HCIP-Security V4.0 Training Material_unlocked.pdf


Uploaded by MeticulousTaylor

2022

Overview of Cyber Security Certification
Foreword
⚫ Before studying the HCIP-Security course, we need to learn about the course positioning and outline.
⚫ In January 2022, China's Ministry of Industry and Information Technology released the Competency Framework of Industrial Talents in Network Information Security, which standardizes the types and responsibilities of cyber security engineers. Accordingly, HCIP-Security certification is intended for security implementation engineers and security O&M engineers.
⚫ In this course, we will learn the types and responsibilities of cyber security engineers, the capability models for security implementation engineers and security O&M engineers, and the HCIP-Security course outline.
1 Huawei Confidential
Objectives
⚫ On completion of this course, you will be able to:
 Describe the position classification and responsibilities of cyber security engineers.
 Describe the capability model for security implementation engineers.
 Describe the capability model for security O&M engineers.
 Understand the HCIP-Security course outline.
Contents
1. Capability Models for Cyber Security Engineers
2. Cyber Security Certification
Major Directions of Cyber Security and Positions
⚫ Cyber security engineers apply security technologies, products, and services in the planning and design, construction and implementation, operations and maintenance (O&M), and emergency response and defense phases, and are responsible for full-lifecycle security compliance and management. In this way, information, information systems, and information infrastructure and networks remain confidential, intact, and available, and are protected from damage, change, disclosure, or excessive use due to unintentional, accidental, or malicious causes.
⚫ The following figure shows full-lifecycle cyber security and the position directions of cyber security engineers.
[Figure: full-lifecycle cyber security and position directions. Security planning and design: requirement analysis, security planning, security design. Security construction and implementation: security development, security test, security implementation. Security O&M: security product O&M, platform security management, data security management. Security emergency response and defense: security detection and analysis, vulnerability discovery and analysis, security emergency response and defense. Security compliance and management: compliance consulting, security verification, risk control, security investigation.]
This course is intended for security implementation engineers and security O&M engineers. This section is based on the Competency Framework of Industrial Talents in Network Information Security released by China's Ministry of Industry and Information Technology in January 2022. According to the assurance system of the cyber security life cycle, positions in the cyber security industry fall into five directions: security planning and design, security construction and implementation, security O&M, security emergency response and defense, and security compliance and management.
▫ Security planning and design is the basic step in the whole cyber security life cycle. It comprehensively plans and designs the security assurance system of a network system based on product and service security requirements, including security requirement analysis, security strategy planning, and security architecture design.
▫ Security construction and implementation is a key step in the whole cyber security life cycle. It mainly refers to security development, testing, and implementation based on security requirements, including security product development, basic security testing, and onsite security implementation.
▫ Security O&M is an important step in the whole cyber security life cycle. After information, information systems, and information infrastructure and networks are delivered and put into use, security O&M personnel and tools are deployed based on the security framework, security policies, and a mature O&M management system, and effective and efficient technical means are used to monitor operation and perform security maintenance on the information, information systems, and information infrastructure and networks to keep them secure. Security O&M includes security product O&M, platform security management, and data security management.
▫ Security emergency response and defense is an important safeguard for the whole cyber security life cycle. It identifies, analyzes, and handles security threats to information, information systems, and information infrastructure and networks through security detection, vulnerability analysis, and defense technologies. It also collects cyber security information and performs security analysis, proactively assesses the effectiveness of protection measures through penetration testing and attack and defense drills, continuously improves protection measures, and responds quickly when a security event occurs. It includes security detection and analysis, vulnerability discovery and analysis, and security protection and emergency response.
▫ Security compliance and management runs through the whole cyber security life cycle. It provides security compliance consulting, analyzes risks, provides solutions, and performs compliance supervision, risk control, and security assessment based on related laws, regulations, standards, and actual security requirements. It involves security compliance consulting, risk control, security assessment, and cyber security investigation.
Position Requirements for Cyber Security Talents
⚫ Before introducing the capability models for security implementation engineers and security O&M engineers, we need to learn about the position requirements for cyber security talents.
⚫ Cyber security talents should meet four position requirements: comprehensive capabilities, professional knowledge, technical skills, and engineering practices.
[Figure: the four position requirements. Comprehensive capabilities (behaviors and comprehensive qualities): self-study; communication and coordination; requirement and trend analysis; ... Professional knowledge (necessary knowledge): basic theories; relevant standards and specifications; relevant laws and regulations; ... Technical skills: professional knowledge; use of professional tools; theoretical knowledge and operational skills; insights into service scenarios; ... Engineering practices (necessary experience): actual engineering; project promotion; ...]
This course focuses on the development of professional knowledge and technical skills.
Capability Model for Security Implementation Engineers
⚫ Security implementation engineers and security O&M engineers mainly work in the security operation and maintenance phase.
⚫ Security implementation engineers are responsible for planning and designing security implementation solutions and carrying out the engineering implementation, as well as for formulating and compiling acceptance solutions, training solutions, and delivery documents. Their professional knowledge and technical skill requirements are as follows:
Professional knowledge:
▪ Master the current standards related to cyber security services.
▪ Be familiar with the technical specifications and implementation processes of security attack and defense drills, penetration testing, security consulting, code audit, and emergency response in the cyber security service system.
▪ Be familiar with the configurations of cyber security devices.
▪ Master the basic commands and tools of the operating system and be familiar with common services.
▪ Be familiar with the basic knowledge related to cyber security services, and with the principles, deployment, and security assessment methods of mainstream security vendors' equipment.
▪ Be familiar with basic network principles, TCP/IP protocols, common protocols such as HTTP, FTP, and SNMP, and routine maintenance operations of switches and routers.
Technical skills:
▪ Master skills such as port monitoring, vulnerability analysis and detection, permission management, intrusion and attack analysis and tracing, website penetration prevention, and virus and Trojan horse prevention.
▪ Master security service rules and their creation, and provide integrated and advanced security solutions for sophisticated service environments.
▪ Be familiar with system and application security protection, the working principles of vulnerability scanning, and cyber security technologies.
According to this slide, the professional knowledge and technical skill requirements for implementation engineers are as follows:
▫ Security standards, such as ISO 27001. For details, see the HCIA-Security certification.
▫ Security construction rules and solutions: implementation engineers need to know the implementation details of the security solutions in full.
▫ Network principles and configurations of cyber security devices: implementation engineers must master the deployment and configuration of cyber security devices, which are also key points of the HCIA/HCIP-Security certifications.
▫ System and application security: services run on servers and operating systems. Therefore, system and application security must be fully considered during security implementation.
▫ Technologies and processes such as attack and defense drills and emergency response: the feasibility of routine O&M needs to be considered during security solution deployment.
Capability Model for Security O&M Engineers
⚫ Security O&M engineers perform security maintenance, security inspection, policy maintenance and management, configuration changes, troubleshooting, and security analysis on servers, network devices, security products, and network information systems to eliminate detected threats and reduce the security risks faced by enterprises.
⚫ Their professional knowledge and technical skill requirements are as follows:
Professional knowledge:
▪ Master the technical guides and standards related to security O&M.
▪ Master the common operation commands of operating systems and network devices.
▪ Master the detection and protection principles of security vulnerabilities in common applications and operating systems, such as SQL injection, XSS, and privilege escalation vulnerabilities, and fix the vulnerabilities.
▪ Be familiar with the processes and methods of security monitoring, security analysis, risk handling, and emergency response in security O&M.
▪ Be familiar with common network monitoring methods.
Technical skills:
▪ Master O&M operations on common cyber security products, such as firewalls, IDS/IPS, and log audit.
▪ Master network operation protocols such as TCP/IP.
▪ Be familiar with the attack principles of common security vulnerabilities.
▪ Be proficient in using operating systems such as Linux and Windows and databases such as Oracle and MySQL.
Security O&M engineers and security implementation engineers face similar requirements on professional knowledge and technical skills. Security implementation engineers focus on the deployment of security solutions, security devices, and functions. Higher requirements are placed on O&M engineers in terms of troubleshooting, threat identification, and emergency response. Accordingly, security certification focuses on the planning and design of cyber security solutions, implementation and construction, and O&M and optimization.
Contents
1. Capability Models for Cyber Security Engineers
2. Cyber Security Certification
◼ Panorama of Cyber Security Concepts and Huawei Security Certification
▫ HCIP-Security Course Outline
Panorama of Cyber Security Concepts
[Figure: panorama of cyber security concepts, grouped into emerging application scenarios (cloud security with cloud native security, cloud application security, secure cloud service and security operation on the cloud; industrial control security; IoT security; mobile security; 5G security) and the general security domain (infrastructure security, service security, security management and operations, security services). Items shown include threat management, key management, situational awareness, asset management, log audit, security awareness, identity authentication, emergency response, security consulting, security operation and audit, encryption service, data masking, backup and restoration, data leakage prevention, risk assessment, database security, data security, computer forensics, penetration testing, WAF, load balancing, content security, vulnerability scan, threat prevention, application security, key event security assurance service, intrusion prevention, desktop management, antivirus, attack and defense drill, host security, security training, access control, DDoS mitigation, firewall, encrypted transmission, network reliability, and online behavior management.]
The above figure shows common cyber security concepts in the general security domain and in emerging application scenarios.
▫ General security domain: any network involves security technologies, including infrastructure security, service security, security management and operation, and sometimes security services.
▪ Infrastructure security: security devices and their functions ensure the security of the entire network, including protecting intranet services, the network architecture, and facilities.
▪ Service security: the security of services and the devices that bear them must be ensured, including protecting hosts, the applications on hosts, and background data.
▪ Security management and operation: any network requires security management, including administrative regulations and technical management methods such as security awareness cultivation and security situational awareness.
▪ Security services: security service providers provide services such as risk assessment and attack and defense drills for enterprises.
▫ Emerging application scenarios: feature-based protection is added on top of general security technologies according to the uniqueness of the service. For example, in the cloud security scenario, cloud application security needs to be protected in addition to applying general security technologies.
▫ This course applies to cyber security implementation engineers and O&M engineers, focuses on infrastructure security, and partially covers service security and security management and operation.
Overview of Huawei Security Certification
[Figure: the three Huawei security certification levels. Expert (cyber security architect): "Everything in charge, building secure network solutions"; enables learners to gain a deep understanding of defense skills and to integrate enterprise security planning and management technologies, helping to cultivate security architects; covers cyber security attacks and defense, security O&M and analysis, security networking technologies, security planning and design, information security deployment, and cloud security. Professional (security implementation engineer, security O&M engineer): "Four areas, sharpening the mind"; focuses on the secure communication network, security zone border, secure computing environment, and security management center, with in-depth explanation based on security products and a focus on implementation practice; covers high reliability technologies, intelligent uplink selection on the firewalls, VPN technologies, traffic management technologies, cyber attack defense, firewall virtual system, content security filtering, application threat prevention, access control, and emergency response. Associate (security implementation engineer, security O&M engineer): "Five modules, opening the security gate"; provides the theoretical basis and enables beginners to improve security awareness and learn the technology framework of information security; covers concepts of cyber security, basic network knowledge, firewall basics, encryption and decryption technologies, and intrusion prevention.]
HCIA-Security certification mainly applies to security implementation engineers and security O&M engineers. It is intended for people who are about to engage in, or are interested in, related fields, such as students and new employees. After passing the certification, examinees have demonstrated mastery of basic information security knowledge and related technologies (such as Huawei firewall technologies, encryption and decryption technologies, and the PKI certificate system) on small- and medium-sized networks, and the ability to build information security networks for small- and medium-sized enterprises to ensure the security of networks and applications.
HCIP-Security certification also mainly applies to security implementation engineers and security O&M engineers. After passing this certification, examinees have demonstrated mastery of Huawei cyber security technologies (including network architecture security, boundary security, application security, and endpoint security) and the ability to design, deploy, and maintain cyber security architectures for medium- and large-sized enterprises, and to identify and respond to risks promptly to ensure the security of enterprise information assets.
HCIE-Security certification focuses on cyber security architects, cultivating and certifying security experts with comprehensive capabilities in the design, deployment, and O&M of enterprise information security solutions. After passing this certification, examinees have demonstrated mastery of the latest security system architectures and best practices of security standards, and comprehensive capabilities in the design, deployment, and O&M of information security solutions for medium- and large-sized enterprises. They can meet enterprises' evolving requirements for network security and address increasingly diversified network security challenges.
Contents
1. Capability Models for Cyber Security Engineers
2. Cyber Security Certification
▫ Panorama of Cyber Security Concepts and Huawei Security Certification
◼ HCIP-Security Course Outline
HCIP-Security Course Framework
[Figure: HCIP-Security V4.0 course framework. Certification overview: cyber security certification. Secure communication network: high reliability of firewalls, intelligent uplink selection on the firewalls, IPsec VPN, SSL VPN, traffic management on the firewalls. Security zone border: cyber attacks and defense, firewall virtual system, content security filtering technologies. Secure computing environment: vulnerability defense and penetration testing, network access control. Security management center: emergency response. Case studies: case studies of enterprise network security.]
This course first describes the positioning and framework of the HCIP-Security course in "Overview of Cyber Security Certification". The high-level knowledge of the Huawei cyber security solution is divided into four aspects: secure communication network, security zone border, secure computing environment, and security management center. Building on the basic knowledge points of HCIA-Security, this course describes the technical details of the Huawei cyber security solution. Finally, Huawei cyber security cases are used to systematically explain how security implementation engineers deploy security solutions and how security O&M engineers perform routine O&M.
Overview of Enterprise Network Security Threats
⚫ An enterprise faces internal and external security threats. The following figure shows a typical enterprise network architecture.
[Figure: typical enterprise network architecture. Carrier side: DDoS attacks and viruses arrive through the router. Boundary: Anti-DDoS, firewall, WAF, IPS. Computing environment (server area): core switch, web server, email server, vulnerability scan, WAF, IPS. Computing environment (office area): access switches serving employee areas 1 and 2. Management center: SecoManager, big data security analysis platform, log analysis platform, endpoint security management.]
Security threats to enterprise networks can be classified into the following types:
▫ External threats: security threats from outside the enterprise network, such as DDoS attacks, viruses, Trojan horses, worms, network scans, spam, phishing emails, and web vulnerability attacks.
▫ Internal threats: an unreliable network structure, a network without isolation, endpoint vulnerabilities, uncontrolled employee behavior, information security violations, information leakage, disordered permission management, and unauthorized access.
Emerging security threats pose more and more challenges to enterprises, and enterprise security requirements increase accordingly.
Communication Network | Boundary | Computing Environment | Management Center
Communication Network Security Requirement - Device Redundancy
⚫ The network architecture of the secure communication network needs to provide hardware redundancy for communication lines, key network devices, and key computing devices to ensure system availability. These devices include but are not limited to forwarding devices such as routers and switches and security devices such as firewalls, IPS, and Anti-DDoS.
⚫ High reliability of firewalls is used as the example here. The HCIA-Security course describes the operating principles and service forwarding mechanism of firewalls in hot standby mode. The HCIP-Security course introduces more networking and routine O&M operations of firewalls in hot standby mode.
[Figure: device redundancy. Router A and Router B connect to the Internet; Firewall A (master) and Firewall B (backup) sit behind them; Switch A and Switch B connect intranet hosts A and B, whose traffic to the Internet passes through the hot standby firewalls.]
Communication Network Security Requirement - Line Redundancy
⚫ Large- and medium-sized enterprises usually have multiple egress links, and firewalls typically serve as the network egress devices. Egress devices usually select the optimal link based on routes, or randomly select a link from equal-cost routes, to forward traffic. However, quality, bandwidth, and cost vary from link to link. Enterprises need to dynamically select the optimal path based on their requirements, or distribute traffic across the links in appropriate proportions, to improve link resource utilization and user experience.
[Figure: line redundancy. A firewall with three egress links: ISP1 (link bandwidth 200 Mbit/s, overload protection threshold 90%, 50% of the traffic is transmitted), ISP2 (link bandwidth 100 Mbit/s, overload protection threshold 90%, 25% of the traffic is transmitted), and ISP3 (link bandwidth 100 Mbit/s, overload protection threshold 90%, 25% of the traffic is transmitted); users sit behind the firewall.]
Communication Network Security Requirement - Encrypted Transmission
⚫ There are two ways to prevent enterprise information from being stolen during transmission: private line transmission and encrypted VPN transmission. Private line transmission applies to communication between different organizations and is expensive. Therefore, encrypted VPN transmission is commonly used on live networks.
 In the site-to-site scenario, IPsec VPN is mainly used.
 In the site-to-client scenario, SSL VPN is mainly used.
[Figure: an enterprise branch connects to the enterprise HQ over the Internet through IPsec VPN, which encrypts data to ensure transmission security; an employee on a business trip connects through SSL VPN, which authenticates user identities while ensuring data confidentiality.]
Communication Network Security Requirement - Bandwidth Management
⚫ The network architecture of the secure communication network needs to ensure that the bandwidth required by all services on the network is available during peak hours. Bandwidth management can be configured on the firewall to guarantee bandwidth for key services. In addition, quota control policies can be configured on the firewall to manage users' Internet access traffic and duration, improving employees' work efficiency.
[Figure: departments A and B in the Trust zone reach the Untrust zone through the firewall and a router; from 8:00 to 18:00, key services (ERP and email) are guaranteed bandwidth while non-key services (P2P and online video) are limited.]
Security Threats to the Boundary - Defense Against Network Attacks
⚫ A firewall is typically deployed at the egress of an enterprise intranet. After the attack defense function is enabled, the firewall distinguishes between legitimate traffic and attack traffic, permits legitimate traffic, and blocks attack traffic. This ensures that intranet servers and PCs run properly, enabling uninterrupted services for authorized users.
[Figure: the firewall permits legitimate traffic from an authorized user to the enterprise intranet server and blocks attack traffic from an attacker's PC.]
⚫ Scanning and snooping attack
⚫ Malformed packet attack
⚫ Special packet attack
⚫ DDoS attack
Security Requirements at the Boundary - Network Isolation
⚫ Large- and medium-sized enterprises typically have complex organizational structures, a large number of network devices, and complex network environments. As enterprise services expand, each service department has its own security requirements. If all security configurations are made on the same firewall, the configuration becomes complicated and the administrator's operations are prone to errors. Firewall virtualization allows the administrator to divide a network into multiple subnets and configure a virtual system for each subnet, simplifying service management.
[Figure: the R&D, financial, and administrative departments of the enterprise intranet each map to their own virtual system (R&D, finance, administration) on the firewall, with service data flows passing through the public system.]
Security Requirements at the Boundary - Application Content Security
⚫ 70% of information security events result from internal employees' improper operations or lack of security awareness. For compliance and service reasons, enterprises need to manage employee behavior and application content to ensure that employees do not violate regulations, enterprise secrets are not disclosed, and intranet security is guaranteed.
[Figure: content security on the firewall between the enterprise intranet (Trust zone: R&D dept., sales dept., file server) and the DMZ/Internet (Untrust zone: web server, email server, file server). Functions shown: 1 URL filtering (access a website with a valid domain name), 2 DNS filtering, 3 file filtering, 4 data filtering, 5 mail filtering (manage confidential mail sending and receiving, restrict the attachment size), 6 application behavior control (HTTP and FTP behavior control). Threats shown: games, viruses, violence, information leakage.]
Content security filtering:
▫ URL filtering regulates online behavior by controlling which URLs users can access, permitting or rejecting access to specified web page resources.
▫ DNS filtering is applied in the domain name resolution phase to prevent employees from accessing illegal content or malicious websites that may introduce threats such as viruses, Trojan horses, and worms.
▫ File blocking blocks the transmission of certain types of files, which reduces the risk of executing malicious code and spreading viruses on the internal network, and prevents employees from transmitting the enterprise's confidential files to the Internet.
▫ Data filtering falls into two types: file data filtering and application data filtering. File data filtering filters uploaded and downloaded files by keyword; the administrator can specify the file transfer protocols or the types of files to be filtered. Application data filtering filters application content by keyword; the device filters different data for different applications.
▫ Mail filtering filters mails by checking the email addresses of the sender and recipient, the attachment size, and the number of attachments.
▫ Application behavior control precisely regulates users' HTTP and FTP behaviors (such as upload and download).
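The line redundancy slide above describes distributing egress traffic across links in proportion to their bandwidth (50%/25%/25% for 200/100/100 Mbit/s) and protecting each link with a 90% overload threshold. The following Python model is an added example, not part of the Huawei material and not a description of any Huawei product's implementation; the Link class, the select_link/distribute functions, the fixed-size session model and the sample values are assumptions.

```python
"""Proportional egress link selection with overload protection.

Added example (not from the HCIP-Security material): models the line
redundancy slide, where a firewall with three ISP links (200, 100 and
100 Mbit/s) distributes traffic 50%/25%/25% by bandwidth and stops placing
new sessions on a link once that link reaches its 90% overload protection
threshold. Class and function names, the session model (one session = a
fixed number of Mbit/s) and the sample values are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    bandwidth_mbps: float
    overload_threshold: float = 0.90   # fraction of bandwidth, as on the slide
    load_mbps: float = 0.0             # traffic currently placed on the link

    def utilization(self) -> float:
        return self.load_mbps / self.bandwidth_mbps

    def can_accept(self, session_mbps: float) -> bool:
        """Eligible only while the new session keeps the link at or below
        its overload protection threshold."""
        projected = (self.load_mbps + session_mbps) / self.bandwidth_mbps
        return projected <= self.overload_threshold


def target_shares(links):
    """Share of traffic each link should carry, proportional to bandwidth."""
    total = sum(link.bandwidth_mbps for link in links)
    return {link.name: link.bandwidth_mbps / total for link in links}


def select_link(links, session_mbps):
    """Place one session on the eligible link that is furthest below its
    target share. Returns the link name, or None when every link would be
    pushed past its overload threshold (the session is not forwarded)."""
    eligible = [link for link in links if link.can_accept(session_mbps)]
    if not eligible:
        return None
    shares = target_shares(links)
    carried = sum(link.load_mbps for link in links)

    def deficit(link):
        actual = link.load_mbps / carried if carried else 0.0
        return shares[link.name] - actual

    chosen = max(eligible, key=deficit)   # ties go to the first link listed
    chosen.load_mbps += session_mbps
    return chosen.name


def distribute(links, sessions, session_mbps):
    """Place `sessions` equal-sized sessions and return (per-link counts,
    number of sessions rejected because all links were overloaded)."""
    counts = {link.name: 0 for link in links}
    rejected = 0
    for _ in range(sessions):
        name = select_link(links, session_mbps)
        if name is None:
            rejected += 1
        else:
            counts[name] += 1
    return counts, rejected


def slide_links():
    """The three links drawn on the line redundancy slide (constructed sample)."""
    return [Link("ISP1", 200.0), Link("ISP2", 100.0), Link("ISP3", 100.0)]


if __name__ == "__main__":
    counts, rejected = distribute(slide_links(), 100, 1.0)
    print(counts, "rejected:", rejected)   # {'ISP1': 50, 'ISP2': 25, 'ISP3': 25} rejected: 0
```

With 400 one-megabit sessions the model places 180/90/90 and rejects the remaining 40, which is the overload protection threshold doing its job rather than a 2:1:1 split being forced through.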
Security Threats in the Computing Environment - Application Threats
⚫ The internal network computing area involves hardware devices such as office computers, servers, and mobile endpoints, as well as the systems, applications, and data on those devices. When vulnerabilities exist on the intranet, it is exposed to various application threats, such as viruses and intrusions. Security implementation engineers usually deploy security devices to protect the computing area. Security O&M engineers detect vulnerabilities promptly through vulnerability scans in their daily work, install patches, and sometimes perform penetration testing to prevent potential threats to the network.
[Figure: an attacker on the Internet launches a virus attack and SQL injection against a server in the enterprise intranet computing area, which is protected by a firewall, IPS, switch, and WAF; an internal user also accesses the server.]
Security Requirements in the Management Center - Emergency Response
⚫ Security O&M engineers need to understand the network security posture to identify security risks and prevent or respond to security threats promptly.
⚫ Emergency response refers to the preparations an organization makes to respond to emergencies and major information security incidents, as well as the measures taken after such incidents occur.
⚫ Emergency response reduces the losses suffered by enterprises and the negative impact of information security incidents.
Security incidents: a security incident affects the proper running of a system. Security incidents include hacker intrusion, information theft, denial of service (DoS) attacks, and abnormal network traffic.
Emergency response: organizations make preparations to cope with unexpected or major information security incidents and take a series of measures after security incidents occur.
Security Requirements in the Management Center - Access Control
⚫ If an employee with excessive permissions operates improperly, for example, deletes the database by mistake, the security risk to the service system increases.
⚫ Moreover, if visitors in an enterprise access the enterprise's intranet without authorization, the service system may be damaged and key information assets may be leaked.
⚫ In this case, access users need to be authenticated and their authorization needs to be managed. Access control is therefore necessary for every campus network.
[Figure: access control example. Endpoints (wired endpoint, dumb endpoint, wireless endpoint) connect through network access devices using 802.1X/Portal or MAC authentication; on the server side are the access control server, the patch/virus database/software server, and the service server.]
Quiz
1. (Multiple-Answer Question) Which of the following items are not included in infrastructure security? ( )
A. Encrypted transmission
B. Vulnerability scan
C. Situational awareness
D. Network reliability
2. (True or false) Firewall reliability is a security measure for the boundary. ( )
A. T
B. F
Answers: 1. BC 2. B
Summary
⚫ This course covers the classification and responsibilities of cyber security engineers, the capability models for security implementation engineers and security O&M engineers, and the coverage of the Huawei HCIP-Security certification course based on those capability models.
⚫ After learning this course, you will be able to describe the classification of security engineers and the talent requirements for related positions, and understand the HCIP-Security course outline.
Recommendations
⚫ Huawei official websites:
▫ Enterprise service: https://e.huawei.com/en/
▫ Technical support: https://support.huawei.com/enterprise/en/index.html
▫ Online learning: http://learning.huawei.com/en/

Acronyms and Abbreviations (1/2)
Acronym/Abbreviation: Full Name
5G: 5th Generation
AntiDDoS: Anti Distributed Denial of Service
DNS: Domain Name Server
DDoS: Distributed Denial of Service
ERP: Enterprise Resource Planning
FTP: File Transfer Protocol
HTTP: Hypertext Transfer Protocol
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
ISP: Internet Service Provider
IPsec: Internet Protocol Security
SNMP: Simple Network Management Protocol

Acronyms and Abbreviations (2/2)
Acronym/Abbreviation: Full Name
SQL: Structured Query Language
SSL: Secure Sockets Layer
TCP/IP: Transmission Control Protocol/Internet Protocol
URL: Uniform Resource Locator
WAF: Web Application Firewall
XSS: Cross-Site Scripting

Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.
Copyright© 2022 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

Firewall High Reliability Technologies

Foreword
⚫ Firewalls, as key network elements (NEs), are usually deployed at the border of an enterprise's network or between different areas of an enterprise's intranet. To ensure the stable and reliable running of an enterprise's network, multiple technologies are required to improve the reliability of the deployed firewalls.
⚫ Firewall high reliability technologies are typically implemented through device redundancy and link redundancy. This course describes the principles and application scenarios of firewall high reliability technologies.

Objectives
⚫ Upon completion of this course, you will be able to:
▫ Describe the principles of firewall high reliability technologies.
▫ Understand the high reliability networking modes of the firewall.
▫ Describe the application scenarios of firewall high reliability technologies.
▫ Configure firewall high reliability technologies.

Contents
1. Overview of Firewall High Reliability Technologies
2. Firewall Hot Standby
3. Firewall Link High Reliability
4. Hot Standby Version Upgrade and Troubleshooting

Background of Firewall High Reliability Technologies
⚫ Unreliable hardware in the network architecture is mainly caused by unreliable devices and unreliable links. The following uses the firewall as an example:
(Figure: a PC on the intranet reaches a server through a single firewall; a device fault on the firewall or a link fault on its only egress link interrupts the service.)
▫ Device fault: When a hardware or service function fault occurs on the firewall, communication between all hosts that use the firewall as the default gateway and the Internet is interrupted.
▫ Link fault: When the only egress link of the firewall is faulty, communication between all hosts that use the firewall as the default gateway and the Internet is interrupted.

Overview of Firewall High Reliability Technologies
⚫ Firewall high reliability is classified into device high reliability and link high reliability.
Device high reliability technologies:
▫ Hot standby: Two firewalls work in hot standby mode. When one firewall is faulty, the other firewall takes over its services to ensure service continuity.
▫ Cross-DC cluster: Firewalls in other data centers can take over services from a faulty firewall in a data center. In this way, firewalls in different data centers back each other up.
▫ Hardware bypass: The hardware bypass function enables a faulty firewall to forward traffic directly without processing it, thereby preventing service interruption.
Link high reliability technologies:
▫ Eth-Trunk: Multiple physical interfaces are bound into a logical interface to improve link reliability.
▫ IP-Link: ARP or ICMP packets are sent periodically to check link availability.
▫ BFD: BFD control packets are sent periodically to check the availability of links between devices or systems.
▫ Link-Group: Different interfaces are added to a logical group, known as a link-group, which ensures the status consistency of these interfaces.
▫ Health check: The health check function detects service availability, link availability, or link latency. Currently, this function is used together with the intelligent uplink selection feature of the firewall.

Contents
1. Overview of Firewall High Reliability Technologies
2. Firewall Hot Standby
◼ Hot Standby Overview
▫ VRRP-based Hot Standby
▫ Routing Protocol-based Hot Standby
▫ Hot Standby in Transparent Mode
3. Firewall Link High Reliability
4. Hot Standby Version Upgrade and Troubleshooting

Hot Standby Working Mechanism
⚫ Huawei Redundancy Protocol (HRP) is used to back up key configuration commands and status information between the active and standby firewalls. Status information includes the session table, server mapping table, blacklist and whitelist, and NAT mapping table.
⚫ VRRP Group Management Protocol (VGMP) manages Virtual Router Redundancy Protocol (VRRP) groups in a unified manner and ensures the status consistency of multiple VRRP groups. The VGMP status also affects the costs of routing protocols.
⚫ Backup channel: Also called the heartbeat link, it is used for HRP and VGMP communication.
(Figure: Firewall A and Firewall B are connected by the heartbeat link. HRP synchronizes configuration and status information between the two firewalls over this link. VGMP negotiates the VGMP group status, which is associated with the VRRP group status and controls the routing protocol costs on each firewall.)
VGMP status: When the VGMP group status of a firewall is active, it ensures that all VRRP groups in the VGMP group are in active state. In this way, all packets pass through this firewall, which becomes the active firewall. In this case, the VGMP group status of the other firewall is standby, and that firewall becomes the standby firewall.

Hot Standby Working Modes
⚫ The firewalls in a hot standby group support the active/standby mode and the load sharing mode.
Active/standby mode:
▫ There are two devices, an active one and a standby one. Normally, the active device processes service traffic. If this device fails, the standby device takes over to ensure service continuity.
▫ A single device processes traffic, making route planning and fault locating simpler than in the load sharing mode.
▫ The standby device does not carry any service traffic, resulting in low resource usage.
Load sharing mode:
▫ The two devices back each other up. During normal operation, both devices share the entire network's service traffic. If one device fails, the other device takes over all services to ensure service continuity.
▫ The networking scheme and configuration are more complex than in the active/standby mode.
▫ Traffic is processed by two devices, which improves the overall service throughput of the firewalls. Only half of the services need to be switched if a device in load sharing mode fails, making the switchover faster than in the active/standby mode.
Precautions for backup in different modes:
▫ In active/standby mode, configuration commands and status information are backed up from the active device to the standby device.
▫ In load sharing mode, both firewalls are active. Therefore, if both firewalls were allowed to back up commands to each other, command overwrite or conflict problems could occur. To centrally manage the configurations of the two firewalls, you need to configure a designated active device and a designated standby device.
▫ In load sharing mode, the sender of configuration backup commands is the designated active device (identified by HRP_M), and the receiver is the designated standby device (identified by HRP_S). Configuration commands can be backed up only from the designated active device to the designated standby device. Status information, however, is backed up in both directions.

Introduction to Hot Standby Scenarios
⚫ Based on the firewall networking mode, hot standby can be classified into the following scenarios, each of which supports both the active/standby mode and the load sharing mode.
(Figure: three topologies. VRRP-based hot standby: Switch A and Switch B above, Switch C and Switch D below, with Firewall A and Firewall B running VRRP on both sides and connected by a heartbeat link. Routing protocol-based hot standby: Router A and Router B above, Router C and Router D below, with the firewalls running OSPF on both sides. Hot standby in transparent mode: Router A and Router B above, Router C and Router D below, with the firewall interfaces on both sides in VLAN 2.)
▫ VRRP-based hot standby: The service interfaces of the firewalls work at Layer 3 and are connected to switches in the upstream and downstream directions. VRRP is used.
▫ Routing protocol-based hot standby: The service interfaces of the firewalls work at Layer 3 and are connected to routers in the upstream and downstream directions. OSPF is used.
▫ Hot standby in transparent mode: The service interfaces of the firewalls work at Layer 2 and are connected to routers or switches in the upstream and downstream directions.

Contents
1. Overview of Firewall High Reliability Technologies
2. Firewall Hot Standby
▫ Hot Standby Overview
◼ VRRP-based Hot Standby
▫ Routing Protocol-based Hot Standby
▫ Hot Standby in Transparent Mode
3. Firewall Link High Reliability
4. Hot Standby Version Upgrade and Troubleshooting

Application Scenario of the Active/Standby Mode
⚫ Networking description:
▫ As shown in the figure, two firewalls are deployed at the egress of the enterprise network to implement hot standby in scenarios requiring high reliability.
(Figure: Switch C and Switch D on the Internet side connect to GE0/0/2 of Firewall A (Master) and Firewall B (Backup), which form VRRP group 2 with virtual IP address 1.1.1.1. GE0/0/3 of the two firewalls connects to Switch A and Switch B on the intranet side and forms VRRP group 1 with virtual IP address 10.3.0.3. GE0/0/1 of the two firewalls is connected by the heartbeat link. Host A and Host B are on the intranet.)
⚫ Networking analysis:
▫ VGMP group status of the firewalls: Firewall A is the active firewall, and its VGMP group status is active. Firewall B is the standby firewall, and its VGMP group status is standby.
▫ VRRP groups: Add the downlink interfaces of the firewalls to VRRP group 1 and the uplink interfaces of the firewalls to VRRP group 2. The status of VRRP groups 1 and 2 on Firewall A is set to master, and the status of the VRRP groups on Firewall B is set to backup.
▫ Backup interface: The GE0/0/1 interfaces on Firewalls A and B are heartbeat interfaces, and the heartbeat link connecting them is used as the backup link.

Traffic Forwarding Process in Active/Standby Mode
⚫ Traffic forwarding process:
▫ Firewall A sends gratuitous ARP packets to Switch A and Switch C to update the MAC address tables of the switches.
▫ When Host A accesses the Internet, it queries the gateway MAC address (the MAC address of the VRRP virtual IP address) through ARP. Firewall A replies with the VRRP virtual MAC address. Host A then sends service packets to Switch A, which forwards the traffic to Firewall A based on its MAC address table. Firewall A then forwards the traffic to the Internet.
▫ The process of forwarding returned traffic is similar and is not described here.
(Figure: same topology as above; the traffic of Host A and Host B is forwarded through Firewall A.)
Configuration and status backup: The configuration and status of Firewall A are backed up to Firewall B through the heartbeat link in real time.

Firewall Active/Standby Switchover (1/2)
⚫ An active/standby switchover is triggered when a service interface or service link of a firewall is faulty.
▫ As shown in the figure, when GE0/0/2 of Firewall A is faulty, the priority of Firewall A in the VGMP group decreases and Firewall A sends a VGMP request packet.
▫ After receiving the VGMP request packet, Firewall B compares the VGMP group priority in the packet with its own VGMP group priority and sends a VGMP response packet.
▫ After receiving the response packet, Firewall A switches its VGMP group status to standby and the status of VRRP groups 1 and 2 to backup.
▫ Firewall B switches its VGMP group status to active and the status of VRRP groups 1 and 2 to master.
▫ Firewall B sends gratuitous ARP packets to Switch B and Switch D to update the MAC address tables of the switches. Service traffic is switched to Firewall B.
(Figure: same topology; GE0/0/2 of Firewall A is faulty, Firewall A is now Backup and Firewall B is Master, and the traffic of Host A and Host B is forwarded through Firewall B.)

Firewall Active/Standby Switchover (2/2)
⚫ An active/standby switchover is also triggered when a firewall itself is faulty.
▫ Firewall A is faulty and does not send HRP Hello packets. Firewall B does not receive HRP Hello packets from Firewall A within five packet transmission intervals and becomes the active device.
Firewall B then changes its VGMP group status to active, and the status of VRRP groups 1 and 2 on Firewall B switches to master.
▫ Firewall B sends gratuitous ARP packets to Switch B and Switch D to update the MAC address tables of the switches. Service traffic is switched to Firewall B.
(Figure: same topology; Firewall A has failed, Firewall B is Master, and the traffic of Host A and Host B is forwarded through Firewall B.)

Firewall Active/Standby Switchback
⚫ After the fault is rectified, an active/standby switchback is triggered.
▫ After Firewall A recovers, its VGMP group priority increases. By default, after 60s, Firewall A sends a VGMP request packet.
▫ After receiving the VGMP request packet, Firewall B compares the VGMP group priority in the packet with its own VGMP group priority. If Firewall B finds that its VGMP group priority is the same as or lower than that of Firewall A, Firewall B returns a VGMP response packet and switches its VGMP group status to standby and the status of VRRP groups 1 and 2 to backup.
▫ After receiving the response packet, Firewall A switches its VGMP group status to active and the status of VRRP groups 1 and 2 to master.
▫ Firewall A sends gratuitous ARP packets to Switch A and Switch C to update the MAC address tables of the switches. Service traffic is switched back to Firewall A.
(Figure: same topology; Firewall A is Master again and the traffic of Host A and Host B is forwarded through Firewall A.)

Configuration Roadmap of the Active/Standby Mode
⚫ Configuration roadmap:
▫ Start
▫ Complete firewall basic network configurations.
▫ Configure VRRP groups.
▫ Specify a heartbeat interface and enable hot standby.
▫ End
⚫ Key configurations:
▫ Add the uplink and downlink service interfaces of Firewall A to VRRP groups and set the VRRP group status to active.
    [FW_A] interface GE0/0/2
    [FW_A-GE0/0/2] vrrp vrid 1 virtual-ip 1.1.1.1 active
    [FW_A-GE0/0/2] quit
    [FW_A] interface GE0/0/3
    [FW_A-GE0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active
    [FW_A-GE0/0/3] quit
▫ Add the uplink and downlink service interfaces of Firewall B to VRRP groups and set the VRRP group status to standby.
    [FW_B] interface GE0/0/2
    [FW_B-GE0/0/2] vrrp vrid 1 virtual-ip 1.1.1.1 standby
    [FW_B-GE0/0/2] quit
    [FW_B] interface GE0/0/3
    [FW_B-GE0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 standby
    [FW_B-GE0/0/3] quit

Application Scenario of the Load Sharing Mode
⚫ Networking description:
▫ As shown in the figure, the uplink and downlink service interfaces of the firewalls work at Layer 3. The two firewalls forward traffic for users at the same time and back each other up to improve network reliability.
(Figure: Router A and Router B connect through Switch A and Switch B to GE0/0/2 of Firewall A and Firewall B, both in Load-balance state; GE0/0/2 carries VRRP group 1 (10.0.1.1) and VRRP group 2 (10.0.1.2). GE0/0/1 of the two firewalls is connected by the heartbeat link. GE0/0/3 connects through Switch C and Switch D to the enterprise intranet with Host A and Host B, and carries VRRP group 3 (10.0.0.1) and VRRP group 4 (10.0.0.2).)
⚫ Networking analysis:
▫ If two firewalls work in load sharing mode, a master VRRP group must exist on each firewall.
▫ VRRP groups 1 and 3 on Firewall A are in master state, and VRRP groups 2 and 4 on Firewall A are in backup state.
▫ VRRP groups 1 and 3 on Firewall B are in backup state, and VRRP groups 2 and 4 on Firewall B are in master state.
▫ The VGMP groups on the two devices are in load-balance state.

Traffic Forwarding Process of the Load Sharing Mode
⚫ Traffic forwarding process:
▫ The gateway address of some hosts on the intranet is set to the virtual IP address 10.0.0.1 of VRRP group 3. When these hosts access the Internet, they send ARP requests for the MAC address mapped to 10.0.0.1. VRRP group 3 on Firewall A is in master state, so Firewall A responds to the ARP requests from these hosts.
VRRP group 3 on Firewall B is in backup state, so Firewall B does not respond to the ARP requests. The MAC address table of the switch and the ARP cache tables of the hosts are updated based on the ARP reply packets from Firewall A, so that the traffic sent from these hosts to the Internet is diverted to Firewall A for processing.
▫ The gateway address of the other hosts is set to the virtual IP address 10.0.0.2 of VRRP group 4. When these hosts access the Internet, they send ARP requests for the MAC address mapped to 10.0.0.2. In this case, only Firewall B responds to the ARP requests. Therefore, the traffic of these hosts is diverted to Firewall B for forwarding.
(Figure: same load sharing topology; the traffic of Host A is forwarded through Firewall A and the traffic of Host B through Firewall B.)
Similarly, the next-hop address of the route from Router A to the intranet is set to the virtual IP address 10.0.1.1 of VRRP group 1, so the traffic sent from Router A to the intranet is diverted to Firewall A for processing. The next-hop address of the route from Router B to the intranet is set to the virtual IP address 10.0.1.2 of VRRP group 2, so the traffic sent from Router B to the intranet is diverted to Firewall B for processing.

Configuration Roadmap of the Load Sharing Mode
⚫ Configuration roadmap:
▫ Start
▫ Complete firewall basic network configurations.
▫ Configure VRRP groups.
▫ Specify a heartbeat interface and enable hot standby.
▫ End
⚫ Key configurations:
▫ Configure two VRRP groups on each service interface of each firewall.
    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GE0/0/2] vrrp vrid 1 virtual-ip 10.0.1.1 active
    [FW_A-GE0/0/2] vrrp vrid 2 virtual-ip 10.0.1.2 standby
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GE0/0/3] vrrp vrid 3 virtual-ip 10.0.0.1 active
    [FW_A-GE0/0/3] vrrp vrid 4 virtual-ip 10.0.0.2 standby
    [FW_B] interface GigabitEthernet 0/0/2
    [FW_B-GE0/0/2] vrrp vrid 1 virtual-ip 10.0.1.1 standby
    [FW_B-GE0/0/2] vrrp vrid 2 virtual-ip 10.0.1.2 active
    [FW_B] interface GigabitEthernet 0/0/3
    [FW_B-GE0/0/3] vrrp vrid 3 virtual-ip 10.0.0.1 standby
    [FW_B-GE0/0/3] vrrp vrid 4 virtual-ip 10.0.0.2 active

Contents
1. Overview of Firewall High Reliability Technologies
2. Firewall Hot Standby
▫ Hot Standby Overview
▫ VRRP-based Hot Standby
◼ Routing Protocol-based Hot Standby
▫ Hot Standby in Transparent Mode
3. Firewall Link High Reliability
4. Hot Standby Version Upgrade and Troubleshooting

Application Scenario of the Active/Standby Mode
⚫ Networking description:
▫ As shown in the figure, the uplink and downlink service interfaces of the firewalls work at Layer 3 and are directly connected to routers. OSPF runs between the firewalls and the routers.
(Figure: Router A and Router B connect over OSPF to GE0/0/1 of Firewall A (Master) and Firewall B (Backup); Router C and Router D connect to GE0/0/3. The firewalls are connected by a heartbeat link. Firewall B increases its OSPF cost on both the uplink and the downlink. Host A and Host B are on the enterprise intranet.)
⚫ Networking analysis:
▫ Firewall A is the active firewall, and its VGMP group status is active. Firewall B is the standby firewall, and its VGMP group status is standby.
▫ After hot standby is enabled, a firewall can dynamically adjust the OSPF path cost based on its VGMP group status. The VGMP group of the active firewall is in active state, and this firewall advertises routes according to the OSPF route configuration without changing the cost. The VGMP group of the standby firewall is in standby state, and the standby firewall increases its OSPF route cost so that its route becomes the standby route.
The firewalls are connected to Layer 3 devices in the upstream and downstream directions.
In this scenario, VRRP groups cannot be configured. Therefore, the active and standby devices cannot be determined through VRRP, and the status of the service interfaces directly connected to the firewalls cannot be monitored through VRRP. The hrp adjust enable command enables the route cost adjustment function. After this command is run, a firewall dynamically adjusts the costs of routing protocols such as OSPF based on its active/standby status.

Traffic Forwarding Process in Active/Standby Mode
⚫ Traffic forwarding process:
▫ In normal cases, Firewall A advertises routes according to the OSPF configuration, and the cost of the OSPF routes advertised by Firewall B is changed to 65500. The cost of Firewall A's link is far smaller than that of Firewall B's link. When forwarding traffic, a router selects the path with the smaller cost. Therefore, traffic between the intranet and the Internet is diverted to Firewall A for forwarding.
▫ In the figure, the interface bandwidth of Firewall A is 1000 Mbit/s. Therefore, its OSPF cost is 1.
(Figure: Firewall A (Master) advertises cost 1 on GE0/0/1 and GE0/0/3, Firewall B (Backup) advertises cost 65500 on both; the traffic of Host A and Host B is forwarded through Firewall A.)

Firewall Active/Standby Switchover
⚫ Active/standby switchover process:
▫ When the uplink service interface of Firewall A is faulty, the status of the VGMP group on Firewall A changes to standby, and the status of the VGMP group on Firewall B changes to active.
▫ Firewalls A and B adjust their OSPF costs based on the VGMP group status.
◼ The cost of the OSPF route advertised by Firewall A changes to 65500.
◼ The cost of the OSPF route advertised by Firewall B changes to 1.
▫ After OSPF route convergence is complete, traffic between the intranet and the Internet is diverted to Firewall B for forwarding.
(Figure: Firewall A now advertises cost 65500 and Firewall B cost 1 on both sides; the traffic of Host A and Host B is forwarded through Firewall B.)

Configuration Roadmap of the Active/Standby Mode
⚫ Configuration roadmap:
▫ Start
▫ Complete firewall basic network configurations.
▫ Configure interface monitoring.
▫ Configure OSPF cost adjustment.
▫ Specify a heartbeat interface and enable hot standby.
▫ End
⚫ Key configurations:
▫ Run the hrp track interface command on Firewall A and Firewall B to monitor the uplink and downlink service interfaces.
    [FW_A] hrp track interface GE0/0/1
    [FW_A] hrp track interface GE0/0/3
    [FW_B] hrp track interface GE0/0/1
    [FW_B] hrp track interface GE0/0/3
▫ Configure the cost adjustment commands on Firewall A and Firewall B.
    [FW_A] hrp adjust ospf-cost enable
    [FW_B] hrp adjust ospf-cost enable
Note: If a firewall is the active device, it directly advertises the learned OSPF routes. If a firewall is the standby device, it advertises OSPF routes with a cost of 65500.

Contents
1. Overview of Firewall High Reliability Technologies
2. Firewall Hot Standby
▫ Hot Standby Overview
▫ VRRP-based Hot Standby
▫ Routing Protocol-based Hot Standby
◼ Hot Standby in Transparent Mode
3. Firewall Link High Reliability
4. Hot Standby Version Upgrade and Troubleshooting

Application Scenario of the Active/Standby Mode
⚫ Networking description:
▫ As shown in the figure, the uplink and downlink service interfaces of the firewalls work at Layer 2 and are directly connected to Layer 2 switches. The uplink and downlink service interfaces of the firewalls are added to the same VLAN. The firewalls must be able to monitor the availability of the service interfaces.
(Figure: a router and a switch are located above the firewalls; the firewall service interfaces belong to VLAN 10.)
⚫ Networking analysis:
▫ Firewall A is the active firewall, and its VGMP group status is active.
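As an added illustration (not Huawei code and not part of the course), the following Python model walks through the VGMP negotiation and OSPF cost behaviour described in the VRRP-based and routing protocol-based hot standby sections above: a failed tracked interface lowers the VGMP priority, the higher-priority firewall becomes active, VRRP groups follow the VGMP state, the standby device advertises cost 65500, five lost HRP Hello packets trigger a failover, and a recovered device requests a switchback after 60 seconds. The base priority of 45000 and the decrement of 2 per failed interface are assumed values, not taken from the page.

```python
"""Hot standby negotiation model: VGMP priority, VRRP state, OSPF cost, HRP hello loss
and switchback delay. Added illustration, not Huawei code; the base priority (45000)
and the per-interface decrement (2) are assumed values."""
from dataclasses import dataclass

STANDBY_OSPF_COST = 65500   # cost advertised by the standby firewall (from the page)
HELLO_LOSS_LIMIT = 5        # HRP hello intervals without a hello: peer treated as down
PREEMPT_DELAY = 60          # seconds a recovered firewall waits before switching back
BASE_PRIORITY = 45000       # assumed VGMP base priority
FAULT_DECREMENT = 2         # assumed priority decrement per failed tracked interface


@dataclass
class Firewall:
    name: str
    tracked: dict                # tracked interface name -> True (up) / False (down)
    vgmp: str = "standby"        # VGMP group state: "active" or "standby"
    alive: bool = True           # False once the whole device has failed
    missed_hellos: int = 0       # consecutive HRP hello intervals without a peer hello

    @property
    def priority(self) -> int:
        # hrp track interface: each failed tracked interface lowers the VGMP priority
        failed = sum(1 for up in self.tracked.values() if not up)
        return BASE_PRIORITY - FAULT_DECREMENT * failed

    @property
    def vrrp(self) -> str:
        # every VRRP group managed by the VGMP group follows the VGMP state
        return "master" if self.vgmp == "active" else "backup"

    def ospf_cost(self, interface_cost: int = 1) -> int:
        # hrp adjust ospf-cost enable: the standby device advertises cost 65500
        return interface_cost if self.vgmp == "active" else STANDBY_OSPF_COST


class HotStandbyPair:
    def __init__(self, active: Firewall, standby: Firewall):
        active.vgmp, standby.vgmp = "active", "standby"
        self.fw = {active.name: active, standby.name: standby}
        self.log = []

    def peer_of(self, fw: Firewall) -> Firewall:
        return next(f for f in self.fw.values() if f is not fw)

    def _become_active(self, fw: Firewall) -> None:
        fw.vgmp, self.peer_of(fw).vgmp = "active", "standby"
        # the new active firewall refreshes the switches' MAC address tables
        self.log.append(f"{fw.name}: gratuitous ARP sent, service traffic switched")

    def negotiate(self, requester: Firewall) -> str:
        """VGMP request/response: the responder keeps or takes the active role only
        when its priority is strictly higher than the requester's."""
        responder = self.peer_of(requester)
        winner = requester if requester.priority >= responder.priority else responder
        if winner.vgmp != "active":
            self._become_active(winner)
        return winner.name

    def interface_fault(self, name: str, intf: str) -> None:
        fw = self.fw[name]
        fw.tracked[intf] = False
        if fw.vgmp == "active":       # its priority dropped, so it sends a VGMP request
            self.negotiate(fw)

    def interface_recover(self, name: str, intf: str, seconds_since_recovery: int) -> None:
        fw = self.fw[name]
        fw.tracked[intf] = True
        if fw.vgmp == "standby" and seconds_since_recovery >= PREEMPT_DELAY:
            self.negotiate(fw)        # switchback request after the preemption delay

    def device_failure(self, name: str) -> None:
        self.fw[name].alive = False

    def hello_interval(self) -> None:
        """One HRP hello interval elapses; a surviving standby counts missed hellos."""
        for fw in self.fw.values():
            if fw.alive and not self.peer_of(fw).alive:
                fw.missed_hellos += 1
                if fw.missed_hellos >= HELLO_LOSS_LIMIT and fw.vgmp != "active":
                    self._become_active(fw)

    def snapshot(self) -> dict:
        """Per firewall: (VGMP state, VRRP group state, advertised OSPF cost)."""
        return {f.name: (f.vgmp, f.vrrp, f.ospf_cost()) for f in self.fw.values()}
```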
