2025-03-13 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Blog catalogue
1. What are the application layer filters?
1. File type filtering
2. Content filtering
3. URL filtering
1. What are the application layer filters?
File type filtering: applies to files of different types (with different extensions). The USG firewall can identify the application layer file types carried by packets. The check does not just look at the file extension; it identifies the type from the file content. If the sender renames a.exe to a.docx, the firewall still identifies it as an EXE file according to its content.
Content filtering: applies to content such as blog and forum posts sent over HTTP, the subject and body of email sent over SMTP, the names of files uploaded and downloaded over FTP, and file names in file sharing services. Filtering can be based on specific text or regular expressions.
URL filtering: filters the URLs of the web pages that users visit, allowing or denying access to certain types of URL website resources in order to control users' use of Internet resources.
1. File type filtering
File type filtering is a security mechanism that filters file data passing through the firewall according to the type of file. File type filtering can identify files based on:
Applications: the application protocols that carry the file transfer, such as HTTP, FTP, SMTP, POP3, NFS, SMB, IMAP.
Direction: the direction in which files are transferred, such as upload or download.
Type: the actual category of the file. For example, an executable file (EXE extension) whose extension has been changed to PDF is still determined to be an executable file by the firewall through content analysis.
Extension: the extension type of the file, such as DOC, PPT, etc.
File type filtering lets you specify several rules to match against; once a rule is matched, the traffic is processed according to the action configured for that rule. The types of actions are as follows:
Allow: default action, allow file transfer.
Warning: allow file transfer while logging.
Block: block file transfer while logging.
In addition to user-defined rules, the firewall can also handle abnormal traffic based on the global file filtering configuration, such as checks on the number of nesting layers and the file size of compressed files. The firewall takes the corresponding action according to the configured values (the default values are usually used).
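The matching described in this section, as an added example (not from the original article, and not Huawei's implementation): the file type is taken from the leading bytes of the content, then rules are checked by application, direction, type and extension. The signature subset, the `Rule` fields and the sample policy are assumptions made for illustration.

```python
from dataclasses import dataclass

# Leading-byte signatures for a few formats (constructed subset).
SIGNATURES = [
    (b"MZ", "EXE"),
    (b"%PDF-", "PDF"),
    (b"PK\x03\x04", "ZIP"),                         # also the DOCX/XLSX/PPTX container
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE"),   # legacy DOC/XLS/PPT
]

def identify(data: bytes) -> str:
    """Return the type implied by the content, ignoring the file name."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "UNKNOWN"

@dataclass
class Rule:                 # hypothetical rule shape
    apps: set               # protocols, e.g. {"HTTP", "SMTP"}
    direction: str          # "upload", "download" or "both"
    types: set              # content-identified types to match
    extensions: set         # file-name extensions to match
    action: str             # "allow", "warning" or "block"

def evaluate(rules, app, direction, filename, data):
    """The first matching rule decides; with no match the default is allow."""
    real_type = identify(data)
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    for rule in rules:
        if app not in rule.apps or rule.direction not in (direction, "both"):
            continue
        if real_type in rule.types or ext in rule.extensions:
            return rule.action, real_type
    return "allow", real_type

# Constructed policy: block executables everywhere, log PDF uploads.
RULES = [
    Rule({"HTTP", "SMTP", "FTP"}, "both", {"EXE"}, {"EXE"}, "block"),
    Rule({"HTTP", "FTP"}, "upload", {"PDF"}, {"PDF"}, "warning"),
]

if __name__ == "__main__":
    renamed_exe = b"MZ\x90\x00" + b"\x00" * 60      # constructed EXE header
    print(evaluate(RULES, "SMTP", "upload", "a.docx", renamed_exe))
    print(evaluate(RULES, "HTTP", "upload", "report.pdf", b"%PDF-1.7\n"))
```

The renamed a.docx is blocked because the rule matches on the identified type, not on the extension the sender chose.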
2. Content filtering
Content filtering is a security mechanism that filters the contents of files passing through the firewall. It is generally combined with file type filtering to achieve the best protection. Enterprises today care about network efficiency as well as security. File type filtering can reduce the probability of employee leaks and security incidents to a certain extent, but it cannot check the contents of a file to find out whether the data is prohibited. For example, blocking all types of office documents in order to stop employees from leaking secrets does achieve the goal, but it also seriously affects employees' work efficiency, and some normal business email exchanges are affected as well. Content filtering can determine whether traffic is in violation by checking the contents of the file.
Content filtering can solve the following problems:
Block the transmission of confidential information and reduce the risk of employee disclosure.
Reduce the probability that employees will bring legal risks to the company by browsing sensitive information.
Improve productivity and prevent employees from browsing non-work-related content.
The contents that can be identified by firewall content filtering are as follows:
The content filtering function of the firewall identifies the sensitive information in the traffic through "keywords" and processes the traffic according to the configured action. Keywords can be defined based on the actual situation of the company (such as company secrets, violence, or other violation information), or you can use predefined keywords (such as bank card numbers, credit card numbers, social security numbers, etc.). Keywords also support fuzzy matching (regular expressions).
The content filtering of the firewall allows you to specify several rules to match, and once a rule is matched, the traffic is processed according to the configuration action of that rule.
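An added example (not from the original article, and not Huawei's implementation) of keyword-based content filtering with plain-text and regular-expression keywords, resolved with the weight-based action from the action list that follows. The keyword table, weights, thresholds and the allow result below the warning threshold are assumptions.

```python
import re

# Constructed keyword table: (pattern, is_regex, weight).
KEYWORDS = [
    ("confidential", False, 2),
    ("project aurora", False, 3),                   # hypothetical code name
    (r"\b(?:\d{4}[ -]?){3}\d{4}\b", True, 5),       # 16-digit card-like number
]
WARNING_THRESHOLD = 4     # assumed value
BLOCKING_THRESHOLD = 10   # assumed value

def score(text: str):
    """Accumulate weight once per match; return (total, matches per keyword)."""
    total, hits = 0, {}
    for pattern, is_regex, weight in KEYWORDS:
        # Plain keywords are escaped so they match literally.
        source = pattern if is_regex else re.escape(pattern)
        count = len(re.findall(source, text, re.IGNORECASE))
        if count:
            hits[pattern] = count
            total += count * weight
    return total, hits

def action_for(text: str) -> str:
    """Map the accumulated weight to an action using the two thresholds."""
    total, _ = score(text)
    if total >= BLOCKING_THRESHOLD:
        return "block"
    if total >= WARNING_THRESHOLD:
        return "warning"
    return "allow"    # assumption: below the warning threshold nothing happens

if __name__ == "__main__":
    samples = [       # constructed message bodies
        "Lunch menu attached.",
        "This draft is confidential. Confidential until release.",
        "confidential: cards 1234 5678 9012 3456 and 1111-2222-3333-4444",
    ]
    for body in samples:
        print(action_for(body), score(body))
```

Because weight accumulates per match, a single low-weight keyword passes while repeated or combined matches escalate from warning to block.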
The types of actions are as follows:
Warning: after a keyword is identified, the file content is allowed through and the event is logged.
Block: after a keyword is identified, the file content is refused and the event is logged.
Operation by weight: each keyword is configured with a weight value, and each time a keyword is matched its weight is added to a running total, once per match. If the accumulated weight is greater than or equal to the "warning threshold" and less than the "blocking threshold", the "warning" action is carried out; if the accumulated weight is greater than or equal to the "blocking threshold", the "blocking" action is performed.
3. URL filtering
When the URL requested by the user matches a URL rule in the firewall, the firewall allows or rejects the request according to the action of the URL rule and sends back the page.
The URL filtering function of the firewall is implemented in the following ways:
Blacklist: the firewall matches the received URL request against the configured blacklist and, if the match succeeds, rejects the request and sends an error page to the sender.
Whitelist: the firewall matches the received URL request against the configured whitelist and, if the match succeeds, allows the user to send the request.
URL classification query: the firewall decides whether to allow a URL request based on the category of the URL the user is accessing. URL categories include custom categories and predefined categories: custom categories are defined by users, and predefined categories are defined by default (and can be upgraded from Huawei's security center). A URL category can contain several URLs, and a URL can belong to multiple categories. Predefined categories can be queried in two ways.
The first is the local cache query. The predefined classification information is usually loaded into the cache when the device boots. When the firewall receives a URL request, it first queries the cache for the category of the URL. If a category is found, the request is processed according to the response action configured for that category. When the action is to reject, a Web push page is sent to the sender.
The second is the remote classification server query. The server is generally deployed on the Internet and provides a larger set of URL classification information. When a matching category is found, the request is processed according to the response action configured for that category, and the classification is saved to the local cache for a faster query next time. When the action is to reject, a Web push page is sent to the sender. If no category is found, the request is processed according to the response action of the "other" category.
The control actions of URL filtering are allow, warning and block, which suit different situations.
Allow: allow the user to access the requested URL.
Warning: allow the user to access the requested URL while logging.
Block: block the user's access to the requested URL while logging.
There is a default profile for URL filtering in the firewall, named default. By default, this profile sets the response action for malicious websites to block and the default action for other URL categories to allow. The default profile cannot be modified or deleted.
When configuring URL filtering, it is recommended to configure domain name resolution on the firewall so that the Huawei firewall can reach Huawei's security service center over the Internet.
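The lookup flow described in this section, as an added example (not from the original article, and not Huawei's implementation): whitelist and blacklist, then custom categories, the local cache, the remote query with write-back to the cache, and the "other" fallback. Matching on host name only, the evaluation order, the strictest-action rule for URLs in several categories, and all domains and category names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed data; REMOTE_DB stands in for the remote classification server.
WHITELIST = {"intranet.example.com"}
BLACKLIST = {"bad.example.net"}
CUSTOM_CATEGORIES = {"video.example.org": {"streaming"}}    # user-defined
LOCAL_CACHE = {"malware.example.net": {"malicious"}}        # loaded at boot
REMOTE_DB = {"news.example.org": {"news"},
             "games.example.org": {"games", "streaming"}}
CATEGORY_ACTION = {"malicious": "block", "games": "block",
                   "streaming": "warning", "news": "allow", "other": "allow"}
SEVERITY = {"allow": 0, "warning": 1, "block": 2}

def remote_query(host):
    """Hypothetical stand-in for the query to the remote server."""
    return REMOTE_DB.get(host)

def classify(host):
    """Return (categories, source of the answer)."""
    if host in CUSTOM_CATEGORIES:
        return CUSTOM_CATEGORIES[host], "custom"
    if host in LOCAL_CACHE:
        return LOCAL_CACHE[host], "cache"
    categories = remote_query(host)
    if categories:
        LOCAL_CACHE[host] = categories      # saved for the next quick query
        return categories, "remote"
    return {"other"}, "none"                # nothing found: use "other"

def filter_url(url):
    """Return (action, what decided it) for one requested URL."""
    host = (urlsplit(url).hostname or "").lower()
    if host in WHITELIST:
        return "allow", "whitelist"
    if host in BLACKLIST:
        return "block", "blacklist"
    categories, source = classify(host)
    actions = [CATEGORY_ACTION.get(c, CATEGORY_ACTION["other"]) for c in categories]
    # Assumption: with several categories, the strictest action applies.
    return max(actions, key=SEVERITY.get), source

if __name__ == "__main__":
    for url in ("http://intranet.example.com/wiki", "http://bad.example.net/x",
                "http://games.example.org/play", "http://games.example.org/play",
                "http://unlisted.example.com/"):
        print(url, filter_url(url))
```

The second request for the same uncached host is answered from the local cache, which is the behaviour the remote query's write-back is there to provide.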
4. Submit the configuration file
As shown in the figure above, all application layer filtering is implemented by writing a configuration file (profile) and referencing it through the profile keyword in the security policy (the action must be allow). On Huawei's next-generation firewalls, changes to a profile take effect only after a commit (submission). The configuration command for the commit operation is as follows:
[USG6300] engine configuration commit
Commit operations can also be performed in the Web management interface. For the configuration of Web management, please refer to the blog post on Huawei firewall management methods. The operation in the Web management interface is as follows: