
Introduction to Firewalls

Foreword

- During data communication, insecure factors may cause information leakage, incomplete information, unavailable information, etc. Therefore, firewalls are required during network deployment.
- This course introduces the history, features, typical networking modes, application scenarios, and technical specifications of Huawei firewalls.

3 Huawei Confidential
Objectives

Upon completion of this course, you will be able to:

- Understand the basic concepts of firewalls.
- Understand firewall security policies.
- Have a good command of firewall security policy configuration.
Contents

1. Firewall Overview
2. Principle of Firewall Forwarding
3. Firewall Security Policies and Application
4. ASPF

Firewall Features

- Logical area filter
- Hiding the intranet structure
- Security assurance
- Proactive defense against attacks

[Figure: an intranet, a firewall and a router]

Can the traffic that does not pass through a firewall be protected?
Firewall Classification

- Firewalls are classified into the following types according to access control modes:
  - Packet filtering firewalls
  - Proxy firewalls
  - Stateful inspection firewalls
Firewall Classification: Packet Filtering Firewall

[Figure: a packet filtering firewall between two hosts; of the data link layer, IP layer, TCP layer and application layer, only the IP and TCP packet headers are checked]

Only packet headers are checked. Limitations:
1. Unable to associate data packets
2. Unable to adapt to multi-channel protocols
3. Generally does not check the application-layer data
Firewall Classification: Proxy Firewall

[Figure: connection flow between an Internet PC, the proxy firewall and an intranet server]
1. The PC sends a connection request.
2. The firewall performs a security check on the request. If the check fails, the connection is blocked.
3. After the check succeeds, the firewall sets up a connection with the client and a connection to the server.
4. The PC sends packet A to the firewall; the firewall sends packet A' to the server.
5. The server sends response packet B to the firewall; the firewall sends response packet B' to the PC.

Drawbacks:
1. Slow processing
2. Difficult upgrades
Firewall Classification: Stateful Inspection Firewall

[Figure: TCP handshake between Host 10.0.0.1 and Server 20.0.0.1 through the firewall. The first packet, SYN (seq=1134) from 10.0.0.1 to 20.0.0.1, goes through the security policy check and its session information is recorded; the server's SYN'(seq=2287)/ACK'(seq=2288) reply and the host's ACK (seq=1135) match the recorded session. A packet ACK'(seq=30000) from 20.0.0.1 to 10.0.0.1 has an incorrect status and is discarded.]

Advantages:
1. Fast processing of subsequent packets
2. High security
Firewall Networking Modes

[Figure: two networking modes; in each, the firewall connects a Trust zone and an Untrust zone over /30 interface addresses (192.168.10.1, 192.168.10.2 and 192.168.10.5 in the first, 192.168.10.129 and 192.168.10.133 in the second)]
Packet Filtering Technology

- When receiving a packet, the firewall obtains the header, compares the header with specified rules, and decides to forward or discard the packet.
- The core technique for packet filtering is the access control list (ACL).

[Figure: an intranet, a branch and the HQ, plus an unauthorized user, with packet filtering applied between them]
Firewall Security Policies

- Definition
  - Security policies control traffic forwarding according to specified rules and apply integrated content security detection to traffic.
  - The rules focus on packet filtering.
- Major applications
  - Security policies control network communication through the firewall.
  - Security policies control access to the firewall.
Firewall Security Policy Mechanism

[Figure: an incoming data flow of packets from A and B (BBAABBBAAAA) enters the firewall; the outgoing data flow contains only packets from A (AA AAAA)]

Firewall security policies:
  Policy 0: Permit subsequent operations of A.
  Policy 1: Deny subsequent operations of B.
  Default policy operation

Step 1: The incoming data flow passes through the firewall.
Step 2: The firewall searches for a matching security policy and determines whether to allow the next operation.
Step 3: The firewall processes the data packets according to the rules defined in the security policy.

- Function of firewall security policies: filter the traffic passing through the firewall according to defined rules, and determine the next operation according to keywords.
Firewall Interzone Forwarding

[Figure: a client in the Trust zone and a server in the Untrust zone communicate through the firewall]

- First packet (no session is matched, so the first-packet process is performed): the firewall queries the routing table, then queries the interzone packet filtering rules based on the interzone and direction to which the interface belongs.
  Policy 0: Permit packets from 192.168.168.0.
  Policy 1: Deny packets from 192.168.100.0.
  The default interzone packet filtering rule is deny.
- Subsequent packets (a session is matched, so the subsequent-packet process is performed): the packet is not the first packet, so the firewall looks up the session table.
Querying and Creating Sessions

[Flowchart]
1. Query the session table.
2. Is the session table matched?
   - Yes: perform the security check, update the session table, and forward the packet.
   - No: check whether a session can be created, consulting the server-map table, the routing table, the packet filtering rules, and NAT. If a session can be created, create it and forward the packet.
Stateful Inspection Mechanism

- When the stateful inspection mechanism is enabled, a session can be created only when the first packet passes the inspection performed by the firewall. Subsequent packets are forwarded based on the session.
- When the stateful inspection mechanism is disabled, even if the first packet does not pass through the firewall, subsequent packets can trigger the generation of a session as long as they pass through the firewall.

[Figure: Host 10.0.0.1 sends a TCP SYN and then a TCP ACK' to Server 20.0.0.1 through the firewall]
Session

[Figure: Host 192.168.1.1:20000 and Server 1.1.1.1:23. The first packet creates a session; later packets match the session, and the firewall allows them to pass.]

Client -> Server
Source IP address  Source port  Destination IP address  Destination port  Protocol  User  Application
192.168.1.1        20000        1.1.1.1                 23                TCP       abc   Telnet

Server -> Client
Source IP address  Source port  Destination IP address  Destination port  Protocol  User  Application
1.1.1.1            23           192.168.1.1             20000             TCP       abc   Telnet

Session: TCP 192.168.1.1:20000 1.1.1.1:23
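The session handling described on the Stateful Inspection Mechanism and Session slides, as an added Python model that is not Huawei code: a session is keyed by the 5-tuple of the first packet, the reply direction is found through the reversed tuple, an idle session ages out after the aging time, and the stateful flag reproduces the page's distinction between a session created by the first packet and one triggered by a later packet. Packet, SessionTable and policy_permits are names chosen for this example.

```python
from collections import namedtuple

# Constructed example, not Huawei code: a session is keyed by the 5-tuple of the first
# packet; the reply direction (server -> client) is found by swapping addresses and ports.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port flags")

class SessionTable:
    def __init__(self, aging_time=1200, stateful=True):
        self.aging_time = aging_time    # seconds of idle time allowed (TTL 00:20:00 = 1200)
        self.stateful = stateful        # stateful inspection mechanism enabled or disabled
        self.sessions = {}              # 5-tuple -> {"expires": absolute time}

    @staticmethod
    def key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def reverse_key(p):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def lookup(self, p, now):
        """Return the key of a live session matching p in either direction, else None."""
        for k in (self.key(p), self.reverse_key(p)):
            s = self.sessions.get(k)
            if s is None:
                continue
            if s["expires"] <= now:     # no traffic within the aging time: session is gone
                del self.sessions[k]
                return None
            return k
        return None

    def handle(self, p, now, policy_permits):
        """Return 'forward' or 'drop'; policy_permits(p) is the security policy check."""
        k = self.lookup(p, now)
        if k is not None:               # subsequent packet: forwarded on the session alone
            self.sessions[k]["expires"] = now + self.aging_time
            return "forward"
        # First packet. With stateful inspection on, a TCP packet that is not the SYN
        # has an incorrect status and may not create a session.
        if self.stateful and p.proto == "tcp" and p.flags != "SYN":
            return "drop"
        if not policy_permits(p):
            return "drop"
        self.sessions[self.key(p)] = {"expires": now + self.aging_time}
        return "forward"

    def brief(self):
        """Session lines in the style of 'display firewall session table'."""
        return ["%s %s:%d-->%s:%d" % k for k in self.sessions]
```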

Querying the Session Table

- Display brief information about the firewall session table.

<sysname> display firewall session table
Current Total Sessions : 2
telnet VPN:public --> public 192.168.3.1:2855-->192.168.3.2:23
http VPN:public --> public 192.168.3.8:2559-->192.168.3.200:80

- Display detailed information about the firewall session table.

<sysname> display firewall session table verbose
Current Total Sessions : 1
http VPN:public --> public ID: a48f3648905d02c0553591da1
Zone: trust--> local TTL: 00:20:00 Left: 00:19:56
Output-interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:3073 bytes:3251431 -->packets:2881 bytes:705651
128.18.196.4:1864-->128.18.196.251:80 PolicyName: test

Security Policy Matching Principle

[Figure: a client in the Trust zone and a server in the Untrust zone communicate through the firewall]

- First packet (no session is matched, so the first-packet process is performed): the packet is matched with the security policies in order.
  Rule 0: Permit packets from 192.168.168.0 ...
  Rule 1: Deny packets from 192.168.100.0 ...
  ...
  The action of the default policy is deny.
- Subsequent packets (a session is matched, so the subsequent-packet process is performed): subsequent packets are not matched with the security policies.
Security Policy Matching Process

Security policy
  Condition: source zone, destination zone, source address or region, destination address or region, user, service, application, schedule
  Action: permit or deny
  Profile: antivirus, intrusion prevention, URL filtering, file blocking, data filtering, application control, mail filtering, APT defense

[Figure: traffic is matched against the condition; a permitted packet is checked by the profiles, and the response is either "send" or "do not send"; a denied packet is not sent]
Application of Security Policies

[Figure: the intranet 192.168.0.0/16 (Trust zone) with the Marketing Dept. and the R&D Dept., connected through the firewall to the Untrust zone. The Marketing Dept.'s IM and game traffic is denied; the R&D Dept.'s HTTP traffic is allowed to pass through.]

Security policy 1
  Source address: any
  Destination address: any
  User: Marketing Dept.
  Application: IM and Game
  Action: deny

Security policy 2
  Source address: any
  Destination address: any
  User: R&D Dept.
  Protocol: HTTP
  Action: permit
Configuring a Security Zone on the Web UI

- The system has four default security zones. If more security levels are needed, you can create a security zone and define its security level.

Configuring a Security Policy on the Web UI

- A security policy includes:
  - Matching conditions: source security zone, destination security zone, source address, destination address, user, service, application, and schedule
  - Action: permit or deny
  - Content security profile (optional): antivirus, intrusion prevention, URL filtering, file blocking, data filtering, application behavior control, mail filtering, and APT defense

Configuring Addresses and Address Groups on the Web UI

- An address object is a set of IPv4/IPv6 addresses or MAC addresses. An address group is a set of address objects.
- An address object contains one or more IPv4/IPv6 addresses or MAC addresses. It is like a basic component and can be referenced by different policies (such as security policies and NAT policies).

Configuring Regions and Region Groups on the Web UI

- A region is a set of public IP addresses in a certain area.
- A region group contains multiple regions or region groups. Region groups can be configured and referenced by policies.

Configuring Services and Service Groups

- A service is a type of application protocol determined by a protocol type and a port number. A service group is a collection of services and service groups.
- Predefined service: a service that has been preset in the system by default and can be selected directly.
- User-defined service: a service defined by specifying certain information including the application protocol type (such as TCP, UDP, or ICMP) and port number.

Configuring Applications and Application Groups on the Web UI

- Applications are computer programs used for a special purpose or performing a special task. An application group is a collection of applications.

Configuring a Schedule on the Web UI

- A schedule can be referenced by a policy to match the traffic passing through a firewall during the schedule.

Configuring a Security Policy on the Web UI

- You can reference existing objects in a security policy.
Example for Configuring Security Policies

- Networking requirements
  - On an enterprise network, PCs in the 192.168.5.0/24 network segment are allowed to access the Internet, but PCs at 192.168.5.2, 192.168.5.3, and 192.168.5.6 in this network segment are not allowed to access the Internet.

[Figure: the intranet 192.168.5.0/24 in the Trust zone; the firewall's Untrust zone interface 1.1.1.1/24 faces the Internet]
Security Policy Configuration Process

[Flowchart]
Start
1. Create security zones
2. Configure interfaces
3. Configure user and authentication
4. Configure objects: address and address group, region and region group, service and service group, application and application group, user and user group, terminal device and terminal device group, schedule
5. Create profiles (optional): antivirus, intrusion prevention, URL filtering, data filtering, file blocking, application behavior control, mail filtering, APT defense
6. Configure the security policy
7. Save and commit
End
Key Configuration (Commands)

- Create a security policy rule that denies the access of special IP addresses to the Internet.

[NGFW]security-policy
[NGFW-policy-security]rule name celue
[NGFW-policy-security-rule-celue]source-zone trust
[NGFW-policy-security-rule-celue]destination-zone untrust
[NGFW-policy-security-rule-celue]source-address 192.168.5.2 32
[NGFW-policy-security-rule-celue]source-address 192.168.5.3 32
[NGFW-policy-security-rule-celue]source-address 192.168.5.6 32
[NGFW-policy-security-rule-celue]action deny

- Create a security policy rule that allows the 192.168.5.0/24 network segment to access the Internet.

[NGFW]security-policy
[NGFW-policy-security]rule name celue2
[NGFW-policy-security-rule-celue2]source-zone trust
[NGFW-policy-security-rule-celue2]destination-zone untrust
[NGFW-policy-security-rule-celue2]source-address 192.168.5.0 24
[NGFW-policy-security-rule-celue2]action permit
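The matching principle from the earlier slides applied to the two rules above, as an added Python model that is not Huawei code: rules are tried top-down, the first rule whose conditions all match decides, and unmatched traffic falls to the default deny. It also adds a shadowing check that is not on the page: it reports a rule that can never be reached because an earlier rule in the same interzone already covers all of its source addresses, which is what would happen here if celue2 were placed before celue. Function names are chosen for this example.

```python
import ipaddress

# Constructed example, not Huawei code: the two rules of the slide, in the order they were
# created (trust -> untrust), followed implicitly by the default policy whose action is deny.
def rule(name, src_zone, dst_zone, src_addrs, action):
    return {"name": name, "src_zone": src_zone, "dst_zone": dst_zone,
            "src_addrs": [ipaddress.ip_network(a) for a in src_addrs], "action": action}

POLICY = [
    rule("celue", "trust", "untrust",
         ["192.168.5.2/32", "192.168.5.3/32", "192.168.5.6/32"], "deny"),
    rule("celue2", "trust", "untrust", ["192.168.5.0/24"], "permit"),
]

def match_policy(policy, src_zone, dst_zone, src_ip):
    """First-packet check: return (rule name, action) of the first rule whose
    conditions all match, or ('default', 'deny') when no rule matches."""
    ip = ipaddress.ip_address(src_ip)
    for r in policy:
        if (r["src_zone"], r["dst_zone"]) != (src_zone, dst_zone):
            continue
        if any(ip in net for net in r["src_addrs"]):
            return r["name"], r["action"]
    return "default", "deny"

def shadowed_rules(policy):
    """Return (rule, shadowing rule) pairs: a later rule in the same interzone whose
    source addresses are all covered by an earlier rule can never be matched."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            same_zones = (earlier["src_zone"], earlier["dst_zone"]) == \
                         (later["src_zone"], later["dst_zone"])
            covered = all(any(n.subnet_of(e) for e in earlier["src_addrs"])
                          for n in later["src_addrs"])
            if same_zones and covered:
                found.append((later["name"], earlier["name"]))
    return found
```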

Key Configuration on the Web UI (1)

- Configure an address group named ip_deny.

Key Configuration on the Web UI (2)

- Configure a security policy to deny the access of the addresses in address group ip_deny to the Internet.

Key Configuration on the Web UI (3)

- Configure a security policy to allow access from the 192.168.5.0/24 network segment to the Internet.
Multi-channel Protocol Technology

- Single-channel protocol: uses only one port during communication. For example, WWW uses only port 80.
- Multi-channel protocol: uses two or more ports for communication. For example, FTP passive mode uses port 21 and a random port.

How can packet filtering alone precisely define the ports used by multi-channel protocols?

For protocols that use random ports, pure packet filtering cannot define the data flows.
ASPF Overview

- Application Specific Packet Filter (ASPF), as an advanced filtering technology, checks application-layer protocol information and monitors the status of the connected application-layer protocol. For all connections of a specified application protocol, ASPF maintains status information and dynamically determines whether to permit data packets to pass through the firewall or discard them.

ASPF monitors communication packets and dynamically creates and deletes filtering rules.
ASPF Supports Multi-channel Protocols

- ASPF is used to filter packets at the application layer.

[Figure: Host 10.0.0.1 and FTP Server 20.0.0.1 communicate over a control channel and a data channel. User 1 uses port 4952 to set up a data channel with user 2.]

Session table:
  FTP:10.0.0.1:4927 --> 20.0.0.1:21
  FTP:10.0.0.1:4926 --> 20.0.0.1:4952

Server-map table
-----------------------------------------------------------
Inside-Address :Port    Global-Address :Port    Pro   AppType    TTL       Left
-----------------------------------------------------------
---                     20.0.0.1 : 4952         tcp   FTP DATA   00:01:00  00:00:47
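The server-map mechanism shown above, as an added Python model that is not Huawei code: ASPF reads the FTP server's passive-mode reply on the control channel and admits the announced data port for the lifetime of the entry. The constructed reply (20,0,0,1,19,88) yields port 19*256+88 = 4952, matching the table; the check that the announced host equals the control-channel server is a defensive addition not stated on the slide. Class and function names are chosen for this example.

```python
import re

# Constructed example, not Huawei code: ASPF inspects the FTP control channel (port 21),
# learns the data-channel port from the server's PASV reply and installs a temporary
# server-map entry so the data connection is admitted without a static rule.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Return (ip, port) announced by a '227 Entering Passive Mode' reply, else None."""
    m = PASV_RE.search(line)
    if m is None:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:           # malformed reply: install nothing
        return None
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2

class Aspf:
    def __init__(self, ttl=60):
        self.ttl = ttl                          # server-map TTL, 00:01:00 on the slide
        self.server_map = {}                    # (ip, port) -> {"app": ..., "expires": t}

    def inspect_control(self, server, payload, now):
        """Inspect one control-channel payload sent by the FTP server (ip, port) and
        return the server-map entry created, or None."""
        if server[1] != 21:
            return None
        parsed = parse_pasv(payload)
        # Only accept a data port on the server we are already talking to; a reply
        # announcing another host would let the control session open a hole elsewhere.
        if parsed is None or parsed[0] != server[0]:
            return None
        self.server_map[parsed] = {"app": "FTP DATA", "expires": now + self.ttl}
        return parsed

    def admit_data(self, dst_ip, dst_port, now):
        """Return the AppType of a live server-map entry matching the first packet of a
        data connection, or None if the packet must go through normal policy matching."""
        entry = self.server_map.get((dst_ip, dst_port))
        if entry is None:
            return None
        if entry["expires"] <= now:             # entry aged out (Left reached 00:00:00)
            del self.server_map[(dst_ip, dst_port)]
            return None
        return entry["app"]
```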

Generation of Server Map

Server map entries are generated in four cases:
- Server map entries generated when the firewall forwards the traffic of multi-channel protocols, such as FTP and RTSP, after ASPF is configured
- Triplet server map entries generated when the firewall forwards the traffic of the Simple Traversal of UDP Through NAT (STUN) protocols, such as MSN and TFTP, after ASPF is configured
- Static server map entries generated when NAT server mapping is configured
- Dynamic server map entries generated when NAT No-PAT is configured
Support for Multi-channel Protocols by Port Identification

- Port identification maps non-standard protocol ports to identifiable application protocol ports.

[Figure: Host 10.0.0.1 and FTP Server 20.0.0.1 communicate over a control channel and a data channel; the firewall cannot tell what the application protocol of port 31 is]

- Configure a basic ACL.

[NGFW]acl 2000
[NGFW-acl-basic-2000]rule permit source 20.0.0.1 0

- Configure port identification (or port mapping).

[NGFW]port-mapping FTP port 31 acl 2000
Fragment Cache

- The fragment cache function is used to cache fragments that arrive before the first fragment in the flow. This function prevents the firewall from discarding fragments.

[Figure: fragments of one IP packet, all carrying identification 0x1234, each with a 20-byte header holding the flags, the fragment offset, the source IP address and the destination IP address. The first fragment (offset 0) carries the options and data 0; the Nth fragment (offset N) carries data N. The fragments may reach the firewall before the first fragment.]
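The fragment cache function described above, as an added Python model that is not Huawei code: fragments are grouped by source, destination and identification (0x1234 on the slide); non-first fragments that arrive early are held until the first fragment, which carries the header the security policy needs, has been checked, and are then released in offset order or dropped with it. The per-flow cap and the names Fragment, FragmentCache and policy_permits are choices made for this example.

```python
from collections import namedtuple

# Constructed example, not Huawei code. Fragments of one IP packet share the identification
# field (0x1234 on the slide); only the first fragment (offset 0) carries the transport
# header the security policy needs. Fragments that arrive before it are cached, not
# discarded, and released once the first fragment has been checked.
Fragment = namedtuple("Fragment", "src dst ident offset data")

class FragmentCache:
    def __init__(self, max_per_flow=8):
        self.max_per_flow = max_per_flow    # bound per flow so early fragments cannot fill memory
        self.waiting = {}                   # (src, dst, ident) -> fragments seen before the first
        self.verdict = {}                   # (src, dst, ident) -> "forward" or "drop"

    @staticmethod
    def flow(f):
        return (f.src, f.dst, f.ident)

    def handle(self, frag, policy_permits):
        """Return the fragments released for forwarding (an empty list if none)."""
        key = self.flow(frag)
        if key in self.verdict:                         # first fragment already checked
            return [frag] if self.verdict[key] == "forward" else []
        if frag.offset > 0:                             # arrived before the first fragment
            queue = self.waiting.setdefault(key, [])
            if len(queue) >= self.max_per_flow:
                return []                               # cache full for this flow: drop
            queue.append(frag)
            return []
        # First fragment: apply the security policy, then release whatever was cached.
        allowed = policy_permits(frag)
        self.verdict[key] = "forward" if allowed else "drop"
        cached = self.waiting.pop(key, [])
        if not allowed:
            return []
        return [frag] + sorted(cached, key=lambda f: f.offset)
```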

Persistent Connection

- Why are persistent connections required?
  - Aging mechanism of the firewall session table
  - Problems caused by the session aging mechanism to special services

If no data is transmitted within the session aging time, the session is disconnected.

[Figure: a session between a client and a database service through the firewall]
Quiz

1. In which of the following situations will server map entries be generated?
   A. NAT No-PAT is configured.
   B. NAT server mapping is configured.
   C. ASPF is configured.
   D. A persistent connection is configured.

2. A firewall has four default security zones, and the security levels of the zones cannot be changed.
   A. True
   B. False
Summary

- Principle of firewall packet filtering
- Principle of firewall forwarding
- Application scenarios and configuration methods of firewall security policies
Thank you.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.