1. The main function of the firewall is to achieve network isolation and access control
1) Untrusted zone: generally the Internet
2) Trusted zone: generally the intranet
3) DMZ zone: where publicly reachable servers are placed; it accepts access from outside but does not actively initiate access to the outside
ASPF: application-layer (stateful) packet filtering, described in section 5
2. SecPath Firewall Architecture
Models:
SecBlade: firewall card (service module)
SecPath F100-C
SecPath F100-S
SecPath F100-M
SecPath F100-A-S
SecPath F100-A
SecPath F100-E
SecPath F1000-M
SecPath F1000-S
SecPath F1000-A
SecPath F1000-E: 1,000,000 concurrent connections, 50,000 new connections per second, 10 Gbps throughput
3. Security Zone
On the H3C SecPath firewall, whether traffic is outbound or inbound is always determined relative to the higher-priority zone: traffic flowing from a high-priority zone to a low-priority zone is outbound, and traffic flowing from a low-priority zone to a high-priority zone is inbound.
Basic security zone configuration consists of:
1) Creating a security zone
2) Entering the security zone view
3) Entering the interzone view
4) Adding an interface to the security zone
5) Setting the priority of the security zone
By default, no interface belongs to any security zone.
An interface can belong to only one security zone. Before an interface is added to a security zone it must not already belong to another zone; if it does, it must first be removed from that zone.
By default the system-defined zones have the following priorities: Local 100, Trust 85, DMZ 50, Untrust 5. The priorities of these system-defined zones cannot be changed; only custom zones take a user-assigned priority.
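The five steps above as a single configuration session. This is an added example, not part of the original notes; it assumes the Comware V5 style SecPath CLI (firewall zone / add interface / set priority / firewall interzone), and the custom zone name "servers", the priority 60 and the interface numbers are illustrative placeholders.

```text
# Added example, assumed Comware V5 SecPath syntax; zone name, priority and
# interface names are placeholders.
system-view
#
# Steps 1, 2, 5, 4: create a custom zone, enter its view, give it a priority
# (a new custom zone has no usable priority until one is set), add an interface.
firewall zone name servers
 set priority 60
 add interface GigabitEthernet0/2
 quit
#
# System-defined zones already exist with fixed priorities (local 100, trust 85,
# dmz 50, untrust 5); "set priority" is not accepted in their views. An interface
# may be in only one zone, so remove it from its old zone before re-adding it.
firewall zone trust
 add interface GigabitEthernet0/0
 quit
firewall zone untrust
 add interface GigabitEthernet0/1
 quit
firewall zone dmz
 add interface GigabitEthernet0/3
 quit
#
# Step 3: enter the interzone view. Direction is relative to the higher-priority
# zone: trust (85) -> servers (60) is outbound, servers -> trust is inbound.
firewall interzone trust servers
 quit
#
# Check the result: zone membership and priorities, and the interzone pairs.
display zone
display interzone
```

If "add interface" is refused, the interface is still a member of another zone; check "display zone" and remove it there first.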
4. ACL
Basic access control list (numbers 2000-2999): packets are distinguished only by their source IP address.
Advanced access control list (numbers 3000-3999): rules can be defined on the source address, the destination address, the protocol carried by IP, and protocol-specific fields such as TCP/UDP source and destination ports and ICMP type and code.
Interface-based access control list (numbers 1000-1999): packets are distinguished by the interface on which they are received.
MAC-based access control list (numbers 4000-4999): rules are defined on Layer 2 fields such as source and destination MAC address and Ethernet frame type.
5. Packet Filtering Technology
Packet filtering means that for every packet the firewall is about to forward, it first extracts the packet header information, then compares it against the configured rules, and forwards or discards the packet according to the result of the comparison.
Problems with plain ACL packet filtering:
For multi-channel application-layer protocols (such as FTP, which negotiates a separate data channel), the ports of the secondary channel cannot be predicted, so a static security policy cannot be written for them.
Some attacks originating at the application layer cannot be detected (e.g. TCP SYN floods, hostile Java applets).
ASPF (stateful firewall)
ASPF (Application Specific Packet Filter) is a packet filter that works at both the application layer and the transport layer; it filters messages based on connection state.
Application-layer protocols ASPF can inspect include FTP, HTTP, SMTP, RTSP and H.323 (Q.931, H.245, RTP/RTCP); at the transport layer ASPF provides generic TCP and UDP inspection.
Session state table: a session can be thought of as one TCP connection. The session entry is created when the first packet of an outgoing connection is detected, i.e. on the first SYN packet, and is removed when the connection closes or times out.
Temporary access control table: for each session ASPF creates temporary access control entries that permit the returning packets (and, for multi-channel protocols, the negotiated data channel); these entries live only as long as the session and are deleted with it.
Principle of transport-layer protocol detection:
Application-layer protocol detection takes precedence over transport-layer detection. Generic TCP/UDP detection requires that a packet entering the interface exactly match a packet that previously left the interface, i.e. source and destination addresses and port numbers must correspond exactly (with source and destination swapped); otherwise the returning packet is discarded.
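A packet filter and an ASPF policy applied together in one interzone, tying section 4 (ACL types) to section 5 (why plain filtering fails for FTP and how ASPF's temporary entries let replies back in). This is an added example, not from the original notes; it assumes the Comware V5 SecPath CLI (acl number, firewall packet-filter, aspf-policy, firewall interzone), and the addresses, ACL numbers and policy number are illustrative placeholders.

```text
# Added example, assumed Comware V5 SecPath syntax; addresses, ACL and policy
# numbers are placeholders.
system-view
firewall packet-filter enable
firewall packet-filter default deny
#
# Basic ACL (2000-2999): matches on source address only. Shown for contrast;
# it cannot express "only port 80 on this server".
acl number 2001
 rule 0 permit source 10.1.1.0 0.0.0.255
 rule 5 deny
 quit
#
# Advanced ACL (3000-3999): source, destination, protocol and port. Intranet hosts
# may reach the DMZ web server on 80 and the FTP server's control port 21. No rule
# can be written for the FTP data channel because its port is negotiated later.
acl number 3001
 rule 0 permit tcp source 10.1.1.0 0.0.0.255 destination 192.168.100.10 0 destination-port eq 80
 rule 5 permit tcp source 10.1.1.0 0.0.0.255 destination 192.168.100.20 0 destination-port eq 21
 rule 10 deny ip
 quit
#
# ASPF policy: application-layer detection for FTP (reads the control channel and
# opens a temporary entry for the negotiated data channel), generic TCP/UDP
# detection for the other allowed sessions (replies must match the outgoing
# session's addresses and ports exactly, otherwise they are dropped).
aspf-policy 1
 detect ftp
 detect tcp
 detect udp
 quit
#
# trust (85) is the higher-priority zone, so trust -> dmz is outbound. The ACL
# screens the outbound requests; ASPF tracks them and its temporary entries admit
# the inbound replies even though no inbound packet filter permits them.
firewall interzone trust dmz
 packet-filter 3001 outbound
 aspf-policy 1 outbound
 quit
#
# Check: live sessions and the temporary entries ASPF created for them.
display aspf session
```

If replies from the DMZ are being dropped, confirm the ASPF policy is applied in the same direction as the packet filter (outbound here); applying it only inbound never sees the first SYN, so no session entry is ever created.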
6. Deploying a Security Firewall