KFW防火墙技术白皮书v2.0

虚拟防火墙技术白皮书关键词：虚拟防火墙 MPLS VPN摘要：本文介绍了虚拟防火墙技术和其应用背景。

描述了虚拟防火墙的功能特色，并介绍了公司具备虚拟防火墙功能的独立防火墙和防火墙插板产品的组网环境应用。

缩略语清单：目录1概述 (3)1.1新业务模型产生新需求 (3)1.2新业务模型下的防火墙部署 (3)1.2.1传统防火墙的部署缺陷 (3)1.2.2虚拟防火墙应运而生 (4)2虚拟防火墙技术 (5)2.1技术特点 (5)2.2相关术语 (6)2.3设备处理流程 (6)2.3.1根据入接口数据流 (7)2.3.2根据Vlan ID数据流 (7)2.3.3根据目的地址数据流 (8)3典型组网部署方案 (8)3.1虚拟防火墙在行业专网中的应用 (8)3.1.1 MPLS VPN组网的园区中的虚拟防火墙部署一 (9)3.1.2 MPLS VPN组网的园区中的虚拟防火墙部署二 (10)3.1.3虚拟防火墙提供对VPE的安全保护 (10)3.2企业园区网应用 (11)4总结.......................................................................................................................... 12驅踬髏彦浃绥譎饴憂锦。

