
Internal

ODF010001 Firewall
System Overview
ISSUE 1.1

HUAWEI TECHNOLOGIES CO., LTD.

www.huawei.com

All rights reserved

These slides give a brief introduction to the basics of firewall products: zone concepts, basic functions and features, working modes, test performance parameters, typical cases and essential limitations.


References
Eudemon Series Firewall Operation Manual
Eudemon Series Firewall Command Manual


Upon completion of this course, you will be able to:
Be familiar with basic firewall concepts
Know the typical network deployments of a firewall
Understand the meaning of firewall performance parameters


Chapter 1 Background of Firewall
Chapter 2 Zone concepts
Chapter 3 Basic function and features, working mode
Chapter 4 Test performance parameters
Chapter 5 Typical cases and essential limitations


Chapter 1 Background of Firewall
1.1 Simple Packet Filtering
1.2 State Detect Packet Filtering
1.3 Application Gateway
1.4 State Detect and Application Gateway


Simple Packet Filtering

[Figure: the attacker's and the firewall's protocol stacks (application, TCP, IP and network interface layers); a simple packet filter inspects only the IP header, so an attack carried in the data passes through.]

1, Does not inspect the packet data
2, Does not build a connection state table
3, No correlation between successive packets
4, Weak control of the application layer
5, Filters only ports 1-1024

State Detect Packet Filtering

[Figure: same protocol stacks; the firewall still inspects only the IP header but additionally builds a connection state table, so an attack carried in the data still passes through.]

1, Does not inspect the packet data
2, Builds a connection state table
3, Correlates successive packets of a connection
4, Weak control of the application layer
5, Can filter ports 1-65535

Application Gateway

[Figure: same protocol stacks; the application gateway inspects only the application data, not the headers.]

1, Does not inspect the IP and TCP headers
2, Does not build a connection state table
3, Weak control of the application layer

State Detect and Application Gateway

[Figure: same protocol stacks; the firewall inspects the whole packet and builds a connection state table, so the attack is stopped.]

1, Inspects the whole packet
2, Builds a connection state table when necessary
3, Powerful control of the network layer
4, Detailed control of the application layer

Comparison of Firewalls

Firewall type                         | General  | Network layer | Application layer | Performance | Processing
                                      | security | protection    | protection        |             | objects
--------------------------------------+----------+---------------+-------------------+-------------+--------------
Simple Packet Filtering               |          |               |                   |             | Packet head
State Detect Packet Filtering         |          |               |                   |             | Packet head
Application Gateway                   |          |               |                   |             | Packet data
State Detect and Application Gateway  |          |               |                   |             | Whole packet

[The ratings in the general security, network layer protection, application layer protection and performance columns were graphical on the original slide and are not recoverable from the extracted text.]

Trend of Firewalls
1 Software firewall: an application program installed on a PC, such as CheckPoint and Symantec.
2 Software-hardware firewall: PC + general-purpose OS + firewall program module, i.e. Linux, FreeBSD or Solaris with firewall software running on top of it on a hardware platform. Because it relies on a shared system bus, interfaces and CPU and, what is more, ordinary Ethernet cards, firewall performance cannot be increased greatly; it does not differ much from the previous type.
3 Hardware firewall: an independent hardware architecture with an optimized design of CPU, power supply, fans, PCI bus and expansion slots. Generally designed on the basis of ASIC, NP or FPGA to guarantee the best performance and reliability.

Software firewall => Software-hardware firewall => Hardware firewall

Chapter 2 Zone concepts

Issues about zones

A zone is a concept unique to firewalls compared with routers: a zone combines a set of interfaces.
A zone is only a concept; it does not indicate the real nature of the PCs or devices placed into it (trust or untrust etc.).
Zone priority is used only to make it convenient to define the direction of data streams between zones (interzone).

Security Zone

[Figure: the security zones around the firewall: Local zone, Trust zone (internal networks), DMZ zone and Untrust zone (external networks).]

Security Zone (cont.)

[Figure: zones with their member interfaces: DMZ zone, a self-named (user-defined) zone, Local zone, Untrust zone (external networks) and Trust zone (internal networks); Interface1 to Interface5 are each assigned to one zone.]

Parameters related to zone

Each zone has a priority value, which is used to define the direction of data streams between zones; it does not refer to reliability. By default, the local, trust, DMZ and untrust zones have priority values of 100, 85, 50 and 5 respectively.

Parameters related to zone (cont.)

The direction of data flow from a higher-priority zone to a lower-priority zone is defined as outbound.
The direction of data flow from a lower-priority zone to a higher-priority zone is defined as inbound.

Parameters related to zone (cont.)

[Figure: a Eudemon with interfaces Eth0/0/0, Eth1/0/0 and Eth2/0/0 connecting the Local zone, the Trust zone (internal network), the Untrust zone (external network) and the DMZ (servers); each arrow between two zones is marked inbound or outbound according to the zone priorities.]
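The priority and direction rules above, as an added example that is not code from the slides or from the Eudemon product: a small Python model that classifies traffic between two zones as inbound or outbound from their priorities, adds a self-named zone, and uses the resulting interzone pair plus direction to look up a policy entry. The zone names and default priorities are the slides' own; the `partner` zone, the sample policy table and deny-by-default for unlisted interzones are constructed assumptions of the example.

```python
"""Zone priorities and interzone direction, modelled on the zone rules in the slides."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Default priorities stated on the slides: local 100, trust 85, DMZ 50, untrust 5.
DEFAULT_ZONE_PRIORITY: Dict[str, int] = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


@dataclass(frozen=True)
class Interzone:
    high: str        # higher-priority zone of the pair
    low: str         # lower-priority zone of the pair
    direction: str   # "outbound" (high -> low) or "inbound" (low -> high)


def flow_direction(src_zone: str, dst_zone: str,
                   priorities: Dict[str, int] = DEFAULT_ZONE_PRIORITY) -> Interzone:
    """Classify traffic from src_zone to dst_zone as inbound or outbound.

    The slides define: higher priority -> lower priority is outbound, lower -> higher is inbound.
    Same-zone traffic has no interzone direction, and this model (an assumption of the
    example, not a rule quoted from the slides) also rejects two zones with equal
    priority because the direction would be undefined.
    """
    src, dst = src_zone.lower(), dst_zone.lower()
    for name in (src, dst):
        if name not in priorities:
            raise KeyError(f"unknown zone {name!r}")
    if src == dst:
        raise ValueError(f"traffic inside zone {src!r} is intrazone, not interzone")
    p_src, p_dst = priorities[src], priorities[dst]
    if p_src == p_dst:
        raise ValueError(f"zones {src!r} and {dst!r} share priority {p_src}; direction undefined")
    if p_src > p_dst:
        return Interzone(high=src, low=dst, direction="outbound")
    return Interzone(high=dst, low=src, direction="inbound")


def add_zone(priorities: Dict[str, int], name: str, priority: int) -> Dict[str, int]:
    """Return a copy of the priority table with a self-named zone added.

    Priorities are kept unique so that every interzone pair has a well-defined direction.
    """
    key = name.lower()
    if key in priorities:
        raise ValueError(f"zone {name!r} already exists")
    if priority in priorities.values():
        raise ValueError(f"priority {priority} is already used by another zone")
    table = dict(priorities)
    table[key] = priority
    return table


# Interzone policy table keyed by (higher zone, lower zone, direction) -> "permit" or "deny".
PolicyTable = Dict[Tuple[str, str, str], str]


def lookup_policy(policies: PolicyTable, src_zone: str, dst_zone: str,
                  priorities: Dict[str, int] = DEFAULT_ZONE_PRIORITY,
                  default: str = "deny") -> str:
    """Resolve the policy for a flow: the interzone pair and its direction select the entry.

    Unlisted interzone directions fall back to `default`; deny-by-default is this
    example's choice, not a default stated on the slides.
    """
    iz = flow_direction(src_zone, dst_zone, priorities)
    return policies.get((iz.high, iz.low, iz.direction), default)


# Constructed policy: internal users may go out to the Internet and to the DMZ,
# the Internet may only reach the DMZ.
SAMPLE_POLICY: PolicyTable = {
    ("trust", "untrust", "outbound"): "permit",
    ("dmz", "untrust", "inbound"): "permit",
    ("trust", "dmz", "outbound"): "permit",
}

if __name__ == "__main__":
    for s, d in [("trust", "untrust"), ("untrust", "dmz"), ("untrust", "trust"), ("dmz", "trust")]:
        iz = flow_direction(s, d)
        print(f"{s:>7} -> {d:<7}: {iz.direction:<8} (interzone {iz.high}-{iz.low}) "
              f"-> {lookup_policy(SAMPLE_POLICY, s, d)}")
```

Because the policy key is the unordered zone pair plus a direction, the same table entry is found whether the administrator thinks of the flow as "trust to untrust" or "untrust interzone, outbound", which is how the slides describe interzone policy.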


Chapter 3 Basic function and features, working mode
3.1 Basic function
3.2 Working mode
3.3 Log function

What Functions Can a Firewall Provide?

The firewall provides the only channel for data flowing from one zone to another, and it provides the functions of permitting, denying, supervising and logging that data according to the security policy designed by the administrators.

Access Control List

Matching rules: an access rule can match by
  source IP address
  destination IP address
  source port number
  destination port number
  time range
  protocol
  MAC address
  user

Example rule list shown on the slide:
  list 192.168.1.3 to 202.2.33.2
  nat 192.168.3.0 to any pass
  202.1.2.3 to 192.168.1.3 block
  default pass
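The matching criteria and the example rule list above, as an added Python example that is not the slides' or the Eudemon firewall's own code: a first-match ACL evaluator supporting every criterion the slide lists (source and destination address, source and destination port, protocol, time range, MAC address, user), with the slide's "nat 192.168.3.0 to any pass", "202.1.2.3 to 192.168.1.3 block" and "default pass" rules as the sample rule set. Reading 192.168.3.0 as a /24 network, evaluating rules in listed order, and the added out-of-hours telnet rule are assumptions of the example.

```python
"""First-match ACL evaluator covering the match criteria listed on the slide."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_HHMM = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")   # zero-padded 24h clock, e.g. "08:00"


def hhmm(value: str) -> str:
    """Validate a wall-clock time string; zero-padded HH:MM strings compare correctly as text."""
    if not _HHMM.match(value):
        raise ValueError(f"time must be zero-padded HH:MM, got {value!r}")
    return value


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str = "tcp"              # "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None      # for MAC-based rules
    user: Optional[str] = None         # for user-based rules (an authenticated user name)
    at: Optional[str] = None           # wall-clock time "HH:MM" of the packet, for time-range rules


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    src: str = "any"                              # host, CIDR network, or "any"
    dst: str = "any"
    protocol: Optional[str] = None
    src_ports: Optional[Tuple[int, int]] = None   # inclusive port range
    dst_ports: Optional[Tuple[int, int]] = None
    time_range: Optional[Tuple[str, str]] = None  # ("HH:MM", "HH:MM"), may wrap past midnight
    src_mac: Optional[str] = None
    user: Optional[str] = None
    name: str = ""


def ip_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_match(rng: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    if rng is None:
        return True                     # the rule does not care about this port
    return port is not None and rng[0] <= port <= rng[1]


def time_match(rng: Optional[Tuple[str, str]], at: Optional[str]) -> bool:
    if rng is None:
        return True
    if at is None:
        return False                    # a time-range rule cannot match without a packet time
    start, end = hhmm(rng[0]), hhmm(rng[1])
    at = hhmm(at)
    if start <= end:
        return start <= at <= end
    return at >= start or at <= end     # range wrapping past midnight, e.g. 22:00-06:00


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_match(rule.src, pkt.src_ip)
            and ip_match(rule.dst, pkt.dst_ip)
            and (rule.protocol is None or rule.protocol.lower() == pkt.protocol.lower())
            and port_match(rule.src_ports, pkt.src_port)
            and port_match(rule.dst_ports, pkt.dst_port)
            and (rule.src_mac is None or rule.src_mac.lower() == (pkt.src_mac or "").lower())
            and (rule.user is None or rule.user == pkt.user)
            and time_match(rule.time_range, pkt.at))


def evaluate(acl: List[Rule], pkt: Packet, default: str = "pass") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else (default, "default")."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# Rule list modelled on the slide's example. "192.168.3.0" is read as the /24 network and the
# block rule precedes the default (assumptions); the out-of-hours telnet rule is constructed.
SLIDE_ACL: List[Rule] = [
    Rule("pass", src="192.168.3.0/24", dst="any", name="nat 192.168.3.0 to any pass"),
    Rule("block", src="202.1.2.3", dst="192.168.1.3", name="202.1.2.3 to 192.168.1.3 block"),
    Rule("block", dst="192.168.1.3", protocol="tcp", dst_ports=(23, 23),
         time_range=("18:00", "08:00"), name="no telnet to 192.168.1.3 out of hours"),
]

if __name__ == "__main__":
    for p in [Packet("202.1.2.3", "192.168.1.3", "tcp", 40000, 80),
              Packet("192.168.3.7", "202.2.33.2", "udp", 5000, 53),
              Packet("10.9.9.9", "192.168.1.3", "tcp", 40001, 23, at="02:30"),
              Packet("10.9.9.9", "192.168.1.3", "tcp", 40001, 23, at="12:00")]:
        print(p.src_ip, "->", p.dst_ip, evaluate(SLIDE_ACL, p))
```

The `default` argument reproduces the slide's "default pass"; passing `default="block"` turns the same rule list into a deny-by-default policy, and the difference shows up only for traffic no listed rule describes.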

Cooperation with IDS

[Figure: the IDS recognizes an intrusion from the hacker against the protected networks and sends an announcement packet to the firewall; the firewall authenticates the packet and acts on it, sending a response that disconnects the link or an alarm packet.]

Cooperation with Virus Server

[Figure: received data is handed to the virus server, which inspects it for viruses and recovers (cleans) the file before the data is sent on.]

Binding IP and MAC

After host A's IP address and MAC address are bound on the firewall, the firewall permits host A to access the Internet, and host B cannot impersonate host A to access the Internet.

Support trunk

[Figure: the firewall sits between Switch1 and Switch2 on trunk links; the firewall does not work in this topology without the trunk (VLAN trunk) function.]

Authentication by a third-party server

Supports third-party RADIUS servers
Supports HWTACACS

[Figure: authentication requests from the firewall to a RADIUS server.]

New requirements for firewalls

Huawei carrier-class hardware firewalls support MB and GB processing units. With excellent performance and an advanced security architecture, Eudemon provides strong and powerful security protection for customer networks, and it is one of the important and necessary parts of the i3 SAFE concept.

i3 SAFE
i: intelligence, integrated, individuality
3: network layer, space and time, three dimensions, End to End
SAFE: Safe Architecture for eNET

Requirements from increasing network size and traffic

Requirement: the firewall should provide powerful and steady performance when forwarding both large and small packets with a large number of ACL rules configured, as well as a large number of new parallel connections.

Applications of multimedia and NGN services

Requirement:
Must support multimedia and NGN networks
Must not become the bottleneck of the network being built; today the firewall often acts only as a NAT server.

Problem: firewalls based on ASIC are not suitable for new-generation service development.

Popularity of P2P services

Common P2P software: BitTorrent (BT), eMule/eDonkey, mp3 file exchange etc.
P2P downloading involves many connections (one BT download can hold more than 20 processes) and occupies huge amounts of bandwidth; most of the downloaded files are movies and music. This affects ordinary users of the network. It is estimated that around 70% of bandwidth is occupied by P2P.
Problem: some old-generation firewalls do not support QoS, or have very low-performance QoS control.

Reliability
Requirement: a firewall is generally placed at a key position in the network, so a failure causes extremely bad results, especially in an environment carrying multiple services (e.g. NGN). The firewall is therefore required to be highly reliable, with a redundant power supply system, hot plug-in of interface modules, power supply modules and fans, and a reliable hot standby system.
Problem: some old-generation firewalls do not support redundant power supplies or hot plug-in.

Requirement of worm virus defense

Requirement: nowadays the worst threat to the Internet is the worm virus. It has many variants, from Code Red and MSBlast up to Big, NetSky etc., and each such outbreak can cause millions of dollars of economic loss. A worm starts a great many connections from infected hosts and occupies huge amounts of network resources. The firewall should support a dynamic virus defense function, inspect suspect hosts and reduce the scale of the worm's activity.
Problem: the majority of firewalls in networks cannot defend well against worm viruses or control their spread.

3.2 Working mode

Transparent mode

[Figure: the firewall is inserted between the internal network and the Internet within the same segment; no IP address needs to be configured on either firewall interface, and the hosts of the internal network do not need to be reconfigured.]

Routing mode

[Figure: the firewall between the internal network and the Internet provides a simple routing function, similar to a router.]

Hybrid mode

[Figure: hosts on different segments need routing through the firewall; hosts on the same segment communicate without routing.]

Hybrid mode (cont.)

[Figure: EudemonA (master) with interfaces A1, A2, A3 and A4 and EudemonB (backup) with interfaces B1, B2, B3 and B4, connected through LAN switches (S) and a hub across the Trust, DMZ and Untrust zones; physical links and data channels are drawn separately. A1, A2, A3 are interfaces on EudemonA; B1, B2, B3 are interfaces on EudemonB; S is a LAN switch.]

Difference of Working Modes

                      | Transparent mode              | Routing mode                 | Hybrid mode
----------------------+-------------------------------+------------------------------+-------------------------------
Usage occasion        | Routing not needed; placed    | Routing is required          | Typical usage is HRP under
                      | between CE and PE             |                              | transparent mode
Resource consumption  | Runs at layer 2; little       | Runs at layer 3; heavy       | Between the previous two
                      | resource consumption          | resource consumption         |

Remarks: Eudemon equipment runs in routing mode by default.

3.3 Log function

Log analysis
1, No log
2, Communication log: the traditional log. Records source IP address, destination IP address, source port number, destination port number, link duration, protocol, and permit or deny.
3, Application layer command log: records not only the communication log but also the commands and parameters of the application layer, e.g. HTTP requests and websites.
4, Access log: records not only the communication log but also the server resources that subscribers have accessed. The difference between the access log and the application layer command log is that the latter can save a large amount of data the administrator may not need, e.g. the negotiation of parameters, whereas the access log saves only the read or write actions on files in the FTP service.
5, Content log: records not only the application layer command log but also the transmitted content, e.g. the e-mail or websites a subscriber has sent or accessed. Not all firewall products provide this kind of log, because it touches on users' privacy to some extent.
6, Log analysis tools: automatically produce tables for the administrator and point out possible vulnerabilities in the network.
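The communication log fields listed under item 2 above, and the worm-defense requirement earlier in this chapter (a worm starts a great many connections from an infected host), as one added Python example that is not taken from the slides or from Eudemon: it parses a constructed communication-log line format carrying exactly those fields, counts denied attempts per source, and flags sources whose connections fan out to many distinct destinations within a short window, which is the footprint the worm requirement describes. The line format, the sample log and the thresholds are constructed assumptions, not Eudemon's log format.

```python
"""Parsing firewall communication logs and flagging worm-like connection fan-out."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed line format carrying the fields the slide lists for a communication log
# (source/destination IP, source/destination port, link duration, protocol, permit/deny).
# It is an assumption of this example, not a Eudemon log format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) proto=(?P<proto>\w+) "
    r"duration=(?P<duration>\d+) action=(?P<action>permit|deny)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one communication-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    for key in ("sport", "dport", "duration"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text: str) -> List[dict]:
    """Parse a whole log, skipping malformed lines."""
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec is not None]


def deny_counts(records: List[dict]) -> Dict[str, int]:
    """Denied connection attempts per source address."""
    return dict(Counter(r["src"] for r in records if r["action"] == "deny"))


def find_fanout_sources(records: List[dict], window_seconds: int = 60,
                        min_targets: int = 20) -> Dict[str, int]:
    """Flag sources reaching at least min_targets distinct (dst, dport) pairs within the window.

    A worm-infected host opens connections to many hosts on the same service port in a
    short time; a sliding window over each source's connections catches that burst.
    Returns {source: peak number of distinct targets seen in any one window}.
    """
    window = timedelta(seconds=window_seconds)
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    flagged: Dict[str, int] = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1                      # slide the window forward in time
            targets = {(r["dst"], r["dport"]) for r in recs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def build_sample_log() -> str:
    """Constructed sample: an ordinary host, a host sweeping 25 neighbours, a denied outsider."""
    base = datetime(2004, 6, 1, 10, 0, 0)
    fmt = ("{ts:%Y-%m-%d %H:%M:%S} src={src} dst={dst} sport={sport} dport={dport} "
           "proto={proto} duration={dur} action={act}")
    lines = []
    for i, (dst, dport) in enumerate([("202.2.33.2", 80), ("202.2.33.2", 443), ("202.1.2.9", 25)]):
        lines.append(fmt.format(ts=base + timedelta(minutes=i), src="192.168.1.10", dst=dst,
                                sport=3000 + i, dport=dport, proto="tcp", dur=12, act="permit"))
    for i in range(25):                         # one connection per second to 25 different hosts
        lines.append(fmt.format(ts=base + timedelta(minutes=5, seconds=i), src="192.168.1.77",
                                dst=f"192.168.2.{i + 1}", sport=4000 + i, dport=445,
                                proto="tcp", dur=0, act="permit"))
    for i in range(3):
        lines.append(fmt.format(ts=base + timedelta(minutes=9, seconds=i), src="202.1.2.3",
                                dst="192.168.1.3", sport=5000 + i, dport=23, proto="tcp",
                                dur=0, act="deny"))
    lines.append("this line is not a communication log entry")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records parsed")
    print("denies per source:", deny_counts(recs))
    print("fan-out sources:", find_fanout_sources(recs))
```

The window and target thresholds are the knobs an operator tunes against the network's normal behaviour; a mail relay or a monitoring station legitimately reaches many hosts, so the output is a list of hosts to inspect, as the slide's requirement puts it, not a verdict.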

[Figures: for each log type (communication log, application layer command log, access log, content log), a client sends a request to www.huawei.com through the firewall and receives a response; each figure marks the point in the exchange at which that type of log is recorded.]

Eudemon log function

Eudemon firewalls provide a SYSLOG function as well as a binary log format. Because a very large number of connections are established on the firewall, the binary log format can record more information than SYSLOG, mainly about connection start/stop and the NAT private address/public address/destination address.
Eudemon performance is affected once the binary log format is enabled.

Chapter 4 Test performance parameters

Throughput, TCP Goodput

Throughput: the maximum data stream the firewall can process at one time. Usually people judge firewall performance by testing with 1K to 1.5K-byte packets; however, the vast majority of packets passing through a firewall are around 100 bytes long. It is therefore more useful and important to test the firewall's ability to forward small packets, and it is better to do so with a great many ACL rules configured. One difference from a router is that a router's throughput figure is tested with small packets.
TCP Goodput: the valid data stream the firewall processes, excluding lost packets and timed-out TCP connections. It is defined as the valid transmission rate per second and can also be calculated as file size (bytes) over transmission time (s).

Latency
Definition: the time interval from the last bit entering at the ingress to the first bit leaving at the egress.
Scale: latency is used to determine how fast the firewall processes data.

[Figure: Smartbits 6000B test: the time interval is measured between the last bit entering and the first bit leaving; a packet arriving late is forwarded after it has been checked in the queue.]

Packet Loss Ratio

Definition: under steady load, the percentage of packets the firewall fails to forward because of limited processing resources.
Packet loss ratio = (1000 - 800) / 1000 = 20%

[Figure: the Smartbits 6000B sends 1000 packets; the firewall forwards 800.]

Number of parallel connections

Definition: the maximum number of connections between hosts and servers through the firewall, or between hosts and the firewall, that can be established at one time.
This parameter is used to determine the maximum number of connections between hosts and servers.

[Figure: parallel connections through the firewall.]

Number of new parallel connections

Definition: the maximum number of new connections between hosts and servers through the firewall, or between hosts and the firewall, that can be established in one second.
This parameter is used to determine the real-time responsiveness to data.

[Figure: new parallel connections per second through the firewall.]
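The parameters defined in this chapter (throughput and its small-packet point, TCP goodput, packet loss ratio, number of parallel connections and number of new parallel connections), as one added Python example that is not from the slides or from any Huawei test tool: it computes the frame rate a link carries at each frame size (which is why a 100-byte test is harder than a 1.5K one), the loss-ratio and goodput formulas the slides give, and the peak concurrent and peak per-second new connections from a constructed list of connection start and end times. The Ethernet wire-overhead constant is the standard figure; all sample numbers are constructed.

```python
"""Performance parameters from chapter 4, computed from constructed test-run figures."""
import math
from collections import Counter
from typing import Dict, Iterable, Sequence, Tuple

# Per-frame wire overhead on Ethernet: 8-byte preamble/SFD plus 12-byte inter-frame gap.
# Frame sizes below include the 14-byte header and 4-byte FCS, as a tester reports them.
ETHERNET_WIRE_OVERHEAD = 20


def frames_per_second(link_bps: float, frame_bytes: int) -> float:
    """Frames per second a link carries at line rate for one frame size."""
    if frame_bytes <= 0 or link_bps <= 0:
        raise ValueError("link rate and frame size must be positive")
    return link_bps / (8 * (frame_bytes + ETHERNET_WIRE_OVERHEAD))


def line_rate_table(link_bps: float, sizes: Iterable[int] = (64, 100, 1024, 1518)) -> Dict[int, float]:
    """Why small-packet tests matter: the same bit rate means far more frames per second."""
    return {s: frames_per_second(link_bps, s) for s in sizes}


def packet_loss_ratio(sent: int, forwarded: int) -> float:
    """(sent - forwarded) / sent under steady load; 1000 sent and 800 forwarded gives 0.2."""
    if sent <= 0 or forwarded < 0 or forwarded > sent:
        raise ValueError("need sent > 0 and 0 <= forwarded <= sent")
    return (sent - forwarded) / sent


def tcp_goodput_bytes_per_s(file_bytes: int, seconds: float) -> float:
    """Valid data rate: file size over transfer time, as the slide defines TCP goodput."""
    if seconds <= 0:
        raise ValueError("transfer time must be positive")
    return file_bytes / seconds


def max_concurrent(intervals: Sequence[Tuple[float, float]]) -> int:
    """Peak number of simultaneously open connections (sweep line over start/end events).

    A connection ending at time t releases its table entry before one starting at t counts.
    """
    events = []
    for start, end in intervals:
        if end < start:
            raise ValueError("connection ends before it starts")
        events.append((start, +1))
        events.append((end, -1))
    events.sort(key=lambda ev: (ev[0], ev[1]))   # at equal times -1 sorts before +1
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def peak_new_per_second(start_times: Sequence[float]) -> int:
    """Highest connection setup rate in any one-second bucket (new parallel connections)."""
    if not start_times:
        return 0
    return max(Counter(math.floor(t) for t in start_times).values())


if __name__ == "__main__":
    for size, pps in line_rate_table(1_000_000_000).items():
        print(f"{size:5d}-byte frames: {pps:12,.0f} frames/s at 1 Gbit/s")
    print("loss ratio:", packet_loss_ratio(1000, 800))
    print("goodput (bytes/s):", tcp_goodput_bytes_per_s(10_000_000, 8))
    conns = [(0.0, 10.0), (1.0, 5.0), (5.0, 7.0), (6.0, 12.0)]   # constructed (start, end) seconds
    print("max concurrent:", max_concurrent(conns),
          "peak new/s:", peak_new_per_second([s for s, _ in conns]))
```

The two connection functions separate the chapter's last two parameters: `max_concurrent` is the size the connection state table must hold, while `peak_new_per_second` is the setup rate the firewall must sustain, and a device can be strong on one and weak on the other.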

Summary
Advanced architecture based on NP, high reliability, excellent performance
Routing mode, transparent mode, hybrid mode
ASPF built in: complete detection based on state inspection
Powerful NAT and ALG
Reliable defense against a variety of attacks
High-efficiency ACL filtering
Powerful traffic supervision and limiting, especially P2P traffic control
Highly reliable power backup system, hot plug-in, hot redundancy protocol
Enhanced log function: binary format

Chapter 5 Typical cases and essential limitations

Typical use in bank networks

[Figure: firewall deployment: the headquarters connected over DDN/FR to regional branches A and B and city branches A and B.]

Typical use in company networks

[Figure: firewall deployment: the headquarters and branches connected over DDN/FR, each site with authentication, authorization and accounting.]

Typical use in telecommunication networks

[Figure: firewall deployment: branches connected over DDN and to the Internet; the firewall stops the threats shown (cracker, virus, unauthorized access, "unique code").]

Limitations
Cannot provide timely inspection of and recovery from a new vulnerability or intrusion
Difficult to manage: it is easy to get a security zone wrong, and impossible to respond in real time in emergency situations
Performance and stability restrict its use under massive load
Cannot disable the ports that provide external services

Questions
What kind of zones we can configure on firewall?
What are their priority respectively?
What are the basic functions of firewall?


Thank You
www.huawei.com
