Internet firewall technology and security strategy
Summary:
This article surveys the common firewall technologies in use today and where each applies, then discusses the security policies a firewall enforces and the advantages and disadvantages of each policy.
Contents:
Internet firewall
Internet firewall technology
Benefits of an Internet firewall
Limits of an Internet firewall
The hacker's toolbox: information gathering, probing for security weaknesses, gaining access to protected systems
Basic firewall design: firewall posture, institutional security policy, cost, components of a firewall system
Component: packet filtering router (service-dependent and service-independent filtering; advantages and disadvantages)
Component: application layer gateway (example: Telnet proxy; advantages and disadvantages)
Component: circuit layer gateway
Firewall example 1: packet filtering router
Firewall example 2: screened host firewall
Summary
References
When an organisation connects its internal network to the Internet, the data on that private network becomes reachable by attackers on the Internet, and network administrators are increasingly concerned with network security. To provide the desired level of protection, the organisation needs a security policy that prevents unauthorised users from accessing resources on the internal network and prevents internal information from leaking out illegitimately. Even an organisation that is not connected to the Internet needs an internal security policy that governs which parts of the network users may access and how sensitive or secret data is provided.
Internet firewall
An Internet firewall is a system (or a set of systems) that enhances the security of an organisation's internal network. The firewall determines which internal services may be accessed from outside, who on the outside may access them, and which external services may be accessed by internal users. For a firewall to be effective, all traffic to and from the Internet must pass through it and be inspected by it (Figure 1). The firewall must let only authorised traffic through, and it must itself be resistant to penetration. Unfortunately, once a firewall is compromised or bypassed by an attacker, it no longer provides any protection.
Figure 1 Defence perimeter established by the security policy
It should be stressed that an Internet firewall is not merely a combination of routers, bastion hosts, or other devices that provide network security; it is one part of a security policy. The security policy establishes an all-round defence that protects the organisation's information resources. It should be written down in a published security guide that tells users their responsibilities and covers company regulations, network access, service access, local and remote user authentication, dial-in and dial-out, disk and data encryption, virus protection measures, employee training, and so on. Every point at which the network could be attacked must be protected to the same level. Deploying a firewall without a comprehensive security policy leaves the firewall as a mere formality.
Internet firewall technology
Firewalls come in two forms: hardware and software.
Proxy technology
Software can also protect an internal network from attack by outside users. A class of software runs on a network host or a single computer, monitoring and listening to traffic from the network and filtering the data that attempts to reach the internal network, thereby protecting the internal network from damage. The most common software of this kind is the proxy server.
With a proxy, packets from the private network never enter the Internet directly; they are handled by a proxy process. Likewise, data from the external network cannot enter the private network directly; it reaches the private network only after the proxy has processed it, which is where access control, address translation and similar functions can be applied. The figure below shows how a proxy server works:
A proxy server can be set up in several ways. The most common is a computer with two network interface cards (NICs), one connected to the internal network and one to the Internet, each with its own IP address. The address of the Internet-facing card must be a valid, globally unique Internet address. The card on the internal network can be given a free (private) address such as 10.x.y.z or 192.168.x.y. As shown in the figure, the internal hosts are then assigned unique addresses derived from the proxy's internal address (for example, with the proxy at 192.168.0.1, the workstations get 192.168.0.2, 192.168.0.3, ...) and configured accordingly. When a user accesses the Internet, the request goes to the 192.168.0.1 interface; the proxy server then issues the request to the Internet from its valid address, 210.44.64.101. When the answer arrives, the proxy hands it back through 192.168.0.1 to the user's workstation.
Many proxy packages exist, such as Netscape Suite Proxy, MS Proxy, Wingate and Squid. These proxies act not only as firewalls but also speed up LAN users' Internet access: the proxy keeps a large cache, stores each page it fetches, and serves it straight from the cache the next time it is requested.
In summary, the main functions of a proxy server are:
1. User authentication and accounting. Users can be billed individually, unregistered users have no right to reach the Internet through the proxy, and statistics are kept on each user's access times, destinations and traffic volume.
2. Hierarchical user management. Different users can be given different access rights, and external or internal Internet addresses can be filtered.
3. Caching to improve access speed. A cache of frequently accessed addresses greatly improves efficiency for popular sites. The proxy typically reserves a large disk cache (possibly several GB or more); when external content arrives it is also saved to the cache, and when another user requests the same content it is served directly from the cache.
4. Connecting the Internet and the intranet as a firewall. Because all internal users appear to the outside world as a single IP address, the outside world cannot reach the intranet directly; at the same time, IP address filtering can restrict what the internal network may access externally.
5. Saving IP addresses. All traffic passing through the proxy is rewritten (NAT) so that the source address becomes the proxy's own address, so all users occupy a single real IP address. This reduces both the cost of IP addresses and the cost of maintaining the network, and it hides the topology of the intranet, which improves security.
In terms of proxy technique, there are two kinds of proxy: the traditional proxy and the transparent proxy.
Traditional proxy
In the traditional proxy mode, the only connection between the internal and external networks is the proxy server, and the client must configure the proxy's address and port in its browser. Before issuing a connection request, the browser checks its proxy settings; if a proxy address and port are configured, the connection request is sent to that port on the proxy server. A notable feature of this mode is that the DNS query that precedes the connection is also performed by the proxy server, not the client, and name resolution follows the lookup order configured on the proxy. If the proxy runs on Linux and the lookup order is set to consult /etc/hosts before the DNS database, the administrator can arrange for a client that asks for some external address to actually reach a server of the administrator's choosing: it suffices to add a mapping for that external name to /etc/hosts. For example, if the administrator puts the line "192.168.0.3 www.sohu.com" in /etc/hosts, a client that browses to www.sohu.com actually reaches the local machine 192.168.0.3.
Example: accessing a Web site on the Internet from a private network. The private network is 192.168.1.*, the client is 192.168.1.100, and the firewall machine's internal card is 192.168.1.1. A Web proxy (e.g. Squid) is installed on the firewall machine and configured on port 8080. Netscape on the private network is configured to use port 8080 of the firewall machine as its proxy. DNS need not be configured on the private network, but it must be configured on the firewall machine. Machines on the private network do not need a default route (gateway). Netscape on the client accesses http://slashdot.org: Netscape connects from port 1050 on the client to port 8080 on the firewall machine and requests the page "http://slashdot.org". The proxy looks up the name "slashdot.org" and obtains the address 207.218.152.131. It establishes a connection to that address (from port 1025 on the firewall machine's external interface) and requests the page from the Web server (port 80). When it gets the page from the Web server, it copies the data to the connection it has with Netscape, and Netscape displays the page. From slashdot.org's point of view, the connection is from port 1025 on 1.2.3.4 (the firewall machine's dial-up interface) to port 80 on 207.218.152.131 (slashdot.org). From the client's point of view, the connection is from port 1050 on 192.168.1.100 (the client) to port 8080 on 192.168.1.1 (the firewall machine's internal card).
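The two-connection model in the example above can be observed directly with a tiny forwarding HTTP proxy. The following is an added example, not code from the article or from Squid: a stand-in origin server and a minimal proxy both run on 127.0.0.1 on ephemeral ports (so the addresses 192.168.1.100, 1.2.3.4 and 207.218.152.131 from the text are replaced by loopback), the "browser" sends the absolute-URL request form that a proxy-configured client sends, and the proxy resolves the name and opens its own second connection to the origin. The origin reports which peer it saw, which is the proxy's socket, never the client's.

```python
# Added example: minimal forwarding HTTP proxy showing the traditional-proxy model.
# The client opens ONE connection to the proxy; the proxy opens a SECOND one to
# the origin. Everything runs on 127.0.0.1 with ephemeral ports (assumed set-up).
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


class OriginHandler(BaseHTTPRequestHandler):
    """Stand-in origin server (plays the role of slashdot.org): reports the peer it saw."""
    protocol_version = "HTTP/1.0"  # one request per connection, then close

    def do_GET(self):
        body = ("peer=%s:%d path=%s" % (*self.client_address, self.path)).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_origin():
    """Start the stand-in origin on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), OriginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def read_all(sock):
    """Read from a socket until the peer closes it."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk


def relay(client_conn, log):
    """Proxy side: parse 'GET http://host:port/path', connect upstream, copy the reply back."""
    with client_conn:
        client_conn.settimeout(5)
        request = b""
        while b"\r\n\r\n" not in request:       # read up to the end of the request headers
            request += client_conn.recv(4096)
        method, url, _version = request.split(b"\r\n", 1)[0].decode().split()
        parts = urlsplit(url)                   # absolute URL, as sent to a configured proxy
        # Second leg: the proxy's own socket talks to the origin on the client's behalf.
        upstream = socket.create_connection((parts.hostname, parts.port or 80), timeout=5)
        with upstream:
            log.append(("proxy->origin", upstream.getsockname(), upstream.getpeername()))
            upstream.sendall(f"{method} {parts.path or '/'} HTTP/1.0\r\n"
                             f"Host: {parts.netloc}\r\n\r\n".encode())
            client_conn.sendall(read_all(upstream))


def start_proxy(log):
    """Listen on an ephemeral port; each accepted client gets its own relay thread."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen()

    def accept_loop():
        while True:
            conn, addr = lsock.accept()
            log.append(("client->proxy", addr, conn.getsockname()))
            threading.Thread(target=relay, args=(conn, log), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def fetch_via_proxy(proxy_port, url):
    """Client side: exactly what a browser configured with a proxy sends (absolute URL)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"GET {url} HTTP/1.0\r\nHost: {urlsplit(url).netloc}\r\n\r\n".encode())
        reply = read_all(s)
    return reply.split(b"\r\n\r\n", 1)[1].decode()


def demo():
    """Run one request through the proxy; returns (body seen by client, connection log)."""
    log = []
    origin, origin_port = start_origin()
    proxy_port = start_proxy(log)
    body = fetch_via_proxy(proxy_port, f"http://127.0.0.1:{origin_port}/page")
    origin.shutdown()
    return body, log


if __name__ == "__main__":
    body, log = demo()
    print(body)
    for leg, src, dst in log:
        print(f"{leg}: {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}")
```

Running it prints the two legs separately: the client-to-proxy socket pair and the proxy-to-origin socket pair, and the origin's reply names the proxy's source port as its peer. This is the property the article relies on when it says the outside world sees only the proxy's address.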
Transparent proxy
"Transparent" here means that the client is unaware of the proxy. Nothing needs to be configured in the browser; the client only needs a default gateway. Packets from the client to the external network go to the default gateway, which is running a proxy server; there the packets are redirected to the proxy port (for example 8080), so the requested data is fetched by the local proxy and then copied to the client. In theory a transparent proxy can be built for any protocol; the main implementations are for DNS, sendmail relay and HTTP.
In this case, however, the client must have its DNS server configured correctly. Because no proxy is set in the browser, the browser itself must resolve names, so the client's TCP/IP settings must point at a working DNS server that performs the resolution.
Example: accessing a Web site on the Internet from a private network. The private network is 192.168.1.*, the client is 192.168.1.100, and the firewall machine's internal card is 192.168.1.1. A transparent Web proxy (there is a Squid patch that works this way, or try Transproxy) is installed on the firewall machine and configured on port 8080. ipchains rules in the kernel redirect connections to port 80 that pass through the firewall to the proxy service. Netscape on the private network is configured for direct connection. DNS must be configured on the private network (which means a DNS proxy service has to run on the firewall machine), and DNS must be configured on the firewall machine. The default route (gateway) of the machines on the private network points to the firewall machine. Netscape on the client accesses http://slashdot.org: Netscape looks up "slashdot.org" and obtains 207.218.152.131, then connects from port 1050 to that address and requests the page from the Web site. As the packets from the client (port 1050) to slashdot.org (port 80) pass through the firewall, they are redirected to the proxy's port 8080. The transparent proxy connects from port 1025 to port 80 on 207.218.152.131 (the destination address of the original packets). When the proxy receives the page from the Web site, it copies it to Netscape over the established connection, and Netscape displays the page. From slashdot.org's point of view, the connection is from port 1025 on 1.2.3.4 (the dial-up IP address) to port 80 on 207.218.152.131. From the client's point of view, the connection is from port 1050 on 192.168.1.100 (the client) to port 80 on 207.218.152.131 (slashdot.org), although it is actually talking to the transparent proxy.
IP masquerading (software)
In this scheme, packets do not pass directly between the private network and the Internet. Addresses on the private network should follow the RFC 1597 allocations for private networks (10.*.*.*, 172.16.*.* or 192.168.*.*). The kernel's masquerading service rewrites packets passing through the firewall so that they appear to come from the firewall itself, and rewrites the replies so that they go back to the original requester. Any service that must be reachable from the Internet therefore has to be installed on the firewall machine itself (see the Internet services discussed below). Example: accessing a Web site on the Internet from a private network. The private network is 192.168.1.*, one client is 192.168.1.100, and the firewall machine's internal card is 192.168.1.1. The firewall is configured to masquerade any packet from the private network to port 80 of a host on the Internet. Clients on the private network are configured for direct connection. DNS on the private network machines must be configured correctly. The default route (gateway) of the private network points to the firewall machine. Netscape on the client accesses http://slashdot.org.
Netscape looks up "slashdot.org" and obtains the address 207.218.152.131, then connects from port 1050 to that address and requests the page from the Web site. As the packets from the client (port 1050) to slashdot.org (port 80) pass through the firewall, they are rewritten so that they appear to come from the PPP address, port 65000. The firewall has a legitimate IP address, so packets returned from slashdot.org can find their way back. When the packets from slashdot.org (port 80) arrive at port 65000, they are rewritten so that they go to the client, port 1050. This is the real trick of masquerading: it remembers how it rewrote each packet it sent out, and when the reply to that packet returns, it changes it back for the requester on the private network. Netscape displays the page. From slashdot.org's point of view, the connection is from port 65000 on 1.2.3.4 (the firewall's dial-up IP address) to port 80 on 207.218.152.131. From the client's point of view, the connection is from port 1050 on 192.168.1.100 to port 80 on 207.218.152.131 (slashdot.org).
Port forwarding
With port forwarding, the organisation's information servers (WWW, DNS, e-mail, etc.) are placed on the internal network with internal addresses such as 192.168.0.1, while in DNS the addresses of these servers point to the firewall. When an external host needs to reach one of these servers, the firewall, configured with specific rules, forwards the packet to the specific internal host, and when the internal server generates a reply the firewall rewrites the packet as it leaves.
The process is as follows. A port forwarding rule on the firewall specifies that all TCP connections to the firewall's external address 194.160.1.1 with destination port 80 are redirected to port 80 on the internal machine 192.168.11.2. Suppose an external host with IP address 163.158.1.2 connects in. The source and destination address/port of its packet are: source 163.158.1.2/7890, destination 194.160.1.1/80. The packet the internal host replies with is: source 192.168.11.2/80, destination 163.158.1.2/7890. The firewall rewrites the source address so that the packet leaves as: source 194.160.1.1/80, destination 163.158.1.2/7890.
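Masquerading (the previous section) and port forwarding (this one) are the two directions of the same connection-tracking table: one maps outbound private flows onto the firewall's external address, the other maps selected inbound ports onto an internal server, and in both cases replies are rewritten from the remembered mapping. The following added example, which is not code from the article or from any kernel, models that table in Python using the article's own addresses and ports; the class and method names are this example's, and the sample packets are constructed. It also shows the security consequence the text leaves implicit: an inbound packet with no matching mapping (neither a reply to a masqueraded flow nor a forwarded port) cannot reach any private host and is dropped.

```python
# Added example: a model of NAT masquerading plus port forwarding on a firewall.
# Addresses and ports are the ones used in the article; class/method names are ours.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, external_ip, first_masq_port=65000):
        self.external_ip = external_ip
        self.next_port = first_masq_port
        self.masq_by_flow = {}     # (proto, src, sport, dst, dport) -> masquerade port
        self.masq_by_port = {}     # (proto, masquerade port) -> original flow
        self.forwards = {}         # (proto, external port) -> (internal ip, internal port)
        self.forwarded_flows = {}  # (proto, int ip, int port, remote ip, remote port) -> ext port

    def add_port_forward(self, proto, external_port, internal_ip, internal_port):
        self.forwards[(proto, external_port)] = (internal_ip, internal_port)

    def outbound(self, pkt):
        """Packet leaving the private network: rewrite its source to the external address."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow in self.forwarded_flows:
            # Reply from a forwarded internal server: restore the external address/port.
            return replace(pkt, src=self.external_ip, sport=self.forwarded_flows[flow])
        if flow not in self.masq_by_flow:
            port = self.next_port          # allocate a fresh masquerade port per flow
            self.next_port += 1
            self.masq_by_flow[flow] = port
            self.masq_by_port[(pkt.proto, port)] = flow
        return replace(pkt, src=self.external_ip, sport=self.masq_by_flow[flow])

    def inbound(self, pkt):
        """Packet arriving from the Internet; returns the rewritten packet, or None if dropped."""
        if pkt.dst != self.external_ip:
            return None
        flow = self.masq_by_port.get((pkt.proto, pkt.dport))
        if flow is not None:
            _, orig_src, orig_sport, orig_dst, orig_dport = flow
            # Only the host we talked to may answer on this masqueraded port.
            if (pkt.src, pkt.sport) == (orig_dst, orig_dport):
                return replace(pkt, dst=orig_src, dport=orig_sport)
            return None
        target = self.forwards.get((pkt.proto, pkt.dport))
        if target is not None:
            int_ip, int_port = target
            self.forwarded_flows[(pkt.proto, int_ip, int_port, pkt.src, pkt.sport)] = pkt.dport
            return replace(pkt, dst=int_ip, dport=int_port)
        return None  # unsolicited and not forwarded: no private host is reachable


def demo_masquerade():
    """The slashdot.org example: outbound rewrite, reply rewrite, and a stray packet."""
    gw = NatGateway("1.2.3.4")
    out = gw.outbound(Packet("tcp", "192.168.1.100", 1050, "207.218.152.131", 80))
    back = gw.inbound(Packet("tcp", "207.218.152.131", 80, "1.2.3.4", out.sport))
    stray = gw.inbound(Packet("tcp", "10.9.8.7", 4444, "1.2.3.4", out.sport))  # constructed attacker
    return out, back, stray


def demo_port_forward():
    """The port forwarding example: inbound DNAT, reply SNAT, and a non-forwarded port."""
    gw = NatGateway("194.160.1.1")
    gw.add_port_forward("tcp", 80, "192.168.11.2", 80)
    inbound = gw.inbound(Packet("tcp", "163.158.1.2", 7890, "194.160.1.1", 80))
    reply = gw.outbound(Packet("tcp", "192.168.11.2", 80, "163.158.1.2", 7890))
    unsolicited = gw.inbound(Packet("tcp", "163.158.1.2", 7891, "194.160.1.1", 23))
    return inbound, reply, unsolicited


if __name__ == "__main__":
    print(*demo_masquerade(), sep="\n")
    print(*demo_port_forward(), sep="\n")
```

In demo_masquerade the outbound packet leaves as 1.2.3.4:65000, the reply from 207.218.152.131:80 is turned back into 192.168.1.100:1050, and a packet to the same port from any other source is dropped. In demo_port_forward the packet to 194.160.1.1:80 is delivered to 192.168.11.2:80, the server's reply leaves with source 194.160.1.1:80, and a connection to port 23 on the external address, for which there is no rule, goes nowhere.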
Reverse proxy technology
A reverse proxy is similar to port forwarding; the difference is that the reverse proxy works at the application layer, whereas port forwarding works at the IP layer.
The roles of the various proxy methods:
1. IP masquerading, the Squid traditional proxy and the transparent proxy suit LAN users who have no real IP addresses.
2. The Apache reverse proxy, the plug-gw generic proxy and port forwarding suit external users who need to reach servers on a LAN that has no real IP addresses.
Benefits of an Internet firewall
An Internet firewall manages access between the Internet and the internal network (Figure 2). Without a firewall, every node on the internal network is exposed to every other host on the Internet and is extremely vulnerable to attack. The security of the internal network then depends on how strong each individual host is, and overall security is only as good as the weakest system.
Figure 2 Benefits of an Internet firewall (the figure lists: centralised network security, a choke point, security alarms and monitoring, a logging point for Internet usage, NAT, and WWW and FTP servers)
An Internet firewall lets the network administrator define a central choke point that keeps unauthorised users such as hackers and network vandals out of the internal network, blocks services with known security holes from entering or leaving, and resists attacks arriving by various routes. The firewall simplifies security management, because security is enforced on the firewall system instead of being spread across every host of the internal network. It is also very convenient to monitor network security and raise alarms on the firewall. An important point to note is that the question is not whether the internal network will be attacked, but when. The network administrator must audit and log all significant traffic passing through the firewall; if alarms are not answered and the logs are not reviewed regularly, the firewall is a mere formality, and the administrator will never know whether it is under attack.
In recent years the Internet has gone through an address-space crisis, with IP addresses becoming ever scarcer. An organisation wanting to join the Internet may therefore be unable to obtain enough IP addresses for the users on its internal network. The Internet firewall is the logical place to deploy NAT (Network Address Translation), so the firewall helps to mitigate the shortage of address space and spares the organisation the renumbering that a change of ISP would otherwise require.
An Internet firewall is the best place to audit and log Internet usage. The network administrator can report to management on the cost and value of the Internet connection, locate potential bandwidth bottlenecks, and produce departmental bills according to the organisation's accounting model.
An Internet firewall can also be the place where information is published to customers. It is an ideal location for deploying WWW and FTP servers, and it can be configured to let the Internet reach those services while forbidding access to other systems on the protected internal network.
Some may say that deploying a firewall creates a single point of failure. It should be stressed, however, that even if the Internet connection fails, the internal network keeps working; it merely loses its Internet access. If there are several access points, each one can be attacked, and the network administrator must install a firewall at every point and monitor it regularly.
Limits of an Internet firewall
An Internet firewall cannot stop attacks that arrive by channels other than the firewall. For example, if unrestricted dial-out is available, users on the internal network can reach the Internet over a SLIP or PPP connection. Clever users annoyed by a proxy that demands extra authentication may buy a direct SLIP or PPP connection to an ISP, trying to bypass the security provided by a carefully built firewall system. This opens up great possibilities for back-door attacks (Figure 3). Users on the network must understand that such connections are absolutely forbidden under a comprehensive security policy.
Figure 3 Connections that bypass the firewall system
An Internet firewall also cannot stop threats from insiders and careless users. The firewall cannot stop an internal traitor or industrial spy from copying sensitive data to a floppy disk or a PCMCIA card and carrying it out of the company. Nor can it stop social-engineering attacks in which an intruder poses as a superuser or as a new employee so that an unwary user reveals a password or grants temporary network access. Employees must therefore be educated about the various kinds of network attack and about the need to protect their passwords and change them periodically.
An Internet firewall also cannot stop the transfer of virus-infected software or documents. There are too many virus types, too many operating systems, and too many ways of encoding and compressing binary files, so an Internet firewall cannot be expected to scan every file for potential viruses. Antivirus software should instead be deployed on every desktop to stop viruses entering the network from floppy disks or other sources. Finally, a firewall cannot stop data-driven attacks. A data-driven attack looks on the surface like harmless data being mailed or copied to an Internet host, but once executed it becomes an attack. For example, such an attack may cause the host to modify security-related files, making it easy for the intruder to gain access to the system. We will see later that deploying a proxy server on the bastion host is the best way to avoid direct network connections from outside and to reduce the threat of data-driven attacks.
The hacker's toolbox
It is hard to describe a typical hacker attack, because intruders' skill and experience vary widely and their motives differ. Some hackers want only a challenge, some want to cause trouble, and some aim to steal confidential data for profit.
Information gathering
Generally, the first step in a break-in is information gathering of various kinds. Its purpose is to build a database of the target network and gather information on the individual hosts residing on it. Hackers can use the following tools to collect this information:
The SNMP protocol, used to read the routing tables of insecure routers and so learn the internal details of the target organisation's network topology.
The traceroute program, which reveals the number of networks and routers on the way to the target host.
The WHOIS protocol, an information service that supplies data on all DNS domains and the system administrators responsible for each domain, although this data is often out of date.
DNS servers, which can be queried for the table of host IP addresses and their corresponding host names.
The finger protocol, which gives detailed information about users on a particular host (login name, phone number, last login time, etc.).
The ping utility, which can be used to locate a given host and determine whether it is reachable. Used inside a scanner, this simple tool can ping every possible host address on a network and so build a list of the hosts that actually reside on it.
Probing for security weaknesses
After gathering information about the target organisation's network, the hacker probes each host for security weaknesses. There are several tools a hacker can use to scan the hosts residing on the network automatically:
Because there are only so many service vulnerabilities, even a moderately skilled hacker can write a short program that tries to connect to a specific service port on each target host; its output is a list of hosts that offer an attackable service. Several public tools such as ISS (Internet Security Scanner) and SATAN (Security Analysis Tool for Auditing Networks) can scan an entire domain or subnet and find security holes. These programs identify the weaknesses of different systems. The intruder then uses the information gathered by scanning to gain illegitimate access to the target system.
A wise network administrator uses these same tools inside the network to discover hidden weaknesses and to decide which hosts need to be upgraded with new software patches.
Gaining access to protected systems
The intruder uses the results of host probing to attack the target system. Once access to the protected system has been gained, the hacker has several options:
The intruder may try to erase the traces of the attack and plant a new security hole or back door on the compromised system, so as to keep access to it after the original attack is discovered.
The intruder may install a packet sniffer, including Trojan horse programs, to spy on the system's activity and collect Telnet and FTP account names and passwords, then use this information to extend the attack to other machines.
The intruder may find hosts that trust the compromised system, exploit that trust, and spread the attack across the whole organisation's network.
If the hacker gains privileged access, he or she can read e-mail, search private files, steal private files, and damage or destroy important data.
Basic firewall design
When designing an Internet firewall, the network administrator must make several decisions:
The posture (stance) of the firewall
The organisation's overall security policy
The financial cost of the firewall
The components or building blocks of the firewall system
Firewall posture
The posture of a firewall fundamentally expresses an organisation's outlook. An Internet firewall can take one of two diametrically opposed postures:
1. Deny everything that is not specifically permitted. This posture assumes that the firewall should block all traffic, and that each desired service or application is enabled case by case. This is the recommended approach. It creates a very secure environment, because only carefully selected services are supported. Its drawback is that it is less convenient, because it limits the choices offered to users.
2. Permit everything that is not specifically denied. This posture assumes that the firewall should forward all traffic, and that any potentially harmful service is shut off case by case. This creates a very flexible environment that offers users more services. Its drawback is that it puts ease of use ahead of security, leaving the administrator reacting to events, so it becomes harder to guarantee the network's security as the network grows.
Institutional security policy
As noted earlier, the Internet firewall does not stand alone; it is part of the organisation's overall security policy. The overall security policy defines every aspect of security defence. To succeed, the organisation must know exactly what it is protecting. The security policy must be based on careful security analysis, risk assessment and business-needs analysis. If the organisation has no detailed security policy, even a carefully constructed firewall will be bypassed, exposing the entire internal network to attack.
Cost of the firewall. How much can the organisation afford? A simple packet filtering firewall is the cheapest: the organisation needs at least one router to connect to the Internet anyway, and packet filtering is included in a standard router configuration. Commercial firewall systems provide additional security features and cost between $4,000 and $30,000, depending on the complexity of the system and the number of systems to be protected. An organisation with its own specialists can also build its own firewall system, but that still costs development time and deployment effort. In addition, a firewall system needs administration, general maintenance, software upgrades, security patches, incident handling and so on, all of which cost money.
Figure 4 Packet filtering router
Components of a firewall system
Once the posture, security policy and budget have been settled, the specific components of the firewall system can be chosen. A typical firewall has one or more of the following components:
Packet filtering router
Application layer gateway (or proxy server)
Circuit layer gateway
Below we discuss each component and describe how they fit together to form an effective firewall system.
Component: packet filtering router
A packet filtering router (Figure 4) makes an allow-or-deny decision for every packet it receives. The router examines each datagram to determine whether it matches a packet filtering rule. The rules are based on the header information available to the IP forwarding process: the IP source address, the IP destination address, the encapsulated protocol (TCP, UDP, ICMP or IP tunnel), the TCP/UDP source port, the TCP/UDP destination port, the ICMP message type, and the packet's inbound and outbound interfaces. If a rule matches and permits the packet, the packet is forwarded according to the routing table. If a rule matches and denies the packet, the packet is discarded. If no rule matches, a user-configured default decides whether the packet is forwarded or discarded.
Service-dependent filtering
Packet filtering lets the router permit or deny traffic according to the specific service, because most services listen on well-known TCP/UDP port numbers. For example, a Telnet server listens for remote connections on TCP port 23, and an SMTP server listens for incoming mail on TCP port 25. To block all inbound Telnet connections, the router simply discards all packets with TCP destination port 23. To limit inbound Telnet to a few internal machines, the router must deny all packets with TCP destination port 23 whose destination IP address is not one of those hosts.
Some typical filtering rules are:
Permit inbound Telnet sessions only to a specified list of internal hosts
Permit inbound FTP sessions only to a specified list of internal hosts
Permit all outbound Telnet sessions
Permit all outbound FTP sessions
Deny all traffic from specific external hosts
Service-independent filtering
Some types of attack are hard to identify using basic header information because they are independent of any service. A router can be configured to guard against them, but the rules are harder to specify because they need extra information that can be learned only by examining the routing table, specific IP options, or the contents of particular fragments. Examples of such attacks:
Source IP address spoofing attacks. Here an intruder outside the network sends packets that claim to come from an internal host, i.e. whose source IP address belongs to the internal network. The intruder hopes the forged source address will get the packets past a system whose security relies on source addresses alone, one that accepts packets from trusted internal hosts and discards packets from everyone else. Spoofing is countered by discarding any packet arriving on the router's external interface that carries an internal source address.
---- Source routing attacks. Here the source host specifies the route a packet is to take through the Internet. The aim is to bypass security measures by forcing the packet along a path the other party cannot predict. Discarding all packets that contain the source routing option defeats this attack.
---- Tiny fragment attacks. The intruder uses the IP fragmentation feature to create extremely small fragments, forcing the TCP header to be split across several fragments. The aim is to bypass user-defined filtering rules: the attacker hopes the filtering router examines only the first fragment and lets the rest through. The defence is to discard any packet whose protocol is TCP and whose IP FragmentOffset equals 1.
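The rules above, service-dependent and service-independent, as one small packet filter. This is an added example written for this page, not code from the original article or from any router vendor: the internal address range, the hosts allowed to receive Telnet and FTP, the blocked external host and the packets themselves are all constructed for illustration.

```python
# Added example (not from the original article): a minimal packet filtering
# router in Python, applying the service-dependent rules (incoming Telnet /
# FTP only to a named internal host, all outgoing sessions allowed, a blocked
# external host) and the service-independent checks (source address
# spoofing, source routing, tiny fragments). Addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.1.0.0/16")          # assumed internal address range
TELNET_HOST = ip_address("10.1.0.23")             # assumed host allowed to receive Telnet
FTP_HOST = ip_address("10.1.0.21")                # assumed host allowed to receive FTP
BLOCKED_EXTERNAL = {ip_address("203.0.113.9")}    # constructed "reject everything" external host


@dataclass
class Packet:
    iface: str                    # "external" or "internal": interface the packet arrived on
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None   # TCP destination port; None on non-first fragments
    source_routed: bool = False   # IP source route option present
    frag_offset: int = 0          # IP FragmentOffset field


def service_independent_checks(p: Packet) -> Optional[str]:
    """Return the name of the attack pattern a packet matches, or None if it passes."""
    src = ip_address(p.src)
    # Source address spoofing: an internal address arriving on the outside interface.
    if p.iface == "external" and src in INTERNAL_NET:
        return "source-spoofing"
    # Source routing: the sender is trying to dictate the path.
    if p.source_routed:
        return "source-routing"
    # Tiny fragment: a TCP fragment at offset 1 means the TCP header was split.
    if p.proto == "tcp" and p.frag_offset == 1:
        return "tiny-fragment"
    return None


def decide(p: Packet) -> str:
    """Apply the filter to one packet: returns 'accept' or 'drop:<reason>'."""
    attack = service_independent_checks(p)
    if attack:
        return f"drop:{attack}"
    src, dst = ip_address(p.src), ip_address(p.dst)
    if src in BLOCKED_EXTERNAL:
        return "drop:blocked-host"
    inbound = p.iface == "external" and dst in INTERNAL_NET
    if inbound and p.proto == "tcp":
        # Service-dependent rules: only the first fragment carries the port number,
        # which is why the offset==1 check above has to exist at all.
        if p.dport == 23 and dst != TELNET_HOST:
            return "drop:telnet-not-allowed-host"
        if p.dport == 21 and dst != FTP_HOST:
            return "drop:ftp-not-allowed-host"
    # Outgoing sessions, and inbound traffic to the permitted hosts, pass.
    return "accept"
```

Note that `decide` has no notion of a session or of what the Telnet commands inside the payload are; that limitation is exactly the one the article raises below when it turns to application layer gateways.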
Advantages of packet filtering routers
---- Most deployed firewall systems use only a packet filtering router. Apart from the time spent planning the filters and configuring the router, implementing packet filtering costs little or nothing extra, because the feature is included in standard router software. Since Internet access is usually over a WAN interface, there is little impact on router performance when traffic is moderate and few filters are defined. In addition, a packet filtering router is transparent to users and applications, so no special user training and no per-host software is required.
Disadvantages of packet filtering routers
---- Defining packet filters is complicated, because the network administrator needs a deep understanding of the various Internet services, the packet header formats, and the meaning of each header field. If very complex filtering must be supported, the rule set becomes large and complex, and therefore hard to manage and understand. Moreover, once the rules have been configured on the router there are almost no tools for testing their correctness, so the rule set can become a weak point.
---- Any packet passed directly through the router carries the potential for a data-driven attack. A data-driven attack is one in which data that appears harmless is forwarded by the router to an internal host; the data contains hidden instructions that cause the host to modify access control and security-related files, giving the intruder access to the system.
---- In general, as the number of filters increases, router throughput declines. A router can be optimised to extract the destination IP address of each packet, perform a simple routing table lookup, and forward the packet to the correct interface. With filtering turned on, the router must not only make a forwarding decision for each packet but also apply every filter rule to it. This consumes CPU time and degrades system performance.
---- IP packet filtering may not provide complete control over the information flowing through the network. A packet filtering router can allow or reject a particular service, but it does not understand the context or the data of that service. For example, a network administrator may need to filter at the application layer to limit access to a subset of the available FTP or Telnet commands, or to block incoming mail or news on particular topics. This kind of control is better done at a higher level, by proxy services and application layer gateways.
Component: Application layer gateway
---- Application layer gateways let network administrators enforce stricter security policies than packet filtering routers. Instead of relying on a packet filtering tool to manage the Internet services passing through the firewall, the application layer gateway runs special-purpose code (a proxy service) installed on the gateway for each required service. If the administrator does not install proxy code for an application, that service is not supported and cannot be forwarded through the firewall. The proxy code can also be configured to support only the subset of an application's features that the administrator considers necessary.
---- This enhanced security comes at a price: the cost of the gateway hardware platform and the proxy service applications, the time and knowledge needed to configure the gateway, and a lower level of service for users, because the lack of transparency makes the system less friendly. As always, the network administrator must balance the institution's security needs against ease of use. It is important to give users access to the proxy services, but users must never be allowed to log in to the application layer gateway itself. If users can log in to the firewall system, its security is threatened, because an intruder could quietly undermine the firewall's effectiveness, for example by gaining root privileges, installing a Trojan horse to capture passwords, or modifying the firewall's security configuration files.
Bastion host
---- A packet filtering router allows packets to flow directly between internal and external systems; an application layer gateway allows information to flow between the systems but does not let them exchange packets directly. The main danger of allowing direct packet exchange between internal and external systems is that the host applications residing on the protected network must themselves withstand any threat carried by the permitted services.
---- An application layer gateway is often called a "bastion host", because it is a specially equipped system designed to withstand attack. Several features are specifically designed to provide security:
The bastion host hardware runs a secure version of its operating system. For example, if the bastion host is a UNIX platform, it runs a secure version of UNIX specially designed to avoid operating system weaknesses, so as to guarantee the integrity of the firewall.
Only the services the network administrator considers necessary are installed on the bastion host. The reasoning is that a service that is not installed cannot be attacked. Typically a limited set of proxy services such as Telnet, DNS, FTP, SMTP and user authentication runs on the bastion host.
Users may be required to pass additional authentication before they can access a proxy service. For example, the bastion host is an ideal place to install strong authentication, where a smart card mechanism generates a unique access code. Each proxy may also perform its own authorisation before granting a user access.
Each proxy is configured to support only a subset of the standard application's command set. If the proxy does not support a standard command, it is simply unavailable: an authenticated user has no way to use that command.
Each proxy is configured to allow access only to particular hosts, so the limited command set applies only to a limited number of hosts on the internal network.
Each proxy keeps detailed audit information by logging all traffic, every connection, and the duration of each connection. The audit trail is an essential tool for discovering and terminating intruder attacks.
Each proxy is a small program written specifically with network security in mind, so its source code can be inspected for flaws and security vulnerabilities. For example, a typical UNIX mail application may contain 20,000 lines of code, whereas a mail proxy is under 1,000 lines.
Each proxy is independent of all the other proxies on the bastion host. If a proxy malfunctions, or a weakness is found in it later, it can simply be removed without affecting the others. Likewise, if users need a new application supported, the administrator can easily install the required proxy on the bastion host.
Apart from reading its initialisation configuration file, a proxy generally performs no disk access. This makes it difficult for an intruder to install a Trojan horse or other dangerous files on the bastion host.
Each proxy runs in its own private, secure directory on the bastion host.
Example: Telnet proxy
---- Figure 5 illustrates the operation of a Telnet proxy on the bastion host. In this example, an external client wants to Telnet to a server protected by the application layer gateway.
Figure 5 Telnet proxy
---- The Telnet proxy never allows a remote user to log in to the internal server or to access it directly. The external client Telnets to the bastion host, which authenticates the user with a one-time password technique. After authentication, the external client gains access to the Telnet proxy's user interface. The proxy allows only a subset of the Telnet commands and determines which internal hosts are available for Telnet access. The external client names the destination host, and the Telnet proxy then establishes its own connection to the internal server and forwards the commands on behalf of the external client. The external client believes the Telnet proxy is the real internal server, while the internal server treats the Telnet proxy as the external client.
---- Figure 6 shows the output on the external client's terminal when a connection to the internal server is established. Note that the client does not log in to the bastion host; instead the bastion host issues a challenge, which the user must answer before being allowed to use the Telnet proxy. After the challenge, the proxy shows the set of commands available and the destination hosts the external client may reach.
Outside-host> telnet BastionHost
Trying 200.43.67.17 ...
Connected to BastionHost.
Escape character is '^]'.
Username: John Smith
Challenge Number "237936"
Challenge Response: 723456
BastionHost Telnet Proxy (Version 1.4) ready:
BH-Telnet> help
Valid commands are:
    connect hostname
    help / ?
    quit / exit
BH-Telnet> connect InsideHost
SunOS UNIX (InsideHost)
login: John Smith
Password: ######
Last login: Wednesday Dec 13 11:17:15
Welcome Inside-Host
Figure 6 Telnet session as displayed on the terminal
---- Authentication can be based on something the user knows (such as a password) or something the user has (such as a smart card). Either can be stolen, but combining the two methods increases the reliability of user authentication. In this Telnet example, the proxy issues a challenge and the user obtains the answer from a smart card. Typically the user unlocks the card by entering a PIN; the card then computes an encrypted value from the shared secret key and its internal clock, and returns that value to the user as the answer to the challenge.
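The Telnet proxy interface of Figure 6 and the challenge/response step just described, together in one worked example. This is added code for this page, not the article's own proxy or any vendor's product: the per-user secret shared with the card, the allowed internal host, the clock window length and the challenge value are all constructed assumptions, and the card's keyed computation is modelled with an HMAC over the challenge and the current clock window rather than any particular smart card algorithm.

```python
# Added example (not from the original article): the bastion-host Telnet
# proxy interface (help / connect / quit only, restricted destination hosts,
# audit trail) with smart-card style challenge/response authentication.
# Secrets, hosts and the clock window are constructed assumptions; the
# card's computation is modelled as HMAC-SHA256(secret, challenge || window).
import hashlib
import hmac
from typing import Dict, List, Optional

ALLOWED_HOSTS = {"InsideHost"}              # assumed internal hosts reachable via the proxy
CARD_SECRETS: Dict[str, bytes] = {          # assumed per-user secrets shared with each card
    "John Smith": b"constructed-secret-for-john",
}
CLOCK_STEP = 60                             # seconds per clock window on the card (assumption)


def card_response(secret: bytes, challenge: str, now: float, step: int = CLOCK_STEP) -> str:
    """What the user's card computes after the PIN unlocks it: a 6-digit code
    derived from the shared secret, the proxy's challenge and the card's clock window."""
    window = int(now // step)
    mac = hmac.new(secret, f"{challenge}:{window}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify_response(user: str, challenge: str, response: str, now: float,
                    step: int = CLOCK_STEP, skew: int = 1) -> bool:
    """Proxy side: accept the code for the current window or one window either
    side, tolerating clock drift between the card and the bastion host."""
    secret = CARD_SECRETS.get(user)
    if secret is None:
        return False
    for w in range(-skew, skew + 1):
        expected = card_response(secret, challenge, now + w * step, step)
        if hmac.compare_digest(expected, response):   # constant-time comparison
            return True
    return False


class TelnetProxy:
    """The proxy's command interface: there is no shell and no login on the bastion,
    only the small command subset, and every action is recorded in the audit trail."""

    def __init__(self) -> None:
        self.user: Optional[str] = None
        self.audit: List[str] = []

    def login(self, user: str, challenge: str, response: str, now: float) -> bool:
        ok = verify_response(user, challenge, response, now)
        self.audit.append(f"auth user={user!r} ok={ok}")
        self.user = user if ok else None
        return ok

    def handle(self, line: str) -> str:
        if self.user is None:
            return "not authenticated"
        parts = line.split()
        cmd = parts[0].lower() if parts else ""
        self.audit.append(f"cmd user={self.user!r} line={line!r}")
        if cmd in ("help", "?"):
            return "Valid commands are: connect hostname, help/?, quit/exit"
        if cmd in ("quit", "exit"):
            self.user = None
            return "bye"
        if cmd == "connect" and len(parts) == 2:
            host = parts[1]
            if host not in ALLOWED_HOSTS:
                return f"connect refused: {host} is not an allowed host"
            # A real proxy opens its own TCP connection to `host` here and relays
            # the session; this example only records the decision.
            self.audit.append(f"connect user={self.user!r} host={host}")
            return f"connecting to {host} on behalf of {self.user}"
        return "unknown command"   # anything outside the subset simply does not exist
```

The point to notice is that the proxy never evaluates arbitrary input: a command that is not one of the three is rejected before any host is touched, and the audit list is the raw material for the "discovering and terminating intruder attacks" role the article assigns to proxy logs.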
Advantages of application layer gateways
---- Deploying application layer gateways has many advantages. They give the network administrator complete control over each service, because the proxy application limits the command set and determines which internal hosts the service can reach. At the same time, the administrator has complete control over which services are permitted, since a service with no proxy is simply not provided. Application layer gateways can support strong user authentication and produce detailed logging information. Finally, application layer filtering rules are easier to configure and test than those of a packet filtering router.
Disadvantages of application layer gateways
---- The biggest disadvantage of application layer gateways is that they require either a change in user behaviour or special software on every system that accesses the proxy service. For example, Telnet access through an application layer gateway requires the user to connect in two steps rather than one. However, special end-system software can let the user name the destination host in the telnet command rather than the application layer gateway, making the gateway transparent.
Component: Circuit layer gateway
---- A circuit layer gateway is a special function that an application layer gateway can perform. It simply relays TCP connections and performs no additional packet processing or filtering.
---- Figure 7 illustrates the operation of a Telnet connection through a circuit layer gateway. The gateway simply relays the Telnet connection without examining, filtering or managing the Telnet protocol. It acts like a wire, copying bytes between the internal connection and the external connection. But because the connection appears to originate from the firewall, it hides information about the protected network.
Figure 7 Circuit layer gateway
---- Circuit layer gateways are often used for outgoing connections, where the network administrator trusts the internal users. Their advantage is that the bastion host can be configured as a hybrid gateway: it supports application layer or proxy services for incoming connections and circuit layer functions for outgoing connections. This makes the firewall system easy for internal users to use when accessing Internet services, while still providing the firewall functions that protect the internal network from external attack.
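The "wire" behaviour of a circuit layer gateway, as an added example written for this page rather than code from the original article. The two connections are created with `socketpair()` so the example runs offline; a real gateway would `accept()` the external connection and `connect()` to the internal host. The request and reply bytes are constructed.

```python
# Added example (not from the original article): a circuit layer relay that
# copies bytes between two established TCP-style connections without parsing
# or filtering them. Sockets are socketpair()s so the demo runs offline; a
# real gateway would accept() the external side and connect() to the inside.
import select
import socket
import threading
from typing import List, Optional, Tuple


def relay(ext: socket.socket, int_: socket.socket, bufsize: int = 4096) -> Tuple[int, int]:
    """Relay until both directions have closed.
    Returns (bytes copied external->internal, bytes copied internal->external)."""
    peer = {ext: int_, int_: ext}
    counts = {ext: 0, int_: 0}          # bytes read from each side
    open_sides = set(peer)
    while open_sides:
        readable, _, _ = select.select(list(open_sides), [], [])
        for s in readable:
            data = s.recv(bufsize)
            if not data:                # EOF on this side: propagate the half-close
                open_sides.discard(s)
                try:
                    peer[s].shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                continue
            counts[s] += len(data)
            peer[s].sendall(data)       # no inspection at all: the gateway is "just a wire"
    return counts[ext], counts[int_]


def run_demo() -> Tuple[bytes, bytes, Optional[Tuple[int, int]]]:
    """Constructed session: an 'external client' sends a request through the
    relay to an 'internal server', which answers. Returns what each end saw
    and the relay's byte counts."""
    client, gw_ext = socket.socketpair()     # external client <-> gateway outside leg
    gw_int, server = socket.socketpair()     # gateway inside leg <-> internal server
    result: List[Tuple[int, int]] = []
    worker = threading.Thread(target=lambda: result.append(relay(gw_ext, gw_int)), daemon=True)
    worker.start()
    client.sendall(b"GET /status\r\n")       # constructed request
    request = server.recv(4096)
    server.sendall(b"200 OK\r\n")            # constructed reply
    reply = client.recv(4096)
    client.close()
    server.close()
    worker.join(timeout=5)
    gw_ext.close()
    gw_int.close()
    return request, reply, (result[0] if result else None)
```

Because `relay` never looks inside `data`, the internal server sees exactly what the client sent and vice versa; only the addresses on the two legs differ, which is the information-hiding the article attributes to this component.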
Firewall Example 1: Packet filtering router
---- The most common firewall is a packet filtering router placed between the Internet and the internal network (Figure 8). The packet filtering router performs the normal routing function of forwarding packets between the two networks, and uses packet filter rules to allow or reject packets. Typically the filtering rules are defined so that hosts on the internal network may access the Internet directly, while hosts on the Internet have restricted access to hosts on the internal network. This type of firewall system rejects any packet that is not specifically permitted.
Figure 8 Packet filtering router firewall
---- Although this firewall system has the advantages of low cost and transparency to users, it also has drawbacks: the configured router itself may be attacked, and the permitted services may be used to attack the systems behind it. Since packets are exchanged directly between internal and external systems, the exposure extends to every service permitted on every host and on the router. This means that each host reachable directly from the Internet must support sophisticated user authentication, and the network administrator must constantly examine the network to determine whether it is under attack. Moreover, if the packet filtering router is penetrated, every system on the internal network may be compromised.
Firewall Example 2: Screened host firewall
---- The second firewall system consists of a packet filtering router and a bastion host (Figure 9). It provides a higher level of security than the previous example because it implements both network layer security (packet filtering) and application layer security (proxy services). An intruder must therefore penetrate two separate security systems before compromising the internal network.
Figure 9 Screened host firewall (single-homed bastion host)
---- In this firewall system the bastion host is placed on the internal network, and the packet filtering router sits between the internal network and the Internet. The router is typically configured so that external systems can reach only the bastion host, and traffic to other hosts on the internal network is blocked. Since the internal hosts are on the same network as the bastion host, the institution's security policy determines whether internal systems may reach the Internet directly or must use the proxy services on the bastion host. Configuring the router's filter rules so that it accepts internal packets only from the bastion host forces internal users to use the proxy services.
---- One advantage of this firewall system is that a server providing public information services, such as Web or FTP, can be placed on the network segment shared by the packet filtering router and the bastion host. If a very high level of security is required, the bastion host can run proxy services so that both internal and external users must go through the bastion host before communicating with the information server. If a lower security level is sufficient, the router can be configured to let external users access the public information server directly.
---- An even more secure firewall system can be built with a dual-homed bastion host (Figure 10). A dual-homed bastion host has two network interfaces, but the host's ability to forward packets directly between the two interfaces (which would bypass the proxy services) is turned off. This physical structure forces all traffic to the internal network through the bastion host, and provides additional security when external users are granted direct access to the information server.
Figure 10 Screened host firewall system (dual-homed bastion host)
---- Since the bastion host is the only internal system reachable directly from the Internet, only the bastion host itself is exposed to attack. However, if users are allowed to log in to the bastion host, every host on the internal network becomes open to attack, because once logins are allowed, compromising the bastion host is relatively easy for an intruder. The bastion host must therefore be hardened against penetration, and no user logins to it should be permitted.
Firewall Example 3: DMZ or screened subnet firewall
---- The final firewall system uses two packet filtering routers and a bastion host (Figure 11). This is the most secure of the firewall systems, because it supports both network layer and application layer security while defining a demilitarised zone (DMZ) network. The network administrator places the bastion host, the information servers, the modem pool and other public servers on the DMZ network. The DMZ network is small and sits between the Internet and the internal network. Normally the DMZ is configured so that systems on both the Internet and the internal network can reach only a limited number of systems on the DMZ network, and direct transmission of traffic across the DMZ network is strictly prohibited.
Figure 11 Screened subnet firewall system
---- For incoming traffic, the outside router defends against the usual external attacks (such as source address spoofing and source routing) and manages access from the Internet to the DMZ network. It allows external systems to reach only the bastion host (and possibly the information server). The inside router provides a second line of defence: it accepts only packets originating from the bastion host, and manages access from the DMZ to the internal network.
---- For outgoing traffic, the inside router manages access from the internal network to the DMZ network. It allows internal systems to reach only the bastion host (and possibly the information server). The filter rules on the outside router enforce use of the proxy services, by accepting only packets from the bastion host bound for the Internet.
---- Deploying a screened subnet firewall system has the following particular benefits:
An intruder must break through three separate devices to reach the internal network: the outside router, the bastion host, and the inside router.
Since the outside router advertises only the existence of the DMZ network to the Internet, systems on the Internet have no route to the internal network. The network administrator can thus ensure that the internal network is "invisible", and that only selected systems on the DMZ network are made known to the Internet (via routing tables and DNS information).
Since the inside router advertises the DMZ network only to the internal network, systems on the internal network cannot communicate directly with the Internet. This guarantees that internal users must reach the Internet through the proxy services residing on the bastion host.
The packet filtering routers direct traffic to designated systems on the DMZ network, eliminating the need for the bastion host to be dual-homed.
As the final firewall system between the internal network and the Internet, the inside router can support greater packet throughput than a dual-homed bastion host.
Since the DMZ network is a different network from the internal network, NAT (Network Address Translation) can be installed on the bastion host, avoiding renumbering or re-subnetting the internal network.
Summary
---- There is never a single correct answer to designing and deploying an Internet firewall. Each institution's network security decisions may be influenced by many factors, such as its security policy, the technical background of its staff, cost, and the estimated threat of attack. This paper has focused on a number of issues in building Internet firewalls, including their advantages and disadvantages, their components, and examples of firewall system topologies. Since the benefits of connecting to the Internet are likely to outweigh the costs, network administrators should fully understand the hazards and take appropriate precautions to give the network the security it needs.