Shulou(Shulou.com)06/01 Report--

Record the functional test of a virtual firewall

Record the manufacturer's interpretation of the test report

Purely technical testing, not involving production and application

The public network address has been invalidated

Virtual fire test document of a factory

1. Overview

This time, a manufacturer's deep security gateway VSG-4 (hereinafter referred to as vFW) is deployed in the vsphere platform to test the east-west security protection functions of virtual machines of different vlan and the access of north-south virtual machines to the external network and port mapping. In order to simplify the testing, the traditional deployment idea of hardware protective wall is adopted, and the test is carried out according to the policy control and basic prevention of the core basic functions of the firewall, and does not involve × × and other advanced security functions.

two。 Test idea-east-west protection

1.vFW, as a secure gateway, is deployed in route mode

2. The gateways of different vlan virtual machines point to the physical interfaces of vFW, and the interfaces are configured with gateways instead of VLAN subinterfaces.

3.vFW uses three interfaces, two as gateways for different vlan and one as management interface

4.vFW 's ge0 is the management port, which is configured with 172.31.101.8 Universe 24jie Ge1, 172.31.102.1 Universe 24 ge2, 172.31.103.1 Universe Ge2.

5.vFW configures three security domains corresponding to three different security domains. The security policy based on the security domain is the basic element to test the east-west protection function of vFW.

6. Using four virtual machines, vm1,vm2 address configuration 172.31.102.2-3xxue 24direction vm3people vm4 address configuration 172.31.103.2-3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx The virtual machine hardware configuration for the same operating system is exactly the same.

The following is the test simulation diagram:

3. Test idea-north-south protection

1.vFW configures the public network access interface according to the traditional firewall NAT deployment method, and simulates vm access to the public network through vfW

2. Use the method of source NAT translation to translate addresses many to one, that is, multiple private network addresses correspond to one public network address.

After the 3.vm is allowed by the vFW policy, the traffic is directed to the real firewall, and the access to the public network is controlled by the real firewall policy.

4. Use 172.31.205.31 as the ip address of the public network interface of vFW, and the next hop is 172.31.205.1. The test simulation figure is shown below:

(figure: interface between virtual firewall and real firewall)

5. Create a NAT pool, specify a single address 172.31.205.32 NAT 24, and all vm access to the public network will be translated. At the same time, create a security policy that can access the public network, and specify a default route on the firewall. The next one is 172.31.205.1. The general way to access the Internet is as shown in the following figure:

(figure: North-South access to the external network)

6. Test the port mapping and use the destination NAT mode to realize the port mapping.

4. Function configuration 4.1. Network Management-Interfac

Configure the physical interface, ge0,ge1,ge2, and configure IP 172.31.101.8ax 24172.31.102ax 24172.31.103.1 Universe 24 as the private network interface respectively, and ge3 configure the ip address 172.31.205.31Unigram 24 as the public network interface, as shown in the following figure:

(figure: interface configuration)

Take the ge1 port configuration as an example to illustrate the interface configuration, as shown in the following figure

(figure: Ge1 port configuration)

Configure each security domain, bind the corresponding interfaces, configure security policies based on the security domain, and do not enable mutual access of interfaces within the domain, as shown in the following figure:

(figure: security domain configuration)

4.2. Network Management-static rout

Configure a static default route of 0.0.0.0 0.0.0.0 172.31.205.1 to indicate access to the external network routing path, as shown in the following figure:

(figure: static route)

4.3. Network Management-NAT-NAT Pool

Configure the NAT pool so that the ip address accessing the public network is translated by NAT. This time, the single Nat address is 172.31.205.32, as shown in the following figure:

(figure: NAT address Pool)

4.4. Network Management-NAT- Source NAT

Configure source NAT rules to determine which addresses need to be NAT. The rules are based on address pool. Note that address book and other information configuration can be found later in this document, as shown in the following figure:

(figure: source NAT rule configuration)

4.5. Network Management-NAT- destination NAT

Destination NAT, commonly known as port mapping, translates an ip port of a private network address to a public network ip port to achieve specific external access, as shown in the following figure:

(figure: destination NAT uses port mapping, mapping port 22)

