As computer technology has spread, the operation of every organization has become increasingly dependent on it, and business now runs on a variety of architectures in modern network environments. Enterprise computer systems are highly information-intensive, their network applications are more advanced, and their business depends more and more on the computer. Ensuring that business systems and daily work run normally, reliably and safely is therefore an important topic of information-system work. However, security threats to computer systems have caused major economic losses to organizations. These losses can be divided into direct and indirect losses: direct losses are the economic losses caused by the incident itself; indirect losses include lowered work efficiency, disclosure of confidential information, abnormal system behaviour, the cost of repairing the system, and the resulting interruption of work. Indirect losses are often difficult to measure. Among all computer security threats, external intrusion and illegal access are the most serious.
First, the firewall concept
The rapid development of the Internet provides a place to publish and retrieve information, but it also brings the risk of information pollution and information failure, so people deploy firewalls to protect their data and resources. A firewall is essentially a protection device that protects data, resources, and users.
The firewall was originally designed to prevent fire from spreading from one building to another. In theory, an Internet firewall serves a similar purpose: it prevents dangers on the Internet (or external network) from spreading into the interior of the network. An Internet (or external network) firewall serves several purposes:
1. Restrict people to entering through one carefully controlled point;
2. Prevent intruders from getting close to your defense facilities;
3. Restrict people to leaving through one carefully controlled point;
4. Effectively prevent attackers from damaging your computer system.
The firewall is usually installed at the node where the internal network connects to the Internet (or external network).
(1) Advantages of the firewall
1. The firewall strengthens the security policy
Because millions of people collect and exchange information on the network, and some of them will inevitably have bad intentions or violate the rules, the firewall acts as a "traffic police" that prevents bad behaviour: it enforces the site's security policy and allows only "approved" requests that comply with that policy.
2. The firewall can effectively record activity on the network
Because all access and information transfer must pass through the firewall, the firewall is an ideal point for collecting information about system and network usage and misuse. As the single point of access, the firewall can record all traffic between the protected network and the external network.
3. The firewall limits the points of exposure
The firewall can be used to separate two network segments within a network, which prevents a problem affecting one segment from propagating across the entire network.
4. The firewall is an inspection station for the security policy
All information that is accessed must pass through the firewall, so the firewall becomes a checkpoint for security issues, where suspicious access is rejected at the door.
(2) Shortcomings of the firewall
The disadvantages of the firewall are mainly the following.
1. It cannot prevent malicious insiders
The firewall can prohibit system users from sending proprietary information through network connections, but users can copy data to disk or tape and carry it out in a briefcase. If the intruder is already inside the firewall, the firewall can do nothing. Internal users can steal data, destroy hardware and software, and subtly modify programs without ever approaching the firewall. Threats from insiders can only be addressed by internal management, such as host security and user education.
2. It cannot prevent connections that do not pass through it
The firewall can effectively control information that passes through it, but it cannot prevent information that is not transmitted through it. For example, if the site allows dial-up access to internal systems behind the firewall, the firewall has absolutely no way to prevent an intruder from dialling in.
3. It cannot prevent all threats
The firewall is used to prevent known threats. A well-designed firewall can prevent some new threats, but no firewall can automatically defend against all new threats.
4. The firewall cannot prevent viruses
Firewalls generally do not eliminate viruses on the network.
Second, firewall technology
When network security is mentioned, the first thing people think of is the firewall. A firewall system is aimed at external attack; once an external intruder has entered the system, they are no longer subject to any blocking. Authentication is similar: once an intruder has defeated the authentication system, they become internal personnel.
The basic types of firewall are: the packet filter type, the proxy service type, and the stateful packet filter type (a composite type).
(1) Packet filter type firewall
Packet filtering is usually installed on the router, and most commercial routers provide packet filtering. Packet filtering is a security mechanism that controls which packets may enter and leave the network and which packets should be rejected.
Although there are many applications on the network, the final unit of transmission is always the packet, mainly because the network must provide shared service to multiple systems. For example, during a file transfer the file must be divided into small packets, each transmitted separately. In addition to the data it carries, each packet contains the source address, the destination address, and similar information.
Packets are forwarded by the routers in the Internet from the source network to the destination network. When a router receives a packet it knows where the packet is going, and it queries its own routing table. If there is a route to the destination, it sends the packet to the next router or onto the next network segment; otherwise the packet is dropped. Unlike a plain router, a packet filtering firewall must not only judge whether there is a route to the destination network segment, but also decide whether to forward the packet according to a set of packet filtering rules.
1. Working mechanism
Packet filtering technology can allow or prohibit certain packets from being delivered on the network, based on the following judgements:
Judging the destination address of the packet
Judging the source address of the packet
Judging the transport protocol of the packet (port number)
Generally, packet filtering does not concern itself with the specific content of the packet. Packet filtering can only perform operations like the following: do not let any workstation log in from the external network; allow any workstation to use SMTP to send email into the internal network.
However, packet filtering cannot perform operations like the following: allow users to use FTP but restrict them to reading files and not writing them; allow one user to log in over Telnet while not allowing other users to do so.
The packet filter system works at the IP layer and TCP layer of the network rather than the application layer, so it cannot filter at the application layer. Taking FTP as an example, the FTP file transfer protocol contains many specific operations, such as read, write, delete and so on. Furthermore, the packet filter system cannot identify user information in the packet.
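As an added example (not code from the original article), the following stateless packet filter decides on IP/TCP header fields only, as the mechanism above describes. It encodes the two policies the text says packet filtering can express (no external login, SMTP allowed into the mail host) and then shows why the FTP read-only policy cannot be expressed: the addresses, rules and packets are constructed, and the payload is never consulted.

```python
"""Added example (not from the original article): a minimal stateless packet
filter that decides on IP/TCP header fields only. Addresses, rules and
packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")      # assumed internal address range
MAIL_HOST = ip_address("10.0.0.25")          # assumed internal SMTP server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    payload: bytes = b""       # on the wire, but never examined by the filter


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src_net: str                     # CIDR; "0.0.0.0/0" matches any source
    dst_net: str
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


# The policy from the text: no login (Telnet/23) from outside to any internal
# host, but any host may deliver mail (SMTP/25) to the internal mail server.
# First matching rule wins; the last rule is the default deny.
RULES: List[Rule] = [
    Rule("deny", "0.0.0.0/0", str(INTERNAL_NET), "tcp", 23),
    Rule("allow", "0.0.0.0/0", f"{MAIL_HOST}/32", "tcp", 25),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return 'allow' or 'deny' using only the IP/TCP header fields."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"   # unreachable with the default rule, kept as a safe fallback


def ftp_read_vs_write() -> Tuple[str, str]:
    """Why a stateless filter cannot enforce 'FTP read-only': a RETR (read)
    and a STOR (write) command travel in packets with identical headers, so
    both get the same verdict whatever the payload says."""
    read = Packet("203.0.113.7", "10.0.0.21", "tcp", 21, b"RETR report.txt\r\n")
    write = Packet("203.0.113.7", "10.0.0.21", "tcp", 21, b"STOR upload.bin\r\n")
    rules = [Rule("allow", "0.0.0.0/0", "10.0.0.21/32", "tcp", 21)] + RULES
    return filter_packet(read, rules), filter_packet(write, rules)


if __name__ == "__main__":
    telnet = Packet("203.0.113.7", "10.0.0.5", "tcp", 23)
    smtp = Packet("203.0.113.7", str(MAIL_HOST), "tcp", 25)
    print("telnet from outside:", filter_packet(telnet))   # deny
    print("smtp to mail host:", filter_packet(smtp))       # allow
    print("ftp read / write:", ftp_read_vs_write())        # ('allow', 'allow')
```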
2. Performance characteristics
Because the packet filter firewall works at the IP and TCP layers, it processes packets faster than a proxy service type firewall.
It provides transparent service; users do not have to change their client programs.
Because it only involves the TCP layer, its security is very low compared with the proxy service type firewall.
User authentication is not supported: the packet only carries information about which machine it came from, not which user.
It does not provide logging functionality.
A typical representative of the packet filter firewall is the early Cisco PIX firewall.
(2) Proxy service firewall
A proxy service system is generally installed and run on a dual-homed host. A dual-homed host is a host whose routing function has been disabled, so that the external network and the internal network connected to it are disconnected at the network layer. The purpose is to make it impossible for the external network to learn the topology of the internal network. This is clearly different from the packet filter firewall. In terms of logical topology, the proxy service firewall is more secure than the packet filter type.
Since the internal and external networks are disconnected at the network layer, application communication between them must go through the application layer. The proxy system works at the application layer: it is an intermediary between the client and the real server, it fully controls the traffic between them, and it records that traffic. Currently, proxy service type firewall products generally also include packet filtering functions.
1. Working mechanism
The proxy service firewall processes received packets in the following steps:
Receive the packet
Check the source address and destination address
Check the request type
Call the corresponding program
Process the request
Below, we use an external host accessing a host in the internal network by Telnet as an example to describe these standard steps in detail.
Receive the packet
The router of the external network routes requests from external hosts for internal network resources to the external network card of the firewall. Similarly, hosts in the internal network route requests for external network resources to the internal network card of the firewall through the routing information in the internal network.
In this example, when an external network user requests access to a host in the internal network through Telnet, the routing information delivers the request to the external network card of the firewall.
Check the source address and destination address
Once the firewall receives the packet, it must determine how to handle it. First, the firewall checks the source address in the packet together with the network card on which the packet was received. This is to determine whether the packet is spoofing an IP address: for example, if the source address of a packet received from the external network is found to be within the address range of the internal network, this is address spoofing, and the firewall refuses to process the packet further and records the event in the log.
Next, the firewall checks the destination address in the packet and determines whether the packet needs further processing. This is similar to packet filtering: it checks whether the destination address is allowed to be accessed.
In this example, the Telnet destination address is a host on the internal network, the firewall received the Telnet request through its external network card, and there is no address spoofing in the request packet, so the firewall accepts the packet.
Check the request type
The firewall checks the content of the packet (the requested service port number) against the rules already configured in the firewall to determine whether the corresponding service is provided for that packet. If the firewall does not provide a service for the requested port number, the attempt is recorded as a potential threat and the request is rejected.
In this example, the content of the packet indicates that the requested service is Telnet, that is, port number 23, and the firewall's configured rules support such requests.
Call the corresponding program
Since the firewall supports the requested service, it uses its other configuration information to hand the request to the corresponding proxy service.
In this example, the firewall passes the Telnet request to the Telnet proxy.
Process the request
Now the proxy service responds to the request in place of the destination host, using the same protocol as the application request. The requesting application believes it is conversing with the target host.
Then the proxy service uses its other network card to send the application request to the target host, substituting its own identity for the client's. If the application request succeeds, the application connection between the client and the target host has been successfully established. Note that with a proxy service type firewall there are really two connections: the client to the firewall, and the firewall to the target host.
In addition, with proper configuration the firewall can authenticate the client before it sends the application request to the target host. Authentication methods include SecurID, S/KEY, RADIUS, and the like.
In this example, the client has now established a connection with the firewall, and the firewall immediately issues an authentication request to the client. If verification passes, the firewall forwards the client's request to the target host; otherwise, the firewall disconnects the connection to the client.
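The five steps walked through above, simulated as an added example (not the article's or any vendor's code). The interface names, the allowed destination, the port-to-proxy table and the authentication callback are all constructed; no real sockets are opened, and the result records the two separate connection legs and the log entries the text says the firewall should write.

```python
"""Added example (not from the original article): a simulation of the five
processing steps of a proxy service firewall for the Telnet case described
above. Hosts, interfaces and the authentication callback are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

INTERNAL_NET = ip_network("10.0.0.0/8")            # assumed internal range
ALLOWED_DESTINATIONS = {"10.0.0.5"}                # internal hosts reachable via proxy
PROXIES: Dict[int, str] = {23: "telnet-proxy", 25: "smtp-proxy"}  # port -> proxy


@dataclass
class Request:
    src: str
    dst: str
    dport: int
    iface: str          # "ext" or "int": the network card that received it
    user: str = ""
    secret: str = ""


@dataclass
class Result:
    verdict: str                                       # "forwarded" or "rejected"
    reason: str
    connections: List[str] = field(default_factory=list)   # the separate legs
    log: List[str] = field(default_factory=list)


def process(req: Request, authenticate: Callable[[str, str], bool]) -> Result:
    log: List[str] = []
    # Step 1: receive the packet on the card that routing delivered it to.
    log.append(f"received {req.src}->{req.dst}:{req.dport} on {req.iface}")

    # Step 2: source/destination check. An internal source address arriving
    # on the external card is address spoofing: refuse and log the event.
    if req.iface == "ext" and ip_address(req.src) in INTERNAL_NET:
        log.append("ALERT spoofed internal source address on external interface")
        return Result("rejected", "address spoofing", log=log)
    if req.dst not in ALLOWED_DESTINATIONS:
        log.append(f"destination {req.dst} not permitted")
        return Result("rejected", "destination not allowed", log=log)

    # Step 3: request type. Only ports with a configured proxy are served;
    # anything else is recorded as a potential threat and rejected.
    proxy = PROXIES.get(req.dport)
    if proxy is None:
        log.append(f"THREAT no service configured for port {req.dport}")
        return Result("rejected", "service not provided", log=log)

    # Step 4: hand the request to the matching proxy program.
    log.append(f"dispatch to {proxy}")

    # Step 5: the proxy answers the client itself, authenticates it, and only
    # then opens its own second connection to the target host.
    legs = [f"client {req.src} -> firewall ({proxy})"]
    if not authenticate(req.user, req.secret):
        log.append(f"authentication failed for user '{req.user}', disconnecting client")
        return Result("rejected", "authentication failed", legs, log)
    legs.append(f"firewall -> target {req.dst}:{req.dport}")
    log.append("request relayed to target under the firewall's own identity")
    return Result("forwarded", "ok", legs, log)


def demo_auth(user: str, secret: str) -> bool:
    """Constructed stand-in for SecurID / S/KEY / RADIUS: one known credential."""
    return (user, secret) == ("alice", "one-time-code-42")


if __name__ == "__main__":
    ok = process(Request("203.0.113.7", "10.0.0.5", 23, "ext", "alice", "one-time-code-42"), demo_auth)
    spoof = process(Request("10.0.0.9", "10.0.0.5", 23, "ext"), demo_auth)
    print(ok.verdict, ok.connections)
    print(spoof.verdict, spoof.log[-1])
```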
2. Performance characteristics
The security level is higher than that of the packet filter firewall.
The proxy service type firewall can be configured to be the only host visible from outside, protecting the internal hosts from external attack.
It can enforce user authentication; because the proxy works between the client and the real server and fully controls the session, it can provide more detailed audit logs.
The proxy's speed is slower than the packet filter.
Among proxy service type firewalls, Axent Raptor is a completely proxy-based software firewall.
With the development of Internet technology, firewall technology must improve in both speed and security, and the context-based dynamic packet filtering firewall is a technical update to both the traditional packet filter and the proxy service firewall.
(3) Stateful packet filtering type firewall
To overcome the insufficient security of the packet filtering mode, some packet filter firewall manufacturers introduced the concept of stateful packet filtering. On the basis of packet filtering technology, the security check is enhanced by a context-based dynamic packet filtering module. It no longer simply checks addresses: the dynamic packet filter intercepts packets at the network layer until enough of them have been seen to determine the "state" of the attempted connection. These packets are then checked by a "dedicated check module" in the core of the firewall system. After that check, the state information needed for security decisions is recorded in a dynamic state table and used to evaluate the subsequent packets of the communication. Packets that pass inspection go through the firewall and a direct connection is established between the internal and external systems.
Although the context-based stateful packet filtering method is a significant improvement, it still cannot compare with the application layer proxy firewall. A typical representative of the dynamic packet filtering firewall is the Checkpoint Firewall-1 firewall. The figure below shows the logical structure of the context-based dynamic packet filtering firewall.
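As an added example (not the article's or any vendor's code), the following minimal context-based filter keeps the dynamic state table the section describes: an outbound SYN from the internal side creates an entry, the reply is admitted only because that entry exists, an unsolicited inbound SYN finds no entry and is refused, and idle entries expire. The address range, timeout and the simplified TCP flag strings are assumptions.

```python
"""Added example (not from the original article): a minimal stateful packet
filter with a dynamic state table keyed by the connection tuple. Packets,
timing and the internal address range are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed internal address range
IDLE_TIMEOUT = 300.0                      # seconds an idle entry survives


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # simplified TCP flags: "S", "SA", "A", "F"
    t: float        # arrival time in seconds


Key = Tuple[str, int, str, int]   # (internal host, port, external host, port)


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[Key, Tuple[str, float]] = {}   # key -> (state, last seen)

    @staticmethod
    def _key(p: Packet) -> Tuple[Key, bool]:
        """Normalise so both directions of one connection share one key."""
        outbound = ip_address(p.src) in INTERNAL_NET
        if outbound:
            return (p.src, p.sport, p.dst, p.dport), True
        return (p.dst, p.dport, p.src, p.sport), False

    def _expire(self, now: float) -> None:
        dead = [k for k, (_, seen) in self.table.items() if now - seen > IDLE_TIMEOUT]
        for k in dead:
            del self.table[k]

    def handle(self, p: Packet) -> str:
        self._expire(p.t)
        key, outbound = self._key(p)
        entry = self.table.get(key)

        # A connection may only be opened from the inside: an outbound SYN
        # creates the entry. Any packet with no entry, including an inbound
        # SYN, is unsolicited and refused.
        if entry is None:
            if outbound and p.flags == "S":
                self.table[key] = ("SYN_SENT", p.t)
                return "allow"
            return "deny"

        state, _ = entry
        if state == "SYN_SENT" and not outbound and p.flags == "SA":
            self.table[key] = ("ESTABLISHED", p.t)   # reply completes the handshake
            return "allow"
        if state == "ESTABLISHED" and p.flags in ("A", "F"):
            self.table[key] = (state, p.t)           # refresh; idle timeout reaps closed flows
            return "allow"
        return "deny"   # flags inconsistent with the recorded state


def demo() -> Tuple[str, str, str, str]:
    fw = StatefulFilter()
    client, server = "10.0.0.8", "198.51.100.10"
    out_syn = fw.handle(Packet(client, 40000, server, 80, "S", 0.0))
    reply = fw.handle(Packet(server, 80, client, 40000, "SA", 0.1))
    # Unsolicited inbound SYN from port 80: a stateless "allow replies from
    # port 80" rule would pass it, but there is no state entry, so it is denied.
    probe = fw.handle(Packet("203.0.113.7", 80, client, 40001, "S", 0.2))
    # Data on the old flow long after the idle timeout: the entry is gone.
    stale = fw.handle(Packet(server, 80, client, 40000, "A", 0.1 + IDLE_TIMEOUT + 1))
    return out_syn, reply, probe, stale


if __name__ == "__main__":
    print(demo())   # ('allow', 'allow', 'deny', 'deny')
```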
Third, security requirements analysis
The flexible design of TCP/IP and the universal application of the Internet provide the basis for the development of network hacking techniques. Hacking techniques are easily mastered by people with ill intent or who like to show off, and the number of hackers has grown. In addition, there is a wide range of network connection points, which objectively makes intrusion easier. The enterprise computer network holds a great deal of internal information, and its theft by ill-intentioned hackers or by competitors would bring losses that are difficult to estimate. In order to allow the information system to be accessed properly while guaranteeing security, a device is required to protect the system and ensure that only legitimate users can access it. At present, the firewall is the device that best meets this need in terms of price-performance.
Based on the principles of economy and efficiency, it is necessary to isolate the internal network from the external untrusted network, and to isolate the main application servers from the other network segments within the internal network, so as to achieve access control, border security and centralized management for the internal network and host systems.
Fourth, implementing the firewall plan
(1) Principles of product selection
When selecting a firewall product, in addition to following the principles of the network security system, the firewall should be required to provide at least the following functions:
1. Access control: through an access control system established for specific network segments and specific services, most attacks are blocked before they reach the attack target;
2. Attack monitoring: through an attack monitoring system established for specific network segments and services, attacks can be detected in real time and corresponding actions taken (such as disconnecting the network connection, recording the attack process, tracing the attack source, and so on);
3. Encrypted communication: actively encrypting communication so that an attacker cannot understand or modify sensitive information;
4. Identity authentication: a good authentication system prevents attackers from impersonating legitimate users;
5. Multi-layer defense: after an attacker breaks through the first line of defense, delay or block them from reaching the target;
6. Hiding internal information: prevent an attacker from learning the basic situation inside the system;
7. Security monitoring center: provide security management, monitoring, protection and emergency services for the information system.
In a real network, ensuring network security and providing efficient, flexible network services are in tension. For the availability, flexibility and performance of network services, the network structure and technical implementation should be as simple as possible, without introducing additional control factors and resource overhead. From the standpoint of network security, however, the network system is required to provide as much security as possible for the services it offers, and such additional security features inevitably consume limited network resources or restrict their use, which significantly affects the performance and usability of the network system. In addition, network security often involves additional hardware and software investment and network operation management, so security has its price. The pursuit of security can be unlimited, but the cost grows with it. When establishing a security system with a firewall, the following factors must be fully taken into account:
1. Security and convenience
The convenience of using the network declines because of network security measures. With the firewall, everything from installation and configuration to policy adjustment is completed in the same GUI, so management is very convenient and fast and the extra burden on the network administrator is small. In addition, the transparent setting of the firewall's internal network card greatly facilitates internal users: internal workstations (including servers) do not need any additional configuration.
2. Security and performance
For a network, security measures are paid for with network resources: they occupy host CPU and memory, occupy network bandwidth, or add information processing, all of which reduce overall performance. The firewall's stateful packet filtering technology can automatically find the ideal balance between security and speed.
3. Security and cost
Any network security measure or network security system adds extra cost, including the cost of buying hardware and software, system design and implementation, and management and maintenance of the security system.
(2) Specific implementation of the firewall
1. Deploy the border firewall
The correct position for the border firewall is between the internal network and the external network. With the firewall at this position, its internal and external network cards belong to the internal and external network segments respectively, and the internal and external networks are completely separated. All service requests from the external network can only reach the firewall; after the firewall analyzes them, legitimate requests are passed to the corresponding service host and illegal access is refused. The internal network is completely invisible to users of the external network. Since the firewall is the only communication channel between the internal and external networks, it can record all access to the internal network and form a complete log file. The network protected by the firewall should have only one connection path. If there are other paths that bypass the firewall, the firewall is short-circuited and cannot do its job of protecting the internal network. If the internal network has several external connections, a firewall should be placed at each entrance.
By setting up a border firewall, we can effectively prevent attacks from the external network. After the firewall is in place, the internal network is effectively isolated from the external network, and all access requests from the external network must pass through the firewall.
The border firewall can complete the following specific tasks:
Through source address filtering, it rejects illegal external IP addresses, effectively preventing the external network from reaching business-related hosts.
The firewall keeps only the useful services and closes all other unneeded services, reducing the attack surface of the system to a minimum so that hackers have no opening to exploit.
The firewall enforces an access policy: only authorized external hosts can access a limited set of IP addresses in the internal network, ensuring that the external network can only reach the necessary resources in the internal network; all access unrelated to business operation is rejected.
For all access from the external network to hosts in the DMZ region, the firewall fully monitors the access activity of the external network to the internal network and records it in detail; through analysis, suspicious attack behavior can be identified.
For remote login users, such as Telnet, the firewall uses a strengthened authentication function, which can effectively prevent illegal intrusion.
After the border firewall is installed, the network's security policy is managed by the firewall, so that hackers cannot gain control by changing the security policy of a single host.
The border firewall can perform address translation, so that the external network cannot see the structure of the internal network and hacker attacks lose their target.
After the company's computer network installs the border firewall, the internal network is effectively isolated from the external network and illegal attacks from the external network are prevented. At the same time, the relative security and usability of the servers in the DMZ area are guaranteed.
2. Deploy the internal firewall
The company's computer network is a multi-level, multi-node, multi-service network in which the degree of trust between nodes is low, but due to business needs all nodes and server groups exchange data frequently.
By setting up an internal firewall at the entrance of the server group, a complete security policy can be developed and access within the internal network effectively controlled, implementing the following functions:
The internal firewall can precisely define the access rights of each user, ensuring that internal network users can only access the resources they need.
For dial-up backup lines, the internal firewall authenticates remote users through its powerful authentication function.
The internal firewall can record access to the server group from the other network segments of the internal network, discovering errors and attack behavior in time.
Through centralized management of the security policy, hosts on each network segment do not have to set up security policies separately, reducing human-caused network security issues.
In summary, after firewalls are set up in the enterprise computer network, on the one hand attacks from the external network can be effectively prevented, and on the other hand a complete security access policy can be developed for the internal network, so that the entire enterprise network reaches a high level of security.
Fifth, characteristics of the firewall program
An excellent network security system must establish a "best balance point" based on the application's performance, price and security requirements and on the network environment, so that the additional overhead introduced by network security is commensurate with the benefits it brings. According to the specific characteristics of the enterprise computer network, we recommend a firewall security system with the following features:
1. Relatively low equipment cost
This mainly means that there is no need to purchase a complete set of security equipment; security is achieved mainly with software instead of hardware, such as a software firewall, using relatively low-cost shareware or free software.
2. Relatively low personnel cost
There is no need to hire foreign professional security companies to take part in building the enterprise's internal network; instead, one or two domestic professional security companies can be hired to plan it, and system security maintenance is done mainly by internal technicians on a part-time basis.
3. Unified deployment of the security policy
That is, under the guidance of security experts, establish a unified security system and eliminate the significant security vulnerabilities caused by improper system configuration.
4. Good upgradability and scalability