1 概述1.1 新业务模型产生新需求目前，跨地域的全国性超大企业集团和机构的业务规模和管理复杂度都在急剧的增加，传统的管理运营模式已经不能适应其业务的发展。

企业信息化成为解决目前业务发展的关键，得到了各企业和机构的相当重视。

现今，国内一些超大企业在信息化建设中投入不断增加，部分已经建立了跨地域的企业专网。

有的企业已经达到甚至超过了IT-CMM3的级别，开始向IT-CMM4迈进。

另一方面，随着企业业务规模的不断增大，各业务部门的职能和权责划分也越来越清晰。

各业务部门也初步形成了的相应不同安全级别的安全区域，比如，OA和数据中心等。

PROTECTING YOUR NETWORK FROM THE INSIDE-OUTInternal Segmentation Firewall (ISFW)WHITE PAPER: PROTECTING YOUR NETWORK FROM THE INSIDE–OUT – INTERNAL SEGMENTATION FIREWALL (ISFW) PROTECTING YOUR NETWORKFROM THE INSIDE-OUTInternal Segmentation Firewall (ISFW)TABLE OF CONTENTSSummary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3Advanced Threats Take Advantage of the “Flat Internal” Network . . . . .4The Answer is a New Class of Firewall – Internal Segmentation Firewall . . .4ISFW Technology Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7SUMMARYFor the last decade organizations have been trying to protect their networks by building defenses across the borders of their networks. This includes the Internet edge, perimeter, endpoint, and data center (including the DMZ). This “outside-in” approach has been based on the concept that companies can control clearly defined points of entry and secure their valuable assets. The strategy was to build a border defense as strong as possible and assume nothing got past the firewall.As organizations grow and embrace the latest IT technology such as mobility and cloud the traditional network boundaries are becoming increasingly complex to control and secure. There are now many different ways into an enterprise network.Not long ago, firewall vendors markedthe ports on their appliances “External” (untrusted) and “Internal” (trusted). However, advanced threats use this to their advantage because, once inside, the network is very flat and open. The inside of the network usually consists of non security-aware devices such as switches, routers, and even bridges. So once you gain access to the network as a hacker, contractor, or even rogue employee, then you get free access to the entire enterprise network including all the valuable assets. The solution is a new class of firewall –Internal Segmentation Firewall (ISFW),that sits at strategic points of the internalnetwork. It may sit in front of specific serversthat contain valuable intellectual property ora set of user devices or web applicationssitting in the cloud.Once in place, the ISFW must provideinstant “visibility” to traffic traversing intoand out of that specific network asset. Thisvisibility is needed instantly, without monthsof network planning and deployment.Most importantly the ISFW must alsoprovide “protection” because detection isonly a part of the solution. Sifting throughlogs and alerts can take weeks or months.The ISFW needs to deliver proactivesegmentation and real-time protectionbased on the latest security updates.Finally, the ISFW must be flexible enoughto be placed anywhere within the internalnetwork and integrate with other parts of theenterprise security solution under a singlepane of management glass. Other securitysolutions can also provide additional visibilityand protection. This includes the emailgateway, web gateway, border firewalls,cloud firewalls, and endpoints. Further,Internal Segmentation Firewalls need toscale from low to high throughputs allowingdeployment across the global network.KEY REQUIREMENTSn COMPLETE PROTECTION –Continuous inside-out protectionagainst advanced threats with asingle security infrastructuren EASY DEPLOYMENT –Default Transparent Mode meansno need to re-architect thenetwork and centrally deployedand managedn HIGH PERFORMANCE –Multi-gigabit performance supportswire speed east-west trafficINTERNAL NETWORKCybercriminals are creating customized attacks to evade traditional defenses, and once inside, to avoid detection and enable egress of valuable data. Once inside the network there are few systems in place to detect or better still protect against APT s. It can be seen from the threat life cycle in Figure 1 that once the perimeter border is penetrated, the majority of the activity takes place inside the boundary of the network. Activities include disabling any agent-based security , updates from the botnet command, and control system, additional infection/recruitment and extraction of the targeted assets.THE ANSWER IS A NEW CLASS OF FIREWALL –INTERNAL SEGMENT A TION FIREWALL (ISFW)Most firewall development over the past decade has been focused on the border, the Internet edge, perimeter (host firewall), endpoint, data center (DMZ), or the cloud. This started with the stateful firewall but has evolved to include Unified Threat Management (UTM) for distributed networks, which brought together the firewall, intrusion detection, and antivirus. Later came the Next Generation Firewall (NGFW), which included intrusion prevention and application control for the Internet edge. More recently because of the huge increase in speeds, Data CenterFirewalls (DCFW) have arrived to provide more than 100 Gbps of throughput. All of these firewalls have in common an approach designed to protect from the “outside-in.”For rapid internal deployment and protection, a new class of firewall is required – Internal Segmentation Firewall (ISFW). The Internal Segmentation Firewall has some different characteristics when compared to a border firewall. The differences are laid out in figure 2.14DisposalThreat Production+ ReconThreat VectorExtractionScan for vulnerabilities Design phishing emails Customize malware, etc.ExternalPackage &Encrypt StageFIGURE 1 – ADVANCED THREAT LIFE CYCLEFIGURE 2 – FIREWALL TYPE DIFFERENCESTHE ISFW NEEDS TO PROVIDE COMPLETE PROTECTIONThe first element of security is visibility. And visibility is only as good as network packet knowledge. What does a packet stream look like for a specific application, where did it come from, where is it going, even what actions are being taken (download, upload…).The second and equally important element is protection. Is the application, contentor actions malicious? Should this type of traffic be communicating from this set of assets to another set of assets? While this is very difficult across different contentand application types, it is an essentialpart of the ISFW. The ability to detect a malicious file, application, or exploit gives an enterprise time to react and contain the threat. All of these protection elements must be on a single device to be effective.Both visibility and protection are heavily reliant on a real-time central security threat intelligence service. A question that always needs to be posed – how good is the visibility and protection? Is it keeping up with the latest threats? That’s why all security services should be measured on a constantbasis with 3rd party test and certificationservices.THE ISFW NEEDS TO PROVIDE EASYDEPLOYMENTThe ISFW must be easy to deploy andmanage. Keeping it simple for IT meansbeing able to deploy with minimumconfiguration requirements and withouthaving to re-architect the existing network.The ISFW must also be able to protectdifferent types of internal assets placed atdifferent parts of the network. It could be aset of servers containing valuable customerinformation or a set of endpoint devicesthat may not be able to be updated with thelatest security protection.Additionally, the ISFW must be able tointegrate with other parts of the enterprisesecurity solution. Other security solutionscan also provide additional visibility andprotection. This includes the email gateway,web gateway, border firewalls, cloudfirewalls, and endpoints. This all needs tobe managed with a ‘single pane of glass’approach. This allows security policies to beconsistent at the border, inside the network,and even outside the network in clouds.Traditional firewalls are usually deployedin routing mode. Interfaces (ports) are welldefined with IP addresses. This often takesmonths of planning and deployment. Thisis valuable time in today’s instant cyberattack world. An ISFW can be deployedin the network rapidly and with minimumdisruption. It must be as simple as poweringon a device and connecting. It must betransparent to the network and application.THE ISFW NEEDS TO PROVIDE WIRE-SPEED PERFORMANCEBecause internal segmentation firewalls aredeployed in-line for network zoning, theymust be very high performance in order tomeet the demands of internal or “east-west”traffic, and to ensure they do not becomea bottleneck at these critical points. Unlikefirewalls at the border that deal with WideArea Network (WAN) access or Internetspeeds of less than 1 gigabit per second,internal networks run much faster – multi-gigabit speeds. There, ISFWs need tooperate at multi-gigabit speeds and be ableto provide deep packet/connect inspectionwithout slowing down the network.REQUIREMENTSA FLEXIBLE NETWORK OPERATING SYSTEMAlmost all firewall “deployment modes” require IP allocation and reconfiguration of the network. This is known as network routing deployment and provides traffic visibility and threat prevention capabilities. At the other end of the spectrum is sniffer mode, which is easier to configure and provides visibility, but does not provide protection.Transparent mode combines theadvantages of network routing and sniffer modes. It provides rapid deployment and visibility plus, more importantly, protection. The differences are summarized in Figure 3.FIGURE 3 – FIREWALL TYPE DIFFERENCESA SCALABLE HARDWARE ARCHITECTUREBecause internal networks run at much higher speeds the ISFW needs to be architected for multi-gigabit protection throughput. Although CPU-only based architectures are flexible they become bottlenecks when high throughput isrequired. The superior architecture still uses a CPU for flexibility but adds custom ASICs to accelerate network traffic and content inspection.Because the ISFW is deployed in closer proximity to the data and devices, it may sometimes need to cope with harsher environments. Availability of a moreruggedized form factor is therefore another requirement of ISFWs.with cloud-based sandboxing, allowing for the enforcement of policies thatcomplement standard border firewalls. This real-time visibility and protection is critical to limiting the spread of malware inside the network.NETWORK WIDE ISFW DEPLOYMENT EXAMPLEMost companies have set up border protection with firewalls, NGFWs, and UTMs. These are still critical parts ofnetwork protection. However, to increase security posture, Internal Segmentation Firewalls can be placed strategically internally. This could be a specific set ofendpoints where it is hard to update security or servers where intellectual property is stored.SEGMENT ISFW DEPLOYMENT EXAMPLEThe ISFW is usually deployed in the access layer and protects a specific set of assets. Initially the deployment is transparent between the distribution and access switches. Longer term the integrated switching could take the place of theaccess and distribution switch and provideadditional physical protection.DEPLOYMENT (ISFW) DEPLOYMENTNETWORK SEGMENTATION –HIGH SPEED INTEGRATED SWITCHING An evolving aspect of transparent mode is the ability to physically separatesubnetworks and servers via a switch.Firewalls are starting to appear on the market with fully functional, integrated switches within the appliance. These new firewalls, with many 10 GbE port interfaces, become an ideal data center “top-of-rack” solution, allowing servers to be physically and virtually secured. Also, similar switch-integrated firewalls with a high density of 1 GbE port interfaces become ideal for separation of LAN subsegments. ISFWs should be able to fulfill both of these roles, and as such should ideally have fullyfunctional, integrated switching capabilities.REAL-TIME SECURITYInternal Segmentation Firewalls must be able to deliver a full spectrum of advanced security services, including IPS, application visibility, antivirus, anti-spam, and integrationCopyright © 2016 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.GLOBAL HEADQUARTERS Fortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein 06560 Valbonne FranceTel: +33.4.8987.0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6513.3730LATIN AMERICA HEADQUARTERS Sawgrass Lakes Center13450 W. Sunrise Blvd., Suite 430Sunrise, FL 33323Tel: +1.954.368.9990ENHANCING ADVANCED THREA T PROTECTION WITH INTERNAL VISIBILITYA proper approach to mitigating advanced threats should include a continuous cycle of prevention, detection, and mitigation. Very typically a next-generation firewall would serve as a key foundation of the prevention component, enabling L2/L3 firewall,intrusion prevention, application control and more to block known threats, while passing high-risk unknown items to a sandbox for detection. But with NGFW’s deployed traditionally at the network edge, this only provides partial visibility into the attack life cycle by primarily observing ingress and egress activity.Deployment of an ISFW can providemore complete visibility into the additional internal activity of the hackers once they’ve compromised the edge. Lateral movement can account for a significant portion of the malicious activity as the hackers try to identify valuable assets and extract data,and having a complete picture of both internal and edge activity enhances allphases of a complete ATP framework. With internal network traffic often being several times the bandwidth of edge traffic, an ISFW can provide many more opportunities to limit the spread of the compromise from known techniques and more high-risk items to be passed to sandboxes for deeper inspection.CONCLUSIONAdvanced Threats are taking advantage of the flat Internal network. Once through the border defense there is little to stop their spread and eventual extraction of valuable targeted assets. Because traditional firewalls have been architected to slower speeds of the Internet edge it’s hard to deploy these security devices internally. And firewall network configuration deployments (IP addresses) take a long time to deploy.Internal Segmentation Firewalls are a new class of firewall that can be deployed rapidly with minimum disruption while keeping up the multi-gigabit speeds of internal networks. Instant visibility and protection can be applied to specific parts of the internal network.FIGURE 5 – ADVANCED THREAT PROTECTION (ATP) FRAMEWORK。

