As a world-leading supplier of Huawei networking products, Hong Telecom Equipment Service LTD (HongTelecom) keeps regular stock of Huawei routers, switches and cards at very good prices, and ships worldwide with very fast delivery.
Introduction to the USG9000
At present, the USG9000 can work in three modes: routed mode, transparent mode, and composite mode.
- Routing mode In routing mode, the USG9000 operates at Layer 3 for external connections, and every interface must be assigned an IP address. When the USG9000 sits between the internal network and the external network, the interfaces that connect it to each network must be configured with IP addresses on different network segments, and the network topology must be re-planned. In this case, the USG9000 serves as a router. As shown in Figure 2-1, the USG9000 connects to the internal network through an interface in the Trust zone and to the external network through an interface in the Untrust zone. Note that the interface in the Trust zone and the interface in the Untrust zone reside in two different subnets.
Figure 2-1 Networking in routing mode
When working in routing mode, the USG9000 can perform ACL packet filtering. However, the network topology has to be changed: for example, internal users must change their gateways, and the routing configuration of the routers must be changed.
- Transparent mode In transparent mode, the USG9000 operates at Layer 2 for external connections, and none of its interfaces can be assigned an IP address. In this case, the USG9000 is transparent to users in the subnets and to routers; that is, users are not aware of the USG9000. As shown in Figure 2-2, the USG9000 connects to the internal network through interfaces in the Trust zone and to the external network through interfaces in the Untrust zone. Note that the internal network and the external network must reside in the same subnet.
Figure 2-2 Networking in transparent mode
If the USG9000 works in transparent mode, you do not need to change the network topology: you simply place the USG9000 in the network like a bridge, without modifying any existing configuration. As in routing mode, IP packets are still filtered and checked in transparent mode, so internal users are still protected by the USG9000.
- Composite mode If the USG9000 has both interfaces working in routing mode (with IP addresses) and interfaces working in transparent mode (without IP addresses), it is working in composite mode. Composite mode is used for dual-system hot backup in transparent mode: the interface on which VRRP is enabled needs an IP address, and the other interfaces do not. Figure 2-3 shows a typical networking in composite mode.
Figure 2-3 Networking in composite mode
The master and backup USG9000s connect to the internal network through interfaces in the Trust zone and to the external network through interfaces in the Untrust zone. In addition, the master and backup USG9000s are connected to each other and perform hot standby through VRRP. Note that the internal network and the external network must reside in the same subnet.
With the rapid development of the Internet, more and more enterprises turn to network services to speed up their own development. How to protect confidential data, resources and reputation in an open network environment has become a focus of attention.
At present, common security threats on the Internet fall into the following types:
- Unauthorized use
Resources are used by an unauthorized user (also called an illegal user) or in an unauthorized way. For example, an intruder may guess a combination of username and password to enter a computer system and use its resources illegally.
- Denial of Service (DoS)
The server is prevented from serving legitimate requests from legitimate users. For example, an intruder sends a large number of packets to the server within a short time, so that the server is overloaded and cannot process legitimate tasks.
- Information theft
An intruder does not break into the destination system directly, but intercepts significant data or information on the network.
- Data tampering
An intruder intentionally destroys the consistency of data by modifying, deleting, delaying or reordering system data or a message stream, or by inserting fraudulent messages.
Introduction to Network Security
Classification of Network Security Services
Network security services are the set of security measures taken against the above threats. They fall into the following types:
- Availability service
Ensures that information or services can be accessed when required.
- Confidentiality service
Ensures that sensitive data or information is not disclosed or exposed to an unauthorized entity.
- Integrity service
Ensures that data cannot be changed or destroyed in an unauthorized manner.
- Authentication service
Ensures the legitimacy of an entity's identity.
- Access control service
Specifies the access rights a user has to a controlled resource.
Implementation of Network Security Services
Encryption is the process of translating a readable message into unreadable ciphertext. It not only provides users with communication security but is also the basis of many security mechanisms.
Encryption methods are of three types:
- Symmetric cipher mechanism
The same secret key is used for encryption and decryption. A pair of users shares one key to exchange messages, and the key must be kept private. Examples include Data Encryption Standard (DES) and Triple DES (3DES).
- Public key cipher mechanism
It uses two different keys, separating the process of encryption from that of decryption. One key, the private key, must be stored secretly; the other, the public key, can be distributed publicly. Examples include Diffie-Hellman (DH) and Rivest, Shamir, Adleman (RSA).
- Hash (message digest) mechanism
It compresses a variable-length message into a fixed-length code, the hash or message digest. Examples include Message Digest 5 (MD5) and Secure Hash Algorithm (SHA).
Encryption is applied in the following mechanisms:
- Authentication password design
- Security communication protocol design
- Digital signature design
Authentication verifies the legitimacy of a user's identity before the user accesses the network or obtains services.
Authentication can be provided locally by each device on the network or carried out through a dedicated authentication server. The latter offers better flexibility, controllability and scalability.
Today, in hybrid network environments, Remote Authentication Dial-In User Service (RADIUS), as an open standard, is widely used for authentication services.
Access control is an enhanced authorization method. Generally, it is divided into two types:
- Access control based on an operating system
It authorizes a user to access resources on a certain computer. Access control policies can be set based on user ID, groups or rules.
- Access control based on the network
It authorizes a legitimate user to access the network. Its mechanism is much more complex than operating-system-based access control. Usually, the access control component is placed at an intermediate point (such as a Unified Security Gateway) between a requester and the destination.
Network security protocols play an extremely significant role in network security. The following describes widely used security protocols in terms of the Transmission Control Protocol / Internet Protocol (TCP/IP) layered model:
- Application layer security
It provides end-to-end security from an application on one host to the corresponding application on another host across the network. Application layer security mechanisms depend on the specific application, so there is no general application layer security protocol.
For example, the Secure Shell (SSH) protocol sets up secure remote login sessions and provides secure connection channels for Telnet and FTP services.
- Transport layer security
It provides a process-to-process security service on one host or across multiple hosts. Providing a security service at the transport layer strengthens Inter-Process Communication (IPC). The specific process includes:
- Authentication of entities at both ends
- Exchange of data encryption security keys
For example, Secure Socket Layer (SSL) is built on top of a reliable transport service.
- Network layer security
Security provided at the network layer automatically protects user data even if the upper layers fail to implement security. Therefore, Internet Protocol (IP) security is the basis of the whole of TCP/IP security and the core of Internet security.
At present, the most significant security protocol at the network layer is IP Security (IPSec). IPSec is a generic term for a suite of network security protocols, including security protocols and encryption protocols.
IPSec can provide the communicating parties with the following services:
- Access control
- Connectionless integrity
- Data origin authentication
- Encryption of classified data flows (traffic-flow confidentiality)
- Data link layer security
It provides a point-to-point security service, for example on a point-to-point link or a Frame Relay permanent virtual circuit. Data link layer security is implemented by encrypting and decrypting at each end of the link using dedicated devices.
Introduction to Firewall
In practice, since no single security defense technology can construct a secure network system, multiple technologies should be used together to keep the security hazard to a minimum.
In general, the first step in implementing security defense is to construct a barrier between internal networks and external networks that defends against the large majority of attacks from outside. Like the partition wall used to stop fire spreading through a building, a firewall is a network device used to prevent attacks from external networks.
Firewalls monitor trusted networks (internal networks) and untrusted networks (external networks) and function as the access channel between the two. Firewalls deny unauthorized access by users in external networks to the intranet and allow users in the intranet to access external networks. Firewalls can also function as gateways that control access to the Internet; for example, a firewall can allow only specified hosts in an organization to access the Internet. Many current firewalls deliver other features as well, including identity authentication and security processing of information, such as encryption.
Besides controlling access to the Internet, firewalls can also protect large devices and important resources, such as data, in the intranet. Firewalls filter all access to the protected data, including access by users in the intranet.
A firewall is mainly used for the following purposes:
- Restrict the entry of users or information from a specific, strictly controlled site.
- Prevent intruders from approaching other security defense facilities.
- Restrict the exit of users or information from a specific, strictly controlled site.
Evolution of the Firewall
The First Generation Firewall: Packet-Filtering Firewall
Packet filtering checks each packet at the network layer and then forwards or denies it based on the security policy.
The basic principle of the packet-filtering firewall is that it filters packets through a configured Access Control List (ACL), based on the source and destination IP addresses, the source and destination port numbers, the IP protocol identifier and the packet delivery direction.
With moderate cost and simple design, the first generation firewall can be implemented easily. However, its disadvantages are obvious:
The Second Generation Firewall: Proxy Firewall
The proxy service acts at the application layer. In essence, a proxy takes over the services between internal network users and external network users. The working principle is that the proxy first checks the request from a user; if authentication passes, it establishes a connection with the genuine server and forwards the request, and finally it sends back the response.
The proxy firewall offers higher security: it can completely control the network information exchange and the session process.
However, it has obvious disadvantages:
- Low processing speed, due to software limitations, and vulnerability to DoS attacks
- Difficult to upgrade, since an application proxy must be developed for each protocol
The Third Generation Firewall: Stateful Firewall
Stateful analysis technology is an extension of packet filtering technology (also informally called "dynamic packet filtering"). The basic principle is as follows:
- The stateful firewall uses various state tables to keep track of active Transmission Control Protocol (TCP) sessions and User Datagram Protocol (UDP) pseudo-sessions. The ACL then determines which sessions are allowed to be established. Finally, only packets associated with allowed sessions are forwarded.
A UDP pseudo-session is a session during which a virtual connection is set up to process packets of a UDP-based protocol and to monitor the status of the UDP connection.
- The stateful firewall captures packets at the network layer. It then extracts the state information required by the security policy from the application layer and saves it in dynamic state tables. Finally, it analyzes the state tables together with subsequent connection requests related to the packet to make a proper decision.
The stateful firewall has the following advantages:
- High speed
The firewall records the connection state of a flow while performing the ACL check on its initial packet. No ACL check is required for subsequent packets: the firewall only needs to look up the packet's connection record in the state table, and after the check passes the connection state record is refreshed. In this way, packets belonging to the same connection are not repeatedly checked. Unlike the fixed ordering of an ACL, the records in the connection state table can be arranged arbitrarily, so the firewall can search them quickly using algorithms such as binary trees or hashing, improving the forwarding efficiency of the system.
- Reliable security
The connection state table is managed dynamically. When a session completes, the temporary entry created on the firewall for return packets is closed, ensuring the security of the internal network. Meanwhile, with real-time connection state monitoring, the firewall identifies the connection state from the state factors in the state table, further enhancing system security.
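The following is an added Python model of the packet-filtering ACL and the stateful session table described in this section; it is not Huawei code and not the USG9000's implementation. The ACL match fields, the direction labels, the SYN-only session creation and the 30-second UDP pseudo-session idle timeout are assumptions made for the illustration.

```python
from typing import Dict, List, Tuple

# Constructed model of the ACL-plus-state-table behaviour described above (not Huawei code).
# A packet is (proto, src_ip, src_port, dst_ip, dst_port, direction), the match fields the text lists.
Packet = Tuple[str, str, int, str, int, str]
FlowKey = Tuple[str, str, int, str, int]
Rule = Tuple[str, str, int, str, str]   # (proto, dst_ip, dst_port, direction, action); simplified, first match wins
UDP_IDLE_TIMEOUT = 30.0                 # assumed idle time (s) after which a UDP pseudo-session expires


class StatefulFirewall:
    def __init__(self, acl: List[Rule]) -> None:
        self.acl = acl
        self.table: Dict[FlowKey, float] = {}   # flow -> last-seen time; dict gives hash lookup
        self.acl_checks = 0                     # how often the ACL was actually consulted

    def _acl_permits(self, p: Packet) -> bool:
        self.acl_checks += 1
        proto, _, _, dst, dport, direction = p
        for r_proto, r_dst, r_dport, r_dir, action in self.acl:
            if (r_proto, r_dst, r_dport, r_dir) == (proto, dst, dport, direction):
                return action == "permit"
        return False                            # no matching rule: implicit deny

    def process(self, p: Packet, now: float, tcp_flags: str = "") -> str:
        proto, src, sport, dst, dport, _ = p
        key: FlowKey = (proto, src, sport, dst, dport)
        rev: FlowKey = (proto, dst, dport, src, sport)   # return direction of the same session
        # Expire idle UDP pseudo-sessions so stale return paths do not stay open.
        self.table = {k: t for k, t in self.table.items()
                      if not (k[0] == "udp" and now - t > UDP_IDLE_TIMEOUT)}
        match = key if key in self.table else rev if rev in self.table else None
        if match is None:
            # Session-initiating packet. Model assumption: only a TCP SYN may open a new
            # TCP session; the ACL then decides whether the session may be established.
            if proto == "tcp" and "SYN" not in tcp_flags:
                return "deny"
            if not self._acl_permits(p):
                return "deny"
            self.table[key] = now
            return "permit"
        # Subsequent or return packet of an allowed session: refresh it, skip the ACL.
        self.table[match] = now
        if proto == "tcp" and ("FIN" in tcp_flags or "RST" in tcp_flags):
            del self.table[match]               # session over: close the return entry
        return "permit"
```

Feeding a full outbound TCP exchange through `process` shows the ACL consulted once for the SYN, the SYN/ACK permitted through the reverse entry with no ACL lookup, and the return path denied again once the FIN has closed the entry.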