A full explanation of choosing a hardware firewall

Source: Internet
Author: User
Tags: filter, define, definition, ftp, functions, version, web services, access
A firewall is a combination of components placed between networks of different trust levels, such as a trusted enterprise intranet and an untrusted public network, or between different network security domains. It is the only gateway for information between those networks or domains. By monitoring, restricting and, where necessary, altering the data flow that crosses it, the firewall shields the internal network's information, structure and operating state from the outside as far as possible, selectively accepts external access, strengthens supervision of internal equipment, controls access to servers and to the external network, and erects a barrier between the protected network and the outside world to stop unpredictable and potentially destructive intrusions. Firewalls come in two forms, hardware firewalls and software firewalls, and both can filter out attackers on the network. This article focuses on the hardware firewalls commonly used in practice for enterprise network security.

First, the basic principles of firewalls

1. Firewall technologies

The security control techniques most commonly used by firewalls are packet filtering, stateful inspection and proxy services. Below we describe the working mechanism and characteristics of each, and then introduce some of the main firewall products.

Packet filtering is a simple and effective security control technique. On an interconnecting device it checks each packet against rules that permit or deny traffic based on specific source addresses, destination addresses, TCP port numbers and the like, and so restricts which packets may reach the internal network. Its biggest advantages are that it is transparent to users and has high forwarding performance. But because control is applied at the network and transport layers, the only criteria available are the source address, destination address and port number. That gives only a preliminary level of control: against higher-level attacks such as flooding (denial-of-service) attacks, memory-overwrite (buffer overflow) attacks or viruses, packet filtering can do nothing.

Stateful inspection is a more effective method of security control than plain packet filtering. When a new application connection arrives, the firewall checks it against the preset security rules, allows the connection if it complies, and records the connection information in memory as an entry in a state table. Subsequent packets belonging to that connection pass as long as they match the state table. The advantages are twofold. Performance improves greatly, because each subsequent packet of a connection (usually a large number of them) is checked directly against the state table via a hash lookup rather than re-evaluated against the full rule set. And because the state table is dynamic, ports above 1024 can be opened selectively and only for the lifetime of a connection (for example the data channel negotiated by an FTP session), which further improves security.
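To make the difference between the two techniques concrete, here is an added Python illustration; it is not code from this page or from any of the products discussed. It runs the same three constructed packets through a stateless filter and a stateful one: both pass the intranet's web request and the server's reply, but only the stateful filter drops an unsolicited packet that merely uses source port 80. The addresses, the `Packet` class and the `run_scenario` helper are made up for the example.

```python
"""Stateless vs. stateful packet filtering (added illustration, not the page's code).

The stateless filter must hold a permanent "allow inbound from TCP source port 80"
rule so that replies to the intranet's web requests can come back; that same rule
admits any attacker who sends from source port 80. The stateful filter records each
permitted outbound connection in a state table and admits only packets that reverse
a recorded entry. All addresses below are constructed (RFC 1918 / RFC 5737 ranges).
"""
from __future__ import annotations

from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."        # constructed intranet prefix
OUTSIDE_WEB = "203.0.113.10"     # constructed external web server
ATTACKER = "198.51.100.7"        # constructed external attacker


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "out" (intranet -> extranet) or "in" (extranet -> intranet)


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Rules look only at the addresses and ports of the packet in hand."""
    if pkt.direction == "out" and is_inside(pkt.src) and pkt.dport == 80:
        return True                  # let the intranet browse the web
    if pkt.direction == "in" and pkt.sport == 80 and is_inside(pkt.dst):
        return True                  # needed so replies get back in ...
    return False                     # ... but any packet with sport 80 gets in


class StatefulFilter:
    """Keeps a connection table keyed by the 4-tuple of each permitted outbound flow."""

    def __init__(self) -> None:
        self.state: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.direction == "out" and is_inside(pkt.src) and pkt.dport == 80:
            # New connection matches policy: record it so its replies pass.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.direction == "in":
            # Inbound traffic is admitted only if it reverses a recorded connection.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state
        return False


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Return {label: (stateless verdict, stateful verdict)} for three packets."""
    sf = StatefulFilter()
    client = INSIDE_PREFIX + "5"
    request = Packet(client, OUTSIDE_WEB, 51000, 80, "out")
    reply = Packet(OUTSIDE_WEB, client, 80, 51000, "in")
    # Unsolicited inbound packet that merely *uses* source port 80 to reach SMB.
    probe = Packet(ATTACKER, INSIDE_PREFIX + "9", 80, 445, "in")
    results: dict[str, tuple[bool, bool]] = {}
    for label, pkt in (("request", request), ("reply", reply), ("probe", probe)):
        results[label] = (stateless_filter(pkt), sf.check(pkt))
    return results


if __name__ == "__main__":
    for label, (stateless, stateful) in run_scenario().items():
        print(f"{label:8s} stateless={'pass' if stateless else 'drop':4s} "
              f"stateful={'pass' if stateful else 'drop'}")
```

The state table here is a plain set; a real firewall also ages entries out and tracks the TCP handshake, which is why its "maximum number of connections" figure matters in the comparison later on this page.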

2. How the firewall works

(1) Packet filtering firewall

Packet filtering firewalls are generally implemented on routers and filter on user-defined fields such as IP addresses. The system inspects packets at the network layer and ignores the application layer, so it has good forwarding performance and scales well. Its security has a definite flaw, however: because the system has no view of application-layer information, that is, the firewall does not understand the content of the communication, it can be bypassed by attackers who hide an attack inside traffic the rules permit. (Figure 1)


Figure 1: Packet filtering firewall working schematic

(2) Application gateway firewall

An application gateway (proxy) firewall examines every application-layer packet and feeds the result of that inspection into its decision, which improves network security. But it works by breaking the client/server model: each client/server communication requires two connections, one from the client to the firewall and another from the firewall to the server. In addition, each proxy is a separate application process or background service, so for every new application a proxy service for that application must be added, otherwise the service cannot be used. The application gateway firewall therefore scales poorly. (Figure 2)


Figure 2: Application gateway firewall working principle

(3) Stateful inspection firewall

A stateful inspection firewall largely keeps the advantages of the simple packet filtering firewall, good performance and transparency to applications, and on that basis improves security greatly. It abandons the simple packet filter's weakness of examining packets entering and leaving the network in isolation, without regard to connection state: a state connection table is kept in the core of the firewall, connections are tracked, and the inbound and outbound data of a session are handled as a single event. One can say that a stateful packet filtering firewall regulates behaviour at the network and transport layers, while an application proxy firewall regulates the behaviour of specific application protocols. (Figure 3)


Figure 3: Stateful inspection firewall working schematic
 

(4) Composite firewall

A composite firewall is a new generation of firewall that integrates stateful inspection with transparent proxying and, built on an ASIC architecture, further adds anti-virus and content filtering, VPN and IDS functions, merging several devices into one. A conventional firewall cannot stop attacks hidden inside otherwise permitted traffic; combining application-layer scanning, anti-virus and content filtering with the firewall at the network boundary reflects a newer view of network and information security. It performs content scanning at layer 7 of the OSI model at the network boundary and provides application-layer services such as virus protection and content filtering at the network edge. (Figure 4)


Figure 4: Composite firewall working principle

3. Comparison of the four types of firewall

Packet filtering firewall: does not inspect the data area of a packet, keeps no connection state table and treats successive packets as unrelated; application-layer control is very weak.

Application gateway firewall: does not check the IP and TCP headers and keeps no connection state table; network-layer protection is weaker.

Stateful inspection firewall: does not inspect the data area, but keeps a connection state table and correlates successive packets; application-layer control is still very weak.

Composite firewall: can inspect the entire packet content and keeps a connection state table as needed; network-layer protection is strong and application-layer control is fine-grained, but session control is weak.

4. Firewall terminology

Gateway: a system that provides forwarding services between two devices. In the firewall context, a gateway is a firewall that handles the traffic of Internet applications between two hosts. The term is very common.

DMZ (demilitarized zone): for convenience of configuration and management, servers that must provide services outside the intranet are placed in a separate network segment, the demilitarized zone. Firewalls typically have three network interfaces, connected respectively to the intranet, the Internet and the DMZ.

Throughput: network data consists of individual packets, and the firewall consumes resources to process each one. Throughput is the number of packets the firewall can pass per unit of time without dropping any. It is an important indicator of firewall performance.

Maximum number of connections: as with throughput, the larger the better. The maximum number of connections is closer to real network conditions, since most traffic on a network takes the form of established virtual channels. Each connection consumes firewall resources, so the maximum number of connections is a real test of the firewall's capacity.

Packet forwarding rate: the rate at which the firewall handles data traffic when all security rules are configured correctly.

SSL: SSL (Secure Sockets Layer) is a set of Internet data security protocols developed by Netscape; the current version at the time of writing was 3.0 (SSL 3.0 has since been deprecated and superseded by TLS). It is widely used for authentication and encrypted data transmission between web browsers and servers. SSL sits between TCP/IP and the various application-layer protocols, providing security for data communication.

Network address translation (NAT): a technique that maps one IP address domain onto another, providing transparent routing for end hosts. NAT includes static address translation, dynamic address translation, network address and port translation (NAPT), dynamic NAPT, port mapping and so on. NAT is commonly used to translate private address space into public address space, which relieves the shortage of IP addresses. When NAT is implemented on the firewall, the internal topology of the protected network is hidden, which improves security to some extent. If reverse NAT offers dynamic network address and port translation, it can also provide load balancing.

Bastion host: a hardened computer that is exposed to the Internet as the checkpoint into the internal network. It concentrates the whole network's security problems on a single host, saving the time and effort of securing every other host.

Second, common hardware firewalls on the market

(1) NetScreen firewall

The NetScreen firewall from NetScreen Technologies is a newer type of network security hardware product. NetScreen uses built-in ASIC technology, so its security devices offer low latency, efficient IPSec encryption and firewall functions, and can be deployed seamlessly into any network. Installation and operation are easy to manage through several management interfaces, including a built-in WebUI, a command line interface and the NetScreen central management program. NetScreen integrates all functions into a single hardware product that is not only easy to install and manage but also more reliable and secure. Because a NetScreen device has no hard drive, it avoids the disk-related stability problems of some other brands and is a good choice for users with high uptime requirements. With a NetScreen device only the firewall, VPN and traffic management functions need to be configured and managed, which removes the need to set up additional hardware and a complex operating system, shortens installation and management time, and eliminates setup steps that could leave security vulnerabilities. The NetScreen-100 firewall is suited to the network security requirements of midsize enterprises.


 

(2) Cisco Secure PIX 515E firewall

The Cisco Secure PIX firewall is a dedicated firewall appliance in Cisco's firewall family. The Cisco Secure PIX 515E system provides high security through an organic combination of end-to-end security services, and fits remote sites that need only two-way communication with their own corporate network, or where all web services are provided by the enterprise network behind its own firewalls. Unlike a typical CPU-intensive dedicated proxy server (which does a large amount of processing for every packet at the application layer), the Cisco Secure PIX 515E uses a secure, real-time embedded operating system rather than a general-purpose UNIX. It provides the ability to extend and reconfigure IP networks without creating an IP address shortage: NAT can use existing IP addresses or the address ranges that the Internet Assigned Numbers Authority (IANA) reserves for private use (RFC 1918). The Cisco Secure PIX 515E can also selectively translate addresses as needed, and Cisco guarantees that NAT works with all the other PIX firewall features, such as multimedia application support. The Cisco Secure PIX 515E firewall is suited to the network security requirements of small and midsize enterprises.

(3) Tianrongxin (Topsec) NetGuard NGFW4000-S firewall

NetGuard, from Beijing Tianrongxin (Topsec), is China's first firewall system with independent copyright and is widely used in telecommunications, electronics, education, scientific research and other sectors in China. It consists of a firewall and a manager. The NetGuard NGFW4000-S firewall is China's first kernel-inspection firewall, and is more secure and more stable. The NGFW4000-S system concentrates the functions of packet filtering, application proxy, network address translation (NAT), user identification, virtual private networking, web page protection, user rights control, security audit, attack detection, flow control and billing, and can provide a full range of network security services for different types of Internet-connected networks. Because the NetGuard firewall system is designed in China, its management interface is entirely in Chinese, which makes management more convenient; of all the firewalls covered here, the NGFW4000-S management interface is the most intuitive. The NetGuard NGFW4000-S firewall is suited to the network security requirements of midsize enterprises.

(4) Neusoft NetEye 4032 firewall

The NetEye 4032 firewall is the latest version of the NetEye firewall series, with great improvements in performance, reliability and manageability. Its flow filtering architecture, based on stateful packet filtering, ensures complete high-performance filtering from the data link layer to the application layer, and its application-level plug-ins can be upgraded promptly in response to new attack patterns to give the network dynamic security. The NetEye 4032's flow filtering engine has been optimised for better performance and stability, the set of application-level and security-defence plug-ins has been enriched, and new plug-ins can be developed more quickly. Network security is itself dynamic and changes rapidly; new attack methods may appear every day. Security policy must be able to adjust dynamically as attack patterns emerge so that the network is protected dynamically. Because the flow filtering architecture based on stateful packet filtering has this dynamic quality, the NetEye firewall can effectively resist all kinds of new attacks and guarantee network security dynamically. The Neusoft NetEye 4032 firewall is suited to the network security requirements of small and medium-sized enterprises.

Third, basic configuration of the firewall

Below I take the Tianrongxin (Topsec) NGFW4000, the leading domestic firewall brand, as an example to explain how to configure a firewall in a typical network environment.


Figure 5: Network topology

The NGFW4000 has three standard ports: one connects to the extranet (Internet), one to the intranet and one to the DMZ, where the network servers sit. The effect the firewall installation should achieve is: computers in the intranet can access the extranet freely and can access the designated servers in the DMZ; computers on the Internet and in the DMZ cannot access the intranet; the Internet can access the servers in the DMZ.

1. Configuring the management port

The Tianrongxin NetGuard NGFW4000 firewall consists of the firewall and the manager; the firewall is managed from a computer over the network. By default none of the three interfaces is a management port, so we must first connect the NetGuard NGFW4000 firewall to our computer through the serial port and designate a management port on the firewall; only then can the firewall be configured remotely.

Use a serial cable to connect the computer's serial port (COM1) to the console port of the NGFW4000 firewall, start HyperTerminal on the computer, select port COM1 and set the communication parameters to 9600 bits per second, 8 data bits, no parity, 1 stop bit and no flow control. In the HyperTerminal window, enter the firewall password to reach the command line.

Define the management port: if eth1 XXX.XXX.XXX.XXX 255.255.255.0

Modify the GUI login permissions of the management port: fire client add topsec -t gui -a extranet -I 0.0.0.0-255.255.255.255

The address range 0.0.0.0-255.255.255.255 in this command permits GUI logins from any address. In production, restrict the range to the administrators' workstations, so that the firewall's management plane is not reachable from every host on the zone it is exposed to.


 

2. Configuring the firewall with the GUI management software

Install the Tianrongxin firewall GUI management software, Topsec Centralized Manager, create a management project for the NGFW4000, and enter the IP address and a description of the firewall's management port. Then log in to the management interface.

(1) Define network zones

Internet (extranet): on eth0; default access policy any (readable and writable by default); logging options left blank; ping, GUI and Telnet not allowed.

Intranet: on eth1; default access policy none (neither readable nor writable); logging option records user commands; ping, GUI and Telnet allowed.

DMZ: on eth2; default access policy none (neither readable nor writable); logging option records user commands; ping, GUI and Telnet allowed. (Allowing GUI and Telnet management from the DMZ is a risk if a DMZ server is compromised; it can be withheld here if not needed.)

(2) Define network objects

A network node represents a physical machine in a zone. It can serve as the source or destination of an access policy or of a communication policy, and it can also be used as an address pool, representing the real machine behind an address mapping; communication policies are described in detail below.


Figure 6

A subnet represents a contiguous range of IP addresses. It can be the source or destination of a policy and can also serve as an address pool for NAT. If some IP addresses within the subnet segment are already used by another department, then rather than describing the technology department's addresses with three separate subnets, you can list the addresses occupied by other departments as excepted addresses.


Figure 7

Before configuring access policies, first define the special nodes and subnets:

ftp_server: represents the FTP server; zone = dmz, IP address = XXX.XXX.XXX.XXX.

http_server: represents the HTTP server; zone = dmz, IP address = XXX.XXX.XXX.XXX.

mail_server: represents the mail server; zone = dmz, IP address = XXX.XXX.XXX.XXX.

v_server: the virtual server that the extranet accesses; zone = internet, IP = the firewall's IP address.

inside: represents all machines on the intranet; zone = intranet, start address = 0.0.0.0, end address = 255.255.255.255.

outside: represents all machines on the extranet; zone = internet, start address = 0.0.0.0, end address = 255.255.255.255.


 

(3) Configure access policies

Add three access policies for the DMZ zone:

A. Destination = ftp_server, destination port = tcp 21. Source = inside, access rights = read, write. Source = outside, access rights = read. This means intranet users can read and write files on the FTP server, while extranet users can only read files and not write them. (FTP opens a separate data connection for each transfer, so the firewall must follow the PORT/PASV negotiation on the control channel and open the data port dynamically, as described under stateful inspection above.)

B. Destination = http_server, destination port = tcp 80. Source = inside + outside, access rights = read, write. This means both intranet and extranet users can access the HTTP server.

C. Destination = mail_server, destination ports = tcp 25 (SMTP) and tcp 110 (POP3). Source = inside + outside, access rights = read, write. This means intranet and extranet users can both access the mail server.

(4) Communication policies

Because intranet machines do not have legitimate (public) IP addresses, they need address translation to reach the extranet. When an internal machine accesses an external one, its address can be translated to the firewall's address or to an address from an address pool. Add a communication policy with destination = outside, source = inside, mode = NAT, destination port = all ports. To translate to an address from a pool, first define a subnet in the internet zone whose range is the address pool, then choose the NAT mode in the communication policy and select the subnet just defined as the address pool type.

The servers likewise have no legitimate public IP addresses and must rely on the firewall's address mapping to provide services externally. Add the following communication policies:

A. Destination = v_server, source = outside, mode = map, protocol = tcp, port mapping 21 -> 21, target machine = ftp_server.

B. Destination = v_server, source = outside, mode = map, protocol = tcp, port mapping 80 -> 80, target machine = http_server.

C. Destination = v_server, source = outside, mode = map, protocol = tcp, port mapping 25 -> 25, target machine = mail_server.

D. Destination = v_server, source = outside, mode = map, protocol = tcp, port mapping 110 -> 110, target machine = mail_server.
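To make the zone definitions, access policies and communication policies of steps (1) to (4) concrete, here is an added Python model of the three-zone topology in Figure 5. It is illustrative code, not Topsec's software or the NGFW4000's rule syntax. The addresses are constructed (RFC 1918 private ranges for the intranet and DMZ, RFC 5737 documentation ranges for the extranet), the page's XXX placeholders are replaced by made-up values, and the FTP read-only versus read-write distinction, which is an application-layer control, is not modelled. The model applies the inbound mapping before the zone filter and the outbound NAT after it, the order in which translating firewalls commonly evaluate traffic.

```python
"""Three-zone firewall policy with NAT and port mapping (added illustration).

Models the access policies A-C of section 2(3) and the communication policies of
section 2(4): intranet -> extranet is free and source-translated to the firewall's
address; extranet -> v_server on a mapped port is destination-translated to the
DMZ host; nothing from the DMZ or the extranet may enter the intranet.
All addresses are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

# Constructed addressing for the topology of Figure 5 (not from the page).
ZONES = {
    "intranet": ipaddress.ip_network("192.168.1.0/24"),   # eth1
    "dmz": ipaddress.ip_network("192.168.2.0/24"),        # eth2
}
# Any address outside the two private ranges is treated as the internet zone (eth0).
FIREWALL_EXT_IP = "203.0.113.1"      # v_server: the firewall's extranet address
FTP_SERVER = "192.168.2.21"          # ftp_server  (page: XXX.XXX.XXX.XXX)
HTTP_SERVER = "192.168.2.80"         # http_server (page: XXX.XXX.XXX.XXX)
MAIL_SERVER = "192.168.2.25"         # mail_server (page: XXX.XXX.XXX.XXX)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Access policies A-C: (destination host, port, zones allowed as source).
ACCESS_POLICY = [
    (FTP_SERVER, 21, {"intranet", "internet"}),
    (HTTP_SERVER, 80, {"intranet", "internet"}),
    (MAIL_SERVER, 25, {"intranet", "internet"}),
    (MAIL_SERVER, 110, {"intranet", "internet"}),
]

# Communication policies A-D (mode = map): v_server port -> (DMZ host, port).
PORT_MAP = {
    21: (FTP_SERVER, 21),
    80: (HTTP_SERVER, 80),
    25: (MAIL_SERVER, 25),
    110: (MAIL_SERVER, 110),
}


def map_inbound(pkt: Packet) -> Packet:
    """Mode 'map': rewrite extranet packets aimed at v_server to the DMZ host."""
    if (pkt.proto == "tcp" and zone_of(pkt.src) == "internet"
            and pkt.dst == FIREWALL_EXT_IP and pkt.dport in PORT_MAP):
        host, port = PORT_MAP[pkt.dport]
        return replace(pkt, dst=host, dport=port)
    return pkt


def forward_allowed(pkt: Packet) -> bool:
    """Zone policy: intranet -> extranet is free; the DMZ is reachable only per
    the access policy; nothing from the DMZ or extranet may enter the intranet."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    if src_zone == "intranet" and dst_zone == "internet":
        return True
    if dst_zone == "dmz":
        return any(pkt.dst == host and pkt.dport == port and src_zone in sources
                   for host, port, sources in ACCESS_POLICY)
    return False


def nat_outbound(pkt: Packet) -> Packet:
    """Mode 'NAT': intranet traffic leaving for the extranet takes the firewall's address."""
    if zone_of(pkt.src) == "intranet" and zone_of(pkt.dst) == "internet":
        return replace(pkt, src=FIREWALL_EXT_IP)
    return pkt


def process(pkt: Packet) -> tuple[str, Packet]:
    """Return ("forward", packet as sent on) or ("drop", packet after mapping)."""
    pkt = map_inbound(pkt)
    if not forward_allowed(pkt):
        return "drop", pkt
    return "forward", nat_outbound(pkt)


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "198.51.100.40", 40000, 443),  # intranet browsing
        Packet("198.51.100.7", FIREWALL_EXT_IP, 50000, 80),   # extranet -> web
        Packet("198.51.100.7", FIREWALL_EXT_IP, 50001, 22),   # no mapping for 22
        Packet("198.51.100.7", "192.168.1.10", 50002, 445),   # extranet -> intranet
        Packet(HTTP_SERVER, "192.168.1.10", 40001, 22),       # DMZ -> intranet
        Packet("192.168.1.10", FTP_SERVER, 40002, 21),        # intranet -> ftp
    ]
    for p in samples:
        verdict, out = process(p)
        print(f"{verdict:7s} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  as {out.src}:{out.sport} -> {out.dst}:{out.dport}")
```

The two things worth checking against any real ruleset are the same ones the model makes explicit: that the DMZ hosts are reachable only on the mapped ports, and that a compromised DMZ server still cannot open a connection into the intranet.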

(5) Special ports

If a special port we want to use is not among the firewall's default port definitions, we must add it manually. In the firewall central manager select Advanced Management > Special Objects > Special Port; in the special port definition dialog that appears, click Define New Object, then enter the port number and the zone it applies to.

(6) Other configuration

Finally, open the Tools option to define firewall administrators and their permissions, and the linkage with the IDS. (Figure 8)


Figure 8

Fourth, firewall comparison

Having covered how firewalls work and their basic configuration, here is a brief comparison of basic performance, operation and management, and market price for four of the most common hardware firewalls on the market: the NetScreen 208, Cisco PIX 515E, NGFW4000-S and NetEye 4032.

  

Item                      NetScreen 208                  Cisco PIX 515E            NGFW4000-S                 NetEye 4032
Core technology           stateful inspection            stateful inspection       kernel inspection          stateful inspection
Product type              ASIC hardware appliance        hardware appliance        hardware appliance         hardware appliance
Working modes             routing, bridge                routing, bridge           routing, bridge, mixed     routing, bridge
Concurrent connections    130,000                        130,000                   600,000                    300,000
Throughput                550 Mbit/s                     170 Mbit/s                100 Mbit/s                 200 Mbit/s
Max. network interfaces   8                              6                         12                         8
Operating system          ScreenOS                       dedicated OS              dedicated OS               dedicated OS
Management                serial, CLI, Telnet, Web, GUI  serial, Telnet, Web GUI   serial, Telnet, Web GUI    serial, Telnet, GUI
Market price              142,000 RMB                    80,000 RMB                138,000 RMB                148,000 RMB


