Chapter 1 - Network Security Basis
HCSA-NGFW 2022
Contents
1 Evolutionary History of Firewall
2 Hillstone Product Introduction
Evolutionary History of Firewall
Firewall Concept
Network firewalls secure traffic bidirectionally across networks. Although these firewalls are primarily deployed as hardware appliances, clients are increasingly deploying virtual appliance firewalls, cloud-native firewalls from infrastructure as a service (IaaS) providers, and firewall as a service (FWaaS) offerings hosted directly by vendors.
– Gartner
[Figure: a firewall placed between the internal network and the external network (Internet).]
www.hillstonenet.com
Evolutionary History of Firewall
• Stage1 – Packet Filtering (Network Layer)
− Simple ACL
• Stage2 – Stateful Inspection (Session Layer)
− IP connection based
− Use ALG to track the protocol stack; no way to handle encrypted or HTTP based applications
• Stage3 – NGFW (Application Layer)
− Identify application via app signature and app behavior
− Able to control the encrypted apps
− Role based user identification
Packet Filter Firewall
• Features of Packet Filter FW:
− Only checks the packet header: IP address and port
− The detected object is a single packet; a data connection requires a permit policy in both directions, because the firewall cannot correlate related packets
− Filters packets via ACL
[Figure: packet filter between the Internet and the internal network; packet layers shown: IP, TCP, APP.]
Stateful Inspection Technology
• Features of Stateful Inspection FW:
– Introduces "session" technology; the session (connection) is the detected object.
– A session is identified by its 5-tuple (source/destination IP and port, IP protocol number)
– A session covers traffic in both directions, so a one-way policy is enough to control the access
– For example: a Telnet session from PC 10.0.0.11 (source port 1026) to 172.30.0.50 (destination port 23). [Figure: three-way handshake through the firewall: 1 SYN, 2 SYN+ACK, 3 ACK; the session table entry shows protocol TCP, source address 10.0.0.11, destination port 23 and the TCP flag.]
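To make the difference between the packet filter and stateful inspection concrete, here is an added Python model (not Hillstone code and not from the slides). It assumes exact-IP rule matching and uses the Telnet handshake 10.0.0.11:1026 → 172.30.0.50:23 from the figure as traffic; it shows why a stateless ACL needs a second permit rule for the reply while the session table admits the SYN+ACK under one one-way policy.

```python
# Added model (not Hillstone's code): a stateless ACL beside a session table.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"    # IP protocol, the fifth element of the 5-tuple
    flags: str = "SYN"    # TCP flags: "SYN", "SYN+ACK" or "ACK"
    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

    def reverse_tuple(self):
        return (self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)

# Rule = (src_ip, dst_ip, dst_port); "any" is a wildcard. Exact-IP match stands in
# for real prefix matching (assumption made to keep the model short).
def rule_matches(rule, pkt):
    src, dst, port = rule
    return (src in ("any", pkt.src_ip) and dst in ("any", pkt.dst_ip)
            and port in ("any", pkt.dst_port))

def packet_filter(rules, pkt):
    """Stage 1: stateless ACL; every packet is judged on its own header."""
    return any(rule_matches(r, pkt) for r in rules)

class StatefulFirewall:
    """Stage 2: policy checked on the first packet only; later packets in either direction match the session table."""
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # 5-tuples of established sessions, initiator's view

    def inspect(self, pkt):
        if pkt.five_tuple() in self.sessions or pkt.reverse_tuple() in self.sessions:
            return True         # reply or follow-up packet of a known session
        if pkt.flags == "SYN" and packet_filter(self.rules, pkt):
            self.sessions.add(pkt.five_tuple())   # policy hit creates the session
            return True
        return False            # unsolicited packet, or denied by policy

def telnet_example():
    """Handshake from the slide: 10.0.0.11:1026 -> 172.30.0.50:23 (Telnet)."""
    policy = [("10.0.0.11", "172.30.0.50", 23)]   # a single one-way permit rule
    syn = Packet("10.0.0.11", 1026, "172.30.0.50", 23, flags="SYN")
    syn_ack = Packet("172.30.0.50", 23, "10.0.0.11", 1026, flags="SYN+ACK")
    ack = Packet("10.0.0.11", 1026, "172.30.0.50", 23, flags="ACK")
    stateless = [packet_filter(policy, p) for p in (syn, syn_ack, ack)]
    fw = StatefulFirewall(policy)
    stateful = [fw.inspect(p) for p in (syn, syn_ack, ack)]
    return stateless, stateful   # ([True, False, True], [True, True, True])
```

The stateless result drops the SYN+ACK because no rule permits 172.30.0.50 → 10.0.0.11; the stateful firewall accepts it as the reverse direction of the session created by the SYN.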
Next Generation FW
• DPI technology extends detection into the application layer
• Content identification
• User authentication
• IP 5-tuple + APP ID and User ID
[Figure: control dimensions User, APP and Content compared with IP and Port.]
Port ≠ Application
IP ≠ User
Packet ≠ Content
NGFW Concept
NGFW Functions
• VPN: Support IPSec VPN, SSL VPN, L2TP VPN
• HA: Support A/P and A/A mode configuration, session synchronization
• Basic Network: Switch/Route, Session, Policy
• VSYS: Logically divides the physical firewall into several virtual firewalls.
• IPv6: Support IPv6/IPv4 dual stack
• Monitor: Monitor device status, traffic etc.
NGFW Functions
• Application Identification
• APP bandwidth control: based on user, IP, APP, URL etc.
• Monitoring the quality of each link in real-time
• Traffic Quota: Limit and control the allowable flow quota of users/user groups per day or per month.
• Server Load Balancing: Based on weighted hashing, weighted round robin, weighted least connection
• Endpoint Access Monitor
NGFW Functions – Threat Protection
• Attack Defense
• IPS
• AV
• Cloud Sandbox
• Data Security: File/content filter
• Botnet C&C Prevention
• IP Reputation
• Web access control, URL filter
Hillstone Product Introduction
Hillstone’s Product Portfolio
Thanks