Since 1995, after China's Internet commercialization, the Internet industry has achieved great development. Governments and businesses have internet access, e-government and e-commerce such as fire, Internet and internal network security issues. The network security market has been highly mature in 2002, and the competition is increasingly competitive. In 2001, encryption, firewall and antivirus were three pillars in my country's network security market. In 2002, China's network security market entered a high-speed growth period, firewall, intrusion detection, anti-virus, and encrypted four major products became the mainstream of the market. From the current market demand, it is expected that physical isolation network locks, anti-attack gateways, firewalls, antivirus gateways, identity authentication, encryption, intrusion detection and central network management will become eight trends in the 2003 security market. I. Physical isolation solution: Physical isolation network brake physiological isolation is very different from logical isolation. Philosophical philosophy is unsafe, it is absolutely guaranteed. Logical Isolation Philosophy: Do as safe as possible in the case of ensuring normal use. Both are completely different products. The physical isolation of the idea is from two fully connected computers. The user copies the data from one computer from a computer, sometimes called "data ferry". Since the two computers are not directly connected, there will be no network-based attack threats. Second, logical isolation solutions: The firewall has a lot of ways to realize logical isolation, but mainly firewalls. The firewall has different types in the architecture: there are dual network ports, multi-network ports, DMZ and SSN. Different types have obvious working mechanism on the 7-layer model of OSI. The main evaluation system of the firewall includes: performance, security and functionality. In fact, these three are contradictory and mutual constraints. Technologies, more features, good security, often have affected; functions also affect system security. Third, the defense from the network attack solution: anti-attack gateway network attack, especially the defective service attack (DOS), using the TCP / IP protocol defects, some DOS attacks are consuming bandwidth, some are the CPU and memory of network devices. Among them, representative attack means include SYN FLOOD, ICMP FLOOD, UDP FLOOD, etc. The principle is to use a large number of forged connection request packets to attack the port of the network service, such as 80, resulting in the server's resource, system stop responding Even crashes. The connection is exhausted, then uses a real IP address to initiate a large number of real connections to the network service to seize the bandwidth, or cause the resources of the web server to exhaust, resulting in service abort. Other DOS technology that uses network protocol defects include LAND, Winnuke, Ping of Death, Teardrop, etc. Anti-attack gateway can identify the packets of normal services, distinguish between attack packages. At present, DDOS has a concurrent attack of more than 100,000, so the defense capabilities of the anti-attack gateway must reach more than 100,000. Fourth, prevent viral solutions from the network: Anti-virus gateway traditional virus detection and killivirus are completed at the client. But this approach has a fatal disadvantage if a computer discovers the virus, indicating that the virus has been infected with almost all computers inside the unit. If the virus is new, the old killivirus software generally does not detect and clear. Anti-virus gateway should be placed at a computer network and the Internet of the Internet. If a new virus occurs, you only need to update the anti-virus gateway without updating each end software. V. Identity Solution: The identification of the network, authorization and management (AAA) system 80% of the attack occurs instead of external. The management and access control of the internal network is much more complicated relative to external isolation. The isolation of the external network is basically prohibited and released, which is a crude particle access control.