深信服下一代防火墙NGAF技术白皮书深信服科技有限公司二零一三年四月目录一、概述 (4)二、为什么需要下一代防火墙 (4)2.1 网络发展的趋势使防火墙以及传统方案失效 (4)2.2 现有方案缺陷分析 (5)2.2.1 单一的应用层设备是否能满足？ (5)2.2.2 “串糖葫芦式的组合方案” (5)2.2.3 UTM统一威胁管理 (5)三、下一代防火墙标准 (6)3.1 Gartner定义下一代防火墙 (6)3.2 适合国内用户的下一代防火墙标准 (7)四、深信服下一代应用防火墙—NGAF (8)4.1 产品设计理念 (8)4.2 产品功能特色 (9)4.2.1更精细的应用层安全控制 (9)4.2.2全面的应用安全防护能力 (12)4.2.3独特的双向内容检测技术 (17)4.2.4涵盖传统安全功能 (18)4.2.5智能的网络安全防御体系 (19)4.2.6更高效的应用层处理能力 (20)4.3 产品优势技术【】 (20)4.3.1深度内容解析 (20)4.3.2双向内容检测 (20)4.3.3分离平面设计 (21)4.3.4单次解析架构 (22)4.3.5多核并行处理 (23)4.3.6智能联动技术 (23)五、解决方案与部属 (24)5.1 基于业务场景的安全建设方案选择 (24)5.1.1互联网出口-内网终端上网 (24)5.1.2互联网出口-服务器对外发布 (24)5.1.3广域网边界安全隔离 (25)5.1.4数据中心 (25)5.2 部署方式 (26)5.2.1路由部署 (26)5.2.2透明部署 (26)5.2.3虚拟网线部署 (26)5.2.4旁路部署 (26)5.2.5混合部署 (26)5.2.6链路聚合 (26)六、关于深信服 (26)一、概述防火墙自诞生以来，在网络安全防御系统中就建立了不可替代的地位。

