下一代防火墙设计方案V2

Hillstone E-3000 SeriesNext-Generation FirewallE3662 / E3668 / E3960 / E3965 / E3968The Hillstone E-3000 Series Next Generation Firewall (NGFW) is design for the specific function of security and provide comprehensive and granular visibility and control of applications. It can identify and prevent potential threats associated with high-risk applications while providing poli-cy-based control over applications, users, and user-groups. Policies can be defined that guarantee bandwidth to mission-critical applications while restricting or blocking unauthorized or malicious applications. The Hillstone E-3000 Series NGFW incorporates comprehensive network security and advanced firewall features, provides superior price performance, excellent energy efficiency, and comprehensive threat prevention capability.Product HighlightGranular Application Identification and ControlThe Hillstone E-3000 Series NGFW is optimized for con-tent analysis of Layer 7 applications, providing fine-grained control of web applications regardless of port, protocol, or evasive action. It can identify and prevent potential threats associated with high-risk applications while providing poli-cy-based control over applications, users, and user-groups. Security Policies can be defined that guarantee bandwidth to mission-critical applications while restricting or blocking unauthorized or malicious applications. Comprehensive Threat Detection and PreventionThe Hillstone E-3000 Series NGFW provides real-time protec-tion for applications from network attacks including viruses, spyware, worms, botnets, ARP spoofing, DoS/DDoS, Tro-jans, buffer overflows, and SQL injections. It incorporates a unified threat detection engine that shares packet details with multiple security engines (AD, IPS, URL filtering, Anti-Virus, Sandbox etc.), which significantly enhances the protectionefficiency and reduces network latency.Network Services• Dynamic routing (OSPF, BGP, RIPv2)• Static and Policy routing• Route controlled by application• Built-in DHCP, NTP, DNS Server and DNS proxy • Tap mode – connects to SPAN port• Interface modes: sniffer, port aggregated, loopback, VLANS (802.1Q and Trunking)• L2/L3 switching & routing• Virtual wire (Layer 1) transparent inline deploymentFirewall• Operating modes: NAT/route, transparent (bridge), and mixed mode• Policy objects: predefined, custom, and object grouping• Security policy based on application, role and geo-location• Application Level Gateways and session support: MSRCP, PPTP, RAS, RSH, SIP, FTP, TFTP, HTTP, dcerpc, dns-tcp, dns-udp, H.245 0, H.245 1, H.323• NAT and ALG support: NAT46, NAT64, NAT444, SNAT, DNAT, PAT, Full Cone NAT, STUN• NAT configuration: per policy and central NAT table• VoIP: SIP/H.323/SCCP NAT traversal, RTP pin holing• Global policy management view• Security policy redundancy inspection, policy group, policy configuration rollback• Policy Assistant for easy detailed policy deployment• Policy analyzing and invalid policy cleanup• Comprehensive DNS policy• Schedules: one-time and recurringIntrusion Prevention• Protocol anomaly detection, rate-based detection, custom signatures, manual, automatic push or pull signature updates, integrated threat encyclo-pedia• IPS Actions: default, monitor, block, reset (attackers IP or victim IP, incoming interface) with expiry time• Packet logging option• Filter Based Selection: severity, target, OS, appli-cation or protocol• IP exemption from specific IPS signatures• IDS sniffer mode• IPv4 and IPv6 rate based DoS protection with threshold settings against TCP Syn flood, TCP/ UDP/SCTP port scan, ICMP sweep, TCP/UDP/ SCIP/ICMP session flooding (source/destination)• Active bypass with bypass interfaces• Predefined prevention configurationAnti-Virus• Manual, automatic push or pull signature updates • Flow-based Antivirus: protocols include HTTP, SMTP, POP3, IMAP, FTP/SFTP• Compressed file virus scanningAttack Defense• Abnormal protocol attack defense• Anti-DoS/DDoS, including SYN Flood, UDP Flood, DNS Query Flood defense, TCP fragment, ICMP fragment, etc.• ARP attack defenseURL Filtering• Flow-based web filtering inspection• Manually defined web filtering based on URL, webcontent and MIME header• Dynamic web filtering with cloud-based real-timecategorization database: over 140 million URLswith 64 categories (8 of which are security related)• Additional web filtering features:- Filter Java Applet, ActiveX or cookie- Block HTTP Post- Log search keywords- Exempt scanning encrypted connections oncertain categories for privacy• Web filtering profile override: allows administratorto temporarily assign different profiles to user/group/IP• Web filter local categories and category ratingoverride• Support multi-languageCloud-Sandbox• Upload malicious files to cloud sandbox foranalysis• Support protocols including HTTP/HTTPS, POP3,IMAP, SMTP and FTP• Support file types including PE,ZIP, RAR, Office,PDF, APK, JAR and SWF• File transfer direction and file size control• Provide complete behavior analysis report formalicious files• Global threat intelligence sharing, real-time threatblocking• Support detection only mode without uploadingfilesBotnet