2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Product introduction of Huawei Firewall
USG2000, USG5000, USG6000 and USG9500 are the four major product lines of Huawei firewalls, each aimed at the network needs of a different environment. The USG2000 and USG5000 series are positioned as UTM (unified threat management) products, the USG6000 series are next-generation firewall products, and the USG9500 series are high-end firewall products.
1. USG2110
The USG2110 is a firewall device released by Huawei for small and medium-sized enterprises, chain organizations, SOHO businesses and so on. Its functions include firewall, UTM, Virtual Private Network (spelled out in full here, because the abbreviation would trip content filters), routing, wireless and so on. The USG2110 offers high performance, high reliability and convenient configuration at a relatively low price. It supports a variety of Virtual Private Network networking methods and provides users with a secure, flexible and convenient integrated networking solution.
2. USG6600
The USG6600 is Huawei's firewall product for next-generation network environments and is suitable for large and medium-sized enterprises and data centers. It offers accurate access control, comprehensive protection coverage, simple security management and high protection performance. It can be used for networking applications such as intranet boundary protection, Internet exit protection, cloud data center boundary protection and Virtual Private Network remote interconnection.
3. USG9500
The USG9500 series includes the USG9520, USG9560 and USG9580, and is suitable for cloud service providers, large data centers, large enterprise campus networks and so on. With accurate access control, practical NGFW features, an "NP + multi-core + distributed" architecture and rich virtualization, it is marketed as a stable and reliable security gateway product, and can be used in scenarios such as large-scale data center boundary protection, network exit protection for radio and television and second-tier operators, and education network exit protection.
4. NGFW
NGFW, short for Next Generation Firewall, is a term first proposed by Gartner. An NGFW is better suited to the new network environment. In terms of functions, an NGFW should not only provide the standard firewall functions such as network address translation, stateful inspection, Virtual Private Network and the functions needed by large enterprises, but also genuinely integrate IPS with the firewall rather than bolting it on as a separate module. In addition, an NGFW needs strong application awareness and application visualization capabilities, built on the deep integration of application policies, log statistics, security capabilities and application identification, and should use additional external information, such as user identity, to help refine security policies.
5. The difference between traditional firewall and NGFW firewall:
Traditional firewalls can only make decisions based on time, IP address and port, while NGFW firewalls control and protect traffic based on six dimensions: application, user, content, time, threat and location. Of these:
Application-based: a variety of means are used to accurately identify more than 6000 application-layer protocols and their sub-functions in web applications, so that accurate access control and business acceleration can be carried out. This also covers mobile applications: for example, the firewall can distinguish voice from text in WeChat traffic and apply different control policies to each.
User-based: access control, QoS management and in-depth protection are applied per user, with the help of an AD (Active Directory) server, a directory server or an AAA server.
Location-based: combined with global location information, the firewall intelligently identifies where traffic originates, and therefore where applications and attacks come from. It applies differentiated control to access traffic from different regions according to location information, and supports customizing locations based on IP information.
In practice an application may use any port, so a traditional firewall, which identifies traffic only by port, cannot identify and control the application. The advance of the NGFW lies in finer-grained access control. Its best-practice principle is application-based control + whitelisting + minimum authorization.
At present, Huawei's NGFW products are mainly the USG6000 series, ranging from low-end fixed-configuration products to high-end modular products. Huawei claims the application identification coverage of its next-generation firewall is 20% ahead of comparable products in the industry.
Let's look at how the firewall works, using the USG6600 model as the example.
Second, the working principle of the firewall
1. The working mode of the firewall
Huawei firewalls have three working modes: routing mode, transparent mode and mixed mode.
1) Routing mode:
If the interfaces between the Huawei firewall and the network are configured with IP addresses, the firewall is considered to be working in routing mode. When the firewall sits between the internal network and the external network, the interfaces connecting it to the internal network, the external network and the DMZ need IP addresses in different network segments, so the original network topology has to be replanned. In this mode the firewall is first of all a router, and the other firewall functions are provided on top of that. Routing mode requires changes to the network topology (internal users need a new gateway, routers need their routing configuration changed, and so on).
2) transparent mode:
If the Huawei firewall connects to the outside at layer 2 (the interfaces have no IP addresses), it works in transparent mode. In transparent mode the firewall is simply inserted into the network like a switch, and its biggest advantage is that no existing IP configuration needs to be modified; the firewall behaves like a switch, and the internal and external networks must be in the same subnet. In this mode, messages are not only switched at layer 2 inside the firewall but are also analyzed and processed at higher layers.
3) mixed mode:
If the Huawei firewall has some interfaces working in routing mode (with IP addresses) and others working in transparent mode (without IP addresses), the firewall works in mixed mode. This mode is essentially a mixture of transparent mode and routing mode, and is currently only used in the special case of providing dual-device hot standby in transparent mode. It is not recommended in other environments.
2. Security zone division of Huawei firewall
A security zone (Security Zone) is referred to as a Zone for short. The firewall uses zones to distinguish secure networks from insecure ones. On a Huawei firewall a security zone is a collection of one or more interfaces, and this is the main feature that distinguishes a firewall from a router. The firewall divides the network into security zones and controls the transmission of messages between them. When a data message passes between different security zones, a security policy check is performed.
Several common areas are as follows:
Trust zone: mainly used to connect to the company's internal network; priority 85, high security level.
DMZ zone: demilitarized zone, a military term for an area between a strictly controlled military zone and a public area. In firewalls it is usually defined as the network that provides services to the outside. Its security level lies between the Trust zone and the Untrust zone; priority 50, medium security level.
Untrust zone: usually defines the external network; priority 5, very low security level. The Untrust zone represents an untrusted network, and since there are many threats on the Internet, insecure networks such as the Internet are generally placed in the Untrust zone.
Local zone: usually defines the firewall itself; priority 100. Besides forwarding messages between zones, the firewall also needs to receive or send traffic itself, for network management, running dynamic routing protocols and so on. Messages initiated by the firewall are treated as sent from the Local zone, and messages that the firewall must answer or process itself (rather than forward) are treated as received by the Local zone.
Other zones: user-defined zones; by default up to 16 custom zones can be created. Custom zones have no default priority, so it must be specified manually.
The firewall zone is divided as shown in the following figure:
In practical application scenarios, you need to pay attention to the following points:
The priority of each security zone must be unique, that is, every security zone must have a different priority, because the firewall determines the trust level of a network from its priority.
On a Huawei firewall, an interface can be added to only one security zone.
Huawei's traditional firewalls by default permit traffic from high-priority zones to low-priority zones, but the latest NGFW firewalls deny all traffic by default.
3. Inbound and Outbound of the firewall
Firewalls handle traffic between zones; even traffic initiated by the firewall itself is traffic between the Local zone and another zone. When a data flow passes between security zones, the Huawei firewall is triggered to check its security policy, that is, the security policy is usually defined between zones (such as between the Untrust zone and the Trust zone), and different security policies can be set between different zone pairs. The data flow between zones is divided into two directions:
Inbound: the direction in which data travels from a lower-priority security zone to a higher-priority security zone.
Outbound: the direction in which data travels from a higher-priority security zone to a lower-priority security zone.
4. State information (the basic technology by which the firewall implements security protection)
In firewall technology, traffic in the two directions is usually treated differently. Because of the firewall's stateful inspection mechanism, only the first message of a data flow is checked against the policy. Once the security policy allows the first message to pass, a session table entry is created. If subsequent messages and the returning messages match the session table, they are forwarded directly without another policy check, which improves the forwarding efficiency of the firewall. For example, when a client in the Trust zone accesses the Internet in the Untrust zone, a security policy is only needed in the Outbound direction from Trust to Untrust; no security policy is needed from Untrust to Trust.
The firewall uniquely identifies a data flow by a five-tuple: source IP, destination IP, protocol, source port and destination port. The firewall treats packets with the same five-tuple as one data flow. A packet must match the five-tuple specified by a policy to match that policy; otherwise it continues to be matched against the following policies, and matching stops at the first match.
A stateful inspection firewall uses a connection-state based inspection mechanism, treating all messages belonging to the same connection exchanged by the two communicating parties as one data flow. From the point of view of a stateful inspection firewall, the messages of the same data flow are no longer isolated individuals but are related. Once a session has been established for the first message of the data flow, the subsequent messages of the flow are forwarded according to the session, which improves forwarding efficiency.
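The following is an added Python model of the behaviour described in the zone and state-information sections; it is example code written for this page, not Huawei's code. It assumes the zone priorities listed above (Local 100, Trust 85, DMZ 50, Untrust 5), derives the Inbound/Outbound direction from them, enforces unique priorities for custom zones, and keeps a session table keyed by the five-tuple so that only the first packet of a flow is checked against the policy while later packets and the returning packets are forwarded from the session. The policy function and the IP addresses are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, NamedTuple, Set

# Security zone priorities as given in the post: Local 100, Trust 85, DMZ 50, Untrust 5.
ZONE_PRIORITY: Dict[str, int] = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def add_zone(name: str, priority: int) -> None:
    """Define a custom zone; every zone must have a unique priority."""
    if name in ZONE_PRIORITY:
        raise ValueError(f"zone {name} already exists")
    if priority in ZONE_PRIORITY.values():
        raise ValueError(f"priority {priority} is already used by another zone")
    ZONE_PRIORITY[name] = priority


def direction(src_zone: str, dst_zone: str) -> str:
    """Classify the traffic direction from the two zone priorities."""
    if src_zone == dst_zone:
        return "intra-zone"
    if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone]:
        return "outbound"  # higher-priority zone -> lower-priority zone
    return "inbound"       # lower-priority zone -> higher-priority zone


class FiveTuple(NamedTuple):
    """The five fields the firewall uses to identify one data flow."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def reverse(self) -> "FiveTuple":
        """Five-tuple carried by the returning packets of this flow."""
        return FiveTuple(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


# A policy callback: given the two zones and the first packet, decide permit/deny.
PolicyFn = Callable[[str, str, FiveTuple], bool]


class StatefulFirewall:
    def __init__(self, policy: PolicyFn) -> None:
        self.policy = policy
        self.sessions: Set[FiveTuple] = set()  # session table, keyed by five-tuple
        self.policy_lookups = 0                 # how often the policy was consulted

    def forward(self, src_zone: str, dst_zone: str, pkt: FiveTuple) -> str:
        # Subsequent packets and returning packets hit the session table and are
        # forwarded without another policy check.
        if pkt in self.sessions or pkt.reverse() in self.sessions:
            return "permit (session)"
        # First packet of a flow: consult the security policy exactly once.
        self.policy_lookups += 1
        if self.policy(src_zone, dst_zone, pkt):
            self.sessions.add(pkt)
            return "permit (policy, session created)"
        return "deny"


def trust_to_internet_policy(src_zone: str, dst_zone: str, pkt: FiveTuple) -> bool:
    """Constructed policy: permit only Outbound HTTPS from Trust (10.1.1.0/24) to Untrust.
    No Inbound rule exists at all; the replies are handled by the session table."""
    return (direction(src_zone, dst_zone) == "outbound"
            and src_zone == "trust" and dst_zone == "untrust"
            and pkt.proto == "tcp" and pkt.dst_port == 443
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network("10.1.1.0/24"))


if __name__ == "__main__":
    fw = StatefulFirewall(trust_to_internet_policy)
    first = FiveTuple("10.1.1.10", "203.0.113.5", "tcp", 51000, 443)
    print(fw.forward("trust", "untrust", first))            # permit (policy, session created)
    print(fw.forward("untrust", "trust", first.reverse()))  # permit (session)
    unsolicited = FiveTuple("203.0.113.9", "10.1.1.10", "tcp", 40000, 443)
    print(fw.forward("untrust", "trust", unsolicited))      # deny
```

The point to notice is that the returning packet from the Untrust zone is permitted without any Untrust-to-Trust rule, purely because its reversed five-tuple is in the session table, while an unsolicited Inbound packet with the same destination port is denied because it has no session and no policy permits it.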
5. Security policy
The basic function of a firewall is to protect a particular network from attacks by "untrusted" networks while still allowing legitimate communication between the two. The job of the security policy is to check the data flows passing through the firewall, so that only legitimate flows that conform to the policy get through. Different security policies can be applied between different zones for different controls.
Traditional access control based on IP address, port and protocol can no longer meet current network needs, so Huawei has introduced an integrated security policy. The current V100R001 version of the USG6000 series firewalls uses this integrated security policy. The "integration" shows in two aspects. One is configuration integration: security checks such as antivirus, email filtering, content filtering and application behavior filtering are enabled by referencing profiles from the policy, which makes the administrator's configuration easier. The other is service integration: the integrated policy inspects each message only once, and the various service functions are processed in parallel, which greatly improves processing efficiency. Traditional firewalls such as UTM products, by contrast, work serially, and traffic is inspected again each time it passes through another module.
In addition to the traditional five-tuple (source IP, destination IP, protocol, source port, destination port), Huawei's new-generation firewall can also inspect traffic in depth based on application, content, time, user, threat and location, giving all-round inspection capability together with accurate access control and security detection, as shown below:
An integrated security policy consists of several rules, each made up of conditions, an action, profiles and options, as shown in the following figure. Profiles perform content security inspection of messages, including antivirus, intrusion prevention, URL filtering, file filtering, content filtering, application behavior control and email filtering. A rule can reference one or more profiles. Each rule type comes with corresponding default profiles, and administrators can manually reference one or more other profiles. Profiles can only be referenced if the action is permit.
From the figure we can see that the conditions are the basis for matching a rule, such as the source zone, destination address, time and so on. A rule is matched only if all of its conditions are met. For example, if a message matches the source and destination zones, source and destination addresses, user, application and service of rule 1 but does not match its time condition, the message does not match rule 1 and must continue to be matched against the following rules. Not every condition has to be configured in a rule; one or a few conditions can be specified. If a rule's conditions are only that the source zone is Trust and the destination zone is Untrust, the other conditions are treated as "any": a message from Trust to Untrust with any user, application, service and time period matches the rule.
If an element of a condition is used repeatedly in multiple rules, or if the element itself contains several related entries, consider configuring it as an object that can then be referenced by multiple rules.
The action is how the firewall handles the matching traffic, such as permit or deny. Different policies can choose different actions. If the action is permit, the message can go on to further processing based on the referenced profiles.
Options are additional settings of the rule, such as whether to log hits on the rule and whether the rule is in effect.
The relationship between the elements of a condition is "and": the attributes of the message must match every element for the message to match the rule. On the other hand, the relationship between multiple objects of the same element is "or": as long as the message's attribute matches one of the objects, it is considered to match that element. For example, if the administrator defines three address objects A, B and C corresponding to three IP address ranges, and the source address condition references A, B and C at the same time, then a message whose source IP belongs to any of the three objects matches the rule.
Different from the traditional security policy, the integrated security policy has the following characteristics:
Policy configuration is global and is no longer based on zone pairs. Security zones are only optional conditions, and a rule can specify multiple source or destination zones.
All inter-zone traffic, including Outbound traffic, is denied by default. Traffic that is needed must be explicitly permitted by policy rules.
The default action of the security policy replaces the default packet filtering. The packet filtering of a traditional firewall is configured per zone pair and takes effect only between the specified zones, while the default action of the new-generation firewall takes effect globally. The default action is deny, that is, all traffic is denied unless explicitly permitted.
At the same time, to handle various networking situations flexibly, Huawei firewalls also support intra-zone (within the same security zone) policies, which apply security checks to traffic passing through the firewall within one security zone (by default, all intra-zone messages are allowed through the firewall). The firewall processes rules in an order very similar to an ACL. If several security policy rules apply between or within zones, the firewall matches them from top to bottom in the order of the rules when forwarding a message. If a rule is not matched (its conditions are not met), the next rule is tried; if a rule is matched, the message is handled according to that rule's action; if no rule matches, the default action of the security policy is applied.
By default, Huawei's firewall policy has the following characteristics:
1) No two security zones can have the same priority.
2) Messages between different interfaces in the same zone are forwarded directly without filtering.
3) An interface cannot forward messages before it has been added to a zone.
4) There is no security policy by default on USG series firewalls, that is, whatever zones access each other, security policies must be configured, unless the traffic stays within the same zone.
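The rule-matching semantics described above (conditions AND-ed, objects within one element OR-ed, top-down first-match, profiles applied only on permit, global default deny, intra-zone traffic permitted by default) are easy to get wrong when reading a large policy, so here is an added Python model of them. This is example code written for this page, not Huawei's implementation; the Packet and Rule fields, the sample rules, the user names and the addresses are all constructed. The time condition is modelled as an hour-of-day range, which is a simplification of the device's time-range objects.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    """Attributes the policy engine extracts from a message (constructed model)."""
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str
    application: str
    service: str   # protocol/port, e.g. "tcp/443"
    hour: int      # hour of day 0-23, compared against a rule's time range


@dataclass
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    profiles: Tuple[str, ...] = ()       # content-security profiles (av, ips, url-filter, ...)
    enabled: bool = True                 # the "is this rule in effect" option
    # Every condition is optional: None means "any". A set holds several objects,
    # and the packet needs to match only one of them (OR within an element).
    source_zones: Optional[Set[str]] = None
    dest_zones: Optional[Set[str]] = None
    source_addresses: Optional[Set[str]] = None   # CIDR address objects
    dest_addresses: Optional[Set[str]] = None
    users: Optional[Set[str]] = None
    applications: Optional[Set[str]] = None
    services: Optional[Set[str]] = None
    time_range: Optional[Tuple[int, int]] = None  # (start_hour, end_hour), end exclusive

    @staticmethod
    def _in_any(ip: str, networks: Set[str]) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in networks)

    def matches(self, pkt: Packet) -> bool:
        """AND across the configured elements; unconfigured elements match anything."""
        checks = [
            (self.source_zones, lambda: pkt.src_zone in self.source_zones),
            (self.dest_zones, lambda: pkt.dst_zone in self.dest_zones),
            (self.source_addresses, lambda: self._in_any(pkt.src_ip, self.source_addresses)),
            (self.dest_addresses, lambda: self._in_any(pkt.dst_ip, self.dest_addresses)),
            (self.users, lambda: pkt.user in self.users),
            (self.applications, lambda: pkt.application in self.applications),
            (self.services, lambda: pkt.service in self.services),
            (self.time_range, lambda: self.time_range[0] <= pkt.hour < self.time_range[1]),
        ]
        return all(check() for configured, check in checks if configured is not None)


@dataclass
class SecurityPolicy:
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "deny"    # global default action of the integrated policy
    intra_zone_permit: bool = True  # traffic inside one zone passes unless a rule says otherwise

    def evaluate(self, pkt: Packet) -> Tuple[str, str, Tuple[str, ...]]:
        """Top-down, first match wins (match-stop). Returns (action, rule name, profiles)."""
        for rule in self.rules:
            if rule.enabled and rule.matches(pkt):
                # Profiles are only applied when the action is permit.
                profiles = rule.profiles if rule.action == "permit" else ()
                return rule.action, rule.name, profiles
        if pkt.src_zone == pkt.dst_zone and self.intra_zone_permit:
            return "permit", "intra-zone default", ()
        return self.default_action, "default", ()


# Constructed sample policy (not a real device configuration).
POLICY = SecurityPolicy(rules=[
    Rule("office_hours_wechat", "permit", ("av", "url-filter"),
         source_zones={"trust"}, dest_zones={"untrust"},
         source_addresses={"10.1.1.0/24", "10.1.3.0/24"},   # address objects A and B, OR-ed
         users={"alice"}, applications={"wechat"}, services={"tcp/443"},
         time_range=(9, 18)),
    Rule("deny_wechat_otherwise", "deny",
         source_zones={"trust"}, dest_zones={"untrust"}, applications={"wechat"}),
    Rule("trust_to_untrust_any", "permit", ("av",),
         source_zones={"trust"}, dest_zones={"untrust"}),   # all other conditions: any
])


def decide(pkt: Packet) -> Tuple[str, str, Tuple[str, ...]]:
    return POLICY.evaluate(pkt)


if __name__ == "__main__":
    day = Packet("trust", "untrust", "10.1.3.4", "203.0.113.5", "alice", "wechat", "tcp/443", 10)
    night = Packet("trust", "untrust", "10.1.3.4", "203.0.113.5", "alice", "wechat", "tcp/443", 20)
    print(decide(day))    # ('permit', 'office_hours_wechat', ('av', 'url-filter'))
    print(decide(night))  # ('deny', 'deny_wechat_otherwise', ())
```

The `night` packet reproduces the case from the text: it matches every element of the first rule except the time condition, so it is not matched by that rule and falls through to the second one. Note also that a packet from 10.1.3.4 matches the first rule via the second address object, and that a packet arriving from Untrust matches no rule and therefore hits the global default deny.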
This is the end of this blog post, thank you for reading!