[Dr.WoW] [No.9] Development History of Security Policies Highlighted

Latest reply: Apr 30, 2015 03:55:01

The network world is amidst the winds of change, and security threats emerge one after another. To adapt to such changes, Huawei firewalls are constantly updated, and their security policies are developed and improved accordingly.

As shown in Figure 1-1, the development of Huawei firewall security policies has gone through three phases: ACL-based packet filtering, UTM-integrated security policy, and unified security policy.

Figure 1-1 Development history of Huawei firewall security policies


The development history shows the following characteristics:

- Matching conditions are more refined. They have developed from the IP address- and port-based packet identification of traditional firewalls to the user-, application-, and content-based packet identification of next-generation firewalls (NGFWs), so packets can be identified far more precisely.

- More actions are available. At the beginning, packets were simply permitted or denied. Now, firewalls can additionally perform various content security checks on permitted packets.

- The configuration is more convenient. To configure security policies on traditional firewalls, you must be skilled in ACL configuration. The unified security policy configuration on NGFWs is simpler, more convenient, and easier to understand.

Let's describe the three development phases one by one.

 

Phase 1: ACL-based Packet Filtering

ACL-based packet filtering was the implementation on the earliest Huawei firewalls. Only early versions (such as V200R001 for the Eudemon8000E-X series) support this mode.

In this phase, ACLs are configured to control packets. Each ACL contains several rules, and each rule has the condition and action defined. ACLs must be configured in advance and referenced in interzones.

When forwarding a packet between security zones, a firewall searches for rules in ACLs from top to bottom. If the packet matches a rule, the firewall takes the action defined in the rule and stops rule searching. If the packet does not match the rule, the firewall continues to search for the next rule. If the packet does not match any rule, the firewall takes the action defined in default packet filtering. 

As shown in Figure 1-2,  the Trust-Untrust interzone relationship is used as an example to explain the configuration logic of ACL-based packet filtering.

Figure 1-2 Configuration logic of ACL-based packet filtering


To configure ACL-based packet filtering, you must first configure an ACL and then reference the ACL in the interzone. For example, to deny the packets from 192.168.0.100 in the Trust zone to the Untrust zone and permit the packets from 192.168.0.0/24 to 172.16.0.0/24, configure the following ACL. Note that the deny rule for the single host must come before the permit rule for the subnet: rules are matched top to bottom and the first match wins, so if the order were reversed, 192.168.0.100 would be permitted by the broader rule and the deny rule would never be reached. In ACL syntax the second value is a wildcard mask: 0 means an exact host match, and 0.0.0.255 means the last octet is ignored.

[FW] acl 3000
[FW-acl-adv-3000] rule deny ip source 192.168.0.100 0
[FW-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
[FW-acl-adv-3000] quit
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] packet-filter 3000 outbound

Phase 2: UTM-integrated Security Policy

With the release of UTM products, Huawei firewall security policies took a step forward and became actual "policies". Unlike ACL-based packet filtering, UTM-integrated security policies define their conditions and actions directly, without an ACL. In addition, when the action is permit, UTM policies such as antivirus and IPS policies can be referenced for further inspection of the permitted packets.

V300R001 for Eudemon1000E-X series uses UTM-integrated security policies. V300R001 for Eudemon8000E-X series also supports this type of security policy, but only conditions and actions can be set, and UTM policies cannot be referenced.

As shown in Figure 1-3, a UTM-integrated security policy consists of the condition, action, and UTM policy. Note that the "service set" concept appears in the policy conditions as a substitute for protocol and port. Some service sets covering common protocols are predefined and can be used directly as conditions. For other protocols or ports, you can define new service sets and reference them in security policies.

Figure 1-3 Composition of a UTM-integrated security policy


UTM-integrated security policies are ordered. When a firewall forwards packets between security zones, it searches the interzone security policies from top to bottom. If a packet matches a security policy, the firewall takes the action defined in that policy and stops searching subsequent policies. If the packet does not match the policy, the firewall continues with the next one. If the packet does not match any policy, the firewall takes the action defined in default packet filtering.

As shown in Figure 1-4,  the Trust-Untrust interzone relationship is used as an example to explain the configuration logic of UTM-integrated security policies.

Figure 1-4 Configuration logic of UTM-integrated security policies


To configure a UTM-integrated security policy, you set the condition and action directly. If UTM inspection of packets is required, create a UTM policy and reference it in a security policy whose action is permit. For example, to deny the packets from 192.168.0.100 in the Trust zone to the Untrust zone and permit the packets from 192.168.0.0/24 to 172.16.0.0/24, configure the following security policy. The same ordering rule applies as in the ACL case: policy 1 (deny the host) must precede policy 2 (permit the subnet), or the host is let through by the broader policy.

[FW] policy interzone trust untrust outbound
[FW-policy-interzone-trust-untrust-outbound] policy 1
[FW-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.100 0
[FW-policy-interzone-trust-untrust-outbound-1] action deny
[FW-policy-interzone-trust-untrust-outbound-1] quit
[FW-policy-interzone-trust-untrust-outbound] policy 2
[FW-policy-interzone-trust-untrust-outbound-2] policy source 192.168.0.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-2] policy destination 172.16.0.0 0.0.0.255
[FW-policy-interzone-trust-untrust-outbound-2] action permit

Phase 3: Unified Security Policy

As networks rapidly develop and applications blossom, protocol usage and data transmission modes have changed, and network worms, botnets, and other application-layer threats constantly emerge. Traditional firewalls cannot stop them, because they identify applications only by port and protocol and detect attacks only by transport-layer signatures. This new security requirement drove the emergence of the next-generation firewall. Huawei firewalls keep pace with the times, and their security policies have developed into the "unified" security policy phase. Currently, V100R001 for the Eudemon200E-N/1000E-N series supports unified security policies.

The unification mainly refers to:

- Unified configuration: Security profiles can be referenced directly in security policies to implement security functions such as antivirus, intrusion prevention, URL filtering, and mail filtering, reducing configuration complexity.

- Unified service processing: Multiple services are applied to a packet in a single policy match, rather than the packet being inspected separately by each service, which greatly improves system performance.

As shown in Figure 1-5, unified security policies identify the actual service environment based on applications, content, time, users, attacks, and locations in addition to the traditional 5-tuple (source and destination IP address, source and destination port, and protocol), implementing accurate access control and security inspection.

Figure 1-5 Identification dimensions for unified security policies


A unified security policy consists of the condition, action, and profile, as shown in Figure 1-6. The profile is used for content security inspection on packets and can be referenced only when the action in the policy is permit.

Figure 1-6 Composition of a unified security policy


Compared with security policies in the first two phases, unified security policies have the following features:

- Unified security policies are global in scope and no longer bound to an interzone. Security zones are optional conditions, and a rule may specify multiple security zones at the same time. A special implementation on the Huawei Eudemon200E-N/1000E-N series is that packets are not allowed to travel within the same security zone by default; to allow such intrazone traffic, you must configure an intrazone security policy (a rule whose source and destination zone are the same).

- The default action for security policies replaces default packet filtering, and the default action takes effect globally.

If multiple unified security policies are configured on a firewall, the firewall searches the policies from top to bottom when forwarding packets. As shown in Figure 1-7,  if a packet matches a specific security policy, the firewall takes the action defined in the policy and stops searching subsequent security policies. If the packet does not match the policy, the firewall continues to search subsequent policies. If the packet does not match any policy, the firewall takes the default action for security policies. The function of the default action is the same as default packet filtering. The difference is that the default action is set in a security policy.

Figure 1-7 Configuration logic of unified security policies


For example, to deny the packets from 192.168.0.100 in the Trust zone to the Untrust zone and permit the packets from 192.168.0.0/24 to 172.16.0.0/24, configure the following unified security policies. Each rule now carries its own source and destination zones instead of living in an interzone, and addresses are written with a prefix length (32 for a single host, 24 for the subnet) rather than a wildcard mask. The order matters as before: policy1 must precede policy2. Any packet matching neither rule, for example a Trust-to-Trust packet or a packet to a destination outside 172.16.0.0/24, is handled by the global default action.

[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] source-zone trust
[FW-policy-security-rule-policy1] destination-zone untrust
[FW-policy-security-rule-policy1] source-address 192.168.0.100 32
[FW-policy-security-rule-policy1] action deny
[FW-policy-security-rule-policy1] quit
[FW-policy-security] rule name policy2
[FW-policy-security-rule-policy2] source-zone trust
[FW-policy-security-rule-policy2] destination-zone untrust
[FW-policy-security-rule-policy2] source-address 192.168.0.0 24
[FW-policy-security-rule-policy2] destination-address 172.16.0.0 24
[FW-policy-security-rule-policy2] action permit
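The matching logic is the same in all three phases: rules are searched top to bottom, the first match decides, and the default action (default packet filtering in phases 1 and 2, the global default action in phase 3) covers everything else. The following Python model makes that logic concrete. It is an added example, not Huawei code or output from any Huawei device; the zone names, rule names and addresses are constructed sample data that mirror the Trust/Untrust example above. It accepts both the ACL-phase wildcard notation and the unified-policy prefix-length notation (and, going beyond the page, non-contiguous wildcards, which an ACL allows but a prefix cannot express), and it shows two things the configurations alone do not: swapping policy1 and policy2 lets 192.168.0.100 through, and a packet that matches no rule, including a Trust-to-Trust packet, falls to the default action.

```python
"""Added example (not Huawei's code): a model of first-match policy evaluation
with a default action, as described for all three phases on this page.
All zone names, rule names and addresses are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


@dataclass(frozen=True)
class AddrCond:
    """Address condition: packet address a matches when (a ^ base) & care == 0.
    'care' holds the bits that must match; it is the inverse of an ACL wildcard."""
    base: int
    care: int

    @classmethod
    def from_wildcard(cls, addr: str, wildcard: str) -> "AddrCond":
        """ACL-phase syntax, e.g. 'source 192.168.0.0 0.0.0.255'; '0' means exact host.
        Wildcard bits set to 1 are ignored and need not be contiguous."""
        wc = 0 if wildcard == "0" else ip_int(wildcard)
        care = 0xFFFFFFFF ^ wc
        return cls(ip_int(addr) & care, care)

    @classmethod
    def from_prefix(cls, addr: str, plen: int) -> "AddrCond":
        """Unified-policy syntax, e.g. 'source-address 192.168.0.0 24'."""
        if not 0 <= plen <= 32:
            raise ValueError(f"bad prefix length {plen}")
        care = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        return cls(ip_int(addr) & care, care)

    def matches(self, addr: str) -> bool:
        return (ip_int(addr) ^ self.base) & self.care == 0


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "permit" or "deny"
    source_zones: Tuple[str, ...] = ()   # empty = any zone (zones are optional)
    destination_zones: Tuple[str, ...] = ()
    source: Optional[AddrCond] = None    # None = any address
    destination: Optional[AddrCond] = None

    def matches(self, pkt: Packet) -> bool:
        if self.source_zones and pkt.src_zone not in self.source_zones:
            return False
        if self.destination_zones and pkt.dst_zone not in self.destination_zones:
            return False
        if self.source is not None and not self.source.matches(pkt.src):
            return False
        if self.destination is not None and not self.destination.matches(pkt.dst):
            return False
        return True


@dataclass
class Policy:
    rules: List[Rule]
    default_action: str = "deny"  # plays the role of default packet filtering

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Top-to-bottom search; the first matching rule decides and the search stops."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action, None


def page_policy() -> Policy:
    """The page's unified-policy example: policy1 (deny host) before policy2 (permit subnet)."""
    deny_host = Rule("policy1", "deny", ("trust",), ("untrust",),
                     source=AddrCond.from_prefix("192.168.0.100", 32))
    permit_net = Rule("policy2", "permit", ("trust",), ("untrust",),
                      source=AddrCond.from_prefix("192.168.0.0", 24),
                      destination=AddrCond.from_prefix("172.16.0.0", 24))
    return Policy([deny_host, permit_net])


def reversed_policy() -> Policy:
    """Same two rules with the order swapped: the broad permit now shadows the deny."""
    p = page_policy()
    return Policy(list(reversed(p.rules)), p.default_action)


if __name__ == "__main__":
    blocked = Packet("trust", "untrust", "192.168.0.100", "172.16.0.5")
    print(page_policy().evaluate(blocked))      # ('deny', 'policy1')
    print(reversed_policy().evaluate(blocked))  # ('permit', 'policy2'): shadowed deny
```

Running the block prints the decision for the host the page wants blocked under both orderings. The model deliberately has no implicit intrazone permit, so a Trust-to-Trust packet evaluated against `page_policy()` returns the default action with no matching rule, which is the Eudemon200E-N/1000E-N behaviour described above.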

After the preceding introduction, I believe you now understand the development history of Huawei firewall security policies. The security policies mentioned in the following parts are configured as UTM-integrated security policies, which are the most widely used today, but we only give their conditions and actions and do not involve UTM policies.

user_2790689
Created Apr 30, 2015 03:55:01

Thank you for sharing.
