A firewall can use a variety of techniques to allow or block traffic, depending on the functions it supports, and these techniques provide differing degrees of protection. The following firewall functions are listed in order of increasing complexity:

Network adapter input filters
Static packet filters
Network address translation (NAT)
Stateful inspection
Circuit-level inspection
Application layer filtering
In general, a firewall that provides the more complex functions also supports the simpler ones. However, when choosing a firewall, read the vendor's information carefully, because there can be subtle differences between the advertised firewall functions and what the product actually does. Selecting a firewall usually involves asking about features and then testing to confirm that the product really has the functions stated in its specification.
Network adapter input filters

A network adapter input filter examines the source address, destination address and other information in an incoming packet and then either blocks the packet or allows it to pass. It applies only to incoming traffic and cannot control outgoing traffic. It matches UDP and TCP IP addresses and port numbers, as well as the protocols TCP, UDP and Generic Routing Encapsulation (GRE). A network adapter input filter can quickly and effectively reject standard incoming packets that match the rules configured in the firewall. However, it is easily evaded, because it matches only the IP traffic header and assumes that the traffic being filtered complies with the IP standard and has not been deliberately crafted to get around the filter.
Static packet filters

Static packet filters resemble network adapter input filters in that they simply match the IP header to decide whether traffic may pass through the interface. However, static packet filters can control both inbound and outbound traffic on the interface. In addition, static packet filters typically offer one function beyond the network adapter filter: they can check whether the acknowledgement (ACK) bit is set in the packet header. The ACK bit indicates whether a packet is a new request or a reply to an earlier request. The filter does not verify that the packet was originally sent by the interface that receives it; based on the packet header alone, it only checks whether traffic entering the interface appears to be return traffic.

This technique applies only to TCP and not to UDP. Like the network adapter input filter, a static packet filter is very fast, but its capabilities are limited, and specially crafted traffic can evade it.
Network address translation (NAT)

Within the global IP address range, certain addresses are designated as private addresses. They are intended for use inside your organization and have no meaning on the Internet. Traffic addressed to any IP address in this range cannot be routed across the Internet, so giving your internal devices private addresses offers some protection against intrusion. However, those internal devices themselves often need to reach the Internet, so network address translation (NAT) translates private addresses into Internet addresses.

Strictly speaking, NAT is not a firewall technology, but hiding a server's true IP address prevents an attacker from learning valuable information about that server.
Stateful inspection

With stateful inspection, all outgoing traffic is recorded in a state table. When connection traffic returns to the interface, the state table is checked to make sure that the traffic originated from this interface. Stateful inspection is slightly slower than static packet filtering. However, it ensures that traffic is allowed through only when it matches an outbound request that was actually sent. The state table holds entries such as the destination IP address, the source IP address, the port being called and the originating host.

Some firewalls store additional information in the state table (such as IP fragments that have been sent and received), while others store less. The firewall can then verify whether the traffic is handled correctly when all or some of the fragment information returns. Different vendors implement stateful inspection in different ways, so you must read the firewall documentation carefully. Stateful inspection generally helps reduce the risk from network reconnaissance and IP spoofing.
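To make the difference concrete, here is an added illustration (not from the original article) of a static ACK-bit check beside a stateful filter with a state table. The addresses, the "inside" range 10.0.0.0/8 and the traffic are all constructed for the example; the unsolicited packet with ACK set, which the static packet filter section says cannot be distinguished from return traffic, is admitted by the static filter and refused by the stateful one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; meaningless for UDP

def is_inside(ip: str) -> bool:
    return ip.startswith("10.")   # constructed: protected network is 10.0.0.0/8

def static_filter(pkt: Packet) -> bool:
    """Static packet filter: decides on header fields alone. Outbound passes;
    inbound TCP passes if ACK is set (it merely *looks like* a reply);
    inbound UDP from port 53 passes, since UDP has no flag to inspect."""
    if is_inside(pkt.src):
        return True
    if pkt.proto == "tcp":
        return pkt.ack
    return pkt.sport == 53

class StatefulFilter:
    """Stateful inspection: record each outbound flow in a state table and
    admit inbound traffic only as the return half of a recorded flow."""
    def __init__(self) -> None:
        self.table = set()

    def check(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reply_of in self.table

# Constructed traffic; 198.51.100.0/24 (TEST-NET-2) plays the Internet side.
QUERY = Packet("udp", "10.0.0.5", 40000, "198.51.100.1", 53)
REPLY = Packet("udp", "198.51.100.1", 53, "10.0.0.5", 40000)
FORGED_REPLY = Packet("udp", "198.51.100.9", 53, "10.0.0.5", 40000)  # never requested
UNSOLICITED_ACK = Packet("tcp", "198.51.100.9", 4444, "10.0.0.5", 80, ack=True)

def compare() -> dict:
    """For each inbound packet return (static decision, stateful decision)."""
    sf = StatefulFilter()
    sf.check(QUERY)   # the genuine outbound request populates the state table
    inbound = {"reply": REPLY, "forged_reply": FORGED_REPLY, "unsolicited_ack": UNSOLICITED_ACK}
    return {name: (static_filter(p), sf.check(p)) for name, p in inbound.items()}
```

Calling compare() shows both filters admitting the genuine reply, while only the stateful filter refuses the forged reply and the unsolicited ACK packet.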
Circuit-level inspection

Circuit-level filtering inspects sessions (as opposed to connections or packets). A session may include several connections. As with dynamic packet filtering, a session is established only in response to a user request. Circuit-level filtering provides support for protocols that use secondary connections, such as FTP and streaming media. It generally helps reduce the risk from network reconnaissance, DoS and IP spoofing attacks.

Application layer filtering

The most complete level of firewall traffic inspection is application layer filtering. A good application filter lets you analyze the data stream of a specific application and apply application-specific processing, which includes inspecting, screening or blocking, reordering and modifying the data as it passes through the firewall. This mechanism is used to protect against things such as unsafe SMTP commands or attacks on the internal Domain Name System (DNS). Typically, third-party content screening tools, such as virus detection, lexical analysis and site categorization, can be added to the firewall.
Depending on the traffic, an application layer firewall can inspect many different protocols. Unlike a proxy firewall (which usually inspects Internet traffic such as HTTP, FTP downloads and SSL), an application layer firewall gives better control over any traffic that passes through it. For example, an application layer firewall can be configured to pass UDP traffic only when it originates inside the firewall boundary. If an Internet host port-scans a stateful inspection firewall to see whether DNS traffic is allowed into the environment, the scan may show the well-known ports associated with DNS as open, but once an attack is launched the stateful firewall refuses those requests because they did not originate from the inside. An application layer firewall may open ports dynamically based on whether the traffic originated inside.

Application layer filtering helps reduce the risk from IP spoofing, DoS, some application layer attacks, network reconnaissance and virus/Trojan horse attacks. Its disadvantage is that it requires more processing power and is usually slower than a stateful inspection or static packet filtering firewall as traffic passes through. Take care when using an application layer firewall: it is important to determine exactly what the firewall can do at the application layer.
Application layer filtering is widely used to protect publicly exposed services. If your organization has an online store that collects credit card numbers and other personal information about customers, it is wise to take the highest level of measures to protect that information. Application layer functions ensure that the traffic passing through a port is appropriate for that port. Unlike packet filtering or stateful inspection firewalls (which only look at ports and at source and destination IP addresses), a firewall that supports application layer filtering can inspect the data and commands flowing back and forth.

Most firewalls with application layer features can only filter plaintext traffic (such as messaging services, HTTP and FTP). Bear in mind that a firewall supporting this feature can control the traffic in this environment. Another advantage of the feature is that when DNS traffic passes through the firewall, it can be inspected for DNS-specific commands. This additional protective layer ensures that a user or attacker cannot hide information inside an allowed type of traffic.
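As an added example (not from the original article) of the DNS inspection described above: a minimal application-layer check that a payload arriving on the DNS port really is a standard DNS query, so that arbitrary data cannot ride through the allowed port on the strength of the port number alone. The query bytes are constructed inline, and the strict profile (one question, no answer or additional records, so no EDNS) is an assumption of this example.

```python
import struct

def constructed_dns_query(name: str = "example.com", qtype: int = 1) -> bytes:
    """Build a minimal standard query (constructed sample input, not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)           # QTYPE, QCLASS=IN

def is_well_formed_dns_query(payload: bytes) -> bool:
    """Application-layer check: accept only a standard query with exactly one
    question and nothing else. Deliberately strict for the example; a real
    filter would also parse an EDNS OPT record in the additional section."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    if qr != 0 or opcode != 0 or qdcount != 1 or ancount or nscount or arcount:
        return False
    pos, labels = 12, 0
    while True:                       # walk the QNAME labels
        if pos >= len(payload):
            return False              # name runs off the end of the packet
        n = payload[pos]
        pos += 1
        if n == 0:
            break                     # root label terminates the name
        if n > 63 or pos + n > len(payload):
            return False              # oversized label or truncated label
        pos += n
        labels += 1
    if labels == 0 or pos + 4 > len(payload):
        return False
    _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    # IN class only, and no trailing bytes after the question section
    return qclass == 1 and pos + 4 == len(payload)

if __name__ == "__main__":
    print(is_well_formed_dns_query(constructed_dns_query()))                # True
    print(is_well_formed_dns_query(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))   # False: not DNS
```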