Technology evolution and development trend of hardware firewall


The firewall is the first barrier of network security; it is also the largest segment of the security market, and its technology is relatively mature. To help readers understand how hardware firewalls have evolved and where they are heading, this article summarizes some of that knowledge. Hardware firewall products fall into three architectural categories: the general-purpose processor architecture represented by x86, the ASIC architecture, and the more recent NP (network processor) architecture.

In terms of capabilities, a firewall mainly provides the following: access control (for example ACL-based access control and NAT), VPN, routing, authentication and encryption, logging, management, attack prevention, and so on.

To meet diverse networking requirements, reduce the user's need for other specialized equipment, and lower the cost of network construction, the firewall is often combined with other networking technologies: support for DHCP server, DHCP relay, dynamic routing, dial-up, PPPoE and similar features; support for WAN links; transparent mode (bridge mode); content filtering (such as URL filtering); anti-virus; and IDS.

Stateful inspection technology

Stateful inspection monitors each connection over its whole life, from initiation to termination. Some protocols, such as FTP and H.323, are stateful: the firewall must analyze the protocol to know when, and in which direction, a particular connection should be allowed in and when it should be closed.

A stateful firewall can decode a specific protocol, so its security is also better. Some firewalls can detect and filter harmful FTP, SMTP and similar commands, but because this decoding and analysis happens at the application layer, processing is relatively slow; to address this, some firewalls adopt an adaptive mode, which makes processing much faster.
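As an added illustration of the FTP decoding described above (example code, not from the article or any vendor), the toy firewall below tracks the control channel and opens a pinhole for the data connection only after it sees a `PORT` command or a `227` passive-mode reply. All addresses and ports are constructed.

```python
import re
# Added example (not from the article): a toy stateful firewall that decodes the
# FTP control channel to learn which data connections to expect. Sessions are
# (client_ip, client_port, server_ip, server_port); pinholes allow src_port None.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(match):
    """Turn FTP's six comma-separated numbers into (ip, port)."""
    g = [int(x) for x in match.groups()]
    return ".".join(map(str, g[:4])), g[4] * 256 + g[5]

class StatefulFirewall:
    def __init__(self):
        self.sessions = set()   # accepted connections
        self.expected = set()   # pinholes learned by decoding the control channel

    def outbound_syn(self, client, cport, server, sport):
        """Policy: inside hosts may open new connections only to FTP control (21)."""
        if sport == 21:
            self.sessions.add((client, cport, server, sport))
        return "ACCEPT" if sport == 21 else "DROP"

    def packet(self, src, sport, dst, dport, payload=b""):
        """Accept packets of known sessions or expected data connections; drop the rest."""
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.sessions:            # client -> server, may carry PORT
            self._track(fwd, PORT_RE, payload, active=True)
            return "ACCEPT"
        if rev in self.sessions:            # server -> client, may carry 227
            self._track(rev, PASV_RE, payload, active=False)
            return "ACCEPT"
        for hole in (fwd, (src, None, dst, dport)):
            if hole in self.expected:       # first packet of an expected data connection
                self.expected.discard(hole)
                self.sessions.add(fwd)
                return "ACCEPT"
        return "DROP"

    def _track(self, session, regex, payload, active):
        m = regex.match(payload.decode("ascii", "replace"))
        if not m:
            return
        client, _, server, _ = session
        ip, port = decode_hostport(m)
        if active and ip == client:         # PORT: server connects from port 20 to the client;
            self.expected.add((server, 20, client, port))   # a PORT naming another host is ignored
        elif not active:                    # 227: client connects to the advertised server port
            self.expected.add((client, None, server, port))
```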

Another feature of the stateful firewall is that when a SYN flood attack is detected, a proxy is started. From that point, if a session's source IP is forged, the three-way handshake cannot be completed, so the attack packets never reach the server, while packets from normal access can still get through.
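The SYN proxy behaviour just described, as an added example (not code from the article): the firewall answers every SYN itself with a cookie-derived sequence number and forwards the connection to the protected server only when the client's ACK returns that cookie, so a forged source that never sees the SYN-ACK never reaches the server. `SECRET` and all addresses are constructed, and the cookie is a simplified HMAC rather than the RFC 4987 encoding.

```python
import hmac, hashlib, random

# Added example (not from the article): a toy SYN proxy. Assumption: SECRET is a
# per-device key; the cookie is a simplified HMAC, not the RFC 4987 layout.
SECRET = b"constructed-secret"

def syn_cookie(src, sport, dst, dport):
    """Stateless 32-bit cookie bound to the 4-tuple, used as the SYN-ACK sequence number."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class SynProxy:
    def __init__(self):
        self.server_sessions = set()   # only verified clients are connected to the server

    def on_syn(self, src, sport, dst, dport):
        """Reply with SYN-ACK; no per-SYN state is kept and nothing is sent to the server."""
        return ("SYN-ACK", syn_cookie(src, sport, dst, dport))

    def on_ack(self, src, sport, dst, dport, ack):
        """Complete the handshake only if ack == cookie + 1 for this exact 4-tuple."""
        if ack != (syn_cookie(src, sport, dst, dport) + 1) & 0xFFFFFFFF:
            return "DROP"
        self.server_sessions.add((src, sport, dst, dport))
        return "FORWARD"

def simulate_spoofed_syns(proxy, n, dst="203.0.113.10", dport=80):
    """Constructed flood: n SYNs from random forged sources; no ACK ever comes back."""
    rng = random.Random(1)
    for _ in range(n):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        proxy.on_syn(src, rng.randrange(1024, 65535), dst, dport)
    return len(proxy.server_sessions)   # how many forged sources reached the server

def legitimate_client(proxy, src="198.51.100.4", sport=51000, dst="203.0.113.10", dport=80):
    """A real host receives the SYN-ACK and answers with cookie + 1."""
    _, seq = proxy.on_syn(src, sport, dst, dport)
    return proxy.on_ack(src, sport, dst, dport, (seq + 1) & 0xFFFFFFFF)
```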

Technology Trends

Firewalls are developing toward higher speed, more functions, and greater security.

From the results of previous tests at home and abroad, a major limitation of current firewalls is insufficient speed. Using ASICs, FPGAs or network processors is the main way to build a high-speed firewall; of these, the network processor is the best choice, because it is programmed in microcode and can be upgraded at any time as needed, even to support IPv6, whereas the other approaches are not so flexible.

Algorithms are also key to implementing a high-speed firewall; because a network processor integrates many hardware coprocessor units, high speed is easier to achieve with it.

For firewalls that use a pure CPU, algorithmic support is essential, for example an ACL matching algorithm. In some current application environments, hundreds or even tens of thousands of rules are applied; without algorithmic support, session establishment on a stateful firewall becomes very slow.

Limited by existing technology, there is no effective method for high-speed inspection at the application layer, and no chip can do it. Therefore, it is not appropriate for a firewall to integrate content filtering, anti-virus and IDS features (except for IDS below the transport layer, which is less CPU-intensive). For IDS, the most common approach is to mirror network traffic to the IDS device, which avoids network congestion when traffic is heavy. In addition, the application layer has many vulnerabilities and the attack signature library needs frequent updates, so it is unrealistic to upgrade a firewall that sits at the key position of the network exit that often.

Multi-functionality is another direction of firewall development. Given that routers and firewalls are both relatively expensive and networking environments are increasingly complex, users generally hope that the firewall can support more functions to meet networking needs and save investment. For example, a firewall that supports a WAN port does not compromise security, but in some cases it can save the user a router, and supporting some router protocols (routing, dial-up, and so on) better meets networking needs; IPsec VPN can be used to build secure dedicated channels, which is both secure and saves the investment of a leased line.

The operating system of future firewalls will be more secure. With the development of algorithms and chip technology, firewalls will be more involved in application-layer analysis and provide more security for applications.
