Ultimate Control: Manage Access to Your Services with Custom Firewalls

October 13th, 2012

Can I block this one IP that is scanning our accounts?  Can I restrict my account so that people can only access it from our office network, or require that they authenticate to WebMail first (using two-factor authentication)?

LuxSci is constantly asked for fine-grained access controls by customers who are in shared environments (sharing the same servers with many other accounts).  However, blocking access from IP addresses globally at the request of one customer may potentially affect other customers using the same system.

That is, until now. LuxSci customers can now configure their own custom firewalls to allow and deny access as they see fit without affecting other customers sharing the same server(s).

Layers of Firewalls

LuxSci has many layers of access controls and firewalls:

  1. Hardware Firewalls that protect many servers
  2. Software Firewalls protecting each individual server from traffic that passes the hardware firewalls
  3. NEW! Account Firewalls protecting access to specific accounts, domains, and users from traffic that is allowed past the software firewalls
  4. Account Settings which may further limit access to services based on account security policies, service licenses, etc.

Introducing Account Firewalls

Every LuxSci customer can now control access to the services provided by their accounts, independent of the access controls of all other accounts.

Specify rules at the user, domain, and account levels

For ultimate flexibility, firewall rules can be created to apply to:

  • Only a specific user,
  • All users in a domain, or
  • All users in an account

The user-level rules take precedence over the domain-wide rules, which take precedence over the account-wide rules.

Allow and Deny usage by IP and CIDR block

You can configure allow and deny rules for specific IP addresses and for ranges of IP addresses designated by CIDR blocks (e.g. 1.2.3.4/24 is a range of 256 IP addresses).

“Allow” rules will take priority over “Deny” rules, but you can create “Deny All” rules that will effectively deny all access except from certain explicitly allowed IPs.

Allow and Deny usage by service

Control access for all services or by selected services.  Services that you can control access to include:

  • LuxSci’s Web Interface (e.g. WebMail)
  • Secure POP, Insecure POP
  • Secure IMAP, Insecure IMAP
  • Secure SMTP, Insecure SMTP
  • Secure FTP, Insecure FTP

Using these rules, you could, for example, block access to insecure POP, IMAP, and SMTP completely and allow access to the secure versions of these protocols from only specific IP ranges.

Grant Access to Other Services Via Web Interface Authentication

Let’s say that you have restricted access to everything so that only your office IP addresses can log in to your account.  How does this help your remote or roaming users? You can’t know ahead of time what IP address they will be coming from, and you don’t want to have to manually allow them and change your firewall all of the time.

The solution? Use the optional “Web Interface Login Grants Access” feature of the firewall.  With this enabled, a remote user need only log in successfully to the Web Interface to have his/her current IP address added to his/her personal firewall, allowing access to all services from that IP.  You can configure how long this temporary “allow list” access remains (from 1 day to 90 days).

If you enable two-factor authentication for the Web Interface logins, restrict WebMail access by Country or Region, use OpenID, or use our good password guessing restrictions for WebMail, then this truly and effectively blocks password guessing on your user accounts and provides a very solid layer of user access security.
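
The rule model described above (scope precedence, allow over deny, per-service rules, and temporary grants from a Web Interface login) can be sketched as follows. This is an added example, not LuxSci's code: the service labels, the sample IP ranges, the way scope precedence and allow-over-deny are combined, and the default of allowing traffic that no rule matches are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

SCOPES = ("user", "domain", "account")  # most specific scope first

@dataclass
class Rule:
    scope: str                  # "user", "domain" or "account"
    action: str                 # "allow" or "deny"
    cidr: str                   # "0.0.0.0/0" serves as a "Deny All" range
    services: tuple = ("*",)    # "*" = every service (labels are hypothetical)
    expires: datetime = None    # set only on web-login grants

    def matches(self, ip, service, now):
        if self.expires is not None and now >= self.expires:
            return False
        if "*" not in self.services and service not in self.services:
            return False
        # strict=False tolerates host bits: 1.2.3.4/24 is read as 1.2.3.0/24
        net = ipaddress.ip_network(self.cidr, strict=False)
        return ipaddress.ip_address(ip) in net

def decide(rules, ip, service, now):
    for scope in SCOPES:
        hits = [r for r in rules if r.scope == scope and r.matches(ip, service, now)]
        if hits:  # within one scope, a matching allow outranks any deny
            return "allow" if any(r.action == "allow" for r in hits) else "deny"
    return "allow"  # assumption: unmatched traffic is left to the other layers

def web_login_grant(ip, now, days):
    if not 1 <= days <= 90:
        raise ValueError("grant lifetime must be between 1 and 90 days")
    return Rule("user", "allow", ip, ("*",), now + timedelta(days=days))

# Constructed policy: insecure mail blocked, secure mail only from the office.
MAIL = ("secure-imap", "secure-smtp", "insecure-imap", "insecure-smtp")
POLICY = [
    Rule("account", "deny", "0.0.0.0/0", MAIL),
    Rule("account", "allow", "203.0.113.0/24", ("secure-imap", "secure-smtp")),
]

if __name__ == "__main__":
    t0 = datetime(2012, 10, 13)
    roaming = POLICY + [web_login_grant("198.51.100.7", t0, days=7)]
    print(decide(POLICY, "203.0.113.9", "secure-imap", t0))     # office
    print(decide(POLICY, "203.0.113.9", "insecure-imap", t0))   # office, insecure
    print(decide(POLICY, "198.51.100.7", "secure-imap", t0))    # remote, no grant
    print(decide(roaming, "198.51.100.7", "secure-imap", t0))   # remote, granted
    print(decide(roaming, "198.51.100.7", "secure-imap", t0 + timedelta(days=8)))
```

Because the grant is a user-level allow for all services, it overrides the account-wide deny for that one address until it expires, which is why the strength of the Web Interface login decides how much protection the deny rules actually give.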

Login Failure Alerts

LuxSci provides emailed login failure (and success) alerts to customers so that they can be informed quickly if someone is trying to gain access to their accounts.  While logins that are blocked by your custom user, domain, or account firewall rules will still be logged as login failures in your audit trails, these blocked logins will not be emailed to you in your alerts.

Why? Because if they are blocked by your firewall, there is no way they could log in successfully or guess your password, so pushing notices of these failures to you would be just annoying.  Instead, if you see people scanning your account, you can go and explicitly block their IPs to both (a) stop their guessing attacks, and (b) stop yourself from getting further alerts about them.

Note that LuxSci does place automatic blocks on IPs that are apparently performing password guessing attacks on our servers.  However, it is always possible to guess slowly enough to fall “under the radar” of automated systems.  Account Firewalls allow you to manage these attacks yourself when you are alerted to them and decide that they are malicious and not just inadvertent.

Ready to Configure your Firewall?

Go to: