HCIA-Security -- firewall security policy

  • Fundamentals of Firewall Security
    • Security zones
    • Security policy
    • Stateful inspection and session mechanism
    • ASPF technology
  • Application Scenarios of Firewalls in Network Security

1. Basic principles of firewall security

        A firewall is not just an "entrance barrier"; it is the access control point between multiple networks. All traffic entering and leaving the intranet should pass through the firewall, which therefore forms a single gateway through which information enters and leaves.
        As an important part of the enterprise network, the firewall connects the enterprise management network, the marketing department network and the server network. Firewalls are generally deployed at the egress of the enterprise network, where it connects to the Internet, and more generally between different zones in order to control traffic. (Routers are used to forward data; firewalls are used to control it.)

1.1. Safe area

        Security zone: a collection of one or more interfaces, and the main feature that distinguishes a firewall from a router. The firewall divides the network into security zones and uses them to identify the "route" a packet flow takes; when packets flow between different security zones, security checks are triggered.

        Within each network that the firewall divides off, all hosts are considered "trusted", and the firewall does not interfere with communication between them. Between the networks the firewall separates, access must follow the "policy" stipulated by the firewall.

 By default, Huawei firewall products provide three configurable security zones: Trust, DMZ, and Untrust.
 The Trust zone
        has a high trust level;
        it is usually used to define the network where internal users reside.

 The DMZ zone
        has a medium trust level;
        it is usually used to define the network where internal servers reside.

 The Untrust zone
        has a low trust level;
        it is usually used to define unsecured networks such as the Internet.

Local security zone (the security zone of the firewall itself; it cannot be configured)
1. Any packet sent by the firewall itself can be regarded as coming from the Local zone, and any packet that the firewall processes itself (rather than forwards) can be regarded as received by the Local zone.
2. No interface can be added to the Local zone, but all service interfaces on the firewall belong to it.
3. Because of this special role, many applications in which the device itself must send and receive packets require a security policy to be opened between the Local zone and the security zone where the peer is located, for example Telnet login, web login and SNMP network management access.

         Different networks have different levels of trust. Once security zones are used to represent networks on the firewall, each security zone on a Huawei firewall has a unique priority, represented by a number from 1 to 100: the larger the number, the higher the priority and the more trusted the network in that zone.
        Default security zone trust level: Local > Trust > DMZ > Untrust;
        users can create security zones and define their priorities according to actual networking needs.

1.2. Security policy -- inter-zone communication

By default, traffic within the same zone is regarded as safe; traffic between different zones relies on the firewall's security policy for access control.

        The basic role of a firewall is to control network access behavior: to protect a specific network from attacks from "untrusted" networks while still allowing legitimate communication between the two networks. A firewall generally implements this through security policies.
        A security policy is a control rule composed of matching conditions (five-tuple, user, time period, etc.) and an action. After receiving traffic, the firewall identifies the attributes of the traffic (five-tuple, user, time period, etc.) and compares them with the matching conditions of each security policy. If all conditions match, the traffic matches that security policy, and the device then executes the policy's action:
        If the action is permit and no content security inspection is configured, the traffic is allowed to pass.
        If the action is permit and content security inspection is configured, the result of the content security inspection determines whether the traffic is allowed.
        If the action is deny, the traffic is not allowed to pass.

Features:

Any two security zones constitute a security interzone (Interzone), which has its own interzone view. Data flow between security zones has a direction: inbound (from a lower-priority zone to a higher-priority zone) or outbound (from a higher-priority zone to a lower-priority zone).

The matching process of the security policy:

1. The most basic design principle of a firewall is that traffic which is not explicitly allowed is denied by default, so that the firewall protects the network as soon as it is connected.
2. To allow certain traffic to pass, create a security policy for it. Typically, multiple security policies are configured on the device for the different kinds of service traffic.

 Traffic within a security zone and traffic between security zones are each handled by the default security policy as follows:
        Traffic between different security zones (including traffic sent by the firewall, traffic received by the firewall, and traffic forwarded between zones) is controlled by the default security policy.
        Traffic within the same security zone is not controlled by the default security policy by default; its default forwarding action is permit. To have intrazone traffic controlled by the default security policy, enable the default security policy for traffic within the same security zone; once enabled, the configuration of the default security policy, including its action and logging functions, applies to intrazone traffic as well.
        The default action and the logging functions (policy hit logs, session logs and traffic logs) of the default security policy can be modified.

Example of security policy configuration:

Configuration ideas: divide security zones, assign interfaces to zones, configure security policies, save and commit.

During configuration, precise (specific) security policies must be configured before broad (general) ones, because policies are matched in order and the first match decides.
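The zone, interzone-direction and policy-matching rules described above, as an added Python model of the decision logic; this is illustrative code written for this page, not Huawei's implementation or CLI. The numeric priorities are the documented Huawei USG defaults (Local 100, Trust 85, DMZ 50, Untrust 5), which the page itself gives only as an order; the interface names, addresses and rule names are constructed for the example. The demo firewall also shows why precise rules must precede broad ones: reversing the rule order shadows the specific deny.

```python
"""Toy model of security zones, interzone direction and ordered security-policy
matching with a default deny. Added example; not the firewall's own code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed Huawei USG default priorities (1-100, larger = more trusted)
DEFAULT_ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


@dataclass
class Rule:
    """One security-policy rule: matching conditions plus an action."""
    name: str
    src_zone: str
    dst_zone: str
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None        # None matches any protocol
    dst_port: Optional[int] = None     # None matches any destination port
    action: str = "permit"             # "permit" or "deny"

    def matches(self, pkt: dict) -> bool:
        return (self.src_zone == pkt["src_zone"]
                and self.dst_zone == pkt["dst_zone"]
                and ip_address(pkt["src_ip"]) in ip_network(self.src_net)
                and ip_address(pkt["dst_ip"]) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dst_port is None or self.dst_port == pkt["dst_port"]))


@dataclass
class Firewall:
    zones: dict = field(default_factory=lambda: dict(DEFAULT_ZONE_PRIORITY))
    interface_zone: dict = field(default_factory=dict)  # interface -> zone
    rules: list = field(default_factory=list)           # ordered; first match wins
    default_action: str = "deny"                        # the default security policy
    intrazone_default_policy: bool = False              # apply default policy in-zone?

    def add_zone(self, name: str, priority: int) -> None:
        # Priorities are unique per zone and lie in 1..100
        assert 1 <= priority <= 100 and priority not in self.zones.values()
        self.zones[name] = priority

    def add_interface(self, ifname: str, zone: str) -> None:
        self.interface_zone[ifname] = zone

    def direction(self, src_zone: str, dst_zone: str) -> str:
        """Inbound = lower priority -> higher priority; outbound = the reverse."""
        return "inbound" if self.zones[src_zone] < self.zones[dst_zone] else "outbound"

    def decide(self, pkt: dict):
        """Return (action, name of the matched rule). Zones are derived from the
        ingress/egress interfaces; same-zone traffic is permitted unless the
        default policy has been extended to intrazone traffic."""
        pkt = dict(pkt)
        pkt["src_zone"] = self.interface_zone[pkt["in_if"]]
        pkt["dst_zone"] = self.interface_zone[pkt["out_if"]]
        if pkt["src_zone"] == pkt["dst_zone"] and not self.intrazone_default_policy:
            return "permit", "intrazone"
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action, "default"


def build_demo_firewall() -> Firewall:
    """Constructed demo: three interfaces in three zones, precise rule first."""
    fw = Firewall()
    fw.add_interface("GE1/0/1", "trust")
    fw.add_interface("GE1/0/2", "dmz")
    fw.add_interface("GE1/0/3", "untrust")
    fw.rules.append(Rule("deny_mgmt_to_db", "trust", "dmz",
                         "10.1.1.0/24", "10.2.2.10/32", "tcp", 3306, "deny"))
    fw.rules.append(Rule("trust_to_dmz", "trust", "dmz", dst_net="10.2.2.0/24"))
    fw.rules.append(Rule("trust_to_internet", "trust", "untrust"))
    return fw


if __name__ == "__main__":
    fw = build_demo_firewall()
    db = dict(in_if="GE1/0/1", out_if="GE1/0/2", src_ip="10.1.1.5",
              dst_ip="10.2.2.10", proto="tcp", dst_port=3306)
    print(fw.decide(db))          # ('deny', 'deny_mgmt_to_db')
    fw.rules.reverse()            # broad rule now shadows the precise deny
    print(fw.decide(db))          # ('permit', 'trust_to_dmz')
```

The `decide` call returns which rule fired, which is also what a policy-hit log would record; checking that value after a rule change is the quickest way to catch a shadowed rule before it reaches production.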

Commonly used configuration commands are as follows:

1.3. Stateful inspection and session mechanism

Stateful inspection:

        A stateful inspection firewall uses a detection mechanism based on connection state and treats all packets belonging to the same connection between two communicating parties as one data flow. From the firewall's point of view, the packets of a data flow are no longer isolated individuals but are related to each other.

        When stateful inspection is enabled, only the first packet of a connection passing through the device creates a session entry; subsequent packets are matched directly against that session entry and forwarded.

        When stateful inspection is disabled, subsequent packets can create session entries as long as they pass through the device, even if the first packet never did.
        In a network where the forward and return paths of packets differ, the firewall may receive only the subsequent packets of a connection. To keep services working in this case, stateful inspection must be disabled on the firewall; a session can then be established from subsequent packets and the service operates normally.

Session mechanism:

        The firewall treats all packets belonging to the same connection as one data flow, a session. The session table records the connection state of protocols such as TCP, UDP and ICMP and is an important basis for the firewall's forwarding decisions.

         The firewall uses a "state"-based packet control mechanism: only the first packet, or a small number of packets, is inspected to determine the state of a connection, and the bulk of the packets are controlled directly according to the state of the connection they belong to. This stateful inspection mechanism greatly improves the inspection and forwarding efficiency of the firewall. The session table exists to record connection state: when the device forwards TCP, UDP or ICMP packets, it looks up the session table to determine which connection a packet belongs to and acts accordingly.

 Five-tuple of session entries:

        A session is the concrete embodiment on the firewall of a connection between the two communicating parties and represents the connection state of the two parties.

        The five-tuple information in a session uniquely identifies the connection between the communicating parties;
        the time after which the firewall deletes a session is called the aging time of the session;
        the collection of all sessions is called the session table.

         Firewalls set session aging mechanisms for the various protocols. When no packet matches a session within its aging time, the session is deleted from the session table. This prevents the firewall's resources from being consumed by large numbers of useless, stale session entries. For some special services, however, the interval between two consecutive packets of a session may be very long. For example:
        when a user downloads a large file through FTP, a long time passes before the next control packet is sent on the control channel;
        when a user queries data on a database server, the interval between query operations can be much longer than the TCP session aging time.
        In these scenarios, if the session entry is deleted, the corresponding service is interrupted. The long link (Long Link) mechanism sets a long aging time for selected connections and solves this problem.
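The session mechanism of this section (five-tuple keyed session table, first-packet session creation under stateful inspection, session creation from subsequent packets when it is disabled, per-protocol aging and a long-link override), as an added Python model. This is example code written for this page, not Huawei's implementation; the aging values, packet dictionaries and the `policy_permits` callback are assumptions, and time is passed in as an integer so the example runs deterministically offline.

```python
"""Toy session table: 5-tuple keys, bidirectional lookup, stateful-inspection
switch, per-protocol aging and long-link aging. Added example, not vendor code."""
from dataclasses import dataclass

# Assumed aging times in seconds; real devices use per-protocol/per-state defaults
AGING = {"tcp": 600, "udp": 120, "icmp": 20}


@dataclass
class Session:
    key: tuple        # (src_ip, src_port, dst_ip, dst_port, proto)
    created: int
    last_seen: int
    aging: int

    def expired(self, now: int) -> bool:
        return now - self.last_seen > self.aging


class SessionTable:
    def __init__(self, stateful_inspection=True, long_link=None):
        self.stateful_inspection = stateful_inspection
        # long_link: {(dst_ip, dst_port, proto): aging_seconds} for services whose
        # packets may be far apart (FTP control channel, long-running DB queries)
        self.long_link = long_link or {}
        self.sessions = {}

    @staticmethod
    def key(pkt: dict) -> tuple:
        return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])

    @staticmethod
    def reverse_key(pkt: dict) -> tuple:
        # Reply traffic belongs to the same session, so look it up reversed
        return (pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"], pkt["proto"])

    def age_out(self, now: int) -> int:
        """Delete sessions not refreshed within their aging time; return the count."""
        stale = [k for k, s in self.sessions.items() if s.expired(now)]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def handle(self, pkt: dict, now: int, policy_permits) -> str:
        """Return 'session' (matched an existing entry), 'created' or 'dropped'."""
        self.age_out(now)
        k = self.key(pkt)
        s = self.sessions.get(k) or self.sessions.get(self.reverse_key(pkt))
        if s:
            s.last_seen = now       # any matching packet refreshes the aging timer
            return "session"
        # No session yet. With stateful inspection on, only a first packet (here: a
        # TCP SYN) may create one; a stray mid-stream packet is dropped. With it
        # off (asymmetric routing), a subsequent packet may create the session.
        first = pkt["proto"] != "tcp" or pkt.get("flags") == "SYN"
        if self.stateful_inspection and not first:
            return "dropped"
        if not policy_permits(pkt):  # first packet is still subject to the policy
            return "dropped"
        aging = self.long_link.get((pkt["dst_ip"], pkt["dst_port"], pkt["proto"]),
                                   AGING[pkt["proto"]])
        self.sessions[k] = Session(k, now, now, aging)
        return "created"


if __name__ == "__main__":
    table = SessionTable(long_link={("10.2.2.10", 21, "tcp"): 86400})
    syn = dict(src_ip="10.1.1.5", src_port=40000, dst_ip="10.2.2.10",
               dst_port=21, proto="tcp", flags="SYN")
    print(table.handle(syn, 0, lambda p: True))   # created
    print(table.age_out(700), len(table.sessions))  # 0 1: long link survives
```

Note that the long-link lookup is keyed on the server side of the connection, so one entry covers every client of that service; the aging override is applied when the session is created, which is why an entry added later does not lengthen sessions that already exist.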

1.4. ASPF technology

Background of ASPF technology
1. In the TCP/IP model, the application layer provides common network application services through protocols such as Telnet, HTTP and FTP. Application layer protocols can be divided into single-channel and multi-channel protocols according to the number of ports they occupy.
        Single-channel application layer protocol: a protocol that occupies only one port during communication. For example, Telnet occupies only port 23 and HTTP occupies only port 80.

        Multi-channel application layer protocol: a protocol that occupies two or more ports during communication. For example, FTP in passive mode occupies port 21 plus a random port.
2. Traditional packet filtering firewalls control multi-channel application layer protocols insufficiently:
        they can only implement simple access control;
        they can only filter the application data of single-channel protocols that use fixed ports.

        A multi-channel protocol first negotiates the address and port of the subsequent data channel over the control channel, then establishes the data channel according to the negotiation result. Because the address and port of the data channel are negotiated dynamically, the administrator cannot predict them and therefore cannot write a complete and accurate security policy. To guarantee that the data channel can be established, all ports would have to be opened, which obviously exposes the server or client to attack.

ASPF (Application Specific Packet Filter) is a packet filter aware of the application layer.
        By inspecting the address and port information carried in the application-layer payload of the negotiation packets, it automatically generates the corresponding Server-map table. When the first packet of the data channel passes through the firewall, the firewall creates a session according to the Server-map entry, and that session is used to pass the subsequent data channel packets; this is equivalent to automatically creating a fine-grained "security policy". For every connection of a given application protocol, ASPF maintains the connection state information and uses it to decide dynamically whether each packet is allowed through the firewall or discarded.

 Applying ASPF in FTP active mode

        The Server-map table is a fine-grained security policy automatically generated by the ASPF function; it is an "invisible channel" on the firewall.

         In FTP active mode, the client uses a random port xxxx to initiate a connection to port 21 of the server, establishing the control channel, and then uses the PORT command to negotiate the port number for the data channel between the two. If the negotiated port is yyyy, the server then actively initiates a connection to port yyyy on the client and establishes the data channel. Once the data channel is established, data transfer takes place.

        If only a security policy allowing the client to access port 21 of the server is configured, the control connection is established successfully. But when the packet from the server to port yyyy of the client arrives at the firewall, the firewall does not see it as a follow-up packet of the existing connection but as a new connection. For this packet to reach the FTP client, a security policy allowing it must exist on the firewall. If no security policy is configured for the server-to-client direction, the packet cannot pass through the firewall and the data channel cannot be established. The result is that users can access the server but cannot retrieve data.

        Because the application-layer payload of the PORT command carries the client's IP address and the port it has randomly opened for the server, the firewall parses that payload, predicts the behavior of the subsequent packets in advance, and creates a Server-map entry. When the server's data-connection packet to the client reaches the firewall, it hits the Server-map entry and is no longer subject to the security policy.

The relationship between the Server-map table and the session table
The relationship between the Server-map table and the session table is as follows:
        1. The Server-map table records key information from the application-layer data; a packet that hits the table is no longer controlled by the security policy;
        2. the session table is the concrete reflection of the connection state of the two communicating parties;
        3. the Server-map table does not describe a current connection; it is the firewall's prediction, derived from analyzing the current connection, of a packet that is about to arrive.


How the firewall processes a received packet:
        1. When the firewall receives a packet, it first checks whether the packet matches the session table;
        2. if there is no hit, it checks whether the packet hits the Server-map table;
        3. packets that hit the Server-map table are not controlled by the security policy;
        4. finally, the firewall creates a session entry for the data that hit the Server-map table.
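The FTP active-mode scenario and the four-step processing order above, as an added Python model: a PORT command seen on the control channel is parsed into a Server-map entry, and the server's data-channel packet is then checked against the session table, the Server-map and the security policy in that order. This is example code written for this page, not the firewall's code; the `policy_permits` callback, the IP addresses, and the PORT line are constructed, and the model simply consumes a Server-map entry once the predicted connection arrives.

```python
"""Toy ASPF: FTP PORT parsing -> Server-map entry -> data channel admitted
without a matching security policy. Added example, not vendor code."""
import re

# PORT h1,h2,h3,h4,p1,p2  (RFC 959); port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")


def parse_port_command(line: str):
    """Return (client_ip, client_port) from an FTP PORT command, else None."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if max(h1, h2, h3, h4) > 255 or max(p1, p2) > 255:
        return None                      # malformed: reject rather than guess
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class AspfFirewall:
    def __init__(self, policy_permits):
        self.policy_permits = policy_permits  # callable(pkt) -> bool
        self.sessions = set()                 # 5-tuples of established connections
        self.server_map = set()               # predicted (src_ip, dst_ip, dst_port, proto)

    @staticmethod
    def five_tuple(pkt: dict) -> tuple:
        return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])

    def inspect_control_channel(self, server_ip: str, payload_line: str):
        """'detect ftp': a PORT command on the control channel predicts a
        server -> client data connection and records it in the Server-map."""
        parsed = parse_port_command(payload_line)
        if parsed:
            client_ip, client_port = parsed
            self.server_map.add((server_ip, client_ip, client_port, "tcp"))
        return parsed

    def handle(self, pkt: dict) -> str:
        """Processing order from the page: session table, then Server-map
        (which bypasses the security policy), then the security policy."""
        key = self.five_tuple(pkt)
        if key in self.sessions:
            return "session"
        predicted = (pkt["src_ip"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])
        if predicted in self.server_map:
            self.sessions.add(key)          # step 4: session created for the flow
            self.server_map.discard(predicted)  # prediction consumed in this model
            return "server-map"
        if self.policy_permits(pkt):
            self.sessions.add(key)
            return "policy"
        return "dropped"


if __name__ == "__main__":
    # Constructed scenario: policy only allows client -> server port 21
    fw = AspfFirewall(lambda p: p["dst_port"] == 21 and p["proto"] == "tcp")
    data = dict(src_ip="10.2.2.10", src_port=20, dst_ip="10.1.1.5",
                dst_port=50010, proto="tcp")
    print(fw.handle(data))                                         # dropped
    fw.inspect_control_channel("10.2.2.10", "PORT 10,1,1,5,195,90\r")
    print(fw.handle(data))                                         # server-map
```

The Server-map entry is a triple of the predicted source, destination and port rather than a full five-tuple, because the server's source port for the data connection is not known from the PORT command; that is exactly why a static policy cannot express this flow precisely.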

Server-map table configuration example (enable ASPF for FTP in the Trust-DMZ interzone; the firewall then generates the Server-map entries automatically):

        firewall interzone trust dmz
         detect ftp


2. Application Scenarios of Firewalls in Network Security

2.1. Application scenarios of firewalls in campus egress security solutions

The campus network faces different security threats at every layer from the network layer to the application layer:
        1. Network border protection

        2. Content security protection
As shown in the figure, the firewall is deployed at the campus network egress as a security gateway:

        1. It provides security isolation and protection for mutual access between the internal and external networks, for example traditional IP-address-based security policies and network access control;

        2. it also provides user-based access control and behavior traceability.

2.2. Application of Firewall in Cloud Computing Network

With the rapid development of cloud computing, enterprises can easily access cloud computing networks, obtain resources such as servers, storage, and applications, reduce the investment cost of building IT infrastructure, and greatly accelerate the process of informatization.

        As shown in the figure, deploying a firewall in the cloud computing network achieves the following:
                1. Different external enterprise users accessing virtual machines cannot affect each other, and their business is isolated;
                2. external enterprise users can access the enterprise's internal virtual machines and Portal system through a public network address;
                3. business reliability is improved, so that a single device failure cannot cause service interruption.

Origin blog.csdn.net/qq_50929489/article/details/127820550