Author: Pan Lei
This article discusses the basic principles and basic criteria for choosing a firewall, as well as the special requirements that companies should take into account.
1 Basic principles to consider when choosing a firewall
- First, be clear about your purpose: how do you want the system to operate? In other words, permit only the work that is wanted. For example, if an enterprise needs only an e-mail service, the company sets its firewall to allow only e-mail traffic and to prohibit FTP, WWW and the rest; alternatively, it allows several services through the firewall but sets up corresponding monitoring, measurement, logging and auditing for them.
- Second, decide what level of monitoring and control is to be achieved. Establish a corresponding risk level according to the actual needs of the network's users; this can also take the form of a list of what must be monitored, what is allowed and what is prohibited, and the firewall's functions are then configured according to that list.
- Third is the question of cost. Firewall prices on the market vary enormously, from tens of thousands to hundreds of thousands or even millions of yuan. Because each enterprise needs a different degree of security, manufacturers differentiate their products, and some companies offer modular products so that the security requirements of various enterprises can be met. The higher the security, the more complex the implementation and the higher the cost. This calls for a careful economic assessment of the information and data that the network must protect. The cost of a typical network security protection system is about 1% of the resources it protects. A compromise between cost and security is therefore unavoidable when putting a firewall in place, which is also why an "absolutely secure" firewall does not exist. Nevertheless, the various defensive measures can be configured as scientifically as possible so that the firewall plays its role within the existing economic conditions.
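The first two principles above (permit only the services the business needs, and log what the policy decides so that permitted traffic is still audited) can be made concrete with a small rule evaluator. The following is an added example written for this article, not code from the author; the mail server address, the rule names and the sample traffic are constructed, and the model ignores real packet details such as connection state.

```python
"""Default-deny firewall policy with audited exceptions (constructed example).

Models the "e-mail only" company from the text: an allow-list that passes
only SMTP to the mail server, explicit blocks for FTP and WWW, and a
default deny for everything else. Every decision is written to an audit
log, so allowed traffic is monitored and denied traffic stays visible.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow", "deny", or "monitor" (allow, but flag for review)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0       # 0 matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))


@dataclass
class Policy:
    rules: List[Rule]
    audit_log: List[str] = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        """First matching rule wins; no match means deny (default-deny posture)."""
        for r in self.rules:
            if r.matches(p):
                verdict = "allow" if r.action == "monitor" else r.action
                self.audit_log.append(
                    f"{r.action.upper():7} {r.name}: {p.src}->{p.dst} {p.proto}/{p.dport}")
                return verdict
        self.audit_log.append(f"{'DENY':7} default: {p.src}->{p.dst} {p.proto}/{p.dport}")
        return "deny"


# Constructed policy: the mail server sits on 203.0.113.10 (a documentation address).
MAIL_ONLY = [
    Rule("inbound-smtp", "monitor", dst="203.0.113.10/32", proto="tcp", dport=25),
    Rule("block-ftp", "deny", proto="tcp", dport=21),
    Rule("block-www", "deny", proto="tcp", dport=80),
]


def run_mail_only_policy() -> Tuple[List[str], List[str]]:
    """Evaluate constructed sample traffic; returns (verdicts, audit log)."""
    pol = Policy(MAIL_ONLY)
    traffic = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 25),  # legitimate inbound mail
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80),  # WWW, explicitly blocked
        Packet("198.51.100.7", "203.0.113.10", "tcp", 21),  # FTP, explicitly blocked
        Packet("198.51.100.7", "203.0.113.20", "tcp", 25),  # SMTP to a non-mail host: default deny
        Packet("198.51.100.7", "203.0.113.10", "udp", 53),  # DNS, not in the list: default deny
    ]
    verdicts = [pol.decide(p) for p in traffic]
    return verdicts, pol.audit_log


if __name__ == "__main__":
    decisions, log = run_mail_only_policy()
    for line in log:
        print(line)
```

Note that the only "allow" comes from a "monitor" rule: the traffic the company wants is still logged, which is the monitoring and auditing the text asks for when services are let through.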
2 Basic criteria for choosing a firewall
- In general, any network device capable of restricting packets, or software installed on one of the various operating systems, can be used as a firewall. By looking at the different characteristics of a firewall's design we can assess whether the various firewalls are secure enough and whether they can meet the enterprise's security needs. Specifically, there are several kinds of indicators.
- (1) Difficulty of managing the firewall
- How difficult a firewall is to manage is also one of the main considerations in whether it can achieve its purpose. If managing the firewall is too difficult, it may be misconfigured and so fail to perform its function. The reason ordinary enterprises rarely use plain packet filtering as their firewall is, apart from the fact mentioned earlier that packet filtering does not achieve full control, that it is difficult to configure, requires thorough knowledge and is not easy to maintain; the management problem is the main reason they are unwilling to use it.
- (2) Security of the firewall itself
- When choosing a firewall, most people concentrate on how it controls connections and on its features, but they often overlook that the firewall is itself one of the hosts on the network and may have security problems of its own. If the firewall cannot guarantee its own security, then however strong its control functions are, it will not fully protect the internal network.
- Most firewalls are installed on a general-purpose operating system such as UNIX or NT. Apart from the firewall software itself, all of the programs, the system kernel and most of the procedures come from the operating system. When a flaw occurs in the software running on the firewall, the firewall itself is threatened. At that point any of the firewall's control mechanisms may fail, because once a hacker has gained control of the firewall he can modify almost any access rule on it and go on to intrude into further systems. Therefore the firewall itself must still be reasonably secure.
- (3) NCSC certification standard
- We often see or hear of firewalls with security levels such as B or C. What is this security-level specification? The White Paper is the official standard promulgated by the US National Computer Security Center (NCSC) of the NSA. It grants a computer system an acceptable degree of trust and divides systems, from high to low, into four grades: A, B, C and D. These security levels are not linear but rise exponentially.
- (4) Ability to compensate for the operating system's shortcomings
- A good firewall must be built on top of the operating system rather than depend on it, so that vulnerabilities in the operating system do not affect the security a good firewall system provides. Given how widespread different hardware platforms are, most enterprises spread the servers providing their various services across many operating platforms, so choosing a firewall as the overall security guard makes no sense if it requires every host to be secure. Whether the operating system provides B-level or C-level security does not necessarily affect overall security, because a good firewall must compensate for the operating system's shortcomings.
- (5) Whether it is offered on different platforms
- Since a firewall is not built entirely of hardware, the functionality provided by the software (the operating system) will certainly affect overall performance, and the user's preferences and familiarity must also be considered. A good firewall therefore not only runs efficiently but is also offered on multiple platforms; after all, the user is the one in full control and should be able to choose software that suits the existing environment rather than change the environment to suit the software's limitations.
- (6) Whether it provides users with complete after-sales service
- Whenever a new product appears, someone will study new ways of breaking it, so a good firewall vendor must have a large organization behind it as the users' security backing, and its firewall should have a reputation built up through testing by many users.
- (7) Consider the special needs of the company
- Corporate security policies often contain special requirements that not every firewall can satisfy, and this is often one of the deciding factors in choosing a firewall. The common requirements are as follows:
-- A. IP address translation (IP Address Translation)
- IP address translation has two benefits. One is that it hides the true IP addresses of the internal network, so that a hacker cannot attack internal hosts directly; this is the main reason the author regards it as a security matter. The other is that internally reserved IP addresses can be used, which is useful for companies that do not have enough IP addresses.
-- B. Dual DNS
- When the internal network uses unregistered IP addresses, or the firewall performs IP address translation, DNS must be translated too, because the same host has different IP addresses inside and outside. Some firewalls provide dual DNS; with others, a separate DNS server must be installed on a different host.
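Points A and B belong together: once the firewall rewrites addresses, a name server must give internal and external clients different answers for the same host. The following is an added example, not code from the article or from any firewall product; the internal network, the firewall's public address, the host name and the port range are constructed, and the NAT model keeps only the address and port mapping (no timeouts or protocol handling).

```python
"""Address translation and the split DNS that must accompany it (constructed example).

An internal network on reserved RFC 1918 space (192.168.10.0/24) sits behind
a firewall whose outside address is 203.0.113.1 (a documentation address).
The firewall rewrites outbound source addresses (many-to-one NAT), and a
split-horizon name server gives internal clients the real address of the
mail server while external clients only ever see the firewall's public address.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# The reserved ranges the text refers to as internally usable addresses.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_reserved_internal(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 reserved ranges."""
    a = ip_address(addr)
    return any(a in n for n in PRIVATE_RANGES)


class NatTable:
    """Many-to-one source NAT: (internal ip, port) <-> (public ip, public port)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[str, int], int] = {}
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_out(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite an outbound flow's source; the internal address never leaves the network."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_in(self, public_port: int) -> Tuple[str, int]:
        """Reverse mapping for a reply; a KeyError means unsolicited traffic with no flow to return to."""
        return self.inbound[public_port]


class SplitDns:
    """Two views of one zone: internal clients get real addresses, external clients get public ones."""

    def __init__(self, internal_net: str, internal_view: Dict[str, str], external_view: Dict[str, str]):
        self.internal_net = ip_network(internal_net)
        self.views = {"internal": internal_view, "external": external_view}

    def resolve(self, name: str, client_ip: str) -> str:
        view = "internal" if ip_address(client_ip) in self.internal_net else "external"
        return self.views[view][name]


def demo() -> dict:
    """Run the constructed scenario and return the translated addresses and DNS answers."""
    nat = NatTable("203.0.113.1")
    pub = nat.translate_out("192.168.10.5", 51000)
    pub2 = nat.translate_out("192.168.10.6", 51000)   # same source port, distinct public port
    back = nat.translate_in(pub[1])                    # reply is mapped back to the real host
    dns = SplitDns("192.168.10.0/24",
                   internal_view={"mail.example.com": "192.168.10.25"},
                   external_view={"mail.example.com": "203.0.113.1"})
    external_answer = dns.resolve("mail.example.com", "198.51.100.9")
    return {
        "public": pub,
        "public2": pub2,
        "back": back,
        "internal_answer": dns.resolve("mail.example.com", "192.168.10.40"),
        "external_answer": external_answer,
        "leaks_private": is_reserved_internal(external_answer),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check worth carrying into practice is the last key: an external answer must never be a reserved internal address, otherwise the split DNS has undone the hiding that the address translation was meant to provide.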
-- C. Virtual private network (VPN)
- A VPN encrypts all traffic between networks protected by firewalls, or between such a network and mobile clients, creating a virtual channel so that the two ends feel as if they are on the same network and can communicate securely and without interference. It is very useful between a company and its branches, or between the company and employees abroad, who need direct contact but do not want to spend large sums on a leased line or on long-distance dial-up.
-- D. Virus scanning
- Most firewalls can provide anti-virus protection by working together with an anti-virus product, and some firewalls integrate the anti-virus function directly. The only difference is whether the work is done by the firewall itself or by another dedicated computer.
-- E. Special control requirements
- Sometimes an enterprise has special control requirements, such as restricting specific users from sending e-mail, limiting the number of simultaneous network connections, limiting usage, or blocking Java, ActiveX and the like, depending on its needs.
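The controls listed under E are user- and content-based rather than address-based, so they are usually enforced by a proxy-style component on the firewall. The following added example (written for this article, not taken from it or from any product) shows three of them: refusing SMTP to users who may not send e-mail, capping simultaneous sessions per user, and stripping Java applet and ActiveX object tags from HTML. The user names, the limit and the HTML snippet are constructed; the tag filter handles paired tags only.

```python
"""Per-user and active-content controls of the kind listed under E (constructed example)."""
import re
from collections import Counter
from typing import List, Set

# Java applets arrive as <applet>, ActiveX controls as <object>; both are
# matched as a paired tag with everything between open and close.
ACTIVE_CONTENT = re.compile(r"<(applet|object)\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL)


class AccessControl:
    """Tracks sessions per user and enforces two constructed policies."""

    def __init__(self, no_email_users: Set[str], max_sessions: int):
        self.no_email_users = set(no_email_users)
        self.max_sessions = max_sessions
        self.sessions: Counter = Counter()   # user -> number of open sessions
        self.log: List[str] = []

    def open_session(self, user: str, service: str) -> bool:
        """Return True if the session is admitted; every refusal is logged."""
        if service == "smtp" and user in self.no_email_users:
            self.log.append(f"deny {user} smtp: e-mail not permitted for this user")
            return False
        if self.sessions[user] >= self.max_sessions:
            self.log.append(f"deny {user} {service}: session limit {self.max_sessions} reached")
            return False
        self.sessions[user] += 1
        return True

    def close_session(self, user: str) -> None:
        if self.sessions[user] > 0:
            self.sessions[user] -= 1


def strip_active_content(html: str) -> str:
    """Replace applet/object elements with a marker so the browser never loads them."""
    return ACTIVE_CONTENT.sub("<!-- active content removed by policy -->", html)


def demo() -> dict:
    """Exercise the controls with constructed users and a constructed page."""
    ac = AccessControl(no_email_users={"guest"}, max_sessions=2)
    results = [
        ac.open_session("guest", "smtp"),   # refused: guest may not send e-mail
        ac.open_session("guest", "http"),   # admitted
        ac.open_session("alice", "http"),   # admitted (1 of 2)
        ac.open_session("alice", "http"),   # admitted (2 of 2)
        ac.open_session("alice", "http"),   # refused: limit reached
    ]
    ac.close_session("alice")
    results.append(ac.open_session("alice", "smtp"))   # admitted again after one closed
    page = ('<p>hi</p><applet code="X.class"></applet>'
            '<object classid="clsid:0000"><param name="a" value="b"></object><p>bye</p>')
    return {"results": results, "html": strip_active_content(page), "log": ac.log}


if __name__ == "__main__":
    out = demo()
    print(out["results"])
    print(out["html"])
    for line in out["log"]:
        print(line)
```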
3 Conclusion