Yyds dry inventory hcie security Day12: concept of supplementary package filtering and security policy
2022-07-03 21:20:00 【Xiao Liang L】
Packet filtering technology
For each packet that needs to be forwarded, the firewall first extracts the header information, compares it with the configured rules, and then forwards or discards the packet according to the result of that comparison. The main technology used is the ACL.
Stateful inspection mechanism
Only the first packet of a connection (a flow) is subjected to packet-filtering checks. If the first packet passes the check, a session table entry is created; subsequent packets of the flow are fast-forwarded according to the session table and are no longer inspected by packet filtering.
Firewall security policy
A security policy controls how the device forwards traffic according to rules (packet filtering) and integrates content security detection for that traffic: it not only checks the legitimacy of packets by their 5-tuple, but also analyses the content characteristics of packets to determine whether they are malicious (viruses and the like). It is mainly used to control mutual access across the firewall between networks, or access to the firewall itself.
Firewall security policy principle
```
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name p1
[USG6000V1-policy-security-rule-p1] rule name p2
[USG6000V1-policy-security-rule-p2] rule name p3
[USG6000V1-policy-security] dis this
2022-01-28 15:08:50.000
#
security-policy
 rule name p1 (not configure the action)
 rule name p2 (not configure the action)
 rule name p3 (not configure the action)
#
return
```

The firewall filters the traffic passing through it according to the defined rules, and the action keyword of the matching rule determines what is done next with the filtered traffic.
Firewall inter-domain forwarding

Query and create session

The position of the session in the forwarding process

1. Match the packet's five-tuple against the firewall session table. If there is a hit, perform stateful inspection and the security checks (if IPS is configured), refresh the session table entry, and forward the packet.
2. If there is no hit, perform stateful inspection to determine whether the packet is the first packet of a flow, then check whether the routing table contains a route to the destination address. If it does, the inbound interface of the packet and the outbound interface found in the routing table determine the direction of the inter-zone traffic, and the corresponding security policy is checked according to that direction. If a rule matches, a session is created and the packet is forwarded; if nothing matches, the packet is discarded directly.
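The two-step forwarding flow above, as an added simulation that is not the page's or Huawei's own code. The interface-to-zone mapping, routing table, rule set, the deny default for unmatched traffic, and the `first_packet` flag that stands in for the stateful first-packet check are all assumptions made for the example.

```python
import ipaddress

# Constructed topology (assumed, not from the page): interface -> security zone,
# plus a tiny routing table used for the outbound-interface lookup.
IFACE_ZONE = {"GigabitEthernet0/0/0": "trust", "GigabitEthernet1/0/0": "untrust"}
ROUTES = [(ipaddress.ip_network("192.168.191.0/24"), "GigabitEthernet0/0/0"),
          (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet1/0/0")]
# Constructed security policy, checked top-down like the rule list in `display this`:
# (name, source zone, destination zone, destination port or None for any, action).
RULES = [("p1", "trust", "untrust", 443, "permit"),
         ("p2", "trust", "untrust", None, "deny")]
DEFAULT_ACTION = "deny"   # assumed action for traffic that no rule matches
SESSION_TTL = 120         # seconds, like the 00:02:00 TTL in the session table output

session_table = {}        # five-tuple -> expiry timestamp (simulated clock)

def lookup_route(dst_ip):
    """Longest-prefix match over the constructed routing table."""
    best = None
    for net, iface in ROUTES:
        if ipaddress.ip_address(dst_ip) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

def match_policy(src_zone, dst_zone, dst_port):
    """First matching rule wins; otherwise the default action applies."""
    for name, sz, dz, port, action in RULES:
        if sz == src_zone and dz == dst_zone and port in (None, dst_port):
            return name, action
    return "default", DEFAULT_ACTION

def forward(pkt, in_iface, now, first_packet=True):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port); in_iface = receiving interface;
    now = simulated clock; first_packet models the stateful check (e.g. a TCP SYN).
    Returns (decision, reason) following the two steps described on the page."""
    expiry = session_table.get(pkt)
    if expiry is not None and expiry > now:         # step 1: session table hit
        session_table[pkt] = now + SESSION_TTL      # refresh entry and fast-forward
        return "forward", "session hit"
    if not first_packet:                            # step 2: no session, so it must open a flow
        return "drop", "not the first packet of a flow"
    out_iface = lookup_route(pkt[3])
    if out_iface is None:
        return "drop", "no route"
    name, action = match_policy(IFACE_ZONE[in_iface], IFACE_ZONE[out_iface], pkt[4])
    if action == "permit":
        session_table[pkt] = now + SESSION_TTL      # create the session, then forward
        return "forward", f"rule {name}"
    return "drop", f"rule {name}"
```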
View session table information
```
[USG6000V1] dis firewall session table
2022-01-28 15:48:03.600
 Current Total Sessions : 1
 bootps  VPN: default --> default  192.168.191.1:68 --> 192.168.191.254:67
[USG6000V1] dis firewall session table verbose
2022-01-28 15:48:12.850
 Current Total Sessions : 1
 bootps  VPN: default --> default  ID: c487f66beef5cf8231561f40fd8
 Zone: trust --> trust  TTL: 00:02:00  Left: 00:00:21
 Recv Interface: GigabitEthernet0/0/0
 Interface: GigabitEthernet0/0/0  NextHop: 192.168.191.254  MAC: 0050-56f6-a752
 <--packets: 2 bytes: 656   --> packets: 1 bytes: 344
 192.168.191.1:68 --> 192.168.191.254:67  PolicyName: ---
```
Current Total Sessions: number of entries currently in the session table
bootps: protocol (service) name of the session
VPN: default --> default: VPN instance of the session, written as source VPN instance --> destination VPN instance
192.168.191.1:68 --> 192.168.191.254:67: the session's source address:port --> destination address:port
ID: identifier of the current session
Zone: trust --> trust: security zones of the session, written as source security zone --> destination security zone
TTL: total lifetime of the session entry
Left: remaining lifetime of the session entry
Interface (output interface): outbound interface of the session
NextHop: next-hop IP address
MAC: next-hop MAC address
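A parser for the verbose session table output explained above, added here as an example (not the page's or Huawei's code). The sample input is the page's own `display firewall session table verbose` output re-typed as a constructed string; the field names in the returned dictionaries are the example's own choice.

```python
import re

# Constructed sample: the verbose session output from the page, without the CLI prompt line.
SAMPLE = """\
 Current Total Sessions : 1
 bootps  VPN: default --> default  ID: c487f66beef5cf8231561f40fd8
 Zone: trust --> trust  TTL: 00:02:00  Left: 00:00:21
 Recv Interface: GigabitEthernet0/0/0
 Interface: GigabitEthernet0/0/0  NextHop: 192.168.191.254  MAC: 0050-56f6-a752
 <--packets: 2 bytes: 656   --> packets: 1 bytes: 344
 192.168.191.1:68 --> 192.168.191.254:67  PolicyName: ---
"""

def hms_to_seconds(text):
    """Convert the HH:MM:SS form used by the TTL and Left fields into seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_sessions(output):
    """Return one dict per session entry found in verbose session-table output."""
    sessions, cur = [], None
    for line in output.splitlines():
        m = re.match(r"\s*(\S+)\s+VPN:\s*(\S+) --> (\S+)\s+ID:\s*(\S+)", line)
        if m:                       # first line of an entry: service, VPN instances, ID
            cur = {"service": m.group(1), "vpn": (m.group(2), m.group(3)), "id": m.group(4)}
            sessions.append(cur)
            continue
        if cur is None:             # header lines before the first entry
            continue
        m = re.search(r"Zone:\s*(\S+) --> (\S+)\s+TTL:\s*(\S+)\s+Left:\s*(\S+)", line)
        if m:                       # zone pair and lifetimes
            cur["zone"] = (m.group(1), m.group(2))
            cur["ttl"], cur["left"] = hms_to_seconds(m.group(3)), hms_to_seconds(m.group(4))
            continue
        m = re.search(r"<--packets:\s*(\d+) bytes:\s*(\d+)\s+--> packets:\s*(\d+) bytes:\s*(\d+)", line)
        if m:                       # per-direction counters (<-- reverse, --> forward)
            cur["reverse"] = (int(m.group(1)), int(m.group(2)))
            cur["forward"] = (int(m.group(3)), int(m.group(4)))
            continue
        m = re.search(r"(\S+):(\d+) --> (\S+):(\d+)\s+PolicyName:\s*(\S+)", line)
        if m:                       # endpoints and the rule that created the session
            cur["src"], cur["dst"] = (m.group(1), int(m.group(2))), (m.group(3), int(m.group(4)))
            cur["policy"] = None if m.group(5) == "---" else m.group(5)
    return sessions

def sessions_without_policy(output):
    """IDs of sessions whose PolicyName is ---, i.e. not attributed to a named rule."""
    return [s["id"] for s in parse_sessions(output) if s.get("policy") is None]
```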