
Brief introduction and working principle of Huawei Firewall

2025-04-05 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

Firewalls are security devices deployed in all kinds of network environments, where their job is to isolate one network from another. Huawei, a well-known network equipment vendor, released its first firewall card in 2001 and has since launched successive generations of firewalls and security products in step with network development and technical requirements. This post introduces Huawei's firewall product lines and explains how the firewall works.

Blog outline:

I. Brief introduction of Huawei firewall products

1. USG2110

2. USG6600

3. USG9500

4. NGFW

II. Working principle of the firewall

1. Working modes of the firewall

(1) Routing mode

(2) Transparent mode

(3) Mixed mode

2. Security zone division of Huawei firewall

3. Firewall Inbound and Outbound

4. Stateful information

5. Security policy

I. Brief introduction of Huawei firewall products

Huawei's firewall portfolio is made up of four main families, USG2000, USG5000, USG6000 and USG9500, each aimed at different network requirements. The USG2000 and USG5000 series are UTM (unified threat management) products, the USG6000 series are next-generation firewalls, and the USG9500 series are high-end firewalls. The following sections look at the differences between the series.

1. USG2110

The USG2110 series is Huawei's firewall for small and medium-sized enterprises and chain organizations. It integrates firewall, UTM, VPN, routing and wireless functions; it offers high performance, high reliability and easy configuration at a relatively low price; and it supports a variety of VPN topologies, giving users a secure, flexible and convenient integrated networking solution. As shown in the figure.

2. USG6600

The USG6600 series is Huawei's firewall for next-generation network environments, aimed at large and medium-sized enterprises, data centers and similar networks. Its characteristics are precise access control, comprehensive protection coverage, simple security management and high protection performance. Typical deployments include enterprise intranet boundary protection, Internet egress protection, cloud data center boundary protection and VPN site-to-site interconnection. As shown in the figure.

3. USG9500

The USG9500 series comprises the USG9520, USG9560 and USG9580 and is aimed at cloud service providers, large data centers, large enterprise campus networks and the like. It offers the most precise access control, the most practical NGFW features, the most advanced "NP + multi-core + distributed" architecture and the richest virtualization in the range, and is positioned as Huawei's most stable and reliable security gateway. Typical deployments include boundary protection for large data centers, egress protection for broadcast/cable TV operators and second-tier carriers, and egress protection for education networks. As shown in the figure.

4. NGFW

The NGFW, or next-generation firewall, is better suited to the modern network environment. Functionally, an NGFW must not only provide the features of a standard firewall, such as NAT, stateful inspection and VPN at a scale suitable for large enterprises, but also truly integrate IPS with the firewall rather than bolting it on as a separate module. In addition, an NGFW needs strong application awareness and application visibility, built on the deep integration of application policies, log statistics, security capabilities and application identification, and it should draw on external information, such as user identity, to refine security policy.

A traditional firewall can only distinguish traffic by time, IP address and port. An NGFW manages, controls and protects traffic on six dimensions: application, user, content, time, threat and location.

In more detail:

Application-based: multiple techniques identify more than 6000 application protocols and their sub-functions, including functions inside Web applications, enabling precise access control and business acceleration. This extends to mobile applications; for example, the firewall can tell voice from text inside WeChat traffic and apply a different control policy to each.

User-based: with the help of AD (Active Directory), another directory service or an AAA server, access control, QoS management and deep protection are applied per user.

Location-based: combined with global location data, the firewall identifies where traffic originates, and thus where applications and attacks originate. Access traffic from different regions can be controlled differently, and locations can be customized from IP address information.

In practice an application may use any port, so a traditional firewall, which identifies applications by port alone, cannot reliably identify or control them. The advance of the NGFW is finer-grained access control, and its best-practice principle is "application-based + whitelist control + minimum authorization".

At present Huawei's NGFW products are mainly the USG6000 series, ranging from low-end fixed-configuration models to high-end modular models. The application identification capability of Huawei's next-generation firewall is 20% ahead of comparable products and 3 to 5 times that of domestic brands.

II. Working principle of the firewall

1. Working modes of the firewall

A Huawei firewall has three working modes: routing mode, transparent mode and mixed mode.

(1) Routing mode

If the interfaces through which the firewall connects to the network are configured with IP addresses, the firewall is working in routing mode. When it sits between the internal and external networks, the interfaces facing the internal network, the external network and the DMZ must be assigned IP addresses in different subnets, so the existing network topology has to be re-planned. In this mode the firewall is first a router and then provides its other firewall functions. Because routing mode requires changing the network topology, deploying it is more work.

(2) Transparent mode

If the firewall connects to the outside at layer 2 (its interfaces have no IP addresses), it is working in transparent mode. It is simply inserted into the network like a switch, and its biggest advantage is that no existing IP configuration has to be modified; the firewall behaves like a switch, and the internal and external networks must be in the same subnet. In this mode packets are not only switched at layer 2 inside the firewall but are also inspected and processed at higher layers.

(3) Mixed mode

If the firewall has some interfaces working in routing mode (with IP addresses) and some in transparent mode (without IP addresses), it is working in mixed mode. This is essentially a combination of transparent and routing mode. At present it is used only in the special case of providing hot standby between two firewalls in transparent mode, and it is not recommended in other environments.

2. Security zone division of Huawei firewall

A security zone, or zone for short, is how the firewall distinguishes secure networks from insecure ones. On a Huawei firewall a security zone is a collection of one or more interfaces; this is the main feature that distinguishes a firewall from a router. The firewall partitions the network into security zones and controls packet forwarding between them: when a packet crosses from one security zone to another, a security policy check is triggered.

When an interface is assigned to a security zone, the interface and the network behind it are treated as part of that zone, and a zone can contain one or more network segments. Zones are defined by how trusted or how protected a network is. Once interfaces are placed in their zones, the firewall associates each zone with its networks through those interfaces, so when we talk about the traffic of a security zone we mean the traffic of the interfaces that belong to it and of the networks behind them.

A Huawei firewall has four zones by default: Trust, Untrust, DMZ and Local. Each zone has a different trust priority, and the firewall derives the protection level of each zone from that priority.

Each security zone on a Huawei firewall has a unique security level, an integer from 1 to 100; the higher the number, the more trusted the network in that zone. The default zones have fixed levels: Local is 100, Trust is 85, DMZ is 50 and Untrust is 5.

Users can create additional security zones to suit their own situation and assign each a priority. When assigning priorities, keep the ordering of security levels in mind. For example, if a custom network is less secure than the existing DMZ but more secure than the Internet, its priority should lie between 5 and 50 (and, since levels must be unique, strictly between them).

Common zones of a Huawei firewall:

Trust zone: mainly used to connect the company's internal network; priority 85, high security level.

DMZ zone: the demilitarized zone, a concept borrowed from the buffer between a strictly controlled military zone and a public area. On a firewall it is usually defined as the network that needs to provide services to the outside. Its security sits between the Trust and Untrust zones; priority 50, medium security level.

Untrust zone: usually defines the external network; priority 5, very low security level. The Untrust zone represents an untrusted network; since the Internet carries many threats, insecure networks such as the Internet are generally placed in the Untrust zone.

Local zone: usually defines the firewall itself; priority 100. Besides forwarding packets between zones, the firewall also has to send and receive traffic of its own, for example for network management or dynamic routing protocols. Packets originated by the firewall are treated as leaving the Local zone, and packets that the firewall must answer or process itself (rather than forward) are treated as arriving in the Local zone. No interfaces are added to the Local zone; every interface implicitly belongs to it. When an interface is placed in some other zone, that only means the packets sent or received on that interface belong to that zone; the interface itself does not.

Other zones: user-defined zones, up to 16 by default. They have no default priority, so one must be assigned manually.

Note:

On a Huawei firewall an interface can be added to only one security zone. By default a traditional Huawei firewall permits traffic from a higher-priority zone to a lower-priority zone, but Huawei's latest NGFW denies all traffic by default; to release specific traffic the administrator must configure a policy.

3. Firewall Inbound and Outbound

A firewall handles traffic between zones; even traffic originated by the firewall itself is traffic between the Local zone and another zone. When a data flow crosses from one security zone to another, the Huawei firewall triggers a security policy check. In other words, the security policy of a Huawei firewall is normally inter-zone, and different policies can be configured between different pairs of zones.

Inter-zone data flows have two directions:

Inbound: data moving from a lower-level security zone to a higher-level one.

Outbound: data moving from a higher-level security zone to a lower-level one.

In firewall technology the two directions are usually treated differently, and because of the firewall's stateful inspection mechanism, usually only the first packet of a data flow is processed by policy.

As shown in the figure: the intranet PCs belong to the Trust zone and the hosts on the Internet to the Untrust zone. When an intranet PC accesses a host on the Internet, this is normal business traffic. The request packet is Outbound traffic and is the first packet of the flow, so the firewall processes it against the Outbound policy; when the response comes back it is Inbound traffic, and the firewall forwards it directly by looking up the state information. When a host in the Untrust zone accesses an intranet PC, on the other hand, the access may be an illegal act from outside and the risk is high. The request packet is Inbound traffic and the first packet of the flow, so the firewall processes it against the Inbound security policy; the response is Outbound traffic and is released by looking up the state information.

The first packet of an Inbound flow therefore carries far more risk than the first packet of an Outbound flow. When writing firewall policy, concentrate on a strict Inbound inter-zone policy and a relatively relaxed Outbound inter-zone policy.

4. Stateful information

Stateful inspection and the session mechanism have become basic functions of firewall products and the foundation of firewall protection.

The firewall processes a data flow by checking the security policy for the first packet in the direction in which the access was initiated. If forwarding is allowed, it creates a piece of state information, the session table entry. Subsequent packets and return packets that match the session entry are forwarded directly without a policy check, which improves forwarding efficiency; this is the defining feature of a stateful firewall.

The firewall identifies a data flow by the 5-tuple: source IP, destination IP, protocol, source port and destination port. Packets with the same 5-tuple are treated as one data flow. For a given flow the firewall checks the security policy only once, for the first packet, and then creates a session entry that matches the subsequent packets and return packets of that flow. The session entry does not match any other traffic, so the stateful mechanism guarantees efficient forwarding of the packets of one session while all other traffic still has to pass the security policy check. At least one packet of every data flow must therefore match the security policy, and illegal traffic is discarded when the policy is enforced.

A stateful inspection firewall uses connection state to treat all packets exchanged by the two communicating parties within the same connection as one data flow. From the firewall's point of view the packets of a flow are no longer isolated individuals but are related: once a session has been created for the first packet of the flow, later packets of that flow are forwarded directly according to the session, which improves efficiency.

A session is the concrete representation on the firewall of a connection between two communicating parties; it records the connection state, and one session corresponds to one connection. All the sessions on the firewall together form the session table. On a Huawei firewall, execute the following command to view the current session table:

Focus on the key fields of the table:

http: the protocol; 1.1.1.1: the source address; 2049: the source port; 2.2.2.2: the destination address; 80: the destination port. The "-->" arrow separates source from destination, with the source before the arrow and the destination after it.

Note: a session is generated dynamically during communication and is not permanent. If no packet matches it for a long time, the two parties have disconnected and the session is no longer needed, so to save resources the firewall deletes it after a set period. That period is called the session aging time.
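The behaviour described in sections 3 and 4 (zone priorities, Inbound/Outbound direction, the policy check on the first packet only, a session table keyed by the 5-tuple, and session aging) as a small Python model. This is an added example written for this post, not code from the original article or from Huawei. The zone names and priorities are the article's; the interface names, the policy table, the sample packets, the aging time and all class and function names are assumptions made for illustration.

```python
"""Toy model of stateful inspection as described in the post (added example).
Zone priorities follow the article; everything else is assumed for illustration."""
from dataclasses import dataclass

ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Interface -> zone (hypothetical interface names). An interface belongs to
# exactly one zone; Local owns no interface but all firewall-originated traffic.
INTERFACE_ZONE = {"GE1/0/1": "trust", "GE1/0/2": "dmz", "GE1/0/3": "untrust"}

# Inter-zone policy consulted ONLY for the first packet of a flow.
# (source zone, destination zone) -> action; anything absent is denied (NGFW default).
POLICY = {("trust", "untrust"): "permit", ("untrust", "dmz"): "permit"}


def direction(src_zone, dst_zone):
    """Inbound = low -> high priority, Outbound = high -> low (section 3)."""
    if src_zone == dst_zone:
        return "intra-zone"
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    in_if: str   # interface the packet arrived on
    out_if: str  # interface chosen by the routing lookup
    ts: float    # arrival time in seconds, used for aging


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    last_seen: float
    packets: int = 1


class StatefulFirewall:
    def __init__(self, aging_time=30.0):
        self.aging_time = aging_time
        self.sessions = {}  # forward 5-tuple -> Session
        self.log = []       # what happened to each packet, for inspection

    @staticmethod
    def key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def reverse_key(p):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def age_out(self, now):
        """Delete sessions that matched no packet within the aging time."""
        expired = [k for k, s in self.sessions.items() if now - s.last_seen > self.aging_time]
        for k in expired:
            del self.sessions[k]
        return len(expired)

    def process(self, p):
        self.age_out(p.ts)
        # Subsequent or return packets of a known flow hit the session table and
        # skip the policy lookup entirely, whichever direction they travel.
        for k in (self.key(p), self.reverse_key(p)):
            s = self.sessions.get(k)
            if s is not None:
                s.last_seen, s.packets = p.ts, s.packets + 1
                self.log.append(("session-hit", k))
                return "forward"
        # First packet of a flow: classify zones and direction, then check policy.
        src_zone, dst_zone = INTERFACE_ZONE[p.in_if], INTERFACE_ZONE[p.out_if]
        action = POLICY.get((src_zone, dst_zone), "deny")
        self.log.append(("policy", src_zone, dst_zone, direction(src_zone, dst_zone), action))
        if action != "permit":
            return "drop"
        self.sessions[self.key(p)] = Session(src_zone, dst_zone, p.ts)
        return "forward"


def demo():
    """Constructed sample traffic (documentation and private address ranges)."""
    fw = StatefulFirewall(aging_time=30.0)
    syn = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "GE1/0/1", "GE1/0/3", 0.0)
    syn_ack = Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "GE1/0/3", "GE1/0/1", 0.1)
    unsolicited = Packet("tcp", "203.0.113.10", 5555, "10.0.0.5", 22, "GE1/0/3", "GE1/0/1", 0.2)
    late = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "GE1/0/1", "GE1/0/3", 60.0)
    results = [fw.process(syn), fw.process(syn_ack), fw.process(unsolicited)]
    sessions_before_aging = len(fw.sessions)
    results.append(fw.process(late))  # idle longer than aging_time: policy re-evaluated
    return results, sessions_before_aging, fw.log


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the asymmetry the post describes: the outbound SYN is checked against policy and creates a session, the SYN-ACK coming back from the Untrust zone is forwarded on the session hit without any Inbound policy, the unsolicited Untrust-to-Trust SYN is dropped by the default deny, and after the aging time the same outbound flow is treated as a new first packet again.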

5. Security policy

The basic function of a firewall is to protect a particular network from illegal operations originating in "untrusted" networks while still allowing legitimate communication between the two. The job of the security policy is to check the data flows passing through the firewall so that only legitimate flows that conform to the policy get through. Different security policies can be applied between different zones for different kinds of control.

With the rapid development of networks and the steady growth in applications, Web-based and mobile applications are everywhere, and they present the firewall with new security challenges: traditional access control based on IP address, port and protocol no longer meets current needs. In response Huawei introduced the integrated security policy, which the USG6000 series adopts from version V100R001.

The integration shows in two respects:

One is integration of configuration: security checks such as mail filtering, content filtering and application behavior filtering are enabled by referencing profiles from the policy, which makes the administrator's configuration easier. The other is integration of processing: an integrated policy inspects a packet only once, and the various service functions are processed in parallel, which greatly improves efficiency. A traditional firewall, by contrast, works serially, inspecting the traffic again every time it passes through another module.

In addition to the traditional 5-tuple (source IP, destination IP, protocol, source port, destination port), Huawei's new-generation firewall inspects traffic in depth by application, content, time, user, threat and location, giving all-round, multi-dimensional inspection, precise access control and a precise security policy. As shown in the figure.

An integrated security policy consists of several rules, and each rule consists of conditions, an action, profiles and options. As shown in the figure.

Profiles perform content security inspection of packets: anti-virus, intrusion prevention, URL filtering, file filtering, content filtering, application behavior control and mail filtering. A rule can reference one or more profiles; each type of rule carries a corresponding default profile, and the administrator can also reference profiles manually. Profiles can be referenced only when the rule's action is permit.

The conditions are the basis on which a rule is matched, for example source zone, destination address and time. A packet matches a rule only when it matches all the conditions configured in that rule. For example, if a packet matches the source zone, source address, user, application and service of rule 1 but not its time condition, it does not match rule 1, and matching continues with the next rule. A rule does not need every condition configured; one or more may be specified.

If an element of a condition is reused in several rules, or the element itself contains several related items, it can be configured as an object that many rules reference. For example, an address object containing the company's internal network segments can be referenced as the source or destination address in rule conditions.

The action is how the firewall treats matching traffic, such as permit or deny; different policies can choose different actions. If the action is permit, the packet can be processed further according to the referenced profiles.

The options are the additional settings of a rule, such as whether to log hits on the rule and whether the rule is enabled.

Note: the relationship between the elements of a condition is "and": a packet's attributes must match every configured element for the packet to match the rule. The relationship between multiple objects of the same element is "or": if a packet's attribute matches any one of the objects, the attribute matches that element.

Different from the traditional security policy, the integrated security policy has the following characteristics:

Policy configuration is global and is no longer organized per zone pair. Security zones are merely optional condition elements, and a rule may specify several source or destination zones.

By default all inter-zone communication is denied, including Outbound traffic; any traffic that must be released has to be permitted by a policy rule.

The default action of the security policy replaces the old default packet filter. A traditional firewall's packet filter is configured per zone pair and applies only to the zones specified, whereas the default action of the new-generation firewall applies globally, and that default is deny: all traffic is denied unless explicitly permitted.

The firewall processes rules in much the same order as an ACL: match from top to bottom, stop at the first match, and deny by default.

By default a Huawei firewall policy also has the following characteristics:

No two security zones may have the same priority.

Packets between different interfaces in the same zone are not forwarded directly without filtering.

An interface cannot forward packets before it has been added to a zone.

USG6000 series firewalls ship with no security policy, so security policy must be configured for any access between zones, except for traffic delivered within the same zone.
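The rule semantics of section 5 (elements ANDed within a condition, objects ORed within an element, an unconfigured element acting as a wildcard, profiles only on permit, top-down first match, global default deny that also covers Outbound traffic) as a small Python matcher. This is an added example written for this post, not code from the original article or from Huawei. The rule names, address objects, service strings, the hour-based time condition and the sample flows are all assumptions made for illustration.

```python
"""Matcher for the integrated security policy semantics described in the post
(added example; rule names, objects and flows are assumed for illustration)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    source_zone: Optional[set] = None             # None = element not configured (wildcard)
    destination_zone: Optional[set] = None
    source_address: Optional[list] = None         # address object: list of ip_network
    destination_address: Optional[list] = None
    service: Optional[set] = None                 # e.g. {"tcp/80", "tcp/443"}
    user: Optional[set] = None
    application: Optional[set] = None
    time_range: Optional[tuple] = None            # (start_hour, end_hour), end exclusive
    profiles: list = field(default_factory=list)  # content-security profiles, permit only
    enabled: bool = True                          # the "is this rule in effect" option


@dataclass(frozen=True)
class Flow:
    source_zone: str
    destination_zone: str
    src_ip: str
    dst_ip: str
    service: str
    user: str
    application: str
    hour: int


def _addr_in(ip, networks):
    """OR across the address objects of one element."""
    a = ipaddress.ip_address(ip)
    return any(a in n for n in networks)


def matches(rule, f):
    """AND across configured elements; an unconfigured element matches anything."""
    checks = [
        (rule.source_zone, lambda: f.source_zone in rule.source_zone),
        (rule.destination_zone, lambda: f.destination_zone in rule.destination_zone),
        (rule.source_address, lambda: _addr_in(f.src_ip, rule.source_address)),
        (rule.destination_address, lambda: _addr_in(f.dst_ip, rule.destination_address)),
        (rule.service, lambda: f.service in rule.service),
        (rule.user, lambda: f.user in rule.user),
        (rule.application, lambda: f.application in rule.application),
        (rule.time_range, lambda: rule.time_range[0] <= f.hour < rule.time_range[1]),
    ]
    return rule.enabled and all(check() for cond, check in checks if cond is not None)


def evaluate(rules, f, default_action="deny"):
    """Top-down, first match wins; the global default action applies otherwise."""
    for r in rules:
        if matches(r, f):
            return r.action, r.name, (r.profiles if r.action == "permit" else [])
    return default_action, "default", []


# Address object holding two internal segments (constructed, RFC 1918 space).
INTERNAL = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.168.10.0/24")]

RULES = [
    Rule("block_p2p", "deny", application={"BitTorrent"}),
    # Office-hours web access; no user element, so any user matches.
    Rule("web_out", "permit", source_zone={"trust"}, destination_zone={"untrust"},
         source_address=INTERNAL, service={"tcp/80", "tcp/443"},
         time_range=(8, 18), profiles=["av", "url-filter"]),
    Rule("dmz_web_in", "permit", source_zone={"untrust"}, destination_zone={"dmz"},
         destination_address=[ipaddress.ip_network("192.168.100.10/32")],
         service={"tcp/443"}, profiles=["ips"]),
]


def demo():
    """Constructed sample flows covering the matching rules above."""
    cases = {
        "in_hours": Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "tcp/443", "alice", "HTTPS", 10),
        # Same flow at 22:00: the time element fails, so web_out is skipped and
        # matching falls through to the global default deny (Outbound included).
        "after_hours": Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "tcp/443", "alice", "HTTPS", 22),
        # A deny rule placed first wins even though web_out would also match.
        "p2p": Flow("trust", "untrust", "10.1.2.3", "203.0.113.10", "tcp/443", "alice", "BitTorrent", 10),
        # Source not in either segment of the address object.
        "guest_segment": Flow("trust", "untrust", "172.16.0.9", "203.0.113.10", "tcp/80", "bob", "HTTP", 10),
        "dmz_ok": Flow("untrust", "dmz", "198.51.100.7", "192.168.100.10", "tcp/443", "", "HTTPS", 3),
        "dmz_other": Flow("untrust", "dmz", "198.51.100.7", "192.168.100.11", "tcp/443", "", "HTTPS", 3),
    }
    return {k: evaluate(RULES, v) for k, v in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>13}: {result}")
```

The "after_hours" and "guest_segment" cases are the ones worth noting in practice: a flow that satisfies every element of a permit rule but one does not partially match, it simply moves on to the next rule, and on an NGFW with no matching rule that means the global default deny, even for Outbound traffic that a traditional firewall would have let through.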
