
Security Policy Development in Firewalls

Latest reply: Sep 23, 2021 04:46:49


    The Internet is changing and new security threats keep emerging. To adapt to this, Huawei firewall products are constantly evolving, and their security policies have been refined step by step. The development of Huawei's firewall security policy has gone through three main stages: ACL-based packet filtering, the UTM-based security policy, and the integrated security policy.

    The development of the Huawei firewall security policy has the following characteristics. Matching conditions become finer and finer: traditional firewalls identify traffic by IP address and port, while next-generation firewalls identify it by user, application and content, so the recognition capability keeps growing. Actions become richer and richer: from simply permitting or denying a packet to performing multiple content security checks on it. The configuration method also improves, from configuring ACLs to configuring integrated security policies, which are easier to understand and to use. Below we introduce the three stages in the development of the security policy one by one.

Stage 1: Packet filtering based on ACLs

    ACL-based packet filtering is an early implementation on Huawei firewalls and is only supported by older versions, such as V100R003 of the USG2000/5000 series firewall and V200R001 of the USG9500 series firewall. It controls packets through an ACL, which contains several rules, each defining conditions and an action. The ACL must be configured in advance and then referenced between security zones. When the firewall forwards a packet between two security zones, it searches the rules in the ACL one by one, from top to bottom. If the packet hits a rule, the action in that rule is executed and the search stops. If the packet does not hit a rule, the search continues downwards. If none of the rules is hit, the action of the default packet filter is performed.

    When configuring ACL-based packet filtering, you must first configure the ACL and then reference it between security zones. For example, in the direction from the Trust security zone to the Untrust security zone, deny packets with source address 192.168.0.100 and permit packets from the 192.168.0.0/24 network segment to the 172.16.0.0/24 network segment, as configured below.

[FW] acl 3000
[FW-acl-adv-3000] rule deny ip source 192.168.0.100 0
[FW-acl-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255 destination 172.16.0.0 0.0.0.255
[FW-acl-adv-3000] quit
[FW] firewall interzone trust untrust
[FW-interzone-trust-untrust] packet-filter 3000 outbound

Stage 2: Security policy incorporating UTM

    With the launch of UTM products, the security policy of Huawei firewalls took a step forward and truly became a "policy". Unlike ACL-based packet filtering, conditions and actions can now be defined directly in the security policy, without configuring an ACL separately. In addition, when the action of the security policy is permit, UTM policies such as AV and IPS can be referenced to further inspect the packet. At present, V300R001 of the USG2000/5000 series firewall uses the security policy incorporating UTM. V300R001 of the USG9500 series firewall also uses this method, but only conditions and actions can be configured; referencing UTM policies is not supported.

    A security policy that incorporates UTM consists of conditions, actions and UTM policies. It is important to note that the concept of the service set appears in the security policy, replacing protocols and ports. Some service sets are built into the security policy, covering common protocols, and can be configured directly as conditions. For protocols or ports outside this scope, we can define a new service set and reference it in the security policy.

Stage 3: Integrated security policy

    With the rapid development of networks and the growing number of applications, the protocols in use and the ways data is transmitted have changed, and application-layer attacks such as network worms and botnets keep occurring. Traditional firewalls identify applications mainly by port and protocol, and detect and defend against attacks based on transport-layer characteristics, so they no longer provide sufficient protection against worms, botnets and similar threats. These new security requirements drove the emergence of next-generation firewalls. Huawei firewalls keep pace with the times, and the security policy has developed to a new stage: the "integrated" security policy.

    At present, V100R001 of the USG6000 series firewall uses the integrated security policy. The "integration" mainly covers two aspects. One is integrated configuration: security functions such as anti-virus, intrusion prevention, URL filtering and mail filtering are enabled by referencing security profiles in the security policy, which reduces configuration difficulty. The other is integrated service processing: the security policy inspects the packet once and the services are processed in parallel, which greatly improves system performance.

    Through the above introduction, I believe you have gained some understanding of how the Huawei firewall security policy has developed. Later in this book, all references to security policies are exemplified with the more general Stage 2 security policy, but we will only give conditions and actions, not the configuration of UTM policies.

That's all. Thank you for your support. Thank you.
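As an added example (not code from the post or from Huawei), the following Python models the two behaviours described above: the Stage 1 ACL with VRP-style wildcard masks, top-down first-match evaluation and the zone pair's default action, together with a check for rules that an earlier rule fully shadows (the common mistake of placing a specific deny after a broader permit), and a Stage 2 policy whose service condition is a named service set rather than a protocol and port. The built-in service-set names, the custom "rdp" set, the zone names and the packets are constructed assumptions for the demonstration.

```python
"""Added example, not Huawei code: a model of the two policy styles in the post.
Stage 1: wildcard-mask ACL rules on a zone pair, searched top-down, first hit
wins, no hit falls through to the default packet filter.  Stage 2: policy rules
whose service condition is a named service set, with UTM policies on permits."""
from dataclasses import dataclass
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any address' in (base, wildcard) form

def _addr_int(text):
    """VRP accepts the shorthand wildcard '0' for a single host."""
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))

def _care(wildcard):
    """Bits the rule compares: a 1 bit in the wildcard means 'don't care'."""
    return ~_addr_int(wildcard) & 0xFFFFFFFF

def wildcard_match(addr, base, wildcard):
    """'192.168.0.100 0' matches one host; '192.168.0.0 0.0.0.255' the whole /24."""
    care = _care(wildcard)
    return (_addr_int(addr) & care) == (_addr_int(base) & care)

def _covers(outer, inner):
    """True if wildcard spec `outer` matches every address `inner` matches."""
    care_o, care_i = _care(outer[1]), _care(inner[1])
    return not (care_o & ~care_i) and (_addr_int(outer[0]) & care_o) == (_addr_int(inner[0]) & care_o)

@dataclass
class AclRule:
    action: str            # 'permit' or 'deny'
    src: tuple = ANY       # (base, wildcard)
    dst: tuple = ANY

    def matches(self, pkt):
        return wildcard_match(pkt["src"], *self.src) and wildcard_match(pkt["dst"], *self.dst)

def acl_lookup(rules, pkt, default="deny"):
    """(action, index of the hit rule); index None means the default filter applied."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i              # first hit wins, search stops
    return default, None

def shadowed_rules(rules):
    """Rules an earlier rule fully covers, so acl_lookup can never reach them;
    a specific deny placed after a broader permit is the classic ordering bug."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i].src, rules[j].src) and _covers(rules[i].dst, rules[j].dst)
                   for i in range(j))]

# Stage 2: a service set is a set of (protocol, first port, last port); None means
# 'any service'.  These built-in names are assumed for the example, not Huawei's list.
SERVICE_SETS = {"any": None, "http": {("tcp", 80, 80)}, "https": {("tcp", 443, 443)},
                "dns": {("udp", 53, 53), ("tcp", 53, 53)}}

def service_matches(name, pkt):
    members = SERVICE_SETS[name]
    return members is None or any(p == pkt["proto"] and lo <= pkt["dport"] <= hi
                                  for p, lo, hi in members)

@dataclass
class PolicyRule:
    zones: tuple          # (source zone, destination zone)
    src_nets: tuple       # ipaddress networks
    dst_nets: tuple
    service: str          # service-set name replaces protocol/port
    action: str
    utm: tuple = ()       # UTM policies (AV, IPS, ...) referenced on a permit

    def matches(self, pkt):
        src, dst = ipaddress.IPv4Address(pkt["src"]), ipaddress.IPv4Address(pkt["dst"])
        return (self.zones == pkt["zones"] and any(src in n for n in self.src_nets)
                and any(dst in n for n in self.dst_nets) and service_matches(self.service, pkt))

def policy_lookup(rules, pkt, default="deny"):
    """(action, index of the hit rule, UTM policies to run on the permitted flow)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i, rule.utm
    return default, None, ()

def demo():
    """The post's acl 3000 (trust -> untrust) in both stages, on constructed packets."""
    host, lan, dmz = ("192.168.0.100", "0"), ("192.168.0.0", "0.0.0.255"), ("172.16.0.0", "0.0.0.255")
    acl_3000 = [AclRule("deny", src=host), AclRule("permit", src=lan, dst=dmz)]
    bad = {"src": "192.168.0.100", "dst": "172.16.0.7"}
    out = {"bad_host": acl_lookup(acl_3000, bad),                                 # ('deny', 0)
           "no_hit": acl_lookup(acl_3000, {"src": "10.0.0.5", "dst": "172.16.0.7"}),
           "swapped": acl_lookup(acl_3000[::-1], bad),   # deny listed second is never reached
           "shadowed": shadowed_rules([AclRule("permit", src=lan), AclRule("deny", src=host)])}
    SERVICE_SETS.setdefault("rdp", {("tcp", 3389, 3389)})   # custom set for a port not built in
    net, tu = ipaddress.ip_network, ("trust", "untrust")
    lan_net, dmz_net = (net("192.168.0.0/24"),), (net("172.16.0.0/24"),)
    policy = [PolicyRule(tu, (net("192.168.0.100/32"),), (net("0.0.0.0/0"),), "any", "deny"),
              PolicyRule(tu, lan_net, dmz_net, "http", "permit", utm=("av", "ips")),
              PolicyRule(tu, lan_net, dmz_net, "rdp", "permit")]
    web = {"zones": tu, "src": "192.168.0.20", "dst": "172.16.0.7", "proto": "tcp", "dport": 80}
    out["web"] = policy_lookup(policy, web)                     # ('permit', 1, ('av', 'ips'))
    out["rdp"] = policy_lookup(policy, {**web, "dport": 3389})
    out["ssh"] = policy_lookup(policy, {**web, "dport": 22})    # no rule hits: default deny
    return out
```

Calling demo() shows why the order of the two rules in acl 3000 matters: with the deny for 192.168.0.100 listed first it is hit and the search stops, but with the rules reversed the broader permit for 192.168.0.0/24 to 172.16.0.0/24 wins for that host and the deny is never consulted. shadowed_rules flags the fully covered case, where a later rule can never be reached for any packet.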


andersoncf1
MVE Author Created Aug 30, 2021 05:06:11

Well done

user_4147187 Created Aug 30, 2021 11:29:29

Thank you.  
IndianKid
Moderator Author Created Aug 30, 2021 06:14:25

Good explanation, thanks for sharing

user_4147187 Created Aug 30, 2021 11:29:11
Thanks.  
It's very important to have a security strategy before deployments

Great share

Thanks

Your essay is well written.

Informative, and good deployment strategy to follow, thanks for sharing

Great work