Firewall Policies
Firewalls divide the network into security domains by security level, and the domains are isolated from each other by security policy settings such as access control lists (ACLs), packet filtering, security gateway deployment, and anti-attack policies.
Figure 1 shows the firewall deployment on eSight security networking.
Theoretically, all zones are isolated from each other using firewalls. In practice, firewalls are deployed based on site requirements, taking into account the network environment, risks, and investment. In Figure 1, firewalls need to be deployed between the following zones:
- Between the eSight server domain and the eSight client access domain
- Between the eSight third-party server domain and the device domain
Firewall Deployment and ACL Policies
On an eSight network, firewalls are deployed to block illegal traffic once the NE types, NE quantity, and traffic types have been determined.
This is called traffic filtering. Traffic filtering allows only network data that complies with predefined rules to pass through the network, which ensures eSight network security. The traffic to be filtered falls into the following types:
- Traffic between the eSight server and NEs.
- Traffic between the eSight clients and eSight server.
- Traffic between the eSight server and the NMS (upper-layer).
Firewalls can be deployed either by Huawei or by carriers. When configuring firewall policies, ensure that legal traffic can traverse the firewalls. Configure ACL policies to prevent high-risk traffic.
- Basic ACL policy
Specifies the IP addresses from which users are allowed to log in to the system.
- Extended ACL policy
Specifies the source IP addresses, destination IP addresses, source ports, destination ports, and application protocols for users to log in to the system.
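The difference between the two ACL types above, as an added example that is not part of the eSight documentation: a small first-match, default-deny policy evaluator with a basic rule set (source addresses only) and an extended rule set (source, destination, protocol, port) covering the three traffic types listed earlier. All addresses and port numbers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    """A basic rule sets only `src`; an extended rule also sets the other fields."""
    action: str                  # "permit" or "deny"
    src: str                     # source network, e.g. "10.1.2.0/24"
    dst: Optional[str] = None    # extended only: destination network
    proto: Optional[str] = None  # extended only: "tcp" or "udp"
    dport: Optional[int] = None  # extended only: destination port

    def matches(self, flow: Flow) -> bool:
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != flow.proto:
            return False
        return self.dport is None or self.dport == flow.dport

def evaluate(rules, flow: Flow) -> str:
    """First matching rule wins; a flow that matches no rule is denied (default deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"

# Constructed (hypothetical) addresses for the traffic types the text lists.
CLIENTS, SERVER, NES, UPPER_NMS = "10.1.2.0/24", "10.1.1.10/32", "10.2.0.0/16", "10.3.0.5/32"

# Basic ACL: only the source address is checked, so any port from a client passes.
BASIC_ACL = [Rule("permit", CLIENTS), Rule("permit", UPPER_NMS)]

# Extended ACL: the full 5-tuple is checked, so only the expected services pass.
EXTENDED_ACL = [
    Rule("permit", CLIENTS, SERVER, "tcp", 443),    # eSight clients -> eSight server (HTTPS)
    Rule("permit", SERVER, NES, "udp", 161),        # eSight server -> NEs (SNMP)
    Rule("permit", UPPER_NMS, SERVER, "tcp", 443),  # upper-layer NMS -> eSight server
]
```

With the basic ACL a client host can reach any port on the server; the extended ACL limits the same client to HTTPS, which is why high-risk traffic is filtered with extended rules.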
Anti-Attack Policies
An understanding of common network attacks and anti-attack policies helps you prevent malicious operations and reduce security risks.
Common network attacks can be classified into the following types:
- Denial of service (DoS) attack
A large number of unauthorized packets are sent to a target host. As a result, the host suffers network congestion or may be taken over by unauthorized users.
- Scanning and snooping attack
Attackers steal information about port usage and network structure by scanning each IP address and port of the target system.
- Malformed packet attack
A malicious system sends malformed IP packets to the target system, which crashes while processing them.
- Browser exploit against SSL/TLS (BEAST) attack
The TLSv1 and TLSv1.1 protocols are vulnerable to attacks, especially BEAST attacks, because they use CBC-mode cipher suites. Therefore, eSight by default allows eSight clients to connect only over TLSv1.2.
A target system may encounter multiple attacks at a time. Firewalls can protect the target system against common attacks. Proper planning and configuration on the firewalls can prevent malicious attacks from damaging devices on the eSight network.