A close look at firewall technology


Introduction to firewall technology

Network security overview

With the spread of network technology, attacks over the Internet are becoming more and more frequent. Using the many attack tools available, even a beginner with general computer knowledge can carry out an attack over the network. The spread of network viruses further increases the risk of a network being attacked. At present, the common security threats on the Internet can be divided into the following categories.

Illegal use:

Resources are used by unauthorized users (illegal users) or in an unauthorized manner (illegal privileges). For example, an attacker guesses an account and password combination in order to enter the computer system and use its resources illegally.

Denial of service:

The server refuses legitimate users' requests to access information or resources normally. For example, an attacker sends a large number of packets, or malformed packets, to the server in a short period of time to initiate connections or request responses; the server becomes overloaded and can no longer handle legitimate tasks.

Information theft:

The attacker does not attack the target system directly, but taps the network to obtain important data or information.

Data tampering:

The attacker selectively modifies, deletes, delays or reorders system data or message flows, or inserts forged messages, so that the consistency of the data is destroyed.

Therefore:
  • Network security is a practical problem that the Internet has to face

  • Network security is a comprehensive technology

  • Network security has two meanings:

    • ensuring the security of the internal LAN (that it is not intruded upon)

    • protecting the security of data exchanged with the outside world

  • Network security technology needs to be constantly improved and updated

The scope of network security concerns

For the manager in charge of network security, the main concerns are (but are not limited to) the following 8 areas:
1) Protecting the physical lines of the network from being easily attacked
2) Effectively identifying legitimate and illegitimate users (AAA)
3) Implementing effective access control (ACL)
4) Ensuring the concealment of the internal network (NAT)
5) Effective anti-forgery means and protection of important data (***)
6) Security management of network devices and network topology (centralized firewall management)
7) Virus prevention (intelligent worm prevention)
8) Raising security awareness

Classification of network security devices

In order to achieve the goals of network security effectively, network security manufacturers have produced the following security devices:
1) Firewalls
2) VPN private secure channel devices
3) IPS/IDS intrusion prevention / detection devices
4) Anti-virus gateways ("anti-virus walls")
5) Data leak prevention devices ("waterproof walls")
6) UTM (Unified Threat Management) devices
7) Network management applications
8) Content filtering
9) Spam filtering
10) Web filtering
11) Gatekeepers (network isolation gap devices)
and other equipment. With the rapid development of network security technology, new network security devices keep appearing one after another.

The necessary technologies of a firewall

In view of the various security risks present in the network, a firewall must have the following security features:

1) Network isolation and access control:
It must effectively prevent public-facing servers from being used by attackers as a springboard to control the intranet.

2) Attack defense:
It must protect the network from attacks on servers and on the internal network.

3) Address translation:
Besides solving the shortage of network addresses, it allows the internal network to access the external network while hiding internal network addresses and special servers.

4) Application layer state monitoring:
It can enforce one-way access.

5) Identity authentication:
It ensures that resources cannot be used by unauthorized users (illegal users) or in an unauthorized manner (illegal privileges). For example, an attacker guesses an account and password combination and enters the computer system to use its resources illegally.

6) Content filtering:
It can block access from the internal network to illegal or pornographic websites, and stop the leakage of confidential documents sent by e-mail.

7) Security management:
This mainly refers to log auditing and centralized management of the firewall.

Network isolation and access control

The main function of a firewall is to realize network isolation and access control.

From the perspective of security management, the firewall generally divides itself into different security zones; by attaching ports and network devices to different zones, network isolation is achieved:

1) Untrusted zone: usually refers to the Internet; the main attacks all come from this zone.

2) Trusted zone: generally refers to the intranet; this zone is controllable.

3) DMZ zone: the zone where public servers are placed. In general, this zone is accessible from the outside but does not initiate access to external resources.

Firewalls usually use ACLs (access control lists) and ASPF (application layer stateful packet filtering) to achieve access control.

Chart 1-1 uses a typical real-world network to show a LAN connected to the Internet through a firewall; the e-mail server is placed in the DMZ and accepts access from both inside and outside. The figure illustrates the network isolation and access control functions realized by the firewall.
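As an added illustration of the zone model in chart 1-1 (example code written for this page, not H3C's configuration language), the policy below maps addresses to the trust, DMZ and untrust zones and evaluates inter-zone rules first-match-wins, denying anything that matches no rule; the address ranges and the SMTP/POP3 ports are assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Hypothetical internal addressing; any other address is in the untrust zone.
ZONE_OF_NETWORK = {
    ip_network("10.0.0.0/8"): "trust",
    ip_network("192.168.100.0/24"): "dmz",
}

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for net, zone in ZONE_OF_NETWORK.items():
        if ip in net:
            return zone
    return "untrust"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str               # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]     # None matches any destination port
    action: str              # "permit" or "deny"

# Chart 1-1 policy: the DMZ mail server accepts SMTP from the Internet and the
# intranet (plus POP3 from the intranet); the intranet may reach the Internet;
# the DMZ never initiates; nothing from outside reaches the intranet uninvited.
POLICY = [
    Rule("untrust", "dmz", "tcp", 25, "permit"),
    Rule("trust", "dmz", "tcp", 25, "permit"),
    Rule("trust", "dmz", "tcp", 110, "permit"),
    Rule("trust", "untrust", "any", None, "permit"),
    Rule("dmz", "untrust", "any", None, "deny"),
    Rule("dmz", "trust", "any", None, "deny"),
    Rule("untrust", "trust", "any", None, "deny"),
]

def decide(src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """First matching rule wins; unmatched inter-zone traffic is denied."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "permit"           # intra-zone traffic is not filtered here
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != (sz, dz):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"
```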


Attack defense

Firewalls focus on border security, so a typical firewall provides a rich set of attack defense features:

1) DoS (denial of service) attack prevention

This includes detecting DoS attacks such as ICMP Flood, UDP Flood, SYN Flood and fragmentation attacks, discarding the attack packets and protecting the hosts inside the network from harm.

2) Prevention of common network layer attacks

Firewalls should generally be able to detect common network layer attacks such as IP address spoofing, WinNuke, Land and Teardrop, and actively discover and drop the offending packets.

WinNuke, also known as the "blue bomb", causes the Windows operating system of the user you are communicating with to crash or terminate suddenly. The "blue bomb" is actually an out-of-band (OOB) network packet that contains information the operating system cannot process, which causes the operating system to crash or terminate prematurely.

A Land attack sends packets to a machine whose source and destination addresses and ports are identical. The result is usually a crash of the vulnerable machine.

Teardrop-class attacks exploit a vulnerability in the reassembly of fragmented UDP packets with overlapping offsets (suppose the offset of the second IP fragment is less than the end of the first fragment, and the data in the second fragment does not extend beyond the tail of the first; this is the overlap). They cause a denial of service on the host, and finally the host crashes.

3) Prevention of malformed packets

Some malformed packets, such as oversized ICMP packets, illegal fragments and TCP packets with conflicting flags, can cause considerable harm; the firewall should be able to recognize these packets.

4) ICMP redirect and ICMP unreachable messages, which carry potential security risks, should be able to be filtered or disabled.
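The checks listed above, written out as detection logic over constructed packets (an added example for this page, not vendor code): the packet fields, the internal address ranges, the ICMP size threshold and the set of filtered ICMP types are all assumptions, and the fragment check flags the Teardrop-style overlap described above regardless of which fragment is the short one.

```python
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]  # assumed
MAX_ICMP_LEN = 1024                 # assumed threshold for "oversized ICMP"
FILTERED_ICMP_TYPES = {3, 5}        # unreachable and redirect, per policy
SYN, FIN, RST = 0x02, 0x01, 0x04    # TCP flag bits

def check_packet(pkt: dict) -> list:
    """Return the anomalies found in one packet (an empty list means clean).
    pkt keys: ingress, proto, src, dst, and optionally sport, dport, len,
    flags (TCP flag bits) and type (ICMP type)."""
    found = []
    # IP spoofing: an internal source address arriving from the Internet side.
    if pkt["ingress"] == "untrust" and any(ip_address(pkt["src"]) in n for n in INTERNAL):
        found.append("spoofed-source")
    # Land: identical source/destination address and port.
    if pkt["proto"] in ("tcp", "udp") and pkt["src"] == pkt["dst"] \
            and pkt.get("sport") == pkt.get("dport"):
        found.append("land")
    if pkt["proto"] == "icmp":
        if pkt.get("len", 0) > MAX_ICMP_LEN:
            found.append("oversized-icmp")
        if pkt.get("type") in FILTERED_ICMP_TYPES:
            found.append("filtered-icmp-type")
    if pkt["proto"] == "tcp":
        f = pkt.get("flags", 0)
        # No flags at all, or SYN together with FIN/RST, never occurs legitimately.
        if f == 0 or (f & SYN and f & FIN) or (f & SYN and f & RST):
            found.append("bad-tcp-flags")
    return found

def overlapping_fragments(frags: list) -> bool:
    """frags: (offset, length) pairs of one datagram in any order. True when a
    fragment starts before the previous one ends (the Teardrop overlap)."""
    end = 0
    for offset, length in sorted(frags):
        if offset < end:
            return True
        end = offset + length
    return False
```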

Address translation (NAT)
  • Address translation exists because of the shortage of IP addresses.

  • There are many hosts in a LAN, but there is no guarantee that every host has a legal IP address; to allow all internal hosts to connect to the Internet, address translation can be used.

  • Address translation can effectively hide the hosts in the internal LAN, so it is also an effective network security protection technology.

  • According to the user's needs, address translation can also expose FTP, WWW and Telnet services inside the LAN to the outside.

Like routers, firewalls must have a NAT address translation function, so the NAT implementation must provide the following:

  1. Support for NAT/PAT and for address pools;

  2. Support for policy NAT, performing different NAT according to different policies;

  3. Support for NAT server mode, which can map out internal servers;

  4. A port-level NAT server mode, which maps only a given port of the server to an external port instead of opening all of the server's ports, increasing server security.

  5. Support for multiple ALGs, including H323/MGCP/SIP/H248/RTSP/HWCC, as well as protocols such as ICMP, FTP, DNS, PPTP, NBT and ILS.
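An added example (written for this page, not H3C code) of two of the NAT behaviours listed above: dynamic PAT from an address pool for outbound connections, and a port-level NAT server mapping that publishes only port 25 of an internal mail server, so that inbound packets to any other port, or to an unknown PAT binding, are dropped. All addresses and ports are illustrative.

```python
from itertools import count

POOL = ["203.0.113.10"]                                       # assumed public pool
NAT_SERVER = {("203.0.113.11", 25): ("192.168.100.10", 25)}   # port-level mapping

class Nat:
    def __init__(self):
        self.sessions = {}        # (priv_ip, priv_port) -> (pub_ip, pub_port)
        self.reverse = {}         # (pub_ip, pub_port) -> (priv_ip, priv_port)
        self.next_port = count(10000)   # PAT port allocator (no reuse)

    def outbound(self, src_ip, src_port):
        """Translate an internal source; an existing binding is reused."""
        key = (src_ip, src_port)
        if key not in self.sessions:
            pub = (POOL[0], next(self.next_port))
            self.sessions[key] = pub
            self.reverse[pub] = key
        return self.sessions[key]

    def inbound(self, dst_ip, dst_port):
        """Translate a packet from the Internet; None means drop.
        Only published server ports and replies to PAT sessions get through,
        so the internal addressing stays hidden."""
        if (dst_ip, dst_port) in NAT_SERVER:
            return NAT_SERVER[(dst_ip, dst_port)]
        return self.reverse.get((dst_ip, dst_port))
```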

Application layer stateful packet filtering (ASPF)

ASPF (Application Specific Packet Filter) is packet filtering at the application layer, that is, state-based packet filtering. It works together with ordinary static packet filtering to help enforce the internal network security policy. ASPF detects the application layer protocol session information of traffic attempting to pass through the firewall and discards packets that do not conform to the rules.

To protect network security, ordinary ACL-based packet filtering can inspect packets at the network and transport layers to prevent illegal attacks. ASPF, in addition, can inspect application layer protocol information and monitor application traffic.

The ASPF of H3C's SecPath firewall, as an improved stateful inspection security technology, supports detection of multiple application protocols, including H323/MGCP/SIP/H248/RTSP/HWCC, as well as ICMP, FTP, DNS, PPTP, NBT, ILS, HTTP, SMTP and others. It also supports filtering of ActiveX and Java Applets in HTTP.
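To show what state-based filtering adds over a static ACL, here is an added example (written for this page, not H3C's ASPF implementation) of a filter that admits untrust-to-trust packets only when they belong to a session the intranet opened, and that inspects the FTP control channel for the client's PORT command so the server's data connection can be admitted through a one-shot pinhole; addresses, ports and the packet representation are assumptions.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2" on the FTP control channel (RFC 959 syntax).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.M)

class Aspf:
    def __init__(self):
        self.sessions = set()   # (src, sport, dst, dport, proto) opened from trust
        self.pinholes = set()   # (server_ip, client_ip, client_port) for FTP data

    def packet(self, direction, proto, src, sport, dst, dport, payload=b""):
        """Return True if the packet is forwarded."""
        if direction == "out":                 # trust -> untrust: record session
            self.sessions.add((src, sport, dst, dport, proto))
            if proto == "tcp" and dport == 21:
                self._inspect_ftp(src, dst, payload)
            return True
        # untrust -> trust: must be a reply to a known session ...
        if (dst, dport, src, sport, proto) in self.sessions:
            return True
        # ... or the FTP server's data connection announced by PORT.
        if proto == "tcp" and sport == 20 and (src, dst, dport) in self.pinholes:
            self.pinholes.discard((src, dst, dport))      # pinhole is one-shot
            self.sessions.add((dst, dport, src, sport, proto))  # rest of flow
            return True
        return False

    def _inspect_ftp(self, client, server, payload):
        for m in PORT_RE.finditer(payload.decode("ascii", "replace")):
            h1, h2, h3, h4, p1, p2 = map(int, m.groups())
            if f"{h1}.{h2}.{h3}.{h4}" != client:   # ignore third-party addresses
                continue
            self.pinholes.add((server, client, p1 * 256 + p2))
```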


Identity authentication

With the development of the Internet, more and more people are trying to trade online. However, malicious threats such as viruses, attackers and phishing bring great challenges to the security of online transactions.

Endless cybercrime has caused a crisis of trust in network identities; how to prove "who am I?" and how to prevent identity forgery have become the focus of attention.

In the world of computers and the Internet, identity authentication is one of the most basic elements and the basis of the whole information security system. How to confirm a visitor's true identity? How to keep a visitor's physical identity and digital identity consistent? How to transmit information securely during communication? These are problems that most companies with networks have been hoping to solve.

The H3C SecPath series firewall supports RADIUS server authentication and local authentication.

The authentication form can be:

  • PPPoE authentication: generally used to control the intranet's access to the outside; a client is required, and after authentication the user can access the Internet.

  • L2TP authentication: mainly used for VPN applications; external mobile office users need to be authenticated when accessing the internal network.

Content filtering

The development of the Internet promotes the sharing and exchange of information. To improve employees' work efficiency and information lookup, enterprises and other organizations give employees external HTTP access. But the Internet is flooded with information; how to let employees go online effectively while preventing bad information from entering the internal network is a problem the administrator must solve.

The H3C SecPath firewall provides access control for application protocols: through its ASPF feature, it analyzes the protocol at the application layer and realizes content filtering of the application protocol. The SecPath firewall's HTTP protocol filtering function provides HTTP website filtering and web content filtering, which can effectively manage employees' online behavior, improve work efficiency, save egress bandwidth, guarantee normal data flow and block all kinds of "junk" information, so as to ensure a "green environment" inside the network.

Users can configure the list of URLs to be filtered; the URL filter list can be saved in a file in flash. The format of the filter list in the website filtering file is:
www.sina.com.cn, www.sohu.com.cn, www.google.com

For each web address you can decide whether to forbid or allow access, and you can also specify the default action (allow or forbid) for URLs not found in the URL filter list, giving users maximum control flexibility.

To prevent the potential threat that executable code in web pages poses to the internal network, you can specify an HTTP detection policy that filters out Java Applets in HTTP messages from external servers. In addition, with the web content filtering function, by specifying text keywords for filtering web pages, it can be ensured that information containing user-specified content will not enter the internal network.

Web content filtering files are stored in flash; users can manage the filter vocabulary file, including adding, deleting and clearing filter keywords. Keyword filtering supports fuzzy matching, that is, keywords containing "*" may be added to the filter keyword file.

The format of the web content filter file is: violence, gambling.

Using the HTTP protocol filtering function, a secure, "green" Internet environment can be built for the internal network of an enterprise or government agency.
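The URL list and keyword file described above, as an added example (written for this page, not the SecPath implementation): each listed host carries an allow or deny action, unlisted hosts get the configured default action, and keyword entries may contain "*" for fuzzy matching. The sample lists and the word-level wildcard semantics are assumptions.

```python
import fnmatch
from urllib.parse import urlsplit

class HttpFilter:
    def __init__(self, url_rules, keywords, default="allow"):
        self.url_rules = url_rules    # {"www.sina.com.cn": "deny", ...}
        self.keywords = keywords      # ["violence", "gambl*", ...]
        self.default = default        # action for hosts not in the list

    def check_url(self, url):
        """Return 'allow' or 'deny' for the host part of a requested URL."""
        if "://" not in url:
            url = "http://" + url
        host = (urlsplit(url).hostname or "").lower()
        for entry, action in self.url_rules.items():
            e = entry.lower()
            # exact host, or the entry as a parent domain (news.sina.com.cn)
            if host == e or host.endswith("." + e):
                return action
        return self.default

    def check_content(self, text):
        """Return the first matching keyword, or None if the page is clean."""
        lowered = text.lower()
        words = lowered.split()
        for kw in self.keywords:
            kw = kw.lower()
            if "*" in kw:
                # fuzzy entry: wildcard matched against each word of the page
                if any(fnmatch.fnmatchcase(w, kw) for w in words):
                    return kw
            elif kw in lowered:
                return kw
        return None
```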

Security management

The security management described here refers to log management and auditing in the security process: unsafe behavior is discovered and tracked with the help of logs, and corrected according to the traces left in the logs.

The following log contents are mainly audited:

NAT/ASPF logs, attack defense logs, traffic monitoring logs, blacklist logs, address binding logs, e-mail filtering logs and URL / content filtering logs

Log formats can be divided into:
Syslog (system log) text-format logs (highly readable) and binary logs.
