HCIP Security study notes (2): firewall principle and definition

Principle and Definition of Firewall (1)


1. What is a firewall

1) Official definition: a firewall is used to protect one network from attacks and intrusions coming from another network. Its essence is control.

2) In the network security market there is also a device called an ISR, whose full name is Integrated Multiservice Router.

3) Firewalls on the market today mainly exist in the following forms:
①Hardware firewall (a standalone device)
②Firewall module (can be integrated into a device that supports it)
③Virtualized firewall (an application running at the software level)

4) Why is the virtual firewall only a trend and not yet the mainstream?
①The performance and stability of virtual firewalls are limited; at present, hardware firewalls are superior to virtual firewalls on both points.

2. The history of firewall development

1) First generation: packet filtering firewall
①Access Control List (ACL)
The Routing & Switching track mainly covers access control lists. There are two types:
- standard access control list: simple and efficient, but with a single control element, matching only on IP address
- extended access control list: more complex than the standard list, but with richer matching elements, for example source and destination IP address, source and destination port number, and protocol

2) Second generation: proxy firewall
①Works like a middleman (intermediary): it sends packets to the responder on behalf of the requester
②Single function and limited performance; it did not become the mainstream of the firewall market
③The proxy firewall model is currently used in SSL VPN

3) Third generation: stateful inspection firewall
①What is the initial flow?
The first packet at the start of a whole communication is the initial flow, also called the first-packet flow.
②What is a stateful entry?
When the first packet traverses the firewall, the firewall records the packet's information (for example source and destination IP address, source and destination port number, protocol) and stores that information in a stateful entry.
③What is stateful inspection technology?
When the return traffic arrives, the firewall first checks whether there is a stateful entry that matches the traffic.
If yes, the traffic is released directly.
If not, the access control policy is checked.
If the access control policy releases it, the traffic can be forwarded.
If the access control policy does not release it, the traffic is discarded directly.
④Which security vendor first promoted the concept of the stateful inspection firewall?
CheckPoint, the number one international firewall security vendor

4) Next-generation firewall
①A product strongly promoted by security vendors.
②Next-generation firewall features:
one packet, one policy: a single policy match includes the execution of all check items.
Trend: visualization.
③Which security vendor first proposed the concept of the next-generation firewall?
PaloAlto, the number one international firewall security vendor

3. Huawei Security Product Line

1) The difference between firewall grades is performance, not function

2) When judging firewall performance, do not rely on raw throughput; refer to the throughput measured with multiple protocols and multiple security technologies enabled simultaneously

3) Most high-end firewalls from security vendors are modular firewalls, such as Huawei's USG 9500 series and Cisco's Firepower 9000 series

4) In a production environment, the device system (IOS) version to use is the most stable one, not the latest!
5) On Huawei firewalls the business log function is not enabled by default; it is supported only after the optional log hard disk is installed
6) At present, Huawei's security product line mainly includes the following:
①Low-end series: 6100
②Mid/low-end series: 6300
③High-end series: 9500

Extension: some well-known vendor platforms and technologies for virtualization
①VMware
- VMware Workstation: personal/home use
- VMware vSphere: enterprise edition for servers
②Microsoft
- Hyper-V

Extension: optical/electrical combo (multiplexing) module
①A module in which port serial numbers are repeated
②Of two interfaces with the same serial number, only one can be used at a time
③It often appears in radio-and-television combo interface modules

4. Firewall zones (security zones)

1) A company needs to divide its network into zones based on "network credibility" (trust level)
2) Based on the different zones, security engineers can deploy different access control strategies through the firewall
3) Huawei firewalls consider traffic within the same security zone to be risk-free; it passes directly
4) A Huawei USG firewall has four zones by default:
①Untrust: the external network
②Trust: the internal network
③DMZ: isolation zone / demilitarized zone. In most cases, the DMZ zone is used to store
Engineers can configure and modify the three zones Untrust, Trust and DMZ on the firewall
④Local
The Local zone cannot be configured or modified, and by default all interfaces of the firewall belong to the Local zone
By default, all traffic arriving at the firewall itself is discarded and must be released by policy
All packets sent by the firewall are considered to be sent from the LOCAL zone

Extension: Cisco firewall zones
1) A Cisco ASA firewall also has four zones by default:
①Inside: the internal network
②Outside: the external network
③DMZ: same as Huawei
④Local: same as Huawei
2) By default, traffic to the Local zone of a Cisco ASA firewall is passed and does not need to be released by policy; the rule is the opposite of Huawei's
3) Cisco firewalls consider traffic within the same security zone to be at risk: by default it is not allowed to pass, which can be changed through configuration.
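To make the third-generation stateful inspection flow and the zone defaults above concrete, here is an added toy model in Python (my own example, not Huawei or Cisco code): the first packet is checked against policy and recorded as a stateful entry, return traffic is released on that entry, same-zone traffic follows the vendor default, and traffic to Local follows either the vendor default or a release policy such as the ping-to-management-port rule verified below. The zone names, prefixes and the policy tuple format are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

class ZoneFirewall:
    """Toy stateful, zone-based firewall (added example, not vendor code)."""
    def __init__(self, zones, policy, intra_zone_permit, local_permit):
        # zones: ordered {name: prefix}; put "local" (the firewall's own address)
        # first so it wins over the subnet of the interface it sits on
        self.zones = {n: ip_network(p) for n, p in zones.items()}
        # policy: ordered (src_zone, dst_zone, proto, dst_port, action); "*" = any
        self.policy = policy
        # Defaults from the notes: Huawei permits intra-zone and denies traffic to
        # Local until released; Cisco ASA is described as the opposite on both
        self.intra_zone_permit = intra_zone_permit
        self.local_permit = local_permit
        self.sessions = set()  # stateful entries: 5-tuple of each released first packet

    def zone_of(self, ip):
        for name, net in self.zones.items():
            if ip_address(ip) in net:
                return name
        return "untrust"  # unmapped addresses belong to the external network

    def _policy_action(self, src_zone, dst_zone, pkt):
        for sz, dz, proto, dport, action in self.policy:
            if (sz in ("*", src_zone) and dz in ("*", dst_zone)
                    and proto in ("*", pkt.proto) and dport in ("*", pkt.dst_port)):
                return "permit (policy)" if action == "permit" else "deny"
        return "deny"  # default: traffic without a release policy is discarded

    def forward(self, pkt):
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)
        if reverse in self.sessions:  # return traffic: released on the stateful entry
            return "permit (stateful entry)"
        src_zone, dst_zone = self.zone_of(pkt.src_ip), self.zone_of(pkt.dst_ip)
        if src_zone == dst_zone and src_zone != "local":
            action = "permit (intra-zone)" if self.intra_zone_permit else "deny"
        elif dst_zone == "local" and self.local_permit:
            action = "permit (local default)"
        else:  # inter-zone traffic (and Local, on Huawei) needs a release policy
            action = self._policy_action(src_zone, dst_zone, pkt)
        if action.startswith("permit"):
            self.sessions.add(key)  # first packet: record the stateful entry
        return action
```

Build it as `ZoneFirewall(zones, policy, intra_zone_permit=True, local_permit=False)` for the Huawei defaults described in the notes, and with both flags flipped for the Cisco ASA defaults.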

Verification

By default, all traffic arriving at the firewall is discarded and must be released by policy.

Huawei firewall default: all traffic destined to the firewall itself is discarded


After a release policy is applied: ping packets to the management port are permitted


Source: blog.csdn.net/weixin_44309905/article/details/111304868