智能安全策略技术白皮书-新华三

语言	格式	评分
中文（简体）	.pdf	3
概览
智能安全策略技术白皮书 Copyright © 2025 新华三技术有限公司版权所有，保留一切权利。非经本公司书面许可，任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部，并不得以任何形式传播。除新华三技术有限公司的商标外，本手册中出现的其它公司的商标、产品标识及商品名称，由各自权利人拥有。本文中的内容为通用性技术信息，某些信息可能不适用于您所购买的产品。 i 目录 1 概述·························································································································································· 1 1.1 产生背景 ··············································································································································· 1 1.2 技术优点 ··············································································································································· 2 2 技术实现 ·················································································································································· 1 2.1 安全策略基本概念 ································································································································ 1 2.1.1 安全策略规则 ····························································································································· 1 2.1.2 过滤条件 ···································································································································· 1 2.1.3 动作 ··········································································································································· 1 2.1.4 DPI 深度安全检测 ······················································································································ 1 2.1.5 安全策略组 ································································································································· 1 2.1.6 安全策略加速 ····························································································································· 1 2.1.7 时间段 ········································································································································ 1 2.2 安全策略的报文处理机制······················································································································ 1 2.3 安全策略的报文识别原理······················································································································ 2 2.3.1 源/目的安全域 ···························································································································· 2 2.3.2 源/目的 IP 地址 ·························································································································· 3 2.3.3 源 MAC 地址 ······························································································································ 3 2.3.4 用户/用户组 ································································································································ 3 2.3.5 应用/应用组 ································································································································ 4 2.3.6 终端/终端组 ································································································································ 5 2.3.7 地区/地区组 ································································································································ 5 2.3.8 URL 过滤分类 ···························································································································· 6 2.3.9 VPN 实例 ··································································································································· 6 2.3.10 服务 ········································································································································· 6 3 应用场景 ·················································································································································· 1 3.1 本设备需被其他设备访问······················································································································ 1 3.2 本设备需访问其他设备 ························································································································· 2 3.3 流量由本设备转发 ································································································································ 2 4 技术特色 ·················································································································································· 1 4.1 策略冗余分析 ········································································································································ 1 4.2 策略命中分析 ········································································································································ 1 4.3 应用风险调优 ········································································································································ 2 ii 4.4 宽泛策略分析 ········································································································································ 3 5 典型组网应用 ··········································································································································· 1 5.1 基于应用控制报文组网 ························································································································· 1 5.2 OSPF 组网 ··········································································································································· 2 5.3 NAT 组网 ·············································································································································· 4 5.3.1 NAT 源地址转换组网 ················································································································· 4 5.3.2 NAT 目的地址转换组网 ·············································································································· 4 5.4 IPsec VPN 组网 ···································································································································· 5 1 1 概述 1.1 产生背景传统的防火墙的包过滤防护策略配置通常都是基于报文入接口、出接口配置，在复杂的组网环境中，基于接口的策略配置方式需要为每一个接口配置防护策略，给网络管理员带来了极大的负担，防护策略的维护工作量成倍增加，从而也增加了因为配置不当引入安全风险的概率。图1 基于接口的包过滤引入安全域的概念之后，安全管理员将安全需求相同的接口或 IP 地址进行分类（划分到不同的安全域），从而实现策略的分层管理，管理员只需要部署各安全域之间的防护策略即可。如果后续网络变化，只需要调整相关安全域内的接口，而防护策略不需要修改，不但简化了策略的维护复杂度，同时也实现了网络业务和安全业务的分离。图2 安全域的划分内网主机 Internet Device 数据中心接口下应用包过滤控制报文 DMZ Trust Trust 内网主机 Internet Device 数据中心丢弃主动访问的报文通过域间策略判断是否放行 2 随着网络逐渐复杂，安全域的数量随着不同安全需求的出现越来越多，在每两个安全域间配置防护策略的工作量也变得庞大起来。此时智能安全策略（以下简称安全策略）的出现解决了该问题，它基于全局进行配置并立即生效，不需要再手动应用在某两个安全域间或某个接口上。从全局视角识别报文属性，通过多种维度过滤条件精准匹配报文，精细化全局管控报文转发。从而不仅大大降低了防护策略的配置难度，还可支持识别更多类型的报文属性并可引用 DPI 业务实现对报文内容的深度检测。图3 基于全局应用的一体化智能安全策略 1.2 技术优点与包过滤、对象策略相比，安全策略具有如下优势： • 与包过滤相比，安全策略不仅可以通过五元组对报文进行控制，还可以有效区分协议（如 HTTP 协议）上承载的不同应用（如基于网页的游戏、视频和购物），使网络管理更加精细和准确。 • 与对象策略相比，安全策略可以基于用户、终端、地区、URL 过滤分类等属性对报文进行控制，使网络管理更加灵活。 • 可以通过在安全策略中引用 DPI 业务，实现对报文内容的深度检测，有效阻止病毒和黑客的入侵。 • 安全策略基于全局配置并生效，无需应用到域间或接口，配置灵活简洁。 • 安全策略扩展了丰富的易用性功能，如冗余分析、命中分析、宽泛策略分析等，帮助管理员更快速配置精细、合理的安全策略。 • 安全策略支持应用风险调优，对已配置的安全策略进行风险分析并支持一键自动调优消除风险。安全策略动作过滤条件 DPI业务源安全域目的安全域用户 VRF 放行丢弃入侵防御防病毒一体化安全策略 ...... ...... 1 2 技术实现 2.1 安全策略基本概念 2.1.1 安全策略规则安全策略对报文的控制是通过安全策略规则实现的，规则中可以设置匹配报文的过滤条件、处理报文的动作和对报文内容进行深度检测等功能。 2.1.2 过滤条件每条规则中均可以配置多种过滤条件，具体包括：源安全域、目的安全域、源 IP 地址、源 MAC 地址、目的 IP 地址、用户、用户组、应用、应用组、终端、终端组、地区、地区组、URL 过滤分类、 VPN 和服务。每种过滤条件中（除 VPN 外）均可以配置多个匹配项，比如源安全域过滤条件中可以指定多个源安全域等。 2.1.3 动作当报文与某条安全策略规则的过滤条件匹配成功后，将执行该规则所配置的动作，包括：放行和丢弃。 2.1.4 DPI 深度安全检测当报文与某条配置了 DPI 业务的安全策略规则匹配成功后，并且执行动作为放行，则需要对报文进行 DPI 深度报文检测，支持的 DPI 业务类型包括：Web 应用防护、入侵防御、URL 过滤、数据过滤、文件过滤、APT 防御和防病毒。 2.1.5 安全策略组安全策略组可以实现对安全策略规则的批量操作，例如批量启用、禁用、删除和移动安全策略规则。只有当安全策略规则及其所属的安全策略组均处于启用状态时，安全策略规则才能生效。 2.1.6 安全策略加速安全策略加速功能用来提高安全策略规则的匹配速度。当有大量用户同时通过设备新建连接时，若安全策略内包含大量规则，此功能可以提高规则的匹配速度，保证网络通畅。 2.1.7 时间段每条安全策略规则均可配置其生效的时间段，仅当处于时间段指定的时间范围内时，该安全策略才