
Chapter 2 - Firewall System Architecture
HCSA-NGFW 2022

Contents
1 Firewall Concept
2 StoneOS System Architecture
Layer 2 Frame Forwarding
• Transparent bridging:
– MAC learning (by source MAC)
– Forward, flood, and filter (by destination MAC)
– Layer 2 frame forwarding

[Diagram: host 001d.7294.e5f6 attached to port E0/1 and host 001d.097f.9ad8 attached to port E0/2 of the bridge]

MAC Address Table
Destination Address   Port
001d.7294.e5f6        E0/1
001d.097f.9ad8        E0/2
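The learning and forward/flood/filter logic above, as an added example that is not part of the Hillstone slides: the two hosts and ports are the slide's, the third host and the E0/3 port are constructed.

```python
# Added example (not from the Hillstone slides): a minimal transparent bridge that
# learns by source MAC and forwards, floods or filters by destination MAC, using the
# two hosts and ports shown on the slide plus one constructed third host.
BROADCAST = "ffff.ffff.ffff"


class Bridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # destination MAC -> port, populated by MAC learning

    def handle(self, src_mac, dst_mac, ingress):
        """Process one frame; return (decision, list of egress ports)."""
        # MAC learning: remember which port the source MAC was seen on.
        self.mac_table[src_mac] = ingress
        # Flood: unknown or broadcast destination goes out every port but the ingress.
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return "flood", [p for p in self.ports if p != ingress]
        egress = self.mac_table[dst_mac]
        # Filter: destination lives on the ingress segment, so the frame is not forwarded.
        if egress == ingress:
            return "filter", []
        # Forward: known destination on another port goes out that port only.
        return "forward", [egress]


def demo():
    br = Bridge(["E0/1", "E0/2", "E0/3"])
    h1, h2 = "001d.7294.e5f6", "001d.097f.9ad8"  # hosts from the slide
    h3 = "001d.0000.0003"                          # constructed host on the E0/2 segment
    results = [
        br.handle(h1, h2, "E0/1"),         # h2 not yet learned -> flood to E0/2, E0/3
        br.handle(h2, h1, "E0/2"),         # h1 learned on E0/1 -> forward to E0/1
        br.handle(h1, h2, "E0/1"),         # h2 learned on E0/2 -> forward to E0/2
        br.handle(h3, h2, "E0/2"),         # h2 is on the ingress port -> filter
        br.handle(h1, BROADCAST, "E0/1"),  # broadcast -> flood
    ]
    return br.mac_table, results
```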
www.hillstonenet.com
Layer 3 Packet Forwarding
• Forwarding IP packets by destination IP, maintaining a route table
– Static route, Default route, ISP route
– Dynamic route (RIP, OSPF, BGP, IS-IS)
– Policy-based route
[Diagram: firewall with E0/1 10.1.1.1/24 (host 10.1.1.10), E0/2 10.2.2.2/24 (next hop 10.2.2.1/24) and E0/3 10.3.3.2/24 (next hop 10.3.3.1/24); the remote network 10.4.4.1/24 with host 10.4.4.10 is reached through the next-hop routers]

Route Table
Network       Int.   Gateway
10.1.1.0/24   E0/1   0.0.0.0
10.2.2.0/24   E0/2   0.0.0.0
10.4.4.0/24   E0/2   10.2.2.1
10.4.0.0/16   E0/3   10.3.3.1
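Route lookup over the table above, as an added example that is not part of the Hillstone slides. It assumes the usual longest-prefix rule and that a gateway of 0.0.0.0 marks a directly connected network; it also shows how a default route (not in the slide's table) would be matched.

```python
# Added example (not from the Hillstone slides): longest-prefix-match lookup over the
# route table shown on the slide. A gateway of 0.0.0.0 means the network is directly
# connected, so the next hop is the destination itself.
from ipaddress import ip_address, ip_network

# Route table exactly as shown on the slide: (network, interface, gateway)
ROUTE_TABLE = [
    ("10.1.1.0/24", "E0/1", "0.0.0.0"),
    ("10.2.2.0/24", "E0/2", "0.0.0.0"),
    ("10.4.4.0/24", "E0/2", "10.2.2.1"),
    ("10.4.0.0/16", "E0/3", "10.3.3.1"),
]


def route_lookup(dst, table=ROUTE_TABLE):
    """Return (interface, next_hop) for dst, or None when no route matches.

    Among all matching entries the most specific (longest prefix) wins, which is
    why 10.4.4.10 leaves via E0/2 even though 10.4.0.0/16 also covers it.
    """
    addr = ip_address(dst)
    best = None
    for net, iface, gw in table:
        network = ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, gw)
    if best is None:
        return None  # no matched route: the packet is dropped
    network, iface, gw = best
    next_hop = dst if gw == "0.0.0.0" else gw  # connected network: deliver directly
    return iface, next_hop
```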
Firewall Concept
Security Zone

• Security Zone (or simply Zone): a security zone is a collection of one or more interfaces or
network segments. It is the main feature that distinguishes a firewall from a router.

• A firewall uses security zones to divide the network; the security check is triggered only when
traffic flows between security zones.

• You can apply policy rules to zones so that the device controls traffic transmission among zones.
Zones are independent of physical interfaces, which makes security rules more flexible.

Predefined Security Zone
• There are Layer 2 zones and Layer 3 zones: a Layer 2 zone works in Layer 2 mode and a Layer 3 zone
works in Layer 3 mode.

• There are 9 predefined security zones in StoneOS: trust, untrust, dmz, L2-trust, L2-untrust,
L2-dmz, mgt, VPNHub and HA.

• You can also create custom security zones. Predefined and user-defined security zones do not
differ in function, and you can use either as needed.

Working Principle of Firewall

• A firewall is a network security appliance; it protects the network by controlling the traffic flowing into and out of it.

• The basic principle of a firewall is to permit, deny or monitor data traffic according to the configured policy rules by analyzing data packets, which gives it a strong anti-attack capability.

• A firewall also connects networks: it can bridge between trusted areas and untrusted areas.

• Prevent external users from illegally using internal network resources;

• Protect internal network equipment from damage;

• Protect internal sensitive data from being stolen.

StoneOS System Architecture
StoneOS System Architecture
• The system architecture of StoneOS includes the following components:
• Zones
- L2 Zone
- L3 Zone
• Interfaces
• Virtual Switch
• Virtual Router
• Policy

StoneOS Architecture Diagram
[Diagram: StoneOS architecture. Physical interfaces Eth0/0 to Eth0/4 are bound to L2 zones (L2-Zone1, L2-Zone2) or L3 zones (L3-Zone1, L3-Zone2). L2 zones belong to a V-Switch; each V-Switch has a logical interface (vswitchif) that sits in an L3 zone; the L3 zones belong to the V-Router Trust-VR.]

vSwitch and vRouter
• Use a vSwitch to forward L2 traffic and a vRouter to forward L3 traffic;
• Multiple vSwitches and vRouters can be created;
• The multi-VR function is disabled by default: run exec vrouter enable first, then reboot the
system for multi-VR to take effect.

[Diagram: VSwitch1 and VSwitch2 are independent of each other, as are Vrouter1 and Vrouter2; interfaces Eth0/0, Eth0/1, Eth0/3 and Eth0/4 attach beneath them]

Zone, vSwitch and vRouter
Strict hierarchy of interface, zone, vSwitch and vRouter:
• An L2-Zone is bound to a virtual switch.
• An L3-Zone is bound to a virtual router.
• An interface is bound to a security zone.
• An interface can only be bound to one zone.
• A zone is allowed to contain multiple interfaces.
• The interface bound to an L2-Zone is called an L2-interface.
• The interface bound to an L3-Zone is called an L3-interface.
• An L3-interface has its own IP address and management services.

[Diagram: interface -> L2-Zone -> Virtual Switch; interface -> L3-Zone -> Virtual Router]

Stateful Inspection Firewall
A session is established when a packet is sent out (recording source address, source port, destination
address, destination port, connection time, etc.). When the return packet arrives, the firewall looks for an
existing session: if one matches, the packet is permitted; if not, the packet is dropped.

session: id 2, proto 6, flag 0, flag1 8100000, created 702509, life 1794, policy 1,app(FTP) flag 0x0, auth_user_id 0, reverse_auth_user_id 0
flow0(13(ethernet0/1)/40c00a10): 192.168.1.2:64867->100.1.1.1:21
flow1(14(ethernet0/2)/a00a10): 100.1.1.1:21->192.168.1.2:64867
Packet Flow in StoneOS (Lite)

[Diagram: packet-processing pipeline]
• The packet arrives on the ingress interface; the source zone is taken from that interface.
• Session lookup: found a session -> forward to the egress interface.
• No matched session -> DNAT -> route lookup (no matched route -> drop).
• Policy lookup against the policy rules: no matched rule -> drop; rule action deny -> drop; rule action permit -> continue.
• SNAT -> session installation -> forward to the egress interface.
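The stateful-inspection slide and the pipeline above, as an added example that is not part of the Hillstone slides: a toy model of session lookup, route lookup, policy lookup and session installation (NAT stages omitted). The interface-to-zone bindings, routes and policy rules are constructed around the FTP session in the slide's session dump.

```python
# Added example (not from the Hillstone slides): a toy model of the "Packet Flow in
# StoneOS (Lite)" pipeline (NAT stages omitted). Bindings, routes and policy are
# constructed around the FTP session on the stateful-inspection slide.
from ipaddress import ip_address, ip_network

IFACE_ZONE = {"ethernet0/1": "trust", "ethernet0/2": "untrust"}  # constructed: one zone per interface
ROUTES = [("192.168.1.0/24", "ethernet0/1"), ("100.1.1.0/24", "ethernet0/2")]  # constructed
POLICY = [  # constructed: (src zone, dst zone, proto, dst port, action); first match wins
    ("trust", "untrust", 6, 21, "permit"),
    ("trust", "untrust", 6, 23, "deny"),
]


class Firewall:
    def __init__(self):
        self.sessions = {}  # 5-tuple -> session id; both directions are installed

    def route_lookup(self, dst):
        addr = ip_address(dst)
        for net, iface in ROUTES:
            if addr in ip_network(net):
                return iface
        return None  # no matched route

    def policy_lookup(self, src_zone, dst_zone, proto, dport):
        for sz, dz, p, port, action in POLICY:
            if (sz, dz, p, port) == (src_zone, dst_zone, proto, dport):
                return action
        return None  # no matched rule

    def process(self, ingress, proto, src, sport, dst, dport):
        flow = (proto, src, sport, dst, dport)
        # Session lookup: a packet of an existing session (either direction) is forwarded.
        if flow in self.sessions:
            return "forward", self.route_lookup(dst)
        # No matched session: route lookup decides the egress interface (or drop).
        egress = self.route_lookup(dst)
        if egress is None:
            return "drop", "no matched route"
        # Policy lookup by source zone (from ingress) and destination zone (from egress).
        action = self.policy_lookup(IFACE_ZONE[ingress], IFACE_ZONE[egress], proto, dport)
        if action != "permit":
            return "drop", "no matched rule" if action is None else "policy deny"
        # Session installation: flow0 plus the reverse flow1, so the reply is matched.
        sid = len(self.sessions) // 2 + 1
        self.sessions[flow] = sid
        self.sessions[(proto, dst, dport, src, sport)] = sid
        return "forward", egress
```

An unsolicited packet from the untrust side finds no session and no matching rule, so it is dropped even though a route to the internal host exists.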

Packet Flow in StoneOS

Thanks
