As the Internet has grown, many organizations have connected their internal networks to it, and network security has become correspondingly important. To improve network security and protect important data on the internal network, the internal network must be isolated from the Internet, and this is currently done mainly with firewall technology. To protect internal hosts, however, the firewall software must restrict access from the external network to hosts on the internal network, so under an ordinary firewall configuration the external network cannot reach internal hosts at all. An organization that wants to publish its own information must nevertheless allow external networks to reach its web server. The simplest approach is to place the web server outside the firewall, separating it from the internal network. A web server exposed directly to the outside invites attacks, which can paralyse the server or leave its web pages tampered with. The information held on web servers is becoming richer and more important, and the importance of the web server itself is obvious, so the firewall needs to protect it as well.

I. Existing firewall technology and its limitations

Current firewalls are mainly of two types. The first is the packet-filtering firewall, which checks each IP packet against the filtering rules set by the administrator and forwards only the packets that satisfy them. The available filtering criteria include the source and destination host names and IP addresses, port numbers, the network interface used, and the type of IP packet. A packet-filtering firewall usually protects the internal network according to the packet type; if the web server is to be placed inside the firewall, access to that server and to the TCP port it uses must be allowed.
The other type is the application-proxy firewall, which provides a corresponding proxy service for each application protocol: the proxy server accesses the network on the client's behalf and returns the result to the client. With a standard HTTP proxy service, the client's browser must be configured with the proxy server's IP address, whereas external hosts are not configured to use the proxy server when they access hosts on this internal network. The proxy server does not distinguish between the external and internal networks; it uses Internet name resolution to locate the web server, while internal addresses are usually used behind the firewall. This is why an ordinary proxy firewall does not support HTTP access requests from the external network to an internal web server. Because an ordinary proxy server simply blocks access from external addresses, the simplest way to protect a web server that publishes information externally is to use a packet-filtering firewall. Yet once hosts on the external network are allowed to initiate connection requests to the internal network, an attacker can attempt connections from outside, which adds to the ways the internal network can be attacked and lowers the security of the whole network. If external hosts are not allowed to initiate connection requests to the internal network, an attacker has to fall back on methods such as Trojans or IP spoofing, for which no ready-made tools exist that work by initiating connections; the complexity of the attack rises greatly, and the likelihood of the network being compromised drops to almost nil. Conversely, once an attacker has penetrated a web server inside the internal network, the entire internal network is exposed to the attacker and the firewall no longer plays any role.
Redefining the filtering rules of a packet-filtering firewall and placing the web server inside the internal network is therefore only a simple way to protect the web server; it does not help protect the security of the whole internal network. To protect both the web server and the internal network, the safer configuration currently in use is a double firewall: the outer firewall performs packet filtering but allows the external network to reach the web server, while the inner firewall allows only hosts on the internal network to access the external network.
The area between the outer and inner firewalls is called the demilitarized zone (DMZ); the servers that provide access to the external network are placed in this zone, so that even if an attacker gets through the outer firewall into the zone, the internal network cannot be attacked. By setting up two firewalls, the double-layer firewall makes the internal network more secure. In protecting the web server, however, it is no better than a single-layer firewall: the web server is still protected by only one layer of firewall, and that layer cannot hide the various details of the host behind it, such as the server's IP address. Moreover, this firewall is a packet filter that does not understand the application protocol. Because packet filtering cannot identify the application protocol (usually HTTP), it cannot correctly determine whether an external connection request is a normal connection, and it usually cannot keep a detailed connection log. To better protect the web server from external attackers, the internal server's IP address should be hidden and the firewall should be able to identify the connection protocol, which is clearly the job of a proxy firewall.
II. The reverse proxy method

An ordinary proxy server is used only to proxy connection requests from the internal network to the Internet: the client must specify the proxy server and send to it the HTTP requests that would otherwise go directly to the web server. Hosts on the external network are not configured to use this proxy server, and an ordinary proxy server is designed to find many different servers on the Internet rather than to serve many Internet clients' requests for one fixed server, so an ordinary web proxy does not support access requests to the internal network. When a proxy server instead proxies requests from hosts on the external network, the proxy service is called a reverse proxy service. The proxy server then effectively acts as a web server, and the external network can treat it as a standard web server without any special configuration. The difference is that this server holds no real web page data; all static pages and CGI programs are kept on the internal web server. An attack on the reverse proxy server therefore does not destroy the web information, which improves the security of the web server. Reverse proxying does not conflict with packet filtering or ordinary proxying, so both can be used on the same firewall device: the reverse proxy serves external access to the internal network, while forward proxying or packet filtering rejects all other external access and gives the internal network access to the external network. Combined, they provide the best secure access method. Integrating the reverse proxy function with ordinary firewall software that refuses other external access yields a firewall system that both protects the internal network and publishes web information.
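The reverse proxy described above can be expressed as a Squid accelerator configuration. The script below is an added example, not the article's own configuration: it assumes Squid 3.2 or later directive syntax, and the site name, internal web-server address and log path are constructed placeholders. It generates a squid.conf in which Squid listens on port 80 like a normal web server, fetches every page from the internal web server, refuses to act as a forward proxy for anything else, and writes the detailed per-connection log the article relies on.

```shell
#!/bin/sh
# Added example (not from the article): generate a Squid accelerator
# (reverse-proxy) configuration. Assumes Squid 3.2+ syntax; site name,
# internal web-server address and log path are constructed placeholders.

# gen_squid_conf SITE INTERNAL_WEB_IP
# Prints a minimal squid.conf: answer on port 80 for SITE, fetch content
# only from the internal web server, refuse every other use.
gen_squid_conf() {
    site=$1
    web_ip=$2
    cat <<EOF
# Listen like an ordinary web server; 'accel' turns on reverse-proxy mode.
http_port 80 accel defaultsite=$site vhost
visible_hostname $site

# The only origin server: the internal web server that holds the real content.
cache_peer $web_ip parent 80 0 no-query originserver name=intweb

# Accept requests only for our own site ...
acl our_site dstdomain $site
http_access allow our_site
# ... and route them exclusively to the internal server.
cache_peer_access intweb allow our_site
cache_peer_access intweb deny all
# Anything else (forward-proxy use, other host names) is refused.
http_access deny all
# Never fetch directly from the Internet; only the configured peer is used.
never_direct allow all

# Detailed per-connection record for spotting and tracing attacks.
access_log daemon:/var/log/squid/access.log squid
EOF
}

# check_squid_conf FILE: let squid parse FILE when squid is installed;
# when it is absent, say so and return success so the script stays usable.
check_squid_conf() {
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    else
        echo "squid not installed; skipping syntax check" >&2
    fi
}

# Usage: ./squid-reverse.sh write   (SITE and WEB_IP may be set in the environment)
if [ "${1:-}" = "write" ]; then
    gen_squid_conf "${SITE:-www.example.com}" "${WEB_IP:-192.168.1.10}" > squid.conf.reverse
    check_squid_conf squid.conf.reverse
fi
```

The order of the `http_access` lines is what makes this a reverse proxy rather than an open forward proxy: the allow for our own site must precede the final `deny all`, and `never_direct` guarantees that a request which somehow passes the ACLs can still only reach the internal origin server, never an arbitrary Internet host.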
Since the reverse proxy capability must be implemented in software, an existing firewall system cannot be used as-is; the relevant software has to be developed and adapted. UNIX is clearly the preferred platform, and based on FreeBSD we propose a firewall configuration built on IPFW, NATD and Squid. IPFW filters IP packets by IP address, port and protocol; NATD provides network address translation, which hides information such as internal network addresses; together, IPFW and NATD form a powerful packet-filtering gateway. Squid is one of the most popular web proxy servers on the Internet. Although it provides an ordinary forward proxy, it is open-source software with powerful configuration options, so it is easy to turn it into a reverse proxy server. This approach protects the internal network less than double-layer firewall software but as well as ordinary single-layer firewall software, and it protects the web server better than a double firewall system protects a web server placed in its DMZ. As a single-layer system it is more convenient to configure than a two-layer system, making it a simple and effective solution. The reverse proxy function provides rich connection logs, which can be used to prevent and capture attacks, while packet filtering and network address translation let hosts on the internal network reach the external network with a variety of protocols without having to consider whether the firewall supports each application protocol. This approach is suitable for most intranet systems.

III. Discussion

When the internal network needs further protection, the double firewall mode can still be used, combining the reverse proxy to protect the web server with the double firewall's greater protection of internal data.
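The IPFW/NATD packet-filtering gateway of the single-layer design, with Squid running on the firewall host as the only service the Internet may reach, can be written as a FreeBSD rule script. The following is an added example, not the article's own script: the interface name, addresses and rc.conf lines are constructed assumptions (rc.conf variable names are FreeBSD's real ones), and the rule set is only printed unless `APPLY=1` is set, so it can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not the article's script): FreeBSD ipfw + natd rule set for
# the single-layer design. Squid (reverse proxy) listens on the firewall's
# public address; nothing else may be opened from the Internet. Interface
# name and addresses are constructed placeholders.
#
# Assumed /etc/rc.conf on the firewall host:
#   gateway_enable="YES"   firewall_enable="YES"
#   natd_enable="YES"      natd_interface="fxp0"

EXT_IF="${EXT_IF:-fxp0}"              # interface facing the Internet
EXT_IP="${EXT_IP:-203.0.113.1}"       # public address where Squid listens
INT_NET="${INT_NET:-192.168.1.0/24}"  # internal network hidden behind natd
PROXY_PORT="${PROXY_PORT:-80}"

# gen_ipfw_rules EXT_IF EXT_IP INT_NET PROXY_PORT
# Emits ipfw commands. ipfw is first-match, so the order below is the policy.
gen_ipfw_rules() {
    ext_if=$1; ext_ip=$2; int_net=$3; proxy_port=$4
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny log ip from $int_net to any in via $ext_if
ipfw add 300 divert natd ip from any to any via $ext_if
ipfw add 400 allow tcp from any to any established
ipfw add 1000 allow tcp from any to $ext_ip $proxy_port in via $ext_if setup
ipfw add 2000 deny log tcp from any to any in via $ext_if setup
ipfw add 3000 allow tcp from any to any setup
ipfw add 3100 allow udp from any to any 53 out via $ext_if
ipfw add 3200 allow udp from any 53 to any in via $ext_if
ipfw add 65000 deny log ip from any to any
EOF
}
# Rule notes:
#  200  a packet claiming an internal source but arriving from the Internet
#       is forged (IP spoofing); drop and log it before NAT sees it.
#  300  natd rewrites addresses in both directions, so internal addresses
#       never appear on the outside.
#  400  packets of already-established TCP connections pass.
# 1000  the only connection the Internet may open: to Squid on the firewall.
# 2000  every other inbound connection attempt is refused and logged.
# 3000  remaining connection attempts originate inside: internal hosts going
#       out (already translated by natd) and Squid reaching the internal web
#       server on the internal interface.
# 3100/3200 DNS queries out and replies in.
# 65000 default deny, logged.

# Usage: ./fw.sh show   prints the rules;  APPLY=1 ./fw.sh apply   loads them.
case "${1:-}" in
    show)  gen_ipfw_rules "$EXT_IF" "$EXT_IP" "$INT_NET" "$PROXY_PORT" ;;
    apply) [ "${APPLY:-0}" = 1 ] || { echo "set APPLY=1 to load rules" >&2; exit 1; }
           gen_ipfw_rules "$EXT_IF" "$EXT_IP" "$INT_NET" "$PROXY_PORT" | sh -e ;;
esac
```

Two properties of this set are worth checking whenever it is edited: the allow for the proxy port (rule 1000) must come before the blanket inbound `setup` deny (rule 2000), and the last rule must remain a logged default deny, so that any traffic the explicit rules did not anticipate is both blocked and visible in the log rather than silently passed.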
When an organization publishes information, it usually needs not only static web pages but, more likely, information published dynamically from actual data. The published pages therefore have to be generated dynamically by accessing a database, usually through CGI or server-side document parsing. Either way, the web server must be able to connect to and communicate with the database server.