Firewalls have become a key component of enterprise network construction. Yet many users ask: the network already has a router, and a router can do some simple packet filtering, so why use a firewall as well? The following compares the security aspects of the Neteye Firewall with the industry's most widely deployed and representative Cisco routers, to explain why a network that already has a router still needs a firewall.
I. The two kinds of device emerged from different backgrounds
1. The two kinds of device were created for different reasons
Routers arose from the need to route network packets. A router's job is to route packets efficiently between different networks; why a packet is being routed, whether it should be routed, and whether anything goes wrong after it has been routed are not its concern. What it cares about is whether packets from different network segments are routed so that the segments can communicate.
Firewalls are the result of people's need for security. Whether a packet arrives correctly, when it arrives and in which direction are not the firewall's focus; its focus is whether this packet (or series of packets) should be allowed through at all, and whether it will cause harm once it is inside the network.
2. Different fundamental purposes
The fundamental purpose of a router is to keep the network and its data "flowing through".
The fundamental purpose of a firewall is to ensure that any packet that is not permitted "does not get through".
II. Differences in core technology
The core of a Cisco router, its ACL, is based on simple packet filtering. From the perspective of firewall technology, the Neteye Firewall is based on stateful packet filtering and application-level information-flow filtering.
The following figure shows one of the simplest applications: a host on the intranet provides a service through the router (assume the service listens on TCP port 1455). To ensure security, an ACL is configured on the router's outside interface that permits only client access to the server's TCP port 1455 and rejects everything else.
With this configuration, the security vulnerabilities are as follows:
IP address spoofing (connections cannot be reset properly)
TCP spoofing (session replay and hijacking)
The reason for these weaknesses is that the router cannot track TCP state. If a Neteye firewall is placed on the intranet between the clients and the router, these vulnerabilities can be eliminated entirely, because the Neteye firewall tracks TCP state and can generate random TCP sequence numbers. At the same time, the Neteye Firewall's one-time-password client authentication function enforces user-level access control while remaining completely transparent to the application. Its authentication supports the standard RADIUS protocol as well as a local authentication database, can interoperate fully with third-party authentication servers, and can implement role separation.
Although the router's "lock-and-key" feature can authenticate users through dynamic access control lists, it requires the Telnet service on the router: users must first telnet to the router, which is inconvenient to use and also insecure (the open port creates opportunities for attackers).
III. The complexity of formulating security policy is different
The default configuration of a router is not secure enough; some advanced configuration is needed to defend against attacks. Security policy is configured mostly from the command line, so formulating security rules is relatively complex and the probability of configuration errors is higher.
The default configuration of the Neteye firewall already defends against all kinds of attacks, so it is secure out of the box. Its security policy is configured through a fully Chinese-language GUI management tool, so policy formulation is user-friendly, configuration is simple and the error rate is low.
IV. The impact on performance is different
Routers are designed to forward packets, not as full-featured firewalls, so packet filtering on a router is computationally expensive and places heavy demands on the router's CPU and memory. Because router hardware is costly, a high-performance router configuration is correspondingly expensive.
The Neteye firewall runs on high-specification hardware (commodity Intel chips: high performance at low cost), and its software is specially optimized for packet filtering: the main modules run in the operating system kernel, the design gives special consideration to security, and its packet-filtering performance is very high.
Because a router performs simple packet filtering, every increase in the number of filtering rules or NAT rules degrades its performance further. The Neteye firewall uses stateful packet filtering, so the number of filtering rules and NAT rules has almost no effect on its performance.
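The two points made in sections II and IV, that a stateless ACL cannot tell a spoofed segment from a legitimate one and that a stateless filter pays for every rule on every packet, can both be seen in a small model. The code below is an added example, not Neteye or Cisco code: a linear-scan ACL in the style of a router stands beside a minimal stateful TCP tracker that consults the rules only when a new SYN arrives and afterwards requires every segment to match a tracked connection in the right state with an in-window sequence number. Only TCP port 1455 comes from the page; the addresses, ports and sequence numbers are constructed for the demo, and the tracker is deliberately simplified (no FIN/RST handling, no randomization of sequence numbers).

```python
# Added example, not Neteye or Cisco code: a stateless ACL beside a minimal stateful
# TCP tracker, run on constructed packets (only TCP 1455 comes from the page).
from collections import namedtuple
from dataclasses import dataclass

SERVER = "10.0.0.5"          # constructed intranet server address
SERVICE_PORT = 1455          # service port named on the page
WINDOW = 65535               # span of sequence numbers accepted as in-window

Rule = namedtuple("Rule", "dst dport action")   # action: "permit" or "deny"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str               # "S", "SA", "A" or "PA"
    seq: int = 0
    ack: int = 0
    length: int = 0          # payload bytes

class StatelessAcl:
    """Router-style ACL: every packet walks the rule list, first match wins."""
    def __init__(self, rules):
        self.rules = rules
        self.rule_checks = 0           # rule comparisons performed so far
    def permit(self, pkt):
        for rule in self.rules:
            self.rule_checks += 1
            if (rule.dst, rule.dport) == (pkt.dst, pkt.dport):
                return rule.action == "permit"
        return False                   # implicit deny at the end of the list

@dataclass
class Conn:
    state: str                         # SYN_SENT -> SYN_RECV -> ESTABLISHED
    client_next: int                   # next sequence number expected from the client
    server_next: int = 0               # sequence number the client must acknowledge

class StatefulFilter:
    """Rules are consulted only for a new SYN; every later segment must belong to a
    tracked connection, be in the right state and carry an in-window sequence number."""
    def __init__(self, rules):
        self.acl = StatelessAcl(rules)
        self.table = {}                # (client, cport, server, sport) -> Conn
    def permit(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:                       # client -> server direction
            c = self.table[fwd]
            if c.state == "SYN_RECV" and pkt.flags == "A" and pkt.ack == c.server_next:
                c.state = "ESTABLISHED"
                return True
            if c.state == "ESTABLISHED" and "A" in pkt.flags \
                    and c.client_next <= pkt.seq < c.client_next + WINDOW:
                c.client_next = pkt.seq + pkt.length
                return True
            return False                            # wrong state or out of window
        if rev in self.table:                       # server -> client direction
            c = self.table[rev]
            if c.state == "SYN_SENT" and pkt.flags == "SA" and pkt.ack == c.client_next:
                c.state, c.server_next = "SYN_RECV", pkt.seq + 1
                return True
            return c.state == "ESTABLISHED" and "A" in pkt.flags
        if pkt.flags == "S" and self.acl.permit(pkt):   # new connection: rules checked once
            self.table[fwd] = Conn("SYN_SENT", pkt.seq + 1)
            return True
        return False                                # no SYN and no state: drop

def handshake(filt, client, cport, client_isn=1000, server_isn=5000):
    """Push a three-way handshake through a filter; returns the three verdicts."""
    pkts = (Packet(client, SERVER, cport, SERVICE_PORT, "S", seq=client_isn),
            Packet(SERVER, client, SERVICE_PORT, cport, "SA", seq=server_isn, ack=client_isn + 1),
            Packet(client, SERVER, cport, SERVICE_PORT, "A", seq=client_isn + 1, ack=server_isn + 1))
    return [filt.permit(p) for p in pkts]

def spoofed_segment_verdicts():
    """The page's two spoofing cases, each as a (stateless, stateful) verdict pair."""
    rules = [Rule(SERVER, SERVICE_PORT, "permit")]
    acl, sf = StatelessAcl(rules), StatefulFilter(rules)
    handshake(sf, "192.0.2.10", 40000)              # legitimate client (constructed address)
    # Forged segment claiming the live client's address and port with a guessed sequence number.
    hijack = Packet("192.0.2.10", SERVER, 40000, SERVICE_PORT, "PA", seq=999_999_999, ack=5001, length=20)
    # Bare ACK from a host that never completed a handshake.
    stray = Packet("203.0.113.7", SERVER, 5555, SERVICE_PORT, "A", seq=1, ack=1)
    return {"hijack": (acl.permit(hijack), sf.permit(hijack)),
            "no_handshake": (acl.permit(stray), sf.permit(stray))}

def rule_checks_per_filter(n_rules, n_data_packets=100):
    """Rule comparisons each filter makes for one connection carrying n_data_packets
    in-window segments; the permit rule is last, so the ACL scans all n_rules per packet."""
    rules = [Rule("10.0.0.%d" % (100 + i), 80, "deny") for i in range(n_rules - 1)]
    rules.append(Rule(SERVER, SERVICE_PORT, "permit"))
    acl, sf = StatelessAcl(rules), StatefulFilter(rules)
    handshake(sf, "192.0.2.20", 40001)
    for i in range(n_data_packets):
        pkt = Packet("192.0.2.20", SERVER, 40001, SERVICE_PORT, "PA", seq=1001 + 100 * i, ack=5001, length=100)
        acl.permit(pkt)
        sf.permit(pkt)
    return acl.rule_checks, sf.acl.rule_checks
```

Calling `spoofed_segment_verdicts()` gives `(True, False)` for both cases: the ACL permits anything addressed to port 1455, while the stateful filter drops the forged segment because its sequence number is outside the tracked window and drops the stray ACK because no handshake ever created state for it. `rule_checks_per_filter(50)` returns `(5000, 50)`: the ACL compares 50 rules for each of 100 data packets, the stateful filter compares them once, for the SYN, and serves every later packet from its connection table, which is the performance behaviour section IV describes.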
V. The audit functions differ greatly in strength
The router itself has no storage medium for logs or events; it can only store logs and events on an external log server (such as syslog or SNMP trap). The router has no audit analysis tools of its own, and its log and event descriptions use a language that is not easy to understand. Its record of security events such as attacks is incomplete, and for many attacks and scans it cannot generate accurate and timely events. This weak audit capability means administrators cannot respond to security incidents promptly and accurately.
The Neteye Firewall has two kinds of log storage: its own hard disk and a separate log server. For both, Neteye provides powerful audit analysis tools, so administrators can easily analyze all kinds of security risks. The Neteye firewall's timely response to security incidents is also reflected in its various alarm methods, including buzzer, SNMP trap, mail and log. The Neteye firewall also has a real-time monitoring function: it can monitor the connections passing through the firewall online and capture packets for analysis, which is convenient for analyzing network operation and troubleshooting network faults.
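What "accurate and timely events for attacks and scans" means in practice is that raw permit/deny records are correlated, not just stored. The code below is an added example, not Neteye's or Cisco's tooling, and the log format is constructed for the demo (the page does not show either vendor's real log syntax): it parses firewall log lines, counts denied attempts per source, and raises a port-scan event at the moment one source has been denied on a threshold number of distinct destination ports within a sliding time window, while counting rather than silently dropping lines that do not parse.

```python
# Added example, not Neteye or Cisco code: parse firewall log lines in a constructed
# format and raise a timely port-scan event from them.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: <ISO timestamp> <PERMIT|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>PERMIT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample: one legitimate client, one host probing several ports, one stray UDP probe.
SAMPLE_LOG = """\
2024-05-01T09:00:00 PERMIT TCP 192.0.2.10:40000 -> 10.0.0.5:1455
2024-05-01T09:00:01 DENY TCP 203.0.113.9:51000 -> 10.0.0.5:21
2024-05-01T09:00:01 DENY TCP 203.0.113.9:51001 -> 10.0.0.5:22
2024-05-01T09:00:02 DENY TCP 203.0.113.9:51002 -> 10.0.0.5:23
2024-05-01T09:00:02 DENY TCP 203.0.113.9:51003 -> 10.0.0.5:25
2024-05-01T09:00:03 DENY TCP 203.0.113.9:51004 -> 10.0.0.5:80
2024-05-01T09:00:03 DENY TCP 203.0.113.9:51005 -> 10.0.0.5:443
2024-05-01T09:00:04 PERMIT TCP 203.0.113.9:51006 -> 10.0.0.5:1455
2024-05-01T09:05:00 DENY UDP 198.51.100.4:5000 -> 10.0.0.5:161
2024-05-01T09:00:05 garbage line that does not parse
"""

def parse_log(text):
    """Return (events, unparsed_count); timestamps become datetime, ports become int."""
    events, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # count rather than silently drop malformed lines
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events, unparsed

def deny_summary(events):
    """Denied connection attempts per source address."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "DENY":
            counts[e["src"]] += 1
    return dict(counts)

def detect_port_scans(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per source whose denied attempts hit >= threshold distinct destination
    ports within a sliding window; 'at' is the timestamp at which the threshold was crossed."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1         # slide the window forward past stale events
            ports = {x["dport"] for x in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"src": src, "at": e["ts"].isoformat(), "ports": sorted(ports)})
                break              # raise once, as soon as the threshold is crossed
    return alerts

if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    print("parsed", len(events), "events,", bad, "unparseable line(s)")
    print("denies per source:", deny_summary(events))
    for a in detect_port_scans(events):
        print("PORT SCAN from %s at %s, ports %s" % (a["src"], a["at"], a["ports"]))
```

On the sample, the scan alert for 203.0.113.9 fires at 09:00:03, on the fifth distinct port, rather than after the fact, and the single UDP probe from 198.51.100.4 stays below the threshold and appears only in the per-source deny count. The same structure applies to any log source once the regular expression is adapted to its real format.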
VI. The ability to prevent attacks is different
Ordinary versions of Cisco routers have no application-layer protection and no real-time intrusion detection. To obtain these functions the IOS must be upgraded to the firewall feature set, which not only incurs a software upgrade cost but, because these functions require heavy computation, also requires a hardware upgrade, increasing the cost further. Many manufacturers' routers do not offer such advanced security features at all. It follows that:
Cost: router with firewall features > firewall + router
Features: router with firewall features < firewall + router
Scalability: router with firewall features < firewall + router
In summary: whether the user's network topology is simple or complex, and whether the user's applications are demanding or not, does not decide whether a standard firewall is needed. The fundamental condition that determines whether a user needs a firewall is the user's network security requirements.
Even if the user's network topology and applications are very simple, a firewall is still necessary; if the user's environment and applications are more complex, a firewall brings even more benefits. The firewall will be an integral part of network construction: in a typical network, the router is the first gateway protecting the intranet, and the firewall is the second and most stringent one.