4.6. Network Management-DHCP Server-DHCP Server

Open the DHCP server on the interface ge2, as shown in the following figure:

(figure: DHCP server is enabled via API)

4.7. Network Management-DHCP Server-Server

Configure the address and DNS assigned by the corresponding DHCP server, so that vm3 and vm4 under the ge2 interface can use the dhcp server to obtain the ip address, as shown in the following figure:

(figure: DHCP list configuration)

4.8. Resource Management-address object

The firewall policy uses a five-tuple to determine whether the message meets the policy control, in which the address object is the most basic and important configuration. The address object of this test is shown in the following figure:

(figure: address object)

4.9. Resource Management-Schedul

Configure the schedule working time, which is from 9:00 to 18:00, as shown in the following figure:

(figure: timesheet configuration)

5. East-west strategy testing

The so-called east-west direction refers to the access security control between different vm in the same virtualized platform or cloud environment. The addresses and service applications that use vm for this test are shown in the following table:

Security domain

The serial number name contains the interface address field description

1 trust_zone_mange ge0 172.31.101.0 ram 24 administrator domain where the jumper is located

2 trsut_zone_test1 ge1 172.31.102.0 the security domain in which 24 vm1,vm2 is located

3 trsut_zone_test2 ge2 172.31.103.0 the security domain where 24 vm3,vm4 is located

4 WAN ge3 172.31.205.31ax 24 external domain

Address object

Serial number name content description

1 Netip_vlan102_vm1 172.31.102.2 Netip_vlan102_vm1 32 vm1 (windows) address

2 Netp_vlan102_vm2 172.31.102.3 Netp_vlan102_vm2 32 vm2 (linux) address

3 Netp_vlan103_vm3 172.31.103.2 Netp_vlan103_vm3 32 vm3 (windows) address

4 Netp_vlan103_vm4 172.31.103.3 Netp_vlan103_vm4 32 vm4 (linux) address

5 Netip_vlan101_mange 172.31.101.110Accord 32 administrator jumping machine address

6 NetIP_public_1 172.31.205.32Universe 32 Analog Public Network address

7 NetGP_VLAN102 172.31.102.0ram 24 vm1,vm2 address range

8 NetGP_VLAN103 172.31.103.0 the address range of 24 vm3,vm4

(table: address object)

5.1. Administrator jumpers to access vm1,vm2

Create a new security policy so that the administrator jumper 172.31.101.110 can access vm1,vm2,vm3,vm4, allowing all applications and service protocols.

 strategy

Test destination source interface source address destination interface destination address service application action decision method

Administrator jumper accesses vm1,vm2 trust_mange Netip_vlan101_mange trsut_zone_test1 any any any permit 1) 172.31.101.110 can ping vm1,vm2

2) 172.31.101.110 can log in to vm2 with ssh

(table: East-West Strategy 1)

(figure: East-West Strategy 1)

 test results

① 172.31.101.110 can ping 172.31.102.2172.31.102.3

(figure: test results of east-west strategy 1 1-ping 172.31.102.2)

(figure: test results of east-west strategy 1 1-ping 172.31.102.3)

② 172.31.101.110 can log in to 172.31.102.3 using the ssh client

(figure: test results of east-west strategy 1-2-ssh login 172.31.102.3)

 decision

This strategy has been successfully implemented.

5.2.vm1 uses the ssh client to log in to vm4

Create a new security policy that makes vm1 (172.31.102.2) SSH to vm4 (172.31.103.3), but cannot be accessed using other services.

 strategy

Test destination source interface source address destination interface destination address service application action decision method

Vm1 can only connect to vm4 trsut_zone_test1 Netip_vlan102_vm1 trsut_zone_test2 Netip_vlan103_vm4 ssh any permit by ssh) vm1 can log in to vm4 by ssh

2) vm1 cannot ping vm4

(figure: East-West Strategy 2)

 test results

① Vm1 can log in to vm4 through the ssh client

(figure: 1-ssh login for east-west strategy 2 test results)

② Vm1 cannot ping vm4

(figure: East-West Strategy 2-Test result 2-unable to ping 172.31.103.3)

 decision

This strategy has been successfully implemented.

