YYDS dry-goods roundup | HCIE Security Day 12: supplementary concepts of packet filtering and security policy
2022-07-03 21:20:00 【Xiao Liang L】
Packet filtering technology
For packets that need to be forwarded, the header information is extracted first and compared with the configured rules; based on the result of the comparison, the packet is forwarded or discarded. The main technology used is the ACL.
Stateful inspection mechanism
Packet filtering is applied only to the first packet of a connection (a flow). If the first packet passes the check, a session table entry is created; subsequent packets are forwarded quickly according to the session table and are no longer subjected to packet-filtering checks.
Security policy of firewall
A security policy controls, according to defined rules (packet filtering), which traffic the device forwards, and integrates content security detection for that traffic: it not only checks the legitimacy of packets by their five-tuple, but also analyses the content characteristics of packets to determine whether they are malicious, such as viruses. It is mainly used to control network access through the firewall between zones and access to the firewall itself.
Firewall security policy principle
[USG6000V1] security-policy
[USG6000V1-policy-security] rule name p1
[USG6000V1-policy-security-rule-p1] rule name p2
[USG6000V1-policy-security-rule-p2] rule name p3
[USG6000V1-policy-security] dis this
2022-01-28 15:08:50.000
#
security-policy
 rule name p1
 (no action configured)
 rule name p2
 (no action configured)
 rule name p3
 (no action configured)
#
return
Traffic passing through the firewall is filtered according to the defined rules, and the keywords of the matching rule (its conditions and its action) determine what happens to the filtered traffic next.
Firewall inter-zone forwarding
Querying and creating sessions
The session's place in the forwarding process
1. The firewall looks up its session table using the five-tuple of the packet. If a match is found, it performs stateful inspection and security checks (if IPS is configured), refreshes the session table entry, and forwards the packet.
2. If no session matches, stateful inspection determines whether the packet is the first packet of a flow. The firewall checks whether the routing table has a route to the destination address; if so, the inter-zone traffic direction is determined from the packet's inbound interface and the outbound interface found in the routing table. The security policy for that inter-zone direction is then checked: if a rule matches, a session is created and the packet is forwarded; if no rule matches, the packet is discarded directly.
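The two-step forwarding flow above, as an added Python model that is not part of the original post and not Huawei's code. It keeps a session table keyed by the five-tuple, sends session hits down the fast path without a policy check, and for a first packet does the route lookup, derives the inter-zone direction from the inbound and outbound interfaces, and evaluates ordered security-policy rules. Interface names, zones, addresses, routes and rule names are constructed for the demonstration, and the default deny when no rule matches is an assumption about USG-style behaviour.

```python
"""Toy model of the stateful forwarding flow described above.
Added example, not Huawei's code. Interface names, zones, addresses,
routes and rule names below are constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str     # interface the packet arrived on
    syn: bool = True  # for tcp: True means this could be the first packet of a flow


@dataclass
class Rule:
    """One security-policy rule: zones + five-tuple conditions + action."""
    name: str
    src_zone: str
    dst_zone: str
    src_net: str            # CIDR, e.g. "192.168.1.0/24"
    dst_net: str
    proto: str              # "any" or a protocol name
    dport: Optional[int]    # None means any destination port
    action: str             # "permit" or "deny"

    def matches(self, pkt: Packet, src_zone: str, dst_zone: str) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class Firewall:
    def __init__(self, iface_zone, routes, rules):
        self.iface_zone = iface_zone  # interface -> security zone
        self.routes = routes          # [(CIDR, out_iface)], longest prefix wins
        self.rules = rules            # ordered list, first match wins
        self.sessions = {}            # forward five-tuple -> session state
        self.log = []

    def _route(self, dst):
        best = None
        for cidr, iface in self.routes:
            net = ip_network(cidr)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Step 1: session-table lookup in both directions. A hit takes the
        # fast path: no route lookup and no security-policy check.
        for k, direction in ((key, "-->"), (rev, "<--")):
            if k in self.sessions:
                self.sessions[k]["packets"] += 1
                self.log.append(f"session hit {direction} via rule {self.sessions[k]['rule']}")
                return "forward"
        # Step 2: no session. Stateful check: a mid-stream TCP segment with no
        # session is not a first packet and is dropped without consulting policy.
        if pkt.proto == "tcp" and not pkt.syn:
            self.log.append("tcp segment without session and without SYN, drop")
            return "drop"
        out_iface = self._route(pkt.dst)
        if out_iface is None:
            self.log.append("no route to destination, drop")
            return "drop"
        # Inbound interface -> source zone, outbound interface -> destination zone;
        # that pair is the inter-zone direction the security policy is looked up for.
        src_zone = self.iface_zone[pkt.in_iface]
        dst_zone = self.iface_zone[out_iface]
        for rule in self.rules:
            if rule.matches(pkt, src_zone, dst_zone):
                if rule.action == "permit":
                    self.sessions[key] = {"rule": rule.name,
                                          "zone": f"{src_zone} --> {dst_zone}",
                                          "packets": 1}
                    self.log.append(f"rule {rule.name} permit, session created")
                    return "forward"
                self.log.append(f"rule {rule.name} deny, drop")
                return "drop"
        # No rule matched: default deny (assumed, as on USG-style firewalls).
        self.log.append("no rule matched, default deny")
        return "drop"


def demo():
    fw = Firewall(
        iface_zone={"GE0/0/1": "trust", "GE0/0/2": "untrust"},
        routes=[("192.168.1.0/24", "GE0/0/1"), ("0.0.0.0/0", "GE0/0/2")],
        rules=[Rule("p1", "trust", "untrust", "192.168.1.0/24", "0.0.0.0/0", "tcp", 443, "permit"),
               Rule("p2", "trust", "untrust", "192.168.1.0/24", "0.0.0.0/0", "any", None, "deny")],
    )
    results = [
        # first packet of a flow, hits p1 -> session created
        fw.forward(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 443, "GE0/0/1")),
        # server reply, no SYN: matched by the reverse five-tuple of the session
        fw.forward(Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 40000, "GE0/0/2", syn=False)),
        # ssh from trust to untrust: p1 does not match, p2 denies
        fw.forward(Packet("tcp", "192.168.1.10", 40001, "203.0.113.5", 22, "GE0/0/1")),
        # unsolicited untrust -> trust: no rule for that direction, default deny
        fw.forward(Packet("tcp", "203.0.113.9", 5555, "192.168.1.10", 80, "GE0/0/2")),
        # mid-stream segment with no session: stateful check drops it
        fw.forward(Packet("tcp", "192.168.1.10", 40002, "203.0.113.5", 443, "GE0/0/1", syn=False)),
    ]
    return results, len(fw.sessions), fw.log


if __name__ == "__main__":
    res, nsess, log = demo()
    for r, line in zip(res, log):
        print(f"{r:8s} {line}")
    print("sessions:", nsess)
```

The second packet is the point of the model: the server's reply carries no SYN and would fail the first-packet check, yet it is forwarded because the reverse five-tuple hits the session created by the first packet. The last packet shows the other side of that rule: a segment with no session and no SYN never reaches the policy lookup.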
View session table information
[USG6000V1] dis firewall session table
2022-01-28 15:48:03.600
 Current Total Sessions : 1
 bootps  VPN: default --> default  192.168.191.1:68 --> 192.168.191.254:67
[USG6000V1] dis firewall session table verbose
2022-01-28 15:48:12.850
 Current Total Sessions : 1
 bootps  VPN: default --> default  ID: c487f66beef5cf8231561f40fd8
 Zone: trust --> trust  TTL: 00:02:00  Left: 00:00:21
 Recv Interface: GigabitEthernet0/0/0
 Interface: GigabitEthernet0/0/0  NextHop: 192.168.191.254  MAC: 0050-56f6-a752
 <--packets: 2 bytes: 656 -->packets: 1 bytes: 344
 192.168.191.1:68 --> 192.168.191.254:67  PolicyName: ---
Current Total Sessions: number of entries currently in the session table
bootps: protocol (service) name of the session
VPN: default --> default: VPN instance names, written as source VPN instance --> destination VPN instance
192.168.191.1:68 --> 192.168.191.254:67: the session's source address:port --> destination address:port
ID: identifier of the current session
Zone: trust --> trust: security zones of the session, written as source zone --> destination zone
TTL: total lifetime of the session entry
Left: remaining lifetime of the session entry
Interface: outbound interface
NextHop: next-hop IP address
MAC: next-hop MAC address
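A parser for the verbose session table output in the shape shown above, as an added Python example that is not part of the original post and not Huawei's code; a defender reviewing sessions on a box needs the fields as data rather than as screen text. The first entry in the embedded sample reproduces the page's bootps session; the second entry is constructed. Treating the `<--` counters as the reply direction and `-->` as the forward direction, and reading `PolicyName: ---` as "no named rule recorded", are assumptions about the output format.

```python
"""Parser for 'display firewall session table verbose' output of the shape
shown above. Added example, not Huawei's code. The first entry reproduces the
page's session; the second is constructed for the demonstration."""
import re

SAMPLE = """\
2022-01-28 15:48:12.850
 Current Total Sessions : 2
 bootps  VPN: default --> default  ID: c487f66beef5cf8231561f40fd8
 Zone: trust --> trust  TTL: 00:02:00  Left: 00:00:21
 Recv Interface: GigabitEthernet0/0/0
 Interface: GigabitEthernet0/0/0  NextHop: 192.168.191.254  MAC: 0050-56f6-a752
 <--packets: 2 bytes: 656 -->packets: 1 bytes: 344
 192.168.191.1:68 --> 192.168.191.254:67  PolicyName: ---
 http  VPN: default --> default  ID: constructed00000000000000002
 Zone: trust --> untrust  TTL: 00:20:00  Left: 00:19:30
 Recv Interface: GigabitEthernet0/0/1
 Interface: GigabitEthernet0/0/2  NextHop: 203.0.113.1  MAC: 0050-56aa-bbcc
 <--packets: 10 bytes: 12000 -->packets: 8 bytes: 1200
 192.168.1.10:40000 --> 203.0.113.5:80  PolicyName: p1
"""


def hms(text):
    """'00:02:00' -> 120 seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_session_table(text):
    """Return one dict per session entry; fields mirror the display output."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+VPN:\s*(\S+)\s*-->\s*(\S+)\s+ID:\s*(\S+)", line)
        if m:  # header line starts a new session entry
            cur = {"proto": m[1], "vpn": (m[2], m[3]), "id": m[4]}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        if m := re.search(r"Zone:\s*(\S+)\s*-->\s*(\S+)\s+TTL:\s*(\S+)\s+Left:\s*(\S+)", line):
            cur.update(zone=(m[1], m[2]), ttl=hms(m[3]), left=hms(m[4]))
        elif m := re.match(r"\s*Recv Interface:\s*(\S+)", line):
            cur["in_iface"] = m[1]
        elif m := re.match(r"\s*Interface:\s*(\S+)\s+NextHop:\s*(\S+)\s+MAC:\s*(\S+)", line):
            cur.update(out_iface=m[1], nexthop=m[2], mac=m[3])
        elif m := re.search(r"<--packets:\s*(\d+)\s+bytes:\s*(\d+)\s+-->packets:\s*(\d+)\s+bytes:\s*(\d+)", line):
            # assumption: '<--' counts the reply direction, '-->' the forward direction
            cur.update(reply_packets=int(m[1]), reply_bytes=int(m[2]),
                       fwd_packets=int(m[3]), fwd_bytes=int(m[4]))
        elif m := re.match(r"\s*(\S+):(\d+)\s*-->\s*(\S+):(\d+)\s+PolicyName:\s*(\S+)", line):
            cur.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]), policy=m[5])
    return sessions


def unattributed(sessions):
    """Sessions whose PolicyName is '---' (assumed: no named rule recorded)."""
    return [s for s in sessions if s.get("policy") == "---"]


def about_to_expire(sessions, fraction=0.25):
    """Sessions with less than `fraction` of their TTL remaining."""
    return [s for s in sessions if s["left"] < s["ttl"] * fraction]


if __name__ == "__main__":
    for s in parse_session_table(SAMPLE):
        print(s["proto"], s["zone"], f'{s["src"]}:{s["sport"]} --> {s["dst"]}:{s["dport"]}',
              "policy", s["policy"], "left", s["left"], "of", s["ttl"], "s")
```

The two filters at the end are the kind of question the raw display cannot answer directly: which sessions exist without a named rule behind them, and which are about to age out.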