Firewall design principles and key points (1): Choice of approach

Source: Internet
Author: User
Tags: filter, require, firewall, linux

1. Platform: hardware or software?

Firewalls now carry ever more features, and all of those features demand efficient processing from the underlying system.

By implementation, firewalls divide into software firewalls and hardware firewalls. The representative software firewall is Check Point's FireWall-1, which on Linux loads its filtering function through the kernel's dev_add_pack() interface (I have not analysed other operating systems; presumably they do something similar) and implements the firewall's features and optimizations by working at the bottom of the operating system. There are some products in China marketed as software firewalls, but as far as I understand most of them are so-called "personal" firewalls with very limited functionality, and they are outside the scope of this discussion.

Among the firewalls in China that have passed Ministry of Public Security inspection, hardware firewalls are the overwhelming majority. Hardware firewalls come in two kinds. In the first, hardware and software are both purpose-designed; NetScreen is the typical example, with its own software and a hardware stage built on a dedicated ASIC.

The second kind is the so-called hardware firewall: a PC-architecture box running a customized general-purpose operating system. At present the overwhelming majority of domestic firewalls are of this type.

Even among so-called hardware firewalls there is a huge gap between domestic and foreign vendors. A hardware firewall needs hardware and software working together. The usual practice of foreign vendors is to have the software drive the hardware: the platform they design or select may not itself be high-performance, but the main operation (table lookup, which is most of what a firewall does) is moved into a chip to relieve the host CPU. Domestic vendors build their firewalls on ordinary PC or industrial PC hardware (the direct reason being the saved hardware development cost), so the only way they can raise performance is a faster CPU and more memory. A typical domestic firewall today is: industrial motherboard + x86 CPU + 128 (or 256) MB of memory + DOC/DOM flash storage + hard disk (or no hard disk, with a separate log server) + gigabit network cards, that is, an industrial PC.

On the software side the gap between domestic and foreign vendors is even wider. Some well-known foreign vendors use a dedicated operating system and design their own firewall code, whereas every domestic vendor, without exception, builds on stock Linux. The difference between them is simply how much they change the Linux system itself and its firewall part (ipchains in the 2.2 kernel, netfilter in 2.4).

In fact Linux is simply a general-purpose operating system with no optimization for firewall work, and its ability to handle large volumes of traffic has never been remarkable, sometimes even poor (which is why Linux has always been the darling of low-end servers); in my view it is inferior to the BSD family in this respect. BSD-based firewalls are said to be in use abroad, but I have not yet seen one in China. Today the vast majority of vendors, including the one that calls itself the largest in China, do little more on the software side than trim the system down, make small changes to the firewall code (most make none at all) and apply a few system patches. When analysing vendors' products it is worth watching for this: any vendor that had made substantial changes to the system itself would certainly treat that as a major selling point and trumpet it loudly; unfortunately none seems to have anything of the kind to promote (Check Point seems to have something similar, its Open Security Application Interface / Topsec, but how much work it actually does still needs careful study).

Domestic vendors have by now recognized this problem, and some are doing low-level work, but clear results do not seem to have appeared yet.

The rest of this discussion concerns only firewalls based on Linux (or another general-purpose operating system) running on PC-architecture hardware; unless stated otherwise, everything below assumes that platform.

2. Kernel and firewall design

There is a commercial selling point now in vogue: the "fourth-generation firewall built on a secure operating system". (On firewall generations there has been much discussion; the most consistent scheme calls packet-filtering firewalls the first generation; application-layer firewalls, which usually combine packet filtering as well and are therefore also called hybrid firewalls, the second generation; firewalls that add inspection of the communication, that is, stateful inspection and application monitoring, the third generation; and firewalls that on that basis also adopt a secure operating system the fourth generation.) The so-called secure operating system is in most cases still Linux, the difference being some kernel hardening and simple modification work, mainly the following:

removing dangerous system calls, or intercepting system calls and altering them slightly (for example by loading some LKMs, loadable kernel modules);

restricting command execution permissions;

disabling IP forwarding;

checking the interface each packet arrives on;

using randomized connection sequence numbers;

a resident packet filtering module;

disabling dynamic routing;

adopting multiple security kernels (this one has been presented, but I have not seen it and it is not clear what it means).

Most of this work involves no major change to the kernel source, so in my personal view it should not be over-hyped.

For the firewall part, most domestic products have moved up to the netfilter framework supported by the 2.4 kernel. netfilter is already a full-featured firewall framework and supports stateful inspection (implemented through the connection tracking modules). It is also a reasonably designed one: the required processing functions are registered at the appropriate hook points, and many are registered in the official code already; for example, the packet filtering registered at the NF_IP_FORWARD hook is implemented by such officially registered functions. We can register our own processing functions in the same way to extend the functionality (adding a simple IDS feature, and so on). This is where domestic vendors can make something of their own; changing the netfilter source itself does not seem realistic for them.
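To make the hook model concrete, here is an added example (written for this edit, not code from the article or from netfilter itself): a small user-space model of how a netfilter-style framework keeps a chain of registered functions per hook point, orders them by priority, and stops at the first DROP. Three hooks are registered at the FORWARD point: the "check the interface of each packet" item from the hardening list above, an ordinary packet-filter rule, and a toy IDS. The internal network 10.0.0.0/8, the external interface name eth0, the addresses and the payload signature are all assumptions constructed for the example; the function names only mimic netfilter's.

```c
/* Added example, not from the original article: a user-space model of how a
 * netfilter-style framework runs the hook functions registered at one hook
 * point in priority order, stopping at the first DROP. Addresses, interface
 * names and payloads are constructed; names mimic netfilter, this is not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NF_DROP   0
#define NF_ACCEPT 1
enum { HOOK_PRE_ROUTING, HOOK_LOCAL_IN, HOOK_FORWARD, HOOK_LOCAL_OUT, HOOK_POST_ROUTING, HOOK_MAX };

struct pkt {
    const char *in_dev;        /* interface the packet arrived on */
    uint32_t    saddr, daddr;  /* IPv4 addresses, host byte order */
    uint8_t     proto;         /* 6 = TCP */
    uint16_t    sport, dport;
    const char *payload;
};
/* A hook returns a verdict and, on DROP, writes the reason into why. */
typedef int (*hookfn)(const struct pkt *p, char *why, size_t whylen);
struct hook_ops { hookfn fn; int hooknum; int priority; /* lower value runs first */ };

#define MAX_HOOKS 8
static struct hook_ops *chains[HOOK_MAX][MAX_HOOKS];
static int nhooks[HOOK_MAX];

/* Register ops at its hook point, keeping that chain sorted by priority. */
int model_register_hook(struct hook_ops *ops)
{
    int h = ops->hooknum, i;
    if (h < 0 || h >= HOOK_MAX || nhooks[h] >= MAX_HOOKS) return -1;
    for (i = nhooks[h]; i > 0 && chains[h][i - 1]->priority > ops->priority; i--)
        chains[h][i] = chains[h][i - 1];          /* shift later hooks up one slot */
    chains[h][i] = ops;
    nhooks[h]++;
    return 0;
}

/* Walk the chain: the first hook that says DROP ends the walk. */
int model_hook(int hooknum, const struct pkt *p, char *why, size_t whylen)
{
    if (whylen) why[0] = '\0';
    for (int i = 0; i < nhooks[hooknum]; i++)
        if (chains[hooknum][i]->fn(p, why, whylen) == NF_DROP) return NF_DROP;
    return NF_ACCEPT;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define INTERNAL_NET  IP4(10, 0, 0, 0)   /* assumed inside network, 10.0.0.0/8 */
#define INTERNAL_MASK 0xff000000u
#define EXTERNAL_DEV  "eth0"             /* assumed outside interface */

/* "Check the interface of each packet": an internal source address arriving on
 * the external interface is spoofed and is dropped before any other rule runs. */
static int iface_check(const struct pkt *p, char *why, size_t n)
{
    if (strcmp(p->in_dev, EXTERNAL_DEV) == 0 && (p->saddr & INTERNAL_MASK) == INTERNAL_NET) {
        snprintf(why, n, "spoofed internal source on %s", p->in_dev);
        return NF_DROP;
    }
    return NF_ACCEPT;
}
/* Plain packet-filter rule: no telnet (TCP/23) into the internal network. */
static int pkt_filter(const struct pkt *p, char *why, size_t n)
{
    if (p->proto == 6 && p->dport == 23 && (p->daddr & INTERNAL_MASK) == INTERNAL_NET) {
        snprintf(why, n, "telnet to internal host denied");
        return NF_DROP;
    }
    return NF_ACCEPT;
}
/* Toy IDS hook: a single constructed payload signature. */
static int simple_ids(const struct pkt *p, char *why, size_t n)
{
    if (p->payload && strstr(p->payload, "/etc/passwd")) {
        snprintf(why, n, "IDS signature matched");
        return NF_DROP;
    }
    return NF_ACCEPT;
}

static struct hook_ops ops_iface  = { iface_check, HOOK_FORWARD, -200 };
static struct hook_ops ops_filter = { pkt_filter,  HOOK_FORWARD,    0 };
static struct hook_ops ops_ids    = { simple_ids,  HOOK_FORWARD,  100 };

/* Install the three hooks once, deliberately out of priority order, to show
 * that the chain is ordered by priority rather than by registration order. */
void install_forward_hooks(void)
{
    static int done;
    if (done) return;
    done = 1;
    model_register_hook(&ops_ids);
    model_register_hook(&ops_filter);
    model_register_hook(&ops_iface);
}
int hooks_at(int hooknum) { return nhooks[hooknum]; }

/* Run one packet through the FORWARD point; returns NF_ACCEPT or NF_DROP. */
int forward_verdict(const struct pkt *p, char *why, size_t whylen)
{
    install_forward_hooks();
    return model_hook(HOOK_FORWARD, p, why, whylen);
}

int main(void)
{   /* constructed traffic: outside host 203.0.113.9 reaching inside host 10.0.0.7 */
    struct pkt telnet = { "eth0", IP4(203, 0, 113, 9), IP4(10, 0, 0, 7), 6, 40001, 23, "" };
    struct pkt web    = { "eth0", IP4(203, 0, 113, 9), IP4(10, 0, 0, 7), 6, 40002, 80, "GET /index.html" };
    char why[80];
    printf("telnet: %d %s\n", forward_verdict(&telnet, why, sizeof why), why);
    printf("web:    %d %s\n", forward_verdict(&web, why, sizeof why), why);
    return 0;
}
```

The point to notice is the priority ordering: the anti-spoofing interface check is registered last but runs first, so a spoofed packet is reported as spoofed rather than as a telnet violation, exactly as a real netfilter chain would order a low-priority-number hook before the filter table. Adding an IDS is just one more registration; nothing in the framework itself changes.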

I have not yet seen any other firewall model adopted (perhaps netfilter is already well enough designed that little more work is needed).

3. Self-protection (security of the firewall itself)

Because of the firewall's special role and special position it is naturally a target for many attackers, so its ability to protect itself must come first in the design process.

A. Security of management

Firewalls require a management interface, and how to design the management process so that it is secure is an important question. There are currently two options.
