Disadvantages of traditional network firewalls

Source: Internet
Author: User
Tags: firewall

Network firewalls play an important role in security protection, but their deficiencies must also be understood.

Today, knowledgeable attackers use the ports a network firewall leaves open to slip past its monitoring and go straight for the application behind it. They have developed sophisticated attack methods that bypass the traditional network firewall altogether. According to statistics cited by experts, about 70% of current attacks occur at the application layer rather than the network layer, and against this kind of attack the protection a traditional network firewall offers is far from ideal.

Traditional network firewalls have the following deficiencies:

1. Unable to inspect encrypted web traffic

If you are deploying a portal and want every network-layer and application-layer vulnerability shielded in front of the application, that requirement is a serious problem for a traditional network firewall.

A network firewall cannot see the data inside an SSL/TLS stream. Unless it terminates the session itself, it has no way to decrypt the stream and inspect its content, so it cannot stop attacks carried inside it; some network firewalls offer no decryption capability at all. What remains visible to it is only the metadata of the encrypted connection (addresses, ports, and the handshake), which is not enough to recognise an attack in the request body.
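The following Python script is an added example, not code from the original article, showing why a payload-inspecting firewall goes blind on an encrypted stream. It uses a SHA-256 counter-mode keystream as a stand-in for the TLS record cipher (it is not TLS), a constructed HTTP request carrying an SQL injection probe, and a constructed signature list; all names, the session key and the request are assumptions for illustration.

```python
import hashlib
import itertools

# Constructed attack signatures such as a payload-inspecting firewall might carry.
SIGNATURES = [b"' OR 1=1", b"<script>", b"../../etc/passwd"]


def find_signature(payload: bytes):
    """Return the first signature found in the raw bytes, or None."""
    for sig in SIGNATURES:
        if sig in payload:
            return sig
    return None


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for the TLS record cipher, not TLS itself."""
    out = bytearray()
    for counter in itertools.count():
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (symmetric, so the same call decrypts)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt

SESSION_KEY = b"constructed-session-key"  # assumed: negotiated between client and server

# Constructed HTTP request carrying an SQL injection probe in the query string.
REQUEST = (b"GET /login?user=admin' OR 1=1--&pw=x HTTP/1.1\r\n"
           b"Host: shop.example\r\n\r\n")


def inspect_plaintext_http():
    """Firewall on the wire sees cleartext HTTP: the signature matches."""
    return find_signature(REQUEST)


def inspect_tls_on_wire():
    """Same request inside an encrypted record: the firewall sees only ciphertext."""
    record = encrypt(SESSION_KEY, REQUEST)
    return find_signature(record)


def inspect_after_termination():
    """A TLS-terminating proxy that holds the session key decrypts first, then inspects."""
    record = encrypt(SESSION_KEY, REQUEST)
    return find_signature(decrypt(SESSION_KEY, record))


if __name__ == "__main__":
    print("cleartext HTTP       :", inspect_plaintext_http())
    print("TLS on the wire      :", inspect_tls_on_wire())
    print("after TLS termination:", inspect_after_termination())
```

The only position that catches the probe is the one that holds the key, which is exactly what a traditional firewall sitting between client and server does not have; the operational cost is that decrypting in the middle means the inspection device now holds the server's private key or acts as a trusted man-in-the-middle, and that design decision belongs in the threat model.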

2. Ordinary application-level encoding easily evades firewall detection

SSL-encrypted data is not the only thing a network firewall cannot see; data that the application itself has encoded or obfuscated is equally opaque to it. Most network firewalls today rely on a static signature library, on the same principle as an intrusion detection system (IDS): the firewall recognises and blocks an attack only when the application-layer attack traffic exactly matches a signature already in its database.

With common encoding techniques, however, malicious code and other attack commands can be hidden and transformed into a form that deceives the front-end network security device while still being understood by the backend server. As long as the encoded attack differs from the rules in the firewall's signature library, it evades the firewall and feature matching fails.

3. Inadequate protection for Web applications

The network firewall was invented in 1990, and the commercial Web server followed a year later. A firewall based on stateful inspection works at the network and transport layers: it builds and enforces access control lists (ACLs) keyed on IP addresses and TCP ports and tracks the state of each connection. At this job the network firewall performs very well.

In recent years HTTP has become the main carrier protocol in practice. Mainstream platform vendors and large application vendors have shifted to web-based architectures, and the target of protection is no longer just critical business data. The scope a network firewall must protect has changed.

For ordinary enterprise LAN protection the common network firewall still holds a high market share and continues to play an important role, but against the newer upper-layer protocols and formats such as XML and SOAP it appears rather powerless.

For architectural reasons, even the most advanced network firewall cannot intercept application-level attacks when defending a Web application, because it has no full control over the network, the application, and the data flows between them. Lacking complete session-level visibility into the application data stream as a whole, it can hardly prevent new, unknown attacks.
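To make the architectural point concrete, the script below is an added example (not the article's own code) of a minimal stateful firewall: it admits new connections by a 5-tuple ACL, tracks established sessions, and never reads a payload. A SOAP request carrying an injection probe rides the permitted 443 session untouched while a stray SYN to port 22 and an unsolicited SYN-ACK are dropped. The addresses are from the documentation ranges, and the rule set, packet model and SOAP body are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""


# Constructed policy: the web server at 203.0.113.10 is reachable on 80/443 from anywhere;
# everything not matched here is denied.
RULES = [
    ("0.0.0.0/0", "203.0.113.10/32", 443, "allow"),
    ("0.0.0.0/0", "203.0.113.10/32", 80, "allow"),
]


class StatefulFirewall:
    """Stateful inspection: ACL decision on new sessions, 4-tuple tracking afterwards."""

    def __init__(self):
        self.connections = set()   # (src, sport, dst, dport) of permitted sessions

    def _acl_allows(self, pkt: Packet) -> bool:
        for src_net, dst_net, dport, action in RULES:
            if (ip_address(pkt.src) in ip_network(src_net)
                    and ip_address(pkt.dst) in ip_network(dst_net)
                    and pkt.dport == dport):
                return action == "allow"
        return False

    def filter(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.connections or reverse in self.connections:
            return "allow"     # part of a tracked session; pkt.payload is never examined
        if pkt.flags == "S" and self._acl_allows(pkt):
            self.connections.add(forward)   # new session permitted by the ACL
            return "allow"
        return "drop"          # unsolicited, or not permitted by the ACL


CLIENT, SERVER, INTRUDER = "198.51.100.7", "203.0.113.10", "203.0.113.99"

# Constructed SOAP request with an injection probe inside the XML body.
SOAP_ATTACK = (b"POST /api HTTP/1.1\r\nHost: 203.0.113.10\r\nContent-Type: text/xml\r\n\r\n"
               b"<soap:Envelope><soap:Body><getUser><id>1' OR 1=1--</id>"
               b"</getUser></soap:Body></soap:Envelope>")


def run_scenario():
    """Feed a handshake, an application-layer attack and two illegitimate packets through the firewall."""
    fw = StatefulFirewall()
    steps = [
        ("client SYN to 443",       Packet(CLIENT, 51000, SERVER, 443, "S")),
        ("server SYN-ACK back",     Packet(SERVER, 443, CLIENT, 51000, "SA")),
        ("client ACK",              Packet(CLIENT, 51000, SERVER, 443, "A")),
        ("SOAP injection over 443", Packet(CLIENT, 51000, SERVER, 443, "PA", SOAP_ATTACK)),
        ("client SYN to 22",        Packet(CLIENT, 51001, SERVER, 22, "S")),
        ("unsolicited SYN-ACK",     Packet(INTRUDER, 443, CLIENT, 51000, "SA")),
    ]
    return {name: fw.filter(pkt) for name, pkt in steps}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24s} -> {verdict}")
```

The verdicts are exactly what the text claims: the firewall does its layer-3/4 job correctly (the stray SYN and the spoofed reply are dropped), yet the attack is indistinguishable from a legitimate request because nothing in the decision path looks at the HTTP or XML content. Stopping it requires a component that parses the application protocol, which is what a web application firewall or an XML gateway adds in front of the server.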
