Which Services Require Security Policies?
Huawei firewalls do not apply security policies to every type of traffic. Understanding the following basic rules helps you avoid common configuration problems.
- By default, security policies control only unicast packets and do not control multicast or broadcast packets. You need to configure security policies to permit all authorized unicast packets. The firewall directly forwards multicast and broadcast packets.
  The protocols to which the preceding rule applies include basic network interconnection and interoperability protocols such as BGP, BFD, DHCP, DHCPv6, LDP, and OSPF. You need to configure security policies for unicast packets of these protocols. This is the biggest difference between firewalls and routers or switches. To bring up a network quickly, you can run the undo firewall packet-filter basic-protocol enable command to disable security policy control for these protocols. After this command is executed, unicast packets of these protocols are no longer controlled by security policies.
- You can enable security policy control for Layer 2 multicast packets. After you run the firewall l2-multicast packet-filter enable command to enable this function on the USG6000/USG6000E, you need to configure security policies for all Layer 2 multicast packets except Layer 2 ND (Neighbor Discovery) multicast packets.
- If the interface access control function is enabled for the management protocol used to access the firewall, you do not need to configure security policies for the protocol packets. The interface access control function applies to common management protocols and has a higher priority than the security policy control function. For details, see Local Security Policy and Interface-Specific Access Control.
- For multi-channel protocols such as FTP, you only need to configure security policies for the control channel. After the control channel is established, the IP address and port of the data channel are dynamically negotiated through the control channel, and then the data channel is established based on the negotiation result. You need to enable the application specific packet filter (ASPF) function for multi-channel protocols. The firewall obtains the IP address and port information from negotiation packets, generates server mapping entries, and forwards packets based on the server mapping entries. The server mapping table is equivalent to a dynamically created security policy.
- Huawei firewalls are stateful inspection firewalls. You only need to configure security policies in the direction in which a connection is initiated. After receiving the first packet from the initiator, the firewall performs the security policy check and creates a session entry. Subsequent forward packets and return packets pass through the firewall as long as they match the session entry; the firewall does not perform a security policy check on them. If both communication parties can initiate connections, you need to configure security policies for both directions.
- By default, no security policy needs to be configured for intrazone traffic. According to the design concept of security zones, devices in the same security zone have the same security level, so intrazone traffic is forwarded by default without a security policy check. You can configure security policies for certain intrazone traffic (whose source and destination security zones are the same) to block specific traffic or to apply content security checks to certain permitted traffic. If security requirements are high, you can run the default packet-filter intrazone enable command to make the firewall control intrazone traffic using the default security policy. In this case, you need to configure security policies for all intrazone traffic.
- Security policies do not need to be configured for services that skip security policy check in the firewall forwarding process. For example, if an authentication policy is configured on the firewall and Portal authentication is triggered by user access requests, you do not need to configure security policies to permit Portal authentication traffic. For another example, you do not need to configure security policies for HRP packets exchanged between two firewalls in hot standby mode.
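To make the rules above concrete, the following Python model (added here as an example; it is not Huawei code and does not reproduce the real forwarding engine) walks constructed packets through the decision order the list describes: multicast bypasses policies, unicast basic-protocol traffic is policy-controlled unless the operator turns that off, the first packet of a flow is checked against security policies and creates a session entry that later forward and return packets match, ASPF learns an FTP data channel from the control channel and records it in a server-map table, and intrazone traffic is permitted unless intrazone filtering is enabled. Zone names, addresses, rule names, port numbers used for classification and the FTP reply are all constructed for the example.

```python
"""Model of the policy-check rules in the text (added example, not vendor code)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str   # "tcp", "udp" or a routing protocol name such as "ospf"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str  # "permit" or "deny"


# Unicast traffic of these protocols is policy-controlled unless basic-protocol
# filtering is disabled; the well-known ports are used only to classify packets.
BASIC_PROTOCOLS = {("tcp", 179): "BGP", ("udp", 3784): "BFD",
                   ("udp", 67): "DHCP", ("tcp", 646): "LDP"}

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Extract (ip, port) from an FTP '227 Entering Passive Mode' reply;
    this is the negotiation ASPF reads to build a server-map entry."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


class StatefulFirewall:
    def __init__(self, rules, intrazone_filter=False, basic_protocol_filter=True):
        self.rules = list(rules)
        self.intrazone_filter = intrazone_filter            # default packet-filter intrazone
        self.basic_protocol_filter = basic_protocol_filter  # packet-filter basic-protocol
        self.sessions = set()    # 5-tuples stored in both directions
        self.server_map = set()  # (ip, port, proto) learned by ASPF

    @staticmethod
    def is_unicast(ip):
        addr = ipaddress.ip_address(ip)
        return not addr.is_multicast and ip != "255.255.255.255"

    def _add_session(self, p):
        self.sessions.add((p.src_ip, p.sport, p.dst_ip, p.dport, p.proto))
        self.sessions.add((p.dst_ip, p.dport, p.src_ip, p.sport, p.proto))

    def aspf_inspect(self, ftp_reply, proto="tcp"):
        """Emulate ASPF: learn the data-channel endpoint from the control channel."""
        negotiated = parse_pasv_reply(ftp_reply)
        if negotiated:
            self.server_map.add((negotiated[0], negotiated[1], proto))
        return negotiated

    def decide(self, p):
        if not self.is_unicast(p.dst_ip):
            return "forward:not-unicast"          # security policies never see these
        name = BASIC_PROTOCOLS.get((p.proto, p.dport))
        if name and not self.basic_protocol_filter:
            return f"forward:basic-protocol-{name}"
        if (p.src_ip, p.sport, p.dst_ip, p.dport, p.proto) in self.sessions:
            return "permit:session"               # subsequent or return packet
        if (p.dst_ip, p.dport, p.proto) in self.server_map:
            self._add_session(p)
            return "permit:server-map"            # dynamically negotiated channel
        if p.src_zone == p.dst_zone and not self.intrazone_filter:
            self._add_session(p)
            return "permit:intrazone-default"
        for r in self.rules:                      # first matching rule wins
            if (r.src_zone, r.dst_zone, r.proto, r.dport) == \
                    (p.src_zone, p.dst_zone, p.proto, p.dport):
                if r.action == "permit":
                    self._add_session(p)
                return f"{r.action}:{r.name}"
        return "deny:default"


def scenario():
    """Run constructed packets through the model and collect the verdicts."""
    rules = [Rule("allow-ftp", "trust", "untrust", "tcp", 21, "permit")]
    fw = StatefulFirewall(rules)
    out = {}
    out["ftp_control"] = fw.decide(Packet("trust", "untrust", "10.1.1.10", "203.0.113.20", "tcp", 40000, 21))
    out["ftp_reply"] = fw.decide(Packet("untrust", "trust", "203.0.113.20", "10.1.1.10", "tcp", 21, 40000))
    data = Packet("trust", "untrust", "10.1.1.10", "203.0.113.20", "tcp", 40001, 5001)
    out["data_without_aspf"] = fw.decide(data)
    fw.aspf_inspect("227 Entering Passive Mode (203,0,113,20,19,137)")  # constructed reply
    out["data_with_aspf"] = fw.decide(data)
    bgp = Packet("trust", "untrust", "10.1.1.1", "203.0.113.1", "tcp", 50000, 179)
    out["bgp"] = fw.decide(bgp)
    out["bgp_unfiltered"] = StatefulFirewall(rules, basic_protocol_filter=False).decide(bgp)
    ssh = Packet("trust", "trust", "10.1.1.10", "10.1.1.11", "tcp", 40002, 22)
    out["intrazone"] = fw.decide(ssh)
    out["intrazone_filtered"] = StatefulFirewall(rules, intrazone_filter=True).decide(ssh)
    out["ospf_hello"] = fw.decide(Packet("trust", "local", "10.1.1.1", "224.0.0.5", "ospf", 0, 0))
    return out


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:20} {verdict}")
```

The point the run makes is the one the list makes: only the FTP control channel needs a rule, the return packet and the negotiated data channel are admitted by the session table and the server-map respectively, the same data packet is dropped if ASPF has not inspected the control channel, and intrazone or BGP traffic changes verdict purely on the two operator-controlled switches rather than on any rule.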
The security requirements of firewalls complicate configuration, and the complexity of configuration and management in turn undermines security. You need to be familiar with these rules and configurations and find the configuration method that best strikes a balance between services and security.