1 Network Security Basis

Chapter 1

Next-Generation Firewall Introduction


Training Team
HCSA Official Training

Integrative Cybersecurity
Visionary. AI-powered. Accessible.

Hillstone Networks All Rights Reserved.


Agenda

1. Evolution of Security Attack and Defense technologies
2. Evolution of Network Security in Scenarios
3. Hillstone NGFW function and Product Introduction

2 | Integrative Cybersecurity Hillstone Networks All Rights Reserved.


1. Evolution of Security Attack and Defense technologies



Change 1: Limitations of the traditional 5-tuple

• IP address ≠ user: an IP address cannot uniquely represent a user
• Port number ≠ application: port numbers cannot uniquely represent an application



Firewall Technology Development
• A next-generation firewall (NGFW) is a network security device that provides
capabilities beyond a traditional stateful firewall. It adds features such as
application awareness and control, integrated intrusion prevention, and cloud-delivered
threat intelligence.

Timeline: 1989, 1994, 1995, 2004, 2005, 2009

• Packet filtering (ACL)
• Proxy Service
• Stateful Inspection (Session)
• UTM (AV + IPS)
• NGFW (APP + User + Content)



Change 2: Changes in threat attacks

• DDoS: distributed denial-of-service attack
• CC: Collapse Challenge
• Botnet: a controlled computer with malware
• XSS: Cross-Site Scripting
• Brute force: cracking passwords and encryption keys
• Exploit: a security flaw or vulnerability in an application or computer system
• Malware: program or code that is created with the intent to do harm to a computer, network or server



NGFW provides multi-dimensional conditions

Beyond the traditional 5-tuple (IP, port, protocol), an NGFW policy can match on:

• App
• User
• Threat
• Time
• Content
• Geographic
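As an added illustration (not part of the original slides and not StoneOS code), the following Python puts a traditional 5-tuple rule beside a policy that also matches on user, application, time, geography and threat verdict. Every rule name, user, application, address and country code in it is constructed for the example:

```python
"""Added example, not Hillstone's code: why a 5-tuple rule cannot tell two
sessions apart that an NGFW policy can. Every rule, user, application,
address and country code below is constructed for illustration."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """What the firewall knows about one session. The first five fields are
    the classic 5-tuple; the rest an NGFW derives from identity mapping,
    application identification, a geo database, the clock and its threat engines."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    user: str                      # identity behind the address (IP != user)
    app: str                       # identified application (port != application)
    geo: str                       # country code of the destination
    at: time                       # time of day the session started
    threat: Optional[str] = None   # verdict from IPS/AV/C&C engines, if any


@dataclass(frozen=True)
class Rule:
    """One policy rule. Every condition left as None is a wildcard."""
    name: str
    action: str                                 # "permit" or "deny"
    dst_net: Optional[str] = None               # CIDR
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    users: Optional[FrozenSet[str]] = None
    apps: Optional[FrozenSet[str]] = None
    geos: Optional[FrozenSet[str]] = None
    window: Optional[Tuple[time, time]] = None  # (start, end), inclusive
    threat_only: bool = False                   # match only sessions carrying a threat verdict


def rule_matches(rule: Rule, f: Flow) -> bool:
    """All specified conditions must hold; unspecified ones match anything."""
    checks = [
        not rule.threat_only or f.threat is not None,
        rule.dst_net is None or ip_address(f.dst_ip) in ip_network(rule.dst_net),
        rule.dst_port is None or f.dst_port == rule.dst_port,
        rule.proto is None or f.proto == rule.proto,
        rule.users is None or f.user in rule.users,
        rule.apps is None or f.app in rule.apps,
        rule.geos is None or f.geo in rule.geos,
        rule.window is None or rule.window[0] <= f.at <= rule.window[1],
    ]
    return all(checks)


def first_match(policy: List[Rule], f: Flow, default: str = "deny") -> str:
    """Top-down first-match evaluation, the way a firewall policy table works."""
    for rule in policy:
        if rule_matches(rule, f):
            return rule.action
    return default


def five_tuple_action(f: Flow) -> str:
    """A traditional rule that sees only addresses, ports and protocol:
    'permit TCP/443 from the office subnet to the partner range'."""
    office = ip_address(f.src_ip) in ip_network("10.0.0.0/24")
    partner = ip_address(f.dst_ip) in ip_network("203.0.113.0/24")
    ok = office and partner and f.proto == "tcp" and f.dst_port == 443
    return "permit" if ok else "deny"


# Constructed policy: threats first, then application and geography, then a
# narrow permit for named finance users during office hours; default deny.
POLICY = [
    Rule("block-threats", "deny", threat_only=True),
    Rule("block-file-sharing", "deny", apps=frozenset({"bittorrent", "file-sharing"})),
    Rule("block-placeholder-geo", "deny", geos=frozenset({"ZZ"})),   # "ZZ" is a placeholder code
    Rule("finance-to-partner", "permit", dst_net="203.0.113.0/24", dst_port=443,
         proto="tcp", users=frozenset({"alice", "carol"}),
         apps=frozenset({"web-browsing"}), window=(time(8, 0), time(18, 0))),
]

# Two sessions from the same shared office address to the same TCP/443 service.
# A 5-tuple rule sees the same thing twice; the NGFW sees a different user and application.
ALICE = Flow("10.0.0.5", "203.0.113.10", 51000, 443, "tcp",
             user="alice", app="web-browsing", geo="US", at=time(10, 30))
BOB = Flow("10.0.0.5", "203.0.113.10", 51000, 443, "tcp",
           user="bob", app="file-sharing", geo="US", at=time(10, 30))
# Same user as ALICE, outside the permitted window / with a threat verdict attached.
ALICE_AFTER_HOURS = Flow("10.0.0.5", "203.0.113.10", 51000, 443, "tcp",
                         user="alice", app="web-browsing", geo="US", at=time(20, 0))
ALICE_WITH_THREAT = Flow("10.0.0.5", "203.0.113.10", 51000, 443, "tcp",
                         user="alice", app="web-browsing", geo="US", at=time(10, 30),
                         threat="ips:placeholder-signature")

if __name__ == "__main__":
    for f in (ALICE, BOB, ALICE_AFTER_HOURS, ALICE_WITH_THREAT):
        print(f"{f.user:6s} 5-tuple={five_tuple_action(f):6s} ngfw={first_match(POLICY, f)}")
```

The 5-tuple rule permits both sessions because it cannot see who is behind 10.0.0.5 or what is inside the TLS session on port 443; the multi-dimensional policy permits Alice's browsing and denies Bob's file sharing, and also denies Alice outside office hours or once a threat engine has flagged the session.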



Change 3: Attack signatures change frequently

C&C use case:

Malware uses a domain generation algorithm (DGA) to communicate with its C&C servers. The domain names and IPs
change rapidly.

1. Signature databases cannot keep up with the speed at which DGA domain names are generated.
2. Defenders must block all DGA domain names to disrupt C2 communication.
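As an added example (not from the original slides and not Hillstone's detection engine), the following Python scores the shape of queried domain names instead of looking them up in a signature list, and runs that over constructed DNS log lines. The log format, the thresholds and the indicator weights are assumptions tuned to the sample data:

```python
"""Added example, not Hillstone's code: a heuristic DGA detector run over
constructed DNS query log lines. A signature database only knows names it
has already seen; scoring the shape of a name flags domains that were
generated after the last update. The log format, thresholds and weights
are assumptions, tuned to the sample data here rather than vendor values."""
import math
import re
from collections import Counter
from typing import List, Tuple

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")

# Constructed sample log (not captured traffic): three benign names, three DGA-like names.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z client=10.0.0.5 query=www.example.com type=A
2024-03-01T09:12:02Z client=10.0.0.5 query=mail.example.org type=MX
2024-03-01T09:12:03Z client=10.0.0.7 query=xq7mzk2vpl9wrt3h.net type=A
2024-03-01T09:12:04Z client=10.0.0.7 query=bw4n8dkjq1zxpt6y.com type=A
2024-03-01T09:12:05Z client=10.0.0.9 query=secure-banking-portal.com type=A
2024-03-01T09:12:06Z client=10.0.0.7 query=hj29skdf7gmlq0pz.org type=A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score near log2(len(s))."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Label left of the public suffix. Assumes a one-label suffix such as
    .com or .net; a real deployment would consult the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname: str) -> float:
    """Sum of weighted indicators; higher means more machine-generated-looking."""
    label = registrable_label(qname)
    n = len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    score = 0.0
    if shannon_entropy(label) > 3.5:   # many distinct characters for its length
        score += 1.0
    if n >= 12:                        # DGAs favour long labels
        score += 0.5
    if vowel_ratio < 0.25:             # pronounceable words carry more vowels
        score += 1.0
    if digit_ratio > 0.2:              # digits scattered through the label
        score += 0.5
    return score


def suspicious_queries(log_text: str, threshold: float = 2.0) -> List[Tuple[str, str]]:
    """Return (client, qname) for each query whose score reaches the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and dga_score(m.group("qname")) >= threshold:
            hits.append((m.group("client"), m.group("qname")))
    return hits


def rank_clients(hits: List[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """A host issuing many DGA-looking queries is the likely infected one."""
    return Counter(client for client, _ in hits).most_common()


if __name__ == "__main__":
    found = suspicious_queries(SAMPLE_LOG)
    for client, qname in found:
        print(f"{client:10s} {qname:28s} score={dga_score(qname):.1f}")
    print("clients by hit count:", rank_clients(found))
```

The long but pronounceable name secure-banking-portal.com scores 1.5 and stays under the threshold, while the three random-looking labels score 3.0; ranking the clients then points at 10.0.0.7 as the host worth isolating. The indicators are deliberately simple; a production engine would combine such features with a trained classifier and with threat intelligence on known C&C infrastructure.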



Future-Ready Next Generation Firewall

Comprehensive threat protection:
• Anti-virus
• Botnet C&C protection
• IPS
• Black and white list
• Spam filtering
• Sandbox
• URL filtering

Advanced Threat Detection and Protection


Change 4: Collapse of network perimeter

Disappearing perimeter: Cloud Services, Physical Edge, Third-party partners, Intranet Threats, Remote work, Mobile office
Edge Protection = Network security

With the collapse of physical boundaries, applications are no longer secure. How to protect applications?

 Telework is more popular
 More employees use their own devices for work
 More applications run on the clouds
 Third-party partners access the enterprise network, and the terminal controllability is poor
 Even employees on the intranet can steal or inadvertently leak company secrets.



ZTNA provides multi-element control

SSL VPN upgraded to ZTNA:
• Application security protection
• Centralized management
• Device identity (endpoint tag)
• Independent ZTNA policy
• Agentless
• Single Packet Authorization (SPA)
• Tunnel Detection
• Application resources



Use Case - Security Operations

[Diagram: Hillstone security-operations architecture. Cloud collaboration layer: cloud intelligence center and iSource network-wide security monitoring platform; management layer: HSM and HSA; in-network devices across branch, campus, perimeter, critical business, public-facing services, intranet area and VM: NGFW, NIPS, Datacenter firewall, BDS, WAF, CloudHive, agent, 3rd-party security device. Flows between the layers: intelligence sharing, security logs/traffic metadata, policy deployment.]

Capabilities:
• Full range of threat detection: signature detection, correlation analysis, NTA, UEBA
• Improved threat detection resilience: unified data collection with full threat visibility
• Third-party joint defense capability
• Advanced AI/ML-driven security detection and analytics
• Collaborative threat prevention and control
• Enhanced threat visibility
• Automated security orchestration and cohesive response
• In-network collaborative defense capability


2. Evolution of Network Security in Scenarios



Physical network border scenario without protection

There are no security devices in the egress area (diagram: the egress sits directly in front of the services).



Single firewall egress border scenario

Deploy a firewall at the egress border (diagram: an NGFW between the egress and the services).



Defense in Depth Border Scenario

Layered devices between the egress and the DMZ services (diagram: NGFW, IPS, WAF, ICM, NGFW):

1. Anti-DDoS
2. Intrusion Prevention System (IPS)
3. Web Application Firewall (WAF)
4. ICM (Internet Content Management)



Cloud within and outside scenario

01 Cloud DataCenter Protection (north-south):
• Internet → cloud datacenter egress: WAF, FW, IPS, VPN, ADC
• DataCenter FW; branch / active-active / disaster recovery
• CloudEdge (云·界): north-south protection on the cloud platform

02 VPC protection (east-west):
• Micro-segmentation and east-west monitoring on the cloud network/SDN
• CloudHive (云·格): VPC east-west protection on cloud IaaS



3. Hillstone NGFW function and Product Introduction



A story of continuous “Innovation”

Timeline: 2006, 2008, 2010, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2021, 2022, 2023, Future

Milestones (top row of the original timeline):
• Founded by Netscreen veterans
• One of the first 100G firewall platforms in the industry
• First vendor to release an AI-based firewall
• CloudEdge, first virtual NGFW supporting major public clouds and NFV
• 1T Data Center Firewall Platform
• AI-powered XDR Solution
• 3.5T Data Center Firewall Proprietary Chipset

Milestones (bottom row of the original timeline):
• One of the first vendors to release a multicore firewall
• 360G fully distributed firewall architecture
• CloudHive, one of the first solutions to support OpenStack & VMware
• AI-based NDR Solution
• Secure SD-WAN Solution
• CWPP Solution: CloudArmour
• ZTNA
• AI in Security

Platform innovation: FPGA → ASIC → SECoC
Services: AI Threat Detection, Threat Intelligence, Security Operations, Managed Services



NGFW Hardware Architecture

• Box Model
• Frame Model: Distributed + expansion board



NGFW Software Architecture

StoneOS
• Data Plane: Route / Policy / NAT / … / security and forwarding
• Control Plane: Management / Auth / VPN establishment
• OS

Config
• WebUI: HTTPS, HTTP
• CLI: Console, SSH, Telnet



NGFW Functions

• VPN: supports IPsec VPN, SSL VPN, L2TP VPN
• HA: supports A/P and peer mode, with configuration and session synchronization
• Basic Network: switch/route, session management, security policy
• VSYS: logically divides the physical firewall into several virtual firewalls
• IPv6: supports IPv6/IPv4 dual stack
• Monitor: monitors device status, traffic, etc.



NGFW Functions

• User Authentication: AD, Local, RADIUS
• SSL Decryption: supports HTTPS decryption with APPID, IPS, AV, URL filtering
• QoS: two-level, 8-layer pipe nesting of bandwidth control based on user, IP, APP, URL, etc.
• Link Load Balancing: intelligently routes and dynamically adjusts the traffic load of each link by monitoring the quality of each link in real time
• Traffic Quota: limits and controls the allowable flow quota of users/user groups per day or per month
• Server Load Balancing: based on weighted hashing, weighted round robin, weighted least connection
• Endpoint Access Monitor
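As an added example (not from the original slides and not StoneOS code), the following Python implements the three server-selection methods listed under Server Load Balancing against a constructed pool; the server names, weights, connection counts and the hash function are assumptions:

```python
"""Added example, not Hillstone's code: the three server-selection methods
the slide lists for server load balancing, run against a constructed pool.
Server names, weights, connection counts and the hash function are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class Server:
    name: str
    weight: int        # relative capacity
    active: int = 0    # connections currently open to this server


class SmoothWeightedRoundRobin:
    """Weighted round robin in the 'smooth' form: every pick adds each server's
    weight to its running score, selects the highest score, then subtracts the
    pool's total weight from the winner. Weights 5/1/1 yield A A B A C A A
    rather than five A's in a row, so the small servers are never starved."""

    def __init__(self, servers: List[Server]):
        self.servers = servers
        self.score = {s.name: 0 for s in servers}
        self.total = sum(s.weight for s in servers)

    def pick(self) -> Server:
        for s in self.servers:
            self.score[s.name] += s.weight
        best = max(self.servers, key=lambda s: self.score[s.name])
        self.score[best.name] -= self.total
        return best


def weighted_least_connection(servers: List[Server]) -> Server:
    """Pick the server with the fewest open connections per unit of weight;
    the name breaks ties so the choice is deterministic."""
    return min(servers, key=lambda s: (s.active / s.weight, s.name))


def weighted_hash(servers: List[Server], key: str) -> Server:
    """Pin a client key (e.g. its source IP) to one server so its session
    stays put; each server gets `weight` slots in a fixed table. Adding or
    removing a server remaps many keys; consistent hashing would reduce that."""
    slots = [s for s in servers for _ in range(s.weight)]
    digest = int(hashlib.sha256(key.encode()).hexdigest(), 16)
    return slots[digest % len(slots)]


def pick_sequence(balancer: SmoothWeightedRoundRobin, n: int) -> List[str]:
    """Names of the next n servers the round-robin balancer would choose."""
    return [balancer.pick().name for _ in range(n)]


def make_pool() -> List[Server]:
    # Constructed pool: one large server and two small ones.
    return [Server("A", 5), Server("B", 1), Server("C", 1)]


if __name__ == "__main__":
    pool = make_pool()
    print("weighted round robin:", pick_sequence(SmoothWeightedRoundRobin(pool), 7))
    pool[0].active, pool[1].active = 4, 1
    print("weighted least connection:", weighted_least_connection(pool).name)
    print("weighted hash for 198.51.100.7:", weighted_hash(pool, "198.51.100.7").name)
```

Round robin spreads new sessions by capacity without looking at load, least connection reacts to what each server is actually carrying, and hashing trades even spread for session persistence; a firewall's SLB policy chooses among them per server pool.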



NGFW Functions – Threat Protection

01 Data Security: file/content filter
02 Botnet C&C Prevention
03 IP Reputation
04 Web access control, URL filter
05 Cloud Sandbox
06 AV
07 IPS
08 Attack Defense



Product Portfolio

iSource, HSM/vHSM, HSA/vHSA, CloudView

EDGE PROTECTION: NGFW, DCFW, NIPS
CLOUD PROTECTION: CloudArmour, CloudHive, CloudEdge
BREACH PREVENTION: BDS, vBDS
APPLICATION PROTECTION: ADC, vADC, WAF, vWAF

ZTNA, SD-WAN, XDR, NDR, CWPP, Micro-Segmentation



Integrative Cybersecurity
Visionary. AI-powered. Accessible.
+1 408 508 6750
[email protected]
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com
