
Packet forwarding process in NGFW

2025-03-31 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

Stateful inspection firewall packet processing flow

The flow has three stages:

- Before the session table query: basic processing
- Session table query: forwarding processing, where the key step is session establishment
- After the session table query: security service processing and packet sending

Before looking at the forwarding process, packets need to be classified:

- Protocol packets: packets of the protocols that keep the firewall itself running in the network, or that serve functions such as hot standby, for example OSPF, HRP and ICMP.
- Pass-through packets: packets that users send through the firewall to access the Internet, usually called service packets. They may be layer 2 or layer 3 packets; TCP and UDP are the most common. (There is no essential difference between the forwarding of layer 2 and layer 3 packets. The main difference is in the routing stage: layer 2 packets are forwarded by MAC address, layer 3 packets by the routing table.)

The classification matters because the firewall processes these two kinds of packets differently.

Protocol packets are handled specially and the general rules do not apply. Take OSPF as an example: when the network type is Broadcast, the DD packet is unicast and must be checked against the firewall's security policy; when the network type is P2P, the DD packet is multicast, is not checked against the security policy and is forwarded directly. Each protocol is handled somewhat differently.

Service packets such as TCP and UDP need a session. Once the firewall decides that a packet is one that should create a session, it immediately looks up the session table to see whether a session for this packet already exists:

- A packet that matches no entry in the session table is judged to be the first packet of a flow and enters the first-packet processing flow.
- A packet that matches an entry in the session table is judged to be a subsequent packet of that flow and enters the subsequent-packet processing flow.

Basic processing before querying the session table

The main purpose of this stage is to parse the frame header and IP header of the packet and perform some basic security checks based on the header information.

When a packet is received, the firewall first checks whether MAC address filtering is configured.

Why MAC address filtering first and frame header parsing afterwards? MAC address filtering only reads the MAC addresses and filters on them; the frame header parsing that follows parses the entire frame header. (Own note: swapping the two steps would only increase the processing load on the device.)

Processing then differs depending on whether the interface that received the packet is a layer 2 or a layer 3 interface:

For a packet received on a layer 3 interface, NGFW needs to look up the routing table by the destination address in the packet to determine the outbound interface. Such a packet therefore enters subsequent processing after its header information has been parsed and stripped. (The frame header is stripped and the IP packet parsed in order to obtain the destination IP for the later routing table lookup.)

For a packet received on a layer 2 interface, NGFW needs to determine whether the frame must be forwarded across VLANs. For a packet staying within its VLAN, NGFW looks up the MAC address forwarding table by the destination MAC address to determine the outbound interface. For a packet that must be forwarded across VLANs, NGFW obtains its VLAN ID and finds the corresponding sub-interface or VLAN-IF interface. Sub-interfaces and VLAN-IF interfaces are virtual layer 3 interfaces, so at this point the packet is treated as if it had arrived on a layer 3 interface, and NGFW looks up the routing table by the destination address to determine the outbound interface.

After the required information has been extracted, both kinds of packet have their frame header stripped and enter subsequent processing.

The main features applied at this stage are:

- MAC address filtering: filters packets according to the source MAC and destination MAC in the frame header.
- VLAN: a technology that lets users control the flooding of Ethernet frames within the local area network.
- IP/MAC address binding: prevents IP address spoofing and ARP-based attacks. The administrator configures the correspondence between IP and MAC addresses; this feature judges whether a packet is legitimate from the IP and MAC information it carries and filters it accordingly.
- Interface bandwidth threshold: the administrator can configure a bandwidth threshold for received packets on an interface. If the current traffic bandwidth exceeds the threshold, the inbound interface discards the excess packets.
- Single-packet attack defense: according to the single-packet defense types the administrator has enabled, NGFW checks the validity and safety of the packet, determines whether it is an attack packet, and filters it.
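The pre-session stage described above (MAC filtering on the raw frame, then frame-header parsing, then the layer 2 / layer 3 decision) as an added, self-contained example. This is illustrative code written for this page, not the NGFW implementation; the frames, MAC deny list, interface descriptions and the rule that a frame is "cross-VLAN" when it is addressed to the MAC of the VLAN-IF serving its VLAN are all constructed assumptions.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed MAC deny list (assumption: filtering drops frames whose source or
# destination MAC is listed). Not taken from the article.
MAC_DENY = {"00:11:22:33:44:55"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_filter_passes(frame: bytes) -> bool:
    """Step 1: MAC filtering reads only the first 12 bytes (dst MAC, src MAC).
    Nothing else is parsed yet, which is why it runs before full header parsing."""
    dst, src = fmt_mac(frame[0:6]), fmt_mac(frame[6:12])
    return dst not in MAC_DENY and src not in MAC_DENY


@dataclass
class Parsed:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None for an untagged frame
    proto: int               # IP protocol number
    src_ip: str
    dst_ip: str


def parse_frame(frame: bytes) -> Parsed:
    """Step 2: parse the Ethernet header (with optional 802.1Q tag) and the IPv4
    header; the destination IP is what the later routing lookup needs."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = fmt_mac(frame[0:6]), fmt_mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[offset:]                      # frame header stripped from here on
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    return Parsed(dst_mac, src_mac, vlan_id, ip[9],
                  str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20])))


def preprocess(frame: bytes, iface: dict) -> Tuple[str, str]:
    """Return the next lookup: ('route', dst_ip), ('mac-table', key) or ('drop', why).
    Layer 3 interface -> routing table; layer 2 interface -> MAC table for frames
    staying in their VLAN, routing table for frames handed to a VLAN-IF."""
    if not mac_filter_passes(frame):
        return ("drop", "mac-filter")
    p = parse_frame(frame)
    if iface["type"] == "l3":
        return ("route", p.dst_ip)
    vid = p.vlan_id if p.vlan_id is not None else iface["pvid"]   # untagged -> native VLAN
    vlanif = iface["vlanifs"].get(vid)
    if vlanif is not None and p.dst_mac == vlanif["mac"]:          # assumed cross-VLAN rule
        return ("route", p.dst_ip)
    return ("mac-table", f"vlan{vid}:{p.dst_mac}")


def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto=6, vlan=None) -> bytes:
    """Constructed test frame: Ethernet (+ optional 802.1Q) + minimal 20-byte IPv4 header."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV4)
    else:
        hdr += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return hdr + ip


# Constructed interface descriptions (assumptions).
L3_IF = {"type": "l3"}
L2_IF = {"type": "l2", "pvid": 10, "vlanifs": {20: {"mac": "00:aa:bb:cc:dd:20"}}}

if __name__ == "__main__":
    f = build_frame("00:aa:bb:cc:dd:20", "00:00:5e:00:53:01", "192.0.2.10", "198.51.100.5", vlan=20)
    print(preprocess(f, L2_IF))   # frame addressed to the VLAN-IF: routed like layer 3
```

The order of checks mirrors the article's point: `mac_filter_passes` touches only the two MAC fields, and the full parse in `parse_frame` only runs for frames that survive it.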

Query the session table and apply different security mechanisms to the packet depending on the result.

This stage is the core of NGFW processing; the main security functions are implemented here. The question is whether NGFW has a session table entry that matches the packet.

No matching session table entry (some special packets are forwarded directly without creating a session, for example ICMP packets other than ping echo request and echo reply):

The packet is treated as the first packet of a flow and enters the first-packet processing flow.

No session:

The stateful inspection mechanism checks whether the packet is a normal first packet that is allowed to establish a session.

(This step looks at whether stateful inspection is enabled on the firewall; NGFW enables it by default. When traffic whose forward and return paths differ must pass through NGFW, the stateful inspection mechanism needs to be disabled.)

First-packet processing flow

1. Match the blacklist. If the packet's source address hits the blacklist, the packet is discarded.

2. Query the Server-map table. If there is a hit, record the information from the Server-map entry (no translation is performed at this point, but the routing query below uses the translated address recorded from the Server-map table). This checks whether the packet has a corresponding server mapping, that is, destination NAT. The destination address being accessed must be translated before the routing table is checked, which is why the server-mapping step comes before the routing lookup.

3. Check the online user list.

When a user goes online, an entry in the online user list is generated; no session is generated until the user sends traffic. When traffic arrives, the timeout of the online user entry is refreshed, and the forwarding process continues on to generate the session table entry.

(1) Before accessing network resources, users must be authenticated by NGFW so that it can identify which IP address the user is currently using.

(2) For authenticated users, NGFW also checks the user's attributes (user status, account expiry time, IP/MAC address binding, and whether several people may log in with the account at the same time). Only a user who passes both authentication and the attribute check can go online; such a user is called an online user.

(3) The online user list on NGFW records the correspondence between a user and the address the user currently uses, so that a policy applied to the user is in effect a policy applied to the user's IP address. After the user goes online, if the user does not initiate service traffic within the timeout period (30 minutes by default), the online user entry for that user is deleted, and the user must re-authenticate the next time service access is initiated.

4. Query the route. Using the address recorded in the Server-map step, look up which route the packet hits: policy routing is queried first; if policy routing misses, the routing table is queried, and the next hop and outbound interface are determined.

5. Query the security policy. The inbound interface is known from the packet and the outbound interface from the routing step; from the two interfaces the source and destination zones are determined and the security policy is looked up.

6. Query the source NAT policy. If there is a match, the translated source IP address and port are recorded.

7. Create a session according to the results recorded above.
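The session table lookup and the first-packet pipeline just described (blacklist, Server-map destination NAT before routing, online user check, policy route before routing table, zone-based security policy, source NAT, session creation) as an added worked example. This is illustrative code written for this page, not NGFW's own implementation; the zones, interfaces, addresses, policies and packets are constructed assumptions, the "not-online" outcome stands in for the authentication redirect a real device would perform, and ICMP types are carried in the `sport` field as a simplification.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for icmp: the ICMP type (simplification)
    dst: str
    dport: int
    in_if: str      # inbound interface


# --- Constructed configuration (assumed topology, not from the article) ---
ZONES = {"GE0/0/0": "untrust", "GE0/0/1": "trust", "GE0/0/2": "dmz", "GE0/0/3": "untrust"}
BLACKLIST = {"203.0.113.66"}
SERVER_MAP = {("198.51.100.10", 80): ("10.0.0.10", 8080)}   # public (dst, port) -> internal, i.e. destination NAT
AUTH_ZONES = {"trust"}                                       # zones whose users must be online first
ONLINE_USERS = {"10.0.1.5": "alice", "10.0.5.7": "bob"}      # address -> authenticated user
POLICY_ROUTES = [(ip_network("10.0.5.0/24"), "GE0/0/3")]     # matched on source, consulted before ROUTES
ROUTES = [(ip_network("10.0.0.0/24"), "GE0/0/2"),
          (ip_network("10.0.0.0/8"), "GE0/0/1"),
          (ip_network("0.0.0.0/0"), "GE0/0/0")]
SECURITY_POLICY = [  # (src_zone, dst_zone, proto, dport, action); first match wins, default deny
    ("untrust", "dmz", "tcp", 8080, "permit"),
    ("trust", "untrust", "any", None, "permit"),
]
SOURCE_NAT = {("trust", "untrust"): "198.51.100.1"}         # zone pair -> translated source address

SESSIONS: Dict[Tuple, dict] = {}   # 5-tuple -> session; each session is stored under both directions


def route_lookup(src: str, dst: str) -> Tuple:
    """Policy route (by source) first, then longest-prefix match in the routing table."""
    s, d = ip_address(src), ip_address(dst)
    for net, out_if in POLICY_ROUTES:
        if s in net:
            return out_if, "policy-route"
    best = None
    for net, out_if in ROUTES:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return (best[1], "routing-table") if best else (None, "no-route")


def security_policy(src_zone: str, dst_zone: str, proto: str, dport: int) -> str:
    for sz, dz, p, dp, action in SECURITY_POLICY:
        if (sz, dz) == (src_zone, dst_zone) and p in ("any", proto) and dp in (None, dport):
            return action
    return "deny"


def lookup_session(pkt: Pkt):
    return SESSIONS.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


def process_first_packet(pkt: Pkt) -> Tuple[str, List[str]]:
    """The first-packet flow; returns the action and a trace of the steps taken."""
    trace: List[str] = []
    if pkt.src in BLACKLIST:                                    # 1. blacklist
        return "drop", ["blacklist"]
    dst, dport = SERVER_MAP.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))   # 2. Server-map (recorded, used by routing)
    if (dst, dport) != (pkt.dst, pkt.dport):
        trace.append("server-map-hit")
    src_zone = ZONES[pkt.in_if]
    if src_zone in AUTH_ZONES and pkt.src not in ONLINE_USERS:  # 3. online user list
        return "drop", trace + ["not-online"]
    out_if, how = route_lookup(pkt.src, dst)                    # 4. route on the translated destination
    if out_if is None:
        return "drop", trace + ["no-route"]
    trace.append(how)
    dst_zone = ZONES[out_if]                                    # 5. zones from in/out interfaces -> policy
    if security_policy(src_zone, dst_zone, pkt.proto, dport) != "permit":
        return "drop", trace + [f"policy-deny:{src_zone}->{dst_zone}"]
    trace.append("policy-permit")
    nat_src = SOURCE_NAT.get((src_zone, dst_zone), pkt.src)     # 6. source NAT recorded
    sess = {"out_if": out_if, "nat_src": nat_src, "nat_dst": (dst, dport), "hits": 1}
    SESSIONS[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = sess      # 7. create session
    SESSIONS[(pkt.proto, dst, dport, nat_src, pkt.sport)] = sess              # reply direction, post-NAT
    return "forward", trace + ["session-created"]


def forward(pkt: Pkt) -> Tuple[str, List[str]]:
    """Top-level dispatch: direct-forward special ICMP, session hit, or first-packet flow."""
    if pkt.proto == "icmp" and pkt.sport not in (0, 8):         # only echo request/reply create sessions
        return "forward", ["icmp-no-session"]
    sess = lookup_session(pkt)
    if sess is not None:
        sess["hits"] += 1
        return "forward", ["session-hit"]
    return process_first_packet(pkt)


if __name__ == "__main__":
    print(forward(Pkt("tcp", "10.0.1.5", 40000, "8.8.8.8", 443, "GE0/0/1")))
    print(forward(Pkt("tcp", "8.8.8.8", 443, "198.51.100.1", 40000, "GE0/0/0")))   # reply hits the session
```

Two details worth noticing: the routing lookup in `process_first_packet` is given the Server-map-translated destination, not the original one, which is the ordering the article explains; and the session is indexed under the post-NAT reply tuple as well, so the return traffic takes the fast path and never re-enters the policy checks.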

Subsequent-packet processing flow
