Huawei firewall product introduction and working principle

Post outline

  • Huawei firewall products
  • How the firewall works
    1. Firewall working modes
    2. Huawei firewall security zones
    3. What are a firewall's Inbound and Outbound directions?
    4. The meaning of state information
    5. Security policy concepts

Huawei firewall products

Huawei's firewall line consists of four series, USG2000, USG5000, USG6000 and USG9500, each suited to a different environment: the USG2000 and USG5000 series are positioned as UTM (Unified Threat Management) products, the USG6000 series is the next-generation firewall line, and the USG9500 series is the high-end firewall line.

Each series is described below:

1. USG2110: The USG2110 is the firewall Huawei released for small and medium-sized enterprises, chain stores and SOHO businesses. Its functions cover firewall, UTM, Virtual Private Network (written out in full here; I wrote the abbreviation and it got "harmonized"), routing, wireless and more. The USG2110 offers high performance, high reliability and easy configuration at a comparatively low price, and supports multiple Virtual Private Network topologies.

2. USG6600: Huawei's next-generation firewall line for medium and large enterprise data centers and network environments. It provides precise access control, comprehensive protection coverage, simple security management and high protection performance, and can be used for enterprise network perimeter protection, Internet egress protection for networked applications, cloud data center perimeter protection, Virtual Private Network remote access and similar scenarios.

3. USG9500: This series comprises the USG9520, USG9560 and USG9580, and is suited to cloud service providers, large data centers and large enterprise campus networks. It offers the most precise access control, the most practical NGFW features, a leading "NP + multi-system + distributed" architecture and the richest virtualization, and is known as the most stable and reliable security gateway product. It can be used for large data center border protection, security egress for radio and television networks and secondary carriers, education network security egress and other network scenarios.

4. NGFW: The full name is next-generation firewall. An NGFW is better suited to the new network environment. Functionally, an NGFW not only has the standard firewall functions that large companies need, such as network address translation, stateful inspection and Virtual Private Network, but also truly integrates IPS (Intrusion Prevention System) with the firewall rather than simply bolting on modules. In addition, an NGFW needs powerful application awareness and visualization, application-based policy integration, log statistics, deep application security capabilities, and the use of external sources such as identity recognition to improve its security policy.

Difference between a traditional firewall and an NGFW:
A traditional firewall can only perceive traffic by time, IP and port, whereas an NGFW controls and protects along six dimensions: application, user, content, time, threat and location. Among them:

  • Application-based: uses various means to accurately identify application-layer protocols, covering more than 6000 applications and sub-functions within web applications, for precise control and traffic access acceleration. This includes mobile applications; for example, the firewall can distinguish WeChat voice traffic from text traffic and apply different control policies to each.

  • User-based: with the help of AD (Active Directory), a directory server, an AAA server or the like, performs user-based access control, QoS management and defense in depth.

  • Location-based: combines global location information to identify where traffic originates, in order to obtain the location from which an application or *** was initiated. Location information is used to differentiate traffic control for different regions, and custom location information based on IP is supported.

In practice an application may use any port, but a traditional firewall identifies and controls applications only by port. The advance of the NGFW is finer-grained access control; the best practice is application-based control + whitelist + least privilege.

Next, I will focus on the USG6600 product type and describe how it works.

How the firewall works

1. Firewall working modes

A Huawei firewall has three working modes: routing mode, transparent mode and hybrid mode.

1. Routing mode: When the firewall's interfaces that connect to the network are configured with IP addresses, the firewall works in routing mode; here the firewall is first a router and then provides the other firewall functions. Most firewalls are deployed in routing mode, between the company's internal network and the external network.

2. Transparent mode: Think of it as a switch; the interfaces are not configured with IP addresses. Companies generally do not use the firewall as a plain switch, which would be asking too much of it.

3. Hybrid mode: If a Huawei firewall has some interfaces working in routing mode (configured with IP addresses) and other interfaces working in transparent mode (no IP address), the firewall works in hybrid mode. This mode is essentially a mixture of transparent mode and routing mode; it is currently used only for the special case of hot standby in transparent mode, and is not recommended in other environments.

2. Huawei firewall security zones

Zones that exist by default on a Huawei firewall:

  • Trust zone: used to connect the internal network; priority 85, a high security level.
  • Untrust zone: usually connected to the external network; priority 5, a very low security level. The zone represents an untrusted area; the Internet carries too many security risks, so it is generally placed in the Untrust zone.
  • DMZ: demilitarized zone, used to connect servers that need to provide services; its security level sits between Trust and Untrust, priority 50, a medium security level.
  • Local zone: refers to the firewall itself; priority 100. Besides forwarding packets between zones, the firewall also needs to receive or send its own traffic, such as remote management and dynamic routing protocols.
  • Other zones: user-defined zones, up to 16 custom zones by default; a custom zone has no default priority and one must be specified manually.

The figure below shows the zone division intuitively:

[Figure: Huawei firewall security zones]

Points to know when configuring zones:

  • Security zone priorities must be unique;
  • An interface can be added to only one security zone, but a security zone can contain multiple interfaces;
  • By default, Huawei NGFW firewalls deny traffic between any zones; to permit a flow you must configure a policy. (Traditional Huawei firewalls permitted traffic from a high-priority zone to a low-priority zone by default, but the latest NGFW firewalls deny all traffic by default.)

3. What are a firewall's Inbound and Outbound directions?

The firewall processes traffic based on zones. When traffic flows between security zones it triggers the firewall's security policy check, so firewall security policy is usually inter-zone (for example, between the Untrust zone and the Trust zone), and the data flow between zones is divided into two directions:

Inbound: data travelling from a low-security-level zone to a high-security-level zone. Traffic from the Untrust zone (priority 5) to the Trust zone (priority 85) is in the Inbound direction.

Outbound: data travelling from a high-security-level zone to a low-security-level zone. Traffic from the Trust zone (priority 85) to the Untrust zone (priority 5) is in the Outbound direction.

4. The meaning of state information

In firewall technology, the two directions of traffic are usually treated differently through the stateful inspection mechanism, so the firewall usually concentrates only on processing the first packet of a data flow: once the security policy permits the first packet, a session table entry is formed, and subsequent packets and return packets that match the session table are forwarded directly without being checked against the policy, which improves forwarding efficiency. For example, for clients in the Trust zone to access the Internet in the Untrust zone, only a security policy in the Outbound direction from Trust to Untrust needs to be applied; no security policy from Untrust to Trust is needed.

The firewall distinguishes a data flow solely by its five-tuple: source IP, destination IP, protocol, source port and destination port. The firewall treats packets with the same five-tuple as one data flow. A packet's five-tuple must match a policy's specified match conditions for it to be considered a match for that policy; otherwise it continues to be matched against subsequent policies, and matching stops at the first rule that matches.

As mentioned above, after the first packet passes through the firewall a session table entry is created. The session entry can only match traffic with the same tuple and cannot match other traffic (whose destination IP or destination port may differ), which, together with the forward policy check, ensures that data flows in the same session are forwarded efficiently and strictly. Note that the session table is generated dynamically and is not permanent: if no packet matches a session for a long time, this indicates the two sides have ended the communication and the session is no longer needed, so to save system resources the session is deleted after a certain time, called the session's aging time. It is generally not very long; I remember the default session aging time on Cisco firewalls is something like 300 s.

5. Security policy concepts

The basic role of a firewall is to protect a particular network from an "untrusted" network while still allowing legitimate traffic between the two. The role of security policy is to inspect the flows passing through the firewall and let the legitimate traffic that conforms to the policy pass. Different security policies can be applied between zones and in different directions to impose different controls.

To meet current network needs, Huawei proposed an integrated security policy; the USG6000 series firewall V100R001 version currently uses this integrated security policy. The integration shows in two aspects. One is integrated configuration: security checks such as anti-virus, spam filtering, content filtering and application filtering are performed by referencing profiles in the policy. The other is business integration: the integrated policy inspects a packet only once and the multiple service functions are processed in parallel, improving processing efficiency. Traditional firewall products such as UTM work in serial mode, where the flow is inspected by each module in turn.

In addition to inspecting packets based on the traditional five-tuple (source IP, destination IP, source port, destination port, protocol), Huawei's next-generation firewall also performs deep inspection based on application, content, time, user, threat and location, achieving truly multi-dimensional detection and precise access control.

An integrated security policy is made up of rules, and a rule consists of conditions, an action and profiles. The role of the profiles is to perform content security detection on the packet, including anti-virus, intrusion prevention, URL filtering, file filtering, content filtering, application behavior control and e-mail filtering. A rule may reference one or more profiles, and profiles can be referenced only when the action is permit. See the figure below.

[Figure: structure of an integrated security policy rule]

As the figure shows, a condition can consist of multiple elements, and the elements within a condition are in an "AND" relationship: a packet must match all of these elements for it to match the rule. Multiple objects within the same element are in an "OR" relationship: if a packet matches any one of the objects, it is considered to match that element. For example, if the source-address element of a condition defines the three addresses A, B and C, then as long as the packet's source address is any one of them, the source-address element matches. But the packet must also match the condition's other elements, such as destination address, time, service and user, to be considered a match for the rule.
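To make the mechanics of sections 4 and 5 concrete, here is a small Python model (added here; constructed, not Huawei's code) of the behaviour described above: zone priorities give the direction, elements of a condition are ANDed and objects within an element are ORed, the first matching rule ends the search, unmatched traffic is denied by default, and a permitted first packet installs a five-tuple session that later packets and return packets match without any reverse policy, until the aging time expires. The rule, addresses and the 300 s aging time are assumed sample values.

```python
from dataclasses import dataclass, field

ZONES = {"trust": 85, "untrust": 5, "dmz": 50, "local": 100}   # default zone priorities

def direction(src_zone, dst_zone):
    """Inbound: low-priority zone to high-priority zone; otherwise Outbound."""
    return "inbound" if ZONES[src_zone] < ZONES[dst_zone] else "outbound"

@dataclass
class Rule:
    name: str
    action: str                                  # "permit" or "deny"
    conds: dict = field(default_factory=dict)    # element -> set of objects
    def matches(self, pkt):
        # Elements are ANDed; the objects within one element are ORed.
        return all(pkt[elem] in objs for elem, objs in self.conds.items())

class Firewall:
    def __init__(self, rules, aging=300):        # aging time in seconds (assumed value)
        self.rules, self.aging, self.sessions = rules, aging, {}
    def _policy(self, pkt):
        for rule in self.rules:                  # first matching rule ends the search
            if rule.matches(pkt):
                return rule.name + ":" + rule.action
        return "default:deny"                    # NGFW default: deny everything
    def handle(self, pkt, now):
        key = (pkt["sip"], pkt["dip"], pkt["proto"], pkt["sport"], pkt["dport"])
        rev = (pkt["dip"], pkt["sip"], pkt["proto"], pkt["dport"], pkt["sport"])
        for k in (key, rev):                     # later or return packet of a session?
            if k in self.sessions and now - self.sessions.pop(k) < self.aging:
                self.sessions[k] = now           # hit: refresh the aging timer
                return "session"                 # aged-out entries stay removed
        verdict = self._policy(pkt)
        if verdict.endswith(":permit"):
            self.sessions[key] = now             # permitted first packet creates a session
        return verdict

# Constructed rule: Trust hosts A, B, C may reach Untrust on port 80 or 443.
RULES = [Rule("web_out", "permit", {"src_zone": {"trust"}, "dst_zone": {"untrust"},
              "sip": {"10.0.0.1", "10.0.0.2", "10.0.0.3"}, "dport": {80, 443}})]
FW = Firewall(RULES)

def demo():   # constructed traffic: 10.0.0.2 (Trust) opens HTTPS to 203.0.113.9 (Untrust)
    req = dict(sip="10.0.0.2", dip="203.0.113.9", proto="tcp", sport=40000, dport=443,
               src_zone="trust", dst_zone="untrust")
    rep = dict(sip="203.0.113.9", dip="10.0.0.2", proto="tcp", sport=443, dport=40000,
               src_zone="untrust", dst_zone="trust")
    return [direction("trust", "untrust"), FW.handle(req, 0), FW.handle(rep, 1),
            FW.handle(req, 100), FW.handle(rep, 500)]
```

The last call shows the failure mode: once the session has aged out, the return packet is evaluated against policy again and, with no Untrust-to-Trust rule, is dropped.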

Unlike the traditional security policy, the integrated security policy has the following characteristics:

  • Policy is configured globally rather than per zone; the security zone is an optional condition, and a rule can be configured with multiple source zones or destination zones.
  • Traffic between all zones is denied by default; the required flows must be permitted through policy.
  • The security policy's default action replaces the default packet filtering. Traditional packet filtering took effect only between the specified zones, whereas the next-generation firewall's default action takes effect between all zones and globally, and the default action is deny, that is, all traffic is rejected unless explicitly permitted.

By default, Huawei firewall policy has the following characteristics:

  1. The priorities of any two security zones must be different.
  2. Packets between different interfaces within the same zone are forwarded directly without filtering.
  3. An interface cannot forward packets until it has been added to a zone.
  4. The USG series has no security policy by default, that is, for any mutual access between zones a security policy must be configured, unless the packet is delivered within the same zone.

-------- end of this article so far, thanks for reading --------

Source: blog.51cto.com/14154700/2426220