a basic explanation of what they are. If you’re not an IT person, it’s worth taking the time to understand what a firewall does and how it protects your network from outside threats.
Here’s what you need to know:
- A firewall is a network security feature that controls what kinds of traffic come into a network and communicate outward with the Internet and external networks.
- On smaller networks, such as a home network, the firewall is typically built into your network device (i.e. router), and its settings are accessible via your device’s web-based management console. Corporate networks will often deploy their own firewall appliances for maximum threat inspection.
- Over the years, firewalls have gotten better at identifying and controlling the various types of traffic coming and going through a network. Today, firewalls typically enable application-layer and/or network-layer (or packet filtering) inspection to prevent unwanted data from bypassing the firewall using protocols on allowed ports.
- The term “next-generation firewall” (NGFW) is often used today to define firewalls that provide this deeper inspection of traffic, with enhanced capabilities such as intrusion prevention systems, network user identification integration and dynamic threat identification (sometimes referred to as “threat-focused NGFW”).
In simplest terms…
Your firewall acts like a filter, preventing outside threats from running amok on your network.
When you give a computer access to the “outside world,” whether it’s the Internet or other external networks, you inherently expose it to a host of threats.
Without a firewall:
- Cyberattackers could practically enter your network willy-nilly to steal sensitive data
- Spam sites could install harmful programs on your machines
- Malware could infect your computers more easily
In business environments specifically, firewalls can be used in a number of ways for greater control over the incoming and outgoing data. For example, a company could configure the firewall to:
- Prevent employees from transmitting sensitive data outside the network
For example, let’s say a healthcare worker tries to email sensitive patient data to a list of internal recipients within the facility, but unbeknownst to her, the list also contains one unknown gmail address outside the network—a big “no-no” per the organization’s policies. A firewall could stop that email from being sent at all.
- Stop certain types of emails from entering the network (or from being sent)
In the reverse scenario of above, a firewall can block emails from known spam addresses or restrict all incoming mail to only approved IP addresses.
- Block access to malicious sites
Beyond email, firewalls also allow companies to block known malicious websites and networks, so that even if employees receive a bad email, clicking on the links won’t take them to the destination.
- Prevent access to social media platforms or other disruptive sites
For productivity and other reasons, a firewall can be set to block access to sites like Facebook, Twitter and any other websites that do not comply with company policies.
- Designate select computers for fire sharing, while restricting it on all others
If it’s not necessary to have all company devices used for file sharing, then restrict it wherever possible to reduce the risks of malware being spread across the network. You can use firewall settings to restrict file sharing accordingly.
You likely already use other security measures, such as anti-virus software, to prevent things like cyberattacks from infecting your computers. But your firewall can serve as a crucial first line of defense against the data you don’t want coming into your network in the first place.
Recommended Datto Firewall & Network Settings
If you’re adding a Datto BDR, such as the SIRIS 3 or ALTO, or even the DNA, to your infrastructure it needs to be set up properly on your network and must be able to communicate with the Datto Cloud to ensure your data is replicated the way it should be (and also so that your MSP can manage the system remotely).
Be sure to check out the full networking requirements on Datto’s site, but here are some of the essentials you need to know for Datto firewall and network settings.
- LAN speed: A gigabit LAN connection is required for all SIRIS 3 devices. Anything slower, and the BDR device will not function.
- WAN speed: Datto strongly advises that your BDR appliance and all protected devices should be on the same LAN. However, if a WAN is required, a 50-Mbps dedicated uplink is needed for every terabyte of protected data. “Otherwise, backups will not be reliable,” Datto says.
- Internet connection: Your Datto device should be deployed in a secure LAN environment, with no inbound Internet access. Network access controls should be used to limit the accessibility of appliance network daemons and services.
- Uplink speed: Datto requires an uplink of 1 Mbps (125 KBps) per terabyte of protected data stored locally on the Datto device to ensure that data is reliably synced to the Datto cloud.
- Firewall: Datto requires that all ICMP packets be allowed through your network firewall. If the firewall can filter application-specific data, configure the application profile to “all” / “any.” If you need to specify specific ports and IP addresses to allow access to the Datto appliance, here’s the configuration:
- TCP ports 22, 80, 443 and 2200-2250, as well as UDP port 123, must allow outbound communication between the Datto appliance and dattoremote.com.
- TCP ports 25567 and 25568 must be open inbound to the protected machine for agent calls.
- Port 3260 must be reachable from the protected machine to the Datto device.
- On Datto Windows Agent, port 3262 must also be reachable from the protected machine to the Datto device.
- Local DNS: All Datto devices need to be able to resolve the following sites in the local DNS for synchronizing time and downloading OS updates:
- IPs: View the full list of IP ranges that your Datto appliance must be able to access for Cloud infrastructure, DNS failback and device management.
Datto Firewall in DNA
Unveiled in 2015, Datto’s first networking appliance (DNA) made headlines for its 4G failover and remote configuration capabilities, which enable MSPs to provide better, more flexible service to their SMB clients from off-site. Datto markets the appliance as “everything a network needs in a single, compact device” – and of course such a device requires a dependable firewall to keep threats at bay.
Here are some key specs and features of the Datto firewall and IDPS built into DNA:
- Layer 2 protocol analysis for intrusion detection and prevention (IDPS)
- Unified Threat Management (UTM) system identifies unwanted packets and proactively blocks them from entering the network
- Port scanning prevention and built-in malware protection, governed by signature-based rule files
- Web filtering blocks access to/from known malicious sites
- Stateful packet inspection monitors active connections
- Port forwarding
- DMZ host
- Client VPN using IPSec IKEv2
- Site-to-site VPN
- VLAN segregation
Could a dedicated Datto firewall appliance be in the works?
Maybe? But this is purely speculation.
In early 2017, Datto launched its “Datto Networking” division with its acquisition of Open Mesh. This enabled the company to add a suite of networking switches and Wi-Fi access points (built by Open Mesh) to its existing networking offering: the DNA.
There’s no doubt that Datto plans to grow its networking division alongside its BDR suites and other offerings. While the company has not yet announced plans for future networking products, it’s certainly plausible that there could be a dedicated Datto firewall appliance in the works (someday). Datto has become a formidable name for data protection, so there’s no reason to believe it couldn’t compete against other firewall appliance manufacturers like Cisco and SonicWall. But, we’ll have to wait and see to find out.
Request a free demo
To take Datto’s BDR solutions for a spin, register for a free demo or request more information by contacting our business continuity experts at Invenio IT. Call (646) 395-1170 or email success@invenioIT.com.