Hcie security Day12: supplement the concept of packet filtering and security policy

Packet filtering technology

For packets that need to be forwarded , Get the header information first , Then compare it with the set rules , According to the results of the comparison, the packets are forwarded or discarded . The main technology used is ACL.

State detection mechanism

For only one connection （ A stream ） The first packet of is checked for packet filtering , If the first package passes the inspection , The session table will be established , Subsequent messages are quickly forwarded according to the session table , No longer detected by packet filtering .

Security policy of firewall

According to certain rules （ Packet filtering ） The control device forwards the traffic and integrates the content security of the traffic （ Not only is 5 Tuples detect the legitimacy of messages and analyze the content characteristics of messages to determine whether they are malicious messages such as diseases * Poison, etc ） Detection strategy . It is mainly used to control network mutual access across firewalls or access to the firewall itself .

Firewall security policy principle

[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name p1 
[USG6000V1-policy-security-rule-p1]rule name p2
[USG6000V1-policy-security-rule-p2]rule name p3
[USG6000V1-policy-security]dis this
2022-01-28 15:08:50.000 
#
security-policy
 rule name p1
  (not configure the action)
 rule name p2
  (not configure the action)
 rule name p3
  (not configure the action)
#
return

Filter the traffic passing through the firewall according to the defined rules , And determine how to proceed with the next operation of the filtered traffic according to the keywords .

Firewall inter domain forwarding

Query and create session

The position of the session in the forwarding process

1、 Match the firewall session table according to the five tuples of the message , If the match is successful, carry out state detection , And security checks （ If done IPS Configuration ）, And refresh the session table , Forward the message .

2、 If no match succeeds , Then conduct status detection to determine whether it is the first package , Check whether there is a route with destination address in the routing table , Some words , According to the message Access interface And the message determined in the routing table Exit interface Determine inter domain traffic Direction , Check the corresponding security policy according to the direction of inter domain traffic , If the match , Create a session , Forward , If it doesn't match , Direct discarding .

View session table information

[USG6000V1]dis firewall session table
2022-01-28 15:48:03.600 
 Current Total Sessions : 1
 bootps  VPN: default --> default  192.168.191.1:68 --> 192.168.191.254:67
[USG6000V1]dis firewall session table verbose
2022-01-28 15:48:12.850 
 Current Total Sessions : 1
 bootps  VPN: default --> default  ID: c487f66beef5cf8231561f40fd8
 Zone: trust --> trust  TTL: 00:02:00  Left: 00:00:21
 Recv Interface: GigabitEthernet0/0/0
 Interface: GigabitEthernet0/0/0  NextHop: 192.168.191.254  MAC: 0050-56f6-a752
 <--packets: 2 bytes: 656 --> packets: 1 bytes: 344
 192.168.191.1:68 --> 192.168.191.254:67 PolicyName: ---

current total sessions： Statistics of current session tables

bootp: Name of agreement

VPN:default-->default:VPN Instance name , The expression is ： Source direction --> Goal direction

192.168.191.1：68-->192.168.191.254:67: Session table information

ID: Current session id

zone：trust-->trust: The security zone of the session , The expression is ： Source security area --> Objective safe area

TTL: The total lifetime of the session entry

Left： The remaining lifetime of the session table entry

Output-interface： Exit interface

NextHop： Next jump ip Address

MAC: Next jump MAC Address