Analysis and Comparison of Three Popular Firewall Configuration Schemes

Source: Internet
Author: User

Source: http://tech.ccidnet.com/

In the era of the network economy, the Internet has entered thousands of households. While we enjoy the Internet, we often leave network security problems behind; in fact, risks are everywhere. A firewall is an important protective measure for network security: it protects networks and systems by monitoring the data that passes through it, allowing or blocking specific packets as required by the administrator, and monitoring and recording all events.

The simplest firewall configuration is to place a single packet-filtering router or application gateway directly between the intranet and the external network. To achieve better security, several firewall technologies are often combined into a firewall system. Three configuration schemes are currently popular.

1. Dual-homed Gateway

This configuration uses a dual-homed host, a machine with two network adapters, as the firewall. The dual-homed host connects the two networks through its two adapters and is also called the bastion host. It runs the firewall software (usually a proxy server), forwards application traffic, and provides services. The dual-homed gateway has a critical weakness: once an intruder breaks into the bastion host and reduces it to a plain router, any outside user can reach the protected internal network (Figure 1).



2. Screened Host Gateway

The screened host gateway is easy to implement, secure, and widely used. It comes in two forms: the single-homed bastion host and the dual-homed bastion host. Consider the single-homed form first. A packet-filtering router connects to the external network, and a bastion host is installed on the internal network. The bastion host has only one NIC, connected to the internal network (Figure 2). Filter rules are normally configured on the router so that the bastion host is the only host reachable from the Internet, which ensures that the internal network is not attacked by unauthorized external users. Access to the Internet by clients on the intranet is controlled by the bastion host and the router.



The dual-homed bastion host differs from the single-homed one in that the bastion host has two NICs, one connected to the internal network and the other to the packet-filtering router (Figure 3). Because the dual-homed bastion host provides proxy services at the application layer, it is more secure than the single-homed form.



3. Screened Subnet

This scheme establishes an isolated subnet between the intranet and the Internet and uses two packet-filtering routers to separate the subnet from the intranet and from the Internet respectively. The two routers are placed at the two ends of the subnet, making it a "buffer zone" (Figure 4). One router controls the intranet data flow and the other controls the Internet data flow; both the intranet and the Internet can reach the screened subnet, but traffic is prohibited from passing straight through it. A bastion host can be installed in the subnet as needed to provide proxy services for access between the internal and external networks, but access from either side must still be filtered by both packet-filtering routers. Servers exposed to the Internet, such as WWW, FTP, and mail servers, can also be placed in the screened subnet so that they are reachable by both external and internal users. This structure offers high security and strong resistance to attack, but it requires more equipment and is more costly.
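As an added example (not code from the original article), the following Python model shows the filtering policy described for the screened host gateway (section 2) and the screened subnet (section 3): an outer router on which the bastion host and the public servers are the only hosts reachable from the Internet, and an inner router that lets internal clients talk only to the bastion, so that intranet-to-Internet traffic must be accepted by both routers. The address ranges, ports, and rule order are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample addressing (an assumption, not from the article).
INTRANET = ipaddress.ip_network("10.0.0.0/8")   # protected internal network
DMZ = ipaddress.ip_network("192.0.2.0/24")      # the screened subnet ("buffer zone")
BASTION = "192.0.2.10"                          # bastion host running the proxy service
Packet = namedtuple("Packet", "src dst dport")

def in_net(addr, net):
    return ipaddress.ip_address(addr) in net

def zone(addr):
    if in_net(addr, INTRANET):
        return "intranet"
    return "dmz" if in_net(addr, DMZ) else "internet"

# A router holds an ordered list of (predicate, verdict); first match wins, no match means deny.
def evaluate(rules, pkt):
    for pred, verdict in rules:
        if pred(pkt):
            return verdict
    return "deny"

# Outer router (Internet side): only the bastion and the public DMZ servers are reachable from
# outside, and intranet addresses are never forwarded across it in either direction.
OUTER_RULES = [
    (lambda p: in_net(p.src, INTRANET) or in_net(p.dst, INTRANET), "deny"),
    (lambda p: p.dst == BASTION and p.dport in (80, 443), "allow"),   # proxy on the bastion
    (lambda p: in_net(p.dst, DMZ) and p.dport in (25, 80), "allow"),   # public mail/web servers
    (lambda p: in_net(p.src, DMZ), "allow"),                           # DMZ-originated traffic
]
# Inner router (intranet side): internal clients reach only the bastion, never the Internet directly.
INNER_RULES = [
    (lambda p: in_net(p.src, INTRANET) and p.dst == BASTION, "allow"),
    (lambda p: p.src == BASTION and in_net(p.dst, INTRANET), "allow"),
]

# Packet-filtering routers on the path between two zones; traffic between the intranet and the
# Internet must be accepted by both routers.
PATH = {
    frozenset({"intranet", "dmz"}): [INNER_RULES],
    frozenset({"dmz", "internet"}): [OUTER_RULES],
    frozenset({"intranet", "internet"}): [INNER_RULES, OUTER_RULES],
}

def decide(pkt):
    """Verdict for one packet: it passes only if every router on its path allows it."""
    hops = PATH.get(frozenset({zone(pkt.src), zone(pkt.dst)}), [])  # same-zone traffic is unfiltered
    return "allow" if all(evaluate(rules, pkt) == "allow" for rules in hops) else "deny"
```

Calling `decide(Packet("198.51.100.7", "10.1.1.5", 445))` returns "deny" because the outer router never forwards intranet addresses, while `decide(Packet("198.51.100.7", BASTION, 443))` returns "allow".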



Of course, a firewall also has its limitations. It cannot prevent intrusions that bypass it; an ordinary firewall cannot block the transfer of software or files infected with viruses; and it does little against attacks from inside the network. In short, a firewall is only one part of an overall security policy, and a firewall alone is not enough. The security policy must also include comprehensive security rules covering network access, local and remote user authentication, dial-in and dial-out access, disk and data encryption, and virus protection.