5.3.Vm3 uses the ftp client to connect to VM2 and transfer files

Vm3 (windows) 172.31.103.2 as a ftp client and vm4 (linux) 172.31.102.3 as a ftp server, test the FTP service and create a new security policy, so that vm3 can connect to VM4 through ftp.

 strategy

Test destination source interface source address destination interface destination address service application action decision method

Vm3 can only ftp to vm1 and transfer files trust_zone_tes2 Netip_vlan103_vm3 trsut_zone_test1 Netip_vlan102_vm1 ftp any permit 1) 172.31.103.2 cannot ping 172.31.102.2

2) 172.31.103.2 you can ftp to 172.31.102.2

3) accept files can be sent normally

(figure: East-West Strategy 3)

 test results

① Vm3 cannot ping vm1

(figure: East-West Strategy 3-Test results 1-ping does not work)

② Vm3 can use the ftp client to connect to vm1

(figure: East-West Strategy-3-Test results 2-FTP login successful)

③ Vm3 can use the ftp client to upload files to vm1

(photo: East-West Strategy Test 3-Test results 3-FTP upload files)

(figure: East-West Strategy Test 3-Test results 3-FTP download file)

 decision

This strategy has been successfully implemented.

5.4. Conclusion

1) the east-west policy between vm is normal.

2) Policy control that supports ftp multichannel protocol

3) support NGFW state detection mechanism, that is, only one-way policy can ensure the two-way access of subsequent messages.

6. North-south strategy test

The north-south policy test means that vm can surf the Internet normally through vFW and can configure basic port mapping at the same time. It has been configured on the physical firewall and docked with vFW successfully.

The vFW public network address is 172.31.205.32 (relatively speaking), and the physical firewall public network address is 58.19.180.65. For the vm that needs to access the public network, such as vm1172.31.102.2, it is first converted to 172.31.205.32 through the source nat of vFW, and then converted to 58.19.180.65 through the physical firewall nat, and then access the public network.

For port mapping, the destination nat is also implemented through two nat.

Source NAT,NAT address pool, destination NAT configuration is shown in the following table:

NAT address pool

Serial number name address pool list description

1 Natpool_test 172.31.205.32 public network address pool, which is used by source NAT translation

2 Natpool_vlan102_vm2_tcp22 172.31.102.3 address to be used for destination NAT translation

Source NAT

Serial number source address destination address service interface translation address description

1 NetGP_VLAN102 any any ge3 Natpool_test 172.31.102.0 Universe 24 segment NAT

2 NetGP_VLAN103 any any ge3 Natpool_test 172.31.103.0Universe 24 segment NAT

Objective NAT

Serial number source address destination address service interface translation post-address translation port description

1 any NetIP_public_1 ssh ge3 Natpool_vlan102_vm2_tcp22 22 translates the public network address 172.31.0.32 to port 22 of 172.31.102.2

6.1. VM1 focus vm2, access to the public network

Create a new security policy so that all vm1,vm2 can access the external network and allow all applications and protocols.

 strategy

Test destination source interface source address destination interface destination address service application action decision method

Vm1,vm2 can access the public network trsut_zone_test1 NetGP_VLAN102 WAN any any any permit 1) vm1,vm2 can ping telecom dns server

2) vm1 can use a browser to access web pages

3) vm2 can be downloaded by yum

(figure: North-South Strategy 1)

 test results

① Vm1 can ping DNS server 202.103.24.68

(figure: North-South Strategy Test 1-Test results 1-vm1 can ping DNS)

② Vm2 can ping DNS server 202.103.24.68

(figure: North-South Strategy Test 1-Test results 2-vm2 can ping DNS)

③ Vm1 can access www.163.com by

(figure: North-South Strategy Test 1-Test results 3-vm1 can access the web page)

④ Vm2 can download software packages using yum

(figure: North-South Strategy Test 1-Test results 4-vm2 can download software packages by yum)

 decision

This strategy has been successfully implemented.

