Product introduction and working principle of Huawei Firewall

2025-04-07 update. Source: SLTechnology News&Howtos, Network Security section, shulou.com (06/01 report).

Blog outline

Huawei firewall product introduction

Working principle of the firewall

1. The working mode of the firewall

2. Security zone division of Huawei firewall

3. What are Inbound and Outbound on the firewall?

4. The meaning of state information

5. Related concepts of security policy

Huawei firewall product introduction

The USG2000, USG5000, USG6000 and USG9500 series make up the four main parts of Huawei's firewall range, each aimed at different environments. The USG2000 and USG5000 series are UTM (unified threat management) products, the USG6000 series are next-generation firewalls, and the USG9500 series are high-end firewalls.

The products of each series are introduced as follows:

1. USG2110: a firewall released by Huawei for small and medium-sized enterprises, chain organisations, SOHO offices and similar customers. Its functions include firewall, UTM, VPN (virtual private network), routing and wireless. The USG2110 offers high performance, high reliability and simple configuration at a relatively low price, and supports a variety of VPN networking methods.

2. USG6600: Huawei's firewall for next-generation network environments, suited to large and medium-sized enterprises, data centres and similar networks. It offers precise access control, comprehensive protection coverage, simple security management and high protection throughput, and is used for enterprise network boundary protection, Internet egress protection, cloud data centre boundary protection, VPN remote interconnection and other networking applications.

3. USG9500: this series comprises the USG9520, USG9560 and USG9580 models and targets cloud service providers, large data centres, large enterprise campus networks and the like. Huawei markets it on precise access control, a full NGFW feature set, an "NP + multi-core + distributed" architecture and extensive virtualization, positioning it as a stable and reliable security gateway for large data centre boundary protection, broadcast/TV and second-tier operator network egress protection, education network egress protection and similar scenarios.

4. NGFW: the next-generation firewall, designed for the new network environment. Functionally, an NGFW must not only provide the standard firewall functions that large enterprises need, such as network address translation, stateful inspection and VPN, but also truly integrate IPS (intrusion prevention system) with the firewall rather than bolting it on as a separate module. It also needs strong application awareness and application visibility: application-based policies, logging and statistics, security capabilities deeply integrated with application identification, and the use of external information such as user identity to refine security policies.

The differences between traditional firewalls and NGFWs:

A traditional firewall can only match traffic by time, IP address and port, whereas an NGFW controls and protects traffic along six dimensions: application, user, content, time, threat and location. Of these:

Application-based: uses several techniques to identify more than 6000 application-layer protocols and their sub-functions, including applications carried inside web traffic, enabling precise access control and traffic acceleration. Mobile applications are covered too: for example, the firewall can distinguish voice from text in WeChat traffic and apply different control policies to each.

User-based: access control, QoS management and deep protection per user, with user identity obtained from AD (Active Directory), a directory server or an AAA server.

Location-based: combined with global geolocation information, the firewall intelligently identifies the originating location of traffic, and hence of applications and attacks. It applies differentiated control to access traffic from different regions and supports custom locations defined from IP address information.

In practice an application may use any port, so a traditional firewall cannot reliably identify or control an application from the port number alone. The advance of the NGFW is finer-grained access control; the recommended usage principle is application-based rules plus whitelist (allow-list) control plus least privilege.

The rest of this article describes how the firewall works, using the USG6600 as the reference model.

Working principle of the firewall

1. The working mode of the firewall

Huawei firewalls have three working modes: routing mode, transparent mode and mixed mode.

1. Routing mode: if the interfaces connecting the firewall to the network are configured with IP addresses, the firewall works in routing mode. It is then first a router (Layer 3 forwarding between its interfaces) and provides the firewall functions on top of that. Most deployments use routing mode, with the firewall sitting between the internal network and the external network.

2. Transparent mode: think of the firewall as a switch. If its interfaces have no IP addresses it works in transparent mode (Layer 2 forwarding). This mode is chosen when the firewall has to be inserted into an existing network without changing its IP addressing; using a firewall purely as a switch would otherwise be a waste.

3. Mixed mode: if the firewall has both an interface in routing mode (with an IP address) and an interface in transparent mode (without one), it works in mixed mode, which is essentially a mixture of the two. It is only used in special cases, such as providing hot standby (dual-device redundancy) in transparent mode, and is not recommended in other environments.

2. Security zone division of Huawei firewall

The default zones of a Huawei firewall are:

Trust zone: mainly used to connect the company's internal network. Priority 85, high security level.

Untrust zone: usually connects to an external network. Priority 5, low security level. This zone represents an untrusted network; since the Internet carries so many security risks, the Internet is generally placed in the Untrust zone.

DMZ zone: demilitarized zone, generally used to connect servers that provide services to the outside. Its security level sits between Trust and Untrust, with priority 50 and a medium security level.

Local zone: the firewall itself, with priority 100. Besides forwarding packets between zones, the firewall also needs to receive and send traffic of its own, such as remote management and dynamic routing protocols.

Other zones: user-defined zones, up to 16 by default. A custom zone has no default priority and must be assigned one manually.

(Figure: security zone division of the firewall; image not reproduced.)

There are a few things you need to know about zone configuration:

The priority of a security zone must be unique. An interface can join only one security zone, but a security zone can contain multiple interfaces. By default, a Huawei NGFW rejects traffic between any two zones; to allow specific traffic you must configure a policy. (Huawei's traditional firewalls permitted traffic from a higher-priority zone to a lower-priority zone by default, but the current NGFW forbids all inter-zone traffic by default.)

3. What are Inbound and Outbound on the firewall?

Firewalls handle traffic between zones: when data flows from one security zone to another, the firewall is triggered to check its security policies. Firewall security policies are therefore usually defined between zones (for example between the Untrust zone and the Trust zone), and inter-zone traffic is divided into two directions:

Inbound: the direction in which data moves from a lower-priority security zone to a higher-priority one. For example, traffic from the Untrust zone (priority 5) to the Trust zone (priority 85) is Inbound.

Outbound: the direction in which data moves from a higher-priority security zone to a lower-priority one. For example, traffic from the Trust zone (priority 85) to the Untrust zone (priority 5) is Outbound.

4. The meaning of state information

In firewall technology the two directions are usually treated differently. Because of the firewall's stateful inspection mechanism, only the first packet of a data flow is checked against the policy. Once the security policy permits that first packet, a session entry is created; subsequent packets, including the return packets, that match the session entry are forwarded directly without another policy check, which improves the firewall's forwarding efficiency. For example, when a client in the Trust zone accesses the Internet in the Untrust zone, only a security policy in the Outbound direction from Trust to Untrust is needed; no policy from Untrust to Trust is required for the replies.

The firewall uniquely identifies a data flow by its five-tuple: source IP, destination IP, protocol, source port and destination port. Packets with the same five-tuple are treated as one flow. When a packet is checked against the security policy, it is compared with the rules in order: the first rule whose conditions it matches decides the action (match-stop), and if it matches none, the policy's default action applies.

As mentioned above, the firewall creates a session entry once the first packet of a flow has been permitted. The session entry matches only traffic with the same five-tuple (or its mirror, for return traffic), not other traffic with, say, a different destination IP or port. This gives both efficient forwarding for the established flow and strict policy checking for every new one. Note that session entries are created dynamically and do not live forever: if no packet matches a session for a while, the two endpoints are presumed to have stopped communicating and the entry is no longer needed, so to save system resources it is deleted after a set idle period, called the session aging time. The aging time is usually short and differs by protocol (TCP, UDP and ICMP sessions age at different rates). The author recalls the default session aging time on Cisco firewalls being around 300 s.

5. Related concepts of security policy.

The basic function of a firewall is to protect a particular network from the threats of an untrusted network while still allowing legitimate communication between the two. A security policy verifies the data flows passing through the firewall, and only legitimate traffic that conforms to the policy is allowed through. Different security policies can be applied between different zones to implement different controls.

Huawei has designed an integrated security policy around current network requirements; at the time of writing, the V100R001 version of the USG6000 series uses it. "Integrated" here means two things. First, integrated configuration: security checks such as anti-virus, mail filtering, content filtering and application behaviour filtering are enabled by referencing profiles from within a policy rule. Second, integrated processing: an integrated policy inspects a packet only once, and the different service functions process it in parallel, which improves processing efficiency. Traditional products such as UTM devices instead work serially, re-inspecting the traffic each time it passes through another module.

Huawei's new-generation firewall not only inspects packets against the traditional five-tuple (source IP, destination IP, source port, destination port, protocol) but also performs deep inspection by application, content, time, user, threat and location, giving multi-dimensional inspection and precise access control.

An integrated security policy is made up of multiple rules, and each rule consists of conditions, an action, profiles and options. The profiles perform content-security inspection of the packet: anti-virus, intrusion prevention, URL filtering, file filtering, content filtering, application behaviour control and email filtering. A rule can reference one or more profiles, and profiles can only be referenced when the action is permit.

(Figure: structure of an integrated security policy rule; image not reproduced.)

As the figure shows, a condition contains several elements, and the elements within a condition are combined with AND: a packet must match every element before it is considered to match the rule. Multiple objects within the same element, on the other hand, are combined with OR: the packet matches the element as long as it matches any one of the objects. For example, if the source-address element defines three addresses A, B and C, a packet whose source address is any one of them matches the source-address element; but it must also match the remaining elements of the condition, such as destination address, time range, service and user, before it matches the rule.

Compared with the traditional security policy, the integrated security policy has the following characteristics:

Policy configuration is global rather than per zone pair. Security zones are just optional elements of a rule's conditions, and a rule can list multiple source or destination zones.

All inter-zone traffic is denied by default; the traffic you need must be explicitly permitted by policy.

The security policy's default action replaces the old default packet filtering. A traditional firewall's default packet filtering was configured per zone pair and only took effect between the specified zones, whereas the new-generation firewall's default action applies globally and is deny: all traffic is refused unless a rule permits it.

By default, Huawei's firewall policy behaves as follows:

No two security zones may have the same priority. Packets between interfaces in the same zone are forwarded directly without security-policy filtering. An interface cannot forward packets until it has been added to a zone. USG series firewalls ship with no security policy, so traffic between any two zones must be explicitly permitted by a configured security policy; only traffic within a single zone passes without one.
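To make the mechanics of sections 4 and 5 concrete (first-packet policy lookup, the five-tuple session table with reverse matching for replies, session aging, AND-across-elements / OR-within-an-element rule conditions, profiles only on permit, intra-zone pass-through and a global default deny), here is a small Python model written for this article. It is an added example, not Huawei's code or the USG's real implementation: the zone names and priorities are the defaults given above, while the addresses, users, rule names and the 300 s aging time are constructed for the demo.

```python
# Added example, not Huawei code: a toy model of the stateful, integrated policy
# engine described in sections 4 and 5 above. Zone names, addresses, users and rule
# names are constructed for the demo; the real USG matching and aging logic is richer.
from dataclasses import dataclass, field

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}  # defaults from the text


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    src_zone: str
    dst_zone: str
    user: str = ""


@dataclass
class Rule:
    name: str
    action: str                                    # "permit" or "deny"
    src_zones: set = field(default_factory=set)    # empty element = "any"; zones are optional
    dst_zones: set = field(default_factory=set)
    src_ips: set = field(default_factory=set)
    dst_ips: set = field(default_factory=set)
    services: set = field(default_factory=set)     # objects are (proto, dst_port) tuples
    users: set = field(default_factory=set)
    profiles: set = field(default_factory=set)     # content-security profiles, e.g. {"av", "ips"}

    def matches(self, p):
        # Elements of a condition are ANDed; objects inside one element are ORed.
        def elem(objs, value):
            return not objs or value in objs
        return (elem(self.src_zones, p.src_zone) and elem(self.dst_zones, p.dst_zone)
                and elem(self.src_ips, p.src_ip) and elem(self.dst_ips, p.dst_ip)
                and elem(self.services, (p.proto, p.dst_port)) and elem(self.users, p.user))


def flow_keys(p):
    # Forward five-tuple, plus the mirrored tuple carried by the flow's return packets
    fwd = (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)
    return fwd, (p.dst_ip, p.src_ip, p.proto, p.dst_port, p.src_port)


def direction(p):
    if p.src_zone == p.dst_zone:
        return "intra-zone"
    return "inbound" if ZONE_PRIORITY[p.src_zone] < ZONE_PRIORITY[p.dst_zone] else "outbound"


class Firewall:
    def __init__(self, rules, aging_time=300):
        self.rules = rules                # ordered list: first match wins (match-stop)
        self.aging_time = aging_time      # idle seconds before a session entry is deleted
        self.sessions = {}                # five-tuple -> [rule name, last-seen time]

    def lookup_policy(self, p):
        for r in self.rules:
            if r.matches(p):              # profiles are applied only under a permit action
                return r.name, r.action, (r.profiles if r.action == "permit" else set())
        return "default", "deny", set()   # global default action: deny everything else

    def expire(self, now):
        for k in [k for k, (_, seen) in self.sessions.items() if now - seen > self.aging_time]:
            del self.sessions[k]

    def process(self, p, now):
        """Return (verdict, reason, direction, profiles) for one packet seen at time `now`."""
        self.expire(now)
        d = direction(p)
        if d == "intra-zone":             # same-zone traffic is forwarded without policy checks
            return "permit", "intra-zone", d, set()
        fwd, rev = flow_keys(p)
        for key in (fwd, rev):            # later packets and replies hit the session table
            if key in self.sessions:
                self.sessions[key][1] = now
                return "permit", "session:" + self.sessions[key][0], d, set()
        name, action, profiles = self.lookup_policy(p)   # only a flow's first packet gets here
        if action == "permit":
            self.sessions[fwd] = [name, now]
        return action, "policy:" + name, d, profiles


RULES = [  # constructed demo policy
    Rule("trust_to_internet", "permit", src_zones={"trust"}, dst_zones={"untrust"},
         src_ips={"10.1.1.10", "10.1.1.11", "10.1.1.12"},            # OR within the element
         services={("tcp", 80), ("tcp", 443)}, profiles={"av", "url"}),
    Rule("internet_to_dmz_web", "permit", src_zones={"untrust"}, dst_zones={"dmz"},
         dst_ips={"192.0.2.10"}, services={("tcp", 443)}, profiles={"ips"}),
]


def demo():
    fw = Firewall(RULES, aging_time=300)
    client = Packet("10.1.1.10", "203.0.113.5", "tcp", 40000, 443, "trust", "untrust", "alice")
    reply = Packet("203.0.113.5", "10.1.1.10", "tcp", 443, 40000, "untrust", "trust")
    return {
        "first": fw.process(client, 0),    # policy lookup on the first packet, session created
        "reply": fw.process(reply, 1),     # mirrored tuple hits the session: no untrust->trust rule needed
        "other_src": fw.process(Packet("10.1.1.99", "203.0.113.5", "tcp", 40001, 443, "trust", "untrust"), 2),
        "dmz_ok": fw.process(Packet("198.51.100.7", "192.0.2.10", "tcp", 5000, 443, "untrust", "dmz"), 3),
        "dmz_ssh": fw.process(Packet("198.51.100.7", "192.0.2.10", "tcp", 5001, 22, "untrust", "dmz"), 4),
        "intra": fw.process(Packet("10.1.1.10", "10.1.1.20", "tcp", 40002, 445, "trust", "trust"), 5),
        "aged": fw.process(reply, 1000),   # idle longer than aging_time: session gone, default deny
    }
```

Calling `demo()` walks through the cases the text describes: the client's first packet is permitted by `trust_to_internet` with its AV and URL profiles and creates a session; the server's reply matches the mirrored five-tuple and is forwarded from the session table even though no Untrust-to-Trust rule exists; a source outside the rule's address objects, or a DMZ request to port 22 where only port 443 is listed, fails a single element and falls through to the global default deny; intra-zone traffic passes without a policy check; and once the session has been idle longer than the aging time the same reply is treated as a new flow and denied.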
