An in-depth look at firewalls
With the rapid development of computer network technology, network security problems are becoming more and more visible to every kind of user. According to figures available to the author, more than 20% of users have already been attacked by hackers. Yet despite how damaging these attacks are, network security still does not get enough attention: many users believe the problem is remote from them. This shows in the roughly 40% of users, enterprise users in particular, who run no firewall at all, and events have proved the point to everyone: most hacker intrusions can be traced back to a firewall that was never properly installed.

The concept of a firewall. The word originally meant the wall built between houses in ancient times to stop a fire in one home from spreading to its neighbours. The firewall discussed here is of course not a physical wall but a defensive system that isolates a local network from the external network; it is the general name for this class of protective measure. On the Internet a firewall is a very effective security model: it separates the risk zone (the Internet, or any other untrusted network) from the secure zone (the LAN) without preventing people inside from reaching the risk zone. By monitoring traffic entering and leaving the network, the firewall accomplishes what seems impossible: it lets through only information that is safe and approved, while resisting data that poses a threat to the organization. Network intrusions are not only the result of sophisticated attack techniques; they also arise from low-level mistakes and poorly chosen passwords. The role of the firewall is therefore to prevent unwanted, unauthorized communication into and out of the protected network, and in doing so to force the organization to strengthen its network security policy.
In general a firewall can do the following: first, limit outsiders' access to the internal network, filtering out unsafe services and illegitimate users; second, keep intruders away from your other defences; third, restrict users to specific sites; and fourth, make it easier to monitor Internet security. Because a firewall sits at a network boundary and serves everything behind it, it is best suited to relatively self-contained, concentrated networks such as an intranet. Firewalls are becoming a very popular way to control access to network systems; in fact, more than a third of the Web sites on the Internet are protected by some form of firewall, which is the strictest and most secure way to keep hackers out, and any critical server should be placed behind one.

Firewall architecture and mode of operation. A firewall makes the user's network plan clearer and fully prevents data access across permission boundaries (because once certain people log in, the first thing they try is to exceed the permissions they were given). Without a firewall you may receive many reports like these: the organization's internal financial report has just been tampered with, or a user's personal home page has been maliciously linked to Playboy, with the reported link actually pointing at some other pornographic site... A complete firewall system usually consists of a screening router and a proxy server. The screening router is a multi-port IP router that checks every arriving IP packet against a set of rules to decide whether to forward it. It takes information from the packet header, such as the protocol number, the source and destination IP addresses and port numbers, the connection flags and other IP options, and filters IP packets on that basis. The proxy server is a server process on the firewall that performs a specific TCP/IP function on behalf of network users.
A proxy server is essentially an application-layer gateway: a gateway between two networks for one particular network application. The user's TCP/IP application, such as Telnet or FTP, talks to the proxy server, and the proxy asks the user for the name of the remote host to be accessed. When the user replies and supplies a valid identity and authentication credentials, the proxy connects to the remote host and acts as the relay point between the two ends. The whole process can be completely transparent to the user.
The identity and authentication information the user supplies can be used for user-level authentication. In the simplest case this is just a user identity and a password. If the firewall is reachable from the Internet, however, users should be required to use a stronger authentication mechanism, such as one-time passwords or a challenge-response system.

The biggest advantages of the screening router are its simplicity and low hardware cost. Its disadvantages are that packet filtering rules are hard to write correctly, that the router carries its own management overhead, and that it provides no user-level authentication. Fortunately router vendors have recognized these problems and are addressing them: they are developing graphical user interfaces for editing packet filtering rules and standard user-level authentication protocols such as Remote Authentication Dial-In User Service (RADIUS).

The advantages of the proxy server are user-level authentication, logging and accounting. Its shortcoming follows from the fact that, to provide comprehensive protection, a separate application-layer gateway must be built for every service; this severely limits the adoption of new applications.

Screening routers and proxy servers are usually combined into a hybrid system, in which the screening router's main job is to defeat IP spoofing attacks. The most widely deployed configurations today are the dual-homed host firewall, the screened host firewall and the screened subnet firewall. A firewall typically costs thousands or even tens of thousands of US dollars and has to run on a dedicated computer, so a user who connects a single computer to the Internet does not need one; even purely on cost grounds it would not be worthwhile. Today the focus of firewalls is still the protection of large networks made up of many computers, which are also what hackers are really interested in.
A firewall may be a very simple filter or a carefully configured gateway, but the principle is the same: it monitors and filters all information passing between the internal network and the outside world, protects sensitive internal data from theft and destruction, and records the time and nature of communications. The newest generation of firewalls can even prevent insiders from passing sensitive data to the outside. When an organization connects its local network to the Internet, nobody wants people anywhere in the world to be able to read the payroll, documents or databases freely; the data may even be attacked from inside the organization, for instance by a disgruntled employee who modifies the payroll or the financial reports. With a firewall in place the administrator can define that internal employees may use e-mail, browse the WWW and transfer files, but that the outside world may not access computers inside the organization, and the administrator can also isolate different departments of the organization from one another. Once the local network is behind the firewall, attacks from the outside can be blocked. The firewall is usually special software running on a dedicated computer that recognizes and blocks illegitimate requests. Take a WWW proxy server as an example: every request is handled indirectly through the proxy. Unlike an ordinary proxy, which simply passes requests on, the firewall proxy verifies the requester's identity, the requested destination and the content of the request. Only if everything is in order is the request approved and sent on to the real WWW server. When the real WWW server has processed the request it does not return the result to the requester directly; it returns it to the proxy, which checks whether the result violates the security rules, and only after that check passes is the result delivered into the requester's hands.
Firewall architectures

1. Screening router. A screening router can be a vendor's dedicated router product or can be implemented on a general-purpose host. It is the only channel between the internal and external networks, so every packet must pass inspection there. Packet filtering software working at the IP layer is installed on the router; many routers come with packet filtering options of their own, but these are generally fairly simple. In a firewall consisting of a single screening router the exposed components are the router itself and every host the router allows access to. The weaknesses of the screening router are that an attack on it is hard to detect afterwards, and that it cannot distinguish between different users.
2. Dual-homed gateway. A dual-homed host gateway is a firewall built from a bastion host with two network interface cards, one connected to the protected network and the other to the external network. The firewall software runs on the bastion host and can forward application traffic, provide services and so on. Compared with a screening router, the system software of a dual-homed host gateway can maintain system logs, hard-copy logs or remote logs. But its weakness is just as prominent: once a hacker breaks into the bastion host and reduces it to a plain router, any user on the outside can reach the intranet.

3. Screened host gateway. A screened host network is also easy to implement. A bastion host is placed on the internal network, and filter rules are usually set on the router so that this bastion host is the only machine that can be reached directly from the external network, ensuring that the internal network is protected from unauthorized external users. If the protected network is a flat local network, that is, one without subnets or routers, then changes to the internal network do not affect the configuration of the bastion host or the screening router. The exposed zone is limited to the bastion host and the screening router. The gateway's basic control policy is determined by the software installed on it, and if an attacker does manage to log in to it, the remaining hosts on the intranet are seriously threatened; this is similar to what happens when a dual-homed host gateway is compromised.

4. Screened subnet. A screened subnet establishes an isolated subnet between the internal and external networks, using two packet filtering routers to separate this subnet from the internal network on one side and from the external network on the other.
In many implementations the two packet filtering routers are placed at the two ends of the subnet, which hosts services such as DNS; both the internal network and the external network can reach the screened subnet, but they are prohibited from communicating through it. Some screened subnets also contain a bastion host as the only reachable point, supporting interactive terminal sessions or acting as an application gateway proxy. The exposed zone in this design is limited to the bastion host, the hosts on the subnet and the routers that connect the intranet, the external network and the screened subnet. An attacker who wants to breach the firewall completely must reconfigure the router connecting the three networks, without locking the connection, without locking himself out, and without being discovered; this is still possible. However, if network access to the router is prohibited, or only a few hosts on the intranet are allowed to reach it, the attack becomes much harder: the attacker must first break into the bastion host, then into an intranet host, and then come back to compromise the screening router, all without triggering an alert.

Basic types of firewall. The firewalls on the market today come in many forms: some are software running on an ordinary computer, others are firmware built into a router. In general they can be divided into three types: packet filtering firewalls, proxy servers and stateful inspection firewalls. Packet filtering firewall (packet filter): the packet filter operates at the network layer. It inspects every packet in the data stream against rules set up in advance by the system administrator, and decides from the packet's source address, destination address and port whether this kind of packet is allowed to pass. On the Internet's packet-switched network all information is split into many packets, each carrying the sender's IP address and the receiver's IP address.
When these packets are sent onto the Internet, the routers read the recipient's IP address and choose a physical line to send each one along. The packets may reach the destination by different routes and are reassembled into the original message once they have all arrived. A packet filtering firewall examines the IP addresses in every packet and filters packets according to the rules the system administrator has given it. If the firewall marks an IP address as dangerous, all traffic from that address is blocked. This kind of firewall is widely used; for example, the relevant state departments can use it to prevent domestic users from reaching foreign sites that are "problematic" under domestic regulations, such as www.bleboy.com or www.cnn.com.
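The rule evaluation described for the screening router and for the packet filtering firewall is shown below as an added example, not code from the article. It models a first-match, default-deny filter over the header fields the text lists (interface, protocol, source and destination address, port, and the TCP ACK connection flag), including the anti-spoofing rule that a screening router exists to enforce. The interface names, the 10.0.0.0/8 internal range, the bastion address and the sample packets are all constructed for illustration.

```python
# Added example: a first-match packet filter in the style of a screening
# router. The interface names, address ranges, rules and sample packets
# are constructed for illustration and are not from the article.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    iface: str          # interface the packet arrived on: "ext" or "int"
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int = 0      # destination port (0 for non-TCP/UDP)
    ack: bool = False   # TCP ACK flag: set on every packet after the opening SYN


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    iface: Optional[str] = None     # None means "match any"
    proto: Optional[str] = None
    src: Optional[str] = None       # CIDR network
    dst: Optional[str] = None       # CIDR network
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.ack is not None and p.ack != self.ack:
            return False
        return True


INTERNAL = "10.0.0.0/8"        # assumed address range of the protected network
BASTION = "10.0.0.25/32"       # assumed mail host that may be reached from outside

RULES: List[Rule] = [
    # Anti-spoofing: nothing arriving on the external interface may claim an
    # internal source address (the IP spoofing the screening router exists to stop).
    Rule("deny", iface="ext", src=INTERNAL),
    # Inbound SMTP is allowed to the bastion host only.
    Rule("allow", iface="ext", proto="tcp", dst=BASTION, dport=25),
    # Replies to connections opened from inside carry the ACK flag; let them back in.
    Rule("allow", iface="ext", proto="tcp", dst=INTERNAL, ack=True),
    # Internal hosts may open web connections outward.
    Rule("allow", iface="int", proto="tcp", src=INTERNAL, dport=80),
    Rule("allow", iface="int", proto="tcp", src=INTERNAL, dport=443),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule; unmatched packets are
    denied, so the filter fails closed if the administrator forgets a case."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed sample traffic: (description, packet).
SAMPLES = [
    ("new SMTP connection to the bastion",
     Packet("ext", "tcp", "198.51.100.7", "10.0.0.25", 25)),
    ("spoofed: external packet with an internal source",
     Packet("ext", "tcp", "10.0.0.5", "10.0.0.25", 25)),
    ("new Telnet connection straight to an internal host",
     Packet("ext", "tcp", "198.51.100.7", "10.0.0.9", 23)),
    ("reply from a web server to an inside client",
     Packet("ext", "tcp", "203.0.113.80", "10.0.0.9", 51234, ack=True)),
    ("inside client opening a web connection",
     Packet("int", "tcp", "10.0.0.9", "203.0.113.80", 80)),
    ("inside client opening a Telnet connection",
     Packet("int", "tcp", "10.0.0.9", "203.0.113.80", 23)),
]


def run_samples() -> List[str]:
    """Decisions for SAMPLES, in order."""
    return [filter_packet(p) for _, p in SAMPLES]


if __name__ == "__main__":
    for (desc, _), decision in zip(SAMPLES, run_samples()):
        print(f"{decision:5}  {desc}")
```

Two design points are worth noticing. Rule order matters: the anti-spoofing deny has to come before any allow, or a forged packet with an internal source would be let through by the "reply" rule. And the ACK-flag trick for recognizing return traffic is exactly what a stateless filter can do and no more; an attacker can send packets with ACK set to probe internal hosts, which is one reason stateful inspection later replaced this technique.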
The biggest advantage of the packet filtering router is that it is transparent to the user: no username or password is needed to log in. This kind of firewall is fast and easy to maintain, and it usually serves as the first line of defence. Its drawbacks are just as obvious. It normally keeps no record of who used it, so we cannot find traces of a hacker's attack in the access records. A simple packet filtering firewall is also relatively easy for hackers to attack, and they have accumulated a lot of experience at it. "Packet bombardment" is a combined hacker technique: a series of packets is crafted for the packet filtering firewall, with the source IP addresses in the packets replaced (fake IP) by a run of consecutive IP addresses. As soon as one of the packets gets through, the hacker can use that IP address to disguise the information he sends. In other cases hackers use a router attack program of their own, which uses the Routing Information Protocol (RIP) to send fake routing information so that all packets are rerouted to an address the intruder specifies. Another technique used against such a router is called "SYN flooding", which is in effect a network bomb. The attacker sends a large number of false "synchronization request" (SYN) packets to the target computer; when the server replies to each one it waits for the requester to answer, but the attacker never responds. If the server receives no reply within 45 seconds it cancels the request, but while it is handling tens of thousands of these bogus requests it has no capacity left to serve normal users, and no server stands up to such an attack. Besides the lack of user records already mentioned, cumbersome configuration is another shortcoming of the packet filtering firewall.
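The SYN flood mechanism just described, as an added example that is not part of the article: a replay of the server's half-open connection queue over a constructed packet trace, followed by the simplest detector, which lists sources whose SYN was never followed by their own ACK. The queue size of five is an assumption chosen so the effect is visible in a few lines; the 45-second timeout is the figure quoted in the text.

```python
# Added example: a replay of the half-open connection queue that a SYN
# flood fills up, plus a simple detector. The queue size and the packet
# trace are constructed; the 45-second timeout is the figure quoted above.
from typing import Dict, List, Tuple

Event = Tuple[float, str, str]   # (time in seconds, source address, "SYN" or "ACK")

TIMEOUT = 45.0   # how long the server waits for the final ACK before giving up
BACKLOG = 5      # assumed size of the half-open queue; real servers hold hundreds or more


def replay(trace: List[Event], backlog: int = BACKLOG, timeout: float = TIMEOUT):
    """Feed the trace through a server-side half-open queue.
    Returns (completed, refused, expired): handshakes finished, SYNs dropped
    because the queue was full, and entries aged out after `timeout`."""
    half_open: Dict[str, float] = {}   # source -> time its SYN was queued
    completed = refused = expired = 0
    for now, src, flag in trace:
        # Age out entries whose ACK never came (the attacker's, in a flood).
        stale = [s for s, t0 in half_open.items() if now - t0 >= timeout]
        for s in stale:
            del half_open[s]
            expired += 1
        if flag == "SYN":
            if len(half_open) >= backlog:
                refused += 1              # no room: real clients get no SYN-ACK
            else:
                half_open[src] = now
        elif flag == "ACK" and src in half_open:
            del half_open[src]            # handshake complete
            completed += 1
    return completed, refused, expired


def unanswered_syns(trace: List[Event], timeout: float = TIMEOUT) -> List[str]:
    """Sources whose SYN was never followed by their own ACK within `timeout`.
    A burst of these from many (usually forged) addresses is the flood's signature."""
    acks: Dict[str, List[float]] = {}
    for t, src, flag in trace:
        if flag == "ACK":
            acks.setdefault(src, []).append(t)
    return [src for t, src, flag in trace
            if flag == "SYN" and not any(t <= ta < t + timeout for ta in acks.get(src, []))]


# Constructed trace: five forged sources fill the queue and never answer;
# a real client is refused, then succeeds once the bogus entries expire.
TRACE: List[Event] = [
    (0.0, "192.0.2.1", "SYN"), (1.0, "192.0.2.2", "SYN"), (2.0, "192.0.2.3", "SYN"),
    (3.0, "192.0.2.4", "SYN"), (4.0, "192.0.2.5", "SYN"),
    (5.0, "198.51.100.7", "SYN"),    # legitimate client, queue is full
    (49.0, "198.51.100.7", "SYN"),   # retry after the forged entries aged out
    (49.5, "198.51.100.7", "ACK"),
]

if __name__ == "__main__":
    print("completed, refused, expired =", replay(TRACE))
    print("unanswered SYNs from:", unanswered_syns(TRACE))
```

The replay shows why the attack is cheap: the attacker spends five packets and the server holds state for 45 seconds on each, so a modest sending rate keeps the queue permanently full. The detector's per-source view is only a first cut, since the forged addresses change constantly; in practice the useful signal is the aggregate count of half-open entries, and the countermeasure is SYN cookies or a much shorter timeout under load.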
It blocks others from entering the internal network, but it cannot tell you where they tried to enter your system, or who is going out to the Internet from inside. It stops access to the private network but cannot record internal access. Another key weakness of packet filtering is that it cannot filter at the user level: it neither identifies individual users nor prevents IP address theft. In this sense a packet filtering firewall is by no means an absolutely secure system.

Proxy server. The proxy server is often also called an application-level firewall. A packet filtering firewall can block unauthorized access by IP address, but it is not suited to controlling what insiders may reach on the outside, and for an organization with that requirement the application-level firewall is the better choice. Proxy service means that the application-layer connection between the computer systems inside and outside the firewall is implemented as two separate connections that both terminate at the proxy, thereby isolating the systems on the two sides. A proxy service is an application installed on the Internet firewall gateway; it allows or refuses a specific application or service, and it can also be used to implement strong monitoring, filtering, logging and reporting of data flows. Normally it applies to specific Internet services, such as hypertext transfer (HTTP) and remote file transfer (FTP). A proxy server usually also has a cache holding the sites users visit most often, so that when the next user wants the same site the server does not have to fetch the same content again, which saves time and network resources.

Below the author briefly introduces the design and implementation of several kinds of proxy server.

1. Application proxy server (application gateway proxy). An application proxy server provides authorization checks and proxy services at the application layer.
When an external host attempts to access a service (Telnet, say), it must first authenticate to the firewall. Once authentication succeeds, the firewall runs a program written specifically for Telnet and connects the external host to the internal host. During this process the firewall can restrict the time of access, the hosts that may be accessed and the users who may access them.
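The authorization step of an application gateway, as an added example rather than the article's own code. It covers the sequence described here and applied in the same way to inside users going out: the user authenticates to the firewall, the gateway checks which services, destination hosts and hours that user is permitted, logs the decision, and only then would it open the second connection, presenting its own address to the peer. The users, passwords, policy table and the 203.0.113.1 gateway address are constructed; password storage uses PBKDF2 from the standard library.

```python
# Added example: the authentication and policy check an application-level
# gateway performs before it opens the second connection on the user's
# behalf. The users, passwords, policy table and addresses are constructed;
# nothing here is the article's own code.
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

_DUMMY_SALT = os.urandom(16)   # so an unknown user costs the same time as a known one


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


USERS = {"alice": make_user("correct horse"), "bob": make_user("hunter2")}

# Per-user policy: permitted proxied services, reachable hosts, and hours [start, end).
POLICY = {
    "alice": {"services": {"telnet", "ftp"}, "hosts": {"10.0.0.9"}, "hours": (8, 18)},
    "bob":   {"services": {"ftp"},           "hosts": {"10.0.0.9"}, "hours": (0, 24)},
}
FIREWALL_ADDR = "203.0.113.1"   # assumed public address the peer sees instead of 10.0.0.9
AUDIT: List[Tuple[str, str, str, bool, str]] = []   # every decision is logged here


def _decide(user: str, service: str, dst: str, ok: bool, reason: str):
    AUDIT.append((user, service, dst, ok, reason))
    return ok, reason


def authorize(user: str, password: str, service: str, dst_host: str, hour: int):
    """Authenticate the user, then apply the per-user policy.
    Returns (ok, reason); only ok=True lets the gateway connect to dst_host."""
    rec = USERS.get(user)
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["hash"] if rec else b"\0" * 32
    if not hmac.compare_digest(_hash(password, salt), expected):
        return _decide(user, service, dst_host, False, "bad credentials")
    pol = POLICY[user]
    if service not in pol["services"]:
        return _decide(user, service, dst_host, False, "service not permitted")
    if dst_host not in pol["hosts"]:
        return _decide(user, service, dst_host, False, "host not permitted")
    start, end = pol["hours"]
    if not start <= hour < end:
        return _decide(user, service, dst_host, False, "outside permitted hours")
    return _decide(user, service, dst_host, True, f"relaying via {FIREWALL_ADDR}")


if __name__ == "__main__":
    print(authorize("alice", "correct horse", "telnet", "10.0.0.9", 10))
    print(authorize("bob", "hunter2", "telnet", "10.0.0.9", 10))
    for entry in AUDIT:
        print(entry)
```

Every refusal, including a bad password, lands in the audit log with the user name attached; that record of who tried what is precisely what the packet filter described earlier cannot produce. The password check is the weak point the text warns about: for a gateway reachable from the Internet this step should be a one-time password or challenge-response exchange rather than a static secret.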
Likewise, when an internal user wants to reach the external network, he must first log in to the firewall and be verified before Telnet, FTP or other commands are honoured. The advantage of the application gateway proxy is that it can hide internal IP addresses and apply controls to individual users: even an attacker holding a legitimate IP address must still pass strict identity authentication. It therefore offers higher security than packet filtering. But this authentication makes the application gateway non-transparent: users have to log in for every connection, which brings considerable inconvenience, and the technique requires a dedicated program to be written for every application gateway.

2. Circuit-level proxy server. The circuit-level proxy server, also known as a general proxy server, works with many protocols, but because it cannot interpret the application protocol it has to obtain the information it needs in other ways. A circuit-level proxy therefore usually requires a modified client program. The SOCKS server is one such circuit-level proxy; SOCKS is an international standard at the network application layer. When a client on the protected network needs to interact with the external network, the SOCKS server checks the client's user ID, source IP address and destination IP address, and after confirming them it establishes the connection to the external server. To the user the exchange between the protected network and the external network is transparent, and he does not feel the firewall's presence, because users do not need to log in to it. The client application must support the SOCKS API, however, and the IP address that protected-network users present to the public network is the firewall's own address.

3. Managed server. This technique moves unsafe services such as FTP and Telnet onto the firewall itself, so that the firewall also acts as the server and answers external requests.
Compared with the application-layer proxy implementation, this technique does not require a separate program to be written for each service. Moreover, when internal users want to reach the external network they must still log in to the firewall and state their request, so from the external network only the firewall is visible; internal addresses are hidden and security is improved.

4. IP tunnels. If two branches of a company are far apart and communicate over the Internet, IP tunnels can be used to stop hackers on the Internet from intercepting the information, thus forming a virtual enterprise network over the Internet.

5. Network address translation. When the protected network is connected to the Internet, users on it must use legal IP addresses, but Internet IP addresses are scarce, and the protected network often has its own address plan. The network address translator is a pool of legal IP addresses set up on the firewall. When an internal user accesses the Internet, the firewall dynamically assigns him an unallocated address from the pool, and he communicates with the outside using that legal address. At the same time, for internal servers such as a Web server, the network address translator can assign a fixed legal address so that users on the external network can reach the internal server through the firewall. This technique both eases the problem of having few IP addresses for many hosts and hides the IP addresses of internal hosts, improving security.

6. Split domain name server. This technique uses the firewall to separate the protected network's domain name server from the external network's domain name server, so that the external DNS sees only the firewall's IP address and learns nothing about the protected network; this ensures that the IP addresses of the protected network are not known to the outside.
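The address-pool form of network address translation described in point 5, as an added example that is not from the article: dynamic leases from a pool of legal addresses for internal clients, a fixed mapping for an internal web server, and rewriting of both outbound and inbound packets. The 203.0.113.x pool, the 10.0.0.x internal hosts and the packets in demo() are constructed for illustration.

```python
# Added example: the address-pool network address translation described
# above, with a fixed mapping for an internal server. Address ranges and
# the packets below are constructed; this is not the article's code.
from typing import Dict, Iterable, List, Optional, Set, Tuple

Addr = str
Pkt = Tuple[Addr, Addr]   # (source address, destination address)


class Nat:
    def __init__(self, pool: Iterable[Addr], static: Dict[Addr, Addr]):
        self.free: List[Addr] = list(pool)       # legal addresses not yet handed out
        self.static = dict(static)               # internal server -> fixed legal address
        self.dynamic: Dict[Addr, Addr] = {}      # internal host -> leased legal address
        self.reverse: Dict[Addr, Addr] = {v: k for k, v in static.items()}
        self.peers: Set[Tuple[Addr, Addr]] = set()   # (internal host, outside peer) seen outbound

    def outbound(self, pkt: Pkt) -> Pkt:
        """Rewrite the source of a packet leaving the protected network."""
        src, dst = pkt
        if src in self.static:
            return self.static[src], dst
        if src not in self.dynamic:
            if not self.free:
                raise RuntimeError("address pool exhausted")
            leased = self.free.pop(0)
            self.dynamic[src] = leased
            self.reverse[leased] = src
        self.peers.add((src, dst))
        return self.dynamic[src], dst

    def inbound(self, pkt: Pkt) -> Optional[Pkt]:
        """Rewrite the destination of a packet arriving from the Internet.
        Returns None (drop) for unknown addresses and for unsolicited traffic
        to a leased address: only hosts with a fixed mapping act as servers."""
        src, dst = pkt
        inner = self.reverse.get(dst)
        if inner is None:
            return None
        if inner not in self.static and (inner, src) not in self.peers:
            return None
        return src, inner

    def release(self, host: Addr) -> None:
        """Return a host's leased address to the pool, e.g. when its session ends."""
        leased = self.dynamic.pop(host, None)
        if leased is not None:
            del self.reverse[leased]
            self.peers = {p for p in self.peers if p[0] != host}
            self.free.append(leased)


def demo() -> dict:
    """Walk a constructed sequence of packets through a two-address pool."""
    nat = Nat(pool=["203.0.113.10", "203.0.113.11"], static={"10.0.0.80": "203.0.113.80"})
    out = {}
    out["client_a"] = nat.outbound(("10.0.0.5", "198.51.100.7"))
    out["client_b"] = nat.outbound(("10.0.0.6", "198.51.100.7"))
    try:
        nat.outbound(("10.0.0.7", "198.51.100.7"))
        out["client_c"] = "leased"
    except RuntimeError:
        out["client_c"] = "pool exhausted"          # third client finds no free address
    out["reply_to_a"] = nat.inbound(("198.51.100.7", "203.0.113.10"))
    out["unsolicited_to_a"] = nat.inbound(("192.0.2.9", "203.0.113.10"))
    out["to_web_server"] = nat.inbound(("192.0.2.9", "203.0.113.80"))
    out["from_web_server"] = nat.outbound(("10.0.0.80", "192.0.2.9"))
    nat.release("10.0.0.5")
    out["client_c_after_release"] = nat.outbound(("10.0.0.7", "198.51.100.7"))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

The example makes the two security properties of the text concrete: the outside never sees a 10.0.0.x address, and an outsider cannot initiate a connection to a client behind a leased address, only to the server with a fixed mapping. It also shows the limit of one-to-one pools, which run out as soon as there are more simultaneous clients than legal addresses; the later port-translating form of NAT (NAPT, or masquerading) removes that limit by letting many hosts share one address.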