(i) Introduction to the firewall
A firewall is a security component that protects an internal network or host by isolating the internal network from the external network or the Internet. A simple firewall can be implemented with the ACL (access control list) of a router or Layer 3 switch, or with a single host or even a subnet. More demanding requirements are met by purchasing a dedicated hardware firewall or a software firewall.
The functions of a firewall are:
1. Filter out unsafe services and illegal users.
2. Control access to special sites.
3. Provide a convenient point at which to monitor Internet security and raise alerts.
Firewalls are not a cure-all; there are several threats against which a firewall is powerless:
1. A firewall cannot prevent attacks that bypass it. For example, firewalls do not restrict connections from the internal network to the external network, so an internal user may form a direct connection to the Internet that bypasses the firewall and creates a potential backdoor. A malicious external user can then connect directly to that internal user's machine and, using it as a stepping stone, launch an unrestricted attack that bypasses the firewall.
2. A firewall is not an antivirus gateway; it cannot intercept viruses carried in data transmitted between networks.
3. A firewall is also powerless against data-driven attacks.
Therefore we cannot rely too heavily on firewalls. Network security is a whole, not one outstanding configuration; it follows the "cask principle" (a barrel holds only as much water as its shortest stave allows).
Firewalls in general have the following characteristics:
1. Broad service support: dynamic, application-level filtering combined with authentication supports WWW browsers, HTTP servers, FTP.
2. Encryption support for private data: ensures that virtual private networks and business activities carried over the Internet are not compromised.
3. Client authentication, so that only designated users may access the internal network or selected services: an additional layer of security for communications between the local network and branch offices, business partners and mobile users.
4. Anti-spoofing: spoofing is a common means of gaining access to a network from outside; it makes a packet appear to come from inside the network. A firewall can monitor such packets and discard them.
5. C/S (client/server) mode and cross-platform support: a management module running on one platform can control a monitoring module running on another platform.
Let's take a look at how a traditional firewall works and at its pros and cons:
1. How the (traditional) packet filtering firewall works
Packet filtering is implemented at the IP layer, so it can be done with nothing more than a router. A packet filter decides whether a packet may pass based on header information such as the source IP address, destination IP address, source port, destination port and the direction of delivery, and it filters on user-defined criteria such as an IP address. Its working principle is that the system checks packets at the network layer; it has nothing to do with the application layer. Packet filtering is very widely used because the CPU time spent on it is negligible and it is transparent to users: legitimate users going in and out of the network do not notice that it exists, so it is easy to use, gives the system good throughput and is easy to extend. However, this type of firewall is not very secure, because the system has no view of application-layer information: it does not understand the content of the communication, cannot filter at the user level (that is, it does not distinguish between different users) and cannot prevent IP address theft. If an attacker sets the IP address of their host to that of a legitimate host, they pass through the packet filter easily, so such systems are more readily compromised. Based on this working mechanism, the packet filtering firewall has the following defects:
Communication information: a packet filtering firewall can only access some of the header information of a packet.
Communication and application state information: packet filtering firewalls are stateless, so they cannot retain state information about connections and applications.
Information processing: the ability of a packet filtering firewall to process messages is limited.
For example, consider the Unicode attack against the Microsoft IIS vulnerability. The attack arrives on port 80, which the firewall allows, and a packet filtering firewall cannot inspect the contents of the packet, so in this situation the firewall is effectively fictitious: a system that provides a Web service without the corresponding patch is easily taken over by an attacker, who obtains superuser privileges even though the system sits behind the firewall.
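To make the header-only decision and its blind spots concrete, here is an added example (not code from the original article) of a minimal stateless packet filter in Python. The rule set, addresses and packets are all constructed for illustration: an internal network 10.0.0.0/24 with a server at 10.0.0.5 that exposes a web service to everyone and an admin service only to internal addresses. It shows that two packets with the same header get the same verdict whatever their payload, that an address-only rule is fooled by a spoofed internal source address, and how an anti-spoofing rule placed first (the mitigation the page mentions) closes that gap.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    src: str = "0.0.0.0/0"       # source network (CIDR)
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        # Only header fields are consulted; pkt["payload"] is never read.
        return (self.direction in ("any", pkt["direction"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

# Constructed policy: internal network 10.0.0.0/24, server 10.0.0.5.
RULES = [
    Rule("allow", "in", dst="10.0.0.5/32", dport=80),                      # public web
    Rule("allow", "any", src="10.0.0.0/24", dst="10.0.0.5/32", dport=22),  # admin, internal only
    Rule("allow", "out", src="10.0.0.0/24"),                               # internal hosts go out
    Rule("deny", "any"),                                                   # default deny
]
# Same policy with an anti-spoofing rule first: a packet arriving from outside
# ("in") can never legitimately carry an internal source address.
RULES_ANTISPOOF = [Rule("deny", "in", src="10.0.0.0/24")] + RULES

def filter_packet(pkt: dict, rules=RULES) -> str:
    """First matching rule decides, ACL style; no connection state is kept."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def verdicts() -> dict:
    """Constructed packets showing what a header-only filter can and cannot see."""
    web = {"direction": "in", "src": "198.51.100.7", "dst": "10.0.0.5",
           "sport": 40001, "dport": 80, "payload": "GET /index.html HTTP/1.0"}
    hostile = dict(web, payload="GET /<constructed hostile request> HTTP/1.0")
    spoofed = {"direction": "in", "src": "10.0.0.9", "dst": "10.0.0.5",
               "sport": 40002, "dport": 22, "payload": ""}
    return {
        "web": filter_packet(web),                  # allowed
        "hostile": filter_packet(hostile),          # also allowed: same header, content unseen
        "spoofed": filter_packet(spoofed),          # allowed: address-only rule is fooled
        "spoofed_antispoof": filter_packet(spoofed, RULES_ANTISPOOF),  # denied
    }
```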
These shortcomings of the packet filtering firewall can be addressed at the application layer. Let's take a look at the application layer gateway next.