6.2. Source NAT test

Use the tool to check whether the NAT policy accessing the public network has used the source NAT to the private network address of the vm1,vm2, and check whether the connection with the physical firewall is smooth. At the same time, you can query the real public network ip.

 test method

(1) query the physical firewall log software, query whether the source NAT is performed, and convert 172.31.101.2 to 172.31.205.32

(2) Log in to ip138 on vm1 to query whether it is converted to a correct real public network address after multi-channel NAT translation.

 test results

① queries the traffic record of 172.31.0.32 on the physical firewall, indicating that the address of vm1 has been translated.

(figure: North-South Policy Test 2-Test result 1-physical Firewall queries the source NAT of vFW)

② logs in to ip138.com on vm1. Can the public network address of 58.19.180.65 be displayed?

(figure: North-South Policy Test 2-Test results 1-ip138 query to vm1 converted to correct public network address)

 decision

(1) the source NAT of vFW is normal.

(2) the connection between vFW and physical firewall can satisfy the external network access of vm.

6.3. Objective NAT test

After the vFW is docked with the physical firewall, the correct policy is configured to realize the port mapping function and convert the public network-specific interface into the private network-specific interface. This new policy enables ssh port 22 of vm2 (172.31.102.3) to be accessed by the public network 58.19.180.67.

 strategy

Test destination source interface source address destination interface destination address service application action decision method

Port 22 of vm1 can be accessed from port 22 of the public network address, using SSH protocol WAN any trsut_zone_test1 Natpool_vlan102_vm2 ssh any permit 1) Port 22 of 172.31.205.32 can be detected by tcping on specific virtual machines.

2) it can be accessed by 58.19.180.67 (real public network address) using ssh client.

(figure: North-South Strategy 3)

 test results

① can detect the opening of port 22 of 172.31.205.32 using tcping.

(figure: North-South Strategy Test 3-Test results 1-tcping detected port 22 open)

② uses the ssh client to log in to 58.19.180.67 and can log in through port 22

(figure: North-South Strategy 3-Test result 2-Log in to Port 22 of the public network address)

 decision

(1) vFW can achieve the destination NAT and specific port mapping.

(2) after docking with the physical firewall, the purpose of vm NAT can be met.

6.4. Conclusion

(1) vFW in the virtualization platform, the NAT configuration requirements of vm can be realized according to the configuration of traditional firewalls.

(2) after docking with the physical firewall, vFW can achieve north-south vm access policy control.

7.vFW in-depth security function testing

NGFW generally not only has UTM function, but also can achieve in-depth message monitoring, but also many advanced security functions.

The security function is configured according to the firewall policy. This test only tests the deep security function in the case of north-south direction, that is, when vm accesses the public network and port mapping.

7.1. Apply filter-filter qq function

Configure the policy so that the vm2 can access the public network, and at the same time configure the application filtering in the policy to test the security function.

The detailed strategy is no longer described, as before.

 security function

Enable application filtering and filter qq chat programs. The relevant control contents and determination methods are as follows:

Serial number description function configuration decision method

1 Control vm3 can log in to qq but cannot send messages normally

At the same time record audit 1. Application-QQ

two。 Related behavior-send messa

3. Audit behavior-all

4. Keywords-all

5. Action-reject 1.vm3 to log in to qq

2.qq cannot send any messages

(figure: apply filter-filter qq function)

 test results

① Vm3 can log in to qq normally

(figure: application filter Test 1-Test result 1-you can log in to qq normally)

② Vm3 cannot send message, showing send rejection

(figure: application filtering Test 1-Test results 2-qq cannot send messages)

 decision

Filter is applied, and the qq control function takes effect successfully.

7.2. Application filtering-filtering Thunderbolt download

 security function

Turn on application filtering to control Thunderbolt download.

Serial number description function configuration decision method

1 Control vm3 can log in to Thunderbolt, but can not use the download function 1. Application-Thunderbolt

two。 Related behavior-download

3. Audit behavior-all

4. Keywords-all

5. Action-reject 1.vm3 to activate Thunderbolt

two。 Thunderbolt cannot download files.

(figure: application filtering-restrict Thunderbolt download)

 test results

① Vm3 can activate Thunderbolt.

(figure: application filter 2-Test result 1-turn on Thunderbolt normally)

② Thunderbolt cannot be downloaded

(figure: application filter 2-Test results 2-Thunderbolt cannot be downloaded normally)

 decision

With the application of filtering, the lightning control function takes effect successfully.