C&C Prevention• Discover intranet botnet host by monitoring C&Cconnections and block further advanced threatssuch as botnet and ransomware• Regularly update the botnet server addresses• Prevention for C&C IP and domain• Support TCP, HTTP, and DNS traffic detection• IP and domain whitelistsIP Reputation• Identify and filter traffic from risky IPs such asbotnet hosts, spammers, Tor nodes, breachedhosts, and brute force attacks• Logging, dropping packets, or blocking fordifferent types of risky IP traffic• Periodical IP reputation signature databaseupgradeSSL Decryption• Application identification for SSL encrypted traffic• IPS enablement for SSL encrypted traffic• AV enablement for SSL encrypted traffic• URL filter for SSL encrypted traffic• SSL Encrypted traffic whitelist• SSL proxy offload modeEndpoint Identification and Control• Support to identify endpoint IP, endpoint quantity,on-line time, off-line time, and on-line duration• Support 10 operation systems including Windows,iOS, Android, etc.• Support query based on IP, endpoint quantity,control policy and status etc.• Support the identification of accessed endpointsquantity across layer 3, logging and interferenceon overrun IP• Redirect page display after custom interferenceoperation• Supports blocking operations on overrun IPData Security• File transfer control based on file type, size andname• File protocol identification, including HTTP, FTP,SMTP and POP3• File signature and suffix identification for over 100file types• Content filtering for HTTP-GET, HTTP-POST, FTPand SMTP protocols• IM identification and network behavior audit• Filter files transmitted by HTTPS using SSL ProxyApplication Control• Over 3,000 applications that can be filtered byname, category, subcategory, technology and risk• Each application contains a description, riskfactors, dependencies, typical ports used, andURLs for additional reference• Actions: block, reset session, monitor, trafficshaping• Identify and control cloud applications in the cloud• Provide multi-dimensional monitoring andstatistics for cloud applications, including riskcategory and characteristicsQuality of Service (QoS)• Max/guaranteed bandwidth tunnels or IP/userbasis• Tunnel allocation based on security domain,interface, address, user/user group, server/servergroup, application/app group, TOS, VLAN• Bandwidth allocated by time, priority, or equalbandwidth sharing• Type of Service (TOS) and Differentiated Services(DiffServ) support• Prioritized allocation of remaining bandwidth• Maximum concurrent connections per IP• Bandwidth allocation based on URL category• Bandwidth limit by delaying access for user or IP• Automatic expiration cleanup and manual cleanupof user used trafficServer Load Balancing• Weighted hashing, weighted least-connection, andweighted round-robin• Session protection, session persistence andsession status monitoring• Server health check, session monitoring andsession protectionLink Load Balancing• Bi-directional link load balancing• Outbound link load balancing includes policybased routing, ECMP and weighted, embeddedISP routing and dynamic detection• Inbound link load balancing supports SmartDNSand dynamic detection• Automatic link switching based on bandwidth,latency, jitter, connectivity, application etc.• Link health inspection with ARP, PING, and DNSFeaturesFeatures (Continued)VPN• IPSec VPN- IPSEC Phase 1 mode: aggressive and main ID protection mode- Peer acceptance options: any ID, specific ID, ID in dialup user group- Supports IKEv1 and IKEv2 (RFC 4306)- Authentication method: certificate andpre-shared key- IKE mode configuration support (as server orclient)- DHCP over IPSEC- Configurable IKE encryption key expiry, NATtraversal keep alive frequency- Phase 1/Phase 2 Proposal encryption: DES,3DES, AES128, AES192, AES256- Phase 1/Phase 2 Proposal authentication:MD5, SHA1, SHA256, SHA384,SHA512- Phase 1/Phase 2 Diffie-Hellman support: 1,2,5 - XAuth as server mode and for dialup users- Dead peer detection- Replay detection- Autokey keep-alive for Phase 2 SA• IPSEC VPN realm support: allows multiple custom SSL VPN logins associated with user groups (URL paths, design)• IPSEC VPN configuration options: route-based or policy based• IPSEC VPN deployment modes: gateway-to-gateway, full mesh, hub-and-spoke, redundant tunnel, VPN termination in transparent mode • One time login prevents concurrent logins with the same username• SSL portal concurrent users limiting• SSL VPN port forwarding module encrypts client data and sends the data to the application server • Supports clients that run iOS, Android, and Windows XP/Vista including 64-bit Windows OS • Host integrity checking and OS checking prior to SSL tunnel connections• MAC host check per portal• Cache cleaning option prior to ending SSL VPN session• L2TP client and server mode, L2TP over IPSEC, and GRE over IPSEC• View and manage IPSEC and SSL VPN connec-tions• PnPVPNIPv6• Management over IPv6, IPv6 logging and HA • IPv6 tunneling, DNS64/NAT64 etc• IPv6 routing including static routing, policy routing, ISIS, RIPng, OSPFv3 and BGP4+• IPS, Application identification, URL filtering,Anti-Virus, Access control, ND attack