CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Understanding Security Policies

Security Policies of the Device

Traditional firewalls control traffic based on IP addresses and protocols. As networks have developed, the growing number of new applications has made people's online life more convenient, but has also introduced more security risks. In particular, as web technology has matured, more and more services with different risk levels run on ports 80 and 443 over HTTP and HTTPS, including web instant messaging, web games, video websites, and web chat. In addition, new working methods such as telecommuting and mobile office have emerged, so the IP address of the host used by a given user may change at any time. Traffic control based on IP addresses alone cannot meet modern network requirements. Therefore, enterprise network security management must identify and monitor traffic content in addition to controlling traffic sources and destinations.

The device uses security policies to forward and control traffic at the application layer, and performs content security detection and processing on that traffic. The security policies of the device are adapted to the characteristics of modern networks and meet their requirements.

As shown in Figure 7-2, the device uses security policy 1 to apply the intrusion prevention system (IPS) function, protecting the internal server against attacks from the Internet. It uses security policy 2 to apply the IPS and URL filtering functions, allowing users in the Trust zone to browse the Internet while the device inspects the content they browse and defends against viruses and hackers.

Figure 7-2  Security policies of the device

Security policies give the device the following advantages:

  • The device applies the corresponding security policies in different security zones, making network management more flexible and more visible.
  • The device effectively distinguishes the different applications (such as web instant messaging and web games) carried by one protocol (such as HTTP), providing more fine-grained network management.
  • The device uses security policies to perform content security detection, blocking viruses and hackers to protect the internal network.

Security Policy Processing Flow

Figure 7-3 shows the processing flow of security policies on the device.

Figure 7-3  Security policy processing flow

When traffic passes through the Router, the security policy processing flow is as follows:

  1. The Router inspects received traffic and obtains its attributes, including the source security zone, destination security zone, ACL fields (source IP address, destination IP address, source port, destination port, and protocol type), and time period.

  2. The Router matches traffic attributes with security policy conditions. If all conditions are matched, go to step 3. Otherwise, the traffic is allowed to pass through.

  3. If the traffic matches security policy conditions successfully, the Router determines whether security policies reference security profiles. If security profiles are referenced, go to step 4. If no security profile is referenced, the traffic is allowed to pass through.

  4. If security policies reference security profiles, the Router implements integrated content security detection on the traffic.

    In integrated detection, the device inspects the traffic content only once against the conditions of all referenced security profiles, and then applies the security profile actions according to the detection result. If any one security profile blocks the traffic, the Router blocks the traffic. Only if all security profiles allow the traffic does the Router forward it.

    As shown in Figure 7-4, all content security functions of the Router are implemented through security profiles referenced by security policies. Detection and processing are only performed once, greatly improving the system performance.

    Figure 7-4  Integrated detection of the Router
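The processing flow in steps 1 to 4, as an added illustration that is not part of this document or of Huawei's software: a small Python model in which traffic attributes are matched against policy conditions, unmatched traffic passes through, a matched policy without profiles forwards, and a matched policy with profiles runs one integrated detection pass in which any blocking profile wins. The zone names, addresses, time period, signature string and the assumption that the first matching policy decides are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

@dataclass
class Traffic:  # step 1 attributes; hypothetical model, not Huawei's code
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    at: str  # time of day as zero-padded "HH:MM"
    payload: bytes = b""

@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    acl: dict  # src_net, dst_net, dst_port, protocol; "any" or absent matches all
    time_range: Optional[tuple] = None  # ("HH:MM", "HH:MM") time period; None = always
    profiles: List[Callable[[bytes], bool]] = field(default_factory=list)  # True = block

    def matches(self, t: Traffic) -> bool:
        # Step 2: zones, every ACL field and the time period must all match
        if (self.src_zone, self.dst_zone) != (t.src_zone, t.dst_zone):
            return False
        a = self.acl
        for key, ip in (("src_net", t.src_ip), ("dst_net", t.dst_ip)):
            if a.get(key, "any") != "any" and ip_address(ip) not in ip_network(a[key]):
                return False
        for key, val in (("dst_port", t.dst_port), ("protocol", t.protocol)):
            if a.get(key, "any") not in ("any", val):
                return False
        return not self.time_range or self.time_range[0] <= t.at <= self.time_range[1]

def process(policies: List[Policy], t: Traffic) -> str:
    for p in policies:  # first matching policy decides (assumption); none -> forward
        if p.matches(t):
            # Steps 3-4: no profile -> forward; else one detection pass, any block wins
            return "block" if any(prof(t.payload) for prof in p.profiles) else "forward"
    return "forward"

IPS = lambda payload: b"EXPLOIT-SIG" in payload  # constructed stand-in for the IPS profile (Table 7-1)
URL_FILTER = lambda payload: b"Host: blocked.example" in payload  # constructed URL filtering stand-in

POLICIES = [  # policy 1 and policy 2 of Figure 7-2; zones and addresses are constructed
    Policy("Untrust", "DMZ", {"dst_net": "10.1.1.0/24", "dst_port": 80, "protocol": "tcp"}, profiles=[IPS]),
    Policy("Trust", "Untrust", {"protocol": "tcp"}, ("08:00", "18:00"), [IPS, URL_FILTER]),
]
```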

Table 7-1 describes security profiles that can be referenced by security policies and their functions.

Table 7-1  Security profiles and functions

IPS Configuration
  Function: An intrusion prevention system (IPS) detects attacks by comparing traffic contents with the IPS signature database. IPS effectively defends against application-layer attacks such as buffer overflow attacks, Trojan horses, and worms.

URL Filtering Configuration
  Function: Manages and controls users' URL requests. It permits or rejects access to particular web resources in order to control online behavior.

Using Different Security Profiles Together

You can use different security profiles together to provide strong content security protection without wasting system resources.

Table 7-2 describes some tips for using different security profiles together.

Table 7-2  Tips for using different security profiles together

Server protection
  Purpose: Protects servers that provide access to external networks against viruses and intrusion behaviors.
  Security profile:
    • IPS: defends servers against attacks from the application layer.

Web access protection
  Purpose: Protects internal users against viruses and intrusion behaviors when they visit websites and download files.
  Security profiles:
    • IPS: blocks intrusion behaviors during web access.
    • URL filtering: filters illegal and malicious websites, reducing the risk of virus infection and attacks.
Updated: 2019-08-07

Document ID: EDOC1100034077
