[Network Security] Comprehensive Diagram of Firewall Knowledge Points (2)


21. What does the access control list of the router look like?

Usually a rule set is composed of multiple ACL entries; an entry is also called a table item. A table item consists of 3 elements: the object, the action, and the option.

For example, in a Cisco standard access control list an entry allows only the source IP address as the object, and the action is a choice between allow (permit) and deny (deny). When the condition is met, that is, when the object is matched, the option can specify operations such as logging or a validity time for the entry. With the validity time option you can, for instance, set an entry that applies only during the company's business hours.

In an extended access control list, the object is not limited to the IP address: it can also be the IP protocol number, source IP address, destination IP address, ToS field, ICMP type, ICMP message, source TCP/UDP port number, destination TCP/UDP port number, whether the TCP session has already been established, and so on.

For example, to allow the client with IP address 10.1.1.2 to make a Telnet connection to the server with IP address 172.16.1.1 (Telnet uses TCP port 23), the access control list entry is as follows:

access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet
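As an added example (not code from the original post), the following Python parses Cisco-style extended ACL lines such as the one above and evaluates a packet against them in order, ending with the implicit deny. The handled keyword subset (any, host, wildcard mask, eq) and the small port-name table are assumptions for illustration; IOS supports far more.

```python
# Added example (not from the original post): parse Cisco-style extended ACL
# lines and evaluate a packet against them top to bottom. The keyword and
# port-name subset handled here is an assumption for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22, "domain": 53}  # small assumed table


@dataclass
class AclEntry:
    number: int
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" (any protocol), "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]        # None means "any destination port"


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A Cisco wildcard mask is the inverse of a netmask: 0 bits must match, 1 bits are ignored.
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl_line(line: str) -> AclEntry:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    number, action, proto = int(t[1]), t[2], t[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":            # 'eq telnet' or 'eq 23'
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return AclEntry(number, action, proto, src, dst, port)


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str, dport: Optional[int]) -> str:
    """Top-down, first match wins; an ACL always ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        if e.protocol not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action
    return "deny"                              # implicit deny at the end of every ACL


# The entry from the text: only 10.1.1.2 may open Telnet (TCP/23) to 172.16.1.1.
ACL_101 = [parse_acl_line("access-list 101 permit tcp host 10.1.1.2 host 172.16.1.1 eq telnet")]
```

Anything that does not match the single entry (another source host, another port, UDP instead of TCP) falls through to the implicit deny, which is the behaviour to keep in mind when an ACL seems to "block everything".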

22. What is the security policy of the firewall?

Compared with the access control list of a router, the biggest difference in the security policy of a firewall is the object. The firewall uses the zone as the object, and can also use information such as the application name and the user name as the object.

No. | Source zone | Destination zone | Source address | Destination address | Destination port | Action
1 | Trust | Untrust | 192.168.1.0/24 | Any | Any | Allow
2 | Trust | Untrust | 192.168.2.0/24 | Any | 80 | Deny
3 | Untrust | DMZ | Any | 10.1.1.1 | 80 | Allow

For example, with the security policy in the table above, when 192.168.2.1 in the trusted zone communicates with port 80 in the untrusted zone, the firewall first checks security policy 1, finds that the source address does not match, and does not execute Allow. It then checks security policy 2, finds that the address and port match, and executes Deny, that is, the communication is refused. The firewall's security policies are evaluated sequentially from top to bottom; this is called security policy lookup (policy lookup).

Any indicates that every value matches the policy. If a communication is not defined in the security policy, such as communication from the trusted zone to the DMZ zone, the firewall denies it by default. This policy is called "default deny" (implicit deny).

If communication that matches no policy should be allowed instead, you can add a policy with Any as every object and Allow as the action in the last line of the security policy.

No. | Source zone | Destination zone | Source address | Destination address | Destination port | Action
1 | Trust | Untrust | 192.168.1.0/24 | Any | Any | Allow
2 | Trust | Untrust | 192.168.2.0/24 | Any | 80 | Deny
3 | Untrust | DMZ | Any | 10.1.1.1 | 80 | Allow
4 | Any | Any | Any | Any | Any | Allow

Of course, the number of security policies a firewall supports has an upper limit, determined by the product specification. Moreover, the more entries there are, the lower the performance of the device.
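The policy lookup just described, as an added example that is not part of the original post: the three policies from the table are evaluated top to bottom with first match wins and an implicit deny, and the fourth Any/Allow line is shown turning that implicit deny into an implicit allow. The lookup addresses are constructed.

```python
# Added example (not from the original post): a zone-based security policy table
# evaluated the way the text describes: top to bottom, first match wins, implicit
# deny when nothing matches. Addresses used in the sample lookups are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"


@dataclass
class Policy:
    seq: int
    src_zone: str
    dst_zone: str
    src_addr: str      # CIDR, single IP, or "Any"
    dst_addr: str
    dst_port: str      # port number as text, or "Any"
    action: str        # "Allow" or "Deny"

    def matches(self, src_zone: str, dst_zone: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        def zone_ok(want, got):
            return want == ANY or want == got

        def addr_ok(want, got):
            return want == ANY or ipaddress.ip_address(got) in ipaddress.ip_network(want, strict=False)

        def port_ok(want, got):
            return want == ANY or int(want) == got

        return (zone_ok(self.src_zone, src_zone) and zone_ok(self.dst_zone, dst_zone)
                and addr_ok(self.src_addr, src_ip) and addr_ok(self.dst_addr, dst_ip)
                and port_ok(self.dst_port, dport))


def policy_lookup(policies: List[Policy], src_zone: str, dst_zone: str,
                  src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the matching policy); ("Deny", None) is the implicit deny."""
    for p in sorted(policies, key=lambda p: p.seq):
        if p.matches(src_zone, dst_zone, src_ip, dst_ip, dport):
            return p.action, p.seq
    return "Deny", None


def catch_all_allow_present(policies: List[Policy]) -> bool:
    """Audit helper: a final Any/Any/Any Allow replaces the implicit deny with an implicit allow."""
    last = max(policies, key=lambda p: p.seq)
    return (last.action == "Allow" and last.src_zone == ANY and last.dst_zone == ANY
            and last.src_addr == ANY and last.dst_addr == ANY and last.dst_port == ANY)


# The three policies from the table in the text.
BASE_POLICY = [
    Policy(1, "Trust", "Untrust", "192.168.1.0/24", ANY, ANY, "Allow"),
    Policy(2, "Trust", "Untrust", "192.168.2.0/24", ANY, "80", "Deny"),
    Policy(3, "Untrust", "DMZ", ANY, "10.1.1.1", "80", "Allow"),
]
# The same table with the fourth line from the text appended.
CATCH_ALL_POLICY = BASE_POLICY + [Policy(4, ANY, ANY, ANY, ANY, ANY, "Allow")]
```

The `catch_all_allow_present` check is the kind of thing a policy audit script flags: with policy 4 in place, Trust-to-DMZ traffic that the administrator never defined is allowed rather than dropped.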

23. What is Content Security Policy?

The firewall not only sets security policies based on zones, IP addresses, port numbers, applications and so on, but can also use content security policies for communication control. Content security policy includes anti-virus, IPS (Intrusion Prevention System), URL filtering, DLP (Data Leakage Prevention) and other content-based security mechanisms, which can block illegal communications and avoid unnecessary traffic. It is also possible not to intercept such communications but to record them in the alarm log and then let them pass.

The default setting of security devices is to block attacks of high severity and only record attacks of low severity in the alarm log. Of course, severity levels can be customized, and the setting can also be changed to block attacks of low severity.

Anti-virus and IPS can make misjudgments, which are divided into false positives and false negatives.

  • A false positive means that there is no attack or virus intrusion, but it is judged to be one and recorded in the log, or the communication is intercepted. This type of error is easy for users to notice.
  • A false negative means that there is an attack, but it is judged that there is none: the communication is allowed and not recorded in the log, so the serious consequences cannot be detected. Such unrecognized attacks can only be found if anti-virus software or firewall software is installed on the PC. This kind of error generally arises because the signature itself does not exist, or because detection fails while the signature is mistakenly assumed to exist.

24. What is NAT?

Private IP addresses can only communicate within the internal network. To access the external network (Internet), the private IP address can be converted into a public IP address by a router or firewall. This process is called NAT (Network Address Translator).

NAT used to be a function of routers; later, firewalls at the network border also commonly provided it. A router or firewall running the NAT function is also called a gateway.

1. Static NAT

Static NAT refers to a one-to-one correspondence between the address before NAT translation and the address after translation. Usually one private address corresponds to one public address, and the mapping is configured manually on the gateway.

2. Dynamic NAT

Dynamic NAT configures an IP address pool on the gateway that contains multiple IP addresses. When NAT establishes a session, an address from the pool is assigned in sequence as the translated IP address. Since the address range can be set and changed manually, this method is more widely used.

Although it resembles static NAT in that the private address and the public address still map one-to-one, the translated address is not a fixed, specified address but the first available address dynamically allocated from the IP address pool.

3. Source NAT

Source NAT performs NAT translation on the sender's source IP address. When a client in the company's internal network wants to access a server on the Internet, the client's private address is the sending source, and when the data reaches the gateway that private IP address must be converted into a public IP address.

To communicate with servers on the Internet, public IP addresses must be used, but IPv4 addresses are limited and it is impossible to assign a public address to every client. In most cases, source NAT saves public address resources by using dynamic NAT: either set an address pool on the gateway, or use NAPT on the gateway's interface, so that the private network can access the Internet.

The external network can only see the public network address information, and the source NAT can hide the IP address actually used by the client, thereby reducing the risk of being attacked by the external network.

4. Destination NAT

Destination NAT (Destination NAT) is to perform NAT translation on the received destination IP address.

When an Internet client wants to access an internal server through the gateway, the server cannot be reached directly from the Internet because it uses an internal address, so destination NAT is required. Acting as a proxy for the internal server, the gateway maps the server's internal address to a public address. When it receives traffic from an external client to that public address, the gateway converts the destination address of the packet into the private address of the internal server, and routing and access are completed. Servers in the company are usually placed in the DMZ zone, which hides the internal server's address from the external network and thereby protects the internal network from attack.

5. NAPT

When there are a large number of intranet clients to communicate with the external network, but only one or a small number of public network addresses, the gateway cannot complete the one-to-one allocation of private addresses and public network addresses.

At this time, the gateway needs to use the TCP or UDP port number in addition to the address in order to map multiple private addresses onto one public address. This translation method is called NAPT (Network Address Port Translation).
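The four translation types above, static NAT, dynamic NAT from a pool, NAPT, and the reverse mapping that destination NAT performs, as one added toy gateway (example code, not from the original post). All addresses are constructed documentation-range values, and handing out NAPT ports sequentially from 1024 is an assumption.

```python
# Added example (not from the original post): a toy gateway that applies the
# translation types described above in the order static NAT, dynamic NAT from
# a pool, then NAPT on one public address once the pool is empty, and reverses
# them for inbound traffic (destination NAT). Addresses are constructed
# documentation-range values; port allocation from 1024 upward is an assumption.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NatGateway:
    static_map: Dict[str, str]                      # private -> public, fixed one-to-one
    pool: List[str]                                 # dynamic NAT address pool
    napt_public_ip: str                             # single public address used for NAPT
    dynamic_map: Dict[str, str] = field(default_factory=dict)
    napt_table: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (priv ip, priv port) -> public port
    next_port: int = 1024

    def translate_source(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Outbound (source NAT): the (public ip, public port) written into the packet."""
        if src_ip in self.static_map:                      # 1. static NAT, no port change
            return self.static_map[src_ip], src_port
        if src_ip in self.dynamic_map:                     # 2. dynamic NAT, address kept for the session
            return self.dynamic_map[src_ip], src_port
        in_use = set(self.dynamic_map.values())
        for addr in self.pool:                             #    first free address in the pool
            if addr not in in_use:
                self.dynamic_map[src_ip] = addr
                return addr, src_port
        key = (src_ip, src_port)                           # 3. pool exhausted: NAPT, many -> one
        if key not in self.napt_table:
            self.napt_table[key] = self.next_port
            self.next_port += 1
        return self.napt_public_ip, self.napt_table[key]

    def translate_destination(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Inbound (destination NAT): map a public (ip, port) back to the private host, or None."""
        for priv, pub in self.static_map.items():
            if pub == dst_ip:
                return priv, dst_port
        for priv, pub in self.dynamic_map.items():
            if pub == dst_ip:
                return priv, dst_port
        if dst_ip == self.napt_public_ip:
            for (priv_ip, priv_port), pub_port in self.napt_table.items():
                if pub_port == dst_port:
                    return priv_ip, priv_port
        return None   # nothing maps to it: the gateway drops it and the inside stays hidden


def make_gateway() -> NatGateway:
    """Constructed configuration: one static mapping, a two-address pool, one NAPT address."""
    return NatGateway(static_map={"10.0.0.5": "203.0.113.5"},
                      pool=["203.0.113.10", "203.0.113.11"],
                      napt_public_ip="203.0.113.1")
```

With three internal hosts and a two-address pool, the third host is the one that gets NAPT, and an inbound packet to a public port that no session allocated is dropped, which is the address-hiding effect the text describes.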

25. What is a VPN?

VPN, in full Virtual Private Network, is a virtual private network. VPN is a technology that builds an internal network over the public network provided by telecom operators.

Financial and personnel data on the internal network is confidential to the outside world and must be transmitted in a closed manner internally. If there is only one office, an intranet can be built with a LAN. However, if there are branches in both Beijing and Shanghai, an intranet must be built between the different office locations. Telecom operators offer leased line services that can connect intranets in different regions. A leased line is used exclusively by one customer, so there is no need to worry about data being eavesdropped and the communication quality is guaranteed, but leased lines are expensive.

There are also Internet access services such as ADSL. Although this is a shared network, it is cheap and has a cost advantage for building an intranet. Routers, firewalls and VPN devices all support the IPsec VPN function; in each branch, these devices are used to establish IPsec tunnels and complete the construction of the VPN.

26. What kinds of network topologies does VPN have?

Common VPN network topologies are point-to-point VPN , central VPN , and remote access VPN .

1. Point-to-point VPN

Point-to-point VPN (site-to-site VPN) is a topology that connects two networks through an IPsec tunnel. The gateway of each network, usually a network device such as a router or a firewall, establishes the IPsec tunnel between the two networks in a point-to-point topology.

The networks here are networks that are not in the same LAN, for example the Chengdu site and the Guangzhou headquarters. Because it is a connection between sites, it is called a site-to-site (point-to-point) VPN.

2. Central VPN

Central VPN (hub-and-spoke VPN) is a star topology, that is, a central site device connected to multiple remote site devices. The central site (center site), the headquarters' network or data center, is the core site of the whole structure. Generally it is a VPN service provided by a telecom operator, with the operator's infrastructure as the central site connecting to the other sites through the VPN.

3. Remote access VPN

When at home or on a business trip, the topology in which software on the PC establishes an IPsec tunnel over the Internet to the company's VPN device in order to access the company's internal network is called remote access VPN.

For remote access with IPsec-VPN, VPN client software must be installed on the PC, whereas SSL-VPN uses a Web browser to connect to the company's VPN device over SSL (HTTPS) and from there to the company's internal network.

27. What are the proper terms for IPsec VPN?

  • SA (Security Association): Logical connection established during IPsec communication.

  • ESP (Encapsulating Security Payload): The original message is encrypted with an algorithm such as DES, 3DES or AES, and whether the data has been tampered with is determined by HMAC. The IP protocol number used is 50.

  • AH (Authentication Header): An authentication protocol that determines whether a message has been tampered with based on HMAC information. It does not encrypt the message; the IP protocol number used is 51.

  • IKE (Internet Key Exchange): The protocol used by IPsec to exchange key information, also called ISAKMP/Oakley. The Oakley key exchange process is implemented on top of the ISAKMP protocol. UDP port 500 is used. Processing is divided into Phase 1 and Phase 2.

  • HMAC (Keyed-Hashing for Message Authentication Code): A kind of MAC (Message Authentication Code) used to verify whether information has been tampered with. The message authentication code is calculated by combining a hash function with key information; the hash function is generally MD5 or SHA-1.

  • SPI (Security Parameter Index): A 32-bit number identifying the SA. When encrypting a message, this value indicates which encryption algorithm and key information are used.

  • NAT traversal: A message encrypted by ESP cannot pass through NAPT because it has no TCP/UDP header. NAT traversal technology adds a UDP header to the ESP-encrypted message so that IPsec communication can take place in a NAPT environment. Port number 500 or 4500 is generally used.

  • IPsec-VPN connection : When establishing an IPsec tunnel, the party that initiates the negotiation is called the initiator (initiator), and the other party is called the responder (responder). The sender is the device that first sends out packets through the IPsec tunnel.

  • Rekey: After the IPsec tunnel is established, a rekey is performed after a certain time or after a certain amount of data. VPN devices can change the rekey interval.

28. What is the process of point-to-point VPN?

For example: when network A and network B are connected through an IPsec tunnel, PC1 on network A wants to communicate with PC2 on network B.

PC1 sends a request to the gateway of network A, that is, VPN device A. At this time, the message has not been encrypted and is in plain text. VPN device A encrypts the message, adds the ESP header and the IP header used in the tunnel (called the outer layer IP address), and then sends it out through the IPsec tunnel.

VPN device B on network B receives the encrypted message through the IPsec tunnel and checks the ESP header and AH header. If the ESP sequence number is incorrect, VPN device B treats it as a replay attack and outputs an error message; if the SPI value is incorrect, it outputs a "Bad SPI" error notification message.

If the encrypted message is normal, it is decrypted, the outer IP, ESP, AH and other headers are removed, and the packet is routed to PC2 according to the destination address of the original IP header.

When PC2 replies a message to PC1, VPN device B encrypts it, and VPN device A decrypts it.
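The receiver-side checks that VPN device B performs, as an added example that is not code from the original post: SPI lookup ("Bad SPI"), the sequence-number anti-replay window, an integrity check with HMAC-SHA1 truncated to 96 bits (the HMAC-SHA1-96 ICV), and only then the window update. Decryption is left out and the payload is treated as already-encrypted bytes; the SPI, key and 64-packet window size are constructed or assumed values.

```python
# Added example (not from the original post): the receiver-side checks described
# above, in the order an IPsec stack applies them: SPI lookup, anti-replay
# sequence check, integrity check (HMAC-SHA1 truncated to 96 bits), and only
# then the window update. Decryption is omitted; SPI, key and window size are
# constructed or assumed values.
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict

WINDOW = 64          # assumption: 64-packet anti-replay window
ICV_LEN = 12         # 96-bit ICV


@dataclass
class InboundSA:
    spi: int
    auth_key: bytes
    highest_seq: int = 0
    bitmap: int = 0  # bit i set => sequence number (highest_seq - i) already accepted

    def seq_is_fresh(self, seq: int) -> bool:
        """Check without updating state; ESP sequence numbers start at 1."""
        if seq == 0:
            return False
        if seq > self.highest_seq:
            return True
        diff = self.highest_seq - seq
        if diff >= WINDOW:                 # older than the window: treated as a replay
            return False
        return not (self.bitmap & (1 << diff))

    def mark_received(self, seq: int) -> None:
        """Slide the window only after the ICV verified, so forged packets cannot move it."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.bitmap |= 1 << (self.highest_seq - seq)


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Sender side: SPI | sequence number | payload | ICV."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def receive_esp(sadb: Dict[int, InboundSA], packet: bytes) -> str:
    """Return the verdict a VPN device would log for this packet."""
    if len(packet) < 8 + ICV_LEN:
        return "malformed"
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sadb.get(spi)
    if sa is None:
        return "Bad SPI"                   # no SA with that SPI on this device
    if not sa.seq_is_fresh(seq):
        return "replay"                    # duplicate or too-old sequence number
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "auth failed"               # modified in transit
    sa.mark_received(seq)
    return "ok"


AUTH_KEY = b"constructed-demo-auth-key"   # constructed demo key


def make_sadb() -> Dict[int, InboundSA]:
    """Constructed SA database with one inbound SA."""
    return {0x1001: InboundSA(spi=0x1001, auth_key=AUTH_KEY)}
```

Note the ordering: a packet whose ICV fails never updates the window, so someone who can inject packets cannot advance the receiver's sequence counter and cause legitimate traffic to be dropped as "replay".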

This is also the case for VPN communications between remote site clients of a central VPN and the central site server.

29. What is the communication process between remote sites?

For example: remote site A, remote site B, and central site VPN device C. A's PC1 communicates with B's PC2.

The packet passes through the IPsec tunnel between VPN device A and VPN device C, then passes through the IPsec tunnel between VPN device C and VPN device B, and finally reaches PC2.

If the central site is a router or VPN device, typically only decryption, encryption, and routing are processed. If the central site is a firewall, it will check the packets after they are decrypted, and only encrypt the safe packets before sending them to the remote site.

30. What is policy-based VPN?

Routers and VPN devices often use policy-based VPNs. Policy-based VPN refers to controlling the flow through the IPsec tunnel according to the policy ( access control list ), so that even if the path changes, it will not affect the IPsec communication.

Policy-based VPN requires setting the IPsec policy and proxy ID information. The proxy ID specifies the local network and remote network whose packets are transmitted through the IPsec tunnel.

For example: site A and site B form a network with a point-to-point VPN, where site A's networks are 192.168.1.0/24 and 192.168.2.0/24, and site B's networks are 192.168.3.0/24 and 192.168.4.0/24. If only communication between 192.168.1.0/24 and 192.168.3.0/24 is to be encrypted, then the VPN device at site A sets the local proxy ID to 192.168.1.0/24 and the remote proxy ID to 192.168.3.0/24. On the VPN device at site B, set the local proxy ID to 192.168.3.0/24 and the remote proxy ID to 192.168.1.0/24.
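The proxy ID rule from this example, as added illustration code (not from the original post): the two sites' proxy IDs must mirror each other, and in a policy-based VPN only traffic matching the local/remote selectors is sent into the tunnel. The hypothetical `ProxyId`, `mirrored` and `selects_tunnel` names are assumptions for this example.

```python
# Added example (not from the original post): proxy ID mirroring and traffic
# selection for the site A / site B configuration in the text.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    local: str    # local network, CIDR
    remote: str   # remote network, CIDR


def mirrored(a: ProxyId, b: ProxyId) -> bool:
    """Phase 2 negotiation only succeeds when B's local equals A's remote and vice versa."""
    return (ipaddress.ip_network(a.local) == ipaddress.ip_network(b.remote)
            and ipaddress.ip_network(a.remote) == ipaddress.ip_network(b.local))


def selects_tunnel(pid: ProxyId, src: str, dst: str) -> bool:
    """Policy-based VPN: a packet enters the tunnel only if it matches the proxy ID selectors."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(pid.local)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(pid.remote))


# Settings from the text.
SITE_A = ProxyId(local="192.168.1.0/24", remote="192.168.3.0/24")
SITE_B = ProxyId(local="192.168.3.0/24", remote="192.168.1.0/24")
```

Traffic from 192.168.2.0/24 at site A is not selected because it is outside the local proxy ID, which is exactly the behaviour the example above asks for; a mismatched proxy ID on one side is a common reason a phase 2 negotiation fails.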


31. What is a route-based VPN?

Route-based VPNs are usually the type of VPN used by firewall products. The firewall will carry out precise control on IPsec packets.

In a route-based VPN, the IPsec tunnel is represented by a virtual interface, also called the tunnel interface, through which traffic enters the IPsec tunnel. If there is traffic that needs to be transmitted through the IPsec tunnel, set a route that forwards it to the tunnel interface.

Policy-based VPNs use policies to control the flow of IPsec communications, while route-based VPNs use routing information on tunnel interfaces to control the flow of IPsec communications. Therefore, when performing IPsec communication, you can define packet filtering and firewall processing through policies in the same way as processing ordinary packets.

32. What is Phase 1?

In IPsec communication, in order to establish the SA of the encrypted tunnel, it is necessary to use the IKE protocol to complete the key exchange between the devices.

To improve security, the IKE protocol is divided into phase 1 and phase 2. IKE phase 1 completes the identification and protection of both sides of the SA communication, generates the public key material required by phase 2, and establishes the IKE SA.

Parameter | Value | Description
Mode | main mode or aggressive mode | In main mode, the IP address is used to identify the device. If both VPN devices at the tunnel ends have fixed IP addresses, main mode can be used. If one end obtains its IP address automatically via PPPoE or DHCP, aggressive mode must be used
Authentication method | Digital certificate or pre-shared key | Using a certificate issued by a public certification authority is more secure, but the application process is cumbersome. With a pre-shared key, the devices at both ends of the tunnel authenticate with the same password, which is very simple to introduce. When using a digital certificate, the key type (RSA or DSA) and key length (number of bits) must be specified. Common key lengths are 512 / 768 / 1024 / 2048 bits; the larger the number of bits, the stronger the security
Diffie-Hellman group | group1, group2, group5 | Abbreviated DH; the larger the group number, the stronger the public key used in the Oakley key exchange. group1 is 768 bits long, group2 is 1024 bits, group5 is 1536 bits
Encryption algorithm | DES, 3DES, AES | DES has a 56-bit key, 3DES a 168-bit key, and AES a 128 / 192 / 256-bit key; AES is the most commonly used. The longer the key and the higher the strength, the more time processing takes
Authentication algorithm | MD5, SHA-1 | MD5 uses a 128-bit hash value and SHA-1 a 160-bit hash value to authenticate the message. Because SHA-1's hash value is longer, the probability of a "collision" (different data producing the same hash result) is lower
IKE ID | IP address or FQDN | Identifier used to identify the peer device for IKE. Most use the IP address; some use an FQDN or another identifier

33. What is Phase 2?

IKE Phase 2 is responsible for generating keys used in IPsec communications and establishing IPsec SAs.

Parameter | Value | Description
IPsec protocol | AH, ESP | AH can only be used for authentication; ESP can perform both authentication and encryption
Mode | tunnel mode, transport mode | Use tunnel mode when building a VPN over IPsec, and transport mode when establishing an IPsec tunnel between end hosts
ESP options | | Specifies whether ESP is used for encryption only or for both encryption and authentication. This parameter is generally set to the latter
Encryption and authentication algorithms | DES, 3DES, AES | DES has a 56-bit key, 3DES a 168-bit key, and AES a 128 / 192 / 256-bit key; AES is the most commonly used. The longer the key and the higher the strength, the more time processing takes
Anti-replay option | ON, OFF | When the anti-replay option is enabled, the IPsec tunnel checks the sequence number of each received encrypted message, discards messages with an incorrect sequence number, and notifies the administrator by logging. This function is mainly used to prevent replay attacks, in which the content of a captured encrypted message is sent again to "replay" the original message
PFS option | ON, OFF | This option prevents one key from becoming a clue for cracking other keys. When PFS is enabled, the Diffie-Hellman algorithm is run again whenever the IPsec SA key is generated or updated, and, as in phase 1, a Diffie-Hellman group type is selected
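What the PFS row means in practice, as an added example that is not code from the original post. It runs a phase 1 exchange and then two phase 2 rekeys, once without and once with PFS, and models a party who captured the wire and later learns the phase 1 root secret: without PFS the IPsec key is recomputable from that secret plus the public nonces, with PFS it is not. The Diffie-Hellman group is a toy (p = 2^127 - 1, which is prime, g = 3) and not an IKE group, and HMAC-SHA256 stands in for IKE's PRF; both are assumptions for illustration.

```python
# Added example (not from the original post): why the PFS option matters.
# Toy DH group (p = 2^127 - 1 is prime, g = 3); NOT an IKE group. HMAC-SHA256
# stands in for IKE's PRF. Nonces and private values are generated locally.
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

P = (1 << 127) - 1       # toy prime modulus (assumption; real IKE groups are 768 bits and up)
G = 3


def dh_keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1      # private value in 1 .. P-2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def prf(root: int, *parts: bytes) -> str:
    """Stand-in for IKE's keyed PRF: HMAC-SHA256 keyed with the root secret."""
    return hmac.new(root.to_bytes(16, "big"), b"|".join(parts), hashlib.sha256).hexdigest()


def phase1() -> int:
    """Phase 1: one DH exchange gives both peers the same IKE SA root secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    s_a, s_b = dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)
    assert s_a == s_b
    return s_a


def rekey(root: int, pfs: bool) -> Tuple[str, Dict[str, bytes]]:
    """Phase 2 key generation / rekey. Returns the IPsec SA key and what an observer sees on the wire."""
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    wire = {"nonce_i": nonce_i, "nonce_r": nonce_r}
    if not pfs:
        return prf(root, nonce_i, nonce_r), wire           # key depends only on root + public nonces
    i_priv, i_pub = dh_keypair()                          # PFS: a fresh DH exchange per rekey
    r_priv, r_pub = dh_keypair()
    wire["dh_pub_i"], wire["dh_pub_r"] = i_pub.to_bytes(16, "big"), r_pub.to_bytes(16, "big")
    g_xy = dh_shared(i_priv, r_pub)
    assert g_xy == dh_shared(r_priv, i_pub)
    return prf(root, g_xy.to_bytes(16, "big"), nonce_i, nonce_r), wire


def key_from_leaked_root(root: int, wire: Dict[str, bytes]) -> str:
    """What someone who captured the wire and later learns the phase-1 root secret can derive:
    they know the nonces (and, with PFS, the DH public values) but no per-rekey DH private value."""
    return prf(root, wire["nonce_i"], wire["nonce_r"])
```

Without PFS, every IPsec SA key ever derived under that IKE SA falls with the single phase 1 secret; with PFS, each rekey's key also depends on a fresh DH secret that was never transmitted, which is why the option is described as keeping one key from becoming a clue to the others.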

34. What is SSL-VPN?

SSL-VPN is a remote access VPN that uses HTTPS (HTTP over SSL) for Web access through a browser.

To use IPsec-VPN, dedicated client software must be installed on the PC. This client software does not necessarily support Mac OS, mobile phones and other operating systems. In addition, the IPsec-VPN connection may fail because a firewall filters the IPsec-VPN protocol number or the NAT traversal port number.

SSL-VPN is much more convenient: as long as the device has a browser, the VPN connection can be completed by means of a reverse proxy. Moreover, firewalls almost never block it, because it uses HTTPS port 443, which frees the VPN remote connection from the restrictions of operating system and connection method.

Remote access: IPsec-VPN | SSL-VPN
Requires dedicated client software | No dedicated client software needed; a Web browser is enough
Depends on the operating system or NIC driver | Not restricted by the operating system or NIC (Network Interface Card) driver
Multiple security policies must be set on intervening firewalls (ports used by IKE, ESP, etc.) | Uses the HTTPS (TCP 443) port that firewalls already let through
Requires the NAT traversal process in a NAT environment | Not restricted by the NAT environment
Must pay attention to the MTU size | Not restricted by the MTU size
Requires managing the personal computer | No need to manage the personal computer
Packet header smaller than SSL-VPN's | Packet header larger, data throughput lower
All protocols above the network layer can be tunneled | With the reverse proxy and port forwarding methods only specific applications over TCP can be tunneled; with the tunnel method all protocols above the network layer can be tunneled

IPsec-VPN is implemented at the network layer and can encrypt and tunnel transport-layer TCP and UDP. SSL-VPN is implemented at the session layer and runs over TCP port 443. Only a few specific TCP applications can use the reverse proxy and port forwarding methods; transport-layer communication such as ICMP and UDP can only use the tunnel method.


35. What is a reverse proxy?

A reverse proxy is also called clientless SSL-VPN. The SSL-VPN endpoint listens on port 443; after decrypting the HTTPS traffic, it converts it into HTTP communication on port 80 and interacts with the Web server on the internal network. Only applications that use port 80 and are accessed through a Web browser can use this method.

A proxy server that relays traffic when an internal client accesses the Internet is called a forward proxy server. When the direction is reversed, that is, when a client on the Internet accesses an internal network server, the relaying proxy server is called a reverse proxy server.

36. What is port forwarding?

Port forwarding is also called thin-client SSL-VPN. It uses browser plug-ins such as ActiveX or Java applets to create an SSL tunnel between the PC and the server. Once the user logs in to the Web portal (the SSL-VPN gateway) and completes authentication, the relevant plug-in can be downloaded. The user can use specific applications on the company's intranet servers, and can also use TCP applications with fixed ports that do not require browser support, such as e-mail. Some products also support applications with changing port numbers, UDP applications, and so on.

37. What is the tunnel method?

The tunnel method uses SSL-VPN client software. Like IPsec-VPN, it supports tunneling of all protocols above the network layer.

The user accesses the SSL-VPN device through a browser and completes authentication, after which the application can be downloaded and installed on the user's PC. The client software then establishes a tunnel between the PC and the SSL-VPN device. Because client software is used, restrictions imposed by the operating system are still unavoidable.


38. What is host checking?

An SSL-VPN that supports the host checker function can inspect the connecting client host when the client connects to the SSL-VPN device. The items checked are listed in the table below.

Check item | Check content
Whether anti-virus software is installed | Check the signature version information of the anti-virus software
Whether a personal firewall is installed | Check whether specific processes are running (hardware encryption software, log collection software, etc.)
OS and Service Pack type, patch compatibility | Check specific registry information
MAC address | Check whether specific files exist

If the host check result is OK, the client's SSL-VPN connection is allowed and the company's intranet can be accessed from the external network. If the result is NO, the client's SSL-VPN connection is rejected, or only a specific range of operations such as software upgrades is permitted.
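The host check decision described above, as an added example (not code from the original post or any SSL-VPN product): a posture report is evaluated against the four check items in the table, and the outcome is OK, NO, or a restricted "upgrade only" result. The report format, the policy values, the process and file names, and the rule that only a stale anti-virus signature earns restricted access are all assumptions made for this illustration.

```python
# Added example (not from the original post): a host-check evaluator over the
# four items in the table above. The posture report format, policy values and
# the rule that a stale anti-virus signature alone yields restricted "upgrade
# only" access are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Posture:
    av_signature_version: str     # date-style version such as "2023.08.20"
    running_processes: List[str]
    registry: Dict[str, str]
    files_present: List[str]


# Constructed policy; names and values are placeholders for this example.
POLICY = {
    "min_av_signature": "2023.08.15",
    "required_processes": ["pfw.exe", "logagent.exe"],
    "required_registry": {r"HKLM\SOFTWARE\Corp\Build": "22H2-SP1"},
    "required_files": [r"C:\Corp\asset.tag"],
}


def host_check(p: Posture) -> Tuple[str, List[str]]:
    """Return ("OK" | "RESTRICTED" | "NO", list of failed check items)."""
    failures: List[str] = []
    if p.av_signature_version < POLICY["min_av_signature"]:      # lexicographic order works for YYYY.MM.DD
        failures.append("av_signature")
    for proc in POLICY["required_processes"]:                    # personal firewall / agents running?
        if proc not in p.running_processes:
            failures.append(f"process:{proc}")
    for key, value in POLICY["required_registry"].items():       # OS build / patch level
        if p.registry.get(key) != value:
            failures.append(f"registry:{key}")
    for path in POLICY["required_files"]:                        # presence of specific files
        if path not in p.files_present:
            failures.append(f"file:{path}")
    if not failures:
        return "OK", []
    if failures == ["av_signature"]:      # assumption: only this is fixable through upgrade-only access
        return "RESTRICTED", failures
    return "NO", failures


def compliant_posture() -> Posture:
    """Constructed report of a compliant client."""
    return Posture("2023.08.20", ["pfw.exe", "logagent.exe", "explorer.exe"],
                   {r"HKLM\SOFTWARE\Corp\Build": "22H2-SP1"}, [r"C:\Corp\asset.tag"])
```

Returning the list of failed items alongside the verdict is what makes the restricted outcome useful: the gateway can tell the user what to update before granting full intranet access.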


Origin blog.csdn.net/be_racle/article/details/132417508