Foreword
3 Huawei Confidential
Objectives
Contents
1. Firewall Overview
2. Principle of Firewall Forwarding
3. Firewall Security Policies and Application
4. ASPF
Firewall Features
(Diagram: a firewall placed between the intranet and the router; the labels call out the features listed below.)
Logical area filter
Hiding the intranet structure
Security assurance
Proactive defense against attacks
Firewall Classification
Firewalls are classified into the following types according to access control modes:
Packet filtering firewalls
Proxy firewalls
Stateful inspection firewalls
Firewall Classification: Packet Filtering Firewall
(Diagram: protocol stacks on each side of the firewall, with filtering applied at the IP layer.)
Firewall Classification: Proxy Firewall
1. Slow processing
2. Difficult upgrades
(Diagram: Internet PC, proxy firewall, intranet server. The PC sends a connection request; the proxy firewall sets up a connection with the client after the check; after the check succeeds, the connection to the server is set up.)
Firewall Classification: Stateful Inspection Firewall
(Diagram: TCP three-way handshake between Host 10.0.0.1 and Server 20.0.0.1 as tracked by the firewall; labels shown: SYN (seq=1134), SYN' (seq=2287), ACK (seq=1135), ACK' (seq=2288), ACK' (seq=30000).)
Firewall Networking Modes
(Diagram: two networking-mode topologies, each with an Untrust zone on top and a Trust zone below; interface addresses shown: 192.168.10.1/30, 192.168.10.2/30, 192.168.10.5/30, 192.168.10.129/30 and 192.168.10.133/30.)
Contents
1. Firewall Overview
2. Principle of Firewall Forwarding
3. Firewall Security Policies and Application
4. ASPF
Packet Filtering Technology
When receiving a packet, the firewall obtains the header, compares the header with specified rules, and
decides to forward or discard the packet.
The core technique for packet filtering is the access control list (ACL).
(Diagram: an intranet with Branch and HQ sites, and an unauthorized user outside.)
Firewall Security Policies
Definition
Security policies control traffic forwarding according to specified rules and apply integrated content
security detection to traffic.
The rules focus on packet filtering.
Major Applications
Security policies control network communication through the firewall.
Security policies control access to the firewall.
Firewall Security Policy Mechanism
Step 1: The incoming data flow passes through the firewall.
Step 2: The firewall searches for a matching security policy and determines whether to allow the next operation.
Step 3: The firewall processes the data packets according to the rules defined in the security policy.
Firewall security policies shown in the diagram:
Policy 0: Permit subsequent operations of A.
Policy 1: Deny subsequent operations of B.
Default policy operation
(Diagram: the mixed stream of A and B traffic entering the firewall and the stream of A traffic that leaves it.)
Firewall Interzone Forwarding
(Diagram: packet flow from the trust zone to the Untrust zone.)
Not the first packet: look up the session table.
A session is matched: perform the subsequent-packet process.
No session is matched: perform the first-packet process. The firewall queries the routing table and queries the interzone packet filtering rules based on the interzone and direction to which the interface belongs.
Policy 0: Permit packets from 192.168.168.0.
…
The default interzone packet filtering rule is deny.
Querying and Creating Sessions
(Flowchart with these steps: Query the session table; Is the session table matched?; Yes; No; Check whether a session can be created; Perform security check; Update the session table. Inputs to the session-creation check: Server-map table, Routing table, NAT.)
Stateful Inspection Mechanism
When the stateful inspection mechanism is enabled, a session can be created only when the first packet passes the
inspection performed by the firewall. Subsequent packets are forwarded based on the session.
When the stateful inspection mechanism is disabled, even if the first packet does not pass through the firewall,
subsequent packets can trigger the generation of a session as long as they pass through the firewall.
Session
(Diagram: Host 192.168.1.1:20000 communicates with Server 1.1.1.1:23. The first packet creates a session; later packets in either direction, client to server and server to client, match the session and the firewall allows them to pass.)
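The following Python is an added example, not Huawei code, that models the session-table behaviour described on the Querying and Creating Sessions, Stateful Inspection Mechanism and Session slides, and the session aging that the later Persistent Connection slide refers to. The first packet of a flow is checked against ordered rules (default deny) and creates a session keyed by the 5-tuple; later packets in either direction are forwarded by session lookup without a policy check; a session that carries no traffic within the aging time is removed; and with stateful inspection disabled a non-first packet may create a session as long as it passes the policy. The `Packet`, `Rule` and `Firewall` names, the rule set, the 60-second aging time and the packet arrival times are constructed assumptions; the host and server addresses are the slide's.

```python
"""Toy model of a stateful-inspection firewall's session table (added example,
not Huawei code). Addresses, ports, rules and arrival times are constructed
sample data, using host 192.168.1.1:20000 and server 1.1.1.1:23 from the slide."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    flags: str = ""      # "SYN" marks a TCP first packet, "ACK" a later one
    time: float = 0.0    # arrival time in seconds (constructed)


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst_net)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class Firewall:
    def __init__(self, rules, stateful=True, aging=60.0):
        self.rules = list(rules)
        self.stateful = stateful      # stateful inspection mechanism on/off
        self.aging = aging            # session aging time in seconds (assumed value)
        self.sessions = {}            # 5-tuple -> time the session was last refreshed

    @staticmethod
    def key(pkt):
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def reverse_key(pkt):
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def policy_action(self, pkt):
        """First matching rule wins; the default interzone rule is deny."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"

    def age_out(self, now):
        """Remove sessions that carried no traffic within the aging time."""
        self.sessions = {k: t for k, t in self.sessions.items() if now - t <= self.aging}

    def handle(self, pkt):
        self.age_out(pkt.time)
        # Subsequent-packet process: a hit in either direction refreshes the session.
        for k in (self.key(pkt), self.reverse_key(pkt)):
            if k in self.sessions:
                self.sessions[k] = pkt.time
                return "forward (session)"
        # First-packet process: with stateful inspection on, only a TCP SYN may open a session.
        if self.stateful and pkt.proto == "tcp" and pkt.flags != "SYN":
            return "drop (no session; not a first packet)"
        if self.policy_action(pkt) != "permit":
            return "drop (policy)"
        self.sessions[self.key(pkt)] = pkt.time
        return "forward (session created)"


def demo(stateful=True):
    """Run a constructed host/server exchange through the model and return the verdicts."""
    fw = Firewall([Rule("192.168.1.0/24", "1.1.1.1/32", 23, "permit")],
                  stateful=stateful, aging=60.0)
    packets = [
        Packet("192.168.1.1", 20000, "1.1.1.1", 23, flags="SYN", time=0.0),    # client -> server, first packet
        Packet("1.1.1.1", 23, "192.168.1.1", 20000, flags="ACK", time=1.0),    # server -> client reply
        Packet("192.168.1.1", 30000, "1.1.1.1", 80, flags="SYN", time=2.0),    # no rule permits port 80
        Packet("192.168.1.1", 20000, "1.1.1.1", 23, flags="ACK", time=100.0),  # arrives after the session aged out
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful inspection", "enabled" if mode else "disabled", demo(mode))
```

The reply from 1.1.1.1:23 is forwarded even though no rule permits traffic sourced from the server, because it matches the existing session in the reverse direction; that is the point of forwarding subsequent packets by session rather than by policy. The last packet shows the aging problem: after 99 idle seconds the session is gone, and with stateful inspection enabled a bare ACK cannot re-create it.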
Querying the Session Table
Display brief information about the firewall session table.
Contents
1. Firewall Overview
2. Principle of Firewall Forwarding
3. Firewall Security Policies and Application
4. ASPF
Security Policy Matching Principle
(Diagram: Trust and Untrust zones.)
Security Policy Matching Process
(Flowchart: security policy matching.)
Application of Security Policies
Security policy 1
Source address: any
Destination address: any
User: Marketing Dept.
Application: IM and Game
Action: deny
Security policy 2
Source address: any
Destination address: any
User: R&D Dept.
Protocol: HTTP
Action: permit
(Diagram: intranet 192.168.0.0/16 in the Trust zone containing the Marketing Dept. and the R&D Dept., with the Untrust zone on the other side of the firewall; policy 2 allows traffic to pass through, policy 1 denies traffic.)
Configuring a Security Zone on the Web UI
The system has four default security zones. If more security levels are needed, you can create a security zone and
define its security level.
Configuring a Security Policy on the Web UI
A security policy includes:
Matching conditions: Source security zone, destination security zone, source address, destination address, user,
service, application, and schedule
Action: Permit or deny
Content security profile (optional): Antivirus, intrusion prevention, URL filtering, file blocking, data filtering,
application behavior control, mail filtering, and APT defense
Configuring Addresses and Address Groups on the Web UI
An address object is a set of IPv4/IPv6 addresses or MAC addresses, and an address group is a set of address objects.
An address object contains one or more IPv4/IPv6 addresses or MAC addresses. It is a basic building block that can be
referenced by different policies (such as security policies and NAT policies).
Configuring Regions and Region Groups on the Web UI
A region is a set of public IP addresses in a certain area.
A region group contains multiple regions or region groups. Region groups can be configured and referenced by
policies.
Configuring Services and Service Groups
A service is a type of application protocol determined by a protocol type and a port number. A service group is a collection of
services and service groups.
Predefined service: A service that has been preset in the system by default and can be selected directly.
User-defined service: A service defined by specifying certain information including the application protocol type (such as TCP, UDP,
or ICMP) and port number.
Configuring Applications and Application Groups on the Web UI
Applications are computer programs used for a specific purpose or to perform a specific task. An
application group is a collection of applications.
Configuring a Schedule on the Web UI
A schedule can be referenced by a policy to match the traffic passing through a firewall during
the schedule.
Configuring a Security Policy on the Web UI
You can reference existing objects in a security policy.
Example for Configuring Security Policies
Networking Requirements
On an enterprise network, PCs in the 192.168.5.0/24 network segment are allowed to access the
Internet, but PCs at 192.168.5.2, 192.168.5.3, and 192.168.5.6 in this network segment are not
allowed to access the Internet.
(Diagram: intranet segment 192.168.5.0/24 behind the firewall; the Internet side is addressed 1.1.1.1/24.)
Security Policy Configuration Process
(Flowchart from Start to End, with a legend of mandatory sub-items and optional items; the optional items shown include Mail Filtering and APT Defense, followed by Save and commit.)
Key Configuration (Commands)
Create a security policy rule that denies Internet access from the specified IP addresses.
[NGFW]security-policy
[NGFW-policy-security]rule name celue
[NGFW-policy-security-rule-celue]source-zone trust
[NGFW-policy-security-rule-celue]destination-zone untrust
[NGFW-policy-security-rule-celue]source-address 192.168.5.2 32
[NGFW-policy-security-rule-celue]source-address 192.168.5.3 32
[NGFW-policy-security-rule-celue]source-address 192.168.5.6 32
[NGFW-policy-security-rule-celue]action deny
Create a security policy rule that allows the 192.168.5.0/24 network segment to access the Internet.
[NGFW]security-policy
[NGFW-policy-security]rule name celue2
[NGFW-policy-security-rule-celue2]source-zone trust
[NGFW-policy-security-rule-celue2]destination-zone untrust
[NGFW-policy-security-rule-celue2]source-address 192.168.5.0 24
[NGFW-policy-security-rule-celue2]action permit
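As an added example (not Huawei code and not part of the configuration above), the following Python parses the two rule bodies from this slide into ordered rules, evaluates a flow with first-match semantics and the default deny that the forwarding slides describe, and reports any rule that an earlier rule with the same zones already covers, which is what goes wrong if `celue2` is created before `celue`. The `parse_policy`, `match_policy` and `shadowed_rules` names are assumptions; the rule text is copied from the slide's CLI output, and the test flows are constructed.

```python
"""Ordered security-policy matching with shadow detection (added example,
not Huawei code). POLICY_TEXT is the rule text from the slide; everything
else is constructed."""
import ipaddress

# The two rules from the slide, in the order they were created (copied, not constructed).
POLICY_TEXT = """
rule name celue
 source-zone trust
 destination-zone untrust
 source-address 192.168.5.2 32
 source-address 192.168.5.3 32
 source-address 192.168.5.6 32
 action deny
rule name celue2
 source-zone trust
 destination-zone untrust
 source-address 192.168.5.0 24
 action permit
"""


def parse_policy(text):
    """Turn rule lines into a list of dicts, preserving creation order.
    "source-address A M" (address plus mask length) becomes an ip_network."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:2] == ["rule", "name"]:
            rules.append({"name": parts[2], "source_zone": None, "destination_zone": None,
                          "source_address": [], "action": None})
        elif parts[0] == "source-zone":
            rules[-1]["source_zone"] = parts[1]
        elif parts[0] == "destination-zone":
            rules[-1]["destination_zone"] = parts[1]
        elif parts[0] == "source-address":
            rules[-1]["source_address"].append(
                ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif parts[0] == "action":
            rules[-1]["action"] = parts[1]
    return rules


def match_policy(rules, src_zone, dst_zone, src_ip):
    """First matching rule wins; an empty source_address list means any;
    no match falls through to the default deny. Returns (rule name, action)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["source_zone"] != src_zone or r["destination_zone"] != dst_zone:
            continue
        if r["source_address"] and not any(ip in net for net in r["source_address"]):
            continue
        return r["name"], r["action"]
    return None, "deny"


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule with the same
    zone pair already covers every source address they list (or covers any)."""
    out = []
    for i, r in enumerate(rules):
        zones = (r["source_zone"], r["destination_zone"])
        earlier = [e for e in rules[:i] if (e["source_zone"], e["destination_zone"]) == zones]
        if not r["source_address"]:
            covered = any(not e["source_address"] for e in earlier)
        else:
            covered = all(
                any(not e["source_address"] or any(net.subnet_of(enet) for enet in e["source_address"])
                    for e in earlier)
                for net in r["source_address"])
        if covered:
            out.append(r["name"])
    return out


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    for ip in ("192.168.5.2", "192.168.5.10", "192.168.6.1"):
        print(ip, match_policy(rules, "trust", "untrust", ip))
    print("shadowed in slide order:", shadowed_rules(rules))
    print("shadowed if reversed:", shadowed_rules(list(reversed(rules))))
```

In the slide's order the three host addresses hit `celue` and are denied while the rest of 192.168.5.0/24 falls through to `celue2`; reversed, `celue2` matches first for every host in the segment and `celue` is reported as shadowed, so the three hosts would reach the Internet. A check like `shadowed_rules` is cheap to run before committing a policy change.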
Key Configuration on the Web UI (1)
Configure an address group named ip_deny.
Key Configuration on the Web UI (2)
Configure a security policy to deny the access of the addresses in address group ip_deny to the
Internet.
Key Configuration on the Web UI (3)
Configure a security policy to allow access from the 192.168.5.0/24 network segment to the
Internet.
Contents
1. Firewall Overview
2. Principle of Firewall Forwarding
3. Firewall Security Policies and Application
4. ASPF
Multi-channel Protocol Technology
Single-channel protocol: uses only one port during communication. For example, WWW uses
only port 80.
Multi-channel protocol: uses two or more ports for communication. For example, FTP passive
mode uses port 21 and a random port.
How can packet filtering alone precisely define the ports used by multi-channel protocols?
For protocols that use random ports, pure packet filtering cannot define the data flows.
ASPF Overview
Application Specific Packet Filter (ASPF), as an advanced filtering technology, checks
application-layer protocol information and monitors the status of the connected application-layer
protocol. For all connections of a specified application protocol, ASPF maintains status
information and dynamically determines whether to permit data packets to pass through the
firewall or discard data packets.
ASPF Supports Multi-channel Protocols
ASPF is used to filter packets at the application layer.
(Diagram: Host 10.0.0.1 and FTP Server 20.0.0.1 connected by a control channel and a data channel; user 1 uses port 4952 to set up a data channel with user 2.)
Server-map table
-----------------------------------------------------------
Inside-Address:Port   Global-Address:Port   Pro   AppType    TTL        Left
-----------------------------------------------------------
20.0.0.1:4952         ---                   tcp   FTP DATA   00:01:00   00:00:47
Generation of Server Map
Server map entries are generated when the firewall forwards the traffic of multi-channel protocols, such as FTP and RTSP, after ASPF is configured.
Triplet server map entries are generated when the firewall forwards the traffic of Simple Traversal of UDP Through NAT (STUN) protocols, such as MSN and TFTP, after ASPF is configured.
Support for Multi-channel Protocols by Port Identification
Port identification maps non-standard protocol ports to identifiable application protocol ports.
[NGFW]acl 2000
[NGFW-acl-basic-2000]rule permit source 20.0.0.1 0
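The following Python is an added example, not Huawei code, that models the ASPF behaviour described on the ASPF Overview, ASPF Supports Multi-channel Protocols, Generation of Server Map and Port Identification slides. It watches the FTP control channel, extracts the data-channel endpoint announced in a PASV reply or a PORT command, records it as a server-map entry with a TTL, and then permits the first packet of the matching data channel even though no static rule covers the random port. The `AspfFirewall` class, its `add_port_identification` method (a hypothetical stand-in for binding an ACL such as `acl 2000` to a non-standard FTP port; the slide does not show that command) and the rule that a server-map entry is consumed once used are assumptions; the control-channel messages are constructed, with the PASV reply chosen so that the entry is 20.0.0.1:4952 as in the slide's table.

```python
"""ASPF-style FTP control-channel inspection and server-map table (added
example, not Huawei code). Messages, TTL and the port-identification
binding are constructed assumptions."""
import ipaddress
import re

# FTP announces data-channel endpoints as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)


def parse_ftp_endpoint(line):
    """Return (ip, port) announced by a PASV reply or a PORT command, else None."""
    m = PASV_RE.search(line) or PORT_RE.match(line)
    if not m:
        return None
    a, b, c, d, hi, lo = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo


class AspfFirewall:
    def __init__(self, ttl=60):
        self.ttl = ttl                # lifetime of a server-map entry in seconds (assumed)
        self.port_ids = []            # (network, port) pairs treated as FTP control channels
        self.server_map = {}          # ("tcp", ip, port) -> {"app": ..., "left": seconds}

    def add_port_identification(self, acl_net, port):
        """Hypothetical equivalent of mapping a non-standard port to FTP for hosts in acl_net."""
        self.port_ids.append((ipaddress.ip_network(acl_net), port))

    def is_ftp_control(self, server_ip, server_port):
        if server_port == 21:
            return True
        ip = ipaddress.ip_address(server_ip)
        return any(ip in net and server_port == p for net, p in self.port_ids)

    def inspect_control(self, server_ip, server_port, line):
        """Inspect one control-channel message; return the server-map key created, if any."""
        if not self.is_ftp_control(server_ip, server_port):
            return None
        endpoint = parse_ftp_endpoint(line)
        if endpoint is None:
            return None
        key = ("tcp",) + endpoint
        self.server_map[key] = {"app": "FTP DATA", "left": self.ttl}
        return key

    def first_packet(self, proto, dst_ip, dst_port):
        """First-packet process for a flow that no static rule permits:
        a server-map hit opens the data channel, otherwise the default deny applies."""
        entry = self.server_map.pop((proto, dst_ip, dst_port), None)  # consumed on use (assumption)
        if entry:
            return f"permit by server-map ({entry['app']})"
        return "deny by default interzone rule"

    def tick(self, seconds):
        """Count down the TTL of every entry and drop the expired ones."""
        for key in list(self.server_map):
            self.server_map[key]["left"] -= seconds
            if self.server_map[key]["left"] <= 0:
                del self.server_map[key]


def demo():
    """Constructed exchange: the data channel is denied until ASPF sees the PASV reply."""
    fw = AspfFirewall(ttl=60)
    verdicts = [fw.first_packet("tcp", "20.0.0.1", 4952)]       # before inspection
    fw.inspect_control("20.0.0.1", 21, "227 Entering Passive Mode (20,0,0,1,19,88).")
    verdicts.append(fw.first_packet("tcp", "20.0.0.1", 4952))   # server-map entry permits it
    verdicts.append(fw.first_packet("tcp", "20.0.0.1", 4952))   # entry already consumed
    return verdicts


if __name__ == "__main__":
    print(demo())
```

With the control channel on a non-standard port, `inspect_control` ignores the PASV reply until `add_port_identification` tells the model to treat that port as FTP, which is the role port identification plays on the slide. The `tick` method stands in for the TTL and Left columns of the server-map table: an entry that is not used before its TTL runs out is removed and the data-channel first packet falls back to the default deny.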
Fragment Cache
The fragment cache function is used to cache fragments that arrive before the first fragment in
the flow. This function prevents the firewall from discarding fragments.
(Diagram: IPv4 packets with a 20-byte header; the fragment flag bits shown are 0 0 0, 0 0 1 and 0 0 0.)
Persistent Connection
Why are persistent connections required?
Aging mechanism of the firewall session table
Problems caused by the session aging mechanism to special services
If no data is transmitted within the session aging time, the session is disconnected.
C. ASPF is configured.
2. A firewall has four default security zones, and the security levels of the zones cannot be changed.
A. True
B. False
Summary
Thank you. Bring digital to every person, home, and organization for a fully connected, intelligent world.