What Is a Security Group?


A security group implements access control for ECSs within a security group and between different security groups. After a security group is created, you can create different access rules for the security group to protect the ECSs that are added to this security group.

Other related questions:
Definition of the security level of a security zone on the firewall
In a VPN instance, each security zone has a globally unique security priority. That is, two security zones with the same security priority do not exist in a VPN instance. The security level ranges from 1 to 100. A larger value indicates a higher security level. By default, the device has four security zones, and their security levels are as follows: 1. The Untrust zone is a security zone with a low security level, namely, 5. It is usually used to define insecure networks, such as the Internet. 2. The DMZ is a security zone with a medium security level, namely, 50. It is usually used to define the zone where the intranet server resides. Devices of this type are deployed on the intranet but frequently accessed from the extranet, causing large security risks. In addition, they are not allowed to proactively access the extranet. Therefore, they are deployed in a zone whose security level is lower than Trust but higher than Untrust. 3. The Trust zone is a security zone with a relatively high security level, namely, 85. It is usually used to define the zone where the intranet device users reside. 4. The Local zone is the security zone of the highest security level, namely, 100. A local zone is a device itself, including interfaces on the device. All packets constructed on and proactively sent from the device are regarded as from the Local area; those to be responded and processed by the device (including the packets to be detected or directly forwarded) are regarded as to the Local zone. Users cannot change Local zone configurations, for example, adding interfaces to the Local zone. You cannot delete a default security zone or reset its security level. You can also create security zones and define their security levels as required.

USG firewall security association
USG firewall security association What is security association (SA)? The IPSec SA is a unidirectional logical connection created for security purposes. The SA is bidirectional and requires an IPSec SA in each direction. The number of SAs depends on the security protocol. If either the AH or ESP is used to protect traffic between peers, two SAs, one in each direction, exist between the peers. If both the AH and the ESP are used, four SAs, two in each direction corresponding to the AH and the ESP, exist between the peers. Therefore, an IPSec SA is not equivalent to a connection. The IPSec SA is uniquely identified by a triplet. The triplet includes the following elements: Security Parameter Index (SPI) The SPI is a 32-bit value that is generated to uniquely identify an SA. The SPI is carried in the AH and ESP headers. The SPI, destination IP address, and security protocol number uniquely identify an IPSec SA. Destination IP address Security protocol number (AH or ESP) Creation mode The IPSec SA is classified into two types: SA that is manually created and SA that is created by means of IKE automatic negotiation (isakmp). Major differences between two types of SAs are as follows: Different key generation modes In manual mode, all parameters required by the IPSec SA, including encryption and verification keys, are manually configured or manually updated. In IKE mode, encryption and verification keys required by the IPSec SA are generated by the DH algorithm and can be dynamically updated. The key management cost is low and the security is high. Different IPSec SA lifetime In manual mode, once an IPSec SA is created, it permanently exists. In IKE mode, the IPSec SA establishment is triggered by the data flow, and the SA lifetime is controlled by lifetime parameters configured on both ends.

What Are the Functions of the Default Security Group Rule?

An inbound security group rule enables external access to ECSs in a security group, and an outbound security group rule enables ECSs in a security group to access external networks.

If no access rule is configured for a security group after an ECS is added to the security group, communication between the ECS and the external network is blocked.

The default inbound rule enables an ECS to be accessed by other ECSs in the same security group, and the default outbound rule enables ECSs in the security group to access external networks.

Security groups cannot resolve the problems caused by network faults or incorrect network configuration. For example, when two ECSs cannot communicate with each other due to a network problem, a security group rule will also not allow them to communicate.

GRE security options of the USG6000
To improve the GRE tunnel security, the GRE supports user-defined tunnel interface recognition keywords (or keys) and end-to-end check on packets encapsulated by the tunnel.

What is the USG SNMP security name meaning
The configuration and interpretation of the USG SNMP security name are as follows: Security name and securityname, SNMPv1 and SNMPv2c agreement with the community name to identify, in the SNMPv3 protocol with the user name to identify. This parameter is used to identify and distinguish the source device that sends the alarm on the NMS to facilitate the user to identify the sender of the alarm. Examples of configuration are as follows: Allow SNMP traps to be sent to System-view [Sysname] snmp-agent trap enable standard [Sysname] snmp-agent target-host trap address udp-domain params securityname Com & access

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top