The first thing that happens is that any incoming cyber threat is stopped at the border. Consider the international fiber trunks entering the country; say there are five or six main trunks carrying all communication in and out. The first layer of protection is essentially redundant switching: at the landing point the traffic is load-balanced across the trunks, so the operator can take one input out of service and switch to another. If one device fails, the system can reroute the traffic quickly to the appropriate destination.
The first application-layer entrance is the denial of service (DoS/DDoS) protection. For instance, if traffic sourced from China is bombarding the Ministry of Defense of Morocco and it is all targeting the same IP address, the DDoS protection recognizes this many-to-one pattern as abnormal and activates the necessary defenses. Each manufacturer has a different mitigation strategy. In the Juniper approach described here, instead of outright blocking the destination IP, the traffic is diverted to a decoy IP and server that answers with dummy data while the traffic and the attackers' behavior are analyzed. The diversion also surfaces attacks hidden inside the flood, so more intelligence is gathered than a plain drop would yield.
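The detection step described above, reduced to code as an added example (not taken from the text or from any vendor's product): per-destination packet rates and distinct-source counts are computed over a one-second window of constructed flow records, a destination is flagged only when both the rate spike and the many-sources pattern are present, and the result is expressed as a diversion rule rather than a block. All addresses are from documentation ranges, the baseline figures are invented, and the rule syntax is hypothetical.

```python
"""Volumetric DDoS detection on per-second flow summaries.

Added example, not from the original text: it models the detection step
described above (many sources hammering one destination IP) on constructed
flow records and emits a diversion rule instead of a plain block.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record for a one-second window (NetFlow/IPFIX-style summary)."""
    src: str
    dst: str
    dport: int
    packets: int


# Hypothetical addresses (RFC 5737 documentation ranges). 198.51.100.10 stands
# in for the targeted ministry host; the baseline is what each host normally sees.
BASELINE_PPS = {"198.51.100.10": 500, "198.51.100.20": 50, "198.51.100.21": 50}

# Constructed one-second window: normal background flows plus a flood from
# 200 distinct sources aimed at a single destination.
SAMPLE_WINDOW = [
    Flow("203.0.113.5", "198.51.100.20", 443, 40),
    Flow("203.0.113.7", "198.51.100.21", 443, 25),
    Flow("203.0.113.9", "198.51.100.10", 443, 300),
] + [Flow(f"192.0.2.{i}", "198.51.100.10", 80, 900) for i in range(1, 201)]


def per_destination_stats(flows):
    """Aggregate total packets and the number of distinct sources per destination."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        packets[f.dst] += f.packets
        sources[f.dst].add(f.src)
    return {dst: (packets[dst], len(sources[dst])) for dst in packets}


def detect_targets(flows, baseline_pps, factor=10.0, min_sources=50):
    """Flag destinations whose packet rate is >= factor x baseline AND that are
    hit from at least min_sources distinct sources.

    Both conditions are required: the rate check alone would also fire on a
    single misbehaving client, and the source-count check alone would fire on
    any popular server. Unknown destinations get a baseline of 1 pps.
    """
    hits = {}
    for dst, (pps, nsrc) in per_destination_stats(flows).items():
        base = baseline_pps.get(dst, 1)
        if pps >= factor * base and nsrc >= min_sources:
            hits[dst] = {"pps": pps, "sources": nsrc, "ratio": pps / base}
    return hits


def diversion_rules(hits, next_hop="scrubbing-vrf"):
    """Turn detections into diversion rules (Flowspec-style wording, hypothetical
    syntax). Diverting lets the traffic be analysed rather than silently dropped."""
    return [f"match dst {dst}/32 then redirect {next_hop}" for dst in sorted(hits)]


if __name__ == "__main__":
    detected = detect_targets(SAMPLE_WINDOW, BASELINE_PPS)
    for rule in diversion_rules(detected):
        print(rule)
```

The two-condition rule is the practitioner's compromise: a legitimate flash crowd also arrives from many sources, so in production the baseline is learned per destination over time and the factor is tuned per service rather than fixed as here.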
After the initial screening, the next step is Deep Packet Inspection (DPI). DPI examines every packet and applies specific rules to it. For unencrypted traffic it can read the full payload; for encrypted traffic, which is most web traffic today, it sees only what is still in the clear: addresses, ports, packet sizes and timing, and the TLS handshake metadata such as the requested server name (SNI) and the server certificate, never the encrypted content itself. That metadata is enough for many operator rules. For example, an operator might decide that all traffic to streaming services like Netflix or Prime Video should go to a particular set of caching servers within the country.
In the DPI section, we often use a passive split of the fiber. It is not a common technique, but in this case, before the data is sent to the firewall, the optical signal is split by a passive tap and a copy is dispatched across several servers that inspect the data; the tap injects nothing back into the line, so it adds no latency and cannot itself become a point of failure. The inspection results then feed rules on the inline devices, based for instance on the origin of the traffic, so that all traffic coming from a specific country, or all voice over IP traffic, is directed to a particular server.
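To make concrete what a passive DPI tap can and cannot read in an encrypted flow, here is an added example (not from the original text or any vendor's code) that parses the Server Name Indication out of a TLS ClientHello and applies a steering rule of the kind described for streaming services. The ClientHello bytes are constructed by the script itself so it runs offline, and the steering table and next-hop names are hypothetical.

```python
"""What DPI sees in a TLS flow: parse the SNI from a ClientHello and steer on it.

Added example, not from the original text or any vendor's product. The
ClientHello is constructed locally so the script runs offline; the steering
table and next-hop names are hypothetical.
"""
import struct

SNI_EXT = 0x0000       # server_name extension type (RFC 6066)
HOST_NAME = 0x00       # NameType host_name


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension
    (test input only; a real hello carries many more extensions)."""
    name = host.encode("ascii")
    server_name = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    body = (
        b"\x03\x03"                            # client_version TLS 1.2
        + b"\x00" * 32                         # random (zeros: constructed)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None when the bytes
    are not a TLS handshake, are truncated, or carry no plaintext SNI."""
    if len(record) < 9 or record[0] != 0x16:       # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:               # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                           # skip compression_methods
    if len(body) < pos + 2:
        return None
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXT or len(data) < 5:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= min(list_end, len(data)):
            name_type, name_len = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            if name_type == HOST_NAME:
                return data[p + 3:p + 3 + name_len].decode("ascii", "replace")
            p += 3 + name_len
    return None


# Hypothetical steering policy: SNI suffix -> where the operator sends the flow.
STEERING_RULES = [
    ("netflix.com", "in-country-cache-pool"),
    ("primevideo.com", "in-country-cache-pool"),
]


def steer(record: bytes, default="default-transit"):
    """Classify one ClientHello as (sni, next_hop). Unknown or absent SNI falls
    through to the default path; nothing beyond the handshake is readable."""
    sni = extract_sni(record)
    if sni is None:
        return None, default
    host = sni.lower().rstrip(".")
    for suffix, next_hop in STEERING_RULES:
        if host == suffix or host.endswith("." + suffix):
            return sni, next_hop
    return sni, default


if __name__ == "__main__":
    for h in ("www.netflix.com", "mail.example.org"):
        print(steer(build_client_hello(h)))
    print(steer(b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"))
```

Everything after the handshake is ciphertext, so the SNI, the certificate, addresses and timing are the whole of what a passive tap can key on. With Encrypted Client Hello the real name is carried encrypted inside the hello and the outer SNI shows only the fronting provider's public name, so a policy like this degrades to IP and port matching.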
Sometimes the routing requirements come from outside engineering: large content providers such as Google specify how their traffic must be handed off, and telecom regulations impose their own rules. Lawful intercept is the clearest case. Law enforcement may require that any call to a certain company or individual be intercepted. This is usually authorized by a judge, and the telecom operator will do its best to intercept the traffic and mirror it to a server dedicated to law enforcement in that country.
In such cases the telecom operator may treat the network as its own intranet and terminate the encrypted session itself, presenting the end user with a certificate issued by an operator-controlled certificate authority while opening a second connection to the real destination. Technically this is a man-in-the-middle: here the traffic is intercepted for lawful or security reasons, and law enforcement can use the method to intercept calls. It only works if the user's device trusts the operator's CA; a browser or app that trusts only the public CAs, or that pins its server's key, will refuse the connection and in doing so reveal the interception.
In some countries this is a heavily monitored situation. At minimum the source and destination IP addresses of every flow are recorded, and even when the traffic is encrypted the authorities often want to store it for later analysis. All of this is managed and directed by the firewall, which also provides additional capabilities.
Take NVIDIA as an example. It offers a hardware acceleration platform that sits alongside the firewall, handles terabit-class bandwidth, and can be programmed to work in conjunction with it. In that case, a piece of software running inside FortiGate or Juniper directs specific traffic to and from NVIDIA's platform, which offloads certain tasks from the firewall.