作为边界网络安全的第一道关卡防火墙经历了包过滤技术、代理技术和状态监视技术的技术革命，通过ACL 访问控制策略、NAT地址转换策略以及抗网络攻击策略有效的阻断了一切未被明确允许的包通过，保护了网络的安全。

捷普安全运维管理系统Jump Gatekeeper白皮书Version 2.0西安交大捷普网络科技有限公司2014年1月目录一、运维管理面临的安全风险 (1)1.运维操作复杂度高 (1)2.运维操作不透明 (1)3.误操作给企业带来严重损失 (2)4.IT运维外包给企业带来管理风险 (2)5.法律法规的要求 (2)6.人员流动性给企业带来未知风险 (2)二、运维审计势在必行 (3)1.设备集中统一管理 (3)2.根据策略实现对操作的控制管理 (3)3.实时的操作告警及审计机制 (3)4.符合法律法规 (3)5.易部署、高可用性 (4)三、安全运维管理方案 (5)1.捷普安全运维管理系统简介 (5)2.应用环境 (6)四、系统功能 (7)1.运维事件事前防范 (7)1）完整的身份管理和认证 (7)2）灵活、细粒度的授权 (7)3）后台资源自动登录 (7)2.运维事件事中控制 (8)1）实时监控 (8)2）违规操作实时告警与阻断 (8)3.运维事件事后审计 (9)1）完整记录网络会话过程 (9)2）详尽的会话审计与回放 (9)3）完备的审计报表功能 (9)五、系统部署 (11)六、系统特点 (13)1.全面的运维审计 (13)2.更严格的审计管理 (13)3.高效的处理能力 (13)4.丰富的报表展现 (14)5.完善的系统安全设计 (14)七、产品规格参数 (15)1.参数规格 (15)2.产品功能 (15)一、运维管理面临的安全风险随着IT建设的不断深入和完善，计算机硬软件系统的运行维护已经成为了各行各业各单位领导和信息服务部门普遍关注和不堪重负的问题。

