First generation: static packet filter
This type of firewall examines each packet against the configured filtering rules to decide whether it matches one of them. The rules are written in terms of the packet's header fields: source IP address, destination IP address, transport protocol (TCP, UDP, ICMP, etc.), TCP/UDP destination port, ICMP message type, and so on. The basic principle of a packet-filtering firewall is least privilege: only packets that are explicitly allowed may pass, and all other packets are prohibited.

Second generation: dynamic packet filter
This type of firewall sets up its packet-filtering rules dynamically, which avoids the problems of static packet filtering. The technique later developed into stateful inspection. A firewall using it tracks every connection that is established and can add or change filtering rules dynamically as needed.

Third generation: proxy firewall
The proxy firewall is also called an application gateway firewall. It relays a TCP connection through a proxy. Packets sent from the internal network, after passing through such a firewall, appear to originate from the firewall's external network interface, which hides the structure of the internal network. Network security experts and the media regard this type as the safest kind of firewall. Its core technology is the proxy server.
A proxy server is a program that handles connection requests to a server on behalf of a client. When the proxy server receives a client's request to connect, it verifies the request and hands it to the proxy application, which processes the connection request through a specific secure procedure and forwards the processed request to the real server; it then receives the server's reply, processes it further, and finally returns the reply to the client. The proxy server thus acts as an intermediary relay whenever the external network communicates with the internal network.
The most prominent advantage of the proxy firewall is security. Every connection between the internal and external networks must pass through the proxy's intervention and translation: the application proxy for a specific service such as HTTP handles the request, and the firewall itself submits it and returns the response, so no computer on the internal network ever gets a direct session with one on the external network. This prevents data-driven attacks on the internal network, a weakness that a packet-filtering firewall can hardly eliminate completely. It is like having to deliver a statement to an important stranger. If you hand the statement to your lawyer first, the lawyer reviews it, confirms that it has no harmful effect, and only then gives it to the stranger. Throughout, the stranger does not know you exist; if he wanted to harm you, he would be dealing with your lawyer, who of course knows far better than you how to handle such a person. The biggest shortcoming of the proxy firewall is that it is relatively slow. When the number of users is large and the throughput at the internal network gateway is relatively high (for example, reaching 75-100 Mbps), the proxy firewall becomes the bottleneck between the internal and external networks. Fortunately, user traffic is currently usually far below that figure. In real environments, packet-filtering firewalls are considered where speed requirements must be met, mostly as firewalls between high-speed networks (ATM, Gigabit Ethernet, etc.).

Fourth generation: adaptive proxy firewall
Adaptive proxy is a revolutionary technology realized in commercial application firewalls. It combines the security of the proxy firewall with the high speed of the packet-filtering firewall, improving the performance of the proxy firewall by more than 10 times without sacrificing security. Two basic elements make up this type of firewall: the adaptive proxy server and the dynamic packet filter.
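The first two generations described above, header-based static rules with default deny and stateful tracking that admits only replies to connections the firewall has already allowed, as an added Python example; this is not code from the original article, and the rule set, addresses and packets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp", "udp" or "icmp"
    sport: int   # source port (ICMP message type for icmp)
    dport: int   # destination port (0 for icmp)


# Static allow-list (constructed): (protocol, source network, destination port).
# Anything not explicitly matched is dropped: "allowed, otherwise prohibited".
ALLOW_RULES = [
    ("tcp", "10.0.0.0/8", 80),    # internal hosts may reach web servers
    ("tcp", "10.0.0.0/8", 443),
    ("udp", "10.0.0.0/8", 53),    # and DNS resolvers
]


def static_filter(pkt: Packet) -> bool:
    """First generation: decide from this packet's header fields alone."""
    src = ipaddress.ip_address(pkt.src)
    return any(pkt.proto == proto and pkt.dport == dport
               and src in ipaddress.ip_network(net)
               for proto, net, dport in ALLOW_RULES)


class StatefulFilter:
    """Second generation: remember allowed outbound connections and admit a
    reply only if it is the mirror image of one of them. A purely static
    filter would instead need a standing rule allowing inbound packets with
    source port 80 from any host, which is the weakness this removes."""

    def __init__(self) -> None:
        self.table = set()  # (proto, client ip, client port, server ip, server port)

    def accept(self, pkt: Packet) -> bool:
        if static_filter(pkt):
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def demo() -> dict:
    """Constructed traffic: one outbound web request, its reply, and a stray
    inbound packet that claims source port 80 but matches no connection."""
    fw = StatefulFilter()
    out = Packet("10.1.2.3", "203.0.113.10", "tcp", 40000, 80)
    reply = Packet("203.0.113.10", "10.1.2.3", "tcp", 80, 40000)
    stray = Packet("203.0.113.10", "10.1.2.3", "tcp", 80, 40001)
    return {"static_reply": static_filter(reply), "outbound": fw.accept(out),
            "tracked_reply": fw.accept(reply), "stray_reply": fw.accept(stray)}
```

The static filter on its own rejects the legitimate reply, while the stateful filter accepts it and still drops the stray packet.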