
Application Firewall

DPtech FW1000 Firewall Technical White Paper

1. Overview

Applications and networks are complementary and mutually reinforcing in that the increasing
application requirements give birth to the rapid development of network technologies, which, in turn,
promotes the growth of applications. As all kinds of new applications and new services continue to
emerge, such as 10G to core/Gigabit to desktop, Web2.0, virtualization, Internet of Things, network
audio/video, P2P, cloud computing, etc., the traditional port-based firewalls for application
identification and access control fall short of meeting the needs of security protection in new
applications. In response, DPtech launched the FW1000 next-generation application firewall based
on the brand-new multi-core processor architecture.

DPtech FW1000 marks a breakthrough in application firewalls. Built upon the APP-X hardware
platform, a core technology with DPtech's independent intellectual property rights and ConPlat, a
security operating system, DPtech FW1000 is the industry's leading application firewall which is
provided with professional intrusion prevention signature library, virus database, application
protocol library, and URL library. Thanks to its high availability, outstanding performance, and high
reliability, the FW1000 solution can be deployed in various complex scenarios such as data
centers and large campus networks. What’s more, it boasts rich capabilities and on-demand
scalability, which simplifies the network security architecture and greatly brings down the total cost
of ownership of the enterprise networks.

2. Product Introduction

DPtech FW1000 is the next-generation application firewall product designed for large and medium-
sized enterprises, schools, data centers and operators. As a high performance firewall at the
application level, it performs security control at the network boundary layer over data from different
domains according to security policies. It delivers high performance in both IPv4 and IPv6
environments, eliminating network bottlenecks and offering comprehensive security protection to
ensure smooth and stable operation of the network. With built-in VPN, it provides a cost-effective
choice with flexible networking capabilities for various network environments.

3. DPtech’s unique firewall technology

3.1 Data forwarding process of DPtech FW1000

By permitting, denying, or redirecting traffic, the firewall serves as an important tool for access
control and auditing between an organization's networks. With policy definitions based on users
and protocols, URL filtering, protocol identification, and other features, the DPtech FW1000 meets
the requirements of both packet-filtering and application-level firewalls.

The firewall forwards traffic between networks according to the security policy configured at each
network node. By default, all inbound and outbound traffic is rejected by the security policy, which
can only be modified by authorized administrators. A typical packet filtering policy is applied as
packets arrive at or leave an interface and is decided by the source address, destination address,
transport-layer protocol, source port, destination port, and application protocol.

The DPtech firewall controls traffic at the packet-filtering layer on the basis of security domains.
The default inter-domain rules are as follows:

1) A domain with a higher security level can access a domain with a lower security level.

2) A domain with a lower security level is not allowed to access a domain with a higher security level.

3) Different domains with the same security level are prohibited from accessing each other.

4) Mutual access between different interfaces in the same security domain is allowed.

Data forwarding inside the firewall is shown in the diagram below:


Fig. 1 Internal data forwarding flow chart

As shown in the diagram above, internal forwarding begins with a session table lookup, then
performs destination NAT, route lookup, packet filtering rules, attack prevention policies,
application-layer matching rules, and auditing policies, and finally performs the source NAT lookup
before forwarding.

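The forwarding order above, together with the four default inter-domain rules, can be modelled directly. The following Python is an added example and not DPtech code: the domains, security levels, routes, NAT table and explicit policy entry are constructed, and the decision to consult the explicit policy before the inter-domain defaults is this example's own. It shows why destination NAT runs before packet filtering (the policy is matched on the real server address and port) and why source NAT runs after it.

```python
"""Model of the forwarding order described above: session lookup, destination
NAT, route lookup, packet filtering (explicit policy, then the four default
inter-domain rules), and source NAT last.  Added illustration, not DPtech code;
the zones, levels, routes and NAT entries are constructed."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed security domains and their security levels (higher = more trusted).
ZONES = {"trust": 85, "dmz": 50, "guest": 50, "untrust": 5}

# Constructed routing table: prefix -> egress domain, longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "trust"),
    (ipaddress.ip_network("172.16.0.0/24"), "dmz"),
    (ipaddress.ip_network("192.168.100.0/24"), "guest"),
    (ipaddress.ip_network("0.0.0.0/0"), "untrust"),
]

# Constructed static destination NAT: (public address, port) -> (server, port).
DNAT = {("203.0.113.10", 443): ("172.16.0.20", 8443)}
SNAT_ADDR = "203.0.113.1"   # constructed address used for source NAT toward untrust

# Explicit packet-filter policy, checked before the default inter-domain rules.
# Because DNAT runs first, the policy is written against the real server port.
POLICY = [("untrust", "dmz", "tcp", 8443, "permit")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_zone: str


def route_lookup(dst: str) -> str:
    addr = ipaddress.ip_address(dst)
    candidates = [(net, zone) for net, zone in ROUTES if addr in net]
    return max(candidates, key=lambda nz: nz[0].prefixlen)[1]


def default_zone_rule(src_zone: str, dst_zone: str) -> bool:
    """Default rules 1-4 from the paper."""
    if src_zone == dst_zone:
        return True          # rule 4: interfaces in one domain may talk
    if ZONES[src_zone] > ZONES[dst_zone]:
        return True          # rule 1: higher level may reach lower level
    return False             # rules 2 and 3: lower->higher and equal-level cross-domain denied


def policy_lookup(pkt: Packet, out_zone: str) -> str:
    for src_zone, dst_zone, proto, dport, action in POLICY:
        if (src_zone, dst_zone, proto, dport) == (pkt.in_zone, out_zone, pkt.proto, pkt.dport):
            return action
    return "permit" if default_zone_rule(pkt.in_zone, out_zone) else "deny"


def forward(pkt: Packet, sessions: dict):
    """Return (verdict, packet as it would leave the box, egress zone)."""
    key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    if key in sessions:                                   # 1. session table hit
        return sessions[key]
    if (pkt.dst, pkt.dport) in DNAT:                      # 2. destination NAT
        new_dst, new_dport = DNAT[(pkt.dst, pkt.dport)]
        pkt = replace(pkt, dst=new_dst, dport=new_dport)
    out_zone = route_lookup(pkt.dst)                      # 3. route lookup -> egress domain
    verdict = policy_lookup(pkt, out_zone)                # 4. packet filtering
    if verdict == "permit" and out_zone == "untrust" and pkt.in_zone != "untrust":
        pkt = replace(pkt, src=SNAT_ADDR)                 # 5. source NAT, last
    sessions[key] = (verdict, pkt, out_zone)              # new session entry
    return sessions[key]


if __name__ == "__main__":
    table = {}
    inbound = Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 443, "untrust")
    print(forward(inbound, table))
```

Running the block forwards a constructed inbound HTTPS connection through DNAT to the DMZ server; a second packet of the same flow is answered from the session table without re-evaluating the policy, which is the reason the session lookup comes first.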
3.2 Rich Network Features

ConPlat platform enables rich network features, such as STP, VLAN, ARP and other layer-2
features, as well as BGP, OSPFv2/v3, MPLS and other layer-3 features in IPv4/IPv6 environments.

DPtech FW1000 is characterized by the following network features:

■ Available networking modes include transparent mode, routing mode, and hybrid mode.

■ Support IPv4/IPv6 protocol stack, with complete and rich IPv6 protocol transition and tunnel
technology

■ Access, Trunk VLAN, port aggregation, port mirroring

■ Policy-based routing, static routing, multicast IPv4/6 routing (IGMP, PIM, MSDP, multicast VPN)

■ IPv4 routing (supports RIP v1/2, OSPF, IS-IS, BGP, Guard routing)

■ IPv6 routing (supports RIPng, OSPFv3, Guard routing), IPv6 tunneling technology

■ Support complete MPLS VPN

■ Support DNS, DHCP, ARP, BFD, STP, QOS

■ Support WIFI module, 3G network card

With the rich network features, DPtech Firewall provides users with flexible networking capabilities
in transparent mode, routing mode, and hybrid mode adapting to various networking environments.

3.3 High performance and low-latency processing capabilities based on a huge number of policies

DPtech firewall packet filtering and NAT matching compile the security policies into a series of
quick-matching entries using a decision tree algorithm. When a packet passes through the device,
its five-tuple (source address, destination address, protocol, source port, and destination port) is
extracted and looked up against the quick-matching entries in a single pass. All corresponding
matches are found at once, forming a parallel processing architecture for the data stream while
maintaining high performance and low latency. Besides meeting administrators' requirements for
very high throughput and low transmission delay, the firewall helps eliminate network transmission
bottlenecks.
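To make the compile-then-match idea concrete, the following Python builds a small decision tree over a constructed five-tuple rule set and compares its answer with a top-down scan of the same rules. It is an added example, not DPtech's algorithm: the cut points on the port dimension, the leaf size and the rule set are constructed, and the tree only narrows the candidate set, so each leaf still scans its rules in policy order to preserve first-match semantics.

```python
"""Five-tuple policy matching compiled into a decision tree, compared with a
plain top-down scan of the rule list.  Added illustration, not DPtech's
algorithm; the rules, cut points and packets are constructed."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)
PROTOS = ("tcp", "udp", "icmp")
# Fixed cut points on the port dimension (a rule lands in every bucket its range overlaps).
PORT_CUTS = ((0, 1023), (1024, 49151), (49152, 65535))


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR or "any"
    dst: str
    proto: str      # "tcp", "udp", "icmp" or "any"
    sport: tuple    # inclusive (low, high)
    dport: tuple
    action: str

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and self.sport[0] <= pkt["sport"] <= self.sport[1]
                and self.dport[0] <= pkt["dport"] <= self.dport[1]
                and in_net(pkt["src"], self.src) and in_net(pkt["dst"], self.dst))


def in_net(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def overlaps(a: tuple, b: tuple) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def build(rules, fields=("proto", "dport", "sport"), leaf_size=2):
    """rules: list of (policy index, Rule) in policy order.  Each level cuts on one
    field; a rule is copied into every child it could still match in."""
    if len(rules) <= leaf_size or not fields:
        return ("leaf", rules)
    field, rest = fields[0], fields[1:]
    if field == "proto":
        children = {p: build([r for r in rules if r[1].proto in ("any", p)], rest, leaf_size)
                    for p in PROTOS}
        # protocols without their own branch can only hit proto-agnostic rules
        children["other"] = build([r for r in rules if r[1].proto == "any"], rest, leaf_size)
    else:
        children = {cut: build([r for r in rules if overlaps(getattr(r[1], field), cut)],
                               rest, leaf_size) for cut in PORT_CUTS}
    return (field, children)


def classify(tree, pkt: dict):
    """Descend to a leaf, then scan only that leaf's rules in policy order.
    Returns (matching rule index or None, action, rules examined)."""
    node = tree
    while node[0] != "leaf":
        field, children = node
        if field == "proto":
            node = children.get(pkt["proto"], children["other"])
        else:
            value = pkt[field]
            node = children[next(c for c in PORT_CUTS if c[0] <= value <= c[1])]
    examined = 0
    for index, rule in node[1]:
        examined += 1
        if rule.matches(pkt):
            return index, rule.action, examined
    return None, "deny", examined          # nothing matched: default deny


def linear(rules, pkt: dict):
    """Reference behaviour: first match in policy order over the whole list."""
    for examined, (index, rule) in enumerate(rules, 1):
        if rule.matches(pkt):
            return index, rule.action, examined
    return None, "deny", len(rules)


# Constructed policy, in order.
RULES = list(enumerate([
    Rule("any", "172.16.0.20/32", "tcp", ANY_PORT, (22, 22), "deny"),
    Rule("any", "172.16.0.0/24", "tcp", ANY_PORT, (443, 443), "permit"),
    Rule("10.0.0.0/8", "any", "udp", ANY_PORT, (53, 53), "permit"),
    Rule("10.0.0.0/8", "any", "tcp", ANY_PORT, (1, 65535), "permit"),
    Rule("any", "any", "any", ANY_PORT, ANY_PORT, "deny"),
]))
TREE = build(RULES)

if __name__ == "__main__":
    dns = {"src": "10.1.1.5", "dst": "8.8.8.8", "proto": "udp", "sport": 5000, "dport": 53}
    print("tree:", classify(TREE, dns), "linear:", linear(RULES, dns))
```

The third element of each result is the number of rules actually compared; for the constructed DNS and ICMP packets the tree reaches the same verdict as the full scan while examining one rule instead of three or five, which is the saving that grows with the size of the policy.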

3.4 Attack prevention technologies (IPv4/IPv6)

As one of the important features of the DPtech firewall, attack prevention determines whether
packets carry attack characteristics by analyzing their content and behavior, and takes action to
protect network hosts and network devices. Attacks that can be detected include DoS (Denial of
Service), scanning and snooping, malformed packets, and others, so that appropriate
countermeasures can be applied. Attack prevention is realized by several functions, such as
blacklist filtering, packet feature identification, anti-DDoS, and intrusion detection statistics.

Apart from the conventional IPv4 security protection technologies, DPtech provides all-round IPv6
security protection against huge-icmp-pak, icmp-flood, ip-sweep, ip-spoofing (l2/l3), udp-flood,
teardrop, ip-fragment, ping-of-death, port-scan, syn-flood, syn-proxy, tcp abnormal, land-attack,
NDP defender, etc.

■ DDoS attacks

DDoS attacks are among the most common network attacks and require little professional skill:
they can be launched with various open-source tools that generate huge numbers of packets. The
targeted system or host may fail to serve normal requests or stop working properly. Unlike other
attacks, DDoS attacks do not look for an entry into the target network; instead, they aim to block
legitimate access to network resources by disrupting the normal operation of the target network.

With attack prevention technology, the firewall actively defends against common network attacks
and keeps the network operating normally in the face of a growing number of attacks, providing
overall security protection. For DDoS attacks that use legitimate protocols allowed by the server,
attack prevention relies on behavior-based anti-DDoS algorithms to accurately distinguish attack
traffic from normal traffic. It blocks the attack traffic and lets normal traffic pass, realizing
anti-DDoS protection. DDoS attacks detected by attack prevention include SYN Flood, ICMP Flood,
and UDP Flood.

DDoS attacks can also be launched on the IPv6 Internet. Computers infected with Trojan horses
form large botnets that launch concentrated attacks on a victim. Unfortunately, botnets remain
active in IPv6, since the protocol itself does nothing to prevent them from forming and running.
IPv6 provides Internet access to far more devices than IPv4, so DDoS attacks launched from the
large number of IPv6 devices can be more devastating than those launched on the IPv4 Internet.

With built-in DDoS fingerprint recognition technology, DPtech firewalls automatically learn from
IPv4/IPv6 traffic to build a database of fingerprint features. The firewall can then quickly identify
abnormal attack traffic on the network and block or rate-limit it, achieving intelligent and simplified
anti-DDoS protection. Fingerprint features can also be configured manually: users can identify and
protect against known attack signatures by configuring a number of parameters. For TCP, for
example, the configurable parameters include packet length, packet ID, TTL, source IP, destination
IP, sequence number, acknowledgment number, source port, destination port, flags, and other
custom features.
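The learn-and-block behaviour above, with the TCP parameter list as the field set, as an added Python example that is not DPtech's implementation. The share threshold, the packets-per-second trigger and all traffic are constructed. A field stays in the learned fingerprint only when one value dominates the burst, so spoofed sources, sequence numbers and source ports drop out while length, TTL, flags and destination port remain; the same matcher serves fingerprints that an operator configures by hand.

```python
"""Learning a DDoS fingerprint from a packet burst and blocking on it, plus a
manually configured fingerprint.  Added illustration, not DPtech's algorithm;
the field set mirrors the TCP parameters listed above and all traffic is
constructed."""
from collections import Counter, defaultdict

FIELDS = ("length", "id", "ttl", "src", "dst", "seq", "ack", "sport", "dport", "flags")


def learn_fingerprint(packets, min_share=0.9, min_fields=3):
    """Keep every field whose dominant value covers >= min_share of the burst.
    Fields that vary from packet to packet (spoofed sources, random ports,
    sequence numbers) drop out; what remains is the attack signature."""
    fingerprint = {}
    for field in FIELDS:
        value, count = Counter(p[field] for p in packets).most_common(1)[0]
        if count / len(packets) >= min_share:
            fingerprint[field] = value
    return fingerprint if len(fingerprint) >= min_fields else None


def matches(fingerprint, pkt) -> bool:
    return all(pkt.get(field) == value for field, value in fingerprint.items())


class FingerprintGuard:
    def __init__(self, pps_threshold: int):
        self.pps_threshold = pps_threshold
        self.db = []                            # learned + manually configured fingerprints
        self.windows = defaultdict(list)        # 1-second bucket -> packets let through
        self.learned_windows = set()

    def add_manual(self, fingerprint: dict):
        """Operator-supplied fingerprint (the manual configuration path)."""
        self.db.append(dict(fingerprint))

    def observe(self, pkt: dict, t: float) -> str:
        if any(matches(fp, pkt) for fp in self.db):
            return "block"
        bucket = int(t)
        self.windows[bucket].append(pkt)
        # rate trigger: once a 1-second window exceeds the threshold, learn from it once
        if len(self.windows[bucket]) > self.pps_threshold and bucket not in self.learned_windows:
            self.learned_windows.add(bucket)
            fp = learn_fingerprint(self.windows[bucket])
            if fp:
                self.db.append(fp)
        return "pass"


def syn_flood(n):
    """Constructed flood: spoofed sources and varying seq/sport, constant rest."""
    return [{"length": 60, "id": 0, "ttl": 57, "src": f"198.51.100.{i % 250 + 1}",
             "dst": "172.16.0.20", "seq": 1000003 * i, "ack": 0,
             "sport": 1024 + i, "dport": 443, "flags": "S"} for i in range(n)]


# Constructed legitimate packet: a data segment on an established connection.
LEGIT = {"length": 1500, "id": 4711, "ttl": 118, "src": "203.0.113.9", "dst": "172.16.0.20",
         "seq": 7, "ack": 9, "sport": 52000, "dport": 443, "flags": "A"}


def run_scenario():
    """50 flood packets inside one second against a 20 pps trigger."""
    guard = FingerprintGuard(pps_threshold=20)
    verdicts = [guard.observe(p, 1.0 + i / 1000) for i, p in enumerate(syn_flood(50))]
    return guard, verdicts


if __name__ == "__main__":
    guard, verdicts = run_scenario()
    print(verdicts.count("block"), "blocked; learned:", guard.db[0])
```

A learned fingerprint is only as specific as the burst it came from: a legitimate SYN that happened to share every retained field (same length, TTL, flags and destination port) would be blocked as well, which is why learned entries deserve review and why a rate limit rather than a hard block is the milder option the paper also mentions.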

■ Scanning and snooping attacks

A scanning and snooping attack first identifies active hosts on the network by ping scanning (ICMP
and TCP), locates a potential target, and then identifies the operating system and enabled services
on the target by TCP and UDP scanning. Scanning and snooping give the attacker an overall
understanding of the target system, its services, and its potential security vulnerabilities, as
preparation for further intrusion. DPtech firewalls are effective in defending against scanning and
snooping attacks targeting IP addresses, ports, and vulnerabilities.

■ Malformed packet attacks

A malformed packet attack sends defective IP packets to a target system, causing it to crash or
otherwise suffer damage. Such defective packets include packets with overlapping fragments and
packets with illegal TCP flags. Using its feature recognition technology, DPtech firewalls accurately
detect dozens of attack signatures and protect against a variety of malformed packets, including
LAND attacks, ping of death, IP overlapping fragments, UDP Fraggle attacks, WinNuke attacks,
TcpFlag attacks, ICMP unreachable packets, ICMP redirect packets, ICMP Smurf, IP packets with the
source route option, IP packets with the record route option, and oversized ICMP packets.
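The malformed-packet classes listed above, written out as explicit checks over parsed header fields. Added Python example, not DPtech's detection engine; the packet dictionaries and the oversized-ICMP threshold are constructed, and fragment overlap is detected by remembering the byte ranges already seen for each (source, destination, IP ID) triple.

```python
"""Header checks for the malformed-packet classes named in the paper.
Added illustration, not DPtech's engine; packets are plain dicts of already
parsed header fields and the thresholds are constructed."""
from collections import defaultdict

MAX_IP_LEN = 65535
ICMP_OVERSIZE = 1024          # constructed threshold for "oversized ICMP"


class MalformedPacketChecker:
    def __init__(self):
        # (src, dst, ip id) -> list of (first byte, last byte) of fragments seen
        self.fragments = defaultdict(list)

    def check(self, p: dict) -> list:
        """Return the list of signature names the packet triggers (empty if clean)."""
        findings = []
        proto, flags = p.get("proto"), set(p.get("flags", ""))
        if proto in ("tcp", "udp") and p["src"] == p["dst"] and p.get("sport") == p.get("dport"):
            findings.append("land")                       # LAND: talks to itself
        if proto == "tcp":
            if not flags:
                findings.append("tcp-null-flags")
            if {"S", "F"} <= flags or {"S", "R"} <= flags or {"F", "P", "U"} <= flags:
                findings.append("tcp-illegal-flags")      # SYN+FIN, SYN+RST, Xmas
            if "U" in flags and p.get("dport") == 139:
                findings.append("winnuke")                # OOB data to NetBIOS
        if proto == "icmp":
            if p.get("icmp_type") == 8 and p.get("broadcast"):
                findings.append("smurf")                  # echo request to broadcast
            if p.get("icmp_type") == 3:
                findings.append("icmp-unreachable")
            if p.get("icmp_type") == 5:
                findings.append("icmp-redirect")
            if p.get("len", 0) > ICMP_OVERSIZE:
                findings.append("oversized-icmp")
        if proto == "udp" and p.get("broadcast") and p.get("dport") in (7, 19):
            findings.append("fraggle")                    # echo/chargen to broadcast
        for opt in p.get("ip_options", ()):
            if opt in ("lsrr", "ssrr"):
                findings.append("source-route-option")
            if opt == "rr":
                findings.append("record-route-option")
        findings += self._check_fragment(p)
        return findings

    def _check_fragment(self, p: dict) -> list:
        off, mf, payload = p.get("frag_off", 0), p.get("mf", False), p.get("payload_len", 0)
        if off == 0 and not mf:
            return []                                     # not fragmented
        start, end = off * 8, off * 8 + payload - 1
        out = []
        if end + 20 > MAX_IP_LEN:                         # reassembly would exceed 65535 bytes
            out.append("ping-of-death" if p.get("proto") == "icmp" else "oversized-fragment")
        key = (p["src"], p["dst"], p.get("id"))
        if any(start <= e and s <= end for s, e in self.fragments[key]):
            out.append("ip-overlapping-fragment")
        self.fragments[key].append((start, end))
        return out


if __name__ == "__main__":
    checker = MalformedPacketChecker()
    land = {"src": "172.16.0.20", "dst": "172.16.0.20", "proto": "udp", "sport": 7, "dport": 7}
    print(checker.check(land))
```

The checker is stateless except for fragment tracking, which is the one class here that cannot be decided from a single packet; in a real device that table also needs an expiry, otherwise an attacker can fill it with never-completed datagrams.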

3.5 Virus Filtering Technology

With an integrated professional virus signature library, DPtech provides users with powerful anti-
virus services that detect a great number of viruses transmitted over HTTP, FTP, SMTP, POP3, and
IMAP, including viruses packed in RAR and ZIP archives. The anti-virus module can be deployed in
inline, bypass, bridge, and hybrid modes, and automatically detects, blocks, or redirects virus-
carrying packets and abnormal traffic based on real-time analysis. Functions provided by the anti-
virus module include:

1) Anti-virus rule management

2) Anti-virus signature query

3) Anti-virus logs

Thanks to its defense capabilities against file, network, and hybrid viruses, it accurately detects
and removes virus variants and unknown viruses through a new generation of virtual unpacking
and behavior judgment technology. Three levels of antivirus protection are available, so users can
configure the level of protection according to how prevalent a virus is. The antivirus signature
library is regularly updated to ensure a timely response to new viruses. The basic functions and
principles of the antivirus module are shown in the figure below.

Fig. 7 Virus detection and protection

Traditional virus detection methods fall into four types: signature (feature code) matching,
checksum, activity detection, and software emulation. The most suitable way to provide anti-virus
functions on a network device is signature matching. Network traffic passing through the device is
scanned against the integrated professional virus database; if a matching signature is found in the
stream, the stream is deemed to carry a virus. Different protection measures are available and logs
are generated based on the signature and the virus's prevalence. DPtech anti-virus technology
offers accurate and rapid detection, identifies viruses by name, and has a low false-positive rate.

DPtech's antivirus logs provide abundant reporting features, including all kinds of query conditions
such as virus source IP, destination IP, virus type, and various time periods. Logs can be sent to a
remote server or backed up. DPtech's IPS virus database is released on a regular (weekly) basis
and on an emergency basis (when a major security signature is found), and is distributed
automatically to user devices.

3.6 Firewall with high reliability

DPtech FW1000 supports complete dual-system hot standby technologies, including regular,
advanced, asymmetric, and silent dual-system hot standby.

■ Regular dual-system hot standby

With synchronized dual-system functions, the two firewalls back up each other's configuration,
including IP address objects/groups, service objects/groups, packet filtering policies, routing, etc.

■ Advanced dual-system hot standby

On top of configuration backup, sessions between the two firewalls are synchronized in real time.
When the active and standby devices switch over, connected applications continue to access the
Internet without reconnecting.

■ Asymmetric dual-system hot standby

Both configurations and sessions are backed up. Dual-active deployment with asymmetric service
traffic is supported, and multi-channel application-layer services are supported through real-time
synchronization of ALG sessions.

Regular, advanced, and asymmetric dual-system hot standby and master/backup switching can be
implemented with protocols such as VRRP, OSPF, and STP. By planning the priority parameters of
VRRP, OSPF, and STP, administrators control the traffic paths to enable master/backup or
master/master modes, as shown below:

Fig. 2 Dual-system hot standby (VRRP protocol)

Fig. 3 Dual-system hot standby (OSPF protocol)


■ Silent dual-system hot standby

All configurations of the active and standby firewalls (including the interface IP addresses) are
identical. In normal operation, only the active device is logically visible. The standby device is
silent: neither visible nor perceptible on the network. The active device sends heartbeat packets
over the heartbeat line to report its running status. The standby device listens silently to the status
of the active device, neither receiving nor sending any other packet.

If an abnormality is detected in the active device, or the standby device does not receive heartbeat
packets from the active device within a certain period, the standby device wakes up and becomes
the active firewall. It continuously refreshes the MAC address table entries on the switch by sending
gratuitous ARP, thereby diverting the service traffic so that it forwards on behalf of the former
active device. This process is known as dual-system hot standby. It is a simple and reliable way to
realize dual-system hot standby using the device's own detection mechanism, without the help of
any other protocol.
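The silent take-over described above, as an added Python example that is not DPtech's implementation: a standby that only records heartbeats, wakes up once they have been missing for longer than the timeout, and then keeps emitting gratuitous ARP so the switch learns its MAC for the shared address. The MAC and IP addresses, the timeout and the explicit clock values are constructed; the frame builder produces a standard broadcast ARP request whose sender and target IP are both the shared address.

```python
"""Silent hot-standby takeover: heartbeat watchdog plus gratuitous ARP frames.
Added illustration, not DPtech's implementation; addresses, timeout and the
injected clock are constructed so the state machine can be tested offline."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1


def gratuitous_arp(mac: str, ip: str) -> bytes:
    """Broadcast ARP request whose sender and target IP are both our own address.
    Switches refresh their MAC table from the source MAC of this frame."""
    hw = bytes.fromhex(mac.replace(":", ""))
    addr = socket.inet_aton(ip)
    ethernet = b"\xff" * 6 + hw + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REQUEST,
                      hw, addr, b"\x00" * 6, addr)
    return ethernet + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the ARP fields (used here to check what the standby sends)."""
    op, sha, spa, tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": socket.inet_ntoa(spa),
            "target_ip": socket.inet_ntoa(tpa), "broadcast": frame[:6] == b"\xff" * 6}


class SilentStandby:
    def __init__(self, mac: str, ip: str, heartbeat_timeout: float):
        self.mac, self.ip = mac, ip
        self.timeout = heartbeat_timeout
        self.state = "standby"
        self.last_heartbeat = None

    def on_heartbeat(self, now: float):
        """Heartbeat from the active device, received over the heartbeat line."""
        if self.state == "standby":
            self.last_heartbeat = now

    def tick(self, now: float) -> list:
        """Called every refresh interval; returns the frames the device sends."""
        if self.state == "standby":
            if self.last_heartbeat is not None and now - self.last_heartbeat > self.timeout:
                self.state = "active"                    # heartbeats stopped: take over
            else:
                return []                                # silent: nothing leaves the box
        # active: keep refreshing the switches' MAC tables for the shared address
        return [gratuitous_arp(self.mac, self.ip)]


if __name__ == "__main__":
    standby = SilentStandby("02:00:00:00:00:02", "10.0.0.1", heartbeat_timeout=3.0)
    standby.on_heartbeat(0.0)
    for t in (1.0, 2.0, 4.5):
        print(t, standby.state, len(standby.tick(t)))
```

Because the standby does not transmit until it takes over, a failure of the heartbeat line alone looks to it exactly like a failure of the active device; the timeout therefore trades detection speed against the risk of both devices becoming active at once, and the example's `timeout` is the only knob that sets that trade-off.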

Fig. 4 Silent dual-system hot standby

3.7 Full VPN support

In response to users' requirements for branch interconnection and mobile office, DPtech FW1000
provides full VPN support for IPSec, SSL, GRE, L2TP, PPTP and others. It supports multiple
encryption algorithms, including DES and 3DES, as well as certificate authentication. The built-in
IPSec VPN and SSL VPN hardware encryption features not only simplify the network structure but
also greatly improve the cost-effectiveness of the network security deployment.

Site-to-site fixed access

1) IPSEC VPN

2) GRE VPN

Fig. 5 Site to Site VPN access

Mobile access

1) IPSEC VPN
2) PPTP VPN
3) L2TP VPN
4) SSL VPN

Fig. 6 Mobile office VPN

3.8 Firewall virtualization

3.8.1 Virtual firewalls

The DPtech ConPlat platform provides rich virtualization features at the OS and application levels.
OS-level virtualization is a concept from server virtualization. A virtualization layer running on the
host operating system allows multiple guest OSs to be installed, each running independently and
unaffected by the others, even when one fails. The virtualization software on the host OS abstracts
the kernel and file system of each guest OS into an individual container and is responsible for
allocating computing and storage resources and for isolating the containers. ConPlat OS-level
virtualization is shown below:

Fig. 7 OS-Level virtualization

Application-level virtualization runs on a single operating system. A virtualization layer between
the OS and the applications ensures that the failure of any application package has no impact on
other packages. By packaging the core functions of ConPlat into a virtual firewall, application-level
virtualization gives each virtual device independent computing resources, forwarding entries, and
control-plane, service-plane and forwarding-plane processes, in addition to its own administrators
and management interfaces. ConPlat application-level virtualization is shown below:

Fig. 8 Application-level virtualization

The difference between OS-level virtualization and application-level virtualization lies in the degree
of integrity. In OS-level virtualization, each virtualized instance is still a complete ConPlat software
platform on which application-level virtualization is still available, such as further division of the
virtual firewall. However, in application-level virtualization where only the core functions of ConPlat
are virtualized, each virtualized instance is not a complete ConPlat software platform, and no
further virtualization is allowed.

A traditional firewall is a single physical device, whereas virtual firewalls are several firewalls
partitioned within one physical device. The functions of a virtual firewall are a subset of those of
the physical firewall. Virtual firewalls are mostly deployed in operator networks or IDC computer
rooms: the operator purchases and manages the physical firewall devices, and users manage their
own resources by renting one or more virtual firewalls.

Virtual firewalls are completely isolated. Each of the virtual firewalls is provided with an
independent user management system, allowing it to manage its own hardware resources and
logical resources such as security domains, VLANs and others.

■ Virtualization of administrators

Fig. 9 Virtualization of administrators

Each virtual system has its own independent administrator. The public system is a global system
that can manage all administrators on the device. The administrator of the virtual system can only
see and manage the administrators of the virtual system.

■ Virtualization of physical hardware resources

Fig. 10 Virtualization of physical resources

Each virtual system is assigned its own interfaces, which the administrator of that virtual system
can further divide into VLANs and allocate IP addresses to.

■ Virtualization of logical resources


Fig. 11 Vlan-if virtualization

Global and unified logical resources such as VLANs are created by the administrators of public
systems before being assigned to various virtual systems. Administrators of each virtual system
can configure IPs for and assign interfaces to their own VLANs.

Fig. 12 Virtualization of security domains

Logical resources consisting merely of software, such as security domains, are maintained by
administrators of each virtual system.

■ Routing virtualization

Routing virtualization is performed at the forwarding level and on the routing management. From
the perspective of kernel forwarding, each virtual firewall contains multiple hardware interfaces,
which are managed by their own virtual forwarding planes to realize complete isolation between
different virtual firewalls. As a result, the same IP address is allowed for different virtual firewalls.

Fig. 13 Routing virtualization


From the perspective of routing management, each virtual system has its own routing management
software, management domains, and management processes, independent of other systems, so
routing protocols such as OSPF and BGP run and are managed independently. Because the
management domains of the virtual systems are independent, CPU resources can be allocated
among them more rationally, preventing a failed virtual system from affecting the others.

3.8.2 VSM virtualization

Virtualization has been changing and evolving ever since its inception. Diverse implementation
solutions have been provided by different vendors. DPtech VSM (Virtual Switching Matrix)
technology is the first in the industry to integrate network and application.

Fig. 14 VSM multi-frame cascading

Multiple VSM member devices are aggregated using 10G ports, and the VSM system is also
aggregated with its upstream and downstream devices. The VSM system is thus more reliable thanks
to multi-link backup, and the logical links are simplified. The VSM system is composed of multiple
member devices, including the Master and the Slave devices. The Master is responsible for the
operation, management, and maintenance of the VSM, and the Slave may process services while
serving as a backup. Once the Master fails, the system automatically elects a new Master to ensure
service continuity of the VSM system; this is also known as 1:N virtualization at the device level.

VSM is compatible with extended SW, FW, IPS, UAG, ADX, SSL VPN and other functional boards.
With easy scalability of network interfaces, functions and performance, it is an ideal choice for
protecting your investment.

Fig. 15 VSM virtualization configuration


VSM boasts the following advantages:

■ Simplified management

When VSM mode is enabled, users can manage all member devices in the VSM from the Master
device's page through any port of any device, instead of connecting to each one for separate
configuration and management.

■ Simplified network structure

The control protocols running in the virtual device formed by the VSM operate as on a single
device, significantly simplifying the network structure.

■ High reliability

VSM is highly reliable in several respects. Aggregation is supported on the physical ports of VSM
member devices, and the VSM system is also aggregated with its upstream and downstream
devices, so multi-link backup makes the VSM system more reliable. In addition, the VSM system is
composed of multiple member devices, including the Master and the Slave devices. The Master is
responsible for the operation, management, and maintenance of the VSM, and the Slave may
process services while serving as a backup. Once the Master fails, the system automatically elects
a new Master to ensure service continuity of the VSM system, providing dual-system standby.

■ High performance

Because a VSM system results from virtualizing two or more stand-alone devices that support
VSM, its processing capacity and number of ports are the sum of the switching capacity and the
total port count of all stand-alone devices in the VSM system. VSM technology can therefore
multiply core switching capacity and user-port density several times over by virtualizing two or
more stand-alone devices, substantially improving device performance.

■ Multiple cascading modes

In frame devices, VSM allows multiple boards to serve as cascading boards in order to meet diverse
requirements of users. It currently supports 4*10GE and 8*10GE boards cascading.

■ Rich functions

All functions available for stand-alone devices are supported in the VSM system.

3.8.3 N:M virtualization

DPtech's original N:M virtualization technology integrates N devices into one VSM system (N-->1),
which is then divided into M virtual firewalls as needed (1-->M), achieving N:M virtualization.

■ Cascade N frame devices and virtualize the VSM as a single device

■ The cascaded devices are virtualized into M logical sub-devices and assigned to corresponding
administrators for independent management and use

■ Processing performance, port density, and number of virtual firewalls can be expanded as
needed

Fig. 16 N:M virtualization

N:M virtualization enables secure cloud computing:

■ High-performance single-board processing capability

■ Large-capacity backplane switching capability, multi-frame cascading, and overall processing
capability expanded through both the board and the frame

■ Integrating network security, application delivery, and service switching, it provides all-round
protection to ensure the security of cloud computing.

■ Comprehensive OS-level virtualization is realized in terms of management, protocol, forwarding,
and resources. By virtualizing one device into multiple stand-alone devices, it guarantees the
security of cloud computing.
