Huawei Firewall USG5500

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--


Key points: what a firewall is; firewall basics; firewall feature configuration

I. What is a firewall:

1. What is a firewall:

Firewalls are mainly used to protect one network from attacks and intrusions coming from another network. Because of their isolation and defensive properties, firewalls are deployed flexibly at network boundaries, between subnets and in similar positions, such as the enterprise network egress, subnet isolation inside a large network, and the boundary of a data center (IDC).

2. Comparing switches, routers and firewalls:

1) Switch: builds a local area network and forwards packets quickly through layer 2 or layer 3 switching

2) Router: connects different networks, interconnects them through routing protocols, and ensures that packets are forwarded to their destination

3) Firewall: deployed at the border to control access into and out of the network; security protection is its core feature

Summary: routers and switches are essentially about forwarding; a firewall is essentially about control.

3. Development history and characteristics of firewall:

1) Access control is becoming more and more precise

2) Protection capability is getting stronger and stronger

3) Processing performance is getting higher and higher

4. The relationship between firewall interfaces, networks, and security zones:

1) Security zone: a zone is a collection of one or more interfaces. It divides the network and marks the "path" that packet flows take; packets are subject to control only when they flow between different security zones.

2) Relationship among firewall interfaces, networks and security zones: an interface connects to a network, and the interface is added to a zone, so the security zone is associated with the network through the interface. It is usually said that a security zone represents the network where its interfaces sit. (Note: on a Huawei firewall an interface can be added to only one security zone.)

3) Default security zones of a Huawei firewall:

Trust zone: highly trusted, usually connects the network of internal users

DMZ zone: moderately trusted, usually connects the network of internal servers

Untrust zone: an untrusted network, usually an insecure network such as the Internet

Local zone: the firewall itself. All packets the firewall actively sends originate from the local zone, and all packets the firewall must respond to or process itself (rather than forward) are received by the local zone. No interface can be added to the local zone.

4) Security level (trust level): 1-100 (the larger the number, the more trusted), local=100, trust=85, DMZ=50, untrust=5

5) Rules for packet flow between two security zones:

Inbound (incoming direction): packets flow from a lower-level security zone to a higher-level security zone

Outbound: packets flow from a higher-level security zone to a lower-level security zone

6) By dividing the networks it connects into zones with clear security levels, the firewall controls the flow of packets (data flows) between those networks.

5. How does the firewall determine which two zones a packet flows between?

1) Confirm the destination security zone: look up the forwarding tables (routing table, MAC address table) to find the outgoing interface; the zone that interface belongs to is the destination security zone.

2) Confirm the source security zone: look up the routing table to determine the source security zone.

Note: determining a packet's source and destination security zones is the prerequisite for configuring security policies precisely.

II. Basic configuration of Huawei firewall:

1. Huawei Firewall configures security zones:

System view: create or enter a security zone: firewall zone name <zone name>

Zone view: set the security level (0-100): set priority <level>

Zone view: add an interface to the zone: add interface <interface name>

System view: view the zone configuration: display zone

2. Stateful inspection firewall:

A stateful inspection firewall uses a connection-state based detection mechanism, treating all packets belonging to the same connection between two communicating parties as one data flow. A session is established for the first packet of the flow; subsequent packets of the flow are forwarded directly by matching the session, so they need no rule check, which improves forwarding efficiency.

3. Firewall session:

1) Session: the concrete representation on the firewall of the connection established between two communicating parties, reflecting their connection state. One session represents one connection between the two parties. The set of all sessions on the firewall is called the session table.

2) Five-tuple: a connection (that is, a session) is uniquely identified by five elements: source address, source port, destination address, destination port and protocol; packets with the same five elements belong to the same session flow. For protocols without ports the firewall uses fixed values, for example ICMP: ID = source port, 2048 = destination port; IPsec (AH: authentication header / ESP: encapsulating security payload): source and destination ports = 0.

4. Huawei firewall troubleshooting commands:

System view: view zones: display zone

System view: check dropped packets: dis firewall statistic system discard

System view: view the session table: dis firewall session table verbose

System view: set the DNS session aging time to 3 seconds: firewall session aging-time dns 3 (there are a large number of DNS queries on the intranet; shorten the aging time to avoid exhausting memory)

III. Firewall feature configuration:

1. Configure DHCP:

Interface view: configure DHCP: dhcp select interface --> dhcp server gateway <gateway> --> dhcp server dns <DNS server address> --> quit

2. Configure SNAT so the intranet can access the Internet:

1) Configure the NAT policy:

Enter the NAT policy view: nat-policy interzone <high-level zone> <low-level zone> outbound

NAT policy view: create policy 1: policy 1

Policy view: specify the source segment: policy source <network segment> <wildcard mask>

Policy view: enable SNAT: action source-nat

Policy view: specify the NAT type: easy-ip <public network interface>

Policy view: exit: return

2) Configure the security policy:

System view: enter the security policy view: policy interzone <high-level zone> <low-level zone> outbound

Security policy view: create a new policy: policy 1

Policy view: specify the source segment: policy source <network segment> <wildcard mask>

Policy view: set the policy to permit: action permit --> return

3) Configure dynamic NAPT:

System view: define the address pool: nat address-group <group number> <start address> <end address>

Policy view: specify the NAT type: address-group <group number>

The other configuration is the same as for easy-ip.
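The SNAT workflow above, assembled into one configuration from the command syntax given in this article (an added example, not a configuration from the original post). Zone membership, the interface names and the RFC 5737 addresses are constructed assumptions; the dynamic NAPT variant at the end shows how the address pool replaces easy-ip.

```text
# Added example: trust = LAN on GigabitEthernet0/0/0, untrust = Internet on
# GigabitEthernet0/0/1 (constructed interfaces and addresses).
system-view

# 1. Bind interfaces to the default zones (trust=85, untrust=5)
firewall zone trust
 add interface GigabitEthernet0/0/0
 quit
firewall zone untrust
 add interface GigabitEthernet0/0/1
 quit

# 2. NAT policy for the outbound direction (high-level zone -> low-level zone),
#    easy-ip translates to the address of the public interface
nat-policy interzone trust untrust outbound
 policy 1
  policy source 192.168.10.0 0.0.0.255
  action source-nat
  easy-ip GigabitEthernet0/0/1
  return

# 3. Security policy: without an explicit permit the interzone default is deny
policy interzone trust untrust outbound
 policy 1
  policy source 192.168.10.0 0.0.0.255
  action permit
  return

# Dynamic NAPT variant: define a pool and reference it instead of easy-ip
nat address-group 1 203.0.113.10 203.0.113.20
nat-policy interzone trust untrust outbound
 policy 1
  address-group 1
  return
```

After the policies are in place, "dis firewall session table verbose" shows the translated sessions and "dis firewall statistic system discard" shows whether packets are being dropped by the policy.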

3. Huawei Firewall Security Policy:

1) Security policies are expressed in terms of the relationship between security zones and consist of conditions (ports and addresses) + an action (permit or deny)

2) Matching order of security policies: match from top to bottom; matching stops at the first hit, and traffic that matches nothing is rejected by default.

3) Evolution of Huawei firewall security policy: ACL five-tuple (supported on USG2000/5000) -> UTM (supported on USG2000/5000) -> integrated security policy (supported on USG6000)

UTM (Unified Threat Management) configuration syntax: policy interzone <source zone> <destination zone> {outbound | inbound} --> policy <name> --> policy {source | destination} <segment or ip> --> action {deny | permit}

Integrated security policy configuration syntax: security-policy --> rule name <name> --> source-zone <source zone> --> destination-zone <destination zone> --> source-address <source address> --> action {deny | permit}

4) ASPF (application layer packet filtering): dynamically generates server-map entries from application-layer information in packets, which both simplifies security policy configuration and preserves security. ASPF is a firewall traversal technology: the server-map entries it generates are equivalent to opening a channel through the firewall, so that subsequent packets of multi-channel protocols such as FTP (and similarly QQ, MSN) are not subject to the security policy and can pass through the firewall.

ASPF configuration syntax: firewall interzone trust untrust --> detect {ftp | qq | msn}

Note: the services ASPF inspects can be customized.

5) Configuration and troubleshooting of Huawei firewall security policy:

Security policy configuration approach: set the default packet filter to permit --> test the service --> view the session table and configure the security policy using the information recorded there as match conditions --> finally restore the default packet filter configuration --> test the service again.

Troubleshooting: dis pol int trust untrust outbound # view policy matches --> poli move 2 before 1 # change the policy order

4. Huawei Firewall load balancing:

1) A load balancer is a kind of cluster: multiple servers handle tasks together, presenting a single external interface and handling a large volume of tasks.

2) Configure the load balancer:

System view: enable load balancing (SLB): slb enable

SLB view: define a real server: rserver 1 rip <server ip address> weight <weight>

SLB view: create a group: group <load balancer group name>

SLB group view: set the scheduling algorithm: metric <algorithm>

SLB group view: add the real server: addrserver 1

SLB view: set the cluster VIP: vserver <name> vip <cluster ip address> group <slb group> vport <cluster port> rport <real server port>

System view: view the configuration: dis slb group <slb group>

5. Huawei Firewall nat-server publishes private network services:

1) The server-map table of nat server contains a forward entry and a reverse entry, which record the mapping between the server's private-network address and its public-network address and port. The forward entry is used to translate the destination address of packets when public-network users access the server.

The reverse entry is used when the private-network server actively accesses the public network: the firewall can translate the private address into the public address directly using that entry, without configuring a separate SNAT policy for the server.

That is, one command opens the address-translation channel in both directions between the private-network server and the public network.

2) nat-server configuration syntax for publishing a private-network service:

System view: publish the private-network service: nat server protocol tcp global <public network address> <port> inside <private network server address> <port>

3) Security policy configuration for the published private-network server:

Note: the destination address of the policy is the server's private-network address, not its mapped public-network address. To avoid routing loops, nat server needs a black-hole route.

4) DNAT security policy configuration syntax:

policy interzone dmz untrust inbound --> policy 1 --> policy destination <server private network ip address> 0 --> policy service service-set <service> --> action permit --> return

5) Syntax for configuring the black-hole route: ip route-static <public network ip address> 32 null 0
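The three pieces of the nat-server procedure (publish, permit inbound to the private address, black-hole the public address) combined into one configuration, as an added example built from this article's syntax rather than taken from the original post. The DMZ web server 10.1.1.10, the public address 203.0.113.5 and the predefined service-set name http are assumptions.

```text
# Added example: publish a DMZ web server on a public address (constructed values).
system-view

# 1. One nat server command creates both the forward entry (public users ->
#    server) and the reverse entry (server -> public network, no SNAT policy
#    needed for it)
nat server protocol tcp global 203.0.113.5 80 inside 10.1.1.10 80

# 2. Inbound security policy untrust(5) -> dmz(50). The destination is the
#    private address: destination NAT happens before the policy is matched.
policy interzone dmz untrust inbound
 policy 1
  policy destination 10.1.1.10 0
  policy service service-set http
  action permit
  return

# 3. Black-hole route for the public address so that packets to it that match
#    no server-map entry are discarded instead of looping back to the upstream
ip route-static 203.0.113.5 32 null 0
```

If access from the Internet fails, checking "dis firewall session table verbose" for a session with destination 10.1.1.10 tells you whether translation happened and the policy is the remaining suspect.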
