Basic knowledge: Firewall transparent mode and transparent proxy

With the development of firewall technology, firewall with high security, simple operation, and user-friendly has gradually become a hot spot in the market. In this case, the transparent mode and transparent proxy that can greatly simplify firewall settings and improve security performance become an important indicator to measure product performance. As a result, many vendors often introduce their products to achieve a transparent mode and transparent proxy. So what is transparent mode and transparent proxy? What is the relationship between them? The following is a detailed analysis.

Transparent mode, as the name implies, is the first feature of Transparent to users, that is, users do not realize the existence of the firewall. To implement the transparent mode, the firewall must work without an IP address. You do not need to set an IP address for the firewall, nor do you know the IP address of the firewall. As a physical device, a firewall also acts as a route. Therefore, when you install a firewall for a user, you need to consider how to modify the original network topology or modify the route table of the connected firewall to meet your actual needs, which increases the complexity and difficulty of your work. However, if the firewall adopts the transparent mode, that is, it runs in the IP-free mode, and you do not have to reset or modify the route, the firewall can be directly installed and placed in the network for use, you do not need to set IP addresses like vswitches.

A transparent firewall is like a bridge (a non-transparent firewall is like a router), network devices (including hosts, routers, workstations, etc.), and all computer settings (including IP addresses and gateways) no need to change. At the same time, parsing all data packets passing through it not only increases the security of the network, but also reduces the complexity of user management.

In contrast to the transparent mode, the transparent proxy is similar to the traditional proxy in terms of naming. Like the traditional proxy, it can filter data information more deeply than the package, such as The port command of the FTP package. At the same time, it is also a very fast proxy, physically separating connections, which can provide more complex protocol needs, such as H.323 with dynamic port allocation, or a connection with different command ports and Data ports. Such communication cannot be completed by packet filtering.

The firewall uses transparent proxy technology. These proxy services are also transparent to users. Users can complete internal and external network communication without being aware of the existence of the firewall. When an internal user needs to use a transparent proxy to access external resources, the proxy server will establish a transparent channel so that the user can directly communicate with the outside world, this greatly facilitates your use.

Generally, when using a Proxy server, each user needs to specify the Proxy in the client program and set the Proxy parameters by themselves (for example, there are special settings in the browser to specify the Proxy for HTTP or FTP ). The transparent proxy service allows you to use the proxy server without any configuration, which simplifies the network setting process.

The principle of transparent proxy is as follows: assume A is an internal network client, B is an external network server, and C is A firewall. When A has A connection request to B, the TCP connection request is intercepted and monitored by the firewall. After the interception, when the connection requires A proxy server, A and C will first establish A connection, and then the firewall will establish A connection between the proxy service channel and the target B, the proxy server is used to establish A data transmission path between A and B. From the user's perspective, the connection between A and B is direct, but in fact, A establishes A connection through Proxy Server C and B. If B has A connection request to A, the principle is the same. Because these connection processes are automatic, the client does not need to manually configure the proxy server, or even the user does not know the existence of the proxy server, it is transparent to the user.

The proxy server can convert internal and external addresses to block the details of the internal network, so that illegal elements cannot find the internal structure. The proxy server provides special filter commands to Prevent Users From Using Insecure commands that may easily cause attacks and fundamentally defend against attacks.

The firewall uses the transparent proxy technology, which also prevents Firewall Service ports from being detected, and thus cannot attack the firewall, greatly improving the security and anti-Attack of the firewall. Transparent proxy avoids possible errors during configuration or use, reduces the inherent security risks and Error Probability during use of the firewall, and facilitates user use.

Therefore, both transparent proxy and transparent mode can simplify firewall settings and improve system security. However, there is also an essential difference between the two: a firewall working in the transparent mode uses the transparent proxy technology, but the transparent proxy is not the whole of the transparent mode, the firewall can also use transparent proxy in non-transparent mode. It is worth noting that although many Firewall Products in the Chinese market can provide transparent proxy access mechanisms, but there are not many vendors that actually implement the transparent model-many vendors claim that their firewall products have implemented the transparent model, but they often cannot do this in practical applications, it only implements transparent proxy.