defense,iQoS• Track address detectionVSYS• System resource allocation to each VSYS• CPU virtualization• Non-root VSYS support firewall, IPSec VPN, SSLVPN, IPS, URL filtering• VSYS monitoring and statisticHigh Availability• Redundant heartbeat interfaces• Active/Active and Active/Passive mode• Standalone session synchronization• HA reserved management interface• Failover:- Port, local & remote link monitoring- Stateful failover- Sub-second failover- Failure notification• Deployment options:- HA with link aggregation- Full mesh HA- Geographically dispersed HATwin-mode HA (not available on E3662, E3668)• High availability mode among multiple devices• Multiple HA deployment modes• Configuration and session synchronization amongmultiple devicesUser and Device Identity• Local user database• Remote user authentication: TACACS+, LDAP,Radius, Active• Single-sign-on: Windows AD• 2-factor authentication: 3rd party support,integrated token server with physical and SMS• User and device-based policies• User group synchronization based on AD andLDAP• Support for 802.1X, SSO Proxy• WebAuth page customization• Interface based Authentication• Agentless ADSSO (AD Polling)• Use authentication synchronization based onSSO-monitor• Support MAC-based user authenticationAdministration• Management access: HTTP/HTTPS, SSH, telnet,console• Central Management: Hillstone Security Manager(HSM), web service APIs• System Integration: SNMP, syslog, alliancepartnerships• Rapid deployment: USB auto-install, local andremote script execution• Dynamic real-time dashboard status and drill-inmonitoring widgets• Language support: EnglishLogs & Reporting• Logging facilities: local memory and storage (ifavailable), multiple syslog servers and multipleHillstone Security Audit (HSA) platforms• Encrypted logging and log integrity with HSAscheduled batch log uploading• Reliable logging using TCP option (RFC 3195)• Detailed traffic logs: forwarded, violated sessions,local traffic, invalid packets, URL etc.• Comprehensive event logs: system and adminis-trative activity audits, routing & networking, VPN,user authentications, WiFi related events• IP and service port name resolution option• Brief traffic log format option• Three predefined reports: Security, Flow andnetwork reports• User defined reporting• Reports can be exported in PDF, Word and HTMLvia Email and FTPStatistics and Monitoring• Application, URL, threat events statistic andmonitoring• Real-time traffic statistic and analytics• System information such as concurrent session,CPU, Memory and temperature• iQOS traffic statistic and monitoring, link statusmonitoring• Support traffic information collection andforwarding via Netflow (v9.0)CloudView• Cloud-based security monitoring• 7/24 access from web or mobile application• Device status, traffic and Threat monitoring• Cloud-based log retention and reportingIoT Security• Identify IoT devices such as IP Cameras andNetwork Video Recorders• Support query of monitoring results based onfiltering conditions, including device type, IPaddress, status, etc.• Support customized whitelistsExpasion Module Option IOC-4GE-B-M, IOC-8GE-M, IOC-8SFP-M IOC-4GE-B-M, IOC-8GE-M, IOC-8SFP-M, IOC-4SFP+, IOC-8SFP+, IOC-2SFP+-Lite Twin-mode HAN/AYesMaximum Power Consumption 1 x 150W Redundancy 1 + 1 2 x 450W Redundancy 1 + 1Power SupplyAC 100-240V 50/60Hz AC 100-240V 50/60Hz DC -40 ~ -60VDimension (W×D×H, mm)1U 17.2 x 14.4x 1.7 in (436 x 366 x 44 mm)2U 17.3 x 20.9 x 3.5 in (440 x530 x 88 mm)Weight 12.3lb (5.6kg)27.1 lb (11.8kg)Temperature 32-104 F (0-40°C)32-104 F (0-40°C)Relative Humidity10-95% (no dew)10-95% (no dew)Compliance and CertificateCE, CB, FCC, UL/cUL, ROHS, IEC/EN61000-4-5 Power Surge Protection, ISO 9001:2015, ISO 14001:2015, CVE Compatibility, IPv6 Ready, ICSA FirewallsNames 8SFP Extension Module 4GE Bypass Extension 2SFP+ Extension Module 4SFP+ Extension ModuleI/O Ports 8 x SFP , SFP module not included2 x SFP+, SFP+ module not included 4 x SFP+, SFP+ module not included Dimension ½U (Occupies 1 generic slots)½ U (Occupies 1 generic slot) 1 U (Occupies 2 generic slots)Weight2.0 lb (0.9kg)0.7 lb (0.3kg)1.5 lb (0.7kg)Module OptionsNOTES:(1) FW throughput data is obtained under single-stack UDP traffic with 1518-byte packet size;(2) IPSec throughput data is obtained under Preshare Key AES256+SHA-1 configuration and 1400-byte packet size packet; (3) AV throughput data is obtained under HTTP traffic with file attachment;(4) IPS throughput data is obtained under bi-direction HTTP traffic detection with all IPS rules being turned on; (5) IMIX throughput data is obtained under UDP traffic mix (64 byte : 512 byte : 1518 byte =5:7:1);(6) NGFW throughput data is obtained under 64 Kbytes HTTP traffic with application control and IPS enabled;(7) Threat protection throughput data is obtained under 64 Kbytes HTTP traffic with application control, IPS, AV and URL filtering enabled; (8) New Sessions/s is obtained under TCP traffic.Unless specified otherwise, all performance, capacity and functionality are based on StoneOS5.5R7. Results may vary based on StoneOS ® version and deployment.IOC-8GE-MIOC-8SFP-MIOC-4GE-B-MIOC-2SFP+-LiteIOC-8SFP+IOC-4SFP+。

