Computer network security and firewall technology (1)
The core idea of firewall technology is to construct a relatively secure subnet inside an insecure Internet environment. This article introduces the basic concepts and architecture of firewall technology and discusses the two main technical means of implementing a firewall: one based on packet filtering, represented by the firewall functions implemented on a screening router; the other based on proxy technology, represented by the firewall functions implemented on an application layer gateway. Key words: network security, firewall, packet filtering, proxy, bastion host
1 Concept and composition of a firewall
A firewall is one or a set of network devices (computers, routers, etc.) used to strengthen access control between two or more networks. It takes many forms, and some implementations are quite complex, but the basic principle is very simple. You can picture it as a pair of switches: one switch blocks transmission and the other permits it.
The main purpose of setting up a firewall is to protect one network from attacks originating in another. Typically the protected network belongs to us or is administered by us, and the network being guarded against is an external network that is not trusted, because people on it may attack our network and breach its security. Protecting the network involves the following: rejecting access by unauthorized users, preventing unauthorized users from accessing sensitive data, and allowing legitimate users to access network resources without obstruction.
Different firewalls emphasize different things. In a sense, a firewall embodies a network access policy. If an organization decides to deploy a firewall, the first step is for its decision makers and network experts to jointly determine the security policy of the network, that is, to decide which kinds of traffic are allowed through the firewall and which are not. The firewall's responsibility is to examine the traffic between the external and internal networks against the organization's security policy: what conforms is passed, what does not is rejected.
When designing a firewall, in addition to the security policy, the firewall type and topology must be determined. In general, the firewall sits between the trusted internal network and the untrusted external network. A firewall is equivalent to a gateway that can monitor or reject communication at the application layer; it can also operate at the network and transport layers, in which case it examines the IP and TCP headers of incoming and outgoing packets and rejects or passes them according to pre-designed packet filtering rules.
The firewall is the main device through which an organization implements its network security measures. In many cases, authentication and privacy-enhancing technologies are also needed to strengthen security or to implement the security measures. This article mainly introduces the following basic firewall components and techniques: screening routers, packet filtering, dual-homed hosts, proxy services, application layer gateways and bastion hosts. A router that performs security measures such as screening is often referred to as a security router or security gateway, and an application layer gateway that implements security management is also called a secure application layer gateway.
2 Basic components and techniques of the firewall
2.1 Screening Router
Many router products can filter packets according to given rules, including the protocol type, the source and destination address fields of a specific protocol type, and the control fields that are part of the protocol. A router that offers this function, such as a common Cisco router, is called a screening router. The earliest Cisco routers could only filter on the contents of the IP datagram; current products can also filter on TCP ports and connection state, and the filtering syntax has improved somewhat. The screening router provides a powerful mechanism for controlling the types of communication service on any network segment. By controlling the types of communication service on a segment, the screening router controls which network services are available there, so that services harmful to network security can be restricted.
The screening router distinguishes between different network communication services according to the protocol type and the values in the packet. The router's ability to distinguish and restrict the packets passing through its ports according to protocol-related criteria is called filtering, so the screening router is also referred to as a packet filtering router. Below we first introduce the security perimeter considerations that apply when a router is deployed, and the relationship between the screening router and the OSI model. Packet filtering technology is discussed in the next section.
Identifying the danger zone
According to statistics from January 1996, about 60,000 networks were connected to the Internet and the total number of hosts exceeded 9 million. With so many users on the Internet, a small number of undesirable so-called "hackers" is inevitable. The situation resembles crime in a big city, where locking the door to protect our home is a wise move. In such an environment everything requires care: when someone knocks at our door we first check who it is and then decide whether to let them in, and if the person appears dangerous (a high security risk) we do not. Similarly, the screening router inspects incoming packets to determine whether they may be harmful. The boundary of the enterprise network is called the security perimeter. Because there are so many malicious "hackers" on the Internet, it is useful to define a danger zone. The danger zone refers to all TCP/IP functionality that can be accessed directly from the Internet. "TCP/IP functionality" means a host that supports the TCP/IP protocols and the upper-layer protocols built on them. "Direct access" means there is no strong security measure between the Internet and the enterprise's host network (no "locked door").
From our own point of view, the regional networks, national networks and backbones that make up the Internet represent the danger zone, and hosts in the danger zone are very vulnerable to external attack. We therefore certainly want to place our own network and hosts outside the danger zone. Without a device to intercept attacks on our network, however, the danger zone extends into it. The screening router is such a device: it can be used to shrink the danger zone so that it does not penetrate our network's security perimeter.
Not every host in our corporate network necessarily runs TCP/IP. Even such non-TCP/IP hosts can become easy targets, although technically they are not in the danger zone. An intruder who has compromised a TCP/IP host can use it to reach a non-TCP/IP host; for example, if the two hosts are attached to the same Ethernet segment, the intruder can access the non-TCP/IP host through Ethernet-level protocols. A screening router cannot eliminate the danger zone by itself, but it can reduce it very effectively.
The relationship of screening routers and firewalls to the OSI model
Screening routers and firewalls can be compared by their relationship to the OSI model. The functions of a screening router correspond to the network layer (IP) and transport layer (TCP) of the OSI model. A firewall is often described as a gateway, and a gateway can operate at all seven layers of the OSI model; typically the gateway performs its processing at layer seven, the application layer, and this is true of most firewall gateways as well. A firewall can also perform packet filtering, because it covers the network and transport layers. Some manufacturers, perhaps for marketing reasons, blur the distinction between screening routers and firewalls and call their screening router products firewalls. For clarity, we distinguish screening routers from firewalls on the basis of the OSI model.
Sometimes the screening router is also referred to as a packet filtering gateway. The term "gateway" is used for a packet filtering device because the filtering performed at the transport layer does not belong to a router, which operates at the network layer of the OSI model; a device operating above the network layer is referred to as a gateway.
2.2 Packet Filtering Technology
A screening router can use packet filtering to enhance network security. Filtering can also be provided by many commercial firewall products and by some purely software-based products such as Karlbridge. Nevertheless, many commercial router products can be programmed to perform packet filtering; the routers of many vendors, such as Cisco, Bay Networks, 3COM, DEC and IBM, can be used to implement it.
Packet filtering and the network security policy
Packet filtering can be used to implement many kinds of network security policy. The network security policy must clearly describe the type and importance of the resources and services being protected, and the parties they are protected from.
Typically the network security policy is primarily aimed at preventing external intrusion rather than monitoring internal users. For example, preventing outsiders from breaking into the internal network, accessing sensitive data or disrupting network services is considered more important. This kind of policy determines where the screening router is placed and how it is programmed.
A good network security implementation should also make it difficult for internal users to undermine network security, but this is usually not the focus of network security work.
One main goal of the network security policy is to provide users with a transparent network service mechanism. Because packet filtering operates at the network and transport layers of the OSI model rather than at the application layer, it is usually more transparent than firewall products. As mentioned, a firewall runs at the application layer of the OSI model, and security measures implemented at that level are usually not transparent.
A simple packet filtering model
A packet filtering device is usually placed between one or more network segments and other network segments. The segments are usually divided into internal and external: the external segment connects your network to an outside network such as the Internet, and the internal segment connects the hosts and other network resources inside the organization.
The network security policy is implemented on each port of the packet filtering device and describes the types of network service that may be accessed through that port. If many network segments are attached to the filtering device, the policy it implements becomes complicated. In general this should be avoided when solving network security problems, for the following reasons:
* it is difficult to maintain,
* errors are made when configuring the filter rules,
* executing a complex policy degrades the performance of the device.
In many practical situations only the simple model is used to implement the network security policy. In this model only two segments are attached to the filtering device: typically one connects to the external network and the other to the internal network. Packet filtering restricts the traffic that the policy says must be denied. Because the packet filtering rules are designed to favour the internal network over the external one, the rules applied on the two sides of the router differ; in other words, packet filtering is asymmetric.
Packet filter operation
Currently almost all packet filtering devices (screening routers or packet filtering gateways) operate as follows: (1) Packet filtering criteria, also called packet filtering rules, must be set for the relevant ports of the packet filtering device. (2) When a packet arrives at a filtering port, its header is analysed. Most packet filtering devices examine only fields within the IP, TCP or UDP headers. (3) The packet filtering rules are stored in a definite order. When a packet arrives, the rules are checked one by one in the order in which they are stored. (4) If a rule blocks the packet, the packet is not allowed to pass. (5) If a rule permits the packet, the packet is allowed to pass. (6) If a packet does not satisfy any rule, the packet is blocked.
Rules 4 and 5 show that arranging the rules in the proper order is very important. A common mistake is to arrange the packet filtering rules in the wrong order. If the rules are ordered incorrectly, we may reject certain legitimate accesses and allow access to services we intended to reject.
Rule 6 follows the principle: whatever is not explicitly permitted is prohibited.
This is a fail-safe principle that should be followed when designing a secure and reliable network. Its opposite is the permissive principle: whatever is not explicitly prohibited is permitted.
If packet filtering rules are designed according to the latter principle, every possible situation not covered by the rules must be considered carefully to ensure the security of the network. When a new service is added to the network, it is easy to overlook it: under the restrictive principle the new service is blocked until a rule permitting it is written, whereas under the permissive principle it is reachable by default, and the price is that users may freely access the service until the corresponding security rule has been developed.
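As an added example (not code from the original article), the following Python models a screening router's filter port exactly as the six steps above describe it: rules bound to a port, header fields only, ordered evaluation, first match decides, and an implicit deny when nothing matches. It also serves as the rule set of the screened host gateway described in the bastion host section, where the external port admits traffic only to the bastion host. The interface names, the address ranges (taken from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24), the bastion address and the rules themselves are assumptions made for the example.

```python
# Added example, not code from the original article: a first-match packet
# filter implementing the six operating steps of a screening router.
# Addresses are constructed sample values from the documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a screening router looks at (step 2)."""
    iface: str   # port the packet arrived on: "ext" (Internet side) or "int"
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filtering rule bound to one port of the router (step 1)."""
    iface: str
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.iface
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules, pkt, default="deny"):
    """Steps 3-6: walk the rules in stored order; the first match decides.

    Returns (action, index of the deciding rule), or (default, -1) when no
    rule matched. default="deny" is the fail-safe principle of rule 6;
    default="permit" models the permissive alternative.
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, -1


INTERNAL = "192.0.2.0/24"   # constructed: the protected internal network
BASTION = "192.0.2.10/32"   # constructed: the bastion host on that network

# Asymmetric rule set for a screened host gateway: the external port admits
# traffic only to the bastion host (SMTP and HTTP), after first discarding
# packets that arrive from outside but claim an internal source address;
# the internal port lets internal hosts out freely.
RULES = [
    Rule("ext", "deny", src=INTERNAL),
    Rule("ext", "permit", proto="tcp", dst=BASTION, dport=25),
    Rule("ext", "permit", proto="tcp", dst=BASTION, dport=80),
    Rule("int", "permit", src=INTERNAL),
]

# The same rules with the anti-spoofing deny moved after the permits: the
# ordering mistake the text warns about. A spoofed packet now hits a permit
# rule before the deny rule is ever consulted.
MISORDERED = [RULES[1], RULES[2], RULES[0], RULES[3]]


if __name__ == "__main__":
    samples = [
        Packet("ext", "tcp", "203.0.113.5", 4000, "192.0.2.10", 25),  # mail to bastion
        Packet("ext", "tcp", "203.0.113.5", 4000, "192.0.2.20", 25),  # mail to inside host
        Packet("ext", "tcp", "192.0.2.50", 4000, "192.0.2.10", 25),   # spoofed source
        Packet("int", "tcp", "192.0.2.20", 5000, "203.0.113.5", 80),  # inside going out
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(RULES, pkt),
              "misordered:", filter_packet(MISORDERED, pkt))
```

Running the module prints, for each sample packet, the decision and the index of the rule that made it. Comparing RULES with MISORDERED on the spoofed packet shows why order matters: the correct list denies it at rule 0, the misordered list permits it at rule 0 and never reaches the deny.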
2.3 Dual-Homed Host
In TCP/IP networks the term multi-homed host describes a host with several network interfaces, each typically attached to a different network. In the past such a multi-homed host could also be used to route between the network segments it connected, and the term gateway was used to describe this routing function. In recent years, however, the term router has been used for this routing function, while gateway describes a device that performs the equivalent function at higher layers of the OSI model.
If the routing function is disabled on a multi-homed host, the host isolates the traffic between the networks attached to it; each attached network can still use the network applications the host provides, however, and if those applications allow it, they can also share data.
Disabling routing on the dual-homed host firewall
Most firewalls are built on machines running UNIX. It is important to verify that the routing function on the dual-homed host firewall is disabled, and if it is not, to know how to disable it.
To disable routing on a UNIX-based dual-homed host, the kernel must be reconfigured and recompiled. The procedure on a BSD UNIX system is as follows.
The UNIX kernel is compiled with the make command. A command called config reads the kernel configuration file and generates the files needed to rebuild the kernel. The kernel configuration file lives in the /usr/sys/conf or /usr/src/sys directory; on the BSDI UNIX platform for Intel hardware it is in /usr/src/sys/i386/conf.
To find out which kernel configuration file is in use, run the strings command on the kernel image and look for the operating system name. For example:
% strings /bsd | grep BSD
BSDI $Id: if_pe.c,v 1.4 1993/02/21 20:35:01 karels Exp $
BSDI $Id: if_petbl.c,v 1.2 1993/02/21 20:36:09 karels Exp $
BSD/386
@(#)BSDI BSD/386 1.0 Kernel #0: Wed Mar 24 17:23:44 MST 1993 polk@hilltop.bsdi.com:/home/hilltop/polk/sys.clean/compile/GENERIC
The last line shows that the current configuration file is GENERIC.
Change to the configuration file directory (/usr/src/sys/i386/conf) and copy the file GENERIC to a new configuration file whose name reflects the new configuration, for example FIREWALL or LOCAL. This walkthrough uses LOCAL:
cd /usr/src/sys/i386/conf
cp GENERIC LOCAL
Next, edit the option IPFORWARDING in the file LOCAL and set its value to -1, which means "do not forward any IP datagrams". This option sets the kernel variable ipforwarding and thereby disables IP forwarding:
options IPFORWARDING=-1
On some other systems there is no IPFORWARDING option but instead:
options GATEWAY
To disable forwarding of IP packets, put a # at the beginning of that line to comment it out.
At the same time, check that the following TCP/IP kernel configuration statements are present:
options INET                    # Internet protocol support is to be included
pseudo-device loop              # the loopback device is to be defined (127.0.0.1)
pseudo-device ether             # generic Ethernet support such as ARP functions
pseudo-device pty               # pseudo teletypes for telnet/rlogin access
device we0 at isa? port 0x280   # could be different for your Ethernet interface
Run the config command to create the LOCAL compile directory, then change to it:
config LOCAL
cd ../../compile/LOCAL
Then run make to build the necessary dependencies and the kernel:
make depend
make
Copy the kernel image to the root directory and reboot:
cp /bsd /bsd.old
cp bsd /bsd
reboot
The host can now be used as a dual-homed host firewall.
Computer Network Security and Firewall Technology (2)
How the security of a dual-homed host firewall is compromised
It is useful to understand how the security of a dual-homed host firewall can be compromised, because appropriate measures can then be taken to prevent it.
The most critical risk to security is an attacker obtaining the privilege to log in directly on the dual-homed host. Logins to a dual-homed host should always go through an application layer proxy on the host, and logins from the external untrusted network should be subject to strict authentication.
If an external user obtains the right to log in on the dual-homed host, the internal network is easily attacked. Such an attack can be carried out in any of the following ways:
1) through weak permission restrictions on the local file system;
2) through volumes mounted via NFS from the internal network;
3) by using a compromised user account and the host equivalence files in that user's home directory, such as .rhosts, to access services authorized through the Berkeley r* tools;
4) by exploiting network backup programs that have excessive access and allow restores;
5) by using administrative shell scripts that lack proper security;
6) by learning of system vulnerabilities from the documentation accompanying modified and redistributed software that lacks appropriate security precautions;
7) through old versions of the operating system kernel, IP software or other components with known security problems that have been installed.
If a dual-homed host is compromised, the internal network is exposed to external attack unless the problem is quickly isolated and resolved.
We saw earlier that the UNIX kernel variable ipforwarding controls whether IP routing is allowed. If an attacker obtains sufficient system privileges, the attacker can change the value of this kernel variable and enable IP forwarding. Once IP forwarding is enabled, the firewall mechanism is bypassed.
Services on the dual-homed host firewall
Besides disabling IP forwarding, all programs, tools and services that could affect security should be removed, so that they do not fall into an attacker's hands. Below is a useful checklist for a UNIX dual-homed host firewall:
1) Remove program development tools: compilers, linkers, etc.
2) Remove programs with SUID and SGID privileges that you do not need or do not recognise. If the system then fails to work, some essential basic programs can be moved back.
3) Use disk partitions so that an attack that fills all the disk space on one partition is confined to that partition.
4) Delete unnecessary system and special accounts.
5) Delete unnecessary network services; use netstat -a to check. Edit the /etc/inetd.conf and /etc/services files and remove the definitions of unneeded network services.
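As an added example (not code from the original article), the following Python automates the parts of this checklist that can be checked mechanically: the IP forwarding setting from section 2.3, the SUID/SGID inventory of item 2 and the listening-service inventory of item 5. The sysctl line, the file list, the allow-lists and the netstat output are constructed samples; scan_privileged() walks a real filesystem and is provided for use on the host itself.

```python
# Added example, not code from the original article: audit helpers for the
# dual-homed host checklist. Sample inputs below are constructed.
import os
import stat


def ip_forwarding_disabled(sysctl_line: str) -> bool:
    """Parse one sysctl line such as "net.inet.ip.forwarding: 0" (BSD) or
    "net.ipv4.ip_forward = 0" (Linux). Forwarding counts as disabled when
    the value is 0 or -1 (BSD's "never forward")."""
    value = sysctl_line.replace("=", ":").rsplit(":", 1)[1].strip()
    return int(value) <= 0


PRIVILEGED_BITS = stat.S_ISUID | stat.S_ISGID

# Constructed sample of (path, st_mode) pairs as os.lstat() would report them.
SAMPLE_BINARIES = [
    ("/bin/sh", 0o100755),
    ("/usr/bin/passwd", 0o104755),        # setuid root, expected
    ("/usr/bin/wall", 0o102755),          # setgid, not needed on a firewall
    ("/usr/local/bin/helper", 0o104755),  # setuid, unknown origin
]
EXPECTED_PRIVILEGED = {"/usr/bin/passwd"}  # constructed allow-list


def unexpected_privileged(entries, allowed):
    """Checklist item 2: SUID/SGID programs that are not on the allow-list."""
    return [path for path, mode in entries
            if mode & PRIVILEGED_BITS and path not in allowed]


def scan_privileged(root="/"):
    """Collect (path, mode) for every SUID/SGID regular file under root."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & PRIVILEGED_BITS:
                found.append((path, st.st_mode))
    return found


# Constructed sample in the BSD `netstat -a` layout.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.smtp                 *.*                    LISTEN
tcp        0      0  *.telnet               *.*                    LISTEN
tcp        0      0  *.finger               *.*                    LISTEN
tcp        0      0  gatekeeper.1023        mailhub.40001          ESTABLISHED
udp        0      0  *.syslog               *.*
"""


def listening_services(netstat_output: str):
    """Checklist item 5: the (proto, service) pairs that accept traffic,
    i.e. TCP sockets in LISTEN state and bound UDP sockets with a wildcard
    peer."""
    services = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        if proto == "tcp":
            listening = len(fields) > 5 and fields[5] == "LISTEN"
        else:
            listening = foreign == "*.*"
        if listening:
            services.add((proto, local.rsplit(".", 1)[-1]))
    return services


def unneeded_services(netstat_output: str, allowed):
    """Services to remove from /etc/inetd.conf: everything not allowed."""
    return listening_services(netstat_output) - set(allowed)


if __name__ == "__main__":
    print("forwarding off:", ip_forwarding_disabled("net.inet.ip.forwarding: 0"))
    print("unexpected SUID/SGID:", unexpected_privileged(SAMPLE_BINARIES, EXPECTED_PRIVILEGED))
    print("services to remove:", unneeded_services(SAMPLE_NETSTAT, {("tcp", "smtp")}))
```

On the host itself, feed `unexpected_privileged()` the output of `scan_privileged()` and `listening_services()` the real `netstat -a` output; the allow-lists are where the site's policy goes, and anything outside them is a candidate for removal under items 2 and 5.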
2.4 Proxy Service and Application Layer Gateway
Proxy Service
The method used by a proxy service differs from packet filtering. A proxy uses a (possibly modified) client to connect to a specific intermediate node, and the intermediate node then makes the actual connection to the desired server. Unlike packet filtering, there is no direct connection between the external and internal networks when such a firewall is used, so even if the firewall has problems the external network cannot connect to the protected network. The intermediate node is usually a dual-homed host.
A proxy service provides detailed logging and auditing, which greatly improves network security, and also offers the possibility of improving the security of existing software. The proxy server can run on the dual-homed host and is specific to a particular application. To support a new protocol through the proxy, the proxy must be modified to accommodate the new protocol.
A free library called SOCKS contains versions of many standard system calls, such as socket(), bind() and connect(), that are largely compatible with the originals. This package can be obtained at the URL ftp://ftp.inoc.dl.nec.com/pub/security/sock.cstc.
A proxy service is typically built from two parts: a proxy server program and client programs. Quite a few proxy servers require a specific client; for example, SOCKS requires clients adapted to SOCKS. If the network administrator cannot replace all the proxy servers and client programs, the system does not work properly. Proxies give the network administrator greater ability to improve the security features of the network, but they also bring considerable inconvenience to software developers, the network system and end users; this is the price of using proxies. Some standard client programs, such as mail, FTP and telnet, can use the proxy server to pass through the firewall. Even so, end users may have to learn specific steps in order to communicate through the firewall.
Transparency is clearly a big problem for firewalls based on proxy services. Even those that claim to be transparent expect applications to use specific TCP or UDP ports; if a node runs a standard application on a non-standard port, the firewall will not support that application. Depending on the firewall product, many firewalls let the system administrator run two copies of a proxy, one on the standard port and another serving a maximum number of common services on non-standard ports. Vendors of proxy-based firewalls are beginning to address this problem, and proxy-based products have started to improve their support for common services on non-standard ports. However, whenever an application needs to be upgraded, users of proxy-based firewalls will find that they must develop new proxies; an obvious example is the many security measures being added to web browsers. Firewall purchasers should pay attention to which applications the firewall vendor can handle. In addition, proxy-based firewalls often reduce network performance significantly, and quite a few such firewalls cannot handle heavily loaded network traffic.
Application layer gateway
An application layer gateway can handle store-and-forward communication services as well as interactive ones. It understands the communication at the user's application layer (layer seven of the OSI model), so it can provide access control at the user or application layer and maintain detailed log files of how each application is used. The ability to record and control all inbound and outbound communication is the main advantage of the application layer gateway. When needed, the gateway can also add further security measures.
For each application it relays, the application layer gateway needs dedicated program code. Because of this dedicated code, the application layer gateway can provide a highly reliable security mechanism. Whenever a new application needs to be added to the network, special program code must be written for it; for this reason many application layer gateways can only offer a limited set of applications and services.
To use an application layer gateway, the user either logs in on the gateway or uses specially written program code on the local machine. Each gateway module for a particular application has its own management tools and command language.
One drawback of the application layer gateway is that a dedicated program must be written for each application. From a security perspective this is also an advantage, because unless the application layer gateway explicitly provides an application, that application cannot pass through the firewall. This is the principle "what is not explicitly permitted is prohibited" in practice.
The dedicated application acts as a "proxy" that receives incoming requests and checks them against a list of access rules to determine whether the request type is allowed; in this role the proxy is called an application layer server proxy. When a request is received and confirmed to be allowed, the proxy forwards it to the required service program. The proxy therefore plays the dual role of client and server: it is a server when receiving requests and a client when forwarding them. Once a session is established, the application proxy acts as a relay, transferring data between the client and the server. All data between client and server passes through the application layer proxy, so it fully controls the session and can record it in detail. In many application layer gateways the proxy is implemented as a single application layer module.
To connect to an application layer proxy, many application layer gateways require users to run a dedicated client application on their internal network host. Another way is to use the telnet command with the port number of the application service offered by the proxy. For example, if the application proxy runs on the host gatekeeper.kinetics.com on port 63, the following command can be used:
telnet gatekeeper.kinetics.com 63
After connecting to the port on which the proxy service listens, you see a specific prompt identifying the application proxy, and you then issue a dedicated command to specify the destination server. With either method the user's interface to the standard service changes. If a dedicated client is used, the program must be modified so that it always connects to the host on which the proxy runs and tells the proxy the destination address you want; the proxy then connects to the final destination. Some proxy servers emulate the behaviour of the standard application service: when the user specifies a connection target on a different network, the proxy application is invoked. If an application proxy requires a dedicated client program, that client must be installed on every internal host that is to use the Internet; on a large network this is a difficult job. Some users may use DOS/Windows or Macintosh clients for which no corresponding proxy client exists, and without the source code of the client program (which is usually unavailable on the PC or Mac) you cannot modify it.
If the proxy client can use only one application layer gateway server, the system fails when that server goes down. If the client proxy can be pointed at another application layer gateway by the administrator, single points of failure are avoided.
Because of the many problems with proxy client configuration, some sites prefer to handle applications such as FTP and telnet, which can be secured that way, with packet filtering, and likewise applications such as DNS, SMTP, NFS, HTTP and Gopher.
When communicating with the proxy server through a dedicated client application, some standard system calls such as connect() must be replaced by the corresponding proxy versions. The client application must then be compiled and linked together with these proxy versions of the system calls.
The proxy service program should be designed to provide a "fail safe" mode of operation when used without an appropriately modified client. For example, when a standard client application is used to connect to the proxy server, the communication should be refused and must not cause undesired or unpredictable behaviour in the firewall or screening router.
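As an added example (not code from the original article, nor from SOCKS or any product it mentions), the following Python implements the application layer server proxy described above: it receives a request, checks it against an access rule list, logs the decision, and only then opens the onward connection and relays bytes, acting as a server towards the client and as a client towards the server. It also shows the fail-safe behaviour just discussed: an unmodified client that speaks its native protocol to the proxy port is refused cleanly. The "CONNECT host port" request line, the reply codes, the rule list and the hostnames are all assumptions made for this example, and the onward connect function is injected so that the demonstration runs over local socket pairs without any network access.

```python
# Added example, not code from the original article: a minimal application
# layer proxy with an access rule list, audit log and fail-safe refusal.
# Request syntax, reply codes, rules and hostnames are constructed.
import select
import socket
import threading

# Constructed access rule list: (destination host, port) pairs that internal
# users may reach through the proxy.
ACCESS_RULES = [("mail.example.net", 25), ("ftp.example.net", 21)]


def read_line(sock, limit=512):
    """Read one request line byte by byte so nothing past it is buffered."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode("ascii", "replace")


def parse_request(line):
    """Parse 'CONNECT host port'; return (host, port) or None if malformed."""
    parts = line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT" or not parts[2].isdigit():
        return None
    port = int(parts[2])
    return (parts[1].lower(), port) if 0 < port < 65536 else None


def decide(request, rules):
    """Fail-safe policy: a malformed request (e.g. an unmodified client
    talking its native protocol) is rejected, an unlisted target denied."""
    if request is None:
        return "reject-malformed"
    return "permit" if request in rules else "deny"


def relay(a, b, idle=5.0):
    """Copy bytes both ways until either side closes; return bytes relayed."""
    total = 0
    while True:
        readable, _, _ = select.select([a, b], [], [], idle)
        if not readable:
            break
        for s in readable:
            data = s.recv(4096)
            if not data:
                a.close(); b.close()
                return total
            (b if s is a else a).sendall(data)
            total += len(data)
    a.close(); b.close()
    return total


def handle_session(client, rules, connect, log):
    """Proxy side of one session. connect(host, port) returns a socket to
    the real server; log collects (verdict, detail) records for audit."""
    line = read_line(client)
    request = parse_request(line)
    verdict = decide(request, rules)
    log.append((verdict, request if request else line.strip()[:40]))
    if verdict != "permit":
        client.sendall(b"550 refused\r\n")
        client.close()
        return verdict
    server = connect(*request)          # proxy acts as client towards server
    client.sendall(b"200 connected\r\n")
    relay(client, server)               # proxy is now a transparent relay
    return verdict


def run_demo(request_line, payload=b""):
    """Drive one session over socket pairs against an upper-casing echo
    server; return (verdict, proxy reply, echoed payload, audit log)."""
    client_end, proxy_end = socket.socketpair()
    server_end, proxy_server_end = socket.socketpair()
    log, verdicts = [], []

    def echo_server():
        while True:
            data = server_end.recv(4096)
            if not data:
                break
            server_end.sendall(data.upper())
        server_end.close()

    srv = threading.Thread(target=echo_server)
    prx = threading.Thread(target=lambda: verdicts.append(
        handle_session(proxy_end, ACCESS_RULES, lambda h, p: proxy_server_end, log)))
    srv.start(); prx.start()
    client_end.sendall(request_line)
    reply = client_end.recv(4096)
    echoed = b""
    if reply.startswith(b"200") and payload:
        client_end.sendall(payload)
        echoed = client_end.recv(4096)
    client_end.close()
    prx.join()
    proxy_server_end.close()   # no-op if the relay already closed it
    srv.join()
    return verdicts[0], reply, echoed, log
```

`run_demo(b"CONNECT mail.example.net 25\r\n", b"hello")` goes through the permit path and returns the echoed `b"HELLO"`, `run_demo(b"CONNECT intranet.example.net 23\r\n")` is denied by the rule list, and `run_demo(b"HELO workstation\r\n")`, an unmodified mail client talking SMTP to the proxy port, is refused without the proxy ever opening an onward connection. Every outcome, including the refusals, is left in the audit log, which is the logging advantage of the proxy approach the text describes.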
Another type of application layer gateway is called a circuit-level gateway. In a circuit-level gateway, packets are addressed to a user process at the application layer. The circuit-level gateway relays packets between two communication endpoints; it simply copies bytes between the two endpoints.
The circuit-level gateway is a more flexible and general way to build an application layer firewall. It may include program code supporting some specific TCP/IP applications, but this is usually limited; where it supports applications, they are usually TCP/IP applications.
With a circuit-level gateway, dedicated client software may need to be installed, and users may have to deal with a changed user interface or change their working habits. Installing and configuring a dedicated application on every internal host is time-consuming, and on large heterogeneous networks with different hardware platforms and operating systems it is error-prone.
Because each packet is processed by software running at the application layer, host performance is affected: each packet passes twice through the whole protocol stack and must be processed and converted in the user-level environment. The application layer gateway host (whether a bastion host or a dual-homed host) is exposed to the network, so other means such as packet filtering may be needed to protect it.
Bastion host and its application
A bastion host is a firewall host critical to network security; it is the central host of an organization's network security. Because it is so critical, it must be defended thoroughly. This means the bastion host is strictly monitored by the network administrator: the security of its software and system should be reviewed regularly, and its access logs should be inspected to discover potential security vulnerabilities and attempted attacks on it. Dual-homed hosts are an example of bastion hosts because they are essential to the security of the network.
To meet higher security requirements, some manufacturers combine packet filtering and proxy-based methods to form new firewall products. This combination is usually implemented in one of two schemes: the screened host or the screened subnet. In the first scheme a packet filtering router is connected to the Internet and a bastion host is installed on the internal network; the filtering rules on the router are set so that the bastion host is the only node reachable from the Internet, which ensures that the internal network is not attacked by unauthorized external users. The screened subnet method creates an isolated subnet between the Internet and the internal network, separating the subnet from each of them. In the implementation, two packet filtering routers are placed at the two ends of the subnet, forming a demilitarized zone within it: the Internet and the internal network can both reach the screened subnet, but communication straight through the screened subnet from one to the other is prohibited. Internet servers such as WWW and FTP servers are generally placed in this demilitarized zone.
The simplest bastion host configuration
Because the bastion host is the point of contact with the untrusted network, it is the component most likely to be attacked. In the simplest configuration, the bastion host is the single entry point for all communication services coming from the external network.
Screened host gateway
Because the security of the bastion host is critical to the security of the internal network, a further line of defense is often placed between the untrusted external network and the internal network. This first line is usually provided by a screening router. Figure 9 illustrates the use of a screening router as the first line of defense in front of the bastion host. In this example the bastion host has only one network interface, and it is connected to the internal network. One port of the filtering router is connected to the internal network and the other to the Internet. This configuration is called a screened host gateway.
The screening router must be configured so that all traffic it receives from the external network and destined for the internal network is sent to the bastion host. Before forwarding anything to the bastion host, the router applies its own filtering rules to each received packet: only packets that pass the filtering rules are sent on to the bastion host, and all other traffic is rejected. This architecture gives a higher degree of confidence in network security, because an attacker must first get past the screening router and, having done so, must still deal with the bastion host.
The bastion host uses its application-layer functions to decide whether to accept or reject requests coming from, or going to, the external network. A request that passes the bastion host's strict review is forwarded to the internal network; information bound for the external network is forwarded to the filtering router.
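At the router, both the screened subnet of the previous section and the screened host gateway just described come down to an ordered list of packet-filtering rules with an implicit deny at the end. The simulator below is an added example written for this edition, not code from the original article; the addresses, port numbers and rule lists are constructed assumptions chosen to illustrate the two designs (10.0.0.0/8 as the internal network, 192.0.2.0/24 as the screened subnet, 203.0.113.x as an outside host).

```python
"""Packet-filter simulator for the screened host and screened subnet designs."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addresses for the example (assumptions, not from the article).
INTERNAL = ip_network("10.0.0.0/8")          # protected internal network
DMZ = ip_network("192.0.2.0/24")             # screened subnet (demilitarized zone)
ANY = ip_network("0.0.0.0/0")
BASTION_HOST = ip_network("10.0.0.10/32")    # bastion on the internal net (screened host)
DMZ_BASTION = ip_network("192.0.2.10/32")    # bastion inside the DMZ (screened subnet)
DMZ_WWW = ip_network("192.0.2.80/32")
DMZ_FTP = ip_network("192.0.2.21/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"
    dport: Optional[int] = None  # None matches every destination port


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Screened host gateway: the screening router lets outside hosts reach only the
# bastion host (here for SMTP, HTTP and FTP control); no other internal host is
# reachable from outside, and internal hosts must go through the bastion proxy.
SCREENED_HOST_ROUTER = [
    Rule("permit", ANY, BASTION_HOST, "tcp", 25),
    Rule("permit", ANY, BASTION_HOST, "tcp", 80),
    Rule("permit", ANY, BASTION_HOST, "tcp", 21),
    Rule("permit", BASTION_HOST, ANY),            # traffic the bastion originates as a proxy
    Rule("deny", ANY, INTERNAL),                  # explicit: no direct access to internal hosts
]

# Screened subnet: two routers. The outer one admits outside traffic only into
# the DMZ; the inner one admits only internal<->DMZ traffic. Neither router has
# a rule that lets a packet pass straight from the Internet to the internal network.
OUTER_ROUTER = [
    Rule("permit", ANY, DMZ_WWW, "tcp", 80),
    Rule("permit", ANY, DMZ_FTP, "tcp", 21),
    Rule("permit", ANY, DMZ_BASTION, "tcp", 25),
    Rule("permit", DMZ, ANY),                     # traffic originated by DMZ hosts
    Rule("deny", ANY, ANY),
]
INNER_ROUTER = [
    Rule("permit", INTERNAL, DMZ),
    Rule("permit", DMZ_BASTION, INTERNAL),        # only the bastion may reach inward
    Rule("deny", ANY, ANY),
]


def zone(addr: str) -> str:
    ip = ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "external"


def screened_subnet_decision(pkt: Packet) -> str:
    """A packet is forwarded only if every router on its path permits it."""
    zones = {zone(pkt.src), zone(pkt.dst)}
    if len(zones) == 1:
        return "permit"                           # same zone: no router on the path
    routers = []
    if "external" in zones:
        routers.append(OUTER_ROUTER)
    if "internal" in zones:
        routers.append(INNER_ROUTER)
    decisions = [filter_packet(r, pkt) for r in routers]
    return "permit" if all(d == "permit" for d in decisions) else "deny"
```

Two things worth checking against this model. First, an outside packet addressed to any internal host other than the bastion, or to the bastion on a port it does not proxy, is dropped by the screening router before the bastion ever sees it, which is the "must first pass the router" property described above. Second, the model is stateless: it says nothing about return packets to connections the bastion itself opened (a real screening router handles those with a rule on the TCP ACK or "established" condition), so a ruleset written like this one must be extended before it is put on a real router.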
3. Conclusion
The analysis of packet filtering and proxy-based access above shows that both approaches have their deficiencies, so other firewall models are being sought, such as network address translators (NAT), encrypting routers (Encrypting Router), authentication tokens, secure kernels, least privilege, and so on. In short, a good firewall should combine high security, high transparency and high network performance. Other computer network security technologies are also being developed, such as encryption, the enhanced Internet super-server xinetd (Extended Internet Services Daemon) and Ethernet sniffers. Many free firewall products and tools are available on the Internet, for example the TIS Internet Firewall Toolkit (FWTK) developed by TIS (Trusted Information Systems, Inc.), the general-purpose proxy service system SOCKS, the TAMU network security system and KarlBridge. With the rapid development of the Internet, firewall technology has attracted wide attention from all sides. Domestically, some research has been done on the one hand to follow the development of information security and firewall technology abroad; on the other hand, in practice the most common approach is to rely on the router to provide security guarantees, and in-depth understanding of the other techniques is lacking. Firewall technology is still in a development stage and many problems remain to be solved. Paying close attention to the latest developments in firewalls is therefore of real significance for the healthy development of the Internet in our country.