Traditional firewall technology developed from a default assumption: as a boundary protection device, the object it protects is a network (generally an internal network) together with the access points between different networks. Provided the boundary of that network is fully enumerated, with no bypasses or backdoors, deploying the firewall on this defensive boundary to monitor all traffic between inside and outside was expected to give protection in the manner of "one man holding the pass, ten thousand cannot get through".
However, new network infrastructure, together with the emergence of new network applications and new network computing models, has posed severe challenges to firewalls, and the forms of attack and threat that penetrate firewalls are endless. In 2003 an authority in the international security field put forward the view that "the firewall is an outdated defense technology".
Mobile users
In an increasing number of applications, users need to access sensitive data from any location. A firewall at the network boundary can only protect mobile users by way of authentication programs or other mechanisms.
Internal threats
The original intent of firewall design was to protect the internal network from external attack, so by default the internal network is treated as a trusted network. This design principle no longer fits current needs: attacks or attempted attacks originating from within the local area network have become an important threat to network security. In addition, if a bypass appears in the trusted network, for example if dial-up is allowed, an internal host can circumvent the firewall and connect directly to the untrusted Internet, leaving a gap in the firewall's defensive boundary.
Active Content
Messaging software and the widely popular ActiveX controls, JavaScript, and other active content in web browsers pose challenges to the protection of the trusted network. The runtime environments of these controls or applets always claim to be secure, but because of the complexity of their design and development, vulnerabilities and their malicious exploitation cannot in practice be avoided.
IM and P2P applications
IM software such as MSN allows users to distribute text files and data files, and a sender can carry out malicious actions on the recipient's computer. In P2P applications such as BT software, a user allows others to enter their own hard drive and copy a specific shared file. These applications provide a kind of virtual private channel between the two ends of the communication and their protocols, bringing hidden dangers such as data leaks, virus infections, and the spread of backdoor programs.
This reality forces people to understand the essence of firewalls more deeply, to recognise the limitations of traditional firewall technology, and to look for new technological breakthroughs. The crux of the problem is: what, in the end, is the object that needs to be protected? And what form should the security defense boundary enforced by a firewall take?
In the traditional conception, dividing the network into internal and external, trusted and untrusted zones is in fact a division based on the physical structure of the network: the system decides which zone a host belongs to according to the IP address of the protected host and its network environment, and the firewall formulates rules and implements access control based on the source address, destination address and other information in the packet. The firewall protects the internal local area network, and its security border is the physical boundary of the LAN.
What really needs protection is data, information and control capabilities. Unlike security domains composed of physical devices, these are identified by security level rather than by physical location, and such a security domain must be thought of as a logical concept. Its border is accordingly called the "logical boundary".
When the physical boundary of a security domain coincides with its logical boundary, a traditional firewall based on the physical boundary can meet the security needs. Once the physical boundary and the logical boundary diverge, that is, once data, information or control flows cross the physical border, the traditional firewall can no longer meet the protection needs. To protect sensitive objects, data, information and control capabilities effectively, the protective border must always be attached to the logical boundary, and that is where the firewall device should be deployed.
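The following is an added illustration, not code from the original article: it models the two decision rules the text contrasts. The physical-boundary rule derives a host's zone from its IP address and trusts anything that originates inside the LAN; the logical-boundary rule compares the security level of the data with the clearance of an authenticated identity, regardless of where the request comes from. The address plan, subjects, data object and security levels are constructed for the example; the scenarios show where the two rules agree (boundaries coincide) and where they diverge (the insider and mobile-user cases from the article).

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the example; the article gives no addresses.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def zone_of(addr: str) -> str:
    """Traditional firewall: a host's zone is read off its IP address."""
    return "internal" if ipaddress.ip_address(addr) in INTERNAL_NET else "external"


def physical_boundary_decision(src_ip: str) -> bool:
    """Classic perimeter rule: sessions originating inside the LAN are trusted,
    sessions originating outside are dropped. Only packet addresses are consulted."""
    return zone_of(src_ip) == "internal"


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int        # highest security level this identity may read
    authenticated: bool   # identity proven, e.g. by an authentication program


@dataclass(frozen=True)
class DataObject:
    name: str
    level: int            # security level of the data, wherever it is stored


def logical_boundary_decision(subject: Subject, obj: DataObject) -> bool:
    """Logical-boundary rule: access depends on the security level of the data
    and on the identity making the request, not on the network it came from."""
    return subject.authenticated and subject.clearance >= obj.level


def evaluate(src_ip: str, subject: Subject, obj: DataObject) -> dict:
    """Run both rules on one request and report whether they agree."""
    physical = physical_boundary_decision(src_ip)
    logical = logical_boundary_decision(subject, obj)
    return {"physical": physical, "logical": logical,
            "boundaries_coincide": physical == logical}


# Constructed scenarios (hypothetical identities and data).
PAYROLL = DataObject("payroll-db", level=3)
INTERN = Subject("intern", clearance=1, authenticated=True)
CFO = Subject("cfo", clearance=3, authenticated=True)
STRANGER = Subject("unknown", clearance=0, authenticated=False)

SCENARIOS = {
    "insider_on_lan": ("10.0.5.7", INTERN, PAYROLL),         # physical allows, logical denies
    "mobile_user_remote": ("203.0.113.9", CFO, PAYROLL),     # physical denies, logical allows
    "cfo_on_lan": ("10.0.5.8", CFO, PAYROLL),                # both allow: boundaries coincide
    "stranger_remote": ("198.51.100.4", STRANGER, PAYROLL),  # both deny: boundaries coincide
}


def run_all() -> dict:
    """Evaluate every scenario; the divergent cases are the article's point."""
    return {name: evaluate(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:20s} {result}")
```

The two divergent scenarios are exactly the gap the article describes: an address-based rule cannot see that the intern on the LAN is reading above their level, and it has no way to admit the authenticated executive who is off-site, because in both cases the data's logical boundary no longer lies on the LAN's physical boundary.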