HCSA-NGFW 2022
Contents
1 Evolutionary History of Firewall
2 Hillstone Product Introduction
Evolutionary History of Firewall
Firewall Concept
Network firewalls secure traffic bidirectionally across networks. Although these firewalls
are primarily deployed as hardware appliances, clients are increasingly deploying
virtual appliance firewalls, cloud-native firewalls from infrastructure as a service (IaaS)
providers, and firewall as a service (FWaaS) offerings hosted directly by vendors.
- Gartner
Figure: the firewall sits between the Internal Network and the External Network (Internet)
www.hillstonenet.com
Evolutionary History of Firewall
Stage 1 – Packet Filtering (Network Layer)
❑ Simple ACL
Stage 2 – Stateful Inspection (Session Layer)
❑ IP connection (session) based
❑ Uses ALGs to track the protocol stack; no way to handle encrypted or HTTP-based applications
Stage 3 – NGFW (Application Layer)
❑ Identifies applications via app signatures and app behavior
❑ Able to control encrypted apps
❑ Role-based user identification
Packet Filter Firewall
• Features of Packet Filter FW:
− Only checks the packet header: IP addresses and ports
− The detected object is a single packet; a data connection therefore requires permit policies in both directions, because the firewall cannot correlate packets into a connection
− Filters packets via ACL
Figure: a packet (IP / TCP / APP) passing between the internal network and the Internet; only the IP and TCP headers are checked
Stateful Inspection Technology
• Features of Stateful Inspection FW:
– Introduces "session" technology: the session (connection) is the detected object
– A session is identified by its 5-tuple (source/destination IP, source/destination port, IP protocol number)
– The session entry covers bidirectional traffic, so a one-way policy is enough to control the access
– For example (TCP three-way handshake for Telnet, from the diagram): the PC 10.0.0.11 (source port 1026) connects to the Telnet server 172.30.0.50 on destination port 23
  1. PC → server: SYN (source address 10.0.0.11, destination port 23) is matched against the policy and creates the session entry
  2. Server → PC: SYN+ACK is matched to the existing session, not to any policy
  3. PC → server: ACK completes the handshake
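To make the difference between the two models concrete, here is an added example (not Hillstone code, and not a real packet-processing path) that simulates a stateless packet filter and a stateful firewall side by side. It replays the Telnet handshake between 10.0.0.11:1026 and 172.30.0.50:23 from the slide, then sends one constructed unsolicited packet that uses source port 23. The rule shapes, the session state names and the attacker packet are assumptions made for the illustration.

```python
"""Added example, not Hillstone code: constructed simulation of a packet filter
(one packet at a time, ACL on header fields) versus stateful inspection
(session table keyed on the 5-tuple, one-way policy)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

TCP = 6  # IP protocol number


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int = TCP
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}


# Rule shape (assumed): (src_prefix, src_port, dst_prefix, dst_port, action); None = any
Rule = Tuple[str, Optional[int], str, Optional[int], str]
FiveTuple = Tuple[str, int, str, int, int]


def match_rules(rules: List[Rule], p: Packet) -> str:
    """First-match ACL lookup on header fields only; implicit deny."""
    for src_prefix, src_port, dst_prefix, dst_port, action in rules:
        if (p.src_ip.startswith(src_prefix) and p.dst_ip.startswith(dst_prefix)
                and src_port in (None, p.src_port) and dst_port in (None, p.dst_port)):
            return action
    return "deny"


def five_tuple(p: Packet) -> FiveTuple:
    return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)


def reverse(t: FiveTuple) -> FiveTuple:
    src_ip, src_port, dst_ip, dst_port, proto = t
    return (dst_ip, dst_port, src_ip, src_port, proto)


class PacketFilter:
    """Stage 1: every packet is judged alone, so the reply direction needs its own
    permit rule, and that rule cannot tell a real reply from an unsolicited packet
    that merely uses source port 23."""
    def __init__(self, acl: List[Rule]):
        self.acl = acl

    def check(self, p: Packet) -> str:
        return match_rules(self.acl, p)


class StatefulFirewall:
    """Stage 2: the session (5-tuple) is the detected object. Only the packet that
    opens a session is checked against the one-way policy; later packets in both
    directions are matched to the session table instead."""
    def __init__(self, policy: List[Rule]):
        self.policy = policy
        self.sessions: Dict[FiveTuple, str] = {}

    def check(self, p: Packet) -> str:
        t = five_tuple(p)
        if t in self.sessions:  # forward direction of a known session
            if "ACK" in p.flags and self.sessions[t] == "SYN_RECEIVED":
                self.sessions[t] = "ESTABLISHED"
            return "permit"
        if reverse(t) in self.sessions:  # reply direction: permitted by the session, not by policy
            if self.sessions[reverse(t)] == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}):
                self.sessions[reverse(t)] = "SYN_RECEIVED"
            return "permit"
        # No session yet: only a bare SYN may create one, and only if the policy permits it.
        if p.proto == TCP and p.flags != frozenset({"SYN"}):
            return "deny"
        if match_rules(self.policy, p) == "permit":
            self.sessions[t] = "SYN_SENT"
            return "permit"
        return "deny"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Replay the slide's Telnet handshake plus one constructed unsolicited packet.
    Returns {label: (packet_filter_verdict, stateful_verdict)}."""
    pc, server = "10.0.0.11", "172.30.0.50"
    # The packet filter needs permits in BOTH directions for Telnet to work at all.
    acl: List[Rule] = [("10.0.0.", None, "172.30.0.", 23, "permit"),
                       ("172.30.0.", 23, "10.0.0.", None, "permit")]
    # The stateful firewall needs only the one-way (client -> server) policy.
    policy: List[Rule] = [("10.0.0.", None, "172.30.0.", 23, "permit")]
    pf, sf = PacketFilter(acl), StatefulFirewall(policy)
    flows = {
        "1 SYN":     Packet(pc, 1026, server, 23, flags=frozenset({"SYN"})),
        "2 SYN+ACK": Packet(server, 23, pc, 1026, flags=frozenset({"SYN", "ACK"})),
        "3 ACK":     Packet(pc, 1026, server, 23, flags=frozenset({"ACK"})),
        # Constructed attacker packet: source port 23, ACK set, no matching session (ACK scan).
        "ACK scan":  Packet(server, 23, pc, 139, flags=frozenset({"ACK"})),
    }
    return {label: (pf.check(p), sf.check(p)) for label, p in flows.items()}


if __name__ == "__main__":
    for label, (pf_verdict, sf_verdict) in run_scenario().items():
        print(f"{label:10s} packet filter={pf_verdict:7s} stateful={sf_verdict}")
```

The three handshake packets pass both firewalls, but the constructed "ACK scan" packet is permitted by the packet filter (its reverse-direction ACL entry has to exist for Telnet replies to work) and denied by the stateful firewall, which has no session for it. That gap is exactly what the "bidirectional all permit policy" bullet above describes.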
Next Generation FW
• DPI technology extends detection into the application layer
• Content identification
• User authentication: the firewall sees User, APP and Content rather than only IP and Port
• Policy matches on the IP 5-tuple + APP ID + User ID
• Port ≠ Application
• IP ≠ User
• Packet ≠ Content
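The three inequalities above are the whole argument for an NGFW, so here is an added example (not Hillstone code) that shows them in working form: application identification from the first payload bytes instead of the destination port, a user identity resolved from the source IP, and a policy keyed on role + APP ID. The signatures, the IP-to-user table, the policy rows and the sample payloads are all constructed for the illustration; a real product uses far larger signature sets and behavioral heuristics.

```python
"""Added example (not Hillstone code): why an NGFW keys policy on APP ID and
User ID rather than on port and IP. Signatures, users and policy are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed payload signatures applied to the client's first bytes; the port is ignored.
APP_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("ssh", re.compile(rb"^SSH-2\.0-[^\r\n]+\r\n")),
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # TLS record: type 0x16 (handshake), version 0x0301..0x0303, 2-byte length, then
    # handshake type 0x01 (ClientHello). Identifies the envelope of an encrypted app.
    ("tls", re.compile(rb"^\x16\x03[\x01-\x03].{2}\x01", re.DOTALL)),
]

# What a port-based (stage 1/2) firewall would assume: Port == Application.
PORT_GUESS: Dict[int, str] = {22: "ssh", 80: "http", 443: "tls"}

# Constructed IP -> (user, role) table, as learned from AD/RADIUS logins: IP != User.
USER_MAP: Dict[str, Tuple[str, str]] = {
    "10.0.0.11": ("alice", "engineering"),
    "10.0.0.12": ("bob", "sales"),
}

# Policy rows (role, app, action); "*" is a wildcard, first match wins, implicit deny.
POLICY: List[Tuple[str, str, str]] = [
    ("engineering", "ssh", "permit"),
    ("*", "http", "permit"),
    ("*", "tls", "permit"),
]


def identify_app(first_payload: bytes) -> str:
    """DPI step: match the payload against application signatures, port-independent."""
    for app, pattern in APP_SIGNATURES:
        if pattern.match(first_payload):
            return app
    return "unknown"


def classify(src_ip: str, dst_port: int, first_payload: bytes) -> Dict[str, str]:
    """Return the port-based guess next to the NGFW decision for one new flow."""
    user, role = USER_MAP.get(src_ip, ("unknown", "unknown"))
    app = identify_app(first_payload)
    verdict = "deny"
    for p_role, p_app, action in POLICY:
        if p_role in ("*", role) and p_app in ("*", app):
            verdict = action
            break
    return {"user": user, "role": role,
            "port_guess": PORT_GUESS.get(dst_port, "unknown"),
            "app": app, "verdict": verdict}


# Constructed sample first-payloads (the TLS one is a truncated ClientHello prefix).
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
TLS_HELLO_PREFIX = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"

if __name__ == "__main__":
    samples = [("10.0.0.11", 443, SSH_BANNER),        # SSH hidden on port 443
               ("10.0.0.12", 443, SSH_BANNER),        # same trick, different user role
               ("10.0.0.12", 8080, HTTP_GET),         # HTTP on a non-standard port
               ("10.0.0.12", 443, TLS_HELLO_PREFIX)]  # genuine TLS on 443
    for src, port, payload in samples:
        print(src, port, classify(src, port, payload))
```

A port-based firewall would call both port-443 SSH flows "tls" and permit them; the NGFW identifies them as "ssh" and then applies the role: alice in engineering is permitted, bob in sales is denied, even though both share the same destination IP and port. The HTTP request on port 8080 is recognised as HTTP despite the port, which is what "Port ≠ Application" means in practice.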
NGFW Concept
NGFW Functions
• VPN: supports IPsec VPN, SSL VPN and L2TP VPN
• HA: supports A/P and A/A modes, configuration and session synchronization
• Basic Network: Switch/Route, Session, Policy
• VSYS: logically divides the physical firewall into several virtual firewalls
• IPv6: supports IPv6/IPv4 dual stack
• Monitor: monitors device status, traffic, etc.
NGFW Functions
• Application Identification: APP ID
• User Authentication: AD, Local, RADIUS
• SSL Decryption: supports HTTPS decryption with APP ID, IPS, AV and URL filtering
• Bandwidth control: based on user, IP, APP, URL, etc.
• Link monitoring: monitors the quality of each link in real time
• Traffic Quota: limits and controls the allowable flow quota of users/user groups per day or per month
• Server Load Balancing: based on weighted hashing, weighted round robin or weighted least connection
• Endpoint Access Monitor
NGFW Functions – Threat Protection
• Attack Defense
• IPS
• AV
• Cloud Sandbox
• Data Security: file/content filter
• Botnet C&C Prevention
• IP Reputation
• Web access control, URL filter
Hillstone Product Introduction
Hillstone’s Product Portfolio
Thanks