How to identify the actual functional differences between firewalls _ Web surfing

Some problems often confuse users: in the function of products, the description of each manufacturer is very similar, some "up-and-comer" and well-known brands are very much alike. In the face of this situation, how to identify?

Products described very similar, even the same functionality, in the implementation of the specific, usability and ease of use, the individual difference is very obvious.

First, the network layer of access control

All firewalls must have this feature, otherwise they cannot be called firewalls. Of course, most routers can also implement this function through their own ACLs.

1. Rule edits

The access control of the network layer is mainly reflected in the rules of the firewall editing, we must investigate: the network layer of access control can be expressed through the rules? Is the granularity of access control thin enough? Does the same rule provide control at different time periods? Does the rule configuration provide a friendly interface? Can it easily embody the security will of network management?

2. Ip/mac Address Binding

The same is Ip/mac address binding function, some details must be inspected, such as firewall can achieve IP address and MAC address automatic collection? Do you provide an appropriate alert mechanism for access violations of the IP/MAC address binding rules? Because these functions are very practical, if the firewall can not provide IP address and automatic collection of MAC addresses, network management may be forced to take other means to obtain the IP and MAC address of the user under the jurisdiction, it will be a very tedious job.

3, NAT (network address translation)

This function of the original router has evolved into one of the standard functions of the firewall. But to this one function, each factory realizes the difference is very big, many manufacturers realize the NAT function to have the very big problem: difficult to configure and use, this will cause the network administrator to bring the huge trouble. We must learn the principle of NAT, improve the level of network knowledge, through analysis and comparison, to find a NAT configuration and use of simple to deal with the firewall.

Access control of Application layer

This function is the strength of each firewall manufacturer competition point, is also the most brilliant place. Because a lot of firewall based on free operating system can have State monitoring module (because Linux, FreeBSD and other kernel modules already support state monitoring), but the control of the application layer cannot realize "copycat", need real programming.

On the control of the application layer, the following points can be examined when choosing a firewall.

1. Do you provide content filtering for the HTTP protocol?

In the current enterprise network environment, the two main applications are WWW access and email. The fine granularity of control over WWW access reflects the technical strength of a firewall.

2. Do you provide content filtering for the SMTP protocol?

More and more attacks on e-mail messages: Mail bombs, mail viruses, leaking confidential information, etc., can provide content filtering based on SMTP protocol and filtering granularity has become the focus of attention of users.

3. Do you provide content filtering for the FTP protocol?

In the review of this function must be careful, many manufacturers of firewalls are advertised with FTP content filtering, but careful contrast will find that most of them only implemented the FTP protocol in the control of two commands: Put and get. A good firewall should be able to control all other FTP commands, including CDs, LS, and so on, to provide command-level control, to achieve access control of directories and files, all filters support wildcard characters.

III. Management and Certification

This is a very important function of the firewall. At present, the firewall management is divided into Wui management mode based on Web interface, GUI management method based on graphical user interface and management method based on CLI of command line.

In a variety of ways, the CLI approach based on the command-line is the least suitable for firewalls.

The Wui and GUI management methods have their own advantages and disadvantages.

Wui management is simple, without specialized management software, as long as the browser is available; At the same time, Wui management interface is very suitable for remote management, as long as the firewall is configured with a IP, can be implemented in the United States to manage the firewall in China.

Wui form of the firewall also has disadvantages: first, the Web interface is very unsuitable for complex, dynamic page display, the General Wui interface is difficult to display rich statistical charts, so for audit, statistical function requirements more stringent users, try not to choose Wui way; It will cause a firewall management security threat to increase, if the user at home through the browser to manage the firewall in the company, the trust relationship relies only on a simple username and password, hackers can easily guess the password, which increases the security threat.

GUI is the most commonly used firewall in the current way. This approach is characterized by a professional, can provide a wealth of management functions, easy for administrators to configure the firewall. But the disadvantage is that there is a need for specialized management-side software, while there is no WUI management flexibility in remote and centralized management.

Iv. audit and logging and storage methods

At present, most firewalls provide audit and log functions, the difference is that the size of the audit of different granularity, the storage of the log and the amount of storage.

Many firewalls have a weak audit and logging function, especially in firewalls that use the DOM, doc, and other electronic disks (which do not provide network database support) as storage media, and some do not even distinguish between event logs and access logs. If you need a rich audit and logging capabilities, you need to examine the way the firewall storage, if the DOM, doc and other flash electronic disk storage mode, will likely limit the audit and log function effect.

At present, the vast majority of firewall audit log using hard disk storage, the advantage of this way is to store a large number of logs (g to dozens of g), but in some extreme cases, such as abnormal power off, hard disk damage is often more serious than the damage of the electronic disk.

A good firewall should provide a variety of storage methods for users to choose and use flexibly.

V. How to distinguish between packet filtration and state monitoring

Some small companies in order to promote their own firewall products, often declared that the use of State monitoring technology; On the surface, we are apt to be deluded. Here are some tips for distinguishing between these two techniques.

1. Do you provide real-time connection status view?

Stateful monitoring firewalls provide the ability to view the current connection state and the interface, and can instantly disconnect the current connection, which should have rich information, including IP, port, connection status, connection time, and so on, and simple packet filtering does not have this feature.

2. Do you have a dynamic rules library?

Some application protocols use not only a single connection and a port, they often do an application-level operation through a series of associated connections. For example, the FTP protocol, the user command is transmitted through the 21-port connection, and the data through another temporarily established connection (the default source port is 20, in passive mode is a temporary allocation of the port) transmission. For such an application, it is difficult for a packet filtering firewall to simply set a security rule, often having to open all access to the source port of 20.

Stateful monitoring firewalls can support dynamic rules by automatically allowing legitimate connections to enter through the process of tracking application-tier sessions, and prohibiting other connection requests that do not conform to session state. For FTP, only a firewall to set a 21-port access rules, you can guarantee the normal FTP transmission, including passive way of data transmission. This feature not only makes the rules simpler, but also eliminates the risk of having to open all 20 ports.