Application Firewall

FW1000 Firewall Technical White Paper


1. Overview

Applications and networks are complementary and mutually reinforcing in that the increasing application requirements give birth to the rapid development of network technologies, which, in turn, promotes the growth of applications. As all kinds of new applications and new services continue to emerge, such as 10G to core/Gigabit to desktop, Web2.0, virtualization, Internet of Things, network audio/video, P2P, cloud computing, etc., the traditional port-based firewalls for application identification and access control fall short of meeting the needs of security protection in new applications. In response, DPtech launched the FW1000 next-generation application firewall based on the brand-new multi-core processor architecture.

DPtech FW1000 marks a breakthrough in application firewalls. Built upon the APP-X hardware platform, a core technology covered by DPtech's own intellectual property, and ConPlat, a security operating system, DPtech FW1000 is an industry-leading application firewall that comes with a professional intrusion prevention signature library, virus database, application protocol library, and URL library. Thanks to its high availability, outstanding performance, and high reliability, the FW1000 can be deployed in complex scenarios such as data centers and large campus networks. It also offers rich capabilities and on-demand scalability, which simplify the network security architecture and greatly reduce the total cost of ownership of enterprise networks.


2. Product Introduction

DPtech FW1000 is the next-generation application firewall product designed for large and medium-sized enterprises, schools, data centers and operators. As a high performance firewall at the application level, it performs security control at the network boundary layer over data from different domains according to security policies. It delivers high performance in both IPv4 and IPv6 environments, eliminating network bottlenecks and offering comprehensive security protection to ensure smooth and stable operation of the network. With built-in VPN, it provides a cost-effective choice with flexible networking capabilities for various network environments.

3. DPtech’s unique firewall technology

3.1 Data forwarding process of DPtech FW1000

By permitting, denying, or redirecting traffic, the firewall serves as an important tool for access control and auditing between the different networks of an organization. With policy definitions based on users and protocols, URL filtering, protocol identification, and other features, the DPtech FW1000 meets the requirements of both packet filtering and application-level firewalls.

According to the security policies at the various network nodes, the firewall passes information streams between different networks. By default, all inbound and outbound information streams are rejected by the security policy, which can only be modified by authorized administrators. A typical packet filtering policy is applied as packets arrive at or leave an interface and is determined by the source address, destination address, transport layer protocol, source port, destination port, and application protocol.

The DPtech firewall applies packet filtering at the level of security domains. The default rules are as follows:

1) Domains with a higher security level can access domains with a lower security level.

2) Domains with a lower security level are not allowed to access domains with a higher security level.

3) Different domains with the same security level are prohibited from accessing each other.

4) Mutual access between different interfaces in the same security domain is allowed.

Data forwarding inside the firewall is shown in the diagram below:


Fig. 1 Internal data forwarding flow chart

As shown in the diagram, internal data forwarding begins with a session table lookup, then performs destination NAT, route lookup, packet filtering rules, attack prevention policies, application layer matching rules, and auditing policies, and finally applies source NAT before forwarding.
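The following Python model is an added illustration, not DPtech code: it walks a packet through the forwarding order of Fig. 1 (session lookup, destination NAT, route lookup, packet filtering with the four default inter-domain rules of section 3.1, source NAT) and records the decision in a session table so later packets of the flow skip the slow path. Interface names, domain levels, addresses, and the NAT and policy tables are constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_if: str

# Constructed topology: interface -> (security domain, security level).
INTERFACES = {
    "ge0": ("trust", 85), "ge1": ("trust", 85),
    "ge2": ("dmz", 50), "ge3": ("untrust", 5),
}
ROUTES = [(ip_network("10.0.0.0/8"), "ge0"),
          (ip_network("192.168.1.0/24"), "ge2"),
          (ip_network("0.0.0.0/0"), "ge3")]
DNAT = {("203.0.113.10", 80): ("192.168.1.10", 8080)}   # published DMZ server
SNAT = {"untrust": "203.0.113.1"}                         # egress domain -> public IP
# Explicit packet filtering policies; anything not listed falls back to the
# four default inter-domain rules of section 3.1.
POLICIES = {("untrust", "dmz", "tcp", 8080): "permit"}
SESSIONS = {}   # five-tuple -> forwarding decision (the session table)

def route(dst):
    """Longest-prefix match over the constructed routing table."""
    addr = ip_address(dst)
    best = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return next(i for n, i in ROUTES if n == best)

def default_rule(src_dom, dst_dom, in_if, out_if):
    """Rules 1-4: same domain permits; higher level may reach lower; else deny."""
    if src_dom == dst_dom:
        return "permit"
    if INTERFACES[in_if][1] > INTERFACES[out_if][1]:
        return "permit"
    return "deny"          # lower -> higher, or two domains of equal level

def forward(pkt):
    """Return (outgoing interface, translated packet) or ("drop", None)."""
    key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    if key in SESSIONS:                                   # 1. session table lookup
        return SESSIONS[key]
    dst, dport = DNAT.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))   # 2. DNAT
    out_if = route(dst)                                   # 3. route lookup
    src_dom, dst_dom = INTERFACES[pkt.in_if][0], INTERFACES[out_if][0]
    action = POLICIES.get((src_dom, dst_dom, pkt.proto, dport))          # 4. filter
    if action is None:
        action = default_rule(src_dom, dst_dom, pkt.in_if, out_if)
    if action != "permit":
        return ("drop", None)
    src = SNAT.get(dst_dom, pkt.src)                      # 5. SNAT, then forward
    result = (out_if, replace(pkt, src=src, dst=dst, dport=dport))
    SESSIONS[key] = result      # later packets of this flow take the fast path
    return result
```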

3.2 Rich Network Features

The ConPlat platform provides rich network features, such as STP, VLAN, ARP and other layer-2 features, as well as BGP, OSPFv2/v3, MPLS and other layer-3 features in IPv4/IPv6 environments.

DPtech FW1000 is characterized by the following network features:

■ Available networking modes include transparent mode, routing mode, and hybrid mode.

■ Dual IPv4/IPv6 protocol stack, with complete IPv6 transition and tunneling technologies.

■ Access/Trunk VLAN, port aggregation, port mirroring.

■ Policy-based routing, static routing, IPv4/IPv6 multicast routing (IGMP, PIM, MSDP, multicast VPN).

■ IPv4 routing (supports RIP v1/2, OSPF, IS-IS, BGP, Guard routing).

■ IPv6 routing (supports RIPng, OSPFv3, Guard routing), IPv6 tunneling technology.

■ Complete MPLS VPN support.

■ DNS, DHCP, ARP, BFD, STP, QoS.

■ Wi-Fi module and 3G network card support.

With the rich network features, DPtech Firewall provides users with flexible networking capabilities in transparent mode, routing mode, and hybrid mode adapting to various networking environments.

3.3 High-performance, low-latency processing with very large numbers of policies

For packet filtering and NAT matching, the DPtech firewall compiles security policies into a series of quick matching entries using a decision tree algorithm. When a packet passes through the device, its five-tuple (source address, destination address, protocol, source port, destination port) is extracted and handed to the quick matching entries, and all policies are matched in a single pass. This forms a parallel processing architecture for data streams that keeps performance high and latency low even with huge policy sets. Besides meeting administrators' requirements for very high throughput and low transmission delay, the firewall helps eliminate network transmission bottlenecks.

3.4 Attack prevention technologies (IPv4/IPv6)

As one of the important features of DPtech firewall, attack prevention determines whether the packets contain attack characteristics by analyzing the content and behavior characteristics of packets, and takes actions to protect network hosts or network devices.

Attacks that can be detected include DoS (Denial of Service), scanning and snooping, malformed packets and others. Appropriate measures can thus be adopted to protect against these attacks. Attack prevention is realized by various functions, such as blacklist filtering, packet feature identification, anti-DDoS, and intrusion detection statistics.

Apart from the conventional IPv4 security protection technologies, DPtech provides all-round IPv6 security protection against huge-icmp-pak, icmp-flood, ip-sweep, ip-spoofing (l2/l3), udp-flood, tear-drop, ip-fragment, ping-of-death, port-scan, syn-flood, syn-proxy, tcp abnormal, land-attack, NDP defender, etc.

■ DDoS attacks

DDoS attack, one of the most common network attacks, requires little technical skill, so attacks can be launched with various open-source tools that generate a huge number of packets. The target system or host under attack may be unable to receive normal requests or may stop working properly. Unlike other attacks, DDoS attacks do not look for an entry into the target network. Instead, they aim to block legitimate access to network resources by disrupting the normal operation of the target network.

With its attack prevention technology, the firewall actively defends against common network attacks and keeps the network operating normally in the face of an increasing number of attacks, providing overall security protection. For DDoS attacks that use legitimate protocols allowed by the server, anti-DDoS algorithms based on behavior patterns accurately detect and distinguish attack traffic from normal traffic, block the attack traffic, and let normal traffic pass. DDoS attacks detected by attack prevention include SYN Flood, ICMP Flood, and UDP Flood.

DDoS attacks can also be launched on the IPv6 Internet. Computers infected by Trojan horses form large botnets that launch concentrated attacks on a victim, and IPv6 does nothing to prevent botnets from forming and operating, so active botnets exist on IPv6 as well. IPv6 connects far more devices than IPv4 can, and a DDoS attack launched from that larger number of devices can be far more devastating than one launched over IPv4.

With built-in DDoS fingerprint recognition, DPtech firewalls automatically learn from IPv4/IPv6 traffic to build a database of fingerprint features. The device can then quickly identify abnormal attack traffic on the network and block or rate-limit it, providing intelligent and simplified anti-DDoS protection. Fingerprint features can also be configured manually, so users can identify and protect against known attack signatures by setting a number of parameters. Taking TCP as an example, the configurable parameters include packet length, packet ID, TTL, source IP, destination IP, sequence number, acknowledgment number, source port, destination port, flags, and other custom features.

■ Scanning and snooping attacks

A scanning and snooping attack first identifies active hosts on the network by ping scanning (ICMP or TCP) to locate a potential target, then identifies the operating system and the services enabled on the target by TCP and UDP scanning. Such attacks give the attacker an overall picture of the target system, its services, and its potential vulnerabilities, in preparation for further intrusion. DPtech firewalls effectively defend against scanning and snooping attacks targeting IP addresses, ports, and vulnerabilities.

■ Malformed packet attacks

A malformed packet attack sends defective IP packets to a target system, causing it to crash or suffer other damage. Such defective packets include packets with overlapping fragments or illegal TCP flag combinations. Using feature recognition technology, DPtech firewalls accurately detect dozens of attack signatures and protect against a variety of malformed packets, including LAND attacks, ping of death, IP overlapping fragments, UDP Fraggle attacks, WinNuke attacks, TcpFlag attacks, ICMP unreachable packets, ICMP redirect packets, ICMP Smurf, source route option IP packets, route record option IP packets, and oversized ICMP packets.
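As an added example (not DPtech code), the following Python detector implements checks for four of the malformed-packet classes listed above: LAND (source equals destination), illegal TCP flag combinations, overlapping IP fragments, and oversized ICMP datagrams (ping of death). The Pkt record, the flag sets treated as illegal, and the sample packets are constructed for illustration, and fragment offsets are expressed in bytes.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flag names, e.g. {"SYN", "ACK"}
    ip_id: int = 0                      # IP identification, shared by all fragments
    frag_offset: int = 0                # byte offset of this fragment in the datagram
    payload_len: int = 0
    more_frags: bool = False            # the IP "more fragments" bit

MAX_DATAGRAM = 65535                    # largest reassembled IP datagram
# Flag combinations that never occur in a legitimate TCP segment (constructed list).
ILLEGAL_FLAG_SETS = (
    frozenset(),                        # null segment: no flags at all
    frozenset({"SYN", "FIN"}),
    frozenset({"SYN", "RST"}),
    frozenset({"FIN", "PSH", "URG"}),   # "xmas tree" segment
)

class MalformedPacketDetector:
    def __init__(self):
        self._frags = {}   # (src, dst, ip_id) -> [(start, end), ...] fragments seen

    def check(self, p):
        """Return the list of malformed-packet findings for one packet."""
        findings = []
        if p.src == p.dst:                                   # LAND attack
            findings.append("land")
        if p.proto == "tcp" and p.flags in ILLEGAL_FLAG_SETS:
            findings.append("tcpflag")
        if p.more_frags or p.frag_offset > 0:                # this is a fragment
            start, end = p.frag_offset, p.frag_offset + p.payload_len
            if end > MAX_DATAGRAM:                           # reassembly would overflow
                findings.append("ping-of-death" if p.proto == "icmp"
                                else "oversized-datagram")
            key = (p.src, p.dst, p.ip_id)
            seen = self._frags.setdefault(key, [])
            if any(start < e and s < end for s, e in seen):  # byte ranges intersect
                findings.append("ip-fragment-overlap")
            seen.append((start, end))
            if not p.more_frags:                             # last fragment: forget it
                self._frags.pop(key, None)
        return findings
```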

3.5 Virus Filtering Technology

With an integrated professional virus signature library, DPtech provides users with powerful anti-virus services that detect a great number of viruses transmitted over HTTP, FTP, SMTP, POP3 and IMAP, including inside RAR and ZIP archives. The anti-virus module can be deployed on the network in online, bypass, bridge, and hybrid modes, and automatically detects, blocks, or redirects virus-carrying packets and abnormal traffic based on real-time analysis. Functions provided by the anti-virus module include:

■ Anti-virus rule management;

■ Anti-virus signature query;

■ Anti-virus logs.

Thanks to its defense capabilities against file, network, and hybrid viruses, it can accurately detect and remove virus variants and unknown viruses through a new generation of virtual shelling and behavior analysis technology. Three levels of antivirus protection are available, so users can configure the level of protection according to virus prevalence. The antivirus signature library is regularly updated to ensure a timely response to new viruses. The basic functions and principles of the antivirus module are shown in the figure below.


Fig. 2 Virus detection and protection

Traditional virus detection methods fall into four types: signature (feature code) matching, checksums, activity detection, and software emulation. The best way to provide anti-virus functions on a network device is signature matching. The network data stream passing through the device is scanned against an integrated professional virus database, and if a matching signature is found in the stream, it is deemed to be a virus. Different protection measures are available and logs are generated according to the signature and virus prevalence. DPtech anti-virus technology offers accurate and rapid detection, identification of the virus by name, and a low rate of false positives.

DPtech’s antivirus logs provide rich reporting features, including many query conditions such as virus source IP, destination IP, virus type, and time period. Logs can be sent remotely or backed up. DPtech’s IPS virus database is released on a regular (weekly) basis and in emergencies (when a major security signature is found), and is automatically distributed to user devices.

3.6 Firewall with high reliability

DPtech FW1000 supports complete dual-system hot standby technologies, including regular, advanced, asymmetric, and silent dual-system hot standby.

■ Regular dual-system hot standby

With synchronized dual-system functions, the firewall configurations can be backed up mutually, including IP address object/group, service object/group, packet filtering policy, routing, etc.

■ Advanced dual-system hot standby

In addition to configuration backup, sessions between the two firewalls are synchronized in real time. When the master and the backup firewalls switch over, connected applications continue to access the Internet without reconnecting.

■ Asymmetric dual-system hot standby

Both configurations and sessions are backed up. Dual-master deployment with asymmetric service traffic is supported, and multi-channel application layer services are supported through real-time synchronization of ALG sessions.

Regular, advanced, and asymmetric dual-system hot standby and master/backup switching can be implemented with protocols such as VRRP, OSPF, and STP. By planning the priority parameters of VRRP, OSPF, and STP, administrators control the traffic paths to enable master/backup or master/master modes, as shown below:


Fig. 3 Dual-system hot standby (VRRP protocol)

Fig. 4 Dual-system hot standby (OSPF protocol)

■ Silent dual-system hot standby

All configurations of the active and standby firewalls (including the interface IPs) are exactly the same. In normal operation, only the active device is logically visible; the standby device is silent, neither visible nor perceptible on the network. The active device sends heartbeat packets over the heartbeat link to announce its running status, and the standby device listens to that status in silence, without receiving or sending any other packet.

If the active device fails, or the standby device receives no heartbeat packet from the active device within a set period, the standby device wakes up and becomes the active firewall. It refreshes the MAC address table entries on the switch by continuously sending gratuitous ARP, thereby diverting the service traffic so that it is forwarded on behalf of the former active device. This is silent dual-system hot standby: a simple and reliable way to implement hot standby using the device’s own detection mechanism, without the help of any other protocol.


Fig. 5 Silent dual-system hot standby

3.7 Full VPN support

In response to users’ requirements for branch interconnection and mobile office, DPtech FW1000 provides full VPN support for IPSec, SSL, GRE, L2TP, PPTP and others. It supports multiple encryption algorithms including DES and 3DES, as well as certificate authentication. The built-in IPSec VPN and SSL VPN hardware encryption features not only simplify the network structure but also greatly improve the cost-effectiveness of building network security.

■ Site-to-site fixed access

1) IPSec VPN

2) GRE VPN


Fig. 6 Site to Site VPN access

■ Mobile access

1) IPSec VPN

2) PPTP VPN

3) L2TP VPN

4) SSL VPN


Fig. 7 Mobile office VPN

3.8 Firewall virtualization

3.8.1 Virtual firewalls

The DPtech ConPlat platform provides rich virtualization features at the OS or application level. OS-Level Virtualization is a concept in server virtualization. By running a virtualization layer software on the main operating system, it allows the installation of multiple guest OSs, each running independently without affecting others, even in case of failure. The virtualization software installed on the host OS abstracts the kernel and file system of the guest OS into individual containers, and is responsible for allocation of computing and storage resources and container isolation. ConPlat OS-level virtualization is shown below:


Fig. 8 OS-Level virtualization

Application-level virtualization is used on a single operating system. By running a virtualization layer between the OS and the application, failure of any application package will have no impact on other packages. Packaging the core functions of the ConPlat into a virtual firewall, the application-level virtualization ensures each virtual device has independent computing resources, forwarding entries, control plane, service plane and forwarding plane processes, in addition to stand-alone administrator and management interfaces. ConPlat Application-level virtualization is shown below:


Fig. 9 Application-level virtualization

The difference between OS-level virtualization and application-level virtualization lies in the degree of integrity. In OS-level virtualization, each virtualized instance is still a complete ConPlat software platform on which application-level virtualization is still available, such as further division of the virtual firewall. However, in application-level virtualization where only the core functions of ConPlat are virtualized, each virtualized instance is not a complete ConPlat software platform, and no further virtualization is allowed.

A traditional firewall is a single physical device, whereas virtual firewalls are multiple logical firewalls carved out of that physical device. The functions of a virtual firewall are a subset of those of the physical firewall. Virtual firewalls are mostly deployed in operator networks or IDC server rooms: the physical firewall devices are purchased and managed by the operator, and users manage their own resources by renting one or more virtual firewalls.

Virtual firewalls are completely isolated. Each of the virtual firewalls is provided with an independent user management system, allowing it to manage its own hardware resources and logical resources such as security domains, VLANs and others.

■ Virtualization of administrators

Fig. 10 Virtualization of administrators

Each virtual system has its own independent administrator. The public system is a global system that can manage all administrators on the device. The administrator of the virtual system can only see and manage the administrators of the virtual system.

■ Virtualization of physical hardware resources


Fig. 11 Virtualization of physical resources

Each virtual system is assigned with its own interfaces, which can be further divided into VLANs and allocated with IPs by the administrator of each virtual system.

■ Virtualization of logical resources


Fig. 12 Vlan-if virtualization

Global and unified logical resources such as VLANs are created by the administrators of public systems before being assigned to various virtual systems. Administrators of each virtual system can configure IPs for and assign interfaces to their own VLANs.


Fig. 13 Virtualization of security domains

Logical resources consisting merely of software, such as security domains, are maintained by administrators of each virtual system.

■ Routing virtualization

Routing virtualization is performed at the forwarding level and on the routing management. From the perspective of kernel forwarding, each virtual firewall contains multiple hardware interfaces, which are managed by their own virtual forwarding planes to realize complete isolation between different virtual firewalls. As a result, the same IP address is allowed for different virtual firewalls.


Fig. 14 Routing virtualization

From the perspective of routing management, each virtual system has its own routing management software, management domains, and management processes, independent of the other systems, so routing protocols such as OSPF and BGP run and are managed independently. Because the management domains of virtual systems are independent, CPU resources can be allocated more rationally among them, preventing a failed system from affecting the others.

3.8.2 VSM virtualization

Virtualization has been changing and evolving ever since its inception. Diverse implementation solutions have been provided by different vendors. DPtech VSM (Virtual Switching Matrix) technology is the first in the industry to integrate network and application.


Fig. 15 VSM multi-frame cascading

Multiple VSM member devices are aggregated over 10G ports, and the VSM system is also aggregated with its upstream and downstream devices. Multi-link backup thus makes the VSM system more reliable while simplifying the logical links. The VSM system is composed of multiple member devices, a Master and Slaves. The Master is responsible for the operation, management, and maintenance of the VSM, and a Slave processes services while serving as a backup. If the Master fails, the system automatically elects a new Master to ensure service continuity of the VSM system. This is also known as 1:N virtualization at the device level.

VSM is compatible with extended SW, FW, IPS, UAG, ADX, SSL VPN and other functional boards. With easy scalability of network interfaces, functions and performance, it is an ideal choice for protecting your investment.


Fig. 16 VSM virtualization configuration

VSM boasts the following advantages:

  • Simplified management: when VSM mode is enabled, users manage all member devices in the VSM from the Master device page through any port of any device, rather than connecting to each one for separate configuration and management.
  • Simplified network structure: the control protocols running in the virtual device formed by the VSM operate as on a single device, significantly simplifying the network structure.
  • High reliability: aggregation is supported on the VSM physical ports of member devices, and the VSM system is also aggregated with its upstream and downstream devices, so multi-link backup makes the VSM system more reliable. The VSM system is composed of multiple member devices, a Master and Slaves. The Master is responsible for the operation, management, and maintenance of the VSM, and a Slave processes services while serving as a backup. If the Master fails, the system automatically elects a new Master to ensure service continuity, providing dual-system standby.
  • High performance: because the VSM system results from virtualizing two or more stand-alone devices that support VSM into one, its processing capacity and port count are the sum of the switching capacity and port count of all member devices. VSM can therefore multiply core switching capacity and user port density several times over, substantially improving device performance.
  • Multiple cascading modes: in frame devices, VSM allows multiple boards to serve as cascading boards to meet diverse user requirements. It currently supports 4*10GE and 8*10GE board cascading.
  • Rich functions: all functions available on stand-alone devices are supported in the VSM system.

3.8.3 N:M virtualization

DPtech’s original N:M virtualization technology can realize virtualization by integrating N devices into a VSM system (N-->1), which is then divided into M virtual firewalls as needed (1-->M) to achieve N:M virtualization.

  • Cascade N frame devices and virtualize them through VSM into a single device
  • Virtualize the cascaded devices into M logical sub-devices and assign them to the corresponding administrators for independent management and use
  • Expand processing performance, port density, and the number of virtual firewalls as needed

Fig. 17 N:M virtualization

N:M virtualization enables secure Cloud computing:

  • High performance single-board processing capability
  • Large-capacity backplane switching capability, multi-frame cascading, and expanded overall processing capabilities through the board and the frame
  • Integrating network security, application delivery, and service switching, it provides all-round protection to ensure the security of Cloud computing.
  • Comprehensive OS-level virtualization is realized in terms of management, protocol, forwarding, and resources. By virtualizing one device into multiple stand-alone devices, it guarantees the security of Cloud computing.
