Quidway S7700 Smart Routing Switch
Configuration Guide - SPU
A zone is an interface or a group of multiple interfaces. The users in a zone have the same security
attributes. Each zone has a unique security priority. That is, the priorities of any two zones are
different.
The SPU considers that the data transmission within a zone is reliable; therefore, it does not
enforce any security policy on the intra-zone data transmission. The SPU verifies the data and
enforces the security policies only when the data flows from one zone to another.
Interzone
Any two zones form an interzone. Each interzone has an independent interzone view. Most
firewall configurations are performed in the interzone views.
Assume that there are zone1 and zone2. In the interzone view, ACL-based packet filtering can
be configured. The configured filtering policy is then enforced on the data transmission between
zone1 and zone2.
Direction
In an interzone, data is transmitted in either the inbound or the outbound direction.
l Inbound: data flows from a zone with lower priority to a zone with higher priority.
l Outbound: data flows from a zone with higher priority to a zone with lower priority.
ACL-based Packet Filtering
ACL-based packet filtering is used to analyze the information of the packets to be forwarded,
including source/destination IP addresses, source/destination port numbers, and IP protocol
number. The SPU compares the packet information with the ACL rules and determines whether
to forward or discard the packets.
In addition, the SPU can filter the fragmented IP packets to prevent the non-initial fragment
attack.
ASPF
ASPF is applied at the application layer; that is, ASPF is status-based (stateful) packet filtering.
ASPF detects the application-layer sessions that attempt to pass through the firewall and discards
undesired packets.
The ACL-based packet filtering firewall detects packets at the network and transport layers. The
ASPF function and the common packet filtering firewall can be used together to enforce the
security policies on an internal network.
The SPU performs ASPF for File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP)
packets.
Blacklist
A blacklist filters packets based on source IP addresses. Compared with the ACL, the blacklist
uses simpler matching fields to implement high-speed packet filtering. Packets from certain IP
addresses can be filtered out.
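The following is an added illustration, not code from the Huawei guide: a small Python model of the zone, interzone, direction, ACL-filtering and blacklist concepts described above. Zone names, priorities, interface names, addresses and the default-deny behaviour when no rule matches are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example data: each zone has a unique priority; interfaces map to zones.
ZONE_PRIORITY = {"trust": 85, "untrust": 5}
IF_ZONE = {"GE1/0/1": "trust", "GE1/0/2": "trust", "GE1/0/3": "untrust"}

@dataclass
class Rule:                 # one ACL rule configured in an interzone view
    action: str             # "permit" or "deny"
    src: str                # source network (CIDR)
    dst: str                # destination network (CIDR)
    proto: str = "any"      # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None

@dataclass
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None
    non_initial_fragment: bool = False

def direction(src_zone: str, dst_zone: str) -> str:
    """Inbound: lower-priority zone -> higher-priority zone; outbound is the reverse."""
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"

def matches(rule: Rule, pkt: Packet) -> bool:
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def filter_packet(pkt: Packet, interzone_acl: dict, blacklist: set,
                  drop_non_initial_fragments: bool = True) -> str:
    src_zone, dst_zone = IF_ZONE[pkt.in_if], IF_ZONE[pkt.out_if]
    if src_zone == dst_zone:
        return "permit"      # intra-zone traffic: the SPU enforces no policy
    if pkt.src in blacklist:
        return "deny"        # blacklist matches on source address only
    if pkt.non_initial_fragment and drop_non_initial_fragments:
        return "deny"        # non-initial fragments carry no L4 header to check
    key = (frozenset((src_zone, dst_zone)), direction(src_zone, dst_zone))
    for rule in interzone_acl.get(key, []):   # first matching rule decides
        if matches(rule, pkt):
            return rule.action
    return "deny"            # assumed default when no interzone rule matches
```

Policy for the trust/untrust interzone in this model would be a dict keyed by `(frozenset(("trust", "untrust")), "inbound")` and `(..., "outbound")`, each holding a list of `Rule` objects.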
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration
29