Firewall technology topic
Creation time: 2003-06-04
Article attribute: original
Article submission: liwrml (liwrml_at_vertarmy.org)
Author: liwrml
The rapid growth of the Internet has brought an unprecedented leap in how people work and live: it has greatly improved work efficiency, enriched daily life and filled a spiritual gap. At the same time it has brought a growing and serious problem: network security. Network security has become one of the hottest topics of the day, and many companies deploy firewalls to protect their servers and data. As the technology has matured, firewalls have gradually been accepted by the public, but because a firewall is a high-tech product, many people do not understand it thoroughly. This article explains how firewalls work, gives a basic classification of firewalls, and discusses the advantages and disadvantages of each type.
I. Basic classification of firewalls
1. Packet filtering firewall
The first generation of firewalls, and the most basic form, examines each network packet that passes through it and either discards or forwards it according to an established set of rules. This is called a packet filtering firewall.
Essentially, a packet filtering firewall is multi-homed, meaning it has two or more network adapters or interfaces. For example, a device acting as a firewall may have two network interface cards (NICs), one connected to the internal network and one connected to the Internet. The firewall's job is to act as a "traffic policeman", directing packets and intercepting the dangerous ones.
A packet filtering firewall examines each incoming packet and looks at the basic information available in it (source address, destination address, port number, protocol, and so on). This information is then compared with the configured rules. If a rule blocking Telnet connections has been set and the packet's destination port is 23, the packet is discarded. If a rule allows web connections to pass and the destination port is 80, the packet is forwarded.
Combinations of more complex rules are also possible. If web connections are allowed only to a few specific servers, both the destination port and the destination address must match the rule before the packet is passed.
Finally, you must decide what happens when a packet arrives that no rule covers. For security reasons, a packet that matches no rule is normally discarded; if there is a reason to let such a packet through, you write a rule to handle it.
Examples of the rules a packet filtering firewall might be built from are as follows:
- For packets arriving from the private network, forward only those whose source address is internal, since any other packet carries incorrect header information. This rule prevents anyone on the internal network from attacking by spoofing the source address. Moreover, if a hacker has gained access to the inside of the private network, this kind of filtering prevents him from launching spoofed attacks against the Internet from there.
- From the public network, forward only packets whose destination port is 80. This rule permits only incoming web connections. However, it also lets through any other connection that happens to use the same port, so it is not very safe.
- Discard packets arriving from the public network that carry a source address belonging to your own network, thereby reducing IP spoofing attacks.
- Discard packets that contain source routing information, to reduce source routing attacks. Remember that in a source routing attack the incoming packet carries routing information that overrides the normal route the packet would take through the network, which may bypass existing security measures. By rejecting packets that carry source routing information, the firewall reduces this kind of attack.
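The following is an added example, not code from the original article, that implements the four sample rules above (plus the Telnet block and port-80 allow mentioned earlier) as an ordered, stateless rule table with a default-deny policy. The topology is an assumption: the private network is 192.168.1.0/24 with one web server at 192.168.1.10, and the packets at the bottom are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Constructed topology (an assumption for this example, not from the article):
# the private network behind the firewall is 192.168.1.0/24 and a single
# web server on it is allowed to receive connections from the Internet.
INTERNAL_NET = ip_network("192.168.1.0/24")
WEB_SERVER = ip_address("192.168.1.10")


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter can look at."""
    iface: str                   # interface the packet arrived on: "internal" or "external"
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp"
    dport: int = 0
    source_routed: bool = False  # carries an IP source-route option


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


# Ordered rule set: (description, predicate, action). First match wins.
RULES: List[Tuple[str, Callable[[Packet], bool], str]] = [
    ("drop source-routed packets",
     lambda p: p.source_routed, "drop"),
    ("drop packets from outside that claim an internal source address",
     lambda p: p.iface == "external" and is_internal(p.src), "drop"),
    ("drop packets from inside that do not carry an internal source address",
     lambda p: p.iface == "internal" and not is_internal(p.src), "drop"),
    ("block inbound telnet (port 23)",
     lambda p: p.iface == "external" and p.proto == "tcp" and p.dport == 23, "drop"),
    ("allow inbound web connections, but only to the web server",
     lambda p: p.iface == "external" and p.proto == "tcp" and p.dport == 80
     and ip_address(p.dst) == WEB_SERVER, "accept"),
    ("allow everything that originates on the internal side",
     lambda p: p.iface == "internal", "accept"),
]


def filter_packet(p: Packet) -> Tuple[str, str]:
    """Apply the rules in order; a packet that matches none is dropped (default deny)."""
    for description, matches, action in RULES:
        if matches(p):
            return action, description
    return "drop", "default policy: no rule matched"


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("external", "203.0.113.5", "192.168.1.10", "tcp", 80),
        Packet("external", "203.0.113.5", "192.168.1.10", "tcp", 23),
        Packet("external", "192.168.1.7", "192.168.1.10", "tcp", 80),   # spoofed source
        Packet("external", "203.0.113.5", "192.168.1.11", "tcp", 80),   # not the web server
        Packet("internal", "192.168.1.20", "198.51.100.1", "tcp", 443),
        Packet("internal", "10.0.0.5", "198.51.100.1", "tcp", 443),     # bad internal source
    ]
    for pkt in samples:
        print(pkt.iface, pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(pkt))
```

Note that rule order matters: the anti-spoofing rules sit above the port-80 allow rule, so a packet from the outside that forges an internal source address is dropped even though it is addressed to the web server on port 80.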
2. Stateful / dynamic inspection firewall
A stateful (dynamic inspection) firewall tries to track the network connections and packets passing through it, so that it can apply an additional set of criteria when deciding whether communication is allowed or rejected. It adds these techniques on top of the checks of the basic packet filtering firewall. When a packet filtering firewall meets a network packet, the packet is examined in isolation: the firewall knows nothing of its past or future. Whether the packet is allowed or rejected depends entirely on the information it contains, such as source address, destination address and port number. Because there is no information describing the packet's place in the stream of traffic, the packet is considered stateless; it simply exists.
A stateful packet inspection firewall tracks more than the information contained in the packet. In order to track a packet's state, the firewall also records useful information that helps identify packets, such as existing network connections and outstanding data transfer requests.
For example, if an incoming packet contains a video data stream, the firewall may have recorded that an application on a particular internal IP address recently requested video data from the packet's source address. If the incoming packet is addressed to that same system, the firewall matches it and the packet can be allowed through.
A stateful/dynamic inspection firewall can block all incoming communication while allowing all outgoing communication. Because the firewall tracks outgoing requests from the inside, all the data that was requested is let in until the connection is closed. Only unrequested incoming communication is blocked.
If you run a server behind the firewall, the configuration becomes slightly more complex, but stateful packet inspection is a powerful and adaptable technology. For example, a firewall can be configured to allow communication only on a particular port and only to a specific server. If you run a web server, the firewall simply passes traffic for port 80 to the designated web server.
Other additional services a stateful/dynamic inspection firewall can offer:
- Redirecting certain types of connection to an authentication service. For example, a connection to a private web server may first be sent to a security server, such as a SecurID server (used for one-time passwords), before the connection to the web server is allowed.
- Rejecting network traffic that carries certain kinds of data, such as incoming e-mail with executable attachments or web pages containing ActiveX controls.
How a firewall tracks a connection depends on the type of packet passing through it:
- TCP packets. When a TCP connection is established, the first packet is marked with the SYN flag. Normally the firewall discards all external connection attempts unless a specific rule has been set up to handle them. For connection attempts from internal hosts to external hosts, the firewall notes the packet and then allows the responses and subsequent packets between the two systems until the connection ends. In this way, an incoming packet is allowed only when it is a response to an established connection.
- UDP packets. UDP packets are simpler than TCP packets because they carry no connection or sequence information; they contain only source address, destination address, checksum and data. This lack of information makes it difficult for the firewall to judge a packet's legitimacy, because there is no open connection against which to test whether the incoming packet should be allowed. However, if the firewall tracks packet state it can still decide. For an incoming packet, if the addresses and protocol it carries match an outgoing request that was sent, the packet is allowed to pass. As with TCP, an unsolicited incoming UDP packet is not allowed unless it is a response to a request or a specific rule has been set up to handle it. The firewall carefully tracks outgoing requests, recording the addresses, protocol and packet type used, and then checks incoming packets to make sure they were requested.
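The following is an added example, not code from the original article, that implements the TCP and UDP tracking just described: an outgoing SYN or UDP request creates an entry in a connection table keyed by the flow's addresses and ports, incoming packets are accepted only when they match an entry (or a static rule for a server behind the firewall, the port-80 case from above), UDP entries expire after an idle timeout, and FIN/RST closes a TCP entry. The addresses, the internal web server at 10.0.0.5 and the traffic trace in run_scenario are all constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                        # "out": internal -> public, "in": public -> internal
    proto: str                            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN"}


# Flow key with the internal side first: (proto, int_addr, int_port, ext_addr, ext_port)
Key = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Connection table plus a few static rules for servers behind the firewall."""

    def __init__(self, udp_timeout: float = 30.0, clock: Callable[[], float] = time.monotonic):
        self.table: Dict[Key, dict] = {}
        self.udp_timeout = udp_timeout
        self.clock = clock
        self.inbound_allow: Set[Tuple[str, str, int]] = set()   # static rules: (proto, dst, dport)

    def allow_inbound(self, proto: str, dst: str, dport: int) -> None:
        self.inbound_allow.add((proto, dst, dport))

    @staticmethod
    def _key(p: Packet) -> Key:
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        now = self.clock()
        key = self._key(p)
        entry = self.table.get(key)
        if entry and p.proto == "udp" and now - entry["last"] > self.udp_timeout:
            del self.table[key]               # idle UDP pseudo-connection has expired
            entry = None
        if p.direction == "out":
            if entry is None:
                if p.proto == "tcp" and "SYN" in p.flags and "ACK" not in p.flags:
                    self.table[key] = {"state": "SYN_SENT", "last": now}     # new outbound connection
                elif p.proto == "udp":
                    self.table[key] = {"state": "UDP_REQUEST", "last": now}  # remember the request
                else:
                    return "drop"             # TCP packet belonging to no known connection
                return "accept"
            entry["last"] = now
            if entry["state"] == "SYN_RECEIVED" and p.flags >= {"SYN", "ACK"}:
                entry["state"] = "ESTABLISHED"   # our server answered an allowed inbound SYN
            if p.flags & {"FIN", "RST"}:
                del self.table[key]
            return "accept"
        if entry is None:                     # inbound packet with no tracked flow
            if (p.proto, p.dst, p.dport) in self.inbound_allow:
                if p.proto == "tcp" and "SYN" in p.flags:
                    self.table[key] = {"state": "SYN_RECEIVED", "last": now}
                return "accept"
            return "drop"                     # unsolicited: neither a reply nor a configured service
        entry["last"] = now
        if entry["state"] == "SYN_SENT" and p.flags >= {"SYN", "ACK"}:
            entry["state"] = "ESTABLISHED"
        if p.flags & {"FIN", "RST"}:
            del self.table[key]
        return "accept"


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed traffic trace; returns (label, decision) for each packet."""
    clock = [0.0]
    fw = StatefulFirewall(udp_timeout=30.0, clock=lambda: clock[0])
    fw.allow_inbound("tcp", "10.0.0.5", 80)      # assumed internal web server
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    trace = [
        ("client SYN out",     Packet("out", "tcp", "10.0.0.7", 40000, "198.51.100.9", 443, syn)),
        ("server SYN/ACK in",  Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.7", 40000, synack)),
        ("server data in",     Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.7", 40000, ack)),
        ("unsolicited SYN in", Packet("in", "tcp", "203.0.113.4", 5555, "10.0.0.7", 22, syn)),
        ("web SYN in (rule)",  Packet("in", "tcp", "203.0.113.4", 5556, "10.0.0.5", 80, syn)),
        ("web SYN/ACK out",    Packet("out", "tcp", "10.0.0.5", 80, "203.0.113.4", 5556, synack)),
        ("DNS query out",      Packet("out", "udp", "10.0.0.7", 53001, "198.51.100.53", 53)),
        ("DNS reply in",       Packet("in", "udp", "198.51.100.53", 53, "10.0.0.7", 53001)),
        ("stray UDP in",       Packet("in", "udp", "198.51.100.53", 53, "10.0.0.7", 53002)),
    ]
    results = [(label, fw.process(pkt)) for label, pkt in trace]
    clock[0] = 60.0                                # 60 s later the DNS entry has timed out
    late = Packet("in", "udp", "198.51.100.53", 53, "10.0.0.7", 53001)
    results.append(("late DNS reply in", fw.process(late)))
    return results
```

The UDP timeout is the practical substitute for the connection-close information that TCP carries: without it, a single outgoing DNS query would leave a hole open forever for anything claiming to come from that server and port.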
3. Application proxy firewall
An application proxy firewall does not actually pass communication directly between the networks it connects. Instead, it accepts a connection from a specific user application on the internal network and then opens a separate connection to the server on the public network. Users on the internal network never communicate with the external server, so the server cannot directly reach any part of the internal network. Furthermore, if no proxy code is installed for a particular application, that service is not supported and no connection can be made. This approach refuses any connection that has not been explicitly configured, thereby providing additional security and control.
For example, a user's web browser would normally connect on port 80, but it can often be configured to connect instead to port 1080 on the internal network's HTTP proxy firewall. The firewall then accepts the connection request and relays it to the requested web server.
The connection and the relaying are transparent to the user because the proxy firewall handles them entirely automatically.
Some common applications often supported by proxy firewalls are:
- HTTP
- HTTPS / SSL
- SMTP
- POP3
- IMAP
- NNTP
- Telnet
- FTP
- IRC
An application proxy firewall can be configured to allow any connection from the internal network, or it can be configured to require user authentication before a connection is established. Requiring authentication restricts connections to known users, providing an additional guarantee of security. If the network has been compromised, this feature reduces the likelihood of attacks being launched from the inside.
4. NAT
Any discussion of firewalls must mention the NAT router, although technically it is not a firewall. Network Address Translation (NAT) converts the multiple IP addresses of an internal network into a single public address for the Internet.
NAT is often used in small office and home networks, where multiple users share a single IP address, and it provides some security for the Internet connection.
When an internal user communicates with a public host, NAT tracks the request and modifies the outgoing packet so that it appears to come from the single public IP address, then opens the connection. Once the connection is established, communication between the internal computer and the web site is transparent.
When an unsolicited packet arrives from the public network, NAT has a set of rules that determine how to handle it. If no rule has been defined beforehand, NAT simply discards all unsolicited incoming connections, just like a packet filtering firewall.
However, just as with a packet filtering firewall, you can configure NAT to accept incoming connections on certain ports and send them to a specific host address.
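The following is an added example, not code from the original article, showing the NAT behaviour described above: outgoing packets are rewritten to the single public address with a fresh port, replies are matched to the tracked request and rewritten back to the internal host, unsolicited incoming packets are discarded, and a static port-forwarding rule lets a chosen port reach a specific internal server. The public address 203.0.113.10 and the internal hosts are constructed values; the translation table is keyed on the external peer as well, so a reply is accepted only from the host the request was sent to.

```python
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # assumed public address of the NAT device (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Port-based NAT: many internal addresses share one public address."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # outgoing flow (proto, int_ip, int_port, ext_ip, ext_port) -> public port
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # reverse lookup (proto, public port, ext_ip, ext_port) -> (int_ip, int_port)
        self.in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # static rules for servers: (proto, public port) -> (int_ip, int_port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def forward_port(self, proto: str, public_port: int, int_ip: str, int_port: int) -> None:
        self.forwards[(proto, public_port)] = (int_ip, int_port)

    def translate_outgoing(self, p: Packet) -> Packet:
        """Rewrite an internal host's packet so it appears to come from the public IP."""
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        if flow not in self.out_map:
            port = next(self._ports)
            self.out_map[flow] = port
            self.in_map[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.public_ip, sport=self.out_map[flow])

    def translate_incoming(self, p: Packet) -> Optional[Packet]:
        """Map a packet from the public side back to an internal host, or None to drop it."""
        if p.dst != self.public_ip:
            return None
        target = self.in_map.get((p.proto, p.dport, p.src, p.sport))  # reply to a tracked request?
        if target is None:
            target = self.forwards.get((p.proto, p.dport))             # or a configured server port?
        if target is None:
            return None   # unsolicited and no rule: discarded, like a packet filter's default policy
        return replace(p, dst=target[0], dport=target[1])
```

A real NAT device also expires table entries and tracks TCP state as the stateful firewall does; this example keeps only the address rewriting so the mapping logic is visible.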
5. Personal firewall
There is now a lot of personal firewall software available on the Internet; these products work at the application level. A personal firewall is software that protects the security of a personal computer. It runs directly on the user's machine and protects that one computer from attack in the same way as a stateful/dynamic inspection firewall. Typically, such a firewall is installed at a low level in the computer's network stack so that it can monitor all traffic entering and leaving the network card.
Once installed, a personal firewall can be put into "learning mode". In this mode, each time it encounters a new kind of network communication it prompts the user once and asks how to handle it. The firewall then remembers the answer and applies it to the same kind of communication in the future.
For example, if the user has installed a personal web server, the personal firewall may flag the first incoming web connection and ask whether the user wants to allow it. The user may allow all web connections, or only connections from certain IP addresses, and so on; the personal firewall then applies that rule to all incoming web connections.
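The following is an added example, not code from the original article, of the learning mode just described: a new connection that matches no remembered rule is put to the user once, and the answer (allow or deny, either for any remote host or only for this one) is stored and applied silently afterwards. The example_policy function stands in for the interactive prompt, and the connections in run_demo (a personal web server on port 80 and SSH trusted only from 192.168.1.5) are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Connection:
    """One new connection seen by the host firewall."""
    direction: str   # "in" or "out"
    proto: str
    port: int        # local port for inbound, remote port for outbound
    remote: str      # IP address of the other end
    program: str     # local program that owns the socket


# The user's answer to a prompt: (verdict, scope); verdict is "allow" or "deny",
# scope is "all" (any remote host) or "remote" (only this remote address).
Answer = Tuple[str, str]


class LearningFirewall:
    def __init__(self, ask_user: Callable[[Connection], Answer]):
        self.ask_user = ask_user
        self.rules: Dict[tuple, str] = {}     # learned rules: key -> verdict
        self.prompts: List[Connection] = []   # every connection the user was asked about

    @staticmethod
    def _keys(c: Connection):
        base = (c.direction, c.proto, c.port, c.program)
        return base + (c.remote,), base + ("*",)   # specific rule first, then wildcard rule

    def check(self, c: Connection) -> str:
        specific, wildcard = self._keys(c)
        for key in (specific, wildcard):
            if key in self.rules:
                return self.rules[key]           # decided before: apply silently
        self.prompts.append(c)                   # learning mode: ask the user once
        verdict, scope = self.ask_user(c)
        self.rules[wildcard if scope == "all" else specific] = verdict
        return verdict


def example_policy(c: Connection) -> Answer:
    """Stand-in for the interactive prompt (constructed answers for the demo)."""
    if c.direction == "in" and c.port == 80 and c.program == "httpd":
        return ("allow", "all")                  # personal web server: anyone may connect
    if c.direction == "in" and c.port == 22 and c.remote == "192.168.1.5":
        return ("allow", "remote")               # SSH only from one trusted address
    return ("deny", "remote")


def run_demo() -> Tuple[List[str], int]:
    """Returns the verdicts for a constructed trace and how many times the user was prompted."""
    fw = LearningFirewall(example_policy)
    trace = [
        Connection("in", "tcp", 80, "203.0.113.4", "httpd"),
        Connection("in", "tcp", 80, "198.51.100.7", "httpd"),   # covered by the wildcard rule
        Connection("in", "tcp", 22, "192.168.1.5", "sshd"),
        Connection("in", "tcp", 22, "203.0.113.4", "sshd"),     # different remote: asked again
        Connection("in", "tcp", 22, "192.168.1.5", "sshd"),     # covered by the specific rule
    ]
    return [fw.check(c) for c in trace], len(fw.prompts)
```

Keying the rules on the owning program as well as the port is what lets a host firewall distinguish the web server's port 80 from another program that opens the same port, something a network packet filter cannot see.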
Basically, you can think of a personal firewall as a virtual network interface on the user's computer. The operating system no longer talks to the NIC directly; instead it hands network traffic to the personal firewall, which inspects it and then passes it on to the NIC.
II. Advantages and disadvantages of each kind of firewall
1. Packet filtering firewall
The advantages of using a packet filtering firewall include:
- The firewall exercises low-level control over every packet entering and leaving the network.
- The fields of each IP packet are checked: source address, destination address, protocol, port and so on. The firewall applies its filtering rules based on this information.
- The firewall can identify and discard packets with spoofed source IP addresses.
- The packet filtering firewall is the only point of access between the two networks. Because all communication must pass through it, it is difficult to bypass.
- Packet filtering is usually built into the router, so no additional equipment is needed.
The disadvantages of using a packet filtering firewall include:
- Difficult configuration. Because packet filtering firewalls are complicated, people often neglect to set up the necessary rules, or misconfigure the existing ones, leaving holes in the firewall. Many newer firewall versions on the market are improving on this shortcoming, for example by implementing configuration and more direct rule definition through a graphical user interface (GUI).
- A port opened for a specific service may be used for other traffic. For example, the web server's default port is 80. If RealPlayer is installed on a computer, it searches for a port that can reach the RealAudio server regardless of whether that port is used by another protocol, and it will simply use port 80. In this case RealPlayer is using the web server's port.
- There may be other ways to bypass the firewall and get into the network, such as dial-in. This is not a shortcoming of the firewall itself, but it is a reason why network security should not rely solely on the firewall.
2. Stateful / dynamic inspection firewall
The advantages of a stateful/dynamic inspection firewall:
- The ability to inspect every field of an IP packet and apply filtering rules based on the information in the packet.
- The ability to identify packets with spoofed IP addresses.
- Like the packet filtering firewall, it is the only point of access between the two networks. Because all communication must pass through it, it is difficult to bypass.
- The ability to validate packets based on application information, for example allowing returning FTP packets to pass on the basis of an established FTP connection.
- The ability to validate a packet's state based on application information, for example allowing a previously authenticated connection to continue communicating with the granted service.
- The ability to record detailed information about every packet that passes through. Essentially, all the information used to determine a packet's state can be logged, including the application, the request the packet belongs to, the duration, and the internal and external systems involved.
Disadvantages of a stateful/dynamic inspection firewall:
The only disadvantage of a stateful/dynamic inspection firewall is that all this recording, testing and analysis may introduce some latency into network connections, especially when many connections are active or a large number of filtering rules must be applied. However, the faster the hardware, the less noticeable this problem becomes, and firewall vendors are committed to improving their products.
3. Application proxy firewall
The advantages of using an application proxy firewall are:
- Control over connections can be specified, for example allowing or denying access based on the server's IP address, or based on the IP address of the user making the request.
- Unnecessary services in the network are reduced by limiting outgoing requests for certain protocols.
- Most proxy firewalls can log all connections, including addresses and duration. This information is useful for tracing attacks and unauthorized access.
The disadvantages of using an application proxy firewall are:
- Users' systems must be customized to some degree, depending on the applications used.
- Some applications may not support proxy connections at all.
4. NAT
The advantages of using NAT are:
- All internal IP addresses are hidden from the outside. As a result, nobody outside the network can launch an attack on a particular computer inside it by specifying its IP address.
- If public IP addresses are in short supply for some reason, NAT lets the whole internal network share one IP address.
- A basic packet filtering security mechanism can be enabled, because every incoming packet that NAT has not been configured to accept is discarded. Computers on the internal network do not communicate with the external network directly.
Disadvantages of NAT:
The disadvantages of NAT are the same as those of a packet filtering firewall. Although it can protect the internal network, it also suffers from similar limitations. Moreover, a Trojan program running on the intranet can pass through NAT freely, just as it can pass through a packet filtering firewall.
Note: many firewalls now developed by vendors, especially stateful/dynamic inspection firewalls, provide NAT functionality in addition to their own.
5. Personal firewall
The advantages of a personal firewall are:
- It adds a layer of protection without requiring additional hardware.
- A personal firewall can resist internal attacks as well as external ones.
- A personal firewall protects a single system on a public network. For example, a home user connecting via modem or ISDN/ADSL may find a hardware firewall too expensive or too much trouble. A personal firewall can hide information about the machine from the network, such as its IP address.
Disadvantages of a personal firewall:
The main disadvantage of a personal firewall is that it has only one physical interface, to the public network. Remember that a true firewall should monitor and control communication between two or more network interfaces. Because of this, the personal firewall itself may be easily threatened, or may have weaknesses that allow network communication to bypass its rules.
We have now introduced several types of firewall and discussed the advantages and disadvantages of each. Remember that a firewall only makes network communication and data transfer more secure; we cannot rely on it entirely. Besides the firewall, we must also harden the security of the system itself and improve our own security awareness. In this way, data, communications and web sites will be more secure.
Finally, some suggestions for system and network administrators:
1. Contact security product vendors promptly to install a firewall.
2. Follow some strong security sites in China, such as Security Focus (www.xfocus.org), to get the latest system vulnerability information.
3. Interested readers can communicate with us via IRC (use an IRC client to log in to the server Irc.sunnet.org:6667 and join the #isbase channel); you will get more information there. You can also contact me directly. My OICQ: 6913341, e-mail: liwrml@vertarmy.org
Special thanks to antionline.org for providing some of the technical information for this article. If you have any questions, please contact me.