Huawei Symantec Secospace USG5100&2200 Technical White Paper. Huawei Symantec Technologies Co., Ltd.

Contents

1 Overview
  1.1 Problems on Networks
  1.2 Introduction to Firewall Products
  1.3 Firewall Definition
  1.4 Instructions on the Use of Firewalls
2 Technology Principles of Firewalls
  2.1 Reliability Design
  2.2 Firewall Performance Model
  Network Isolation
  Access Control
  Flow-based Status Check Technology
  Application Software Monitoring
  Service Support Capability
  NAT
  Attack Defense
  Networking Adaptability
  VPN Services
  Management System
  Log System
Technical Features of Huawei Symantec Secospace USG5100&2200
  High-Reliability Design
    Highly-reliable Hardware Design
    Robust Software System
    Dual-System Backup Technology
    Link Backup Technology
    Hot Backup Technology
    Advantages of Huawei Symantec Firewalls in Reliability
  Flexible Security Zone Management
    Isolation Based on Security Zones
    Manageable Security Zones
    Policy Control Based on Security Zones
  Comprehensive Service Capability
  Security Policy Control
    Flexible Rule Setting
    Rule Management Based on Time Segments
    High-Speed Policy Matching
    Binding of MAC Addresses and IP Addresses
    Dynamic Policy Management
    Blacklisting
  Status Check Technology Based on Flow Sessions
    Kernel Technology Based on Session Management
    In-Depth Detection
    Advantages of the Status Check Technology
    P2P Traffic Monitoring
    Advanced Virtual Firewall Technology
  Service Support Capability
    Perfect Security Protection for Multi-Channel Protocols
    Data Flow Management for Diversified Services
    Comprehensive Service Capacity
    Perfect Multi-Media Services
  NAT Features of the USG5100&2200
    Excellent NAT Performance
    Flexible NAT Management
    Powerful Internal Server
    Powerful Service Support
    Unlimited PAT
    Supporting Load Balancing Among Multiple Interfaces
  Abundant Attack Defense Means
    Prerequisites for Excellent Anti-DoS Capability
    Diversified Anti-DoS Means
    Advanced TCP Proxy Defense System
    Scanning and Sniffing Attacks
    Malformed-Packet Attacks
  Brilliant Networking Adaptability
    High-Density Interfaces
    WLAN (WiFi)
    Diversified Routing Protocols and Routing Management
    Multiple Working Modes
    Various Authentication Methods
    Multi-ISP Networking Adaptability
  Perfect VPN Functions
    L2TP VPN
    IPSec VPN
    SSL VPN
    GRE VPN
    VPN Manager
  Sound Maintenance and Management System
    Diversified Maintenance and Management Methods
    SNMP-based Terminal System Management
  Perfect Log System
    Log Server
    Two Log Output Modes
    Diversified Logs
Typical Networking
  Attack Defense
  Address Translation Networking
  Dual-System Hot Backup Application
  VPN Applications Protected by IPSec
  Wireless Application (WLAN/WiFi)
  SSL VPN Application

Huawei Symantec Secospace USG5100&2200 Technical White Paper

Keywords: Huawei Symantec Secospace USG5100&2200, network security, VPN, tunneling, L2TP, IPSec, and IKE

Abstract: This document details the technical features and operating principles of the firewall and answers certain technical questions that may trouble you during firewall selection.

Acronyms and Abbreviations

Acronym   Full spelling
VPN       Virtual Private Network
AAA       Authentication, Authorization, Accounting
ASPF      Application Specific Packet Filter
DoS       Denial of Service
L2TP      Layer 2 Tunneling Protocol
IPSec     IP Security
IKE       Internet Key Exchange

1 Overview

1.1 Problems on Networks

Networks provide great convenience for people. However, the TCP/IP protocols of the Internet are not secure enough, so network security has become a practical issue. There are various types of attacks across networks, such as:

- Eavesdropping on packets: The attacker captures packets to obtain information about devices, then analyzes the data in the data flows to obtain user names, passwords, and other sensitive information.
- IP spoofing: The attacker changes its own IP address to that of an intranet user or a trusted external user. The attacker then sends specific packets to disturb normal data transmission, or changes routing information with forged routing packets (such as specific ICMP packets) to steal information.
- Source route attack: The sender of an IP packet specifies the route for the packet in the Option field. As a result, the packet may be delivered into protected networks.
- Address or port scanning: The attacker probes the ports monitored by the firewall to locate vulnerabilities. If the attacker knows that a certain version of the host's system software has vulnerabilities, it queries specific ports to find them and then attacks the host through those vulnerabilities, making the host go down or stop working.
- Denial of service (DoS): The attacker prevents legitimate users from accessing resources; for example, the attacker can send massive numbers of packets to exhaust bandwidth. As DoS attacks become simpler and simpler to mount, they are now among the most notorious threats to networks.
- Application layer attack: These attacks take diverse forms, such as probing application software for vulnerabilities and Trojan horses.
- Worm virus: As the Internet has become widespread, worms have become another of the most notorious threats to networks. Worms can rapidly spread through networks to almost anywhere in the world. They consume massive bandwidth when spreading, occupying the networks and overloading network devices.

Moreover, the reliability of the network devices themselves and the security of the lines also need attention. With the popularization of network applications, especially in sensitive settings (for example, e-commerce), network security is increasingly urgent. Network security is also a complex subject. It involves various aspects of network communications, such as the security of hosts, lines, protocols, and communications. Meanwhile, security conflicts with openness, and the Internet is intended to create an open communications environment. Therefore, network security technologies need to strike a balance between security defense and network openness.

Different security technologies and protection modes need to be employed to protect the system at different levels. For host systems, users can install PC firewalls, anti-virus software, and other professional host software to improve security; meanwhile, patches need to be applied in time to cope with vulnerabilities in the operating system. As to the lines, users need to provide a secure and reliable working environment for important network devices to prevent theft of the devices, and use reliable and secure communications cables. For protocols, attention should be paid to possible vulnerabilities: security defenses need to be enabled and authentication adopted to guarantee the reliability of protocols, and insecure protocols need to be avoided.

Network security is therefore a comprehensive subject involving technologies, management modes, security laws and regulations, and people's awareness of security. This document discusses the security features of the firewall, which is a device used to address security issues in networks. The firewall has outstanding advantages in solving security issues and is thus a very important part of the entire network security solution.

1.2 Introduction to Firewall Products

As the Internet develops, many local area networks (LANs) can directly access the Internet. These open LANs are exposed to many security threats. On an open network, untrustworthy computers exist everywhere, threatening private and sensitive information. Traditional protection through passwords can no longer protect certain important information. Security technologies are intended to protect private data while guaranteeing the openness of networks. Therefore, security technologies are comprehensive technologies that have integrated several subjects and technical means during the development of networks.

The firewall technology is a specific kind of security technology. Hardware firewalls are devices that adopt various security technologies and hardware structures, use high-speed CPUs and embedded operating systems, and support various high-speed interfaces (LAN interfaces) to protect private networks. Hardware firewalls do not necessarily rely on general-purpose operating systems (for example, HP-UNIX, SUN OS, AIX, and NT) or computers (for example, the IBM6000, HP, and PC). Hardware firewalls are used to solve security problems. They are applicable to various scenarios and can deliver efficient filtering. Meanwhile, hardware firewalls need to deliver such security features as access control, identity authentication, data encryption, VPN technologies, and network address translation. You can configure complex security policies based on your network environment to block illegitimate access and protect your network.

Current firewalls should not be only a barrier at the entrance. They should be the access control points among networks. All data flows going through the network protected by a firewall have to pass the firewall, which functions as a gateway for data flows. Therefore, the firewall can protect not only intranets from the Internet but also the hosts within an intranet. Inside each of the networks separated by the firewall, all computers trust each other, and the firewall does not interfere with communications among these computers. Between the networks, however, access must follow the policies defined by the firewall.

1.3 Firewall Definition

Simply speaking, the firewall protects a network from attack by any untrusted network while permitting the two to carry out legitimate communications. The firewall should have the following basic features:

- The communications data between two networks protected by the firewall must pass the firewall. Only the legitimate data packets verified by the configured policies can pass the firewall.
- The firewall itself must have very strong anti-attack and anti-penetration abilities and should deliver high reliability.
- The firewall can protect the intranet against attacks from extranets.
- The hardware firewall should be able to support multiple network interfaces, which are used to connect multiple networks. All connections between these networks must pass through the hardware firewall so that the firewall controls, verifies, and filters them.
- The firewall delivers a clear network isolation function and can separate a flat network into several logical zones. The right of a specific zone to access the other zones differs from zone to zone.

The clear network isolation feature and the unequal access rights of the firewall can protect specific networks and bring highly reliable security protection to the intranet. Therefore, it is necessary to deploy professional firewalls at important points to provide more reliable security protection. The firewall can proactively isolate certain attacks in the network.

1.4 Instructions on the Use of Firewalls

The firewall is placed at the convergence point of the entire network. If the communication traffic of the protected network bypasses the firewall, the firewall fails to protect it. Therefore, all the network traffic protected by the firewall must pass the firewall.

By default, the firewall forbids any access. After the firewall is placed in the network, various security policies need to be configured according to the actual needs of the network. The effectiveness, diversity, and flexibility of firewall policies are important indexes for evaluating firewall performance. There may be many rules in a complex network environment, and rule capacity and forwarding performance need to be considered when there are plenty of rules.

The security of the firewall itself is an important criterion in selecting a firewall. The security performance of the firewall depends on whether the firewall is based on a secure operating system and whether it employs a dedicated hardware platform. The secure operating system guarantees the security and reliability of the firewall from the software aspect, whereas the dedicated hardware platform ensures that the firewall can stand the test of long-term operation. The firewall is a part of the network infrastructure; therefore, it must be able to deliver uninterrupted operation for a long period of time. In this regard, the hardware reliability of the firewall is vital.

Before deploying the firewall, we must first determine the issues to be addressed according to the actual condition of the network and then select the firewall with appropriate performance and functions. To strike a balance between performance and functions, attention must be paid to performance indexes, because firewall performance is very important during actual operation. A firewall with low performance can cause network congestion and frequent faults; such a network is not secure at all. The performance indexes reflect the availability of the firewall and the cost that enterprises have to pay to use it. Customers usually do not accept a cost that is too high. Moreover, the firewall brings considerable losses to users if it adds a large delay to the network.

Today's mainstream firewalls are all based on status check and are sensitive to service applications. Protocols of multimedia services such as audio and video services are quite complex. If the protocol status is improperly processed, services are blocked when the protocol is applied through the firewall, or many unnecessary ports have to be opened to keep services running, degrading security. Therefore, for stateful firewalls, service adaptability needs to be considered so that the added firewall does not disrupt normal network services.

The firewall should be capable of interworking with other network security products such as the IDS to provide comprehensive, reliable, and high-performance security solutions.

2 Technology Principles of Firewalls

2.1 Reliability Design

The firewall itself is an important network device, which is generally located at the egress of the network. The location and functions of the firewall require that it deliver very high reliability. The reliability of a firewall can be guaranteed in the following ways:

- Highly reliable hardware design: Hardware design is the foundation for the reliable operation of any network device. Unlike personal or household systems such as common PCs, network devices are required to work 24 hours a day without interruption. This is demanding for the main board, CPU, fans, cards, and other hardware components. To guarantee continuous operation for a long time, the firewall must have an excellent hardware structure.
- Dual-system backup technology: In common cases, to ensure reliable operation at important locations, the firewall should provide dual-system hot backup. Dual-system backup means that two independent devices of the same model run simultaneously to provide a more reliable operating environment. A satisfactory dual-system backup environment has two working modes: either only one of the two firewalls is working and the other takes over when the first fails, or both devices are working and, when one fails, the other automatically takes over its tasks.
- Link backup technology: Link backup is used to prevent a physical link failure from causing service interruption. There may be a variety of technologies for link backup. Generally, two links provide services at the same time: both links are used for load balancing when both are normal, and when one link fails, its traffic automatically fails over to the other link. To implement link backup, the firewall must provide routing protocols and route management functions. Route-based link backup can therefore suit various scenarios and provide more reliable services through mutual backup of links.
- Hot backup technology: Hot backup means that services are not affected at all during a device or link switchover when a failure occurs. If services are interrupted during the switchover caused by a failure, the backup mechanism is called cold backup or warm backup. In most documents, hot backup, warm backup, and cold backup are not strictly distinguished. Many vendors advertise a hot backup concept, but in fact most backup mechanisms are not hot backup. As the hot backup mechanism shows, the more dynamic information a device holds, the more complex the hot backup implementation. The firewall needs to maintain plenty of rule information, connection information, and other information, so its hot backup mechanism is rather complex. For this reason, hot backup needs to be differentiated from cold backup when evaluating the backup technology of a firewall.

The reliability design of firewalls reflects comprehensive consideration in design. It must be noted that firewalls are important network devices and the reliability design is quite demanding. So, when selecting firewalls, the reliability design needs to be considered in an all-round manner.

2.2 Firewall Performance Model

Performance is important when measuring a firewall device. What are the indexes for measuring firewall performance? This section describes certain precautions when measuring it.

Throughput is a very important index for evaluating firewall performance in the industry. Throughput refers to the total traffic that the firewall can forward with best effort in the case of large packets, and is expressed in bits per second (bps). However, throughput alone is a very limited measure of performance, because it cannot reflect the real working capability of the firewall. In addition to throughput, the following indexes also count in evaluating firewall performance.

1. Ability to forward small-size packets. In the industry, large-size packets of 1 to 1.5 KB are used to measure the processing capability of a firewall. Network traffic, however, consists mostly of packets of about 200 bytes, so a firewall's capability to forward small-size packets needs to be assessed. This index reflects the real forwarding capacity of a firewall in a practical operating environment.

2. Impact of the number of rules on forwarding efficiency. A firewall works under a large number of rules. The implementation of rules and services affects the forwarding performance. Services affect the firewall a lot, and the firewall may not work well in a practical environment. Thus, the forwarding efficiency of the firewall working under a large number of rules needs to be assessed.

3. Number of new connections per second. The number of new connections per second refers to the number of TCP connections that can be established on a firewall per second. Firewall connections are dynamically established according to the current communication status. Sessions can exchange data only after a connection has been established on the firewall for each session. If the firewall sets up connections at a low rate, a long delay occurs in the communications between the clients. The more connections that can be established each second, the faster the forwarding speed. When under attack, the larger this index, the stronger the anti-attack capability, and the stronger the backup capability. The number of new connections per second is an important index for measuring the function of a firewall. If this index is low, the firewall cannot deliver excellent performance in actual network environments and may not even work under DoS attacks.

4. Number of concurrent connections. The firewall processes packets based on connections. The number of concurrent connections refers to the maximum number of concurrent connections supported by the firewall.

5. Delay. The delay refers to the time spent in transmission in the case of no packet loss. The delay should be as short as possible. The delay is critical in scenarios that require high timeliness, such as voice and video services. A long delay at the firewall results in harmonic distortion an
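The following Python model is added to this page to make two of the points above concrete; it is not code from the white paper or from the USG5100&2200 and makes no claim about how that product is implemented. It shows why the rule count (index 2) is paid only when a new connection is admitted (index 3), why established flows and their return traffic bypass the rule list, how a concurrent-connection limit (index 4) drops new flows, and why a standby that receives synchronized session state (hot backup, section 2.1) keeps forwarding an in-flight session after failover while a cold standby drops its reply traffic. All names (StatefulFirewall, max_sessions, the zone names, the addresses and ports) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Rule:
    """One policy rule in a hypothetical format; dst_port=None matches any port."""
    action: str                      # "permit" or "deny"
    proto: str
    dst_port: Optional[int] = None
    src_zone: str = "untrust"
    dst_zone: str = "trust"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    src_zone: str
    dst_zone: str

    def flow_key(self) -> FlowKey:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> FlowKey:
        # Key a reply to this packet would carry, so return traffic finds the session.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFirewall:
    """Session table in front of an ordered rule list (toy model, not vendor code)."""

    def __init__(self, rules: List[Rule], max_sessions: int,
                 standby: Optional["StatefulFirewall"] = None) -> None:
        self.rules = list(rules)
        self.max_sessions = max_sessions        # concurrent-connection limit
        self.sessions: Set[FlowKey] = set()
        self.standby = standby                  # peer receiving session sync (hot backup)
        self.stats: Dict[str, int] = {"fast_path": 0, "rule_lookups": 0,
                                      "rule_compares": 0, "dropped": 0}

    def _policy_permits(self, pkt: Packet) -> bool:
        # First-match walk; the cost grows with the number of rules before the hit.
        for rule in self.rules:
            self.stats["rule_compares"] += 1
            if (rule.proto == pkt.proto and rule.src_zone == pkt.src_zone
                    and rule.dst_zone == pkt.dst_zone
                    and (rule.dst_port is None or rule.dst_port == pkt.dport)):
                return rule.action == "permit"
        return False  # default deny, as section 1.4 describes

    def forward(self, pkt: Packet) -> bool:
        # Established flows, in either direction, never touch the rule list.
        if pkt.flow_key() in self.sessions or pkt.reverse_key() in self.sessions:
            self.stats["fast_path"] += 1
            return True
        # New connection: capacity check first, then a full policy walk.
        self.stats["rule_lookups"] += 1
        if len(self.sessions) >= self.max_sessions or not self._policy_permits(pkt):
            self.stats["dropped"] += 1
            return False
        self.sessions.add(pkt.flow_key())
        if self.standby is not None:
            self.standby.sessions.add(pkt.flow_key())   # hot backup: sync state at once
        return True


def demo() -> Dict[str, object]:
    """Constructed scenario returning the measurements the indexes above describe."""
    # 1000 deny rules for unrelated ports, then the one permit the flow needs.
    rules = [Rule("deny", "tcp", dst_port=p) for p in range(10000, 11000)]
    rules.append(Rule("permit", "tcp", dst_port=443))

    hot_standby = StatefulFirewall(rules, max_sessions=2)
    cold_standby = StatefulFirewall(rules, max_sessions=2)      # receives no session sync
    primary = StatefulFirewall(rules, max_sessions=2, standby=hot_standby)

    def client(sport: int, dport: int = 443) -> Packet:
        return Packet("tcp", "203.0.113.10", sport, "10.0.0.5", dport, "untrust", "trust")

    syn = client(40000)
    reply = Packet("tcp", "10.0.0.5", 443, "203.0.113.10", 40000, "trust", "untrust")
    out: Dict[str, object] = {}

    out["first_packet_forwarded"] = primary.forward(syn)
    out["compares_for_first_flow"] = primary.stats["rule_compares"]   # rule count paid here
    primary.forward(syn)                                               # same flow: fast path
    primary.forward(reply)                                             # return traffic: fast path
    out["fast_path_hits"] = primary.stats["fast_path"]

    before = primary.stats["rule_compares"]
    out["denied_port_forwarded"] = primary.forward(client(40005, dport=10500))
    out["denied_port_compares"] = primary.stats["rule_compares"] - before

    primary.forward(client(40001))                                     # fills the session table
    out["third_flow_forwarded"] = primary.forward(client(40002))       # over the concurrent limit

    # Failover: the reply for the established session now reaches a standby instead.
    out["hot_standby_forwards_reply"] = hot_standby.forward(reply)
    out["cold_standby_forwards_reply"] = cold_standby.forward(reply)
    return out


if __name__ == "__main__":
    print(demo())
```

The model deliberately separates the two costs the text distinguishes: the first packet of a flow walks all 1001 rules, every later packet of that flow (including the reply from the trust zone) is a single session-table lookup, and a third flow is refused at the capacity check before any rule is examined. The cold standby drops the reply because, without synchronized session state, the reply is a new connection from the trust zone for which no rule exists and the default-deny policy applies.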