The firewall has become a key component of enterprise network construction. Yet many users ask: our network already has a router that can do simple packet filtering, so why add a firewall? The following compares the security aspects of the Neteye firewall and the most representative router in the industry, the Cisco router, to explain why a firewall is still needed when the user's network already has a router.
I. The background to the emergence and existence of the two kinds of equipment is different
1. The two kinds of equipment have different origins
Routers arose from the need to route network packets. What a router has to do is route packets between different networks efficiently; why a packet is routed, whether it should be routed, and whether there is a problem after it has been routed are not its concern. Its concern is whether packets from different network segments can be routed so that the segments communicate.
Firewalls are the result of people's need for security. Whether a packet arrives correctly, when it arrives and in which direction are not the focus of a firewall; the focus is whether this packet (or series of packets) should be allowed through at all, and whether passing it will harm the network.
2. The fundamental purpose is different
The fundamental purpose of a router is to keep the network and its data flowing: to get packets "through".
The fundamental purpose of a firewall is to ensure that any packet that is not allowed does "not" get through.
II. Differences in core technology
The core of the Cisco router is the ACL, which is based on simple (stateless) packet filtering. From the perspective of firewall technology, the Neteye firewall is based on stateful packet filtering combined with application-level information flow filtering.
The following figure shows one of the simplest applications: a host on the intranet provides a service through the router (assume the service port is TCP 1455). To ensure security, the router must be configured on the outside interface to permit only the client's access to the server's TCP port 1455 and to reject everything else.
With this configuration, the security vulnerabilities are as follows:
1. IP address spoofing (so that the connection is abnormally reset)
2. TCP spoofing (session replay and hijacking)
The reason for these weaknesses is that the router cannot track TCP state. If the Neteye firewall is placed between the client and the intranet router, these vulnerabilities can be eliminated completely, because the Neteye firewall can track TCP state and can randomize TCP sequence numbers. At the same time, the Neteye firewall's one-time-password client authentication function implements access control for users in a way that is completely transparent to the application; its authentication supports the standard RADIUS protocol and a local authentication database, can interoperate fully with third-party authentication servers, and can implement role separation.
Although the router's "lock-and-key" function can authenticate users through dynamic access control lists, this feature requires the router to provide a Telnet service: the user must first telnet to the router, which is not very convenient and not secure enough (the open port creates an opportunity for attackers).
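As an added illustration of the point above (not code from the article or from Neteye), the constructed Python trace below runs the same TCP segments through a router-style stateless ACL and a minimal stateful tracker for the TCP 1455 service; the client and server addresses and all sequence numbers are assumptions.

```python
from collections import namedtuple

# Constructed addresses for the scenario above: one permitted outside client
# and one intranet server that may only be reached on TCP 1455.
CLIENT, SERVER, PORT = "192.0.2.10", "10.0.0.5", 1455
# flags: "S" SYN, "A" ACK, "PA" data, "R" RST; seq: sequence number; payload: length
Pkt = namedtuple("Pkt", "src sport dst dport flags seq payload", defaults=(0,))

def stateless_acl(p):
    """Router-style ACL: permit tcp host CLIENT host SERVER eq 1455, deny the rest.
    Each packet is judged on its header alone, with no memory of earlier packets."""
    return p.src == CLIENT and p.dst == SERVER and p.dport == PORT

class StatefulFilter:
    """Firewall-style filter: only a SYN that passes the ACL opens a connection entry;
    later segments must match an entry and carry the expected sequence number."""
    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> next expected seq
    def admit(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            if not stateless_acl(p) or key in self.table:
                return False
            self.table[key] = p.seq + 1  # the SYN consumes one sequence number
            return True
        expected = self.table.get(key)
        if expected is None or p.seq != expected:
            return False  # no tracked connection, or sequence number out of place
        if p.flags == "R":
            del self.table[key]  # a RST at the right point legitimately closes the flow
        else:
            self.table[key] = expected + p.payload
        return True

def run_trace():
    """Constructed trace; returns (acl_decision, stateful_decision) per segment."""
    trace = [
        Pkt(CLIENT, 40001, SERVER, PORT, "S", 1000),       # handshake opens
        Pkt(CLIENT, 40001, SERVER, PORT, "A", 1001),       # handshake completes
        Pkt(CLIENT, 40001, SERVER, PORT, "R", 7000),       # RST with forged src, guessed seq
        Pkt(CLIENT, 40001, SERVER, PORT, "PA", 1001, 16),  # genuine data
        Pkt(CLIENT, 40001, SERVER, PORT, "PA", 2500, 8),   # injected data, wrong seq
        Pkt("203.0.113.7", 5555, SERVER, PORT, "A", 1),    # unrelated host, never sent SYN
    ]
    fw = StatefulFilter()
    return [(stateless_acl(p), fw.admit(p)) for p in trace]
```

A real stateful filter accepts sequence numbers anywhere inside the receive window and tracks both directions of the flow; exact matching is used here only to keep the contrast with the ACL visible.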
III. The complexity of formulating security policy is different
The default configuration of a router is not sufficient for security; some advanced configuration is needed to prevent certain attacks. Security policy is mostly configured on the command line, so formulating security rules is relatively complex and the probability of configuration error is higher.
The default configuration of the Neteye firewall can already prevent various attacks. Its security policy is managed through an all-Chinese GUI tool, so formulating policy is user-friendly, configuration is simple and the error rate is low.
IV. The impact on performance is different
Routers are designed to forward packets, not specifically as full-featured firewalls, so packet filtering demands a great deal of computation from them and places heavy demands on the router's CPU and memory; and because router hardware is expensive, a high-performance hardware configuration costs comparatively more.
The Neteye firewall's hardware configuration is very high (it uses common Intel chips, so performance is high and cost is low), its software is specially optimized for packet filtering, its main modules run in operating-system kernel mode, and security issues were given special consideration in its design, so its packet-filtering performance is very high.
Because a router does simple packet filtering, as the number of packet-filter rules and NAT rules grows, the impact on router performance grows with it; the Neteye firewall uses stateful packet filtering, so the number of filter rules and NAT rules has close to zero effect on its performance.
V. The audit functions differ greatly in strength
The router itself has no storage medium for logs and events; it can only store logs and events by using an external log server (e.g. syslog, SNMP traps). The router itself has no audit analysis tools, its logs and event descriptions use a language that is not easy to understand, and its recognition of attacks and the like is incomplete, so many attacks and scans cannot produce accurate and timely events. This weak audit function means administrators cannot respond to security incidents in a timely and accurate way.
The Neteye firewall has two types of log storage media: its own hard disk and a separate log server. For both, it provides powerful audit analysis tools that let administrators easily analyze various security risks. The timeliness of the Neteye firewall's response to security events is also reflected in its various alarm methods, including buzzer, trap, mail and log. The Neteye firewall also has real-time monitoring functions: it can monitor the connections passing through the firewall online and can capture packets for analysis, including analysis of the network's operation, which is convenient for troubleshooting network faults.
VI. The ability to prevent attacks is different
As for routers such as Cisco's, the ordinary version has no application-layer prevention function and no real-time intrusion detection; to have these functions, the IOS must be upgraded to the firewall feature set. This means not only paying for the software upgrade but also, because these functions all require a large amount of computation, upgrading the hardware configuration, which further increases the cost; and many router manufacturers do not have such advanced security features at all. It can be concluded that:
• Cost: router with firewall features > firewall + router
• Features: router with firewall features < firewall + router
• Scalability: router with firewall features < firewall + router
To sum up, the conclusion is: whether the user's network topology is simple or complex, and whether the user's applications are easy or difficult, does not determine whether a standard firewall should be used. The fundamental condition that determines whether a user uses a firewall is the user's network security needs!
Even if the user's network topology and applications are very simple, using a firewall is still necessary; if the user's environment and applications are more complex, the firewall brings even more benefits and becomes an integral part of network construction. In a typical network, the router is the first gateway protecting the intranet, and the firewall is the second and most stringent.