Hillstone山石网科下一代防火墙基础配置手册V5.5版本Hillstone Networks Inc.服务热线：400 828 6655内容提交人审核人更新内容日期陈天骄陈天骄初次编写2016/1/14目录1 设备管理 (3)1.1 终端console登录 (3)1.2 网页WebUI登录 (3)1.3 恢复出厂设置 (5)1.3.1 CLI命令行操作 (5)1.3.2 WebUI图形化界面操作 (5)1.3.3 硬件CLR操作 (6)1.4 设备系统（StoneOS）升级 (6)1.4.1 通过sysloader升级 (6)1.4.2 通过CLI升级 (9)1.4.3 通过WebUI升级 (9)1.5 许可证安装 (10)1.5.1 CLI命令行安装 (10)1.5.2 WebUI安装 (11)2 基础上网配置 (11)2.1 接口配置 (11)2.2 路由配置 (13)2.3 策略配置 (14)2.4 源地址转换配置（SNAT） (15)3 常用功能配置 (16)3.1 PPPoE拨号配置 (16)3.2 动态地址分配（DHCP）配置 (17)3.3 IP-MAC地址绑定配置 (20)3.4 端到端IPSec VPN配置 (21)3.4.1 配置第一阶段P1提议 (22)3.4.2 配置ISAKMP网关 (23)3.4.3 配置第二阶段P2提议 (24)3.4.4 配置隧道 (25)3.4.5 配置隧道接口 (26)3.4.6 配置隧道路由和策略 (28)3.4.7 查看VPN状态 (29)3.5 远程接入SCVPN配置 (30)3.6 目的地址转换DNAT配置 (38)3.6.1 IP映射 (39)3.6.2 端口映射 (41)1设备管理安全网关支持本地与远程两种环境配置方法，可以通过CLI 和WebUI 两种方式进行配置。

