Let's look at firewalls and routers through a hacker's eyes.

Source: Internet
Author: User
Tags: connection reset

Firewalls have become a key part of enterprise network construction. However, many users think that since the network already has routers, which can implement some simple packet filtering, there is no reason to use a firewall as well. The following is a security comparison between the NetEye firewall and the Cisco router, the most widely used and representative router in the industry. It explains why a user's network should include both a router and a firewall.

I. The two devices have different backgrounds

1. The two devices have different origins

The router arose from the need to route network packets. What a router needs to do is to route packets between different networks efficiently. Why a packet is being routed, whether it should be routed at all, and whether routing it causes a problem are not the router's concern. Its only concern is: can packets from different network segments be routed so that the hosts can communicate?

Firewalls arose from people's security requirements. Whether packets arrive correctly, when they arrive, and in which direction they travel are not the firewall's focus. Its focus is whether a packet (or a series of packets) should be allowed through at all, and whether it will cause harm to the network.

2. Different fundamental purposes

The fundamental purpose of a router is to keep the network and its data "accessible".

The fundamental purpose of a firewall is to ensure that any non-permitted packet is "inaccessible".

II. Differences in core technologies

The core of a Cisco router is its ACL (access control list), which is based on simple, stateless packet filtering. In terms of firewall technology, the NetEye firewall performs application-level information-flow filtering built on stateful packet filtering.

Brief application description: a host on the enterprise intranet provides a service to the intranet through a router (assume the service listens on tcp port 1455). To ensure security, the router must be configured to allow only the client to access tcp port 1455 of the server.

With this configuration, the remaining security vulnerabilities are as follows:

1. IP address spoofing (abnormal connection reset)

2. TCP spoofing (session replay and hijacking)

The cause of both risks is that the router cannot monitor TCP state: a packet whose source address and ports match the ACL is forwarded whether or not it belongs to a real connection. If a NetEye firewall is placed between the client and the router on the intranet, the vulnerability can be eliminated completely, because the NetEye firewall tracks TCP state and generates TCP sequence numbers randomly. At the same time, the NetEye firewall's one-time password client authentication function can implement user access control while remaining completely transparent to the application; its authentication supports the standard RADIUS protocol and a local authentication database, can fully interoperate with third-party authentication servers, and implements role separation.
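To make the difference between the two filtering models concrete, here is an added example (not code from the article or from either vendor) that simulates a stateless router ACL beside a minimal stateful filter for the tcp 1455 scenario above. The addresses, the ports and the packet sequence are constructed; the stateful filter's strict "exact next sequence number" rule is a simplification of the window a real stack would accept.

```python
from dataclasses import dataclass

# Constructed addresses for the scenario in the text: one intranet server on
# tcp/1455 and the single client that the ACL is supposed to permit.
SERVER_IP, SERVER_PORT = "10.0.0.10", 1455
CLIENT_IP = "10.0.1.20"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "SYN", "SYN-ACK", "ACK", "RST" or "FIN"
    seq: int
    length: int = 0     # payload bytes carried


def router_acl(p: Packet) -> bool:
    """Stateless filter in the style of a plain router ACL: it looks at the
    headers of each packet in isolation and remembers nothing between packets.
    Permits client -> server:1455 and the reverse direction, nothing else."""
    return ((p.src, p.dst, p.dport) == (CLIENT_IP, SERVER_IP, SERVER_PORT)
            or (p.src, p.sport, p.dst) == (SERVER_IP, SERVER_PORT, CLIENT_IP))


class StatefulFilter:
    """Stateful inspection: a packet must belong to a flow whose handshake the
    filter saw, and must carry the sequence number that flow expects next."""

    def __init__(self) -> None:
        self.expected = {}  # (src, dst, sport, dport) -> next expected seq

    def accept(self, p: Packet) -> bool:
        if not router_acl(p):            # the static rule still applies first
            return False
        key = (p.src, p.dst, p.sport, p.dport)
        if p.flags == "SYN" and p.src == CLIENT_IP:
            self.expected[key] = p.seq + 1
            self.expected[(p.dst, p.src, p.dport, p.sport)] = None  # server seq unknown yet
            return True
        if key not in self.expected:
            return False                 # ACL-permitted but unsolicited: drop
        if self.expected[key] is not None and p.seq != self.expected[key]:
            return False                 # wrong seq: spoofed RST, replay or hijack
        consumed = p.length + (1 if p.flags in ("SYN", "SYN-ACK", "FIN") else 0)
        self.expected[key] = p.seq + consumed
        if p.flags == "RST":
            self.expected.pop(key, None)  # a genuine reset tears the flow down
        return True
```

A forged RST or a replayed data segment that copies the client's address and ports passes `router_acl` but is dropped by `StatefulFilter`, which is the gap the text describes.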

Although the "Lock-and-Key" function of a router can authenticate users through dynamic access control lists, this feature requires the router to run the Telnet service, and users must Telnet to the router to use it. That is both inconvenient and insecure (an open port creates an opportunity for attackers).
