Main steps in developing hardware firewalls

xiaoxiao 2021-03-06

Before development begins, you must first be clear about what type of firewall is needed. Hardware firewalls can be roughly divided into three tiers: high-end gigabit firewalls, mid-range 100 Mbps firewalls, and low-end small office / home office firewalls (SOHO/SMB). The development methods for these three tiers differ greatly. Representatives of the high-end gigabit tier include NetScreen's 5000 series and Nokia-Checkpoint's IP720, which can handle gigabit workloads with throughput of at least 600 Mbps. For a domestic manufacturer, launching a real gigabit firewall is very difficult. For details, see:

Why is it difficult to achieve a Gigabit firewall?

For the low-end tier, the small office / home office firewall, the main pressure is hardware cost. This tier includes the 50/25/5X series, FortiGate's FG200 and FG300, and some other products on the market; broadband routers can also be counted as firewalls of this class. Most work in a single-in, single-out arrangement and are mainly used to connect a small LAN to the Internet. Considering that a typical company's Internet access is only a few megabits, and that even for a LAN or cable modem user the public uplink is still only a few megabits, 10/100 Mbps auto-sensing interfaces basically meet the requirements. In fact, some companies share a Win98 machine running SyGate for dial-up and are quite satisfied with it. It can be seen that the performance requirement for this grade of firewall is not high, and the price is kept below 20,000 yuan. However, a firewall built on the x86 architecture would need very cheap hardware, and once software costs are added the 20,000 yuan price point cannot be held. Therefore the main development method for this tier is to choose a suitable embedded system, usually Linux, supplied as a bundle of hardware and software with the firewall application already included. The main system development work for such a firewall is done by the embedded system supplier, the system functions are weak, and the software work left to the manufacturer is not large, so it is more like a hardware procurement project. With the minimum purchase quantity (generally one thousand units) plus software development, you can get a product for about one million yuan. Although this is also a "hardware firewall", it is not the focus of this article. This article describes the main steps in developing an enterprise-class 100 Mbps firewall. This tier is the main object of current enterprise procurement and the most needed product type.
Domestic firewalls are basically concentrated in this tier. The operating system is generally open-source Linux or BSD; BSD applications are not upgraded as quickly, so most firewalls use Linux. Having decided to develop a 100 Mbps firewall, you need to select a suitable server motherboard or industrial PC, and a good network card, usually a server-class NIC. Although an operating system like Linux can automatically adapt to different motherboards (as long as they meet standards such as PC2000; the latest Linux kernel can generally support the features of newer motherboards, such as PIII hyperthreading), there are still differences between motherboards and CPUs. For a firewall, unless the performance requirements are not strict, the kernel must be modified and optimized for certain motherboard and CPU features such as registers, SMP and hyperthreading; otherwise the default kernel only uses the most basic part of the motherboard and CPU. For example, an important firewall performance indicator is the maximum number of sessions, or the maximum number of sessions per second. With a general-purpose kernel on a P3 CPU, the maximum value reachable is roughly only a few thousand; optimized for the design of the motherboard (information obtainable from the motherboard and CPU vendor), performance can be raised to about 3-5 million. Likewise, simply upgrading the motherboard and CPU does not necessarily improve performance: if a firewall is upgraded from P3 to P4 but the special features of the P4, such as hyperthreading, are not supported, the maximum session capability is no different from the P3, and it would be better not to upgrade and save the cost.
With specialized optimization, performance can reach 500,000, which is also the limit that such firewalls can achieve on Intel-architecture motherboards.

Optimizing for the selected hardware, although it is independent of the main firewall software work and its necessity is not obvious at first, produces a very large performance gap when the firewall is heavily used or formally evaluated. Besides performance, another purpose of this work is to bind the firewall to the hardware so that it cannot be pirated: a hardware-specific driver is much harder to pirate than the firewall core itself. The simplest form of firewall software development is developing firewall management software. Here the architect must understand how the firewall works and how it is meant to be managed. This kind of development is simple: a program that invokes Linux firewall management tools such as ipchains through some web calls; the remaining work is mainly preparing a number of default configurations (equivalent to templates). The development is therefore not difficult; ten people can finish it in half a year to a year, and a large number of domestic firewalls are developed this way. Such a firewall is unnecessary for experts familiar with Linux firewalls, who can achieve the same purpose with ipchains directly, so it is not what is discussed here. Today's firewalls are mainly about convenient management, focusing on letting administrators easily maintain a large number of complicated policies, which requires developing an "object-oriented firewall". For this, a graphical front end written in PHP or Delphi is not enough. In fact, simply calling iptables at this point hardly meets the requirements, and developers often have to develop their own firewall management tool in place of iptables. This part of the work is very large. The operating system kernel and the firewall kernel, as the carrier of the firewall, are also key points.
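To make the "object-oriented firewall" idea concrete, here is an added example (not code from the article or from any of the products it names) of a small policy model in which address and service objects are defined once and compiled into iptables commands on top of a default-deny template. The object names, addresses, ports and chain are constructed assumptions.

```python
# Added illustration (not the article's code): an "object-oriented" policy
# model compiled into iptables commands. Object names, addresses and ports
# below are constructed examples, not the article's.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AddressObject:
    name: str
    cidr: str            # e.g. "192.168.1.0/24"; "0.0.0.0/0" means any


@dataclass(frozen=True)
class ServiceObject:
    name: str
    proto: str           # "tcp" or "udp"
    port: int


@dataclass
class Policy:
    name: str
    src: AddressObject
    dst: AddressObject
    service: ServiceObject
    action: str          # "ACCEPT" or "DROP"
    log: bool = False


def _validate(policy: Policy) -> None:
    """Reject a policy before it turns into a rule, so bad objects never reach the kernel."""
    if policy.action not in ("ACCEPT", "DROP"):
        raise ValueError(f"{policy.name}: unknown action {policy.action!r}")
    if policy.service.proto not in ("tcp", "udp"):
        raise ValueError(f"{policy.name}: unknown protocol {policy.service.proto!r}")
    if not 0 < policy.service.port < 65536:
        raise ValueError(f"{policy.name}: bad port {policy.service.port}")


def compile_policies(policies: List[Policy], chain: str = "FORWARD") -> List[str]:
    """Return iptables commands: a default-deny template followed by one rule per policy.

    Rule order follows policy order (first match wins), and the template accepts
    replies to already-tracked sessions before any policy is consulted.
    """
    for p in policies:
        _validate(p)
    rules = [
        f"iptables -P {chain} DROP",                       # default deny
        f"iptables -F {chain}",                            # start from a clean chain
        f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for p in policies:
        match = (f"-s {p.src.cidr} -d {p.dst.cidr} "
                 f"-p {p.service.proto} --dport {p.service.port}")
        if p.log:
            rules.append(f'iptables -A {chain} {match} -j LOG --log-prefix "{p.name}: "')
        rules.append(f"iptables -A {chain} {match} -j {p.action}")
    return rules


def policies_using(obj: AddressObject, policies: List[Policy]) -> List[str]:
    """Names of policies that reference an address object: the point of objects is
    that changing one address updates every policy built on it."""
    return [p.name for p in policies if obj in (p.src, p.dst)]


if __name__ == "__main__":
    lan = AddressObject("lan", "192.168.1.0/24")
    dmz_web = AddressObject("dmz-web", "10.1.1.10/32")
    any_host = AddressObject("any", "0.0.0.0/0")
    http = ServiceObject("http", "tcp", 80)
    telnet = ServiceObject("telnet", "tcp", 23)
    policies = [
        Policy("lan-to-web", lan, any_host, http, "ACCEPT"),
        Policy("block-telnet", any_host, dmz_web, telnet, "DROP", log=True),
    ]
    print("\n".join(compile_policies(policies)))
    print(policies_using(lan, policies))
```

The template lines are what the article calls the default configuration: the chain policy is DROP, so a policy the administrator forgot to write fails closed, and the state-tracking rule is the piece that the session-count figures discussed earlier depend on. A real management tool would also diff the generated rule set against the running one and apply it atomically rather than re-running every command.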
As the first line of defense for the network, the firewall cannot use an operating system with default settings: except for the most necessary services, everything must be removed. Therefore enterprise-class firewalls are basically developed on embedded operating systems, usually a hardened operating system that runs entirely in memory, like a diskless workstation. The firewall must work without failures and must cope with sudden power loss, so mounting a system hard disk is generally prohibited, to avoid damage when power fails. The firewall system is generally not large, about 16 MB to 32 MB. Some firewall manufacturers lack the ability to do this and use expensive Flash as the system disk, which is actually very dangerous. The reason is that Flash endurance is poor, with only thousands of write cycles, while UNIX-class file systems read and write frequently, so data on the flash is easily lost; and once the device is powered off, if a system disk is still mounted on a directory, the file system is likely to be damaged. The end result, even if it can be rescued, leaves the user with a poor impression of the firewall's quality. The firewall kernel is also indispensable work. At present firewalls generally use Netfilter as the firewall kernel and require adding a certain amount of anti-attack capability; refer to: Netfilter in-depth application example.

However, some firewall products enlarge this work, hoping to complete functions such as IDS and anti-virus in the kernel; although this can be done, it seriously damages the basic performance of the firewall. Enterprise-class firewalls require several remote management tools, generally three: HTTP over SSL, remote Secure Shell, or a dedicated client tool. Whichever is used, it is based on the same user management program built into the firewall. Once invoked, these managers interact with the firewall interface management program (iptables, or a self-written interface program such as Totem ObjectMgr) to complete management of the firewall. This part of the work is also large. The firewall can allow users to log in with SSH, but it cannot return a root shell directly (too dangerous), so a secure shell must be developed as the first-level interface; developers are effectively writing their own BASH-class interpreter. Security control of remote access is a focus of firewalls, often combining multiple means such as management host restrictions, IP/MAC restrictions, passwords and certificate authentication. Otherwise, if anyone can attempt to log in to the firewall, the firewall itself is very dangerous, and there is no point in discussing the security of the network. After completing the above work, complete the first Web-SSL management interface, or the client management tool in Delphi (or C). The firewall is then basically formed; the only difference is whether users find your management tool easy to use. (Many programmers believe the firewall project is not large; in fact they have only this graphical management interface in mind.) But even so, the R&D project for a firewall is still not complete.
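The restricted "secure shell" the article describes, combined with the management-host restriction it lists, as an added example (not the article's code and not any vendor's product): commands are looked up in a fixed handler table, so there is no path to a system shell, and every request is checked against a management network and written to an audit list. The management network, the command set and the policy state are constructed assumptions.

```python
# Added illustration (not the article's code): a restricted management shell
# that stands in for a root login shell. Every command is dispatched to a fixed
# handler table, so there is no way to reach a system shell from it. The
# management network, command set and policy state are constructed assumptions.
import ipaddress
import shlex
from typing import Callable, Dict, List


class RestrictedShell:
    def __init__(self, mgmt_networks: List[str]) -> None:
        # Management-host restriction: only peers inside these networks may manage.
        self._mgmt_nets = [ipaddress.ip_network(n, strict=False) for n in mgmt_networks]
        self._policies: Dict[str, str] = {}
        self._commands: Dict[str, Callable[[List[str]], str]] = {
            "show": self._show,
            "set": self._set,
            "help": self._help,
        }
        self.audit: List[str] = []      # every accepted and refused request

    def allowed_host(self, peer: str) -> bool:
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            return False
        return any(addr in net for net in self._mgmt_nets)

    def execute(self, peer: str, line: str) -> str:
        """Run one management command for a peer; returns the text to show the admin."""
        if not self.allowed_host(peer):
            self.audit.append(f"DENY host={peer} reason=not-management-host")
            return "error: management is not permitted from this host"
        try:
            argv = shlex.split(line)
        except ValueError:
            return "error: unbalanced quotes"
        if not argv:
            return ""
        handler = self._commands.get(argv[0])
        if handler is None:
            # Anything outside the table, including shell names, is just unknown.
            self.audit.append(f"DENY host={peer} cmd={argv[0]}")
            return f"error: unknown command {argv[0]!r}"
        self.audit.append(f"OK host={peer} cmd={' '.join(argv)}")
        return handler(argv[1:])

    def _show(self, args: List[str]) -> str:
        if args != ["policy"]:
            return "usage: show policy"
        if not self._policies:
            return "no policies"
        return "\n".join(f"{name} {action}" for name, action in sorted(self._policies.items()))

    def _set(self, args: List[str]) -> str:
        # set policy <name> accept|drop
        if len(args) != 3 or args[0] != "policy" or args[2] not in ("accept", "drop"):
            return "usage: set policy <name> accept|drop"
        self._policies[args[1]] = args[2]
        return f"policy {args[1]} set to {args[2]}"

    def _help(self, args: List[str]) -> str:
        return "commands: " + " ".join(sorted(self._commands))


if __name__ == "__main__":
    sh = RestrictedShell(["10.0.0.0/24"])
    for peer, line in [("10.0.0.5", "help"),
                       ("10.0.0.5", "set policy lan-to-web accept"),
                       ("10.0.0.5", "show policy; rm -rf /"),
                       ("192.168.9.9", "show policy")]:
        print(f"{peer}> {line}\n{sh.execute(peer, line)}")
    print("\n".join(sh.audit))
```

The design point is that the interpreter never hands a string to a system shell: shell metacharacters in the input are just unusual arguments that fail the handler's argument check. In a product this class would sit behind SSH as the user's login shell (or be wired in through sshd's ForceCommand), with the password or certificate authentication the article mentions handled by sshd before the shell ever runs.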
Developers often have to add VPN to the firewall (also a huge project), a proxy server (if necessary, proxies for a variety of protocols must be written), PPPoE dial-up, session authentication, HA and load balancing, transparent-mode access, external account management, and so on. Once all of the above is finally completed, can you relax and hand in your homework? Yes, if you don't mind your firewall having bugs! Otherwise, this project is only half done. The next work is writing test cases. Because a hardware firewall is hardened in software and there is no time to run it for a long period before release, the quality requirements on the software are very high. The tester should prepare at least the following three test cases: 1) Whether the program leaves memory objects that are not cleared. Leftover objects are a problem for Windows too, which is why Windows gets restarted after running for a while to clear memory; in a firewall this requirement is much stricter. An object or two left behind is no big deal elsewhere, but it is fatal for a firewall, whose system resources will be completely eaten by this bug in a short time. 2) When the firewall management tool generates each specified policy instance, whether packets that should be passed are passed and packets that should be blocked are blocked. 3) The firewall's limiting working conditions, such as the maximum session count; this test requires special test equipment such as SmartBits, and high-performance firewalls need outsourced testing because the equipment is too expensive. If the firewall integrates functions such as VPN, IDS or anti-virus, further test cases must be written to measure the decline in the firewall's other performance when these functions are enabled.
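The first two test cases above, written as an added example (not the article's code): a leak test that opens and closes many sessions and checks that the live-session count returns to its starting value, and a policy test that feeds constructed packets through a rule matcher and compares each verdict with what the policy author specified. The session table, its deliberate leak switch, the rules and the packets are all constructed here so the test runs offline; a product's harness would drive the real kernel instead.

```python
# Added illustration (not the article's code): two of the test cases the article
# asks for, written against a toy session table and a toy rule matcher. The
# table, the leak switch, the rules and the packets are all constructed here so
# the tests run offline; a real harness would drive the product's own kernel.
import ipaddress
from collections import namedtuple
from typing import Dict, List, Tuple

Packet = namedtuple("Packet", "src dst proto dport")
Rule = namedtuple("Rule", "src_net dst_net proto dport action")


class SessionTable:
    """Live sessions keyed by (src, dst, proto, dport); close() must free what open() added."""

    def __init__(self, leak: bool = False) -> None:
        self._sessions: Dict[Tuple[str, str, str, int], int] = {}
        self._leak = leak          # simulate the "object not released" bug

    @staticmethod
    def _key(pkt: Packet) -> Tuple[str, str, str, int]:
        return (pkt.src, pkt.dst, pkt.proto, pkt.dport)

    def open(self, pkt: Packet) -> None:
        key = self._key(pkt)
        self._sessions[key] = self._sessions.get(key, 0) + 1

    def close(self, pkt: Packet) -> None:
        if self._leak:
            return                 # bug: the entry is never removed
        key = self._key(pkt)
        count = self._sessions.get(key, 0)
        if count <= 1:
            self._sessions.pop(key, None)
        else:
            self._sessions[key] = count - 1

    def __len__(self) -> int:
        return len(self._sessions)


def leak_test(table: SessionTable, rounds: int) -> bool:
    """Test case 1: open and close many distinct sessions; the live count must
    return to its starting value, or resources are being eaten by leftovers."""
    baseline = len(table)
    for i in range(rounds):
        pkt = Packet(f"10.0.{(i // 256) % 256}.{i % 256}", "203.0.113.10", "tcp", 80)
        table.open(pkt)
        table.close(pkt)
    return len(table) == baseline


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; nothing matching falls through to default deny."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (src in ipaddress.ip_network(r.src_net)
                and dst in ipaddress.ip_network(r.dst_net)
                and pkt.proto == r.proto and pkt.dport == r.dport):
            return r.action
    return "DROP"


def policy_test(rules: List[Rule], cases: List[Tuple[Packet, str]]) -> List[str]:
    """Test case 2: for every packet, compare the verdict to what the policy author
    specified; returns a description of each mismatch (empty list means pass)."""
    failures = []
    for pkt, expected in cases:
        got = verdict(rules, pkt)
        if got != expected:
            failures.append(f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}: "
                            f"expected {expected}, got {got}")
    return failures


if __name__ == "__main__":
    print("leak test, correct table :", leak_test(SessionTable(), 1000))
    print("leak test, leaking table :", leak_test(SessionTable(leak=True), 1000))
    rules = [Rule("192.168.1.0/24", "0.0.0.0/0", "tcp", 80, "ACCEPT")]
    cases = [
        (Packet("192.168.1.7", "203.0.113.10", "tcp", 80), "ACCEPT"),
        (Packet("192.168.1.7", "203.0.113.10", "tcp", 23), "DROP"),
        (Packet("10.9.9.9", "203.0.113.10", "tcp", 80), "DROP"),
    ]
    print("policy test failures     :", policy_test(rules, cases))
```

The leak test is deliberately run with distinct session keys, because a leak that only shows up when every packet belongs to a new session is exactly the one that exhausts a firewall's session table in production. The policy test includes a negative case for each rule (same source, wrong port; right port, wrong source), since a rule set that passes everything also passes every positive case.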

Please cite the original address when reposting: https://www.9cbs.com/read-95615.html
