IT168 Heaven 2003-09-17 14:32 [IT168 Reviews] Firewall products began developing in 1995, and hardware firewalls have developed over the years since. By that count, the hardware firewall is already the fourth generation of firewall product: a firewall with a secure operating system. These secure operating systems include mainstream operating systems such as Windows, NetBSD and Linux, as well as VxWorks and similar real-time operating systems. Among these systems, firewalls using the Linux kernel account for the majority; in China in particular, almost all mainstream firewalls use the Linux kernel.
This editor discussed firewall kernel issues with several firewall manufacturers, and their view is that the Linux kernel is currently at the top technically. At the same time, as to whether the security of the Linux kernel itself, a mature and open-source kernel, can adapt to future network security requirements, no one could give a definite answer.
Linux has been able to dominate the kernel-based firewall market mainly because of the kernel's relative stability and security. Because Linux's source code is open, many companies and individuals around the world study and rewrite the kernel source code, so the kernel keeps improving and vulnerabilities can be found promptly. The biggest benefit of firewalls using the Linux kernel is also that the technology is relatively mature. In developing a firewall on this kernel, the secure kernel, the proxy system, multi-level filtering, the security server, and encryption are the key elements.
In recent years, the firewall's security technology and its upper-layer data monitoring have been upgraded continuously as network security requirements have risen, but at the same time the security of the Linux kernel itself has been neglected. Because of the firewall's data filtering requirements, the Linux kernel must open some secure ports, yet Linux is, after all, an open-source kernel. Although every firewall manufacturer can modify and optimize the kernel to some degree, and close everything off when the product leaves the factory, the hidden dangers have never gone away. The integration between the kernel and the manufacturers' firewall software is also not tight, which poses a certain risk to the security of the network.
On the other hand, the Linux kernel firewall also has certain drawbacks in data forwarding. Regardless of the bandwidth and data flow in the network, your security solution should never become the network's bottleneck. However, because the Linux kernel itself consumes part of the system resources and bandwidth, the firewall has been unable to reach line speed in data forwarding. Especially in packet forwarding below 64K, the problem of the kernel occupying system resources is more prominent. Although the Linux kernel is already economical with system resources relative to BSD and Windows, as the firewall's application level rises and the network's requirements grow, will firewalls built on the Linux kernel be able to increase their forwarding performance to meet the needs of the network?
At present, some manufacturers already have firewalls that are not based on an operating system kernel. In a traditional kernel-based firewall all data passes through the kernel, but this kind of firewall consists of a minimal boot loader and a compact firewall kernel of only a few hundred kilobytes, which together are all the software that runs the entire firewall system. This avoids potential security vulnerabilities in the operating system itself. Moreover, no system resources are consumed by an operating system kernel, so the firewall can easily reach or come close to line speed.
As the mainstream firewall now and for the future, the Linux kernel firewall has the industry's attention. From this editor's discussions with some industry experts, the conclusion is that the Linux kernel firewall will remain the most mature firewall for some time; after all, the maturity of its technology and of its products in deployment is well known. Firewalls without an operating system kernel first appeared in some low-end products. Now such products have reached the high end, and the stability and confidentiality of the technology are what companies are concerned about. This editor briefly spoke with some manufacturers that produce this kind of firewall; how its security compares with the Linux firewall comes down, after all, mainly to the level of the firewall software. As long as its technology is sound and it is recognized by users, its advantages in data forwarding may gradually win user acceptance in future applications. If the Linux kernel firewall is to maintain its existing technical advantages, its kernel must be optimized. Why do so few domestic firewalls reach gigabit, or, even when nominally gigabit, manage only about 800 megabytes in actual use? The root cause is that the Linux kernel occupies too much bandwidth. Once this problem is solved, the Linux kernel firewall will go further.