
Chapter 1 - Network Security Basis

HCSA-NGFW 2022
Contents
1 Evolutionary History of Firewall
2 Hillstone Product Introduction
Evolutionary History of Firewall
Firewall Concept

Network firewalls secure traffic bidirectionally across networks. Although these firewalls
are primarily deployed as hardware appliances, clients are increasingly deploying
virtual appliance firewalls, cloud-native firewalls from infrastructure as a service (IaaS)
providers, and firewall as a service (FWaaS) offerings hosted directly by vendors.

-Gartner

[Diagram: firewall between the Internal Network and the External Network (Internet)]

www.hillstonenet.com
Evolutionary History of Firewall

Stage 1 – Packet Filtering (Network Layer, before 1995)
❑ Simple ACL

Stage 2 – Stateful Inspection (Session Layer, 1996-2007)
❑ IP connection based
❑ Use ALG to track protocol stack, no way to handle encrypted or HTTP based application

Stage 3 – NGFW (Application Layer, after 2008)
❑ Identify application via app signature and app behavior
❑ Able to control the encrypted apps
❑ Role based user identification

Packet Filter Firewall
• Features of Packet Filter FW:
− Only checks the packet header: IP address and port
− The inspected object is a single packet; a data connection requires permit policies in both directions, because the firewall cannot correlate related packets
− Filters packets via ACL

[Diagram: packet made up of IP, TCP and APP parts; only the packet header is checked]

Stateful Inspection Technology
• Features of Stateful Inspection FW:
– Introduces "session" technology; the session (connection) is the inspected object.
– A session is identified by its 5 tuple (source/destination IP and port, IP protocol number)
– A session tracks traffic in both directions, so a one-way policy can control the access
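– For example, a TCP three-way handshake between PC 10.0.0.11 and Telnet server 172.30.0.50:

Packet 1: source address 10.0.0.11, destination address 172.30.0.50, source port 1026, destination port 23, initial sequence number 49091, no ack, flag SYN
Packet 2: source address 172.30.0.50, destination address 10.0.0.11, source port 23, destination port 1026, sequence number 32513, ack 49092, flag SYN+ACK
Packet 3: source address 10.0.0.11, destination address 172.30.0.50, source port 1026, destination port 23, sequence number 49092, ack 32514, flag ACK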
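The session tracking described above, as an added example that is not part of the original slides: a Python sketch of a session table keyed by the 5 tuple, replaying the slide's Telnet handshake against a single one-way policy. The class, function and state names and the two packets marked as constructed are assumptions for illustration, not Hillstone code.

```python
from collections import namedtuple

# Fields follow the slide's example: addresses, ports, flag, sequence and ack numbers.
Packet = namedtuple("Packet", "src sport dst dport flags seq ack proto", defaults=("tcp",))

class StatefulFirewall:
    """Session table keyed by the 5 tuple of the initiating direction."""

    def __init__(self, policy):
        self.policy = policy      # one-way rules: (src IP, dst IP, dst port, protocol)
        self.sessions = {}        # 5 tuple -> handshake state and expected numbers

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)
        if p.flags == "SYN":
            # Only the first packet of a connection is checked against the policy.
            if (p.src, p.dst, p.dport, p.proto) not in self.policy:
                return "drop"
            self.sessions[fwd] = {"state": "SYN_SENT", "client_next": p.seq + 1}
            return "permit"
        s = self.sessions.get(rev)
        if s and p.flags == "SYN+ACK" and s["state"] == "SYN_SENT":
            if p.ack != s["client_next"]:
                return "drop"     # reply does not acknowledge the recorded SYN
            s.update(state="SYN_RCVD", server_next=p.seq + 1)
            return "permit"
        s = self.sessions.get(fwd)
        if s and p.flags == "ACK" and s["state"] == "SYN_RCVD":
            if (p.seq, p.ack) != (s["client_next"], s["server_next"]):
                return "drop"
            s["state"] = "ESTABLISHED"
            return "permit"
        s = self.sessions.get(fwd) or self.sessions.get(rev)
        if s and s["state"] == "ESTABLISHED" and "SYN" not in p.flags:
            return "permit"       # either direction of an established session
        return "drop"             # no matching session: unsolicited packet

def demo():
    fw = StatefulFirewall({("10.0.0.11", "172.30.0.50", 23, "tcp")})
    pc, srv = "10.0.0.11", "172.30.0.50"
    packets = [
        Packet(srv, 23, pc, 1026, "SYN+ACK", 32513, 49092),  # constructed: reply before any session
        Packet(pc, 1026, srv, 23, "SYN", 49091, 0),          # slide packet 1
        Packet(srv, 23, pc, 1026, "SYN+ACK", 32513, 49092),  # slide packet 2
        Packet(pc, 1026, srv, 23, "ACK", 49092, 32514),      # slide packet 3
        Packet(srv, 23, pc, 1030, "SYN", 7000, 0),           # constructed: server-initiated SYN
    ]
    return [fw.inspect(p) for p in packets]
```

The same SYN+ACK is dropped before the session exists and permitted after it, with no policy written for the server-to-PC direction; a packet filter would need a standing permit rule for that return traffic.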
Next Generation FW
• DPI technology brings detection into the application layer
• Content identification
• User authentication
• IP 5 tuple + APP ID and User ID

[Diagram: identification by IP and Port versus identification by User, APP and Content]

Port ≠ Application
IP ≠ User
Packet ≠ Content

NGFW Concept

Next-generation firewalls (NGFWs) are
deep-packet inspection firewalls that
move beyond port/protocol inspection
and blocking to add application-level
inspection, intrusion prevention, and
bringing intelligence from outside the
firewall.

NGFW Functions

• VPN: Support IPSEC VPN, SSL VPN, L2TP VPN
• HA: Support A/P, A/A mode, configuration and session synchronization
• Basic Network: Switch/Route, Session, Policy
• VSYS: Logically divides the physical firewall into several virtual firewalls.
• IPV6: Support IPv6/IPv4 dual stack
• Monitor: Monitor device status, traffic etc.

NGFW Functions
• Application Identification
• User Authentication: AD, Local, radius
• SSL Decryption: Support https decryption with APPID, IPS, AV, URL filtering
• Link Load Balancing: Intelligently route and dynamically adjust the traffic load of each link by monitoring the quality of each link in real-time
• QoS: Two-level 8 layers pipe nesting of bandwidth control: based on user, IP, APP, URL etc.
• Traffic Quota: Limit and control the allowable flow quota of users/user groups per day or per month.
• Server Load Balancing: Based on weighted hashing, weighted round robin, weighted least connection
• Endpoint Access Monitor
NGFW Functions – Threat Protection
• Attack Defense
• Data Security: File/content filter
• IPS
• Botnet C&C Prevention
• AV
• IP Reputation
• Cloud Sandbox
• Web access control, URL filter
Hillstone Product Introduction
Hillstone’s Product Portfolio

Thanks
