A Brief Talk on Firewalls and Firewall Penetration

Reposted by xiaoxiao, 2021-04-05

Author: mrcool

(1) Introduction to firewalls

A firewall is a facility that isolates an internal network from an external network or the Internet in order to protect the internal network or its hosts. The simplest firewall may be nothing more than an ACL (Access Control List) on a router or layer-3 switch, protecting a single host or a whole subnet; more complex deployments use purchased dedicated hardware firewalls or software firewalls.

What a firewall does:
1. Filters out unsafe services and illegitimate users.
2. Controls access to particular sites.
3. Provides a convenient point for monitoring Internet security and raising alarms.

A firewall is not a cure-all, however, and there are many situations in which it is powerless:
1. A firewall cannot stop attacks that do not pass through it. For example, if the firewall does not restrict connections from the internal network to the outside, some internal users may connect directly to the Internet, bypassing the firewall and creating a potential back door. A malicious outsider can then connect directly to that internal user's machine and use it as a springboard for an unrestricted attack that bypasses the firewall entirely.
2. A firewall is not an airtight wall: it does not stop viruses from spreading between networks inside the data it passes.
3. A firewall is weak against data-driven attacks.

So we cannot rely on firewalls alone. Network security is a whole, not one particularly well-configured component; it follows the "wooden barrel principle": the shortest stave sets the water level.

Features generally found in firewalls:
1. Broad service support: by combining dynamic, application-layer filtering with authentication, they support WWW browsers, HTTP servers, FTP and so on.
2. Encryption of private data: ensures that virtual private networks and business activity carried over the Internet are not compromised.
3. Client authentication: only specified users may reach the internal network or selected services, for example when connecting an enterprise LAN with its branches, business partners and mobile users.
4. Anti-spoofing: spoofing, making a packet appear to come from inside the network, is a common way of obtaining network access from outside. The firewall can detect such packets and discard them.
5. Client/server mode and cross-platform support: a management module running on one platform controls monitoring modules running on another.

Let us look at how the traditional firewall types work, with their advantages and disadvantages.

1. Packet-filtering firewalls (traditional)

Packet filtering is implemented at the IP layer, so a router can do it. Each packet is checked against its source IP address, destination IP address, source port, destination port, direction of transfer and so on to decide whether it may pass, and user-defined items such as particular IP addresses can be filtered as well. Because the check is done at the network layer and has nothing to do with the application layer, packet filtering is very widely used: the CPU time it consumes is negligible, it is transparent to the user (a legitimate user never notices it), it is convenient, it has good throughput and it scales easily. But this kind of firewall is not really safe, because the system knows nothing about the application layer: it does not understand the content of the communication and cannot filter at the level of users, since it cannot tell different users apart and cannot tell a forged IP address from a real one. If an attacker sets his host's IP address to that of a legitimate host, he passes the packet filter easily, which makes the hacker's job easier.
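The two weaknesses just described, source-address spoofing and blindness to packet contents, are easy to see in code. The following is an added example written for this article, not code from the original text or from any firewall product: a minimal first-match ACL of the kind a screening router evaluates. The addresses, the rules, the trusted "partner" address and the sample request are all constructed for the example; the request is shaped like the IIS Unicode directory-traversal requests of the period, with an encoded "../" that the web server would decode but the packet filter never reads.

```python
# Added example, not code from the article: a minimal stateless packet filter in
# the style of a router ACL, used to show what such a filter can and cannot see.
# All addresses, rules and the sample request are constructed for this example.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str = "in"   # "in": external -> internal, "out": internal -> external
    payload: bytes = b""


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    direction: str          # "in", "out" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # Only header fields are consulted; the payload never enters the decision.
        if self.direction not in ("any", p.direction):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


class PacketFilter:
    """First-match ACL with an implicit final deny, as on a screening router."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


INTERNAL = "10.0.0.0/8"          # assumed internal address block
PARTNER_ADMIN = "203.0.113.5"    # assumed address trusted for Telnet administration
FILTER = PacketFilter([
    Rule("permit", "in", dst="10.0.0.80/32", dport=80),                     # public web server
    Rule("permit", "in", src=f"{PARTNER_ADMIN}/32", dst="10.0.0.5/32", dport=23),
    Rule("permit", "out", src=INTERNAL),                                     # anything outbound
])

# Constructed request in the shape of the IIS Unicode traversal attacks: an encoded
# "../" that the web server decodes but the packet filter never looks at.
UNICODE_REQUEST = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
TRAVERSAL = re.compile(rb"\.\.(/|%2f|%c0%af|%c1%9c)", re.IGNORECASE)


def telnet_from_attacker() -> str:
    """An outsider using his own address: the ACL rejects it."""
    return FILTER.decide(Packet("198.51.100.7", "10.0.0.5", 40000, 23))


def telnet_with_spoofed_source() -> str:
    """Same attacker, source address forged to the partner's: the ACL cannot tell."""
    return FILTER.decide(Packet(PARTNER_ADMIN, "10.0.0.5", 40000, 23))


def unicode_attack_on_web_server() -> str:
    """Port 80 to the web server is permitted, whatever the payload carries."""
    return FILTER.decide(Packet("198.51.100.7", "10.0.0.80", 40001, 80,
                                payload=UNICODE_REQUEST))


def looks_like_traversal(payload: bytes) -> bool:
    """The check an application-layer gateway can make and a packet filter cannot."""
    return TRAVERSAL.search(payload) is not None


if __name__ == "__main__":
    print("telnet from attacker:      ", telnet_from_attacker())
    print("telnet with spoofed source:", telnet_with_spoofed_source())
    print("unicode request to :80:    ", unicode_attack_on_web_server(),
          "(traversal in payload:", looks_like_traversal(UNICODE_REQUEST), ")")
```

The spoofed Telnet packet is permitted because the only identity the filter has is the source address, and the traversal request is permitted because the filter's decision function never reads the payload; the last function is the kind of content check that only a gateway working at the application layer can apply.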

Given this working mechanism, packet-filtering firewalls have the following defects:
1. Communication information: the packet filter sees only part of the packet's header information.
2. Communication and application state: the packet filter is stateless, so it cannot keep any state about the communication or the application.
3. Information processing: its ability to process information is limited. Take the Unicode attack against Microsoft IIS vulnerabilities: the attack arrives on port 80, which the firewall allows, and because the packet filter cannot verify the packet contents the firewall is as good as a dummy. An unpatched web server, even behind the firewall's barrier, is easily taken over by the attacker with superuser privileges.

The shortcomings of packet filtering can be addressed at the application layer, so let us look at the application gateway.

2. Application gateways

1. Application gateway proxies. An application gateway provides authorization checks and proxy services at the application layer. When an external host tries to reach the protected network it must first authenticate to the firewall; after authentication the firewall runs a program written specifically for that service and connects the external host to the internal one. During this process the firewall can restrict the hosts involved, the access times and the users. Likewise, when internal users access the external network they must log in to the firewall and are only let through after verification. The advantage of an application gateway proxy is that it hides internal IP addresses and authenticates individual users, so an attacker who holds a legitimate IP address still fails the strict identity check. An application gateway is therefore more secure than packet filtering. But the authentication makes the gateway non-transparent: users must authenticate every time, which is inconvenient, and a dedicated program has to be written for each application.

2. Circuit-level proxy servers. A circuit-level proxy is a general-purpose proxy that works for many protocols, but it cannot interpret the application protocol and has to obtain the information it needs by other means, so it usually requires modified client programs. A SOCKS server is a circuit-level proxy; SOCKS is an international standard at the network application layer. When a client on the protected network needs to talk to the external network, the firewall checks the client's user ID, source IP address and destination IP address; once confirmed, the SOCKS server connects to the external server. For the user the exchange between the protected network and the outside is transparent and the firewall is not felt, because network users do not need to log in to it. However, the client application must support the "socksified" API, and the IP address with which protected users reach the public network is the firewall's own.

3. Proxy servers. This technique places unsafe services such as FTP and Telnet on the firewall itself, so that it acts as the server answering external requests. Compared with application-layer proxies, no program has to be written per service. Users who want to reach the external network must still log in to the firewall and issue their requests from there, so only the firewall is visible from outside; internal addresses are hidden and security improves.

4. IP tunnels. If two subsidiaries of a large company are far apart and communicate over the Internet, IP tunnels can be used to prevent hackers from intercepting the information in transit, forming a virtual enterprise network on top of the Internet.

5. NAT (Network Address Translation). When a protected network connects to the Internet, its users must use legitimate IP addresses. But legitimate addresses are scarce, and protected networks usually have their own internal address plan (unofficial addresses). The address translator holds a set of legitimate IP addresses on the firewall; when an internal user accesses the Internet, the firewall dynamically assigns an unused address from the set, and the user communicates using that legitimate address. For some internal servers, such as web servers, the translator can instead assign a fixed legitimate address, so that users on the external network can reach the internal server through the firewall. This technique eases the conflict between the shortage of IP addresses and the large number of hosts, and hides the addresses of internal hosts, improving security.

6. Split DNS. The protected network's domain name server is kept separate from the external network's, so that the external DNS sees only the firewall's IP address and nothing of the protected network's layout; the protected network's addresses therefore remain unknown outside.

7. Mail forwarding. When the firewall uses the techniques above, the external network knows only that mail from outside must be sent to the firewall. The firewall inspects the mail, and only if the sending host is permitted does it translate the destination address and pass the message on to the internal mail server for delivery.

An application gateway inspects every application-layer packet and feeds the inspected content into its decisions, so security improves.
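The NAT technique in item 5 above, as an added example written for this article rather than code from the original text or from any firewall product. It models address-level translation exactly as the text describes it: a pool of legitimate addresses handed out dynamically to internal clients, a fixed mapping for an internal web server, and an inbound path that drops anything without a mapping so internal addresses are never exposed. All addresses are constructed; there is no port translation here, unlike the port-overloading NAT most routers perform today.

```python
# Added example, not code from the article: address-level NAT as the text describes
# it, with a pool of legitimate addresses given out dynamically to internal clients
# and a fixed mapping for an internal web server. Addresses are constructed; there is
# no port translation, unlike the NAPT common on routers today.
from typing import Dict, List, Optional, Tuple

Addr = str


class Nat:
    def __init__(self, pool: List[Addr], static: Optional[Dict[Addr, Addr]] = None):
        self.free: List[Addr] = list(pool)                  # legitimate addresses not yet assigned
        self.dynamic: Dict[Addr, Addr] = {}                 # internal client -> assigned public address
        self.static: Dict[Addr, Addr] = dict(static or {})  # internal server -> fixed public address
        self.reverse: Dict[Addr, Addr] = {pub: priv for priv, pub in self.static.items()}

    def outbound(self, src: Addr, dst: Addr) -> Tuple[Addr, Addr]:
        """Internal -> Internet: rewrite the source to a legitimate address."""
        pub = self.static.get(src) or self.dynamic.get(src)
        if pub is None:
            if not self.free:
                raise RuntimeError("address pool exhausted")
            pub = self.free.pop(0)
            self.dynamic[src] = pub
            self.reverse[pub] = src
        return pub, dst

    def inbound(self, src: Addr, dst: Addr) -> Optional[Tuple[Addr, Addr]]:
        """Internet -> internal: only addresses with a mapping are reachable;
        anything else is dropped, so internal addresses are never exposed."""
        priv = self.reverse.get(dst)
        if priv is None:
            return None
        return src, priv

    def release(self, src: Addr) -> None:
        """Return a client's dynamic address to the pool when its session ends."""
        pub = self.dynamic.pop(src, None)
        if pub is not None:
            del self.reverse[pub]
            self.free.append(pub)


def demo() -> dict:
    """Walk through the cases in the text; returns each result for inspection."""
    nat = Nat(pool=["198.51.100.10", "198.51.100.11"],
              static={"10.0.0.80": "198.51.100.80"})           # internal web server, fixed address
    out = {}
    out["client_a"] = nat.outbound("10.0.0.5", "93.184.216.34")       # gets the first free address
    out["client_b"] = nat.outbound("10.0.0.6", "93.184.216.34")       # gets the second
    out["reply_a"] = nat.inbound("93.184.216.34", "198.51.100.10")    # reply finds 10.0.0.5
    out["web_visitor"] = nat.inbound("203.0.113.9", "198.51.100.80")  # fixed mapping to 10.0.0.80
    out["unmapped"] = nat.inbound("203.0.113.9", "198.51.100.99")     # no mapping: dropped
    try:
        nat.outbound("10.0.0.7", "93.184.216.34")                     # pool is now empty
        out["third_client"] = "assigned"
    except RuntimeError as err:
        out["third_client"] = str(err)
    nat.release("10.0.0.5")
    out["after_release"] = nat.outbound("10.0.0.7", "93.184.216.34")  # reuses 198.51.100.10
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The exhausted-pool case is the practical limit of this one-address-per-client scheme and the reason later NAT implementations multiplex many internal hosts onto one public address by rewriting ports as well.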
However, application gateways break the client/server model: each client/server conversation needs two connections, one from the client to the firewall and one from the firewall to the server. Each proxy also needs its own application process or background service, so whenever a new application appears, a service program must be added for it or the service cannot be used at all; scalability is poor. Application gateway firewalls therefore have these defects:
1. Connection limits: each service needs its own proxy, which limits the number of services that can be offered and the ability to scale.
2. Technical limits: an application gateway cannot proxy UDP, RPC and other services that use ordinary protocols.
3. Performance: an application gateway sacrifices some system performance.

Firewall architectures and combinations

1. Screening router. This is the most basic firewall component. It can be a vendor's dedicated router or a host. The screening router is the only path between inside and outside, so all traffic must be checked there. Packet-filtering software working at the IP layer can be installed on the router; many routers ship with packet-filtering options, though usually simple ones. The danger zone of a firewall consisting of a screening router includes the router itself and every host it allows access to. Its drawbacks are that once it has been breached this is hard to discover, and that it cannot distinguish different users.

2. Dual-homed gateway. Any system with more than one interface card is called multi-homed; a dual-homed gateway is a firewall built from a host with two NICs, one connected to the protected network and one to the external network. The firewall software runs on this host and can forward applications, provide services and so on.

A dual-homed gateway is preferable to a screening router: the bastion host's system software can keep system logs, hardware-copied logs or remote logs, which is useful for later inspection. But this still does not help the administrator determine which hosts may already have been compromised. The fatal weak point of the dual-homed gateway is that once an intruder breaks into the bastion host and turns it into a plain router, any user on the network can reach the intranet.

3. Screened host gateway. The screened host architecture is also secure and easy to implement, so it is widely used. For example, a packet-filtering router connects to the external network and a bastion host sits on the internal network; filtering rules on the router make the bastion host the only host reachable directly from outside, which protects the internal network from unauthorized external users. If the protected network is a virtual extended LAN, with no subnets or routers, changes inside the network do not affect the configuration of the bastion host or the screening router. The danger zone is limited to the bastion host and the screening router. The gateway's basic control policy is determined by the software installed on it, and if an attacker manages to log in to it the rest of the internal network is in great danger, much as when a dual-homed gateway is attacked.

4. Screened subnet. This approach sets up an isolated subnet between the internal and external networks, separated from each of them by a packet-filtering router. In many implementations the two routers sit at the two ends of the subnet, forming a "demilitarized zone" (DMZ). Some screened subnets also have a bastion host as the sole access point, supporting interactive terminal sessions or acting as an application gateway proxy. The danger zone here comprises only the bastion host, the hosts on the subnet and the routers connecting the intranet, the external network and the screened subnet. An attacker who wants to destroy the firewall completely has to reconfigure the router connecting the three networks, without locking up the connection, without locking himself out and without being noticed, which is still possible. But if access to that router is prohibited from the network, or allowed only from a few internal hosts, the attack becomes hard: the attacker must break into the bastion host, then into an internal host, then come back to break the screening router, without triggering an alarm anywhere along the way.

When building a firewall, a single technique is rarely used on its own; several are usually combined to solve different problems. The combination depends mainly on what services the network management centre wants to offer its users and what level of risk it can accept; the choice of techniques depends on funding, investment scale, the skill of the technicians, time and other factors. The usual forms are:
1. A multi-homed host.
2. Internal and external routers combined.
3. A bastion host with an external router.
4. A bastion host with an internal router.
5. Multiple internal routers.
6. Multiple external routers.
7. Multiple perimeter networks.
8. A dual-homed host with a screened subnet.

As awareness of network security improves, firewalls are used ever more widely: those with money buy a high-end hardware firewall, those without use a free software firewall. So what advantages does a hardware firewall have over a software one?

A hardware firewall uses dedicated hardware with the vendor's own firewall software integrated. Functionally it builds the security software into a proprietary or hardened operating system, is easy to manage and to replace, and matches the hardware to the software. It is efficient, resolving the conflict between firewall function and performance, and can reach wire speed. A software firewall is based on a general-purpose operating system and is installed and configured directly on a computer.

Because customer platforms vary, a software firewall has to support many operating systems such as UNIX, Linux, SCO-UNIX and Windows; its code base is huge, installation and after-sales support are costly, and its efficiency is low.
1. Performance. Performance is critical for a firewall: it decides how much traffic can pass through per second, measured in bits per second, from tens of Mbps to several hundred, with gigabit firewalls reaching several Gbps. A software firewall cannot reach such rates.
2. CPU usage. A hardware firewall's load on the host CPU is of course zero. A software firewall is different: if, to save money, it is installed on the host that provides the services, then under heavy traffic its CPU usage becomes the host's killer and drags the host down.
3. After-sales support. Hardware firewall vendors provide ongoing service for their products, while software firewall users get relatively little, and vendors will not spend much effort or development money on software firewalls.

(2) Firewall penetration

The above covered the principles, classification, advantages and disadvantages of firewalls. Now a brief introduction to techniques for penetrating them. A properly configured firewall will keep the vast majority of crackers outside the perimeter and keep the initiative in network control, but firewalls are not almighty, and we have already touched on their weaknesses; no network product can be called absolutely secure. An article by san of Green Alliance (NSFocus) introduces shellcode that penetrates firewalls; interested readers can refer to http://www.winnerinfo.net/infoview.asp?kind=145&id=529. What I want to bring up here again is "channel technology", that is, tunnelling.

Speaking of tunnelling, I must mention "port multiplexing", because many people think tunnelling is port multiplexing. That is wrong. Port multiplexing means multiple connections on one port, not multiple services opened on one port. If you try to add another service on port 80 of a host that already runs a web service, only two things can happen: the new service fails to start, or the web service breaks. So what is a tunnel? The tunnel meant here is a communication method that winds around the firewall's port blocking: on either side of the firewall, packets are encapsulated in a packet type or port that the firewall allows, pass through the firewall and reach the host behind it; at the destination the packet is unwrapped and the restored packet is handed to the corresponding service. Different services thus share one port without interfering with each other. No firewall, whatever its kind, can close all services and all ports and still allow communication (if such a firewall existed, one might as well pull the network cable). Most firewalls open at least one port or service, such as HTTP, and as long as a port and a service are open, there is a possibility of penetration. HTTP is a relatively simple and common Internet protocol: you send a request to the server and the server returns a response, and almost all hosts are allowed to send HTTP requests. Because HTTP is so widespread, tunnelling lets us easily send what we need to the target through a firewall or similar device. A typical example is http-tunnel. Its official site, http://www.http-tunnel.com, says: "HTTP-Tunnel creates a two-way virtual data connection inside HTTP requests.

The HTTP requests can be sent through a proxy, so it can be used by users behind a firewall that restricts ports. If WWW browsing through an HTTP proxy is allowed, http-tunnel can also be set up so that one can telnet or PPP from inside the firewall to the outside." In this way an attacker can use the technique to achieve remote control.

Let us look at http-tunnel's design. Host A is outside the firewall and subject to no restrictions. Host B is inside, protected by a firewall whose access control policy allows only port 80 traffic in and out, but B runs a Telnet service. Suppose you need to telnet from A to B. Ordinary Telnet is impossible, because Telnet uses port 23 and the firewall blocks it: when the firewall receives the Telnet packet it finds that it does not satisfy the "only port 80 passes" rule. But we know port 80 is available, so an httptunnel channel is a good option. The idea:
1. Run the tunnel client on A, listening on any unused local port (preferably between 1024 and 65535), say 8888, and direct the data arriving on 8888 to port 80 of B; since it is port 80, the firewall lets it through.
2. Run the tunnel server on B on port 80 (if only port 80 is open, first get a WebShell, find a way to escalate privileges, then run the server), and have it forward what arrives on port 80 to the Telnet service on port 23.

Now telnet to local port 8888 on A: according to the setup, the packets are forwarded to B with destination port 80; the firewall allows port 80, so the packets pass through smoothly and reach B. The process listening on port 80 of B receives A's packets, unwraps them and hands them to the Telnet process. When B needs to reply to A, the data goes back out through port 80 and again passes the firewall.

The same thing appears doable with plain port mapping: redirect port 23 on A to port 80, and redirect port 80 on B to port 23. But what if B already runs a web service? Port mapping would then sacrifice the host's port 80, which is not worth it. Imagine that, while attacking a host through its firewall, you knock over the web service somebody else already runs on it; how long can you expect to stay on that host? With http-tunnel this works perfectly: even if B already serves WWW on port 80, we still telnet to its port 80 and enjoy a "genuine" Telnet service.

The defence against tunnelling is application-layer packet inspection: in normal HTTP traffic, GET and POST requests arrive at a certain pace, so a connection that keeps issuing GETs and POSTs without pause must have a problem, and that connection can be terminated. Some companies' IDS products can now find tunnels hidden on port 80, but their cost is not small for small and medium-sized businesses. There are other ways to penetrate firewalls, such as finding design flaws in the firewall itself, but those are too difficult and probably not something we should consider.
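The A/B exchange described above and the rate-based check proposed as its countermeasure, as one added example written for this article; it is not code from the original text or from http-tunnel itself. The A side (tunnel client on port 8888) and the B side (tunnel server on port 80 in front of Telnet on 23) are modelled as in-process objects so it runs without a network; the hostname, the /upload path, the X-Session header, the Telnet stand-in and the web-server log are all constructed for the example.

```python
# Added example, not code from the article or from http-tunnel: the tunnel idea in
# miniature (A side and B side as in-process objects), then the rate-based check the
# text proposes as a countermeasure. Hostname, path, header, Telnet stub and log are
# constructed for this example.
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple


def _parse(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an HTTP message into start line, lower-cased headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body[: int(headers["content-length"])]


def wrap_request(session: str, chunk: bytes, host: str = "b.example.net") -> bytes:
    """A side: hide a chunk of the Telnet byte stream in an ordinary POST to port 80."""
    return (f"POST /upload HTTP/1.1\r\nHost: {host}\r\nX-Session: {session}\r\n"
            f"Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(chunk)}\r\n\r\n").encode("ascii") + chunk


def unwrap_request(raw: bytes) -> Tuple[str, bytes]:
    """B side: restore the chunk; the firewall only ever saw a port-80 POST."""
    _, headers, body = _parse(raw)
    return headers["x-session"], body


def wrap_response(chunk: bytes) -> bytes:
    return (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            f"Content-Length: {len(chunk)}\r\n\r\n").encode("ascii") + chunk


def unwrap_response(raw: bytes) -> bytes:
    return _parse(raw)[2]


class TunnelServer:
    """Listens on B:80; hands each restored chunk to the local Telnet service."""
    def __init__(self, telnet: Callable[[str, bytes], bytes]):
        self.telnet = telnet

    def handle(self, raw_request: bytes) -> bytes:
        session, chunk = unwrap_request(raw_request)
        return wrap_response(self.telnet(session, chunk))


class TunnelClient:
    """Listens on A:8888; whatever the local telnet client writes goes out as HTTP."""
    def __init__(self, server: TunnelServer, session: str = "s1"):
        self.server, self.session = server, session

    def send(self, chunk: bytes) -> bytes:
        return unwrap_response(self.server.handle(wrap_request(self.session, chunk)))


def fake_telnet(session: str, data: bytes) -> bytes:
    """Stand-in for the Telnet daemon on B:23 (constructed)."""
    return b"login: " if data == b"" else b"echo " + data


def tunnel_roundtrip() -> List[bytes]:
    """Three Telnet exchanges, each carried through a port-80 request/response pair."""
    client = TunnelClient(TunnelServer(fake_telnet))
    return [client.send(b""), client.send(b"root\r\n"), client.send(b"dir\r\n")]


# Countermeasure: a tunnel turns one interactive session into a stream of POSTs.
# Constructed log as (seconds, client, method, path): a browsing user makes a handful
# of requests a minute, the tunnel client one every quarter second.
LOG: List[Tuple[float, str, str, str]] = (
    [(7.5 * i, "10.0.0.3", "GET", f"/page{i}.html") for i in range(8)]
    + [(0.25 * i, "10.0.0.7", "POST", "/upload") for i in range(40)]
)


def suspicious_clients(log, window: float = 10.0, threshold: int = 30) -> Set[str]:
    """Flag any client issuing `threshold` or more requests within `window` seconds."""
    times: Dict[str, List[float]] = defaultdict(list)
    for ts, client, _method, _path in log:
        times[client].append(ts)
    flagged = set()
    for client, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    for reply in tunnel_roundtrip():
        print("telnet via :80 ->", reply)
    print("tunnelling clients:", suspicious_clients(LOG))
```

Every byte of the Telnet session crosses the firewall as a well-formed POST and a 200 response on port 80, which is exactly why a packet filter passes it; what gives the tunnel away is the request rate, and the sliding-window count over the log flags only the tunnelling client while the ordinary browsing client stays below the threshold.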

Please credit the original address when reprinting: https://www.9cbs.com/read-132097.html
