Analyze the classification of firewalls at the technical level

Source: Internet
Author: User

Technically, firewalls can be divided into three categories: packet filtering firewalls, application proxy firewalls (application gateway firewalls), and stateful inspection firewalls.
1. Packet Filtering
A packet filtering firewall works at the network layer and transport layer of the OSI reference model. It decides whether a packet is allowed to pass based on header fields such as the source address, destination address, port number and protocol type. Only packets that satisfy the filtering conditions are forwarded to their destination; all other packets are discarded from the data stream.
Packet filtering is a general, cheap and effective security method. It is general because it uses no special processing for any particular network service and therefore applies to all of them. It is cheap because most routers already provide a packet filtering function, so most firewalls of this type are implemented on routers. It is effective because it can meet the security requirements of most enterprises to a large extent.
Over the development of firewall technology, two generations of packet filtering emerged: first-generation static packet filtering and second-generation dynamic packet filtering.
First-generation static packet filtering firewalls appeared almost at the same time as routers. They check each packet against a predefined set of filtering rules to decide whether it matches a rule that lets it pass. The rules are based on the packet header information.
Second-generation dynamic packet filtering firewalls set their filtering rules dynamically, which removes the problems of static packet filtering. This technology later developed into stateful inspection: a firewall using it tracks every connection established through it and adds or updates rule entries dynamically as needed.
The advantage of packet filtering is that client and host applications need no changes, because the firewall works at the network and transport layers and is independent of the application layer. Its weaknesses are just as obvious. The only basis for the decision is the limited information in the network-layer and transport-layer headers, so it cannot fully satisfy the full range of security requirements. Many filters limit the number of rules, and performance drops sharply as the rule count grows. Because there is no context information, protocols such as UDP and RPC (remote procedure call) cannot be filtered effectively. Most filters lack auditing and reporting mechanisms. Since the decision rests on header information alone, the identity of the user cannot be verified, and the filter is vulnerable to address spoofing attacks. It also makes high demands on the skill of the security administrators: when writing the rules they must thoroughly understand the protocol itself and the way different applications use it. For these reasons a packet filter is usually combined with an application gateway to form a complete firewall system.
2. Application Proxy
An application proxy firewall works at the highest layer of the OSI model, the application layer. Its defining characteristic is that it completely isolates the network communication stream: a dedicated proxy program is written for each application service, and through it the communication stream is monitored and controlled at the application layer.
Proxy firewall technology has also gone through two generations: the first-generation application gateway firewall and the second-generation adaptive proxy firewall.
The first-generation application gateway firewall takes part in the whole process of a TCP connection through proxy technology. Packets sent from the inside, once processed by such a firewall, appear to originate from the firewall's external interface, which hides the structure of the internal network. This type of firewall is regarded by network security experts and the media as the most secure kind. Its core technology is the proxy server.
The second-generation adaptive proxy firewall has been widely used in recent years. It combines the security of a proxy firewall with the speed of a packet filtering firewall, improving the performance of the proxy firewall by more than ten times without any loss of security. It consists of two elements: an adaptive proxy server and a dynamic packet filter.
A control channel connects the adaptive proxy server and the dynamic packet filter. When the firewall is configured, the user only needs to set the required service type, security level and similar information through the corresponding proxy management interface. The adaptive proxy then decides, based on the user's configuration and the security policy, whether packets are forwarded through the proxy service at the application layer or directly at the network layer. In the latter case it dynamically passes the filtering rules down to the dynamic packet filter through the control channel, meeting the user's dual requirements for speed and security.
The outstanding advantage of the proxy firewall is security. Because it works at the highest layer, it can filter and protect data communication at any layer of the network, rather than filtering only at the network layer as packet filtering does.
In addition, because the proxy firewall uses a proxy mechanism with a dedicated proxy for each application service, the internal and external networks never communicate directly: every request is reviewed by the proxy, which then makes the connection on the client's behalf. Internal and external hosts never get the chance to talk to each other directly, which keeps data-driven attacks from reaching the intranet.
The biggest shortcoming of the proxy firewall is its relatively slow speed. When users need high throughput between the internal and external networks, the proxy firewall becomes a bottleneck between them. The reason is that the firewall needs a dedicated proxy service for each network service, and it takes time for internal and external users to establish a connection through it, so there is a negative effect on system performance, even if it is not always obvious.
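The connection-breaking behaviour described in this section, as an added example that is not code from the original article: a constructed internal service speaking a made-up one-line protocol, a proxy that terminates the client's connection, checks the request against an application-layer policy (the hypothetical ALLOWED_COMMANDS set) and only then opens its own connection to the service, and a client that sends one request through the proxy. Everything runs on loopback with OS-chosen ports; the service reports the peer port it saw, which is the proxy's port, never the client's.

```python
"""An application-layer (proxy) firewall in miniature.

Added example, not code from the article. Runs entirely on 127.0.0.1 with a
constructed one-line request/reply protocol.
"""
import socket
import threading

ALLOWED_COMMANDS = {"GET"}  # application-layer policy enforced by the proxy (constructed)


def listen_loopback():
    """Bind a listener on 127.0.0.1 with an OS-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(2)  # a service that is never contacted must not block forever
    return srv


def serve_one(listener, handler):
    """Accept at most one connection, pass it to `handler`, then close the listener."""
    try:
        conn, _ = listener.accept()
        with conn:
            handler(conn)
    except socket.timeout:
        pass
    finally:
        listener.close()


def read_line(sock):
    """Read one newline-terminated line from a socket and return it stripped."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.decode().strip()


def internal_service(conn):
    """Constructed backend: echoes the request and reports the peer port it saw."""
    request = read_line(conn)
    peer_port = conn.getpeername()[1]
    conn.sendall(f"OK {request} peer-port={peer_port}\n".encode())


def make_proxy(backend_addr, log):
    """Build the proxy handler; `log` records what the proxy did with each request."""
    def handle(client):
        request = read_line(client)
        command = request.split(" ", 1)[0]
        if command not in ALLOWED_COMMANDS:
            log.append(("denied", request, None))
            client.sendall(b"DENIED\n")
            return
        # A second, separate TCP connection: the proxy talks to the service on
        # the client's behalf, so client and service never exchange packets.
        with socket.create_connection(backend_addr) as upstream:
            proxy_port = upstream.getsockname()[1]
            upstream.sendall((request + "\n").encode())
            reply = read_line(upstream)
        log.append(("relayed", request, proxy_port))
        client.sendall((reply + "\n").encode())
    return handle


def run_demo(request):
    """Send one request through the proxy; return (reply, client_port, log)."""
    backend, proxy = listen_loopback(), listen_loopback()
    backend_addr, proxy_addr = backend.getsockname(), proxy.getsockname()
    log = []
    threads = [
        threading.Thread(target=serve_one, args=(backend, internal_service), daemon=True),
        threading.Thread(target=serve_one, args=(proxy, make_proxy(backend_addr, log)), daemon=True),
    ]
    for t in threads:
        t.start()
    with socket.create_connection(proxy_addr) as client:
        client_port = client.getsockname()[1]
        client.sendall((request + "\n").encode())
        reply = read_line(client)
    for t in threads:
        t.join(timeout=5)
    return reply, client_port, log


if __name__ == "__main__":
    print(run_demo("GET /index"))
    print(run_demo("PUT /index"))
```

The reply's peer-port field equals the port the proxy used for its upstream connection, which is the concrete form of the section's point: the internal service only ever has a TCP peer that is the firewall. A disallowed command is answered by the proxy itself and never produces a connection to the service, which is also why the proxy costs a full extra connection setup per request.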
3. Stateful Inspection
Stateful inspection is an effective security control method. It is a firewall technology that grew out of combining packet filtering and application proxy technology. It uses a module called the inspection engine, which extracts data from all layers of the network communication and monitors them without affecting normal network operation, and it makes its security decisions according to the various filtering rules.
Stateful inspection not only analyzes the header of each packet (protocol, addresses, ports, type and so on) but also provides session filtering. When a connection is established, the firewall constructs a session state for it that holds all the information about that connection's packets, and the connection is handled from then on according to that state. The advantage of this inspection method is that it can monitor the content of the packets: once a session is established, later data transfer is judged against the session state. For example, if the port number of a connected packet is 8000, then during the later data transfer the firewall checks whether the source port of each packet is still 8000, and if it is not, the packet is intercepted. Session state is kept only for a limited period: if no data is transferred within the timeout, the session state is discarded. Because stateful inspection can analyze packet content, it is free of the limitation of traditional firewalls that check only header information. Moreover, this type of firewall does not need to open many ports, which further eliminates the security risk created by too many open ports.
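The contrast between the packet filtering section above (header-only rules with no memory, vulnerable to address spoofing, unable to relate a reply to its request) and this section (a connection state table consulted for every later packet, with an idle timeout) as an added example that is not code from the original article. It replays a constructed trace, with made-up addresses, ports and timestamps, through a first-generation static filter and through a toy stateful engine; the policy, the reply-hole rule and the 30-second timeout are assumptions for the demonstration. The static filter must add a standing "anything from port 8000 inbound" rule to let replies back in, and that rule also admits an unsolicited packet from a host that was never contacted; the stateful engine admits the genuine reply because a session exists, drops the unsolicited packet, and drops a packet on a session that idled past the timeout.

```python
"""Static packet filtering versus stateful inspection, as a toy model.

Added example, not code from the article. Replays a constructed packet trace
through a header-only static filter and through a session-tracking engine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag: the first packet of a connection
    t: float = 0.0      # arrival time in seconds (constructed)


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str = "any"    # exact address or "any"
    sport: int = 0      # exact port or 0 for any
    dst: str = "any"
    dport: int = 0
    action: str = "accept"


def _matches(rule, pkt):
    return (rule.proto == pkt.proto
            and rule.src in ("any", pkt.src)
            and rule.sport in (0, pkt.sport)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (0, pkt.dport))


def static_filter(rules, pkt):
    """Header-only decision, first matching rule wins, default deny.
    No memory: a reply can only be admitted by a standing rule."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "drop"


class StatefulFirewall:
    """Session table keyed on the 5-tuple. The static rules are consulted only
    for the first packet of a flow; later packets in either direction are judged
    by the table, and idle entries are discarded after `timeout` seconds."""

    def __init__(self, rules, timeout=30.0):
        self.rules = rules
        self.timeout = timeout
        self.sessions = {}  # 5-tuple -> time last seen

    def inspect(self, pkt):
        # Expire idle sessions first, as the text describes.
        self.sessions = {k: seen for k, seen in self.sessions.items()
                         if pkt.t - seen <= self.timeout}
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key in (fwd, rev):
            if key in self.sessions:
                self.sessions[key] = pkt.t
                return "accept"
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"  # mid-stream TCP segment with no session is never admitted
        if static_filter(self.rules, pkt) == "accept":
            self.sessions[fwd] = pkt.t
            return "accept"
        return "drop"


# Constructed policy: intranet host 10.0.0.5 may open TCP connections to 203.0.113.10:8000.
POLICY = [Rule("tcp", src="10.0.0.5", dst="203.0.113.10", dport=8000)]
# What a static filter must add so replies from port 8000 get back in; the rule
# cannot tell a genuine reply from an unsolicited packet with the same header.
POLICY_WITH_REPLY_HOLE = POLICY + [Rule("tcp", sport=8000, dst="10.0.0.5")]

# Constructed trace; 198.51.100.7 is an outside host that was never contacted.
TRACE = [
    ("request", Packet("tcp", "10.0.0.5", 40001, "203.0.113.10", 8000, syn=True, t=0.0)),
    ("reply", Packet("tcp", "203.0.113.10", 8000, "10.0.0.5", 40001, t=1.0)),
    ("unsolicited", Packet("tcp", "198.51.100.7", 8000, "10.0.0.5", 40001, t=2.0)),
    ("after-timeout", Packet("tcp", "10.0.0.5", 40001, "203.0.113.10", 8000, t=60.0)),
]


def run_trace():
    """Return {label: (static strict, static with reply hole, stateful)} verdicts."""
    engine = StatefulFirewall(POLICY, timeout=30.0)
    return {label: (static_filter(POLICY, p),
                    static_filter(POLICY_WITH_REPLY_HOLE, p),
                    engine.inspect(p))
            for label, p in TRACE}


if __name__ == "__main__":
    for label, (strict, hole, stateful) in run_trace().items():
        print(f"{label:14s} strict={strict:6s} reply-hole={hole:6s} stateful={stateful}")
```

The "after-timeout" row is the behaviour the text describes for an idle session: the static filter still accepts the packet because the header matches a rule, while the stateful engine has discarded the session and, with no SYN, refuses to start a new one. The same structure is what lets a stateful firewall keep the high ports closed that a static filter has to leave open for replies.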
Based on the above, the three types of firewall have different characteristics. The comparison is as follows.
Packet filtering firewall: does not inspect the data area; no connection state table is built; earlier and later packets are unrelated; application-layer control is weak.
Application gateway: does not inspect the IP and TCP headers; no connection state table is built; network-layer protection is weak.
Stateful inspection firewall: does not inspect the data area; a connection state table is built; earlier and later packets are related; application-layer control is weak.
