Network Security Fundamentals: Firewalls

Hillstone

Uploaded by

Lerner Mapurunga

Chapter 1 - Network Security Basis

HCSA-NGFW 2022

Contents
1 Evolutionary History of Firewall
2 Hillstone Product Introduction

Evolutionary History of Firewall

Firewall Concept

Network firewalls secure traffic bidirectionally across networks. Although these firewalls
are primarily deployed as hardware appliances, clients are increasingly deploying
virtual appliance firewalls, cloud-native firewalls from infrastructure as a service (IaaS)
providers, and firewall as a service (FWaaS) offerings hosted directly by vendors.

- Gartner

[Diagram: firewall placed between the Internal Network and the External Network / Internet]
Evolutionary History of Firewall

Stage 1 – Packet Filtering (Network Layer, before 1995)
• Simple ACL

Stage 2 – Stateful Inspection (Session Layer, 1996-2007)
• IP connection based
• Use ALG to track the protocol stack; no way to handle encrypted or HTTP based applications

Stage 3 – NGFW (Application Layer, after 2008)
• Identify application via app signature and app behavior
• Able to control the encrypted apps
• Role based user identification
Packet Filter Firewall
• Features of Packet Filter FW:
− Only checks the packet header: IP address and port
− The detected object is a single packet; packets are not correlated with each other, so a data connection requires an all-permit policy in both directions
− Filters packets via ACL

[Diagram: only the packet header (IP and TCP) is checked; the APP payload is not inspected]
Stateful Inspection Technology
• Features of Stateful Inspection FW:
– Introduces "session" technology; the session connection is the detected object.
– A session is identified via the 5 tuple (source/destination IP and port, IP protocol number).
– A session maintains bidirectional traffic, so a one-way policy can control the access.
– For example, a TCP Telnet session from a PC to a Telnet server, followed through the three-way handshake (the source and destination addresses survive only as [Link] in this extract):

Packet 1 (PC → Telnet server, SYN)
Source address [Link]
Destination address [Link]
Source port 1026
Destination port 23
Initial sequence number 49091
Flag SYN

Packet 2 (Telnet server → PC, SYN+ACK)
Source port 23
Destination port 1026
Sequence number 32513
Ack 49092
Flag SYN+ACK

Packet 3 (PC → Telnet server, ACK)
Source port 1026
Destination port 23
Sequence number 49092
Ack 32514
Flag ACK

Packet 1 is matched against the one-way permit policy and creates the session; packets 2 and 3 are matched to that session rather than to a policy.
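The difference between the packet filter slide and the stateful inspection slide is easiest to see in code. The block below is an added illustration, not Hillstone's code: it judges the slide's Telnet handshake (ports 1026 → 23, ISN 49091, server ISN 32513, ack numbers as shown) first with a stateless ACL and then with a 5-tuple session table. The PC and server addresses are constructed placeholders, because the extract does not preserve the slide's IPs, and the stray unsolicited packet at the end is also constructed.

```python
"""Packet filter (stateless ACL) vs stateful inspection (5-tuple session table).

Added illustration, not Hillstone's code. Addresses are constructed; ports,
sequence numbers and flags follow the slide's Telnet handshake example.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # IP protocol name, e.g. "tcp"
    src_port: int
    dst_port: int
    flags: str          # "SYN", "SYN+ACK" or "ACK"
    seq: int = 0
    ack: int = 0


# Constructed placeholder addresses (RFC 5737 documentation ranges).
PC, TELNET = "192.0.2.10", "198.51.100.23"

# The slide's three-way handshake between the PC and the Telnet server.
HANDSHAKE = [
    Packet(PC, TELNET, "tcp", 1026, 23, "SYN", seq=49091),
    Packet(TELNET, PC, "tcp", 23, 1026, "SYN+ACK", seq=32513, ack=49092),
    Packet(PC, TELNET, "tcp", 1026, 23, "ACK", seq=49092, ack=32514),
]
# Constructed: an unsolicited connection attempt from the server side, no session behind it.
STRAY = Packet(TELNET, PC, "tcp", 40000, 445, "SYN")


@dataclass(frozen=True)
class Rule:
    """One ACL / policy line. None in a field means 'any'."""
    src_ip: Optional[str]
    dst_ip: Optional[str]
    proto: str
    dst_port: Optional[int]
    action: str          # "permit" or "deny"


def rule_matches(rule: Rule, p: Packet) -> bool:
    return (rule.src_ip in (None, p.src_ip) and rule.dst_ip in (None, p.dst_ip)
            and rule.proto == p.proto and rule.dst_port in (None, p.dst_port))


def packet_filter(acl: list[Rule], packets: list[Packet]) -> list[str]:
    """Stage 1: each packet is judged alone on its header fields; no match means deny."""
    return [next((r.action for r in acl if rule_matches(r, p)), "deny") for p in packets]


def five_tuple(p: Packet) -> tuple:
    return (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)


def reverse(t: tuple) -> tuple:
    """Swap addresses and ports: the 5-tuple the reply direction will carry."""
    return (t[1], t[0], t[2], t[4], t[3])


class StatefulFirewall:
    """Stage 2: the policy is consulted only for the packet that opens a session (the SYN).
    Later packets of the same session, in either direction, are matched against the
    session table, so a one-way permit policy is enough for the return traffic."""

    def __init__(self, policy: list[Rule]):
        self.policy = policy
        self.sessions: dict[tuple, str] = {}   # initiator's 5-tuple -> TCP state

    def process(self, p: Packet) -> str:
        key = five_tuple(p)
        if key in self.sessions:                          # initiator -> responder
            if p.flags == "ACK" and self.sessions[key] == "SYN_RECV":
                self.sessions[key] = "ESTABLISHED"
            return "permit"
        if reverse(key) in self.sessions:                 # responder -> initiator (return traffic)
            if p.flags == "SYN+ACK" and self.sessions[reverse(key)] == "SYN_SENT":
                self.sessions[reverse(key)] = "SYN_RECV"
            return "permit"
        if p.flags != "SYN":                              # no session and not a connection open
            return "deny"
        verdict = next((r.action for r in self.policy if rule_matches(r, p)), "deny")
        if verdict == "permit":
            self.sessions[key] = "SYN_SENT"
        return verdict


def run_stateful(policy: list[Rule], packets: list[Packet]) -> list[str]:
    fw = StatefulFirewall(policy)
    return [fw.process(p) for p in packets]


# One-way policy: the PC may open Telnet to the server; nothing permits the reverse direction.
ONE_WAY = [Rule(PC, TELNET, "tcp", 23, "permit")]
# What a packet filter needs to let the SYN+ACK through: a blanket reverse-direction permit.
BIDIRECTIONAL = ONE_WAY + [Rule(TELNET, PC, "tcp", None, "permit")]

if __name__ == "__main__":
    print("packet filter, one-way ACL: ", packet_filter(ONE_WAY, HANDSHAKE))
    print("packet filter, two-way ACL: ", packet_filter(BIDIRECTIONAL, HANDSHAKE + [STRAY]))
    print("stateful, one-way policy:   ", run_stateful(ONE_WAY, HANDSHAKE + [STRAY]))
```

With the one-way ACL the packet filter drops the server's SYN+ACK, so the Telnet session never completes; adding the reverse-direction permit fixes that but also lets the constructed stray SYN from the server side through. The stateful firewall permits all three handshake packets under the same one-way policy and still denies the stray packet, because no session matches its 5-tuple in either direction.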
Next Generation FW
• DPI technology into application layer detection
• Content identification
• User authentication
• IP 5 tuple + APP ID and User ID

An NGFW correlates the IP and port of a flow with User, APP and Content, because:
Port ≠ Application
IP ≠ User
Packet ≠ Content
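The three inequalities above are the reason an NGFW policy is keyed on 5 tuple plus APP ID plus User ID rather than on port and IP alone. The block below is an added illustration, not Hillstone's code: it classifies constructed flows once by destination port and once by a payload signature, looks the source IP up in a constructed authentication table, and applies a user-group policy. The signatures, users, addresses and flows are all assumptions made for the example; a real NGFW uses far richer signatures and app behavior, as the evolution slide notes.

```python
"""Port-based vs signature-based application identification, combined with user identity.

Added illustration, not Hillstone's code. Signatures, the user table, addresses and
flows are constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes      # first client-to-server bytes of the flow


# Constructed app signatures on the first payload bytes (principle only, not real NGFW signatures).
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),     # TLS record: handshake, version 3.x
]
# What a port-based classifier assumes each well-known port carries.
PORT_TABLE = {22: "ssh", 80: "http", 443: "tls"}


def app_by_port(flow: Flow) -> str:
    """Stage 1/2 view: the port is taken as the application."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def app_by_signature(flow: Flow) -> str:
    """NGFW view: the application is identified from the payload, whatever the port."""
    for name, pattern in APP_SIGNATURES:
        if pattern.match(flow.payload):
            return name
    return "unknown"


# Constructed authentication table (IP -> user, group), as filled by AD/Local/RADIUS logins.
USER_TABLE = {"192.0.2.10": ("alice", "finance"), "192.0.2.20": ("bob", "netops")}


def user_of(ip: str) -> tuple[str, str]:
    return USER_TABLE.get(ip, ("unknown", "unauthenticated"))


@dataclass(frozen=True)
class Policy:
    group: str
    apps: frozenset[str]
    action: str = "permit"


# Constructed policy: finance may browse the web; netops may also use SSH; all else is denied.
POLICY = [
    Policy("finance", frozenset({"http", "tls"})),
    Policy("netops", frozenset({"http", "tls", "ssh"})),
]


def decide(flow: Flow, classify) -> str:
    """Match (user group, app id) against the policy; implicit deny."""
    app = classify(flow)
    _, group = user_of(flow.src_ip)
    for rule in POLICY:
        if rule.group == group and app in rule.apps:
            return rule.action
    return "deny"


# Constructed flows. The second one is SSH carried on port 443 to look like HTTPS.
FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("192.0.2.10", "203.0.113.9", 443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    Flow("192.0.2.20", "203.0.113.9", 443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    Flow("192.0.2.30", "203.0.113.5", 80, b"GET / HTTP/1.1\r\n\r\n"),   # IP with no logged-in user
]


def verdicts(classify) -> list[str]:
    return [decide(f, classify) for f in FLOWS]


if __name__ == "__main__":
    for f in FLOWS:
        user, group = user_of(f.src_ip)
        print(f"{user}/{group} -> {f.dst_ip}:{f.dst_port}  by port: {app_by_port(f):7} "
              f"by signature: {app_by_signature(f)}")
    print("port-based policy:     ", verdicts(app_by_port))
    print("signature-based policy:", verdicts(app_by_signature))
```

Port-based classification calls the second flow "tls" and permits it for the finance user, even though the payload is an SSH session; signature-based classification identifies it as "ssh" and denies it, while the same SSH flow from the netops user is permitted. The last flow is plain HTTP on port 80 but comes from an IP with no authenticated user, so neither variant permits it: the policy is evaluated on the user, not the address.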
NGFW Concept

Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.
NGFW Functions
• Basic Network: Switch/Route, Session, Policy
• VPN: Support IPSec VPN, SSL VPN, L2TP VPN
• HA: Support A/P and A/A mode, configuration and session synchronization
• VSYS: Logically divides the physical firewall into several virtual firewalls.
• IPv6: Support IPv6/IPv4 dual stack
• Monitor: Monitor device status, traffic etc.
NGFW Functions
• Application Identification
• User Authentication: AD, Local, RADIUS
• SSL Decryption: Support HTTPS decryption with APPID, IPS, AV, URL filtering
• QoS: Two-level, 8-layer pipe nesting of bandwidth control, based on user, IP, APP, URL etc.
• Link Load Balancing: Intelligently route and dynamically adjust the traffic load of each link by monitoring the quality of each link in real time
• Server Load Balancing: Based on weighted hashing, weighted round robin, weighted least connection
• Traffic Quota: Limit and control the allowable flow quota of users/user groups per day or per month.
• Endpoint Access Monitor
NGFW Functions – Threat Protection
• Attack Defense
• IPS
• AV
• Cloud Sandbox
• Data Security: File/content filter
• Botnet C&C Prevention
• IP Reputation
• Web access control, URL filter
Hillstone Product Introduction

Hillstone's Product Portfolio

Centralized Security Analytics, Management and Operations
• iSource – Hillstone Security Operation Platform
• HSM/vHSM – Hillstone Security Management Platform
• HSA/vHSA – Hillstone Security Audit Platform
• CloudView – Cloud Security Monitoring & Analytics

Edge Protection
• NGFW (A, E, E-Pro Series) – Next-Gen Firewall (NGFW)
• DCFW (X-Series) – Data Center NGFW
• NIPS (S-Series) – Network Intrusion Prevention System (NIPS)

Cloud Protection
• CloudArmour – Cloud Workload Protection Platform
• CloudHive – Micro-segmentation Solution
• CloudEdge – Virtual NGFW Solution

Server Protection
• I-Series – Breach Detection System (BDS)
• I-Series (vBDS) – Virtual Breach Detection System

Application Protection
• AX-Series – Application Delivery Controller (ADC)
• AX-Series (vADC) – Virtual Application Delivery Controller
• W-Series – Web Application Firewall (WAF)
• W-Series (vWAF) – Virtual Web Application Firewall

Solutions: ZTNA, SD-WAN, XDR, NDR, CWPP, Micro-Segmentation
Thanks