CLI同时支持Console、Telnet、SSH等主流通信管理协议。

下一代防火墙使用手册第一章：引言随着信息技术的迅猛发展，网络安全问题日益凸显，网络攻击事件层出不穷，为保护企业网络的安全，下一代防火墙成为不可或缺的一环。

本手册旨在帮助用户了解和使用下一代防火墙，提高网络安全防护能力。

第二章：下一代防火墙概述2.1 下一代防火墙的定义下一代防火墙是一种集成了传统防火墙、入侵检测系统、应用程序控制和其他安全功能于一体的网络安全设备。

它可以实现对网络流量、应用程序和用户行为的深度检测和防护。

2.2 下一代防火墙的特点（1）应用层识别：能够识别和控制各种应用程序的访问行为。

（2）多维度防护：结合网络安全、应用层安全、行为安全等多个维度进行综合防护。

（3）威胁情报整合：集成威胁情报，实时更新恶意软件和攻击信息。

2.3 下一代防火墙的优势（1）提供深度安全：能够深入识别和阻断各种网络威胁和攻击。

（2）有效管理应用程序：灵活控制和管理各类网络应用程序的访问和使用。

（3）提升网络性能：能够快速有效地过滤和处理大量网络流量。

第三章：下一代防火墙的部署与配置3.1 部署架构根据网络规模和需求确定下一代防火墙的部署位置，一般可以部署在边界网关、数据中心、分支机构等位置，构建多层次、多维度的网络安全防护体系。

3.2 设备连接连接下一代防火墙的各个接口，包括内部网络、外部网络、DMZ等，配置接口地址及路由信息。

3.3 安全策略配置根据实际需求，配置安全策略，包括访问控制、应用程序控制、反病毒、反垃圾邮件等安全功能。

3.4 VPN 配置如需部署 VPN 服务，配置 VPN 策略、隧道和用户认证等参数。

第四章：下一代防火墙的管理与维护4.1 系统管理对下一代防火墙进行管理和维护，包括设备初始化、软件升级、日志备份、系统监控等功能。

4.2 安全管理监测和分析安全事件，对发现的攻击威胁进行处置和应对。

4.3 策略优化定期对安全策略进行调整和优化，提升防护能力，保障网络安全。

第五章：应急响应与排查5.1 安全事件响应在发生安全事件时，迅速进行安全事件的诊断、核实和处置，减少安全事件造成的损失。

深信服科技NGAF 下一代防火墙方案白皮书1.概述 (4)2.深信服下一代防火墙核心价值 (5)2.1.全程保护 (5)2.2.全程可视 (7)3.主要功能介绍 (8)3.1.系统架构设计 (8)3.2.基础防火墙特性 (11)3.3.事前风险预知 (13)3.4.事中安全防护 (18)3.5.事后检测及响应 (31)4.部署模式 (33)4.1.网关模式 (33)4.2.网桥模式 (34)4.3.旁路模式 (36)4.4.双机模式 (37)5.市场表现 (39)5.1.高速增长，年复合增长超70% (39)5.2.众多权威机构一致认可 (40)5.3.为客户需求而持续创新 (40)6.关于深信服 (40)1.概述近几年来，随着互联网+、业务数字化转型的深入推进，各行各业都在加速往互联网化、数字化转型。

