[Dr.WoW] [No.8] First Experience of Security Policies Highlighted

Latest reply: Apr 28, 2015 03:46:30

As I mentioned many times in the preceding chapter, "rules" are actually "security check inspectors" for security control and play an important role when firewalls forward packets. Packets can travel between security zones only when the action in the rules is "permit". If the action is "deny", the packets will be discarded.

On firewalls, rules are expressed as "security policies". I will explain security policies in detail in this chapter.

1 Basic Concepts

First, let's start from a simple network environment. As shown in Figure 1-1, a PC and a Web server are on different networks, and both of them connect to a firewall. The PC is in the Trust zone, while the Web server is in the Untrust zone.

Figure 1-1 Networking for a PC to access a Web server

If we want the firewall to allow the PC to access the Web server, the requirement can be described as follows: Allow packets to pass from source address in the Trust zone to destination address and destination port 80 (HTTP port) in the Untrust zone.

If we express the requirement in a security policy and supplement the implied source port information, the result is shown in Figure 1-2.

Figure 1-2 Security policy for a PC to access a Web server

We can see that security policies are based on interzone relationships. A security policy consists of the following parts:

  • Condition

Indicates the reference against which the firewall checks packets. The firewall compares the information carried in a packet with the condition field by field to decide whether the packet matches.

  • Action

Indicates the action to be taken on matching packets. One policy has only one action, either permit or deny.

Note that the condition has multiple fields, such as the source address, destination address, source port, and destination port. These fields are in an "AND" relationship. That is, a packet matches a policy only when the information in the packet matches all the fields in the policy. If one field has multiple items (such as two source addresses or three destination addresses), the items within that field are in an "OR" relationship. That is, a packet matches the field as long as it matches any one of the items.

After the security policy is configured on the firewall, the PC can access the Web server. The reply packets from the Web server to the PC match the existing session, so no additional security policy is required. This mechanism was described in section 1.5.

In actual network environments, it is often the case that two network segments (such as and ) need to communicate, not just two specific hosts (the PC and the Web server). In this case, we set the condition of a security policy to a network segment. For example, allow packets to pass from source network segment in the Trust zone to destination network segment in the Untrust zone. If there is a new requirement that packets from in the source network segment are not allowed to access the destination network segment, how can we fulfill it?

We can configure another security policy to reject packets from source address in the Trust zone to the Untrust zone. Here you may have a question: the conditions of both security policies contain source address . To be specific, packets from match both security policies, but the actions defined in the two policies conflict. Which action does the firewall take?

Let's look at the matching sequence of security policies.

2 Matching Sequence

Security policies are ordered. When a firewall forwards packets between security zones, it searches the interzone security policies from top to bottom. If a packet matches a security policy, the firewall takes the action defined in that policy and stops searching the subsequent policies. If the packet does not match the policy, the firewall continues with the next one.

Because of this matching sequence, we must follow the "refined first, rough second" principle when configuring security policies. To be specific, we must first configure security policies with narrow matching scopes and precise conditions, and then those with large matching scopes and broad conditions. The configuration of security policies is similar to that of ACL rules in this respect.

Take the preceding situation as an example. As shown in Figure 1-3, we configure the first security policy to deny packets from in the Trust zone to the Untrust zone, and the second security policy to allow packets to pass from network segment in the Trust zone to network segment in the Untrust zone.

Figure 1-3 Matching sequence of security policies

When the firewall searches the security policies, packets from match the first policy and are therefore denied. Other packets from network segment match the second policy and are forwarded. If we swap the order of the two security policies, packets from will never reach the deny policy, because the broader permit policy is matched first.

You may have another question: How does the firewall process a packet if no security policy is matched? For this situation, firewalls provide the "default packet filtering" function.

3 Default Packet Filtering

Default packet filtering is essentially a type of security policy, which is also called the default security policy. Default packet filtering does not have specific conditions, and its action can be either permit or deny. It takes effect on all packets. Note that default packet filtering has nothing to do with the first-generation packet filtering firewalls.

Default packet filtering has the broadest condition so that all packets can match it. Therefore, default packet filtering serves as the final packet processing means. As shown in Figure 1-4, if a packet does not match any security policy, it finally matches default packet filtering, and the firewall takes the action defined in the default packet filtering.

Figure 1-4 Security policies and default packet filtering

The default action in default packet filtering is deny. That is, the firewall does not allow packets that match no security policy to travel between security zones. To simplify configuration, we may set the default packet filtering action between two security zones to permit. However, this brings huge security risks. Allowing all packets to pass through the firewall means the firewall achieves neither network isolation nor access control, which makes it meaningless. Therefore, setting the default packet filtering action to permit is not recommended. Instead, configure security policies with precise conditions to control packet forwarding.
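To make the three mechanisms above concrete (fields combined with AND, items within a field combined with OR, top-to-bottom first-match search, and default packet filtering as the last resort), here is an added Python model of the matching logic. It is an example written for this page, not Huawei code, and it uses constructed addresses from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 in place of the addresses the post refers to; the `Policy` dataclass, the `evaluate()` function and the policy names are assumptions of the example. The two policy lists show the "refined first, rough second" principle and what happens when it is violated.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """One interzone security policy: a condition plus a single action.
    (Illustrative model, not a Huawei data structure.)"""
    name: str
    src_zone: str
    dst_zone: str
    action: str                                     # "permit" or "deny"
    src_addrs: list = field(default_factory=list)   # networks; empty list = any
    dst_addrs: list = field(default_factory=list)   # networks; empty list = any
    dst_ports: list = field(default_factory=list)   # ints; empty list = any
    protocol: str = "any"                           # "tcp", "udp" or "any"

    def matches(self, pkt: dict) -> bool:
        # Every field of the condition must match (AND across fields) ...
        if (self.src_zone, self.dst_zone) != (pkt["src_zone"], pkt["dst_zone"]):
            return False
        if self.protocol != "any" and self.protocol != pkt["protocol"]:
            return False
        # ... while inside one field any listed item is enough (OR within a field).
        if self.src_addrs and not _in_any(pkt["src_ip"], self.src_addrs):
            return False
        if self.dst_addrs and not _in_any(pkt["dst_ip"], self.dst_addrs):
            return False
        if self.dst_ports and pkt["dst_port"] not in self.dst_ports:
            return False
        return True


def _in_any(addr: str, networks: list) -> bool:
    """True if addr falls inside at least one of the listed networks."""
    ip = ip_address(addr)
    return any(ip in ip_network(n, strict=False) for n in networks)


def evaluate(policies: list, pkt: dict, default_action: str = "deny") -> tuple:
    """Search the policy list top to bottom; the first hit decides.
    Returns (action, deciding policy name); "default" means default packet
    filtering handled the packet because no explicit policy matched."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, pol.name
    return default_action, "default"


def pkt(src_ip, dst_ip, dst_port, protocol="tcp",
        src_zone="Trust", dst_zone="Untrust") -> dict:
    """Constructed packet summary (only the fields the condition inspects)."""
    return {"src_zone": src_zone, "dst_zone": dst_zone, "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": dst_port, "protocol": protocol}


# Constructed policies for the scenario in the post: one host in the Trust
# segment must be blocked, the rest of the segment may reach the Untrust
# segment on TCP port 80.
DENY_HOST = Policy("deny-host", "Trust", "Untrust", "deny",
                   src_addrs=["192.0.2.10"])
PERMIT_SEGMENT = Policy("permit-segment", "Trust", "Untrust", "permit",
                        src_addrs=["192.0.2.0/24"], dst_addrs=["198.51.100.0/24"],
                        dst_ports=[80], protocol="tcp")

REFINED_FIRST = [DENY_HOST, PERMIT_SEGMENT]   # correct order
ROUGH_FIRST = [PERMIT_SEGMENT, DENY_HOST]     # deny policy is shadowed


if __name__ == "__main__":
    blocked = pkt("192.0.2.10", "198.51.100.5", 80)
    allowed = pkt("192.0.2.20", "198.51.100.5", 80)
    ssh = pkt("192.0.2.20", "198.51.100.5", 22)
    for label, plist in (("refined first", REFINED_FIRST), ("rough first", ROUGH_FIRST)):
        print(label, "blocked host ->", evaluate(plist, blocked))
        print(label, "other host   ->", evaluate(plist, allowed))
    print("no explicit match, default deny ->", evaluate(REFINED_FIRST, ssh))
    print("no explicit match, default permit ->", evaluate(REFINED_FIRST, ssh, "permit"))
```

With the refined policy first, the blocked host is denied and the rest of the segment is permitted; with the rough policy first, the blocked host is permitted and the deny policy never fires. A packet to port 22 matches neither policy and is decided by the default action alone, which is why leaving that action at deny matters.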

The preceding security policies apply to packets traveling between security zones. Can Huawei firewalls control packets within a security zone? Of course they can. By default, packets within a security zone are not controlled by security policies and are freely forwarded. Huawei firewalls also support intrazone security policies, which we can configure to restrict specific packets when a special scenario requires it.

Pay attention to this point: when the interfaces on a firewall work in layer 2 (transparent) mode, packets passing through the firewall are still controlled by security policies. In this case, security policies must also be configured to control those packets.

In addition to the packets forwarded by a firewall, the packets that the firewall itself exchanges with other devices are also controlled by security policies, for example the packets generated when an administrator logs in to the firewall or when the firewall establishes a VPN with another device. The conditions in such security policies differ considerably, and we will introduce them in the section on ASPF.

Through the preceding introduction, I believe you now have a preliminary understanding of security policies. As nothing stays unchanged, the security policies on Huawei firewalls have kept pace with the times and are constantly being developed. In the next section, we will tell you the development history of Huawei firewall security policies.




Created Apr 28, 2015 03:46:30

Thank you.