Firewall switch mode and routing mode (reposted from Green Alliance)


FONG

Published in: 2003-06-27 10:36 Reply Posting: 34 Registration: 2002-08-12

What is the difference between the two in performance and security? Let's discuss it.

Nanyang Rock Ice

Published in: 2003-06-27 11:45 Reply Posting: 3741 Registration: 2001-03-28

[Removed] Deleted by Nanyang Rock Ice on 2003-06-29 11:23:50

--- I have been drunk for the plum. Beauty tall sleeves. Light red, wrote, and lingering. People are old, things are not. I don't drink tears before it. Now but want to close the door, a plum blossoms make snow.

Powdera

Published in: 2003-06-27 13:50 Reply Posting: 36 Registration: 2002-11-16

Switch mode works on the transparent bridge principle, so the firewall is equivalent to a Layer 2 switch in the network. In routing mode a routing module is at work, and the firewall acts as a router in the network. Both inspect the packets passing through them, and their stateful inspection capability should be the same. On performance: although routing mode adds the overhead of a routing table, in a relatively simple network the routing table is small and the performance difference is not large. On security: in addition, if you need NAT, routing mode is the more reasonable choice. That is all I can think of for now.

Powdera

Published in: 2003-06-27 14:21 Reply Posting: 36 Registration: 2002-11-16

Quote (Nanyang Rock Ice @ 2003-06-27 11:45)

It should be an interactive mode: data arrives - inspection - judgment - a challenge response is given. In routing mode: data arrives - route lookup - forwarding.

Nanyang Rock Ice's explanation is quite novel. So this is how the basic technology of the firewall is understood ... So this is the theoretical level at which people domestically are building so-called switch-mode firewalls ... That is a bit far-fetched ...

Nanyang Rock Ice

Published in: 2003-06-27 14:33 Reply Posting: 3741 Registration: 2001-03-28

To be honest... If you do transparent bridge forwarding, the data frame passing through the firewall is only subject to a switching function, so that is not what you want. Isn't it based on a routing function????? If the judgment is made by state-based SPI technology, is there not a challenge returned from the internal policy module? Also, routers can do NAT as well, so why pay for a firewall? Edited by Nanyang Rock Ice 2003-06-27 15:23


FONG

Published in: 2003-06-27 15:39 Reply Posting: 34 Registration: 2002-08-12

1. I have also often heard that a firewall in switch mode "is equivalent to a Layer 2 switch in the network", but I feel its implementation differs from a switch. I remember that switch mode is implemented with proxy ARP, and some firewalls also set routes in switch mode.
2. Whether in switch mode or routing mode, the firewall processes network-layer, transport-layer and application-layer data for certain functions, and its stateful inspection is the same, so these factors do not seem to affect the security or performance of either. On security, routing mode can also be configured so that the outside world cannot access the firewall. I seem to have heard that routing mode is safer than switch mode, but that person could not say why.

Powdera

Published in: 2003-06-27 16:42 Reply Posting: 36 Registration: 2002-11-16

Switch mode generally works on the same principle as a Layer 2 switch, managing the MAC tables of its ports, so it is truly transparent at the IP layer, and this "transparency" is its benefit: besides its own security, it is easy to install into the network, you could say, wherever you like. Routing mode is different, and the routing tables have to be changed; if there is dynamic routing in the network it is troublesome. As for the firewall's own security, I think the difference is not big, and if a vendor's product cannot protect its own security, what kind of firewall is it? Yes, there is a slight difference in application-layer processing: in a transparent mode with no IP address, some proxies cannot run, and an IP address is needed. To Nanyang Rock Ice: whether security is good or bad has nothing to do with the working mode; even in transparent bridge mode it still does stateful inspection and can still filter. Conversely, if the filtering is not solid, then whether it is a bridge, a router, or some kind of GAP switch, there is no security effect.

As for NAT, this is a feature a firewall must have. Whether anyone buys a firewall for NAT rather than a router, I don't know, but I do know that the NAT of an ordinary router is not as good as a firewall's, neither in performance nor in the range of protocols supported. As for how Cisco routers compare, you can find out by looking carefully at PIX.

Nanyang Rock Ice

Published in: 2003-06-27 16:53 Reply Posting: 3741 Registration: 2001-03-28

Layer 2 switching is nothing more than protocol handling at the LLC sublayer and dealing with MAC problems within the collision domain. On that basis I don't see where a firewall can go. Configuring NAT on Cisco is troublesome, but not that bad. Isn't a firewall doing NAT based on routing mode? On the NAT issue I still favour the router without considering the firewall. Although some people make NAT firewall products for users with especially large networks, that is only load sharing. Technical discussion is welcome; personal attacks are rejected.... Thank you for your pointers...


Antiacurity

Published in: 2003-06-27 17:07 Reply Posting: 600 Registration: 2002-08-02

In terms of security the router falls short of the firewall: its ACLs are based on simple packet filtering and are somewhat fragile in the face of higher-level attacks, and if the IOS is upgraded, the router's own hardware configuration is not suited to large amounts of packet filtering, resulting in a need for more hardware that costs even more than a firewall. That is not suitable for customers, and a large number of complex access rules is not acceptable at the command line.

Hellotoo

Published in: 2003-06-27 17:24 Reply Posting: 231 Registration: 2002-09-23

In NetScreen and other firewalls, switch mode is a completely transparent bridge, so you cannot manage the DMZ zone; but with what Lenovo claims is a mixed-mode technology in its firewall, it can manage the DMZ and the intranet while in bridge mode, set various policies, and do PAT, which is more convenient.

--- After all these years, you are still an old pig ...

Nanyang Rock Ice

Published in: 2003-06-29 12:04 Reply Posting: 3741 Registration: 2001-03-28

Who said a router doing NAT is no match for a firewall? I'm getting worked up.... Doing NAT and PAT on Cisco... Making a transparent bridge on the router.... I have tried it, and the results were very good.... Tested against those firewalls, none of them was stronger.... I don't know how the friend above tested and compared the firewall and the router. Can you provide documents such as the test environment and data, and methods such as the reference used for comparison????


VADERYANG

Published in: 2003-06-29 23:34 Reply Posting: 16 Registration: 2002-05-03

Quote (FONG @ 2003-06-27 10:36)

What is the difference between the two in performance and security? Let's discuss it.

A firewall in switch mode is really equivalent to a network-level firewall based on the packet filtering principle / state mechanism, starting from the data link layer; if the firewall supports routing mode, it is equivalent to a router with enhanced filter rules and a state mechanism. Comparing the two overall: switch mode brings convenience in deployment and difficulty in management; of course, if there is additional analysis capability at the DLC, this mode can bring a certain security effect, but a very limited one. Routing mode brings confusion in deployment and difficulty in management. From the standpoint of a company's core business, the firewall should do border security defence; the firewall should be a barrier that blocks specific attacks (stateful filtering, anti-DoS). From the standpoint of high-speed networks, it should be IDP, not firewall.

Jed

Published in: 2003-07-03 16:08 Reply Posting: 6 Registration: 2003-07-03

I think whether to use transparent or routing mode depends on customer needs. Having switch mode, routing mode and mixed mode exists because of market demand; the so-called innovation in pursuing technology is not to standardise but to meet more demand and occupy more of the market. On the three modes above: first of all, in any mode it should still be called a firewall, and since it is a firewall it should have enough inspection capability and create a secure network. Thinking about the problem, I think it comes down to the customer. For example, why transparent? Perhaps because the customer thinks that changing IP addresses or the network will cause trouble. Routing mode is completely isolated from the outside. Why mixed? Perhaps it is also a bit safer, and simpler; customers with complex networks will definitely like it :), for example separating the intranet from the external network while the DMZ keeps public addresses; that is one type. As for the difference between routers and firewalls, I think the strengths of the two together make the network mature. The router has access control lists, but doing routing is more important to it. Although the firewall is also a router, stateful inspection is its main activity. There are many comparisons between the two; I can't list them all. I would rather think of it as comparing a low-end server with a high-spec PC, as in advertising: because the users differ, the choices differ. Ya Qian, ah to ... Edited by JED 2003-07-03 16:11

--- We regard each person on the earth as being on a great adventure; be brave on the earth and expand your life, complete your mission in this great adventure of the Lord's creation of the world.

Icetee

Published in: 2003-07-07 01:07 Reply Posting: 26 Registration: 2003-07-05

Some users' networks have already been set up and running for a long time before they think of security facilities; then they may need transparent mode to control security problems within the same network segment. As for routers and firewalls, in some companies the router administrators and the security administrators are different people, so it is difficult to manage security controls on the router. In particular, in large networks, on some backbone networks, a router with ACLs will see CPU utilisation grow by at least 10% per ACL. Likewise, in a large network, no network planner would be willing to let the firewall take part in the routing protocols.

--- Tears

W1W

Published in: 2003-07-09 07:36 Reply Posting: 248 Registration: 2002-11-21

"Who said a router doing NAT is no match for a firewall? I'm getting worked up.... Doing NAT and PAT on Cisco... Making a transparent bridge on the router.... I have tried it, and the results were very good.... Tested against those firewalls, none of them was weaker.... I don't know how the friend above tested and compared the firewall and the router. Can you provide documents such as the test environment and data, and methods such as the reference used for comparison????"

The types of NAT provided by firewalls are more numerous, while existing routers provide fewer, but the difference is not great. The huge difference is that the firewall is essentially a network edge device; it is best if it supports more application protocols, and stateful inspection itself is important. Whether an edge router supports stateful inspection or only packet filtering is a fairly difficult router design choice: if it supports stateful inspection at the expense of routing, the routing protocols suffer; routing on the backbone should never support stateful inspection, and should not even support NAT. For routers deployed at the edge, either they get strong NAT and firewall functions, or the firewall gets routing capability and replaces the edge router; the merging of the two is a foreseeable result. For edge routers that currently only support packet filtering, a firewall has to be added. There are many ways to get past a packet filter; the insecurity of packet filters has been discussed for ten years, search Google.

"From the standpoint of high-speed networks, it should be IDP, not firewall???" IDP needs to consume a large amount of computing resources to do deep parsing of high-level application protocols on the path; current gigabit IDS cannot reach line rate, so how could IDP? On the contrary, for low-speed networks IDP can be tried, but pay close attention to the impact of abnormal network traffic on the IDP. Edited by W1W 2003-07-09 08:22

FONG

Published in: 2003-07-09 08:36 Reply Posting: 34 Registration: 2002-08-12

When NAT sets up a connection it has to write, not just read as in plain forwarding. This is where a good firewall shows: I have tried doing NAT, and doing NAT with NetScreen, and in application NetScreen felt fast. Edited by FONG 2003-07-09 08:36

Nanyang Rock Ice

Published in: 2003-07-09 13:12 Reply Posting: 3741 Registration: 2001-03-28

NAT maintains a state table to map illegal IP addresses to legitimate IP addresses. Each packet is translated into the correct IP address in the NAT device and sent on to the next hop. In this case, for PC-architecture firewalls, the CPU is a serious bottleneck, whereas NetScreen firewalls use custom hardware, including ASIC chips and RISC processors, whose processing speed is much higher than that of the industry-standard architecture, so the comparison is not fair. And comparisons between different chosen device series are of course different.

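Nanyang Rock Ice above (and Powdera further down the thread) describe NAT as a state table that rewrites every packet, not a plain address swap. The following Python model is an added example, not code from any poster or vendor: it keeps an explicit per-session table for one public address, reuses the port for a known flow, returns replies to the inside host, drops unsolicited inbound packets, and drops new flows when its (constructed, tiny) port pool is exhausted. Addresses are RFC 5737 documentation ranges chosen for the demo.

```python
"""Toy NAPT (port address translation) gateway with an explicit session table.

Added example; not any poster's or vendor's code. Addresses come from the
RFC 5737 documentation ranges and the port pool is constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptGateway:
    """Maps (proto, inside source, outside destination) flows to ports on one public IP."""

    def __init__(self, public_ip: str, first_port: int = 10000, last_port: int = 10009):
        self.public_ip = public_ip
        self.free_ports: List[int] = list(range(first_port, last_port + 1))
        # session table: 5-tuple of the inside flow -> allocated public port
        self.sessions: Dict[tuple, int] = {}
        # reverse table: (proto, public port, remote ip, remote port) -> inside endpoint
        self.reverse: Dict[tuple, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; allocate a session on first sight."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.sessions.get(key)
        if port is None:
            if not self.free_ports:
                return None  # port pool exhausted: the gateway has to drop the packet
            port = self.free_ports.pop(0)
            self.sessions[key] = port
            self.reverse[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; drop anything without a matching session."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.reverse.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited: no session entry, so there is nowhere to deliver it
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])

    def close(self, pkt: Packet) -> None:
        """Tear down the session of an inside flow and return its port to the pool."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.sessions.pop(key, None)
        if port is not None:
            del self.reverse[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)]
            self.free_ports.append(port)


def demo() -> Dict[str, Optional[Packet]]:
    """Walk two inside hosts through the gateway and return what each step produced."""
    gw = NaptGateway("203.0.113.1")
    web_ip, web_port = "198.51.100.5", 80
    a = Packet("tcp", "192.168.1.10", 40000, web_ip, web_port)
    b = Packet("tcp", "192.168.1.11", 40000, web_ip, web_port)  # same source port as host A
    out_a = gw.outbound(a)                      # first flow gets port 10000
    out_b = gw.outbound(b)                      # second flow gets port 10001
    reply_a = gw.inbound(Packet("tcp", web_ip, web_port, "203.0.113.1", out_a.src_port))
    stray = gw.inbound(Packet("tcp", web_ip, web_port, "203.0.113.1", 10009))  # no session
    gw.close(a)
    late = gw.inbound(Packet("tcp", web_ip, web_port, "203.0.113.1", out_a.src_port))
    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a, "stray": stray, "late": late}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```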

Powdera

Published in: 2003-07-10 23:00 Reply Posting: 36 Registration: 2002-11-16

Quote (Nanyang Rock Ice @ 2003-07-09 13:12)

NAT maintains a state table to map illegal IP addresses to legitimate IP addresses. Each packet is translated into the correct IP address in the NAT device and sent on to the next hop. In this case, for PC-architecture firewalls, the CPU is a serious bottleneck, whereas NetScreen firewalls use custom hardware, including ASIC chips and RISC processors, whose processing speed is much higher than that of the industry-standard architecture, so the comparison is not fair. And comparisons between different chosen device series are of course different.

NAT is never as simple as "address translation": there is a connection table or port allocation table, otherwise packets would not be translated correctly. And if you want to track application protocols, you have to parse the dynamic connections of the application layer, the simplest being the establishment of FTP data connections, and complex ones such as video and audio applications. The router's main processor is very weak, and everything mentioned above needs the main processor to complete it, so its performance being very ordinary and the supported applications being very ordinary is only natural.

Powdera

Published in: 2003-07-10 23:07 Reply Posting: 36 Registration: 2002-11-16

Quote (Nanyang Rock Ice @ 2003-07-09 13:12)

NAT maintains a state table to map illegal IP addresses to legitimate IP addresses. Each packet is translated into the correct IP address in the NAT device and sent on to the next hop. In this case, for PC-architecture firewalls, the CPU is a serious bottleneck, whereas NetScreen firewalls use custom hardware, including ASIC chips and RISC processors, whose processing speed is much higher than that of the industry-standard architecture, so the comparison is not fair. And comparisons between different chosen device series are of course different.

PIX is PC-architecture and its performance is no worse than NetScreen's. The ASIC content of NetScreen is large; as for RISC, there is nothing to show for it.

arrow

Published in: 2003-07-11 09:01 Reply Posting: 346 Registration: 1999-11-16

PIX is indeed PC-architecture, but its performance compared with NetScreen... Can you tell us more about that?

--- Tao Li Chunfeng a glass of wine river night rain ten years light

Nanyang Rock Ice

Published in: 2003-07-11 10:28 Reply Posting: 3741 Registration: 2001-03-28

There is a module called FWSM on the Cisco 6500 series switches. That one is a hardware module. Ha ha. Although the core of PIX uses a stripped-down / hardened OS, it should be compared with Checkpoint.. If NetScreen is compared with FWSM... then there's a good show. I hope someone can get hold of one...


Killgo

Published in: 2003-07-12 22:39 Reply Posting: 39 Registration: 2002-08-18

How come a security product forum has a group of people doing firewalls who take such a light view of how well a router understands the network? As I understand firewalls: a firewall can replace a router, but a router cannot replace a firewall. When your network needs the access device to do NAT in transparent mode, a router cannot do it, because many manufacturers' firewalls support NAT in transparent mode. On performance: once a router turns on access control lists, its performance drops, and NAT is not routing; all of the router's routing and forwarding is its livelihood. Whether the firewall is in transparent mode or routing mode has no impact on the firewall's functions and security. Cisco's PIX series firewalls are also OEMed from others, and Cisco recently announced the upgrade of the PIS530 and earlier versions. As for the FWSM on the 6500, an IOS module, functionally it cannot compare with Checkpoint. There is no need for NetScreen to chase the FWSM. If you compare on price for performance, know that a 6500 is more expensive than a NetScreen firewall. Edited by Killgo 2003-07-12 22:40

--- I only have two days: one day used for death; one day used for fantasy, one day used for despair; one day used to think of you, another day to miss you.

Compaq

Published in: 2003-07-21 14:23 Reply Posting: 5 Registration: 2003-07-21

I agree with the views of FONG and Powdera! It's really dizzying that brother Nanyang has provoked such a low-level debate. In fact, I don't know whether even IDS could save him!!! How could transparent mode fail to accomplish the firewall's functions? It just does less work; aren't the source and destination addresses and the ports still analysed? As for NAT, it depends on whether development is willing to put in the effort: you have the MAC, IP and TCP information, and NAT is nothing more than maintaining a session.

Sanhui

Published in: 2003-07-24 15:30 Reply Posting: 3 Registration: 2003-07-24

A firewall can replace a router, but a router cannot replace a firewall! Although the router has policy routing, it is limited to packet filtering and its security is very low. Although the firewall has a routing function, all firewalls can only route within IP networks, i.e. both the internal and external networks are IP networks. Connecting two different kinds of networks requires a router (such as connecting an IP network to an ATM network, etc.).

Amaranten

Published in: 2003-07-30 15:15 Reply Posting: 4 Registration: 2003-07-30

Yes, only a specialised product is best!

Boxer2000

Published in: 2003-08-01 16:19 Reply Posting: 83 Registration: 2002-12-27

As a layman, let me also ask everyone a few questions: 1. Why would you buy a firewall? 2. Why does a firewall support transparent mode? 3. Why does a firewall support routing mode? 4. Some firewalls support both routing and transparent mode; why? I'll tell you: because the environment needs it. As for a router replacing a firewall to do NAT, I have no objection; I just want to ask brother Nanyang, aren't you against security products?

--- Qianjiang has a river, thousands of miles!

Dibotiger

Published in: 2003-08-06 11:34 Reply Posting: 84 Registration: 2002-09-23

Oh, let me answer the question above. Buying or selling firewalls is social consumption; it lets everyone live better. As for the technology question, TMD, in China it's rubbish. No need to compete here over who is more lowly. In China, the earlier network model put a Cisco router in front of almost 90% of end users, huh, so the router created 'social wealth'; now, can you say those routers were necessary? So the firewall is the same; it is only what it is, and it is also the land we look to.

Nanyang Rock Ice

Published in: 2003-08-06 12:57 Reply Posting: 3741 Registration: 2001-03-28

I don't dare to oppose the fat-or-thin question, but I do strongly call for product specialisation. Fat and thin are market needs, and the difference lies in the understanding of the person who chooses the product, which is caused by knowledge not being widespread. Specialisation is different: specialisation is a question of technical refinement based on standards. In quantity we ask for requirements; in refinement we ask for professionalism; such a product is a real product we can take anywhere in the four seas. Chinese people are calling for brands, but where can the brand be reflected? Use specialisation to create quality products and build China's brand. While we deliver rubbish, we will always be watching for quality products to appear.


Dibotiger

Published in: 2003-08-06 17:30 Reply Posting: 84 Registration: 2002-09-23

Nanyang Rock Ice, are you in technology? Or in marketing? Or in national macro-regulation? Or even a nationalist? Haha. If you are in technology, your writing is too lyrical.

Nanyang Rock Ice

Published in: 2003-08-12 08:06 Reply Posting: 3741 Registration: 2001-03-28

I got carried away... Since we're talking, let's continue.... On routing mode: everyone knows that how a router decides where a packet goes is based on the two basic protocol families, LS and DV, both of which find the best route to the destination based on metrics.. If a firewall works based on such protocols, how does it achieve transparency?


L0OP8Ack

Published in: 2003-08-26 14:50 Reply Posting: 33 Registration: 2003-04-22

"How a router decides where a packet goes is based on the two basic protocol families, LS and DV" - it is decided according to the routing table in its memory; LS and DV are only two kinds of methods for maintaining the routing table, and there are other ways, such as manual addition (static). "Both of which find the best route to the destination based on metrics" - since we are using the English terms, DV uses "metric" more, whereas LS is more often described with "cost". "If a firewall works based on such protocols, how does it achieve transparency?" - If a device forwards based on this kind of protocol, then obviously it is already working in routing mode, so what is there to discuss about transparent or opaque? Laughable. The router focuses on IP-layer security, such as access control between IP network segments and restrictions on accessed packets / types, while the firewall pays more attention to application-layer security. The popular interpretation of NAT should be that it provides address translation for a session, not for an IP. An obvious example: you can specify that for one IP, some sessions are NATed and others are not, controlled with an access list. That means the router's granularity is IP [protocol] [protocol port]; this resolution is still very weak. Edited by L0OP8ACK 2003-08-26 14:57

--- Amid falling flowers one stands alone; in fine rain, swallows fly in pairs.

Please cite the original address when reposting: https://www.9cbs.com/read-83022.html