业务越来越多的向公众、合作伙伴，第三方机构等开放，在数字化业务带给我们高效和便捷的同时，信息暴露面的增加，网络边界的模糊化以及黑客攻击的产业化使得网络安全事件相较以往成指数级的增加，面对应对层出不穷的新型安全事件如网站被篡改，被挂黑链，0 day 漏洞利用，数据窃取，僵尸网络，勒索病毒等等，传统安全建设模式已经捉襟见肘，面临着巨大的挑战。

问题一：传统信息安全建设，以事中防御为主。

缺乏事前的风险预知，事后的持续检测及响应能力传统意义上的安全建设无论采用的是多安全产品叠加方案还是采用 UTM/NGFW+WAF 的整合类产品解决方案，关注的重点都在于如何防护资产在被攻击过程中不被黑客入侵成功，但是并不具备对于资产的事前风险预知和事后检测响应的能力，从业务风险的生命周期来看，仅仅具备事中的防护是不完整的，如果能在事前做好预防措施以及在时候提高检测和响应的能力，安全事件发生产生的不良影响会大幅度降低，所以未来，融合安全将是安全建设发展的趋势。

问题二：传统安全建设是拼凑的事中防御，缺乏有效的联动分析和防御机制传统安全建设方案，搜集到的都是不同产品碎片化的攻击日志信息，只能简单的统计报表展示，并不能结合业务形成有效的资产安全状态分析。

惠尔顿下一代防火墙（NGWF）设计方案深圳市惠尔顿信息技术有限公司2016年5月1日目录一、方案背景 (2)二、网络安全现状 (2)三、惠尔顿下一代防火墙（NGWF）介绍及优势 (7)四、惠尔顿NGWF功能简介 (10)五、部署模式及网络拓扑 (14)六、项目报价 (15)七、售后服务 (16)一、方案背景无锡某部队响应国家公安部82号令号召，加强部队网络安全建设。

针对目前网络存在的涉密、泄密、木马、病毒等进行预防。

二、网络安全现状近几年来，计算机和网络攻击的复杂性不断上升，使用传统的防火墙和入侵检测系统（IDS）越来越难以检测和阻挡。

随着每一次成功的攻击，黑客会很快的学会哪种攻击方向是最成功的。

漏洞的发现和黑客利用漏洞之间的时间差也变得越来越短，使得IT和安全人员得不到充分的时间去测试漏洞和更新系统。

随着病毒、蠕虫、木马、后门和混合威胁的泛滥，内容层和网络层的安全威胁正变得司空见惯。

复杂的蠕虫和邮件病毒诸如Slammer、Blaster、Sasser、Sober、MyDoom等在过去几年经常成为头条新闻，它们也向我们展示了这类攻击会如何快速的传播——通常在几个小时之内就能席卷全世界。

许多黑客正监视着软件提供商的补丁公告，并对补丁进行简单的逆向工程，由此来发现漏洞。

下图举例说明了一个已知漏洞及相应补丁的公布到该漏洞被利用之间的天数。

需要注意的是，对于最近的一些攻击，这一时间已经大大缩短了。

IT和安全人员不仅需要担心已知安全威胁，他们还不得不集中精力来防止各种被称之为“零小时”（zero-hour）或“零日”（zero-day）的新的未知的威胁。

为了对抗这种新的威胁，安全技术也在不断进化，包括深度包检测防火墙、应用网关防火墙、内容过滤、反垃圾邮件、SSL VPN、基于网络的防病毒和入侵防御系统（IPS）等新技术不断被应用。

但是黑客的动机正在从引起他人注意向着获取经济利益转移，我们可以看到一些更加狡猾的攻击方式正被不断开发出来，以绕过传统的安全设备，而社会工程（social engineering）陷阱也成为新型攻击的一大重点。