7.3.url filter-filter NetEase

Configure the security feature, enable url filtering, and add NetEase www.163.com to the filter, so that vm3 cannot access NetEase.

 security function

Url filtering

Serial number description function configuration decision method

1 Control vm3, except www.163.com can not access, all other web pages can access 1.URL classification-NetEase

two。 Action-deny 1.vm3 cannot access www.163.com

2.vm3 can access www.sina.com

(figure: url filtering configuration)

 test results

① Vm3 access to www.163.com is prohibited

(figure: url filtering-Test result 1-filtering www.163.com)

② Vm3 accesses www.baidu.com normally

(figure: url filtering-Test results 2-access to Baidu is normal)

 decision

URL filtering, a specific web page filtering function has been successfully implemented.

7.4. Virus Protection-http

Configure the virus protection security feature, vm3 attempts to log on to a malicious web page, download malicious programs, and test the security feature.

 security function

(figure: virus Protection-http)

In the case that the third security software is not turned on and the system has its own firewall, vm3 visiting malicious websites and downloading malicious software can effectively block it.

 test results

① downloads malicious programs and does not run successfully

(figure: virus protection-http test results-malicious programs cannot be run at will)

 decision

Virus protection function, http protection is effective.

7.5. Virus Protection-FTP

Vm3 as the FTP client, VM1 as the server, upload malicious files to the server to test the FTP protection function.

Copy and paste the following string in notepad:

(slightly)

Save as an eicar.com file.

EICAR files simulate virus files to verify anti-virus functionality. EICAR files are provided by the European Anti-virus Association for testing anti-virus functions, allowing users to test anti-virus functions without using a real virus.

 security function

When ftp protection is enabled, virus files should be blocked by vFW and logged.

 test results

① virus files cannot be uploaded through ftp

(figure: virus protection-FTP- test result 1-virus files cannot be uploaded)

② virus files will be blocked by vFW and log at the same time

(figure: virus protection-FTP- test results-2-virus files are blocked and logged)

 judges that the security function of virus protection ftp is effective.

7.6. Application filtering-filter Wechat information by keywords

 security function

Configure the keyword list, add keywords, and apply policies, as shown in the following figure:

(figure: list of keywords)

 test results

The computer version of Wechat can send general messages, whether or not it contains keywords.

(photo: Wechat keyword filtering)

 decision

The keyword filtering control function does not work.

7.7. Conclusion

VFW can achieve in-depth security protection based on policy.

VFW has the basic deep security features of NGFW.

VFW keyword filtering is not implemented.

8.vFW security protection test

VFW enables all security protection features including:

1. Anti-arp***

2.Protective measures

3. Floodproof protection

Configure all security protection function subitems, and enable ip protection for all interfaces and vm.

Install the analysis software on vm1 (172.31.102.2), use the packet playback function, play back the typical * * packet messages, query the vFW log, and check whether the security function is normal.

8.1. Arpies are available *

 test package playback

(figure: arp*** package playback)

 test results

(figure: arp*** log)

 decision

When the arp function is fully enabled, vFW can handle the relevant *.

8.2. Exception package *

 * package playback

(figure: ip sharding exception package * * playback)

 test results

(figure: exception package * log)

 decision

When the security protection feature is fully enabled, vFW can handle relevant exception packages * *.

8.3. Scan *

 * package playback

(figure: scan probe * * packet playback)

 test results

(figure: scan * log)

 decision

VFW did not recognize the corresponding scan * * and classify it.

8.4. Floodwaters *

 * package playback

(figure: flood*** package playback)

 test results

(figure: flood*** log)

 decision

VFW does not recognize the corresponding flood*** and classifies it.

8.5. IPSs benchmark *

 * package playback

(figure: ips*** package playback)



 test results

(IPS Security Log)

 decision

VFW recognizes the corresponding ips*** and classifies it

8.6. Conclusion

After upgrading the virus database and ips feature library, vFW can protect against ips.

VFW can have a certain security protection capability, and can make effective control against the underlying *.

VFW cannot specifically identify * * types and features, and most of them are identified as exception packages * *.

