ODF010001 Firewall System Overview
ISSUE 1.1
www.huawei.com
References
Eudemon Series Firewall Operation Manual
Eudemon Series Firewall Command Manual
Packet filtering firewall
[Figure: an attacker's traffic passes through the firewall; of the application, TCP, IP and network interface layers the firewall examines only the IP header.]
1. Packet payload is not inspected.
2. No connection state table is built.
3. Successive packets are not correlated with each other.
4. Application-layer control is weak.
5. Only ports 1-1024 are filtered.
Packet filtering firewall with connection state table
[Figure: same layering; the firewall still examines only the IP header, but keeps a connection state table at the TCP layer.]
1. Packet payload is not inspected.
2. A connection state table is built.
3. Successive packets are correlated with each other.
4. Application-layer control is weak.
5. Can filter ports 1-65535.
Application gateway
[Figure: the firewall terminates the connection and processes the traffic at the application layer; only the application data is inspected.]
Stateful inspection firewall
[Figure: the firewall keeps a connection state table at the TCP layer and inspects the whole packet, header and data, across all layers.]
Comparison of Firewalls
Columns compared: general security, network-layer protection, application-layer protection, performance, processing object. Only the processing-object column survived extraction:
Packet filter                          packet header
Packet filter with state table         packet header
Application gateway                    packet data
Stateful inspection                    whole packet
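The difference between the first two firewall types above, as an added example rather than code from these slides: a header-only filter with no memory beside one that keeps a connection state table. Hosts, ports and the traffic sequence are constructed; the "looks like a reply" test in the stateless filter mirrors the classic established-connections ACL, which is the only way a memoryless filter can let replies to internal clients back in.

```python
"""Header-only packet filter beside a stateful one (added example, not code
from the Huawei slides). Hosts, ports and the traffic sequence are constructed."""
from dataclasses import dataclass

INSIDE_PREFIX = "10."      # constructed: addresses of the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset       # TCP flag names, e.g. {"SYN", "ACK"}


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt):
    """Examines only the header of the packet in hand and remembers nothing.
    To let replies to internal clients back in, it has to admit any inbound
    packet that merely looks like a reply (ACK bit set, high destination
    port), the classic 'established' ACL. An ACK-flagged probe from outside
    satisfies that test just as well as a real reply does."""
    if is_inside(pkt.src):
        return "permit"                       # outbound: always allowed
    if "ACK" in pkt.flags and pkt.dport >= 1024:
        return "permit"                       # looks like a reply
    return "deny"


class StatefulFilter:
    """Keeps a connection table keyed by the outbound 4-tuple, so successive
    packets are correlated: an inbound packet is admitted only when it is the
    reverse half of a connection an inside host opened."""

    def __init__(self):
        self.table = set()

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_inside(pkt.src):
            if pkt.flags == frozenset({"SYN"}):
                self.table.add(fwd)           # new outbound connection
                return "permit"
            if fwd in self.table:
                if "RST" in pkt.flags:
                    self.table.discard(fwd)   # aborted; full FIN tracking omitted
                return "permit"
            return "deny"                     # inside host, no known connection
        if rev in self.table:
            if "RST" in pkt.flags:
                self.table.discard(rev)
            return "permit"                   # genuine reply
        return "deny"                         # unsolicited, including ACK probes


def run_scenario():
    """Constructed traffic: an inside client opens a connection to a web
    server, the server replies, then an outside attacker sends an ACK-only
    probe and a plain SYN at the client. Returns (label, stateless verdict,
    stateful verdict) per packet."""
    traffic = [
        ("client SYN",
         Packet("10.0.0.5", 40001, "203.0.113.10", 80, frozenset({"SYN"}))),
        ("server SYN/ACK",
         Packet("203.0.113.10", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))),
        ("ACK probe",
         Packet("198.51.100.7", 4444, "10.0.0.5", 40002, frozenset({"ACK"}))),
        ("attacker SYN",
         Packet("198.51.100.7", 4445, "10.0.0.5", 22, frozenset({"SYN"}))),
    ]
    stateful = StatefulFilter()
    return [(label, stateless_filter(p), stateful.filter(p)) for label, p in traffic]


if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:15} stateless={stateless:6} stateful={stateful}")
```

Both filters stop the plain SYN, but only the stateful one stops the ACK probe, because it checks the packet against a connection the inside host actually opened instead of against what the header claims.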
Trend of Firewalls
1. Software firewall: an application program installed on a PC, such as CheckPoint and Symantec.
2. Software-hardware firewall: PC + general-purpose OS + firewall program module. Linux, FreeBSD, Solaris or a similar system runs on the hardware platform with the firewall software on top. Because it is built on a shared system bus, shared interfaces and CPU and, moreover, ordinary Ethernet cards, performance cannot be increased greatly, so it differs little from the previous type.
3. Hardware firewall: independent hardware architecture, with the CPU, power supply, fan, PCI bus and expansion slots designed for the purpose. Generally designed around ASIC, NP or FPGA to guarantee the best performance and reliability.
Security Zone
[Figure: the four security zones. Untrust zone: external networks. Trust zone: internal networks. DMZ zone: servers reachable from outside. Local zone: the firewall itself. On the Eudemon the default zone priorities are Local 100, Trust 85, DMZ 50 and Untrust 5.]
[Figure: each physical interface is bound to one security zone. Interface1 connects the external networks (Untrust zone), Interface3 the internal networks (Trust zone); Interface4 and Interface5 also appear, together with the Local zone.]
[Figure: inbound and outbound directions. The internal network (Trust) and the external network (Untrust, via Eth1/0/0) are connected through the firewall, with servers in the DMZ. Traffic from a higher-priority zone to a lower-priority zone is outbound; traffic from a lower-priority zone to a higher-priority zone is inbound.]
The firewall provides a single channel for data flowing from one zone to another, and permits, denies, supervises and logs that flow according to the security policy the administrator has configured.
Matching rules
[Figure: a packet is matched against the rule list in order. Criteria: source IP address, destination IP address, source port number, destination port number, time range, protocol, MAC address, user. Sample rule list shown:
  list 192.168.1.3 to 202.2.33.2
  nat 192.168.3.0 to any pass
  202.1.2.3 to 192.168.1.3 block
  default pass]
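The interzone policy evaluation described on the last two slides, as an added example (not the Eudemon implementation): the direction of a flow is derived from the priorities of the zones its ingress and egress interfaces belong to, and the rule list is walked in order with the first match winning. The zone priorities are the Eudemon defaults; the interface-to-zone binding, addresses, rule names and the office-hours window are assumptions constructed for the example, with the rule list kept in the spirit of the figure's sample.

```python
"""Interzone policy evaluation (added example, not the Eudemon implementation).
Zone priorities are the Eudemon defaults; interfaces, addresses, rule names
and the time window are constructed for the example."""
import ipaddress
from datetime import datetime, time

ZONE_PRIORITY = {"Local": 100, "Trust": 85, "DMZ": 50, "Untrust": 5}

# constructed binding of interfaces to zones, in the spirit of the slide's figure
INTERFACE_ZONE = {"Interface1": "Untrust", "Interface3": "Trust", "Interface4": "DMZ"}


def direction(src_zone, dst_zone):
    """Higher-priority zone to lower-priority zone is outbound, the reverse
    is inbound; traffic within one zone is intrazone."""
    if src_zone == dst_zone:
        return "intrazone"
    return "outbound" if ZONE_PRIORITY[src_zone] > ZONE_PRIORITY[dst_zone] else "inbound"


def rule(name, src, dst, action, dirn=None, proto="any", dport=None, hours=None):
    """One policy rule. Unset criteria match anything."""
    return {"name": name, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "action": action, "dirn": dirn,
            "proto": proto, "dport": dport, "hours": hours}


# Ordered rule list in the spirit of the figure's sample: first match wins.
RULES = [
    rule("host-to-partner", "192.168.1.3/32", "202.2.33.2/32", "pass", dirn="outbound"),
    rule("block-known-bad", "202.1.2.3/32", "192.168.1.3/32", "block", dirn="inbound"),
    rule("lan-web-hours", "192.168.3.0/24", "0.0.0.0/0", "pass", dirn="outbound",
         proto="tcp", dport=80, hours=(time(8, 0), time(18, 0))),
]


def matches(r, flow, dirn, now):
    if r["dirn"] is not None and r["dirn"] != dirn:
        return False
    if ipaddress.ip_address(flow["src"]) not in r["src"]:
        return False
    if ipaddress.ip_address(flow["dst"]) not in r["dst"]:
        return False
    if r["proto"] != "any" and r["proto"] != flow["proto"]:
        return False
    if r["dport"] is not None and r["dport"] != flow["dport"]:
        return False
    if r["hours"] is not None and not (r["hours"][0] <= now.time() < r["hours"][1]):
        return False
    return True


def evaluate(flow, now, default="block"):
    """Returns (action, rule name, direction). The figure's sample list ends
    in 'default pass'; the default here is 'block', because an open default
    turns every flow nobody wrote a rule for into a permitted one."""
    dirn = direction(INTERFACE_ZONE[flow["in_if"]], INTERFACE_ZONE[flow["out_if"]])
    for r in RULES:
        if matches(r, flow, dirn, now):
            return r["action"], r["name"], dirn
    return default, "default", dirn


def flow(in_if, out_if, src, dst, proto="tcp", dport=80):
    return {"in_if": in_if, "out_if": out_if, "src": src, "dst": dst,
            "proto": proto, "dport": dport}


def scenario():
    """Constructed flows: the two sample rules, the time-ranged rule inside
    and outside its window, and an unlisted inbound SSH attempt under both
    default actions."""
    office_hours = datetime(2024, 1, 8, 10, 0)
    night = datetime(2024, 1, 8, 22, 0)
    ssh = flow("Interface1", "Interface3", "203.0.113.9", "192.168.1.3", dport=22)
    return [
        evaluate(flow("Interface3", "Interface1", "192.168.1.3", "202.2.33.2", dport=443), office_hours),
        evaluate(flow("Interface1", "Interface3", "202.1.2.3", "192.168.1.3"), office_hours),
        evaluate(flow("Interface3", "Interface1", "192.168.3.7", "203.0.113.5"), office_hours),
        evaluate(flow("Interface3", "Interface1", "192.168.3.7", "203.0.113.5"), night),
        evaluate(ssh, night),
        evaluate(ssh, night, default="pass"),
    ]


if __name__ == "__main__":
    for result in scenario():
        print(result)
```

The last two evaluations are the same packet: with the figure's "default pass" the unlisted SSH attempt from the Untrust zone is admitted, with a closed default it is blocked, which is why the default entry deserves as much attention as the explicit rules.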
[Figure: intrusion response flow. Recognize the intrusion, then either send an announcement packet, or send a disconnect (link reset) response or an alarm packet.]
[Figure: virus inspection flow. Received data: authenticate the packet and decide the action, inspect for viruses, recover the file, then forward it as sent data.]
Support trunk
[Figure: the firewall sits between Switch1 and Switch2 on VLAN trunk links; in this topology the firewall does not work without trunk support.]
All rights reserved
[Figure: the firewall authenticates users against a RADIUS server.]
i3 SAFE
i: intelligence, integrated, individuality
3: three dimensions, network layer, space and time, end to end
SAFE: Safe Architecture for eNET
Reliability
Requirement: a firewall is generally placed at a key position in the network, so a failure has extremely bad consequences, especially where it carries multiple services (e.g. NGN). The firewall is therefore required to be highly reliable: a redundant power supply system, hot-swappable interface modules, power supply modules and fans, and a reliable hot standby system.
Problem: some old-generation firewalls support neither redundant power supply nor hot swapping.
Transparent mode
[Figure: the firewall bridges the internal network and the Internet on the same IP segment. No IP address needs to be configured on the firewall interfaces on either side, and the hosts of the internal network need no reconfiguration.]
Routing mode
[Figure: the firewall interfaces carry IP addresses and it provides a simple routing function, similar to a router, between the internal network and the Internet.]
Hybrid mode
[Figure: hot standby. EudemonA (master) and EudemonB (backup) each connect to the Trust, DMZ and Untrust zones through hubs on interfaces A1-A4 and B1-B4; solid lines are physical links, dashed lines the data channel.]
                      Transparent mode             Routing mode              Hybrid mode
Usage occasion        No routing needed; sits      Routing is required       Typical usage is HRP
                      between CE and PE                                      under transparent mode
Resource consumption  Runs at layer 2, little      Runs at layer 3, large    Between the previous two
Remarks
Log analysis
1. No log.
2. Communication log: the traditional log. Records source IP address, destination IP address, source port number, destination port number, connection duration, protocol, permit or deny, etc.
3. Application-layer command log: records not only the communication log but also the commands and parameters of the application layer, e.g. HTTP requests and the websites requested.
4. Access log: records not only the communication log but also the server resources the subscriber has accessed. The difference from the application-layer command log is that the latter saves a quantity of data the administrator may not need, e.g. the parameter negotiation procedure, whereas the access log saves only the action of reading or writing files in the FTP service.
5. Content log: records not only the whole application-layer command log but also the transmitted content, e.g. the e-mail or web pages the subscriber has sent or accessed. Not all firewall products provide this kind of log, because it touches on users' private data to some extent.
6. Log analysis tools: automatically build tables for the administrator and point out possible vulnerabilities in the network.
HUAWEI TECHNOLOGIES CO., LTD.
[Figures: the same HTTP exchange between a client (request) and www.huawei.com (response), showing what each log type captures: communication log, command log, access log, content log.]
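An added example of the log analysis tool the sixth item above describes, not a Huawei tool: it parses communication-log records, builds the per-source table an administrator would look at, and reports two patterns worth flagging. The record format and the log lines are constructed for the example; the binary log format the summary mentions is not documented on this page.

```python
"""Communication-log analysis (added example, not a Huawei tool). The record
format and the records are constructed; the binary log format the summary
slide mentions is not documented on the page."""
from collections import defaultdict

INSIDE_PREFIX = "10."   # constructed: addresses of the internal network

# constructed communication log:
# time src sport dst dport proto duration(s) action
SAMPLE_LOG = """\
10:00:01 10.0.0.5 40001 203.0.113.10 80 tcp 12 permit
10:00:03 198.51.100.7 4444 10.0.0.5 21 tcp 0 deny
10:00:03 198.51.100.7 4445 10.0.0.5 22 tcp 0 deny
10:00:03 198.51.100.7 4446 10.0.0.5 23 tcp 0 deny
10:00:04 198.51.100.7 4447 10.0.0.5 25 tcp 0 deny
10:00:04 198.51.100.7 4448 10.0.0.5 80 tcp 3 permit
10:00:04 198.51.100.7 4449 10.0.0.5 110 tcp 0 deny
10:00:04 198.51.100.7 4450 10.0.0.5 443 tcp 0 deny
10:00:09 10.0.0.8 5001 203.0.113.20 25 tcp 1 permit
10:00:09 10.0.0.8 5002 203.0.113.21 25 tcp 1 permit
10:00:10 10.0.0.8 5003 203.0.113.22 25 tcp 1 permit
10:00:10 10.0.0.8 5004 203.0.113.23 25 tcp 1 permit
10:00:10 10.0.0.8 5005 203.0.113.24 25 tcp 1 permit
10:00:11 10.0.0.8 5006 203.0.113.25 25 tcp 1 permit
"""

FIELDS = ("time", "src", "sport", "dst", "dport", "proto", "duration", "action")


def parse(text):
    """One dict per record; malformed lines are skipped rather than aborting."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("sport", "dport", "duration"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def tabulate(records):
    """The per-source table a log analysis tool builds for the administrator."""
    table = defaultdict(lambda: {"permit": 0, "deny": 0, "dports": set(), "dsts": set()})
    for r in records:
        row = table[r["src"]]
        row[r["action"]] += 1
        row["dports"].add(r["dport"])
        row["dsts"].add(r["dst"])
    return table


def findings(records, scan_ports=5, fanout_hosts=5):
    """Flags (kind, source, count). A port scan is one source touching many
    ports with mostly denied connections; a fan-out is an inside host opening
    connections to many hosts on one port, typical of a worm or spam bot."""
    out = []
    for src, row in tabulate(records).items():
        if len(row["dports"]) >= scan_ports and row["deny"] > row["permit"]:
            out.append(("port-scan", src, len(row["dports"])))
        if (src.startswith(INSIDE_PREFIX) and len(row["dports"]) == 1
                and len(row["dsts"]) >= fanout_hosts):
            out.append(("fan-out", src, len(row["dsts"])))
    return out


def analyze(text):
    return findings(parse(text))


if __name__ == "__main__":
    for kind, src, n in analyze(SAMPLE_LOG):
        print(f"{kind:10} {src:15} {n}")
```

Both findings come out of the communication log alone, the fields listed in item 2; the thresholds are deliberately parameters, because what counts as a scan on a busy perimeter differs from what counts on a branch link.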
Latency
Definition: the time interval from the last bit entering at the ingress to the first bit leaving at the egress.
Scale: latency is the measure of how fast the firewall processes data.
[Figure: a Smartbits 6000B tester sends packets through the firewall and measures the interval from the entry of the last bit to the exit of the first bit; a packet arriving late counts against the firewall.]
Parallel connections
[Figure: the tester opens many connections in parallel through the firewall to measure how many concurrent connections it sustains.]
Summary
Advanced architecture based on NP; high reliability and performance
Routing mode, transparent mode and hybrid mode
ASPF built in: complete detection based on stateful inspection
Powerful NAT and ALG
Reliable defence against a variety of attacks
High-efficiency ACL filtering
Powerful traffic supervision and limiting, especially P2P traffic control
Highly reliable power backup system, hot swapping and hot-standby redundancy protocol
Enhanced logging in binary format
[Figure: the headquarters firewall connects regional branches A and B and city branches A and B over DDN/FR links.]
[Figure: a branch connected over DDN/FR, with authentication, authorization and accounting at the firewall.]
[Figure: the firewall at the Internet and DDN edge of a branch stops crackers, viruses and unauthorized access; the figure also carries the label "Unique code".]
Limitations
Cannot provide timely inspection and recovery for a new
Questions
What kinds of zones can be configured on the firewall?
What is the priority of each?
What are the basic functions of a firewall?
Thank You