Firewall Overview; Firewall Features Supported By The Spu - Huawei S9700 Series Configuration Manual

S9700 Core Routing Switch
Configuration Guide - SPU

2.1 Firewall Overview

A firewall discards unwanted packets and protects the systems and key resources on the internal
network.
In a building, a firewall is designed to prevent fire from spreading from one place to another.
Similarly, a firewall on the network prevents hazards on the Internet from spreading to the
internal network.
Located at the network boundary, a firewall prevents unauthorized access to the protected
network and gives internal users secure access to web services across the Internet.
Packets from the Internet to the internal network and packets from the internal network to the
Internet both pass through the firewall; therefore, the firewall acts as a guard that can discard
undesired packets.
A firewall can also be used to protect systems and key resources, such as data, on the internal
network. A firewall filters access to the protected data, including access from inside the network.
A firewall also serves as an access control gateway that restricts access to the Internet. For
example, it allows specified internal users to access the Internet. Firewalls also provide other
functions, such as identity authentication and security processing (packet encryption).
The SPU has the following functions:
- ACL-based packet filtering: filters packets through an ACL.
- ASPF: filters packets at the application layer.
- Blacklist: filters packets based on source IP addresses.
- Whitelist: prevents the specified IP addresses from being added to the blacklist and filters
  packets based on source IP addresses.
- Port mapping: defines new port numbers for different application-layer protocols,
  protecting the server against service-specific attacks.
- Attack defense: detects various network attacks and takes measures to protect the internal
  network against attacks.
- Traffic statistics and monitoring: monitors traffic volume, detects the connections between
  internal and external networks, and carries out calculation and analysis.

2.2 Firewall Features Supported by the SPU

The firewall features supported by the SPU include ACL-based packet filtering, blacklist,
whitelist, application specific packet filter (ASPF), port mapping, transparent firewall, virtual
firewall, attack defense, traffic statistics and monitoring, and logs.
Security Zone
The security zone, also referred to as a zone, is the basis of a firewall. All the security policies
are enforced based on zones.
A zone is an interface or a group of multiple interfaces. The users in a zone have the same security
attributes. Each zone has a unique security priority. That is, the priorities of any two zones are
different.

Issue 01 (2012-03-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration
