Firewall, NAT, IDS (Intrusion Detection System)

1. Summary

1. How does the firewall handle multi-channel (dual-channel) protocols?

Multi-channel protocol: the control process and the transmission (data) process are separated, that is, the protocol and port used by the control connection differ from those used by the data connection. Examples: FTP, RTSP, DNS, QQ, WeChat.
**Solution:** use ASPF to capture and analyse the control packets of the multi-channel protocol and extract the network parameters (addresses and ports) that the data connection will use; in every multi-channel protocol these parameters are negotiated in the control-channel messages. Flow: ASPF parses the special control-channel message, works out the coming data connection, generates a server-map table entry and permits the first data-channel packet; once that packet matches the server-map table, a session table entry is created, and subsequent data-channel packets match the session table.

ASPF: application-layer packet filtering, also called state-based packet filtering. ASPF automatically detects the application-layer information of certain packets and opens the corresponding access rules according to that information. With ASPF enabled, the firewall extracts the address and port information carried in the application-layer payload of the protocol message and automatically generates the corresponding server-map table, which permits the subsequent packets that establish the data channel. This is equivalent to automatically creating a fine-grained "security policy".

2. How does the firewall handle NAT?

Ordinary NAT translates the IP address in the IP header and the port in the TCP or UDP header, but it cannot touch fields inside the application-layer payload. In many application-layer protocols the TCP/UDP payload itself carries address or port information, and plain NAT cannot translate that content.

How the defect of ordinary NAT is solved:
NAT ALG (Application Level Gateway) technology analyses the application-layer message of a multi-channel protocol and performs address translation on it: the IP addresses and ports, or other fields that need special handling, carried in the payload are translated accordingly, so that application-layer communication stays correct.

For example, an FTP session consists of a control connection and a data connection, and the establishment of the data connection is determined dynamically by the address and port fields carried in the payload of the control connection. ALG must translate those payload fields so that the subsequent data connection can be established correctly.
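The following Python script is an added illustration of the ASPF and ALG behaviour described in questions 1 and 2; it is not code from the original article or from any firewall vendor. It models an FTP server at a constructed private address 10.1.3.10 published through a constructed NAT server mapping to 100.1.2.10, with an external client at 100.1.1.5: the firewall parses the server's PASV reply, rewrites the address inside the payload (ALG), opens a server-map entry for the announced data port (ASPF), and lets the first data-channel packet create a session entry while unrelated packets are dropped. The addresses, class and field names and the simplified matching keys are assumptions made for the example; a real firewall keys its tables on more fields and ages entries out.

```python
"""Added example: simulated ASPF (server-map) and NAT ALG handling of FTP passive mode.

Constructed topology (assumption, not from the article):
  external client 100.1.1.5 -> firewall nat server 100.1.2.10 -> DMZ FTP server 10.1.3.10
"""
import re
from dataclasses import dataclass, field

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and captures the six numbers.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


def parse_pasv(payload: str):
    """Return (ip, port) announced in a PASV reply, or None if the payload is not one."""
    m = PASV_RE.search(payload)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_pasv(ip: str, port: int) -> str:
    """Rebuild a PASV reply carrying the given address and port."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (ip.replace(".", ","), port // 256, port % 256)


@dataclass
class Firewall:
    # nat server mapping: private server address -> public address (constructed)
    nat_server: dict = field(default_factory=dict)
    # server-map opened by ASPF: (public_ip, port) -> (private_ip, port)
    server_map: dict = field(default_factory=dict)
    # session table: (src, sport, dst, dport) as seen on arrival -> translated destination
    sessions: dict = field(default_factory=dict)

    def inspect_control(self, pkt: Packet) -> Packet:
        """ASPF + ALG on a control-channel packet leaving the server.

        If the packet is a PASV reply, open a server-map entry for the announced
        data port (ASPF) and rewrite the private address in the payload to the
        public one (ALG). Other packets pass through unchanged.
        """
        announced = parse_pasv(pkt.payload)
        if announced is None:
            return pkt
        private_ip, port = announced
        public_ip = self.nat_server.get(private_ip)
        if public_ip is None:
            # Server is not behind a nat server mapping: open the map as announced.
            self.server_map[(private_ip, port)] = (private_ip, port)
            return pkt
        self.server_map[(public_ip, port)] = (private_ip, port)
        return Packet(pkt.src, pkt.sport, pkt.dst, pkt.dport, build_pasv(public_ip, port))

    def forward_data(self, pkt: Packet):
        """Decide the fate of a packet arriving from the client side.

        Returns (verdict, packet as forwarded) or ("drop", None).
        """
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            verdict, (inside_ip, inside_port) = "permit:session", self.sessions[key]
        elif (pkt.dst, pkt.dport) in self.server_map:
            inside_ip, inside_port = self.server_map[(pkt.dst, pkt.dport)]
            self.sessions[key] = (inside_ip, inside_port)   # first data packet creates the session
            verdict = "permit:server-map"
        else:
            return "drop", None
        return verdict, Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.payload)


def demo():
    fw = Firewall(nat_server={"10.1.3.10": "100.1.2.10"})
    # Server's PASV reply on the control channel, announcing its private address (constructed).
    reply = Packet("10.1.3.10", 21, "100.1.1.5", 40000,
                   "227 Entering Passive Mode (10,1,3,10,19,136)\r\n")
    rewritten = fw.inspect_control(reply)
    # The client opens the data connection to the address it was told.
    data_ip, data_port = parse_pasv(rewritten.payload)
    first = fw.forward_data(Packet("100.1.1.5", 50000, data_ip, data_port))
    second = fw.forward_data(Packet("100.1.1.5", 50000, data_ip, data_port))
    stray = fw.forward_data(Packet("100.1.1.5", 50001, data_ip, data_port + 1))
    return rewritten.payload, first, second, stray


if __name__ == "__main__":
    for item in demo():
        print(item)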

3. Which NAT technologies are supported by the firewall, and what are the main application scenarios?

1. Source NAT: intranet hosts access external-network hosts.
2. NAT server: external-network hosts access a server on the internal network.
3. Inter-domain bidirectional NAT: generally used when the internal-network server has no route to the external network.
Note:
NAT policy: be clear about the source and destination addresses of the packet before translation and after translation.
Security policy: be clear about which addresses must be permitted, considering the packet as it looks before NAT is applied as well as once NAT is complete.
4. Intra-domain bidirectional NAT:
An intranet user sends a request to the intranet server's public address, but the server replies from its private address. The user is waiting for a reply from the server's public address; the address in the reply is different, so the reply packet is discarded. This happens when the outbound path goes through the firewall while the return path goes directly through the intranet.
When an intranet PC accesses an intranet server through the public address, intra-domain NAT translation is needed:
Server reply packet arriving at the firewall: source IP = server private IP, destination IP = public IP
After NAT on the firewall: source IP = server public IP, destination IP = client private IP
5. Dual-egress NAT:

When the egress connects to two operators, there are two structures: active/standby and load sharing. Traffic to different servers has to take different routes. The problem is that a packet may go out over the first operator's link, but if policy is not handled the return traffic may be diverted to the second link; because the two operators' routes differ, the IP address translated on the return path will also be different.
In this situation intra-domain dual-egress NAT must be configured, namely two NAT policies; otherwise NAT translation becomes confused across the two egresses.
Solution:
Enable the firewall's multi-egress options; gateway, default route and source-in source-out routing control must all be enabled. This applies whether the multiple egresses are in one security zone or in several.

4. When an intranet PC accesses an intranet server through public domain-name resolution, what problems arise and how are they solved? Please explain in detail

When the client uses the public IP to access the server (the source address is the client's intranet address), the server replies directly to the client's intranet address through the intranet route. The reply packet the client receives therefore comes from the server's intranet IP, whereas the client sent its request to the public IP, so the reply does not match and the packet is dropped. The problem to solve is that the server returns packets using its intranet IP address.

Solve the problem with intra-domain bidirectional NAT:
Change the source address of the original request to a public IP address and the destination address from the public IP to the server's intranet address. The server then sees the public IP as the source of the request, so its reply is sent to the public IP address and passes back through the firewall, and the intranet client no longer discards the reply.
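As an added example (not code from the original article or from any firewall product), the following Python simulation walks through the request and reply described above, once without and once with intra-domain bidirectional NAT. All addresses are constructed: client 10.1.2.5, server private address 10.1.3.10, server public address 100.1.2.10, and the firewall's public address 100.1.2.1 used as the intra-domain source NAT address. Ports are ignored so that the reverse translation is a simple lookup in the session record.

```python
"""Added example: why an intranet client's access to an intranet server via the
public address fails, and how intra-domain bidirectional NAT fixes it.

All addresses are constructed for this example (not from the article):
  client 10.1.2.5 (trust) -> server public 100.1.2.10 -> server private 10.1.3.10
  firewall public address 100.1.2.1, used as the intra-domain source NAT address
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


CLIENT = "10.1.2.5"
SERVER_PRIVATE = "10.1.3.10"
SERVER_PUBLIC = "100.1.2.10"
FW_PUBLIC = "100.1.2.1"
NAT_SERVER = {SERVER_PUBLIC: SERVER_PRIVATE}   # nat server mapping (constructed)


def firewall_forward_request(pkt: Packet, intra_domain_nat: bool):
    """Translate the client's request on its way to the server.

    Destination NAT always applies (nat server mapping). With intra-domain
    bidirectional NAT the source is rewritten as well. Returns the packet the
    server receives plus the session record the firewall keeps for the reply.
    """
    dst = NAT_SERVER.get(pkt.dst, pkt.dst)
    src = FW_PUBLIC if intra_domain_nat else pkt.src
    session = {"orig_src": pkt.src, "orig_dst": pkt.dst, "nat_src": src}
    return Packet(src, dst), session


def server_reply(request: Packet) -> Packet:
    """The server simply answers whoever the request appeared to come from."""
    return Packet(request.dst, request.src)


def deliver_reply(reply: Packet, session: dict) -> Packet:
    """Return the reply as it reaches the client.

    A reply addressed to the firewall's own address is routed back through the
    firewall, which undoes both translations using the session record. A reply
    addressed directly to the client's private address takes the intranet
    route and never touches the firewall.
    """
    if reply.dst == session["nat_src"] and reply.dst != session["orig_src"]:
        return Packet(session["orig_dst"], session["orig_src"])
    return reply


def simulate(intra_domain_nat: bool):
    """Run one request/reply and report whether the client accepts the reply."""
    request = Packet(CLIENT, SERVER_PUBLIC)
    at_server, session = firewall_forward_request(request, intra_domain_nat)
    seen_by_client = deliver_reply(server_reply(at_server), session)
    # The client accepts only a reply from the address it sent the request to.
    accepted = seen_by_client.src == request.dst and seen_by_client.dst == CLIENT
    return seen_by_client, accepted


if __name__ == "__main__":
    print("without intra-domain NAT:", simulate(False))
    print("with intra-domain NAT:   ", simulate(True))
```

Without intra-domain NAT the client receives a reply from 10.1.3.10 while it is waiting for 100.1.2.10 and discards it; with intra-domain NAT the reply is addressed to the firewall, translated back, and arrives from 100.1.2.10 as expected.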

5. What problems occur when the firewall uses VRRP for dual-system hot standby, and how are they solved? Please describe in detail

1. The cause is the first-packet mechanism. When the first packet passes through the active firewall, a session table entry is generated. When the active firewall goes down, traffic switches to the standby firewall; but the standby firewall has no session table entry created by that first packet, so the subsequent packets of the session cannot match a session and the session cannot continue through the standby firewall.

Fundamental problem: the session tables of the active and standby devices are not built at the same time and there is no synchronisation, so outbound and returning packets cannot find their egress or ingress.

Solution:

1. Use HRP (Huawei Hot Backup Protocol) to solve the synchronisation problem: back up the active device's dynamic data and key commands to the standby so that both share the same state, which avoids the first-packet problem.
2. Use VGMP to solve the problem of coordinated action: it manages the VRRP groups in a unified way and supports preemption.
3. Turn off the state detection mechanism, so that a non-first packet can also create a session table entry.
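To make the first-packet problem concrete, here is an added Python simulation (not code from the original article and not Huawei's HRP implementation) of two stateful firewalls. The client's first packet builds a session on the active device; after a failover the standby device sees only later packets. The three outcomes the text describes are reproduced: no synchronisation (later packets dropped), HRP-style session backup (permitted), and state detection switched off (permitted without a session). The addresses, the session key and the `first` flag standing in for a TCP SYN are constructed assumptions.

```python
"""Added example: the first-packet problem in dual-system hot standby.

Two simulated stateful firewalls. A session is created on the active device by
the first packet of a flow; after failover the standby device only sees later
packets. Addresses and the session key are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    first: bool   # True for a flow's first packet (e.g. TCP SYN)


@dataclass
class Firewall:
    name: str
    state_check: bool = True                 # stateful inspection on/off
    hrp_sync: bool = False                   # back up new sessions to the peer
    peer: Optional["Firewall"] = None        # HRP peer device
    sessions: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:
            return "permit"
        if pkt.first or not self.state_check:
            self.sessions.add(key)
            if self.hrp_sync and self.peer is not None:
                self.peer.sessions.add(key)   # HRP backs up the new session
            return "permit"
        return "drop"   # non-first packet with no session: stateful check fails


def run_failover(hrp_sync: bool, state_check: bool = True):
    """Send the first packet through the active device, fail over, send the next."""
    active = Firewall("active", state_check=state_check, hrp_sync=hrp_sync)
    standby = Firewall("standby", state_check=state_check)
    active.peer = standby
    flow = ("10.1.2.5", 40000, "100.1.2.99", 80)   # constructed client -> external server
    before = active.handle(Packet(*flow, first=True))
    # Active goes down; VGMP/VRRP hands the virtual gateway to the standby,
    # so the next packet of the same flow arrives at the standby device.
    after = standby.handle(Packet(*flow, first=False))
    return before, after


if __name__ == "__main__":
    print("no sync:         ", run_failover(hrp_sync=False))
    print("HRP sync:        ", run_failover(hrp_sync=True))
    print("state check off: ", run_failover(hrp_sync=False, state_check=False))
```

Note that option 3 (disabling state detection) makes the standby accept any packet as a session start, which is why session backup via HRP is the preferred fix and the state-check switch is a fallback.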

6. Which interface modes are supported by the firewall, and in which scenarios are they generally used?

  • Route mode (the interface has an IP address)

    • The firewall interface participates in the network as a Layer 3 routed interface.
    • The firewall sits between the internal network and the external network; the interfaces connecting the firewall to the internal network, external network and DMZ must be configured with IP addresses on different network segments. The firewall is then equivalent to a router. (ACL packet filtering, ASPF dynamic filtering, NAT and other functions can all be performed in route mode.)

  • Switched (transparent) mode (the interface has no IP address)

    • The firewall interface participates in the network as a Layer 2 switching interface.
    • In transparent mode the firewall is transparent to subnet users and routers. This mode has no impact on security and the device functions as a switch; NAT cannot be performed in this mode, and the firewall cannot act as a VPN server.

  • Interface pair mode (no MAC address table lookup)

    • Interface pair mode is a special Layer 2 mode in which interfaces appear in pairs. Data forwarded between the two interfaces of a pair does not go through Layer 2 MAC address lookup; the pair forwards like a network cable, so forwarding is fast.

    Configuration steps:
    (1) Set the interface as an interface pair
    (2) Set both interfaces to interface pair mode
    (3) Add the two interfaces to the interface pair

    • Different ingress and egress ports: once two interfaces of the same type form an interface pair, traffic entering one interface is always forwarded out of the other, without consulting the routing table or the MAC address table.
    • Same ingress and egress port: if the ingress and egress interfaces are configured as the same interface, packets entering this interface are still forwarded out of the same interface after the device has processed them.

  • Bypass mode

    • An interface in bypass mode is also a Layer 2 switching interface. It is generally used to receive mirrored traffic, with the device observing the network like a host: the port-mirroring function of the neighbouring device copies the traffic and sends it to the bypass interface. In this scenario the firewall can perform tasks such as IPS, auditing and traffic analysis, but with limited functions.

7. What is IDS?

IDS (Intrusion Detection System): monitors the running state of a system and discovers attack attempts, attack behaviour and attack results, in order to guarantee the security (confidentiality, integrity, availability) of system resources.

Functions:

  • Identify the intruder
  • Identify intrusions
  • Detect and monitor successful intrusions
  • Provide information and evidence for responding to intrusions and prevent the situation from escalating

8. What is the difference between IDS and firewall?

The device locations are different
A firewall is a defence system between the internal network and the external network
An IDS is a bypass monitoring device: it does not need to be inserted in any link, and traffic does not have to pass through it

The roles are different
A firewall only filters the data passing through it and cannot perform other operations
Intrusion detection (IDS) is a powerful supplement to the firewall, forming a closed loop of defence; it can detect intrusions in a timely, correct and comprehensive manner and makes up for the firewall's lack of application-layer inspection

The actions are different
A firewall can allow some internal hosts to be accessed from the outside
An IDS can only monitor and analyse user and system activity and behaviour

9. How does IDS work?

IDS is divided into real-time intrusion detection and post-event intrusion detection:
Real-time intrusion detection: performed while the network connection is in progress; as soon as any sign of intrusion is found the current connection is cut off immediately, evidence is collected and data recovery is carried out.
Post-event intrusion detection: performed by security personnel after the fact.

Classification of intrusion detection:
Network-based: captures packets at points connected to the network and analyses them for known attack patterns.
Host-based: discovers suspicious activity, such as memory and file changes, by analysing system audit data; its input comes only from system logs.

Intrusion detection technical approach:
Information collection: abnormal changes in system logs, directories and files, abnormal behaviour during program execution, and physical evidence of intrusion.
Data analysis

10. What are the main detection methods of IDS? Describe them in detail

Anomaly detection (behaviour-based): an anomaly-based IDS records a profile of a normal host's activity; when an event occurs outside this profile it is considered abnormal and the IDS raises an alert.
Signature detection (comparison-based): an event is matched against known attack signatures. The core of the IDS is its signature library; signatures describe the characteristics of network intrusion behaviour, and intrusions are detected by comparing packet characteristics with the signatures.

Anomaly detection
First summarise the characteristics that normal operations should have (user profiles). When user activity deviates significantly from normal behaviour, it is considered an intrusion.

Misuse detection
Collect the behavioural characteristics of abnormal operations and build a corresponding signature library. When the detected user or system behaviour matches a record in the library, the system considers this behaviour an intrusion. The misuse detection model is also called signature-based detection.

11. What are the deployment methods of IDS?

Bypass: uses the port-mirroring function of the device the IDS hangs off to mirror the traffic of the port to be monitored to the IDS bypass port. Traffic duplication can also be achieved with hubs or optical splitters. (Even an IPS can be deployed in bypass mode.)

  • In-line: connected directly in series in the live network, which allows real-time protection against attacks. The disadvantage is that the network has to be interrupted during deployment and the number of points of failure increases.
  • One-arm: hangs off the switch without changing the existing network. The disadvantages are that all traffic passes through a single interface, so processing performance is halved, and BYPASS is not supported.
  • Bypass: deployed via traffic mirroring without changing the existing network. The disadvantage is that it can only detect, not defend.

12. What does the IDS signature mean? What does the signature filter do?

The IPS signature database contains a large number of signatures for all kinds of attack behaviour. In a real network, however, the service types may be fairly limited and not all signatures are needed; a large number of unused signatures can also interfere with tuning the signatures that are actually used. A signature filter can then be used to pick out the signatures that are actually needed.

**IDS signature:** an intrusion prevention signature describes the characteristics of attack behaviour in the network; attacks are detected and prevented by comparing the data flow with the intrusion prevention signatures.

A signature filter is a collection of signatures. According to conditions such as severity, protocol and threat type, the signatures from the IPS signature database that apply to the current business are filtered into the signature filter, so that attention can be focused on the defensive effect of those signatures. Usually the filtered signatures keep their own default actions inside the signature filter; in special cases a new action can be set uniformly for all signatures in the filter, which is convenient to operate.

Role of the signature filter: over the long-term operation of the device a large number of signatures accumulate and must be classified; those with no value are filtered out by the filter, which acts as a sieve.

Signature filter actions:

  • Block: discard the packet that hits the signature and record a log
  • Alert: allow the packet that hits the signature, but record a log
  • Default: adopt the signature's own default action; the actual action is whatever the signature's default action is

The action of the signature filter has higher priority than the signature's default action: when the filter action is not "default", the action in the signature filter prevails.
Exception signature function:
Because a signature filter selects signatures in batches, a single uniform action is usually set for them for ease of management. If the administrator needs certain signatures to use an action different from the filter's, those signatures can be added as exception signatures and have their actions configured individually.

The actions of an exception signature are:

  • Block: discard packets that hit the signature and record a log
  • Alert: allow packets that hit the signature, but record a log
  • Allow: allow packets that hit the signature without recording a log
  • Add to blacklist: discard packets that hit the signature, block the data flow they belong to, record a log, and add the source or destination address of the packets to the blacklist
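The precedence rules above (exception signature over filter action over signature default, with "default" in the filter meaning the signature's own action) are easy to get wrong when reading a configuration, so here is an added Python model of them. It is not the article's code and not any vendor's implementation; the signature IDs, severities, protocols and threat types are constructed sample values, and treating an exception signature's action as applying even when the filter would not select that signature is a modelling assumption.

```python
"""Added example: resolving the action applied to an IPS signature.

Precedence: exception signature > signature filter action (unless "default")
> signature default action. Signatures the filter does not select are not
applied at all. All sample values are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    sig_id: int
    severity: str        # "high", "medium", "low"
    protocol: str        # "HTTP", "FTP", ...
    threat_type: str
    default_action: str  # "block" or "alert"


@dataclass
class SignatureFilter:
    severities: set
    protocols: set
    action: str = "default"    # "default", "block" or "alert"

    def selects(self, sig: Signature) -> bool:
        """Filter conditions: severity and protocol (threat type omitted for brevity)."""
        return sig.severity in self.severities and sig.protocol in self.protocols


# What each action does to a packet that hits the signature.
ACTION_EFFECT = {
    "block":     {"forward": False, "log": True,  "blacklist": False},
    "alert":     {"forward": True,  "log": True,  "blacklist": False},
    "allow":     {"forward": True,  "log": False, "blacklist": False},
    "blacklist": {"forward": False, "log": True,  "blacklist": True},
}


def resolve_action(sig: Signature, flt: SignatureFilter, exceptions: dict) -> Optional[str]:
    """Return the action name for sig, or None if sig is not in use."""
    if sig.sig_id in exceptions:            # exception signature wins outright
        return exceptions[sig.sig_id]
    if not flt.selects(sig):
        return None                         # not selected by the filter: not applied
    if flt.action != "default":
        return flt.action                   # filter action overrides the default
    return sig.default_action               # filter says "default": use the signature's own


def handle_hit(sig: Signature, flt: SignatureFilter, exceptions: dict):
    """Effect on a packet that hits sig, or None if sig is not in use."""
    action = resolve_action(sig, flt, exceptions)
    return None if action is None else ACTION_EFFECT[action]


# Constructed sample signatures (IDs and fields are not from any real database).
SIGNATURES = [
    Signature(1001, "high", "HTTP", "web-attack", "block"),
    Signature(1002, "low", "HTTP", "scan", "alert"),
    Signature(1003, "high", "FTP", "buffer-overflow", "block"),
]


def demo():
    """Filter high-severity HTTP signatures, keep defaults, blacklist one as an exception."""
    flt = SignatureFilter(severities={"high"}, protocols={"HTTP"})
    exceptions = {1001: "blacklist"}
    return {s.sig_id: resolve_action(s, flt, exceptions) for s in SIGNATURES}


if __name__ == "__main__":
    print(demo())
```

In the demo, signature 1001 is selected by the filter but its exception entry turns it into "blacklist", 1002 is excluded by the severity condition and 1003 by the protocol condition; changing the filter action to "alert" would downgrade every selected signature without an exception, which is the uniform override the text describes.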

2. NAT practice

1. Configure the IP address, mask and gateway for the devices in the three zones according to the topology, and configure the corresponding firewall interfaces.

2. First practise the source NAT configuration.

After configuring NAT you still need to write a security policy that permits traffic from the trust zone to the untrust zone, because the NAT policy and the security policy are two different kinds of policy; with only a NAT policy the traffic is still blocked.
Now the PC in the trust zone can access the devices in the untrust zone.

Capture the traffic of PC1 on the firewall's untrust-side interface and you will see that the address translation has been done.

3. Complete the server mapping in the DMZ zone.

When writing the security policy, note that the source address should be any and the destination address should be the server's private address.

After the configuration is complete, test from the client in the untrust zone.

4. Assume the DMZ zone can only be accessed by internal addresses, but now the devices in the untrust zone need to access the DMZ zone.

Since the security policy was configured earlier, no new security policy is needed now.

Packet capture shows that both the source address and the destination address have been translated.

5. Intra-domain bidirectional NAT

At this point the external network can access the server, but the internal-network devices cannot.
After configuring the intra-domain bidirectional translation, the internal devices can access the server.

3. Dual-system hot standby experiment

1. Configure the IP address, mask and gateway for the PCs in all zones, create the VLANs on the switch and configure the interface IP addresses.

2. Divide the zones on the firewall and configure the IP addresses.

3. Write the routes:

[L1] ip route-static 0.0.0.0 0 10.1.2.254
[L2] ip route-static 0.0.0.0 0 100.1.2.254

4. Configure dual-system hot backup.

Result:

5. After the configuration is complete, the security policy can be seen on the standby device.

6. Test
Active/standby switchover:

After shutting down interface 1/0/0, the standby device's state changes to active.

The PC can still access the external network.