Recommended Deployment Method
- Determine the firewall deployment position on a network and divide the network into security zones. You need to understand the distribution of current network resources to identify key information assets, services, and their security levels based on the networking diagram.
- Obtain the authorized services running on the network and add them to a whitelist. Service whitelists are classified into the following types:
  - Network infrastructure, such as routing protocols, NTP, FTP, DNS, and VPN
  - Enterprise IT infrastructure, such as the AD/LDAP authentication service, enterprise email, and Windows Update service
  - Management services, such as SNMP, SSH, and RDP
  - Enterprise office applications and services, such as MySQL, Salesforce, GitHub, Office 365, and enterprise-built services
  - Personal applications and services, such as Internet access, social media, and private email
- Determine the communication matrix and service access rules based on the enterprise information security policy, user group structure, and service whitelist.
- Obtain the high-risk applications and services prohibited by the enterprise information security policy, add them to a blacklist, and determine the rules for prohibiting these applications and services.
- Create a temporary security policy on the firewall that permits all traffic, and enable policy matching logs for it.
- Configure security policies for the whitelist and blacklist on the firewall based on the determined service rules. Adjust the security policy sequence so that the temporary security policy sits immediately before the default security policy, as shown in Table 5-1. In this way, all authorized service traffic passes through the firewall without disrupting running services, while unauthorized services fall through to the temporary security policy and are recorded in its logs.
Table 5-1 Security policy list

| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | User | Service | Action | Log |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Block high-risk ports | any | any | any | any | any | Customized service: High-risk ports | deny | - |
| ... | | | | | | | | | |
| 101 | Allow RDP for admin | Trust | DMZ | Customized address group: Management terminal | Customized address group: Server farm | any | rdp-tcp, rdp-udp | permit | - |
| ... | | | | | | | | | |
| 201 | Temporary Security Policy | any | any | any | any | any | any | permit | Policy matching log |
| 202 | default | any | any | any | any | any | any | deny | - |
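The following added example (not the firewall's own data model or code) models the first-match evaluation behind Table 5-1 to show why the ordering matters: a packet that matches no whitelist rule reaches the temporary policy (permit and log) instead of the default deny, and once the temporary policy is deleted the same packet is denied. The address groups, their ranges and the ports in "High-risk ports" are constructed placeholders; the page does not define them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address groups standing in for the customized groups in Table 5-1.
ADDRESS_GROUPS = {
    "Management terminal": ["10.1.1.0/24"],
    "Server farm": ["10.2.0.0/16"],
}


@dataclass
class Rule:
    number: int
    name: str
    src_zone: str = "any"
    dst_zone: str = "any"
    src_group: str = "any"
    dst_group: str = "any"
    services: tuple = ("any",)   # entries such as "tcp/3389", or "any"
    action: str = "permit"
    log: bool = False


def _addr_matches(group, ip):
    """True if ip is in the named address group ('any' matches everything)."""
    if group == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDRESS_GROUPS[group])


def _service_matches(services, proto, port):
    return "any" in services or f"{proto}/{port}" in services


def first_match(rules, src_zone, dst_zone, src_ip, dst_ip, proto, port):
    """Return the first rule whose zones, addresses and service all match (top-down evaluation)."""
    for r in rules:
        if (r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone)
                and _addr_matches(r.src_group, src_ip)
                and _addr_matches(r.dst_group, dst_ip)
                and _service_matches(r.services, proto, port)):
            return r
    raise LookupError("no rule matched; the default rule must always be last")


# Policy list in the order of Table 5-1; the high-risk port set is a constructed example.
RULES = [
    Rule(1, "Block high-risk ports", services=("tcp/445", "tcp/135"), action="deny"),
    Rule(101, "Allow RDP for admin", "Trust", "DMZ", "Management terminal", "Server farm",
         ("tcp/3389", "udp/3389"), "permit"),
    Rule(201, "Temporary Security Policy", action="permit", log=True),
    Rule(202, "default", action="deny"),
]


def without_temporary(rules):
    """The policy list after the final step of the procedure (temporary policy deleted)."""
    return [r for r in rules if r.name != "Temporary Security Policy"]


if __name__ == "__main__":
    for port in (3389, 22, 445):
        hit = first_match(RULES, "Trust", "DMZ", "10.1.1.5", "10.2.3.4", "tcp", port)
        print(f"tcp/{port}: rule {hit.number} ({hit.name}) -> {hit.action}, log={hit.log}")
```

Rule 101 catches admin RDP before the temporary policy sees it, so its traffic produces no temporary-policy logs; SSH from the same host is not whitelisted, matches rule 201, and shows up in the logs as a candidate for a precise rule. After `without_temporary`, that same SSH flow matches rule 202 and is denied.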
- Analyze the policy matching logs to determine whether the unauthorized services they record are legitimate, and add security policies with precise matching conditions for those that are. When analyzing the logs, identify services of the same type by their source and destination IP addresses, source and destination security zones, service, and port. Then aggregate the discrete IP addresses in the logs into address ranges, create address groups from them, and reference those address groups in the precise security policies. You are advised to analyze and process first the service, port, or application that most frequently matches the temporary policy (for example, TCP 3389 in Figure 5-1), because this reduces the log volume fastest.
In addition to the web UI, you can view policy matching logs on the log server or by running the `display firewall session table verbose policy "Temporary Security Policy"` command.
- Move the new security policies so that they precede the temporary security policy.
- Clear the match count of the temporary security policy, then keep observing and analyzing the logs and adding precise security policies until no traffic matches the temporary security policy. This process may take several hours or even days, depending on the complexity of the network services.
- After confirming that all traffic on the network is fully analyzed, delete the temporary security policy.
- Analyze the security risks that may exist when service traffic is permitted and add a proper content security profile for the security policy.
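The log-analysis loop in the steps above (group hits on the temporary policy by zones, service and port; rank by frequency; collapse discrete IPs into address ranges) is shown below as an added Python example. It is not the firewall's own tooling, and the log records are constructed in a simplified whitespace-separated layout rather than the device's real log format; the zone names and addresses are placeholders.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed policy-matching log sample (not the real log format).
# Fields: src_zone dst_zone src_ip dst_ip proto dst_port matched_policy
SAMPLE_LOGS = """\
Trust DMZ 10.1.1.10 10.2.0.5 tcp 3389 Temporary Security Policy
Trust DMZ 10.1.1.11 10.2.0.5 tcp 3389 Temporary Security Policy
Trust DMZ 10.1.1.12 10.2.0.5 tcp 3389 Temporary Security Policy
Trust DMZ 10.1.1.20 10.2.0.5 tcp 3389 Temporary Security Policy
Trust DMZ 10.1.1.11 10.2.0.5 tcp 3389 Temporary Security Policy
Trust Untrust 10.1.5.3 203.0.113.7 udp 123 Temporary Security Policy
Trust DMZ 10.1.1.10 10.2.0.9 tcp 22 Temporary Security Policy
Trust DMZ 10.1.1.10 10.2.0.5 tcp 3389 Allow RDP for admin
"""


def parse_logs(text, policy="Temporary Security Policy"):
    """Keep only records that matched the temporary policy; hits on precise rules need no work."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) != 7 or parts[6] != policy:
            continue
        src_zone, dst_zone, src_ip, dst_ip, proto, port, _ = parts
        records.append((src_zone, dst_zone, src_ip, dst_ip, proto, int(port)))
    return records


def service_groups(records):
    """Group by (src_zone, dst_zone, proto, dst_port), most frequent service first."""
    hits = Counter()
    sources = defaultdict(set)
    dests = defaultdict(set)
    for src_zone, dst_zone, src_ip, dst_ip, proto, port in records:
        key = (src_zone, dst_zone, proto, port)
        hits[key] += 1
        sources[key].add(src_ip)
        dests[key].add(dst_ip)
    return [(key, n, sorted(sources[key], key=ipaddress.ip_address),
             sorted(dests[key], key=ipaddress.ip_address))
            for key, n in hits.most_common()]


def to_ranges(ips):
    """Collapse discrete IPs into contiguous (first, last) ranges for an address group."""
    addrs = sorted({ipaddress.ip_address(ip) for ip in ips})
    ranges = []
    for a in addrs:
        if ranges and ranges[-1][1] + 1 == a:
            ranges[-1][1] = a          # extend the current run
        else:
            ranges.append([a, a])      # start a new run
    return [(str(first), str(last)) for first, last in ranges]


def proposed_policies(text):
    """Candidate precise policies derived from the temporary policy's logs, ranked by hit count."""
    proposals = []
    for (src_zone, dst_zone, proto, port), n, srcs, dsts in service_groups(parse_logs(text)):
        proposals.append({
            "src_zone": src_zone, "dst_zone": dst_zone,
            "service": f"{proto}/{port}", "hits": n,
            "src_ranges": to_ranges(srcs), "dst_ranges": to_ranges(dsts),
        })
    return proposals


if __name__ == "__main__":
    for p in proposed_policies(SAMPLE_LOGS):
        print(f"{p['hits']:>3} hits  {p['src_zone']}->{p['dst_zone']}  {p['service']}  "
              f"src={p['src_ranges']}  dst={p['dst_ranges']}")
```

Each proposal still needs the validity decision the procedure calls for: whether the service is authorized decides if the precise rule is a permit, a deny, or nothing at all. The ranked output only tells you where to look first, and the ranges give you the address-group definitions to reference once you have decided.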