Principle and Configuration of Digital China-DCFW-1800


How Firewalls Work

As a network security product, a firewall protects a network by controlling the traffic that flows into and out of it. Its basic principle is to analyze packets and allow or block them according to the configured policy rules. The firewall also connects networks, bridging the trusted zone (the internal network) and the untrusted zone (the external network).

System architecture

The basic elements that make up the system architecture include:

Security domain

A domain is a logical entity that divides a network into different parts. A domain to which a security policy is applied is called a security domain (zone). For example, the trust security domain is usually a trusted network such as the intranet, and the untrust security domain is usually an untrusted network that carries security threats, such as the Internet.

Interface

An interface is the channel through which traffic enters and leaves a security domain. An interface must be bound to a security domain before it can carry traffic. By default, interfaces cannot communicate with each other; traffic is allowed between interfaces only through policy rules.

Virtual switch (VSwitch)

The virtual switch (VSwitch) has switching functions and works at Layer 2. After a Layer 2 security domain is bound to a VSwitch, the interfaces bound to that security domain are bound to the VSwitch as well. A VSwitch is a Layer 2 forwarding domain with its own independent MAC address table, so all Layer 2 forwarding on the device happens inside a VSwitch. In addition, traffic can be passed between Layer 2 and Layer 3 through the VSwitch interface (VSwitchIF).

Virtual Router (VRouter)

The virtual router (VRouter), VR for short, provides router functions, and each VR has its own independent routing table. The system has a default VR named trust-vr, and by default all Layer 3 security domains are bound to trust-vr automatically. The system supports multiple VRs; the maximum number depends on the hardware platform. Multi-VR divides the device into several virtual routers, each of which uses and maintains a completely independent routing table, so one device can act as several routers. This isolates addresses into separate routing domains (the same address range may be used in different VRs), limits route leakage between domains to some extent, and improves routing security.

Policy

Policy is the basic function of the security device: it controls traffic forwarding between security zones and between address segments. By default the device denies all transmission between its security zones, interfaces and address segments. Policy rules decide which traffic is allowed and which is denied from one security zone to another, or from one address segment to another.

Binding relationship (affiliation)

In the system architecture there is a subordinate relationship, also called a binding relationship, among security domains, interfaces, virtual routers and virtual switches.
[Figure: binding relationships among interfaces, security domains, VSwitch and VRouter; present only as an image in the source and not reproduced here]
An interface is bound to a security domain; the security domain is bound to a VSwitch or a VRouter; through that chain the interface is bound to the VSwitch or VRouter. An interface can be bound to only one security zone, while one security zone can hold multiple interfaces. A Layer 2 security domain can only be bound to a VSwitch, and a Layer 3 security domain can only be bound to a VRouter.

Security Policy Rules

By default all traffic between interfaces is denied: interfaces in different security zones, and even interfaces in the same security zone, cannot communicate until a policy rule permits the traffic.
(Note: if each side initiates connections toward the other, two policy rules are required, one per direction. If only one side initiates and the other only answers, a single rule from source to destination is enough; the reply packets belong to the session created by the first packet and are not checked against policy again.)

Which policy rules are needed for two interfaces to reach each other depends on the security domain, VSwitch or VRouter the interfaces belong to. The interface and zone names below refer to the binding figure of the original article. The cases are:
Two interfaces in the same security domain: create one intra-zone policy for that domain. For example, for eth0/0 and eth0/1 to reach each other, create a policy from L3-zone1 to L3-zone1; for eth0/3 and eth0/4, create a policy with L2-zone2 as both source and destination.
Two Layer 2 interfaces whose domains belong to the same VSwitch: create two policies, one from the first domain to the second and one in the opposite direction. For example, for eth0/2 and eth0/3, create a policy from L2-zone1 to L2-zone2 and another from L2-zone2 to L2-zone1.
Two Layer 2 interfaces whose domains belong to different VSwitches: each VSwitch has exactly one VSwitch interface (VSwitchIF), and each VSwitchIF is bound to a Layer 3 security domain. Create a policy whose source is the Layer 3 domain of one VSwitchIF and whose destination is the Layer 3 domain of the other VSwitchIF, plus the reverse policy.
Two Layer 3 interfaces whose domains belong to the same VRouter: create a policy from one domain to the other and the reverse policy. For example, for eth0/0 and eth0/5, create a policy from L3-zone1 to L3-zone2 and another from L3-zone2 to L3-zone1.
Two Layer 3 interfaces whose domains belong to different VRouters: create policy rules that permit the traffic from one VRouter to the other, and back.
A Layer 2 interface and a Layer 3 interface under the same VRouter: create a policy whose source is the Layer 3 domain bound to the VSwitchIF of the Layer 2 interface's VSwitch and whose destination is the Layer 3 domain of the Layer 3 interface, plus the reverse policy. For example, for eth0/0 and eth0/2, the policy runs from L3-zone1 to the Layer 3 domain bound to the VSwitchIF of eth0/2's VSwitch, and a reverse policy is created as well.
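The binding chain (interface to security domain to VSwitch or VRouter) and the case list above can be turned into a small model that derives which (source zone, destination zone) rules must exist before two interfaces can talk. The following Python is an added example and not DCFW-1800 code; the zone, interface and VSwitchIF names are assumed for illustration (L3-zone3 stands in for the Layer 3 zone of vswitch1's VSwitchIF, which the article's figure does not name).

```python
# Added example, not DCFW-1800 code: derive the policy rules two interfaces need
# in order to reach each other from the binding chain
# interface -> security domain -> VSwitch / VRouter described above.
# Zone, interface and VSwitchIF names are assumed for illustration.
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    layer: int      # 2 or 3
    parent: str     # VSwitch name for a Layer 2 zone, VRouter name for a Layer 3 zone


@dataclass
class Fabric:
    zones: dict = field(default_factory=dict)           # zone name -> Zone
    iface_zone: dict = field(default_factory=dict)      # interface -> zone name
    vswitchif_zone: dict = field(default_factory=dict)  # VSwitch -> L3 zone of its VSwitchIF

    def add_zone(self, name, layer, parent):
        # A Layer 2 zone binds only to a VSwitch, a Layer 3 zone only to a VRouter.
        if (layer == 2) != parent.startswith("vswitch"):
            raise ValueError(f"zone {name}: layer {layer} cannot bind to {parent}")
        self.zones[name] = Zone(name, layer, parent)

    def bind_interface(self, iface, zone):
        # One zone may hold many interfaces; one interface belongs to exactly one zone.
        if iface in self.iface_zone:
            raise ValueError(f"{iface} is already bound to {self.iface_zone[iface]}")
        if zone not in self.zones:
            raise ValueError(f"unknown zone {zone}")
        self.iface_zone[iface] = zone

    def bind_vswitchif(self, vswitch, l3_zone):
        # The VSwitchIF of a VSwitch is bound to a Layer 3 zone.
        if self.zones[l3_zone].layer != 3:
            raise ValueError("a VSwitchIF must be bound to a Layer 3 zone")
        self.vswitchif_zone[vswitch] = l3_zone

    def zone_of(self, iface):
        return self.zones[self.iface_zone[iface]]

    def l3_zone_of(self, iface):
        """The zone that represents this interface in a Layer 3 policy: its own zone
        for a Layer 3 interface, the VSwitchIF's zone for a Layer 2 interface."""
        z = self.zone_of(iface)
        return z.name if z.layer == 3 else self.vswitchif_zone[z.parent]

    def required_rules(self, a, b, both_initiate=True):
        """(src_zone, dst_zone) pairs that must be permitted so that a and b can talk.
        With both_initiate=False only a opens connections, and the stateful return
        traffic needs no reverse rule."""
        za, zb = self.zone_of(a), self.zone_of(b)
        if za.name == zb.name:                       # same zone: one intra-zone rule
            return [(za.name, za.name)]
        if za.layer == zb.layer == 2 and za.parent == zb.parent:
            pairs = [(za.name, zb.name), (zb.name, za.name)]   # same VSwitch
        else:                                        # crosses a VSwitchIF and/or a VRouter
            la, lb = self.l3_zone_of(a), self.l3_zone_of(b)
            pairs = [(la, lb), (lb, la)]
        return pairs if both_initiate else pairs[:1]

    def missing_rules(self, a, b, permitted, both_initiate=True):
        """Rules still absent from the permitted set, in the order they should be added."""
        return [r for r in self.required_rules(a, b, both_initiate) if r not in permitted]


def example_fabric():
    """Constructed topology modelled on the article's figure (names assumed)."""
    f = Fabric()
    f.add_zone("L3-zone1", 3, "trust-vr")
    f.add_zone("L3-zone2", 3, "trust-vr")
    f.add_zone("L3-zone3", 3, "trust-vr")   # assumed: zone of vswitch1's VSwitchIF
    f.add_zone("L2-zone1", 2, "vswitch1")
    f.add_zone("L2-zone2", 2, "vswitch1")
    f.bind_vswitchif("vswitch1", "L3-zone3")
    for iface, zone in [("eth0/0", "L3-zone1"), ("eth0/1", "L3-zone1"),
                        ("eth0/2", "L2-zone1"), ("eth0/3", "L2-zone2"),
                        ("eth0/4", "L2-zone2"), ("eth0/5", "L3-zone2")]:
        f.bind_interface(iface, zone)
    return f


if __name__ == "__main__":
    fab = example_fabric()
    for pair in [("eth0/0", "eth0/1"), ("eth0/2", "eth0/3"), ("eth0/0", "eth0/5"), ("eth0/0", "eth0/2")]:
        print(pair, "->", fab.required_rules(*pair))
```

`missing_rules` is the practical check: feed it the rules actually configured and it lists the ones still needed, which is how an asymmetric "works one way only" problem usually shows up.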

Packet Processing Flow

Forwarding rules in the Layer 2 forwarding domain

In a VSwitch, that is, a Layer 2 forwarding domain, the MAC address forwarding table is built by source address learning, and each VSwitch has its own table. Packets are processed differently according to their type: IP packets, ARP packets, and packets that are neither IP nor ARP.

For IP packets

Follow the forwarding rules below:

  1. The packet is received.
  2. The source MAC address is learned and the MAC address forwarding table is updated.
  3. If the destination MAC address is a unicast address, the outbound interface is looked up by destination MAC. There are three cases:
    • The destination MAC is the MAC of the VSwitch interface: if the VSwitch interface has an IP address, the packet is handed to the routing path and forwarded according to the Layer 3 rules; if it has no IP address, the packet is discarded.
    • An outbound interface is found in the MAC table: if it is the interface the packet arrived on, the packet is discarded; otherwise processing continues with step 4.
    • No outbound interface is found (unknown unicast): go to step 6.
  4. The source and destination security domains are determined from the inbound and outbound interfaces.
  5. The policy rules are looked up. The packet is forwarded if a rule permits it and dropped otherwise.
  6. For an unknown unicast, the system tries every other Layer 2 interface in the VSwitch as the outbound interface, takes the Layer 2 security domain of that interface as the destination domain, and looks up the policy rules. The packet is sent out of each interface whose policy permits it and discarded for the others. In short, unknown unicast forwarding is a broadcast under policy restriction. Broadcast and multicast IP packets are handled like unknown unicast, except that a copy is also passed to Layer 3 processing.

For ARP packets, broadcast and unknown-unicast packets are forwarded to all other interfaces in the VSwitch, and a copy is handed to the ARP module.
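The Layer 2 rules above are easiest to check against a small simulator. The following Python is an added example, not vendor code: one VSwitch with source-MAC learning, the VSwitchIF hand-off to Layer 3, a policy lookup between the Layer 2 zones of the inbound and outbound interfaces, and unknown unicast, broadcast and multicast handled as policy-restricted flooding. The interfaces, zones, MAC addresses and policy are constructed; the treatment of a known-unicast ARP frame (switched to the learned port) is an assumption, since the article only describes the broadcast and unknown-unicast ARP case.

```python
# Added example, not DCFW-1800 code: a model of the Layer 2 forwarding rules of one
# VSwitch as described above. Interface, zone and MAC values are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac):
    # Group bit: least significant bit of the first octet (also set for broadcast).
    return int(mac.split(":")[0], 16) & 1 == 1


class VSwitch:
    def __init__(self, iface_zone, vswitchif_mac, vswitchif_has_ip, policy):
        self.iface_zone = iface_zone            # Layer 2 interface -> Layer 2 zone
        self.vswitchif_mac = vswitchif_mac      # MAC of this VSwitch's VSwitchIF
        self.vswitchif_has_ip = vswitchif_has_ip
        self.policy = set(policy)               # permitted (src_zone, dst_zone) pairs
        self.mac_table = {}                     # learned: MAC -> interface

    def permitted(self, in_if, out_if):
        # Steps 4/5: zones come from the in/out interfaces; no matching rule means drop.
        return (self.iface_zone[in_if], self.iface_zone[out_if]) in self.policy

    def flood(self, in_if):
        # Step 6: try every other interface as outbound, each under its own policy check.
        return [i for i in self.iface_zone if i != in_if and self.permitted(in_if, i)]

    def forward(self, in_if, src_mac, dst_mac, kind="ip"):
        """Return the outbound actions for one frame: interface names, "L3" for a
        copy handed to the routing path, "ARP" for a copy to the ARP module.
        An empty list means the frame is dropped."""
        self.mac_table[src_mac] = in_if         # step 2: learn the source address
        if kind == "arp":
            if dst_mac == BROADCAST or dst_mac not in self.mac_table:
                # ARP broadcast / unknown unicast: all other interfaces plus the ARP module
                return [i for i in self.iface_zone if i != in_if] + ["ARP"]
            return [self.mac_table[dst_mac]]    # assumption: known-unicast ARP switched normally
        if is_multicast(dst_mac):
            # Broadcast/multicast IP: flood under policy and also copy to Layer 3 processing
            return self.flood(in_if) + ["L3"]
        if dst_mac == self.vswitchif_mac:
            # Destined to the VSwitchIF itself: route it if the VSwitchIF has an IP, else drop
            return ["L3"] if self.vswitchif_has_ip else []
        out_if = self.mac_table.get(dst_mac)
        if out_if is None:
            return self.flood(in_if)            # unknown unicast: policy-restricted broadcast
        if out_if == in_if:
            return []                           # would go back out the source interface
        return [out_if] if self.permitted(in_if, out_if) else []


def demo():
    """Constructed topology: eth0/2 in L2-zone1, eth0/3 and eth0/4 in L2-zone2;
    policy permits L2-zone1 -> L2-zone2 and L2-zone2 -> L2-zone2 only."""
    sw = VSwitch({"eth0/2": "L2-zone1", "eth0/3": "L2-zone2", "eth0/4": "L2-zone2"},
                 vswitchif_mac="00:00:5e:00:53:01", vswitchif_has_ip=True,
                 policy=[("L2-zone1", "L2-zone2"), ("L2-zone2", "L2-zone2")])
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    return {
        "a_to_unknown_b": sw.forward("eth0/2", a, b),        # flood where policy permits
        "b_replies_to_a": sw.forward("eth0/3", b, a),        # a is known now, but zone2->zone1 is denied
        "b_to_unknown_c": sw.forward("eth0/3", b, c),        # flood; eth0/2 filtered by policy
        "a_to_vswitchif": sw.forward("eth0/2", a, sw.vswitchif_mac),
        "a_broadcast":    sw.forward("eth0/2", a, BROADCAST),
        "a_arp_request":  sw.forward("eth0/2", a, BROADCAST, kind="arp"),
        "hairpin":        sw.forward("eth0/2", c, a),        # a was learned on the source interface
    }


if __name__ == "__main__":
    for name, actions in demo().items():
        print(f"{name:16s} -> {actions}")
```

The "b_replies_to_a" case is the one worth remembering: the reply is dropped not because of the MAC table but because no L2-zone2 to L2-zone1 rule exists, which is exactly why the policy section asks for a rule in each direction when both sides initiate.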

Forwarding rules for Layer 3 forwarding domains

0. The logical inbound interface of the packet is identified; it may be an untagged physical interface or a sub-interface. This determines the source security domain of the packet.

  1. Packet validity check. If attack defense is configured on the source security domain, it is checked in this step as well.
  2. Session lookup. If the packet belongs to an established session, steps 3 to 10 are skipped and processing continues at step 11.
  3. Destination NAT (DNAT). If a matching DNAT rule is found, the packet is marked for DNAT. DNAT is done before routing because the route lookup needs the translated destination address.
    Note: if static one-to-one BNAT rules are configured, they are searched first; a packet that matches a BNAT rule is handled by that rule and ordinary DNAT rules are not searched.
  4. Route lookup. The lookup order is: policy-based routing (PBR) > source-interface-based routing (SIBR) > source-based routing (SBR) > destination-based routing (DBR) > ISP routing. This yields the logical outbound interface and the destination security domain of the packet.
  5. Source NAT (SNAT). If a matching SNAT rule is found, the packet is marked for SNAT.
    Note: as with DNAT, BNAT rules are searched first; a packet that matches a BNAT rule is handled by that rule and ordinary SNAT rules are not searched.
  6. Next-hop VR check. If the next hop is another VR, the system checks whether the packet would exceed the maximum number of VRs it may traverse (the current version allows a packet to pass through at most 3 VRs). If it would, the packet is dropped; if not, processing returns to step 4 in that VR. If the next hop is not a VR, processing continues with the policy lookup.
  7. Policy lookup. The system searches the policy rules by source security domain, destination security domain, source IP address and port, destination IP address and port, and protocol. If no rule matches, the packet is dropped; otherwise it is handled according to the action of the matching rule:
    Permit: the packet is allowed through.
    Deny: the packet is denied.
    Tunnel: the packet is forwarded into the specified tunnel.
    Fromtunnel: the packet is allowed only if it arrived from the specified tunnel; otherwise it is dropped.
    WebAuth: web authentication is applied to the matching traffic.
  8. First application identification. The system tries to identify the application from the port numbers and the services configured in the policy rule.
  9. The session is created.
  10. Second application identification, if needed. The application is identified precisely from the packet content and the traffic behavior.
  11. Application layer gateway (ALG) handling: adaptive processing for specific complex protocols.
  12. The operations recorded in the session are applied, such as the NAT marks.
  13. The packet is forwarded out of the outbound interface.
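The ordering in this flow (DNAT before the route lookup, SNAT after it, the VR hop limit, and the session fast path that skips NAT and policy) is what determines whether a given packet gets through, so it helps to see it executed. The following Python is an added example and not DCFW-1800 code. It models steps 2 to 7, 9 and 12 with constructed addresses, zones, routes and rules; it simplifies PBR/SIBR/SBR to source-prefix matches and DBR/ISP to destination-prefix matches, and it assumes that the policy is matched on the original source address and the DNAT-translated destination address (check the vendor documentation for the exact matching rules).

```python
# Added example, not DCFW-1800 code: a compact model of the first-packet path above
# (session lookup, DNAT before routing, ordered route lookup across VRs with the
# 3-VR limit, SNAT after routing, policy lookup, session creation) plus the fast
# path for packets that already belong to a session. All data is constructed.
import ipaddress as ipa

ROUTE_ORDER = ["pbr", "sibr", "sbr", "dbr", "isp"]   # lookup sequence from the text
SOURCE_KINDS = {"pbr", "sibr", "sbr"}                # simplified: these match the source address
MAX_VRS = 3                                          # a packet may traverse at most 3 VRs


def in_net(ip, net):
    return ipa.ip_address(ip) in ipa.ip_network(net)


class Firewall:
    def __init__(self):
        self.sessions = {}   # 5-tuple -> session record (out_if, dst_zone, NAT marks)
        self.bnat = {}       # static one-to-one: inside ip -> public ip, checked before DNAT/SNAT
        self.dnat = []       # (public dst net, inside dst ip)
        self.snat = []       # (src net, dst zone, translated src ip)
        self.vrs = {}        # vr -> [(kind, prefix, hop)], hop = ("vr", name) or ("if", iface, zone)
        self.policy = []     # (src_zone, dst_zone, dst net, proto or "any", action)

    def route(self, vr, src, dst, visited=1):
        """Steps 4 and 6: ordered lookup in one VR; a next-hop VR repeats the lookup
        there unless that would exceed MAX_VRS."""
        entries = sorted(self.vrs.get(vr, []),
                         key=lambda e: (ROUTE_ORDER.index(e[0]), -ipa.ip_network(e[1]).prefixlen))
        for kind, prefix, hop in entries:
            if in_net(src if kind in SOURCE_KINDS else dst, prefix):
                if hop[0] != "vr":
                    return hop
                if visited + 1 > MAX_VRS:
                    return None                       # too many VRs: drop
                return self.route(hop[1], src, dst, visited + 1)
        return None                                   # no route: drop

    def process(self, pkt, in_vr="trust-vr"):
        """pkt: dict(src, dst, proto, sport, dport, src_zone). Returns (verdict, info)."""
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        if key in self.sessions:                      # step 2: existing session skips 3..10
            return "forward", dict(self.sessions[key], via="session")
        src, dst = pkt["src"], pkt["dst"]
        public_to_inside = {pub: ins for ins, pub in self.bnat.items()}
        if dst in public_to_inside:                   # step 3: BNAT first, then ordinary DNAT
            dst = public_to_inside[dst]
        else:
            dst = next((m for net, m in self.dnat if in_net(dst, net)), dst)
        hop = self.route(in_vr, src, dst)             # step 4: route on the translated destination
        if hop is None:
            return "drop", {"reason": "no route or VR limit exceeded"}
        _, out_if, dst_zone = hop
        if src in self.bnat:                          # step 5: BNAT first, then ordinary SNAT
            src = self.bnat[src]
        else:
            src = next((m for net, z, m in self.snat if in_net(src, net) and z == dst_zone), src)
        # Step 7: policy on zones, addresses and protocol. Assumption of this model:
        # the original source and the DNAT-translated destination are matched.
        action = "deny"
        for sz, dz, dnet, proto, act in self.policy:
            if sz == pkt["src_zone"] and dz == dst_zone and in_net(dst, dnet) and proto in ("any", pkt["proto"]):
                action = act
                break
        if action != "permit":
            return "drop", {"reason": f"policy {action}"}
        sess = {"out_if": out_if, "dst_zone": dst_zone, "snat": src, "dnat": dst}   # steps 9 and 12
        self.sessions[key] = sess
        return "forward", dict(sess, via="policy")


def example_firewall():
    """Constructed configuration: one public server behind DNAT, outbound SNAT,
    a PBR entry that overrides the default route, and a chain of VRs that is too long."""
    fw = Firewall()
    fw.vrs["trust-vr"] = [
        ("dbr", "0.0.0.0/0", ("if", "eth0/1", "untrust")),
        ("dbr", "10.2.0.0/16", ("if", "eth0/5", "L3-zone2")),
        ("dbr", "172.16.0.0/12", ("vr", "vr-a")),
        ("pbr", "10.1.0.99/32", ("if", "eth0/7", "backup")),   # PBR wins over the default DBR
    ]
    fw.vrs["vr-a"] = [("dbr", "172.16.0.0/12", ("vr", "vr-b"))]
    fw.vrs["vr-b"] = [("dbr", "172.16.0.0/12", ("vr", "vr-c"))]     # vr-c would be the 4th VR
    fw.vrs["vr-c"] = [("dbr", "172.16.0.0/12", ("if", "eth0/8", "far"))]
    fw.dnat.append(("203.0.113.10/32", "10.2.0.10"))
    fw.snat.append(("10.1.0.0/16", "untrust", "203.0.113.1"))
    fw.policy += [("untrust", "L3-zone2", "10.2.0.10/32", "tcp", "permit"),
                  ("trust", "untrust", "0.0.0.0/0", "any", "permit"),
                  ("trust", "backup", "0.0.0.0/0", "any", "permit")]
    return fw


if __name__ == "__main__":
    fw = example_firewall()
    pkt = dict(src="198.51.100.7", dst="203.0.113.10", proto="tcp", sport=40000, dport=443, src_zone="untrust")
    print(fw.process(pkt))   # first packet: full path
    print(fw.process(pkt))   # second packet: session hit
```

Two details the model makes visible: the inbound DNAT rule for 203.0.113.10 must be matched by a policy whose destination is the inside address 10.2.0.10 and whose destination zone is the one the route to 10.2.0.10 resolves to, and a route that bounces through more than three VRs is dropped at the hop check rather than looping.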

Working modes

Transparent mode

Routing mode

Mixed mode

Bypass (Tap) mode

Network connection

**Security domain:** A security domain divides the network into parts such as trust (usually the trusted part, for example the intranet) and untrust (usually the untrusted part that carries security threats, for example the Internet). Once policy rules are applied to a security domain, the system can manage and control the traffic entering and leaving it.
**Interface:** Interfaces let traffic enter and leave a security domain. To pass traffic into or out of a security zone, the interface must be bound to that zone and, for a Layer 3 zone, must have an IP address configured. Appropriate policy rules then allow traffic between interfaces in different security domains.
**VLAN:** Virtual local area network.
**DNS:** Domain Name System.
**DHCP:** Dynamic Host Configuration Protocol.
**DDNS:** Dynamic Domain Name Service.
**PPPoE:** Point-to-Point Protocol over Ethernet.
**Virtual Wire:** Direct Layer 2 communication between two subnets.
**Virtual router:** A virtual router has router functions, and different virtual routers have their own independent routing tables.
**Virtual switch:** A virtual switch (VSwitch) has switching functions and works at Layer 2. After a Layer 2 security domain is bound to a VSwitch, the interfaces bound to that domain are bound to the VSwitch as well. Traffic can be passed between Layer 2 and Layer 3 through the VSwitch interface.
**Destination mirroring interface:** The Ethernet ports of the system support interface mirroring. Users can mirror the traffic of one interface to another interface in order to monitor and analyze it.
**3G:** With the 3G function configured, users can access the Internet over a wireless link.
**Link load balancing:** Distributes traffic over different links using dynamic link detection, so that the capacity of every link is used.
**Application layer gateway:** ALG keeps applications that use multiple data channels working, and keeps VoIP applications working after NAT address translation.
**Global network parameters:** Mainly IP packet processing options, such as IP fragmentation handling and the TCP MSS value.

Security domain

In the system, a domain is a logical entity to which one or more interfaces can be bound. A domain to which policy rules are applied is a security domain; a domain that exists for a specific function is a functional domain. Domains have the following characteristics:
Interfaces are bound to domains, Layer 2 domains are bound to VSwitches, and Layer 3 domains are bound to VRouters. Therefore the VSwitch of a Layer 2 domain determines the VSwitch of the interfaces in that domain, and the VRouter of a Layer 3 domain determines the VRouter of the interfaces in that domain.
Whether a domain is Layer 2 or Layer 3 determines whether its interfaces work in Layer 2 mode or Layer 3 mode.
The system supports intra-domain policy rules, such as a rule from trust to trust.
The system predefines eight security domains: trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, vpnhub (VPN functional domain) and ha (HA functional domain). Users can also define their own domains. There is no functional difference between predefined and user-defined domains, and either can be used freely.

interface

Interfaces allow traffic to and from the security domain. Therefore, to allow traffic to flow in and out of a certain security zone, the interface must be bound to the security zone, and, if it is a Layer 3 security zone, an
IP address must be configured for the interface. Then, appropriate policy rules must be configured to allow traffic between interfaces in different security domains. Multiple interfaces can be bound to one
security zone, but one interface cannot be bound to multiple security zones.
The security gateway device has various types of interfaces, which can be divided into physical interfaces and logical interfaces according to different properties.
Physical interface: Each Ethernet interface on the security device represents a physical interface. The name of the physical interface is predefined and
consists of media type, slot number and positional parameters, for example ethernet2/1 or ethernet0/2.
Logical interface: Logical interfaces in the system include sub-interfaces, VSwitch interfaces, VLAN interfaces, loopback interfaces, tunnel interfaces, aggregation interfaces, redundant interfaces, PPPoE interfaces, and
Virtual Forward interfaces.
Depending on the security zone where the interface is located, the interface can also be divided into Layer 2 interfaces and Layer 3 interfaces.
Layer 2 interface: All interfaces belonging to a Layer 2 domain or VLAN are Layer 2 interfaces.
Layer 3 interface: The interface belonging to the Layer 3 domain is a Layer 3 interface. Only Layer 3 interfaces can work in NAT/routing mode.

Different types of interfaces serve different functions in the security gateway.
[Table: descriptions of the logical interface types; present only as an image in the source and not reproduced here]

DNS

DNS is the abbreviation of Domain Name System, a naming system for computers and network services organized as a hierarchy of domains. It is used on TCP/IP networks, mainly to look up Internet domain names (such as www.xxxx.com) and translate them into IP addresses (such as 10.1.1.1) in order to locate the right computer and service.
The DNS functions of the system are:
Server: configure the DNS servers used by the device.
Resolution: set the retry count and response timeout of the device's DNS function, and the TTL of the responses returned by the device's DNS proxy.
Proxy: the device acts as a DNS proxy server for the PCs (clients) connected to it, and can forward queries to different domain name servers depending on the domain name.
Cache: DNS mapping entries are kept in a cache to speed up lookups; entries can be created, edited and deleted.
NBT cache: display the NetBIOS (NBT) name cache.

DNS cache

While the DNS function is in use, the system keeps DNS mapping entries in a cache to speed up lookups. Entries reach the cache in three ways:
Dynamically: from DNS responses.
Statically: added manually to the cache.
By registration: DNS hostnames defined by functional modules of the device, such as NTP, AAA and the address book.
Commands are available to add static entries to the cache, view the cached entries, and clear the dynamic entries.

DHCP

DHCP is the abbreviation of Dynamic Host Configuration Protocol. DHCP automatically assigns IP addresses and related network parameters to hosts on a subnet, which reduces the administration effort; it also avoids address conflicts and reclaims addresses that are no longer in use.
The system supports the DHCP client, DHCP server and DHCP relay agent functions.
DHCP client: an interface of the device can be configured as a DHCP client that obtains its IP address and network parameters dynamically from a DHCP server. For the DHCP client configuration, see "Configuring the Interface" in the user manual (page 39).
DHCP server: an interface of the device can be configured as a DHCP server that assigns IP addresses and network parameters from a configured address pool to the hosts connected to that interface.
DHCP relay agent: an interface of the device can be configured as a DHCP relay agent, which forwards the DHCP requests of the hosts connected to that interface to a DHCP server on another network and relays the server's replies back to the hosts.
Although the device offers all three DHCP functions, only one of them can be configured on any given interface.

PPPoE

PPPoE is the abbreviation of Point-to-Point Protocol over Ethernet. PPPoE carries PPP over Ethernet; besides assigning IP addresses, it provides access control, authentication and accounting for clients.
The protocol has two phases, the discovery phase and the PPP session phase.
Discovery phase: the client locates a PPPoE access concentrator, obtains its Ethernet MAC address, and a PPPoE session identifier (Session ID) is established.
PPP session phase: the client performs PPP negotiation with the access concentrator chosen in the discovery phase; this negotiation is the same as standard PPP negotiation.
An interface of the device can be configured as a PPPoE client to establish a PPPoE connection.
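The discovery phase is a four-frame exchange (PADI, PADO, PADR, PADS) defined in RFC 2516, and it is where a PPPoE client learns the access concentrator's MAC address and its Session ID. The following Python is an added example, not device code: it builds and strictly parses the discovery frames, and runs the exchange between a client and an access concentrator (AC). The MAC addresses, AC name and secret are constructed. The AC issues an AC-Cookie that is a keyed hash of the client MAC, so it stores no state until a PADR with a valid cookie arrives (the RFC's protection against PADR floods), and the client uses Host-Uniq to match PADO/PADS replies to its own request.

```python
# Added example, not device code: the PPPoE discovery phase (RFC 2516) between a
# client and an access concentrator. MAC addresses, AC name and secret are constructed.
import hashlib
import os
import struct

ETH_DISCOVERY = 0x8863                                  # EtherType of PPPoE discovery frames
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65         # discovery codes
TAG_EOL, TAG_SERVICE, TAG_ACNAME, TAG_HOSTUNIQ, TAG_COOKIE = 0x0000, 0x0101, 0x0102, 0x0103, 0x0104
BCAST = b"\xff" * 6


def build(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE header (ver=1, type=1) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return dst + src + struct.pack("!HBBHH", ETH_DISCOVERY, 0x11, code, session_id, len(payload)) + payload


def parse(frame):
    """Strict parser: rejects a wrong EtherType/version and any length that overruns the frame."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    etype, vt, code, sid, length = struct.unpack("!HBBHH", frame[12:20])
    if etype != ETH_DISCOVERY or vt != 0x11:
        raise ValueError("not a PPPoE discovery frame")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("payload shorter than the PPPoE length field")
    tags, off = {}, 0
    while off + 4 <= length:
        t, l = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if t == TAG_EOL:
            break
        if off + l > length:
            raise ValueError("tag runs past the payload")
        tags[t] = body[off:off + l]                     # no duplicate tags are used here
        off += l
    return {"dst": dst, "src": src, "code": code, "session_id": sid, "tags": tags}


class AccessConcentrator:
    def __init__(self, mac, name, secret):
        self.mac, self.name, self.secret = mac, name, secret
        self.next_sid = 1                               # valid session IDs are 1..0xFFFE
        self.sessions = {}                              # client MAC -> session id

    def cookie(self, client_mac):
        # Keyed hash of the client MAC: verifiable later without storing PADI state.
        return hashlib.sha256(self.secret + client_mac).digest()[:8]

    def handle(self, frame):
        f = parse(frame)
        echo = [(TAG_HOSTUNIQ, f["tags"][TAG_HOSTUNIQ])] if TAG_HOSTUNIQ in f["tags"] else []
        service = f["tags"].get(TAG_SERVICE, b"")
        if f["code"] == PADI and f["dst"] == BCAST:
            tags = [(TAG_ACNAME, self.name), (TAG_SERVICE, service), (TAG_COOKIE, self.cookie(f["src"]))]
            return build(f["src"], self.mac, PADO, 0, tags + echo)
        if f["code"] == PADR and f["dst"] == self.mac:
            if f["tags"].get(TAG_COOKIE) != self.cookie(f["src"]):
                return None                             # forged or replayed PADR: allocate nothing
            if f["src"] not in self.sessions:
                self.sessions[f["src"]] = self.next_sid
                self.next_sid += 1
            return build(f["src"], self.mac, PADS, self.sessions[f["src"]], [(TAG_SERVICE, service)] + echo)
        return None


class Client:
    def __init__(self, mac, service=b""):
        self.mac, self.service = mac, service
        self.host_uniq = os.urandom(4)                  # ties PADO/PADS replies to this PADI
        self.ac_mac = self.session_id = None

    def padi(self):
        return build(BCAST, self.mac, PADI, 0, [(TAG_SERVICE, self.service), (TAG_HOSTUNIQ, self.host_uniq)])

    def padr(self, pado):
        f = parse(pado)
        if f["code"] != PADO or f["tags"].get(TAG_HOSTUNIQ) != self.host_uniq:
            return None                                 # not an answer to our PADI
        self.ac_mac = f["src"]                          # the AC chosen in the discovery phase
        tags = [(TAG_SERVICE, self.service), (TAG_HOSTUNIQ, self.host_uniq)]
        if TAG_COOKIE in f["tags"]:
            tags.append((TAG_COOKIE, f["tags"][TAG_COOKIE]))   # AC-Cookie must be echoed unchanged
        return build(self.ac_mac, self.mac, PADR, 0, tags)

    def accept(self, pads):
        f = parse(pads)
        if f["code"] != PADS or f["src"] != self.ac_mac or f["session_id"] == 0:
            return None
        self.session_id = f["session_id"]
        return self.session_id


def discover(client, ac):
    """Run PADI -> PADO -> PADR -> PADS; returns the session id, or None on failure."""
    pado = ac.handle(client.padi())
    padr = client.padr(pado) if pado else None
    pads = ac.handle(padr) if padr else None
    return client.accept(pads) if pads else None
```

After `discover` returns, the client holds the AC's MAC and a non-zero Session ID, which is exactly the state the PPP session phase (EtherType 0x8864) needs; a PADR carrying a wrong cookie is ignored by the AC and a truncated frame is rejected by the parser instead of being read past its end.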

Virtual Wire

The device supports the Virtual Wire function on a VSwitch. After the function is enabled and a Virtual Wire interface pair is configured, the two interfaces of the pair form a virtual wire that joins the two subnets attached to them. The two subnets communicate directly at Layer 2, without MAC address learning and without forwarding through any other subnet, and policy rules can still be applied to the traffic crossing the pair.
Virtual Wire has two modes, Strict and Non-Strict:
Strict mode: packets are only passed between the interfaces of a Virtual Wire pair, and the VSwitch cannot work in mixed (Layer 2 plus Layer 3) mode. A PC connected to a Virtual Wire interface can neither manage the device nor access the Internet through that interface.
Non-Strict mode: in addition to passing packets between the interfaces of a Virtual Wire pair, the VSwitch also supports mixed-mode forwarding. Only Layer 2 packets are confined to the Virtual Wire pair; Layer 3 forwarding is not affected.

Source: blog.csdn.net/weixin_64717288/article/details/128035682