HW SD-WAN 05 Security

Uploaded by

xem phim
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
137 views42 pages

HW SD-WAN 05 Security

Uploaded by

xem phim
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 42

SD-WAN Security

Foreword
⚫ On a conventional enterprise WAN, enterprise branches connect to the headquarters, for example,
through MPLS private lines, to access the headquarters or data center for service operations or Internet
access. Security policies can be implemented at the headquarters, for example, deploying firewalls and
other security devices, to manage and control branch-to-Internet access behaviors. The relatively closed
network architecture of conventional enterprise WANs ensures security to some extent.
⚫ With the emergence of SD-WAN, the conventional closed architecture of enterprise WANs transforms
to an open architecture, which enlarges the attack surface and brings new security challenges such as
unauthorized access, data leakage, and network attacks.
⚫ This course describes how to cope with these security challenges to meet the confidentiality, integrity,
availability, and traceability requirements of SD-WAN networks and provide a secure, reliable, and
stable service running environment.

1 Huawei Confidential
Objectives

⚫ On completion of this course, you will be able to:
▫ Describe the basic concepts and design principles of system security and service security in the SD-WAN Solution.
▫ Understand the security protocols and mechanisms used for communication between components of the SD-WAN Solution.
▫ Describe the basic principles and application scenarios of service security functions provided by the SD-WAN Solution.
Contents

1. SD-WAN Security Overview

2. System Security
▫ Inter-Component Communication Security
▫ Component Security

3. Service Security
▫ Site-to-Site Access Security
▫ Site-to-Internet Access Security
▫ Site-to-SaaS Application Access Security
SD-WAN Security Risks
⚫ The SD-WAN Solution is built on a public network, and therefore its components are vulnerable to attacks and the communication between components faces security risks. In addition, user services carried by the SD-WAN Solution, such as site-to-site, site-to-Internet, and site-to-SaaS application access services, are threatened by various security risks. The SD-WAN Solution faces the following security challenges:
▫ Identity spoofing
▫ Data leakage
▫ Network attacks
▫ Service security requirements

Figure: SD-WAN topology with iMaster NCE-WAN, an RR, the HQ/DC CPE and several branch CPEs interconnected over MPLS and the Internet, plus SaaS applications reached over the Internet.

• Identity spoofing: A component may be spoofed when it is registered and goes online. In this case, an identity authentication mechanism is required to ensure secure access of components and prevent identity spoofing.

• Data leakage: Inter-component communication data and user service data are transmitted over a public network such as the Internet. Such data may be intercepted or tampered with, which affects system operation.

• Network attacks: Components provide interfaces for external interaction, and are therefore vulnerable to various attacks and intrusions such as flood attacks and application-layer attacks, which affect system availability.

• Service security requirements: User services carried by the SD-WAN Solution have security requirements, such as filtering specific packets, blocking intrusion behaviors, and limiting access to URLs.
SD-WAN Security Solution
⚫ To help enterprises better cope with the security challenges facing the SD-WAN Solution and take measures accordingly, Huawei defines security of the SD-WAN Solution from two aspects:
▫ System security: refers to the security of the SD-WAN Solution itself. The Huawei SD-WAN Solution provides system security to ensure secure and reliable system running.
▫ Service security: refers to the security of services carried by the SD-WAN Solution. The Huawei SD-WAN Solution provides security protection measures that enterprises can flexibly select based on their actual requirements, to ensure secure and reliable running of user services.

Figure: the same SD-WAN topology (iMaster NCE-WAN, RR, HQ/DC and branch CPEs over MPLS and the Internet, SaaS applications), with security hardening applied to the components.

• System security covers the following aspects:

▫ Inter-component communication security

▫ Component security

• Service security covers the following aspects:

▫ Site-to-site access security

▫ Site-to-Internet access security

▫ Site-to-SaaS application access security

• Huawei SD-WAN Solution provides the following service security functions:

▫ IPsec

▫ Firewall

▫ IPS

▫ URL filtering

▫ Advanced security VAS

▫ Third-party cloud security


Inter-Component Communication Security
⚫ Key components of the SD-WAN Solution include iMaster NCE-WAN, route reflectors (RRs), and customer-premises equipment (CPEs). The components use secure communication protocols to establish management, control, and data channels with each other to ensure communication security.
⚫ Management channel
▫ Management channels are established between CPEs or RRs and iMaster NCE-WAN.
▫ The management channel security mechanisms include identity authentication and secure data transmission.
⚫ Control channel
▫ Control channels are established between CPEs and RRs.
▫ The control channel security mechanisms include identity authentication and secure data transmission.
⚫ Data channel
▫ Data channels are established between CPEs.
▫ The data channel security mechanism ensures secure transmission of service data.

Figure: iMaster NCE-WAN with management channels down to the RR and the CPEs; the RR with control channels to the CPEs; a data channel between the branch CPE and the HQ/DC CPE across the Internet/MPLS underlay.
Management Channel Security (1)
⚫ After a CPE is powered on and registers with iMaster NCE-WAN, iMaster NCE-WAN configures and delivers services to the CPE. In this process, the CPE and iMaster NCE-WAN may be spoofed because they reside on a public network.
⚫ Bidirectional certificate authentication is used to enable the CPE and iMaster NCE-WAN to verify each other's certificates and confirm their validity.
⚫ Certificate Authority (CA): issues certificates.
⚫ CA certificate: refers to a certificate issued by a CA.
⚫ Device certificate: refers to a certificate issued by a CA to a device. Here, devices refer to the CPE and iMaster NCE-WAN.

Bidirectional certificate authentication (both the CPE and iMaster NCE-WAN are pre-configured with a device certificate and a CA certificate):
1. The CPE sets up a TCP connection to iMaster NCE-WAN and opens an SSH session (Callhome).
2. The CPE sends its certificates. iMaster NCE-WAN verifies them: (1) certificate validity, that is, the certificate chains to the pre-configured CA certificate; (2) certificate validity period.
3. iMaster NCE-WAN sends its certificates. The CPE verifies them in the same way: (1) certificate validity; (2) certificate validity period.
4. Bidirectional certificate authentication succeeds.

• iMaster NCE-WAN verifies the validity and validity period of a CPE's certificates.
• A CPE verifies the validity and validity period of the certificates of iMaster NCE-WAN.
• Callhome: proactive device registration function. The CPE initiates the connection to iMaster NCE-WAN, rather than waiting to be contacted.

Management Channel Security (2)
⚫ Because CPEs and iMaster NCE-WAN reside on a public network, data transmitted between them may be leaked or tampered with.
⚫ The Network Configuration Protocol (NETCONF) provides a mechanism for managing network devices, which can be used to add, delete, modify, and obtain network device data. NETCONF uses the Secure Shell (SSH) protocol as the secure transport layer to provide a communication path for interaction between the client and server.
⚫ Secure Sockets Layer (SSL) is a security protocol that provides security and data integrity for network communication. It can be used to encrypt network connections between the transport layer and application layer. (SSL itself is deprecated; what is deployed today is its successor, TLS. This course keeps the SSL name.)

Secure data transmission between the CPE and iMaster NCE-WAN:
• NETCONF over SSH
• File download over SSL
• HTTP/2 over SSL
• The data security of management channels relies on the SSH and SSL protocols, with NETCONF over SSH, HTTP/2 over SSL, and file download over SSL implemented.
• The encryption and verification functions provided by SSH and SSL ensure confidentiality and integrity of data during transmission.

• Management channels contain NETCONF connections, file download connections, as well as HTTP/2 connections for performance data reporting.
• SSH provides secure remote login and other secure network services over insecure networks.
Control Channel Security
⚫ Because CPEs and RRs reside on a public network, control channels established between them may be spoofed. After control channels are established, data may be intercepted or tampered with during transmission in the channels.

Bidirectional certificate authentication (both the CPE and the RR are pre-configured with a device certificate and a CA certificate):
1. The CPE sets up a DTLS connection to the RR.
2. The CPE sends its certificates. The RR verifies them: (1) certificate validity; (2) certificate validity period.
3. The RR sends its certificates. The CPE verifies them: (1) certificate validity; (2) certificate validity period.
4. Bidirectional certificate authentication succeeds.

Secure data transmission between the CPE and the RR:
• DTLS
• BGP over GRE over IPsec
• The Datagram Transport Layer Security (DTLS) protocol provides a security solution for UDP transmission.
• The data security of control channels relies on the DTLS and IPsec protocols, which ensure confidentiality and integrity of data during transmission.

• Control channels contain DTLS connections and BGP connections that are derived from DTLS connections. A CPE exchanges IPsec tunnel information with an RR through a DTLS connection and then establishes a BGP connection with the RR under the protection of the IPsec encryption mechanism.
• The RR verifies the validity and validity period of the CPE's certificates.
• The CPE verifies the validity and validity period of the RR's certificates.
Data Channel Security
⚫ Inter-site data is transmitted across public networks, and may be leaked or tampered with during transmission. In this case, encryption is required to ensure security of data during transmission.

Secure data transmission:
• Data between CPEs is carried over the overlay tunnel (GRE over IPsec) established between them. IPsec is used to ensure confidentiality and integrity of the data during transmission.

IPsec SA generation:
Figure: the RR distributes IPsec SA information to CPE-1, CPE-2, and CPE-3 over the control channels; the CPEs then bring up IPsec tunnels (CPE-1 to CPE-2, CPE-2 to CPE-3) from the distributed SAs.
• A Security Association (SA) defines elements for secure communication between two peers, such as security protocols as well as encryption and authentication algorithms.
• CPEs establish IPsec SAs based on IPsec SA information advertised by RRs through control channels, not through Internet Key Exchange (IKE) negotiation. This improves the establishment flexibility and scalability of IPsec tunnels.

• IPsec encryption can be enabled or disabled per VPN (department).
• The IKE protocol provides the mechanisms of automatic key negotiation and IPsec SA establishment to simplify IPsec configuration and maintenance.
• Because SA parameters are distributed over the control channel instead of negotiated with IKE, the confidentiality of the data channel rests on the control channel: the DTLS connection and the bidirectional certificate authentication described on the previous slide are what prevent SA information from being read or injected.
Component Security (1)
⚫ Security of iMaster NCE-WAN
▫ iMaster NCE-WAN is a key component of the SD-WAN Solution, and its security directly determines the reliability and availability of the entire network. iMaster NCE-WAN must be deployed in a firewall-protected area and provide comprehensive security functions to mitigate security risks. The security functions include but are not limited to those in the following table.

Category | Subcategory | Measures
Identity authentication and permission control | Authentication | Local and remote authentication (LDAP); two-factor authentication (user name/password + SMS verification code)
Identity authentication and permission control | Permission control | Role-based permission control; tenant- and domain-based permission control
Data protection | Key management | Secure encryption algorithms; hierarchical key management
Data protection | Data storage | Data access control; encrypted data storage
Data protection | Data transmission | Secure communication protocols; encrypted data transmission
Security detection and response | Attack detection | Attack detection from multiple dimensions, including ports, web pages, and operating systems
Security detection and response | Intrusion prevention | Defense against various intrusion behaviors
Security detection and response | Anti-DoS/DDoS | Defense against common traffic attacks
Privacy protection | - | Strict access permission control
Security audit | - | Comprehensive logging and event recording functions
Security management | Secure upgrade and patch installation | Administrator authentication (only authenticated administrators can perform upgrade and patch installation operations)
Security management | System protection | Integrity protection and signature verification for software and patches
Security deployment | - | Zone planning, hierarchical deployment, and firewall deployment for isolation

• The Lightweight Directory Access Protocol (LDAP) is used for accessing online
directory services based on TCP/IP.
Component Security (2)
⚫ Security of CPEs and RRs
▫ The security of the physical and network environments where CPEs and RRs reside must be ensured, so that the CPEs and RRs can run securely, reliably, and stably. The system architecture of CPEs and RRs complies with the three-layer and three-plane security isolation mechanism defined by ITU-T X.805, in which the management, control, and forwarding planes are isolated. This ensures that attacks on any of the planes do not affect other planes. In addition, CPEs and RRs themselves must have multiple security protection capabilities, including but not limited to those in the following table.

Category | Measures
Physical security | The service ports, serial ports, and services that are not in use are disabled to prevent attacks on devices through them.
Data security | Sensitive data, such as service data, user names, and passwords, is encrypted to prevent leakage. Data access permissions are controlled to prevent unauthorized access to data.
Authentication | Identity authentication and permission control are performed on user login behaviors. Local authentication and remote authentication (HWTACACS) are supported. User names and passwords are strictly protected, password complexity is checked, and an anti-brute-force mechanism is implemented.
Attack defense | CPEs and RRs can defend against various network attacks, such as IP flood attacks, ICMP flood attacks, malformed packet attacks, and packet fragment attacks.
Security audit | A log system records all system configuration operations and the exceptions that occur while the system is running, facilitating post-event auditing.

• The ITU-T X.805 standard defines a security architecture for end-to-end communication systems. It defines three security layers (infrastructure, service, and application security layers) and three security planes (control, management, and forwarding planes). In addition, this security architecture protects each security plane at each security layer from eight security dimensions.

• Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhancement of TACACS (defined in RFC 1492), and is a centralized information exchange protocol using the client/server architecture. It uses TCP for transmission, and the TCP port number is 49.

• The authentication, authorization, and accounting services provided by HWTACACS are independent of each other and can be implemented on different servers.
Site-to-Site Access Security
Service traffic between sites is transmitted over a public network (such as the Internet), and may be leaked or tampered with during transmission. In this case, IPsec is required to protect data. Site-to-site access security is also a type of data channel security.

Figure: site-to-site access traffic between a branch CPE and the HQ/DC CPE, carried in IPsec across MPLS/Internet; the other branch CPEs and the SaaS applications are shown for context.
GRE over IPsec for Secure Data Transmission
⚫ Site-to-site access traffic is first encapsulated by GRE. GRE is simple. However, data is transmitted over GRE tunnels in clear text and is prone to interception.
⚫ Typically, GRE is used together with IPsec on the live network. GRE is used to establish interconnection channels between sites, and IPsec is used to encrypt GRE tunnel packets.

GRE over IPsec data encapsulation (the IPsec transport mode is used as an example). The GRE tunnel (internal) runs between the branch and HQ GRE tunnel interfaces; the IPsec tunnel (external) uses the same endpoints, IPA and IPB:
1. The branch host sends the original packet towards the GRE tunnel interface: [S:IP1, D:IP2 | Data].
2. The branch CPE adds the GRE header and a delivery header carrying the tunnel endpoints: [S:IPA, D:IPB | GRE | S:IP1, D:IP2 | Data].
3. IPsec in transport mode inserts an ESP header after the delivery header and encrypts everything behind it: [S:IPA, D:IPB | ESP | GRE | S:IP1, D:IP2 | Data], where GRE through Data is encrypted. Only the outer addresses IPA and IPB are visible on the public network.
4. The HQ CPE decapsulates in reverse order: it verifies and decrypts the ESP payload, removes the GRE header, and forwards [S:IP1, D:IP2 | Data] out of its GRE tunnel interface.
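The encapsulation above, worked through in code. This is an added example written for this page, not Huawei code and not how a CPE implements ESP: the addresses, keys and SPI are constructed, the IPv4 checksum is left at zero, and the confidentiality transform is an HMAC-based keystream standing in for the AES transform a real SA would carry. What it does show faithfully is the layering from the figure, that the ICV is checked before anything is decrypted, and that the inner addresses IP1/IP2 never appear in the clear on the wire while IPA/IPB do:

```python
"""GRE over IPsec (ESP, transport mode): build the wire packet from the
slide and undo it, checking what an on-path observer can read."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

GRE_PROTO, ESP_PROTO = 47, 50   # IP protocol numbers of GRE and ESP
IV_LEN, ICV_LEN = 16, 16        # IV and truncated-ICV sizes, as with ESP + HMAC-SHA-256


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left 0 because nothing here routes it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def gre_encap(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Step 2 of the slide: delivery header (S:IPA, D:IPB) + 4-byte GRE header + original packet."""
    gre = struct.pack("!HH", 0, 0x0800) + inner           # flags/version 0, protocol type IPv4
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre)) + gre


def gre_decap(packet: bytes) -> bytes:
    """Strip delivery and GRE headers; refuse anything that is not plain GRE-in-IPv4."""
    if packet[9] != GRE_PROTO or packet[20:24] != struct.pack("!HH", 0, 0x0800):
        raise ValueError("not a plain GRE/IPv4 packet")
    return packet[24:]


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in confidentiality transform (HMAC-SHA-256 in counter mode). A real CPE uses the
    AES transform from the SA; this only makes the plaintext unreadable for the walk-through."""
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_transport_encap(sa: dict, gre_packet: bytes, iv: bytes) -> bytes:
    """Step 3: keep the delivery header, insert ESP, encrypt GRE..Data plus trailer, append ICV."""
    ip_hdr, payload = gre_packet[:20], gre_packet[20:]
    src, dst = IPv4Address(ip_hdr[12:16]), IPv4Address(ip_hdr[16:20])
    pad_len = (-(len(payload) + 2)) % 4                   # ESP trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, GRE_PROTO])  # next header = GRE
    plaintext = payload + trailer
    ciphertext = _xor(plaintext, _keystream(sa["enc_key"], iv, len(plaintext)))
    esp_hdr = struct.pack("!II", sa["spi"], sa["seq"])
    sa["seq"] += 1
    icv = hmac.new(sa["auth_key"], esp_hdr + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    body = esp_hdr + iv + ciphertext + icv
    return ipv4_header(str(src), str(dst), ESP_PROTO, len(body)) + body


def esp_transport_decap(sa: dict, packet: bytes) -> bytes:
    """Step 4: verify the ICV first; only then decrypt and rebuild the GRE delivery packet."""
    if packet[9] != ESP_PROTO:
        raise ValueError("outer header is not ESP")
    esp_hdr, iv = packet[20:28], packet[28:28 + IV_LEN]
    ciphertext, icv = packet[28 + IV_LEN:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], esp_hdr + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet forged or tampered with")
    spi, _seq = struct.unpack("!II", esp_hdr)
    if spi != sa["spi"]:
        raise ValueError("unknown SPI")
    plaintext = _xor(ciphertext, _keystream(sa["enc_key"], iv, len(ciphertext)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    payload = plaintext[:-(pad_len + 2)]
    src, dst = IPv4Address(packet[12:16]), IPv4Address(packet[16:20])
    return ipv4_header(str(src), str(dst), next_hdr, len(payload)) + payload


def demo() -> dict:
    """Branch host IP1 -> HQ host IP2 through the IPA/IPB tunnel. All values are constructed."""
    sa = {"spi": 0x1001, "seq": 1, "enc_key": b"\x11" * 32, "auth_key": b"\x22" * 32}
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 17, 4) + b"data"   # [S:IP1, D:IP2 | Data]
    wire = esp_transport_encap(sa, gre_encap(inner, "203.0.113.1", "198.51.100.1"), iv=bytes(16))
    recovered = gre_decap(esp_transport_decap(sa, wire))
    return {"wire": wire, "recovered": recovered, "inner": inner,
            "outer_visible": IPv4Address("203.0.113.1").packed in wire[:20],
            "inner_hidden": IPv4Address("10.1.1.10").packed not in wire}


if __name__ == "__main__":
    r = demo()
    print("round trip ok:", r["recovered"] == r["inner"], "inner addresses hidden:", r["inner_hidden"])
```

A fixed all-zero IV is used only to keep the walk-through deterministic; a real ESP sender must use a fresh IV per packet, and the order in esp_transport_decap (ICV before decryption, constant-time compare) is the part worth copying.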

Site-to-Internet Access Security
Direct site-to-Internet access faces various security risks. In such an access scenario, CPEs need to provide certain service security protection capabilities, such as firewall, intrusion prevention system (IPS), and URL filtering. In addition, Value-Added Service (VAS) functions can be deployed on SD-WAN networks to provide advanced security protection through physical firewalls deployed in off-path mode.

Figure: branch CPEs accessing the Internet and SaaS applications directly, with firewall/IPS/URL filtering enabled on the CPE, and an advanced security VAS (off-path physical firewall) attached to the SD-WAN network.
Basic Firewall Concepts: Zone
⚫ Security zones (or zones) are defined on a firewall. A security zone is a collection of networks connected through one or more interfaces. The firewall considers data flows within a single security zone to be trusted and applies no security policy to them. The firewall checks data and enforces security policies only when data flows from one zone to another.
⚫ A local zone is the device itself, including the interfaces on the device. The local zone of a device is the highest-level security zone, with a security priority of 100.

Zone | Default security priority
Untrust zone | 5 (low security level)
Demilitarized zone (DMZ) | 50 (medium security level)
Trust zone | 85 (high security level)
Local zone | 100 (highest security level)

Figure: egress device (built-in firewall) with the trust zone on the intranet side, the DMZ, and the untrust zone towards the Internet.

• The names of default security zones on a firewall contain only lowercase letters
and are case-sensitive. The security zones include:
▫ Untrust zone: defines insecure networks such as the Internet.
▫ DMZ: defines the zone where intranet servers reside. Intranet servers are
frequently accessed by extranet devices but are not allowed to proactively
access the extranet. Therefore, intranet servers face security risks, and need to
be deployed in a security zone with a priority lower than the trust zone and
higher than the untrust zone.
▪ A DMZ is originally a military term, referring to a partially controlled
area between a military control area and a public area. A DMZ
configured on a firewall is logically and physically separated from
intranets and extranets.
▪ The servers such as WWW servers and FTP servers that provide network
services for external devices are deployed in a DMZ. If these servers are
deployed on an intranet, malicious users may exploit security
vulnerabilities of some services to attack the intranet. If they are
deployed on an extranet, their security cannot be ensured.
▫ Trust zone: defines the zone where intranet terminals reside.
▫ Local zone: defines a device itself, including the interfaces on the device. All
packets constructed on and proactively sent from the device are considered to
be sent from the local zone, and the packets to be responded and processed
by the device (not only detected or forwarded) are considered to be received
by the local zone. Local zone configurations cannot be modified. For example,
interfaces cannot be added to the local zone.
• Due to the particularity of the local zone, a security policy needs to be
configured to permit packet exchange between the local zone and the
security zone of a peer in scenarios where a device is required to send and
receive packets.
Basic Firewall Concepts: Interzone Direction
⚫ The traffic passing through a firewall is directional. An interzone security policy takes effect only when it is applied to the correct direction.
⚫ The direction of traffic on a firewall is determined by zone priorities.
▫ Inbound direction: refers to the direction of traffic flowing from a low-priority zone to a high-priority zone.
▫ Outbound direction: refers to the direction of traffic flowing from a high-priority zone to a low-priority zone.

Figure: egress device (built-in firewall) connecting the trust zone (priority 85), the DMZ (priority 50), and the untrust zone (priority 5, the Internet). Traffic from the trust zone to the untrust zone is outbound; traffic from the untrust zone to the DMZ is inbound.
Basic Firewall Concepts: Security Policy
⚫ Security policies can be used to control traffic between security zones on a firewall.
▫ A security policy must be applied to a direction (for example, Trust -> Untrust, outbound).
▫ When traffic matches a security policy, the firewall determines, based on the security policy, whether to permit the traffic or to perform in-depth security protection (for example, IPS and URL filtering) on it.
▫ Security policies are enforced in sequence. Traffic that does not match any security policy is denied by the default policy.

Example (Trust -> Untrust, outbound):
Policy | Match | Action
Policy 10 | Traffic A | Permit, then IPS and URL filtering on traffic A
Policy 20 | Traffic B | Deny
Default policy | All remaining traffic (here, traffic C) | Deny

Figure: egress device (built-in firewall) between the trust zone and the untrust zone (Internet).

• A firewall basically protects a network from being attacked by any untrusted network while permitting legitimate communication between two networks. Security policies are used to check data flows passing through a firewall. Only the data flows that match a security policy with the action Permit are allowed to pass through the firewall.
• Security policies on a firewall can control the access permissions of intranet users to the extranet and control access between intranet subnets of different security levels. In addition, security policies can control access to the firewall itself, for example, restricting the IP addresses that can log in to the firewall through Telnet and the web system, and controlling communication between the NMS/NTP server and the firewall.
• Security policies define rules for processing data flows on a firewall, and the firewall processes data flows according to those rules. The core functions of security policies are therefore to filter the traffic passing through the firewall according to the defined rules and to decide what is done next with the matched traffic.
• Security policies on a firewall are the basic means of providing secure network access for the data flows passing through the firewall, and determine whether subsequent application data flows are processed. An NGFW analyzes traffic and retrieves traffic attributes, including the source security zone, destination security zone, source IP address, source region, destination IP address, destination region, user, service (source port number, destination port number, and protocol type), application, and time range.
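The zone, direction and policy concepts from the last three slides as one small evaluator. This is an added illustration written for this page, not the CPE's firewall code: the policy names, prefixes and ports are assumptions, and the intrazone behaviour follows the slide's statement that traffic within one zone is not policed. What it shows beyond the slides' statements is that order matters (policy 10 is tried before policy 20), that a permit carries its in-depth profiles while a deny does not, and that traffic to the local zone hits the default deny until a policy naming the local zone exists:

```python
"""Zone-based security policy evaluation as described on the firewall slides:
zone priorities decide the direction, policies are matched in order, and the
default policy denies whatever nothing else matched."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Default zones and priorities from the zone slide (local zone = the device itself).
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def direction(src_zone: str, dst_zone: str) -> str:
    """Inbound = low-priority zone to high-priority zone; outbound = the reverse."""
    if src_zone == dst_zone:
        return "intrazone"
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    action: str                              # "permit" or "deny"
    src_nets: tuple = ("0.0.0.0/0",)
    dst_nets: tuple = ("0.0.0.0/0",)
    services: tuple = ()                     # () = any; otherwise (proto, dst_port) pairs
    profiles: tuple = ()                     # in-depth protection applied to permitted traffic


def _in_any(addr: str, nets: tuple) -> bool:
    return any(ip_address(addr) in ip_network(n) for n in nets)


def evaluate(policies: list, flow: dict) -> tuple:
    """First matching policy wins. Returns (policy name, action, profiles to apply)."""
    if flow["src_zone"] == flow["dst_zone"]:
        return ("intrazone", "permit", ())    # zone slide: no policy is applied within a zone
    for p in policies:
        if (p.src_zone, p.dst_zone) != (flow["src_zone"], flow["dst_zone"]):
            continue
        if not (_in_any(flow["src"], p.src_nets) and _in_any(flow["dst"], p.dst_nets)):
            continue
        if p.services and (flow["proto"], flow["dport"]) not in p.services:
            continue
        return (p.name, p.action, p.profiles if p.action == "permit" else ())
    return ("default", "deny", ())            # policy slide: unmatched traffic hits the default policy


# Constructed policy set for an egress CPE (names, prefixes and ports are assumptions).
POLICIES = [
    # Policy 10 on the slide: web traffic out, then IPS and URL filtering on what is permitted.
    Policy("policy10_web_out", "trust", "untrust", "permit", ("192.168.1.0/24",),
           services=(("tcp", 80), ("tcp", 443)), profiles=("ips", "url-filter")),
    # Policy 20 on the slide: an explicit deny for traffic that must never leave.
    Policy("policy20_no_telnet", "trust", "untrust", "deny", services=(("tcp", 23),)),
    # Zone slide notes: the local zone needs its own policy before the CPE may reach NTP itself.
    Policy("local_ntp_out", "local", "untrust", "permit", services=(("udp", 123),)),
    # Inbound (untrust -> dmz) example: one published HTTPS server only.
    Policy("dmz_web_in", "untrust", "dmz", "permit", dst_nets=("172.16.0.10/32",),
           services=(("tcp", 443),)),
]


def flow(src_zone, src, dst_zone, dst, proto, dport) -> dict:
    return {"src_zone": src_zone, "src": src, "dst_zone": dst_zone, "dst": dst,
            "proto": proto, "dport": dport}


if __name__ == "__main__":
    for f in (flow("trust", "192.168.1.10", "untrust", "203.0.113.5", "tcp", 443),
              flow("trust", "192.168.1.10", "untrust", "203.0.113.5", "tcp", 23),
              flow("untrust", "198.51.100.7", "trust", "192.168.1.10", "tcp", 22),
              flow("untrust", "198.51.100.7", "local", "203.0.113.1", "tcp", 22),
              flow("local", "203.0.113.1", "untrust", "203.0.113.9", "udp", 123)):
        print(direction(f["src_zone"], f["dst_zone"]), evaluate(POLICIES, f))
```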
Application Scenarios of the Firewall Function
• Centralized Internet access scenario: Internet access traffic of all branch sites is diverted to the HQ site (as overlay traffic over MPLS) and then to the Internet. The firewall function needs to be enabled on the CPE at the HQ site to isolate the intranet and extranet.
• Local Internet access scenario: Internet access traffic of the branch site and HQ site is directly transmitted to the Internet from the local CPEs (as underlay traffic). The firewall function needs to be enabled on the CPEs at both the branch site and the HQ site to isolate the intranet and extranet.
IPS Overview
⚫ The IPS is a network security mechanism.
⚫ It is used to detect intrusion behaviors (such as buffer overflow attacks, Trojan horses, and worms) by analyzing network traffic, and then block the intrusion behaviors in real time through certain response methods. The IPS helps to protect enterprise information systems and network architectures against intrusions.
⚫ The IPS has the following advantages:
▫ Real-time attack blocking
▫ In-depth protection
▫ All-round protection
▫ Internal and external prevention
▫ Constant update for up-to-date protection

Figure: viruses, Trojan horses, spyware, and worms arriving from the Internet at the egress device (built-in firewall, IPS function enabled), behind which the campus network's access switch connects authorized users.

• The IPS can detect and block network intrusions in real time. After detecting
network intrusions, the IPS can automatically discard intrusion packets or block
attack sources to fundamentally prevent attacks. The IPS has the following
advantages:
▫ Real-time attack blocking: When the IPS deployed on a network in in-path
mode detects network intrusions, it can block the intrusions and attack traffic
in real time, minimizing impacts of the intrusions.
▫ In-depth protection: New attacks are hidden at the application layer of the
TCP/IP protocol. The IPS can detect the content of application-layer packets,
analyze and reassemble network data flows for protocol analysis and
detection, and determine the traffic that must be blocked based on the attack
type and policy.
▫ All-round protection: The IPS provides protection measures against a variety of
attacks such as worms, viruses, Trojan horses, botnets, spyware, adware,
Common Gateway Interface (CGI) attacks, cross-site scripting attacks, injection
attacks, directory traversal attacks, information leaks, remote file inclusion
attacks, overflow attacks, code execution, DoS attacks, and scanning attacks,
comprehensively protecting network security.
▫ Internal and external protection: The IPS can protect enterprises from both
external and internal attacks. The IPS can detect the traffic passing through
and protect servers and clients.
▫ Constant update for up-to-date protection: The IPS signature database is
constantly updated to maintain the highest security level. You can periodically
update the IPS signature database from the update center to ensure effective
intrusion prevention.
Basic Concepts of IPS
⚫ The IPS needs to identify intrusion traffic before controlling the intrusion traffic. Intrusion traffic identification and control are implemented by the following functional modules:
▫ IPS signature database: defines features of various common intrusion behaviors and assigns a unique intrusion behavior ID for each kind of intrusion behavior feature.
▫ IPS signature: describes the features of an intrusion behavior on the network and the action to be taken for the intrusion behavior. IPS signatures can be pre-defined or user-defined.
▫ Signature filter: is a collection of signatures that meet specified filtering conditions. You can add multiple signatures to a signature filter and redefine the action to be taken for the traffic matching any signature in the signature filter.
▫ Exception signature: Some signatures in a signature filter can be configured with actions different from that of the signature filter.
▫ IPS profile: contains multiple signature filters and exception signatures. A CPE processes traffic based on an IPS profile.

Figure: three signatures (feature + behavior): A01 (feature 1, action alert), B01 (feature 2, action block), C01 (feature 3, action block). The IPS profile contains signature filter 1 (protocol HTTP, action default), signature filter 2 (protocol UDP, action allow), and exception signature 1 (C01, action allow).

• By default, a CPE has multiple default IPS profiles for different application
scenarios. The default IPS profiles can be viewed, copied, and referenced by
security policies, but cannot be modified or deleted.

▫ strict: It contains all signatures and the action is block. It is applicable to all
protocols and all threat categories. This profile applies to scenarios where all
packets that match signatures need to be blocked.

▫ web_server: It contains all signatures and the default actions are used. It is
applicable to the DNS, HTTP, and FTP protocols, and all threat categories. This
profile applies to the scenarios where the CPE is deployed in front of a web
server.

▫ file_server: It contains all signatures and the default actions are used. It is
applicable to the DNS, SMB, NetBIOS, NFS, SunRPC, MSRPC, file transfer, and
Telnet protocols, and all threat categories. This profile applies to the scenarios
where the CPE is deployed in front of a file server.

▫ dns_server: It contains all signatures and the default actions are used. It is
applicable to the DNS protocol and all threat categories. This profile applies to
the scenarios where the CPE is deployed in front of a DNS server.
▫ mail_server: It contains all signatures and the default actions are used. It is
applicable to the DNS, IMAP4, SMTP, and POP3 protocols, and all threat
categories. This profile applies to the scenarios where the CPE is deployed in
front of a mail server.

▫ inside_firewall: It contains all signatures and the default actions are used. It is
applicable to all protocols and all threat categories. This profile applies to the
scenarios where the CPE is deployed behind a firewall.

▫ dmz: It contains all signatures and the default actions are used. It is applicable
to all protocols except NetBIOS, NFS, SMB, Telnet, and TFTP, and all threat
categories. This profile applies to the scenarios where the CPE is deployed in
front of a DMZ.

▫ outside_firewall: It contains all signatures and the default actions are used. It
is applicable to all protocols and all threats except Scanner. This profile applies
to the scenarios where the CPE is deployed in front of a firewall.

▫ ids: It contains all signatures and the action is alert. It is applicable to all
protocols and all threat categories. This profile applies to the scenarios where
the CPE is deployed in off-path mode as an IDS device.

▫ default: It contains all signatures and the default actions are used. It is
applicable to all protocols and all threat categories. This profile applies to the
scenarios where the CPE is deployed in in-path mode as an IPS device.
IPS Implementation
⚫ When a data flow matches a security policy that contains an IPS profile, the CPE sends the data flow to the IPS module to match the signatures referenced by the IPS profile one by one.
⚫ If the data flow matches a signature, the action defined for the signature, such as block or alert, is taken for the data flow.

Example (IPS module on the egress device with built-in firewall/IPS, inspecting HTTP traffic and UDP video traffic from the Internet):
Signatures (feature + behavior):
• A01: type predefined, protocol HTTP, other conditions: condition A, action alert
• B01: type predefined, protocol UDP, other conditions: condition B, action block
IPS profile:
• Signature filter 1: protocol HTTP, action default; references A01
• Signature filter 2: protocol UDP, action default; references B01
Actual action of the signature: A01 -> alert (HTTP traffic), B01 -> block (UDP video traffic)

• When a data flow matches multiple signatures, the actual action for the data
flow is as follows:

▫ If the actions defined for all the matched signatures are alert, the action for
the data flow is alert.

▫ If the action defined for any of the matched signatures is block, the action for
the data flow is block.

• When a data flow matches multiple signature filters, the action defined for the
signature filter with the highest priority will be taken for the data flow.
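The action-resolution rules above (block overrides alert; the highest-priority signature filter wins), as an added example that is not part of the Huawei course material. The signature IDs, the detection conditions, and the assumption that a larger priority number is consulted first are constructed for illustration.

```python
# Added example (not Huawei course code): models how the CPE IPS module resolves
# the final action for a data flow using the rules on this page: any matched
# signature with block -> block; all alert -> alert; and when several signature
# filters match, the highest-priority filter decides. Signature IDs, conditions
# and the "higher number = higher priority" convention are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Signature:
    sig_id: str
    protocol: str
    default_action: str  # vendor default for this signature: "alert" or "block"
    condition: str       # constructed stand-in for the signature's detection condition

@dataclass
class SignatureFilter:
    name: str
    protocol: str
    action: str = "default"  # "default" keeps each signature's own action
    priority: int = 0        # assumption: a higher number is consulted first

def effective_action(sig: Signature, flt: SignatureFilter) -> str:
    """Action a signature takes when referenced through a given filter."""
    return sig.default_action if flt.action == "default" else flt.action

def combine_actions(actions) -> str:
    """Page rule: any block -> block; otherwise (all alert) -> alert."""
    if not actions:
        return "permit"  # no signature matched: the IPS does not intervene
    return "block" if "block" in actions else "alert"

def resolve_flow(flow, signatures, filters) -> str:
    """flow = {'protocol': ..., 'conditions': set(...)}; returns the final action."""
    matched = [f for f in filters if f.protocol == flow["protocol"]]
    if not matched:
        return "permit"
    top = max(matched, key=lambda f: f.priority)  # highest-priority filter wins
    hits = [s for s in signatures
            if s.protocol == top.protocol and s.condition in flow["conditions"]]
    return combine_actions([effective_action(s, top) for s in hits])

# Constructed signatures and filters mirroring the slide's A01/B01 figure.
SIGNATURES = [Signature("A01", "HTTP", "alert", "condition A"),
              Signature("B01", "UDP", "block", "condition B")]
FILTERS = [SignatureFilter("filter1", "HTTP", priority=10),
           SignatureFilter("filter2", "UDP", priority=10),
           SignatureFilter("udp-alert-only", "UDP", action="alert", priority=5)]
```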

Application Scenarios of IPS

[Figure: left, the centralized Internet access scenario; right, the local Internet access scenario. In both, branch and HQ CPEs are connected over MPLS, with overlay traffic carried over the underlay. In the centralized scenario IPS is enabled on the HQ CPE; in the local scenario IPS is enabled on both the branch CPE and the HQ CPE.]

• Centralized Internet access scenario: Internet access traffic of all branch sites is
diverted to the HQ site and then to the Internet. The IPS function needs to be enabled
on the CPE at the HQ site to block various intrusions from the Internet.

• Local Internet access scenario: Internet access traffic of the branch site and HQ site
is directly transmitted to the Internet from the local CPEs. The IPS function needs to be
enabled on the CPEs at the HQ site and branch site to block various intrusions from the
Internet.

Overview of URL Filtering

⚫ URLs, provided for manual operations on clients, open the first door for web attacks.
⚫ Uncontrolled access of employees to website resources severely reduces work efficiency, wastes network
bandwidth resources of enterprises, and introduces threats such as viruses and Trojan horses from malicious
sites to the intranet. In addition, a great deal of pornographic and violent content affects people's
physical and psychological health.
⚫ URL filtering regulates users' online behaviors by controlling URLs accessible to users and permitting or
denying users' access to some web resources.

[Figure: authorized users on a campus network reach the Internet through an access switch and the egress (built-in firewall, URL filtering enabled). Pornographic and violent websites, video and shopping websites, and news websites are shown on the Internet side; web traffic to denied sites is blocked at the egress.]

• URL filtering regulates users' online behaviors by controlling their HTTP requests
and permitting or denying users' access to certain network resources.

URL Matching
⚫ Each web page on the Internet has a unique identifier, that is, the URL.
⚫ The URL format is as follows (the protocol, hostname, port, path, and query parts are labeled on the example):

http://www.abcd.com:8080/news/education.aspx?name=tom&age=20
  protocol: http
  hostname: www.abcd.com
  port: 8080
  path: /news/education.aspx
  query: name=tom&age=20

⚫ A regular expression is typically used for URL matching. The following table lists commonly used matching modes.

| Matching Mode | Definition | Example | Matching Result |
|---|---|---|---|
| Prefix matching | All URLs that start with a specified character string are matched. | www.test.com* | All URLs that start with www.test.com are matched, for example, www.test.com/index.html. |
| Suffix matching | All URLs that end with a specified character string are matched. | *aspx | All URLs that end with aspx are matched, for example, www.test.com/news/solutions.aspx. |
| Keyword matching | All URLs that contain a specified character string are matched. | *sport* | All URLs that contain sport are matched, for example, sports.test.com/it/. |
| Exact matching | A URL is first matched against a specified character string. If the URL is not matched, the last directory in the URL is removed, and the remaining part is matched against the character string. If the URL is still not matched, the last directory is removed again. This process continues until the URL matches the character string. | www.example.com | Based on the matching rules, the following URLs match www.example.com: www.example.com; www.example.com/news; www.example.com/news/en/ |

• Each web page on the Internet has a unique identifier, that is, the URL.

• URLs fully describe the addresses of web pages or other resources on the
Internet. To put it simply, a URL is a web address.

• The URL format is protocol://hostname[:port]/path[?query]

▫ protocol: Used application protocol. HTTP is the most commonly used
protocol. You do not need to enter http:// when the protocol is HTTP.

▫ hostname: DNS host name or IP address of the web server.

▫ port: (Optional) Communication port. Each transmission protocol has a
default port number.

▫ path: Directory or file address on the web server.

▫ query: (Optional) This field is used to transmit parameters to dynamic web
pages.

Implementation of URL Filtering

⚫ When an HTTP request matches a URL, a CPE functioning as a gateway processes the HTTP request according to
the URL filtering mode and URL filtering process. The following URL filtering modes are supported:
 Blacklist- or whitelist-based URL filtering: A CPE filters received HTTP requests based on the URL whitelist or blacklist configured
on it.
 Category-based URL filtering: After receiving an HTTP request, a CPE queries the URL category in the predefined URL category
database. After the URL category is queried, the CPE processes the HTTP request according to the action defined for the URL
category.

[Figure: URL filtering at the egress (built-in firewall, URL filtering enabled). Whitelist *huawei* -> permit; blacklist *game* -> deny. A user visiting www.huawei.com is permitted through to the Internet; a user visiting www.game.com is denied.]

• On a gateway, URL filtering is implemented as follows:

▫ After the gateway receives an HTTP GET or POST request from a user, it
checks the validity of the request based on the configured policies.

▪ If the URL is valid, the HTTP request is permitted and the user can browse
the website.

▪ If the URL is invalid, the gateway pushes an alarm page and blocks the
HTTP connection.

• URL categories fall into user-defined and predefined URL categories.

▫ User-defined categories are configured and maintained by administrators.
Administrators can perform more refined control over URLs in user-defined
categories than over URLs in predefined categories.

▫ Predefined categories contain common URLs in the system. Unlike user-
defined categories, predefined categories enable administrators to easily
control accessible and inaccessible URL categories.
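The four URL matching modes from the URL Matching table and the blacklist/whitelist filtering mode described here, as an added example that is not the course's or the CPE's own code. It assumes the scheme and query string are ignored when matching and that the whitelist is checked before the blacklist; the lists are the constructed *huawei* / *game* values from the figure.

```python
# Added example (not Huawei course code): implements the four URL matching modes
# in the URL Matching table (prefix, suffix, keyword, and exact matching with
# directory stripping) and a blacklist/whitelist decision like the *huawei*
# permit / *game* deny figure. Assumptions not stated on the page: the scheme and
# query string are ignored, and the whitelist is checked before the blacklist.
from urllib.parse import urlsplit

def normalize(url: str) -> str:
    """Return hostname[:port]/path; http:// is optional and the query is dropped."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.netloc + parts.path

def match_pattern(pattern: str, url: str) -> bool:
    """Patterns use * only at the start and/or end, as in the page's table."""
    u = normalize(url)
    core = pattern.strip("*")
    if pattern.startswith("*") and pattern.endswith("*"):  # keyword matching
        return core in u
    if pattern.endswith("*"):                              # prefix matching
        return u.startswith(core)
    if pattern.startswith("*"):                            # suffix matching
        return u.endswith(core)
    # Exact matching: compare, strip the last directory, repeat until nothing is left.
    while True:
        u = u.rstrip("/")
        if u == core:
            return True
        if "/" not in u:
            return False
        u = u.rsplit("/", 1)[0]

def url_filter(url: str, whitelist, blacklist, default: str = "permit") -> str:
    """Whitelist match -> permit; else blacklist match -> deny; else the default action."""
    if any(match_pattern(p, url) for p in whitelist):
        return "permit"
    if any(match_pattern(p, url) for p in blacklist):
        return "deny"
    return default

# Constructed lists taken from the slide figure.
WHITELIST = ["*huawei*"]
BLACKLIST = ["*game*"]
```

A URL with a port (www.example.com:8080/...) does not exact-match the pattern www.example.com in this model, because the port stays part of the hostname portion being compared.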

Application Scenarios of URL Filtering

[Figure: an HQ CPE and two branch CPEs connected over MPLS, with overlay traffic carried over the underlay; URL filtering is enabled on a branch CPE. Three flows are marked: (1) traffic for accessing a legacy site, (2) traffic for accessing an SD-WAN site, and (3) traffic for accessing the Internet.]

• Randomly visiting various websites at branch sites may bring security risks. URL filtering
regulates users' online behaviors by controlling URLs accessible to users and permitting or
denying users' access to some web resources.

• URL filtering applies to the following scenarios:
1. Site-to-legacy site access
2. Site-to-SD-WAN site access
3. Site-to-Internet access

Application Scenarios of Advanced Security VAS

[Figure: an HQ CPE with a physical firewall deployed in off-path mode on its LAN side, and branch CPEs connected to the HQ over MPLS.]

• A physical firewall is deployed in off-path mode and provides advanced security protection for
centralized Internet access traffic of sites.

• After the VAS function is deployed, the centralized Internet access traffic of sites is diverted to
the LAN-side physical firewall connected to the CPE at the HQ site in off-path mode. After being
processed by the firewall, the traffic is transmitted to the Internet through the underlay network.
Contents

1. SD-WAN Security Overview

2. System Security

3. Service Security
▫ Site-to-Site Access Security

▫ Site-to-Internet Access Security


◼ Site-to-SaaS Application Access Security

Site-to-SaaS Application Access Security

As traditional enterprise applications are gradually migrated to the cloud, branch sites of
enterprises access applications on the cloud through the Internet, which may face security
risks. In such service scenarios, a third-party cloud security gateway can be deployed to
implement security protection on the cloud.

[Figure: an HQ/DC CPE and branch CPEs connected over MPLS. Branch CPEs access SaaS applications over the Internet through a third-party cloud security gateway.]
Application Scenarios of Third-Party Cloud Security

[Figure: iMaster NCE-WAN manages the branch CPEs; traffic from the branches to SaaS applications passes through a third-party cloud security gateway that provides access control, threat detection, attack defense, data protection, and other functions.]

• As traditional enterprise applications are gradually migrated to the cloud, branch sites of
enterprises can directly access applications on public clouds through the Internet, which faces
security risks. In such service scenarios, security protection can be implemented on the cloud.

• The SD-WAN Solution supports interconnection with a third-party cloud security gateway, so
that traffic for accessing SaaS applications on the cloud can be sent to the third-party cloud
security gateway for security protection.
Deployment Modes of Third-Party Cloud Security Gateways

[Figure: single-gateway scenario, one branch CPE with GRE tunnels to access point 1 and access point 2 of the cloud security gateway; dual-gateway scenario, CPE1 and CPE2 at the branch, each with GRE tunnels to access point 1 and access point 2.]

• To improve network reliability, a third-party cloud security gateway usually provides two access points
to establish GRE tunnels with a CPE.

• Single-gateway scenario
 A CPE establishes one active GRE tunnel and one standby GRE tunnel with the two access points of the
third-party cloud security gateway.

• Dual-gateway scenario
 Two CPEs establish four GRE tunnels (two pairs of active GRE and standby GRE tunnels) with the two
access points of the third-party cloud security gateway.

• Policy-based routing (PBR) is configured on CPEs to divert the traffic for
accessing SaaS applications to GRE tunnels. In addition, CPEs can use network
quality analysis (NQA) to detect network reachability and perform an
active/standby tunnel switchover.
Quiz

1. (Multiple-answer question) Which of the following are included in the inter-component
communication security of the SD-WAN Solution?
A. Management channel security

B. Data channel security

C. Control channel security

D. Connection channel security

2. (True or False) The built-in firewall function enables CPEs to control the traffic between
different security zones. For example, when the priorities of zone 1 and zone 2 are 20 and
60 respectively on a firewall, the traffic from zone 1 to zone 2 is outbound traffic.


1. ABC

2. False
Summary

⚫ SD-WAN security includes system security and service security.

⚫ System security includes the security of components (iMaster NCE-WAN, CPEs, and
RRs) as well as the security of management, control, and data channels
established between the components.
⚫ Service security includes the site-to-site, site-to-Internet, and site-to-SaaS
application access security. The firewall, IPS, URL filtering, advanced security VAS,
and third-party cloud security functions can effectively defend against various
security threats.

Thank you. Bring digital to every person, home, and organization for a fully connected,
intelligent world.

Copyright © 2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without
limitation, statements regarding the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that could cause actual results
and developments to differ materially from those expressed or implied in the predictive
statements. Therefore, such information is provided for reference purpose only and constitutes
neither an offer nor an acceptance. Huawei may change the information at any time without
notice.