由于这是随着计算机信息技术的深入应用而产生的，因此如何进行有效的IT 运维管理，这方面的知识积累和应用技术还刚刚起步。

对这一领域的研究和探索，将具有广阔的发展前景和巨大的现实意义。

大中型企业和机构纷纷建立起庞大而复杂的IT系统，IT系统的运营、维护和管理的风险不断加大。

北信源杀毒软件V2.0 技术白皮书北京北信源软件股份有限公司二〇一三年目录目录 (2)图目录 (3)一、引言 (4)二、背景 (5)三、产品总体设计 (5)四、产品详细设计 (6)4.1.网络构架 (6)4.2.统一配置管理 (7)4.3.病毒查杀功能 (8)4.4.实时监控功能 (9)4.5.U盘防护功能 (9)4.6.主动防御体系结构 (10)4.7.隔离恢复功能 (12)五、产品安全体系结构 (14)5.1.系统自身安全设计 (14)六、产品价值 (14)6.1雪狼引擎 (14)6.2百度私有云查杀引擎 (15)6.3极光引擎V2.0 (15)6.4智能修复引擎 (15)七、系统所需软、硬件配置要求 (15)图目录图 1 北信源杀毒软件V2.0系统架构图 (5)图 2 北信源杀毒软件V2.0功能结构图 (6)图3主动防御体系结构设计 ................................................................................. 错误！未定义书签。

图 4 系统逻辑图.. (7)图5北信源杀毒软件V2.0产品配置下发界面 (8)图 6 U盘防护 (10)图7 急速弹出 (10)图8 自动防御体系结构 (11)图9 异常文件恢复区 (13)图10 主防文件恢复区 (13)一、引言近期，微软公司宣布将于2014年4月8日起停止对Windows XP系统（以下简称XP）的支持。

其官方资料表明，由于XP系统采用的体系架构和安全技术已不足以面对日益增长的安全威胁，一旦停止支持和更新，将难以对零日漏洞和APT攻击等网络威胁进行有效防护，安全风险骤增。

基于安全考虑，微软建议XP用户尽快向Win7/8系统迁移。

据不完全统计，目前我国个人电脑市场上XP用户数高达1.5亿。

在关键信息基础设施和重要信息系统中，XP占桌面操作系统的比例约为70%，有的行业甚至高达90%以上。

彩讯反垃圾邮件网关技术白皮书Rich Firewall V2.0.1（版权所有，翻版必究）目录1. 彩讯反垃圾邮件网关 (1)1.1. RICH FIREWALL是什么？ (1)1.2. 应用价值 (1)1.3. 行业目标和客户 (2)1.4. 技术特点 (2)1.4.1. 反垃圾有效性 (2)1.4.2. 防病毒准确性 (4)1.4.3. 运维管理易用性 (5)2. R ICH FIREWALL架构 (6)2.1. 系统架构 (6)2.1.1. 架构说明 (6)2.1.2. 架构特点 (7)2.2. RICH FIREWALL管理平台 (7)2.2.1. 管理平台模块关系 (8)2.2.2. 管理关键点设计 (8)3. 产品功能介绍 (9)3.1. 反垃圾防病毒 (9)3.1.1. 过滤病毒邮件 (9)3.1.2. 过滤垃圾邮件 (9)3.2. 欺诈防御 (10)3.2.1. 抵御邮件攻击和欺诈 (10)3.2.2. 邮件监控与审核 (10)3.2.3. 邮件真实性校验 (10)3.3. 安全评分规则 (10)3.3.1. 网络控制层安全管理 (10)3.3.2. 人工智能识别 (11)3.3.3. IP评分 (14)3.3.4. 智能钓鱼识别 (17)3.3.5. 黑白灰名单 (19)3.3.6. 策略组 (19)3.3.7. 系统管理 (21)4. R ICH FIREWALL系统流程 (23)5. R ICH FIREWALL系统性能 (24)5.1. 拦截率 (24)5.2. 误判率 (24)5.3. 高安全性 (24)5.4. 高可靠性 (24)5.5. 高兼容性 (24)5.6. 高可用性 (25)6. R ICH FIREWALL安装部署 (25)6.1. 硬件配置 (25)6.2. 操作系统 (25)1.彩讯反垃圾邮件网关1.1. RICH FIREWALL是什么？彩讯反垃圾邮件网关是目前市场上技术最成熟的反垃圾邮件解决方案，在安全性上，采用了二十多种世界领先的邮件安全技术，七层过滤机制，垃圾邮件过滤拦截率超过99.7%，基于139邮箱8.5亿用户垃圾特征库实时向客户提供反垃圾服务，目前市场上反垃圾能力最强；在功能性上，彩讯反垃圾邮件网关为企业提供成熟的权限管理体系，平台采用全新的扁平化设计，简约大气的设计风格，极大的提高了用户的操作体验；在安装部署方面，采用一键安装、分布式部署，支持标准的开放API对接企业现有系统，同时提供企业自定制化服务。