- How to Configure a Firewall: Deployment and Advanced Settings
- Understanding Firewall Fundamentals
- What Is a Firewall?
- Interfaces and Security Zones
- Security Policies
- Huawei B315s-22 Manual
- Virtual Server Configuration
- Procedure
- FTP Server Configuration
- Configuring Special Applications
- Procedure
- Example of Configuring a Special Application
How to Configure a Firewall: Deployment and Advanced Settings
This document is a guide for first-time users operating a firewall. After reading it, you will have a preliminary understanding of the firewall configuration process and be able to complete the basic firewall configuration.
- Basic firewall configuration procedures
- Collection of all features
- Focusing on firewall access to the Internet
If you want to learn more about firewall configuration, read this document before reading product documentation.
This document is written based on the USG6000E. For other firewall products, you can also refer to this document.
Understanding Firewall Fundamentals
Before configuring a firewall, familiarize yourself with the basic working mechanism of the firewall.
What Is a Firewall?
A firewall is a network security device that is usually located at the network border. It isolates networks of different security levels and protects one network from attacks and intrusions from another network. This "isolation" is not one-size-fits-all. It is controlled isolation, allowing legitimate traffic to pass through the firewall and forbidding illegal traffic to pass through the firewall.
As shown in Figure 1-1, the firewall is located at the enterprise-to-Internet egress to ensure intranet security. You can specify rules on the firewall to allow PCs on the intranet 10.1.1.0/24 to access the Internet and forbid Internet users to access the intranet host with the IP address 192.168.1.2.
As shown above, firewalls are different from routers and switches. A router is used to connect different networks and ensure interconnection through routing protocols to make sure that packets are forwarded to destinations. A switch is usually used to set up a LAN to serve as an important hub for local area network communications. The switch quickly forwards packets through Layer 2/Layer 3 switching. A firewall is deployed at the network border to control the access to and from the network. Security protection is the core feature of a firewall. The essence of routers and switches is forwarding, and the essence of firewalls is control.
Firewalls control network traffic based on security zones and security policies, which will be described in the following sections.
Interfaces and Security Zones
As mentioned, firewalls are used to isolate networks of different security levels. A firewall identifies different networks by security zone. By assigning firewall interfaces to different security zones, the networks connected to the interfaces are classified into different security levels. Interfaces on the firewall must be added to security zones (except independent management interfaces on some models) to process traffic.
Security zones are designed to reduce network attack surfaces. Once security zones are defined, traffic cannot flow between security zones unless the administrator specifies valid access rules. To be specific, if a subnet is intruded, attackers can access only resources in a security zone corresponding to the subnet. Therefore, it is recommended that security zones be used for refined network partitioning.
Adding an interface to a security zone means that the network connected to the interface is added to the security zone, not the interface itself. Figure 1-2 shows the relationships between the interface, network, and security zone.
Security zones of firewalls are divided into security levels from 1 to 100. A larger number indicates a higher security level. The firewall provides four default security zones: trust, dmz, untrust, and local. Administrators can also customize security zones to implement fine-grained control. For example, an enterprise divides firewall security zones according to Figure 1-3. The intranet interface is added to the trust zone, the extranet interface is added to the untrust zone, and the server interface is added to the DMZ. In addition, a security zone named visitor is defined as a guest zone.
An interface can be added to only one security zone. Multiple interfaces can be added to a security zone.
As shown in the preceding figure, there is a special security zone named local. The maximum security level is 100. local indicates the firewall itself. No interface can be added to the local zone, but all interfaces on the firewall belong to the local zone. It can be considered that packets sent by the firewall originate from the local zone and those received (not forwarded) by the firewall are destined for the local zone.
In addition to physical interfaces, the firewall also supports logical interfaces, such as sub-interfaces, VLANIF interfaces, and tunnel interfaces, which also need to be added to security zones.
Security Policies
As mentioned above, a firewall controls traffic through rules, which are called security policies. Security policies are a basic concept and core function of firewalls. Firewalls provide security management and control capabilities through security policies.
As shown in Figure 1-4, a security policy consists of matching conditions, an action, and a content security profile. You can perform content security detection functions, such as antivirus and intrusion prevention, for allowed traffic.
Each of the preceding matching conditions is optional in a security policy. Configured matching conditions are logically ANDed: traffic matches a security policy only when it matches all conditions configured in that policy. If multiple values are configured in one matching condition, the values are logically ORed: traffic matches the condition as long as it matches any one of the values.
The more specific the matching conditions in a security policy, the more accurately the policy filters traffic. At a minimum, you can use only the 5-tuple (source and destination IP addresses, source and destination ports, and protocol) as matching conditions. To filter more precisely, add further matching conditions, such as application and user identification.
Firewall-based security policies and local security policies
The traffic passing through a firewall, traffic sent by a firewall, and traffic received by a firewall are controlled by security policies. As shown in Figure 1-5, an intranet PC needs to log in to and manage the firewall through Telnet and access the Internet through the firewall. In this case, you need to configure security policies for the two types of traffic.
- Firewall-based security policy: allow the PC to access the Internet.
- Local security policy: allow the PC to telnet to the firewall.
In particular, this section describes local security policies, that is, security policies related to the local zone. In the preceding example, the PC in the Trust zone logs in to the firewall, so a security policy from the Trust zone to the local zone is configured. If the firewall proactively accesses objects in other security zones, for example, when it reports logs to a log server or connects to a security center to update signature databases, you need to configure security policies from the local zone to those security zones. To determine which zones the firewall and the external networks belong to, remember that the firewall itself is in the local zone, and that adding an interface to a security zone places only the network connected to that interface in the zone.
Default security policy and security policy list
The firewall has a default security policy named default, which blocks all interzone traffic by default. The default policy is always at the end of a policy list and cannot be deleted.
By default, user-created security policies are listed from top to bottom in the order of creation, and the newest security policy sits immediately above the default security policy. After receiving traffic, the firewall matches it against the security policies from top to bottom. Once a security policy is matched, the firewall stops matching and processes the traffic according to the action specified in that policy. If none of the manually created security policies matches, the default security policy applies.
Therefore, the order of the security policy list determines whether policies are matched as expected. After creating a security policy, you may need to manually adjust its position in the list.
Example: the IP address of a server on the enterprise network is 10.1.1.1, and users in the office area on the network segment 10.2.1.0/24 are allowed to access the server; security policy policy1 is configured for this. After the network has run for a period of time, two temporary office PCs (10.2.1.1 and 10.2.1.2) must be forbidden to access the server, so a deny policy policy2 is configured.
The newly configured security policy policy2 is located below policy1. Because the address range of policy1 contains the address range of policy2, policy2 can never be matched.
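The following simulator, added here and not Huawei code, models the matching rules described above (ANDed conditions, ORed values, top-down first match, default policy last) and reproduces the policy1/policy2 shadowing case; the zone name "trust" and the service "tcp/80" are assumed.

```python
# Ordered security-policy matching simulator (added example, not Huawei code).
# Conditions inside a policy are ANDed, values inside one condition are ORed,
# and the list is matched top-down with the undeletable default policy last.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    name: str
    action: str                                  # "permit" or "deny"
    src_zones: set = field(default_factory=set)  # empty set = condition not configured
    src_nets: set = field(default_factory=set)
    dst_nets: set = field(default_factory=set)
    services: set = field(default_factory=set)   # e.g. {"tcp/80"}

    def matches(self, src_zone, src_ip, dst_ip, service):
        def in_any(ip, nets):  # values within one condition are ORed
            return any(ip_address(ip) in ip_network(n) for n in nets)
        checks = [(self.src_zones, lambda: src_zone in self.src_zones),
                  (self.src_nets, lambda: in_any(src_ip, self.src_nets)),
                  (self.dst_nets, lambda: in_any(dst_ip, self.dst_nets)),
                  (self.services, lambda: service in self.services)]
        # every configured condition must hold; an unconfigured one matches anything
        return all(not cond or test() for cond, test in checks)

DEFAULT = Policy("default", "deny")  # always at the end of the list

def evaluate(policies, src_zone, src_ip, dst_ip, service):
    """First match wins, top to bottom; returns (policy name, action)."""
    for p in list(policies) + [DEFAULT]:
        if p.matches(src_zone, src_ip, dst_ip, service):
            return p.name, p.action

def covered(nets, by_nets):  # every network in nets lies inside some network in by_nets
    return all(any(ip_network(a).subnet_of(ip_network(b)) for b in by_nets) for a in nets)

def find_shadowed(policies):
    """Policies whose source and destination ranges are fully covered by an earlier
    policy (zones/services ignored for brevity) and so can never be matched."""
    return [p.name for i, p in enumerate(policies)
            if any(covered(p.src_nets, q.src_nets) and covered(p.dst_nets, q.dst_nets)
                   for q in policies[:i])]

# Scenario from the text (zone name "trust" is assumed): policy1 permits the office
# segment to the server 10.1.1.1; policy2 denies the two temporary PCs.
policy1 = Policy("policy1", "permit", {"trust"}, {"10.2.1.0/24"}, {"10.1.1.1/32"})
policy2 = Policy("policy2", "deny", {"trust"}, {"10.2.1.1/32", "10.2.1.2/32"}, {"10.1.1.1/32"})
SHADOWED = [policy1, policy2]   # policy2 created later, so it sits below policy1
CORRECTED = [policy2, policy1]  # policy2 manually moved above policy1
```

Running `find_shadowed` over a policy list before committing a change is the check that catches this misordering without waiting for a blocked PC to report that it still has access.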
Huawei B315s-22 Manual
Virtual Server Configuration
Mobile Broadband supports a virtual server so that external users can use services provided on the local area network (LAN) over HTTP, FTP, and other protocols.
Procedure
- Choose Settings > Security > Virtual Server.
- Click Add and set the parameters.
- Click OK to save the settings.
- Edit: modify an entry.
- Delete: remove an entry.
- Click Apply for the settings to take effect.
FTP Server Configuration
To allow the client with IP address 192.168.8.101 to provide FTP services and to let external users connect to it, do the following:
By default, the FTP service port is 21. If this port is changed (for example, to 8021), an external user must enter ftp://10.2.1.123:8021 to connect to the FTP server.
Configuring Special Applications
Mobile Broadband supports the special applications function for configuring dynamic port forwarding. Certain applications on the LAN must use special firewall ports to connect to remote applications. To set up a TCP/UDP connection between a LAN application and a remote application, the firewall uses the dynamic port forwarding function to open the required port.
Procedure
- Choose Settings > Security > Special Applications.
- Click Add and set the parameters.
- Click OK to save the settings.
- Edit: modify an entry.
- Delete: remove an entry.
- Click Apply for the settings to take effect.
Example of Configuring a Special Application
A LAN client uses TCP to connect to the MSN game server on port 47624. Once the game has started, the game server uses TCP port 2400 to establish a connection back to the client that is trying to join the server. In this case you must configure dynamic port forwarding, because the game conflicts with the following firewall rules:
- The firewall blocks inbound external data.
- The game server can send a connection request to the external IP address of the Huawei B315s-22, but it cannot send a request to the LAN client trying to connect to the game server, because the client's IP address is hidden from external devices.
To solve the problem, a set of forwarding rules must be defined. When a client on the LAN sends data to TCP port 47624, the rules allow inbound data on TCP port 2400. After that, data from the game server can be received and forwarded to the LAN client that sent the data to TCP port 47624.
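The following simulator, added here and not Huawei code, models the dynamic port forwarding rule from this example: an outbound LAN connection to the trigger port TCP/47624 opens inbound TCP/2400 toward that LAN host only, and the opening expires. The LAN host address, the 300-second timeout, and the Gateway/Trigger names are assumptions.

```python
# Port-triggering ("special application") simulator; added example, not Huawei code.
# An outbound LAN connection to the trigger port opens the paired inbound port toward
# that LAN host only, for a limited time; every other inbound packet stays blocked.
from dataclasses import dataclass

@dataclass(frozen=True)
class Trigger:
    name: str
    trigger_proto: str
    trigger_port: int   # outbound destination port that arms the rule
    open_proto: str
    open_port: int      # inbound port opened toward the triggering LAN host

# Rule from the text: outbound TCP/47624 to the game server opens inbound TCP/2400.
RULES = [Trigger("msn-game", "tcp", 47624, "tcp", 2400)]
TIMEOUT = 300  # seconds an opened port stays mapped (assumed value)

class Gateway:
    def __init__(self, rules, now=0):
        self.rules, self.now = rules, now
        self.mappings = {}  # (proto, port) -> (lan_host, expires_at)

    def outbound(self, lan_host, proto, dst_port):
        """A LAN host connects out; if it hits a trigger port, arm the paired inbound port."""
        for r in self.rules:
            if r.trigger_proto == proto and r.trigger_port == dst_port:
                self.mappings[(r.open_proto, r.open_port)] = (lan_host, self.now + TIMEOUT)

    def inbound(self, proto, dst_port):
        """Return the LAN host to forward to, or None if the firewall blocks the packet."""
        entry = self.mappings.get((proto, dst_port))
        if entry is None or entry[1] <= self.now:
            self.mappings.pop((proto, dst_port), None)  # expired mapping is dropped
            return None
        return entry[0]

def scenario(lan_host="192.168.8.101"):
    """Walk through the game example; returns the forwarding decision at each step."""
    gw = Gateway(RULES)
    before = gw.inbound("tcp", 2400)            # nothing triggered yet -> blocked
    gw.outbound(lan_host, "tcp", 47624)         # LAN client connects to the game server
    during = gw.inbound("tcp", 2400)            # game server's connection now forwarded
    other = gw.inbound("tcp", 2401)             # untriggered port is still blocked
    gw.now += TIMEOUT                           # advance the clock past expiry
    after = gw.inbound("tcp", 2400)             # mapping has timed out -> blocked again
    return before, during, other, after
```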