9. Other functional tests 9.1. Service quality management

You can ping the gateway of the egress network to determine the stability of the egress network, as shown in the following figure:

(figure: service quality Management)

9.2. Traffic management

Test the bandwidth and flow control management functions of the corresponding interface of vFW and a single ip.

 function configuration

Line settings, ge3 API public network access speed limit, uplink and downstream are all limited to 1Mb/s, as shown in the following figure:

(figure: line Settings)

After completing the line setup, vFW automatically generates a flow control policy, as shown in the following figure:

(figure: flow Control Policy)

VFW can finely control the bandwidth of each ip, and configure each ip as 200kb/S, as shown below:

(figure: each ip controls traffic)

 test method

Vm1 accesses the public network, starts the download, and checks the download rate

View real-time rates on vFW.

 test results

① Vm1 average download rate, 11.7KB/S, converted to bandwidth nearly 200kb/s

(figure: traffic Management Test-average download)

View real-time rate on ② vFW

(figure: traffic monitoring-implementation rate is less than 200kb/s)

 judgment

VFW can limit bandwidth on a per-ip basis.

9.3. Session monitoring

VFW can monitor all sessions that are currently connected, as shown in the following figure:

(figure: session monitoring function)

9.4.Tcp Syn

VFW has the TCP SYN feature to probe the tcp protocol port of the specified host, as shown below:

(figure: tcp syn function)

9.5. Bag grab tool

In addition to general packet capture, vFW also supports the capture of application-specific packages.

The test crawls all the messages of the qq application of 172.31.102.2, as follows:

(figure: grabbing QQ application messages)

Packets crawled by vFW can be analyzed by playback.

(photo: grab bag playback)

10. Conclusion

In view of the fact that this test is in the vsphere platform, limited by virtualized network, the multi-link load balancing and application caching functions of vFW cannot be tested, the wireless security interface cannot be tested, and most of the features in resource management, such as ip-mac binding, Weixin authentication, advertising push, etc., have not been tested.

This test is based on the standard function of NGFW and in-depth security protection testing, testing the weakness that the general FW can not deeply identify applications and audit Internet behavior management and control. At the same time, this test also focuses on the use of novel virtualization deployment methods for testing, which actually proves the feasibility of vFW and its ability to connect to the physical firewall normally. However, due to the constraints of the virtualized network deployed by vsphere, it is not possible to test other virtualization platforms such as vxlan functions and vmware NSX deployment methods.

After testing, the conclusions are as follows:

1.vFW has NGFW function.

2.vFW can be virtualized deployed in vsphere distribution machines and can be interfaced with physical firewalls

3.vFW implements east-west and north-south protection in virtualized or cloud computing environment.

= manufacturer answers questions =

Instructions related to Vfw testing

1. Apply filtering to filter Wechat information by keywords.

Original test results:

Keyword filtering control function does not work

Description:

Wechat encryption uses its own encryption method, not simply using https. Wechat decryption is not currently supported.

2, scan * *

Original test results:

Vfw did not recognize the corresponding scan * * and classify it.

Description:

The packet playback tool is used in the test. The destination ip of the packet is 192.168.10.103 and the destination mac is 00.23.54.cb.ab.0d. The interface ip and mac of vfw in the test are different from those in the packet, so they no longer belong to the scanning of the interface.

Test recommendations:

Scanning * * is divided into port scan and IP scan. Commonly used * * software can use x-scan and IP scanner. Both of these softwares are stupid and can be easily used.

Vfw configuration:

X-scan: after configuring the ip range, click OK, and then click start on the toolbar.

Port scan test results

Ip scanner: after configuring the ip range, start scanning directly. Note that the ip range needs to be set a little larger.

Ip scan test results

3The floodstones *

Original test results:

Vfw does not recognize the corresponding flood*** and classifies it.

Description:

The packet playback tool is used in the test. The destination ip of the packet is 192.168.10.103 and the destination mac is 00.23.54.cb.ab.0d. When testing, the tester should not modify the ip and mac of the corresponding interface of vfw, which can not be recognized.

Test recommendations:

Vfw configuration:

You can use IPOP software to simulate sending flood***.

Ipop: note that the addresses of the destination ip and destination mac should be the same as the corresponding vfw interfaces.

Flood test results

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.