Chapter 1 - Network Security Basis - 5.5R7
HCSA-NGFW 2020
Contents
1 Evolutionary History of Firewall
2 The Concept of Firewall
Evolutionary History of Firewall
Stage 1 – Packet Filtering (Network Layer)
❑ Simple ACL
Stage 2 – Stateful Inspection (Session Layer)
❑ IP connection based
❑ Uses ALG to track the protocol stack; no way to handle encrypted or HTTP-based applications
Stage 3 – NGFW (Application Layer)
❑ Identifies applications via app signature and app behavior
❑ Able to control encrypted apps
❑ Role-based user identification
Packet Filter Firewall
• Packet Filter FW features:
– Only checks the packet header: IP address and port
– The detected object is a single packet; a data connection requires a bidirectional "all permit" policy, and the firewall cannot correlate the relationship between packets
– Filters packets via ACL
Stateful Inspection Technology
• Stateful Inspection FW features:
– Introduces "session" technology; the session connection is the detected object.
– A session is identified via the 5-tuple (source/destination IP and port, IP protocol number)
– A session maintains bidirectional traffic, so a one-way policy can control the access
– For example: TCP
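Added worked example (not from the course material): a minimal packet filter and a minimal stateful firewall in Python, run over three constructed TCP packets. The addresses, ports and rules are assumed for illustration. It shows why the packet filter needs a permit rule in each direction, why that return rule also admits an unsolicited packet, and how the stateful firewall opens one session from the client's SYN under a one-way policy and then admits only packets belonging to that session.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP
    syn: bool = False   # TCP SYN flag (first packet of a connection)

def five_tuple(p: Packet):
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto)

def reverse_tuple(p: Packet):
    # The same session as seen from the other direction.
    return (p.dst_ip, p.src_ip, p.dst_port, p.src_port, p.proto)

def rule_matches(rule, p: Packet) -> bool:
    # rule = (src_net, dst_net, proto, src_port, dst_port); None means "any".
    src_net, dst_net, proto, src_port, dst_port = rule
    return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(dst_net)
            and proto in (None, p.proto)
            and src_port in (None, p.src_port)
            and dst_port in (None, p.dst_port))

class PacketFilter:
    """Stage 1: each packet is judged alone against the ACL, so both
    directions of a connection need their own permit entry."""
    def __init__(self, acl):
        self.acl = acl

    def allow(self, p: Packet) -> bool:
        return any(rule_matches(r, p) for r in self.acl)

class StatefulFirewall:
    """Stage 2: the session is the detected object. Policy is consulted
    only for the packet that opens a session; later packets in either
    direction are matched against the session table."""
    def __init__(self, policy):
        self.policy = policy
        self.sessions = set()   # 5-tuples in the initiating direction

    def allow(self, p: Packet) -> bool:
        if five_tuple(p) in self.sessions or reverse_tuple(p) in self.sessions:
            return True                 # part of an established session
        if p.proto == 6 and not p.syn:
            return False                # a TCP session can only be opened by a SYN
        if any(rule_matches(r, p) for r in self.policy):
            self.sessions.add(five_tuple(p))
            return True
        return False

def demo():
    # Constructed traffic: a LAN client opens an HTTP connection to an
    # Internet server; the server replies; later an unrelated packet from
    # port 80 arrives for a client port that never opened a session.
    client_syn   = Packet("192.168.10.2", "200.0.0.5", 40000, 80, 6, syn=True)
    server_reply = Packet("200.0.0.5", "192.168.10.2", 80, 40000, 6)
    unsolicited  = Packet("200.0.0.5", "192.168.10.2", 80, 40001, 6)

    # Packet filter: outbound rule plus the "all permit" return rule the slide
    # mentions (anything from TCP port 80 back into the LAN).
    pf = PacketFilter([("192.168.10.0/24", "0.0.0.0/0", 6, None, 80),
                       ("0.0.0.0/0", "192.168.10.0/24", 6, 80, None)])
    # Stateful firewall: a single one-way policy is enough.
    sf = StatefulFirewall([("192.168.10.0/24", "0.0.0.0/0", 6, None, 80)])

    results = {}
    for name, fw in (("packet_filter", pf), ("stateful", sf)):
        results[name] = tuple(fw.allow(p) for p in (client_syn, server_reply, unsolicited))
    return results

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Running the block prints `packet_filter (True, True, True)` and `stateful (True, True, False)`: the packet filter's return rule lets the unsolicited packet through because it cannot tell it apart from a genuine reply, while the stateful firewall drops it because no session exists for that 5-tuple.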
Next Generation FW
• DPI technology for application layer detection
• Content identification
• User authentication
• IP 5-tuple + APP ID and User ID
• Detection layers, from bottom to top: IP, Port, APP, User, Content
• Port ≠ Application; IP ≠ User; Packet ≠ Content
The Concept of Firewall
Security Zone
• A Security Zone (Zone for short) is a logical entity for one or multiple interfaces and network segments. It is a main feature that differentiates a FW from a router. Zones divide the network into multiple segments in the FW, and security detection is triggered when packets flow between zones.
• You can apply proper policy rules to zones to make the device control traffic transmission among zones.
• Policies are applied to zones and do not rely on physical interfaces, which makes the policy rules more flexible.
Zone Classification
• Zones are divided into layer 2 zones and layer 3 zones
• Example topology: Trust Zone (192.168.10.0/24, host 192.168.10.2), DMZ Zone (192.168.20.0/24, host 192.168.20.2) and Untrust Zone (interface E0/4, 200.0.0.0/24, connected to the Internet)
Default Zones in System
• Zones are divided into layer 2 zones and layer 3 zones, used in layer 2 / layer 3 network environments.
• There are eight predefined security zones in StoneOS: trust, untrust, dmz, L2-trust, L2-untrust, L2-dmz, VPNHub (VPN function zone) and HA (HA function zone)
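Added worked example (not Hillstone's code, and not from the course material) tying the NGFW slide and the zone slides together: a Python policy lookup that derives the source zone from the ingress interface, the destination zone from a route lookup, the APP ID from payload signatures rather than the port, and the User ID from an authenticated IP-to-user mapping, then matches a zone-pair policy with default deny. The topology uses the course's three subnets and E0/4; the interface names E0/1 and E0/2, the Internet host, the users, the signature table and the rules are assumed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface-to-zone binding and routes. Only E0/4 and the three subnets come
# from the course topology; E0/1, E0/2 and the Internet host are assumed.
INTERFACE_ZONE = {"E0/1": "trust", "E0/2": "dmz", "E0/4": "untrust"}
ROUTES = [("192.168.10.0/24", "E0/1"), ("192.168.20.0/24", "E0/2"),
          ("200.0.0.0/24", "E0/4"), ("0.0.0.0/0", "E0/4")]

# IP-to-user mapping learned from user authentication (constructed).
IP_USER = {"192.168.10.2": "alice", "192.168.10.3": "admin"}

# Application signatures matched on payload, independent of port (constructed
# and simplified; real NGFW signatures are far richer).
APP_SIGNATURES = [(b"GET ", "http"), (b"POST ", "http"),
                  (b"SSH-", "ssh"), (b"\x16\x03", "ssl")]

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    app: Optional[str]      # None = any application
    user: Optional[str]     # None = any user
    action: str             # "permit" or "deny"

def egress_zone(dst_ip: str) -> str:
    """Route lookup (longest prefix) gives the egress interface, and the
    interface binding gives the destination zone."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [(ipaddress.ip_network(net).prefixlen, iface)
                  for net, iface in ROUTES if ip in ipaddress.ip_network(net)]
    _, iface = max(candidates)
    return INTERFACE_ZONE[iface]

def identify_app(payload: bytes) -> str:
    """APP ID from payload signatures: Port != Application."""
    for sig, app in APP_SIGNATURES:
        if payload.startswith(sig):
            return app
    return "unknown"

def lookup(policy, p: Packet):
    """Zone pair + APP ID + User ID; first matching rule wins, default deny."""
    src_zone = INTERFACE_ZONE[p.in_iface]
    dst_zone = egress_zone(p.dst_ip)
    app = identify_app(p.payload)
    user = IP_USER.get(p.src_ip)          # User ID: IP != User
    for r in policy:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.app in (None, app) and r.user in (None, user)):
            return r.action, src_zone, dst_zone, app, user
    return "deny", src_zone, dst_zone, app, user

POLICY = [
    Rule("trust", "untrust", "ssh", "admin", "permit"),   # only admin may SSH out
    Rule("trust", "untrust", "http", None, "permit"),     # any user may browse
    Rule("trust", "dmz", "http", None, "permit"),
]

def demo():
    cases = [
        # alice browsing: http on port 80, permitted
        Packet("E0/1", "192.168.10.2", "200.0.0.5", 80, 6, b"GET / HTTP/1.1\r\n"),
        # SSH carried on port 80 from alice: identified as ssh, not http, so denied
        Packet("E0/1", "192.168.10.2", "200.0.0.5", 80, 6, b"SSH-2.0-OpenSSH_8.9\r\n"),
        # admin SSH on port 22: permitted because of the user identity
        Packet("E0/1", "192.168.10.3", "200.0.0.5", 22, 6, b"SSH-2.0-OpenSSH_8.9\r\n"),
        # DMZ host reaching into trust: no rule for dmz -> trust, default deny
        Packet("E0/2", "192.168.20.2", "192.168.10.2", 80, 6, b"GET / HTTP/1.1\r\n"),
    ]
    return [lookup(POLICY, p) for p in cases]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second case is the one that a port-based rule would get wrong: the port says http but the APP ID says ssh, so the http rule does not match and the ssh rule fails on the user. The fourth case shows the zone model at work: nothing about the packet is unusual, but no policy exists for the dmz-to-trust zone pair, so the default deny applies.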
Hillstone Product Introduction
• Centralized Security Analytics, Management and Operations
• A-Series: Next-Gen Firewall (NGFW)
• E/E-Pro-Series: Next-Gen Firewall (NGFW)
• X-Series: Data Center NGFW
• CloudEdge: Virtual NGFW
• CloudHive: Micro-segmentation Solution
• AX-Series: Application Delivery Controller (ADC)
• I-Series: Server Breach Detection System (sBDS), NTA/NDR
• S-Series: Network Intrusion Prevention System (NIPS)
• W-Series: Web Application Firewall (vWAF)
• NGFW features: Application Control, Sandbox, IPS, Anti-Virus, URL Filtering, IP Reputation, QoS, Botnet C&C Prevention, Anti-Spam