I. The concept of a firewall
In recent years, as the number of ordinary computer users has grown, the word "firewall" has stopped being something only server administrators talk about; most home users know to install some kind of "firewall" software on their beloved machine. Not all of them understand what a firewall is, though, and some even believe that "firewall" is simply the name of a particular program...
So what is a firewall, where does it sit, and what role does it play? History books tell us that in ancient times, when buildings were wooden, people surrounded their houses with solid stone barriers to stop a fire from starting and spreading; this protective structure was called a "firewall". With the development of computers and networks, all sorts of attack and intrusion techniques appeared, and to protect computers people developed a technology that prevents direct, unmediated communication between machines; because its function resembles the ancient structure, it borrowed the name "firewall". In professional terms, a firewall is a set of components placed between two or more networks that enforces access control between them. For an ordinary user, the "firewall" is the defensive system placed between their own computer and the external network: every piece of data sent from the network to the computer must first pass the firewall's judgement before it is handed to the computer, and once harmful data is found the firewall intercepts it, thereby protecting the machine.
Since its birth, firewall technology has never stopped developing, and firewalls of many different structures and functions have been built into a line of defensive levees for the network.
II. Classification of firewalls
Nothing in the world comes in only one form, and firewalls are no exception: to deal more efficiently with the various attacks on a network, several defensive structures have evolved. By physical form, firewalls fall into two categories, hardware firewalls and software firewalls. A software firewall is a special program installed either on a gateway server that handles traffic between the internal and external networks or on a stand-alone personal computer. It exists in logical form: the firewall program starts with the system and, by running a special driver module at ring 0, inserts its defensive mechanism between the system's processing components and the network interface device driver, forming a logical line of defense.
Before a software firewall is installed, the channel between the system and the network interface device is direct: the network interface device faithfully passes every message arriving from the network to the system for processing through the Network Driver Interface Specification (NDIS). For example, if a computer receives a packet requesting a list of all the shared resources on the machine, NDIS hands this message straight to the system, the system processes it and returns the corresponding data, and in some cases that leaks information. With a software firewall in place, NDIS still receives the data intact, but a layer of defense has been inserted into the channel that submits it to the system; every packet passing through this mechanism is processed according to a set of rules, only data the firewall considers safe reaches the system, and the rest is discarded. Because there is a rule saying "listing shared resources is risky", the share-listing message is dropped at the firewall's discretion; the system never receives it, behaves as if nothing happened, and leaks nothing.
A software firewall works between the system interface and NDIS, checking the data NDIS delivers, and it achieves a certain degree of security without any hardware change. But because the software firewall is itself a program running on the system, it inevitably consumes part of the CPU's resources to keep working, and because judging the data takes time, on a network carrying heavy traffic a software firewall lowers the efficiency and data throughput of the whole system. Some software firewalls even have flaws that let harmful data bypass their defenses, with a corresponding loss of data security. For these reasons many companies do not consider a software firewall solution as the defensive measure for the corporate network and instead use a tangible hardware firewall.
A hardware firewall is a special device in physical form, usually placed at the junction of two networks, that checks and filters harmful packets directly at the network-equipment level; the network or server behind the firewall receives only data that the firewall has already processed and deemed relatively safe. It does not need to divert any CPU resources to NDIS-based data inspection in a software architecture, which greatly improves working efficiency.
A hardware firewall is generally the device connected between the external network interface and the internal server or enterprise network, and it comes in two different structures. The common kind is the PC-architecture hardware firewall: it has a standard computer hardware platform, a stripped-down UNIX-family operating system and firewall software. This is essentially equivalent to taking a computer and installing a software firewall on it; apart from not having to handle other tasks, it still runs a general-purpose operating system, so it may have vulnerabilities and instability, and its security cannot be the best. The other kind is the so-called "chip-level" hardware firewall, which uses a specially designed hardware platform on which purpose-built software runs rather than a popular operating system, and can therefore offer much better security. Whichever kind it is, the administrator configures its working parameters through a computer connected to it. Because the main function of a hardware firewall is to filter incoming packets and forward them to the network behind it, its own hardware specification matters and comes in grades: although a hardware firewall is generally able to reach a relatively high processing efficiency, on a network with high throughput requirements a low-grade firewall still becomes a bottleneck, so for some large enterprises the chip-level hardware firewall is the first choice.
Some may think that if a PC-architecture firewall is no more than that, buying one is no better than having their own technical staff set up a dedicated computer to run a firewall program. That can be done, but the resulting efficiency is not comparable to a real PC-architecture firewall, because the latter uses a specially modified system and a matching firewall program that are integrated much more tightly than a general computer system with a software firewall. And because the nature of its work demands very high stability, practicality and system throughput, these requirements cannot simply be met by a computer fitted with several network cards; that is why a PC-architecture firewall, though similar in configuration to a computer, differs greatly from one in price.
In reality we often find that not every enterprise has a chip-level hardware firewall; many rely on a PC-architecture firewall or even the home-built alternative just described. Why? Probably because of the most obvious drawback of hardware firewalls: they are too expensive! A PC-architecture firewall costs at least several thousand yuan, and a high-grade chip-level firewall solution costs more than 100,000 yuan, prices that small enterprises cannot bear. For the average home user, their own data and system security does not call for dedicated hardware to protect it; what a firewall would cost could buy a much better computer instead. For the majority of users, installing a good software firewall is enough.
There are many ways to classify firewalls. Besides the division by form into software and hardware firewalls, they can be divided by technique into "packet filtering", "application proxy" and "stateful inspection"; by structure into single-host firewalls, router-integrated firewalls and distributed firewalls; by working position into border firewalls, personal firewalls and hybrid firewalls; and by performance into 100-megabit and gigabit firewalls... The variety looks bewildering, but it arises only because the industry classifies along different axes; a single hardware firewall might be described as a "gigabit stateful-inspection border firewall" on account of its structure, throughput and working position. This article therefore concentrates on the technical classification: packet filtering, application proxy and stateful inspection firewall technology.
What, then, do "border firewall" and "single-host firewall" mean? The "border" is the interface between two networks, and a firewall working there is called a border firewall. Its counterpart is the "personal firewall", usually software-based, which handles the data of only one computer rather than of a whole network; the software firewalls common among home users today belong to this class. A "single-host firewall" is the most common form of hardware firewall. Some manufacturers, to save cost, embed the firewall function directly in a routing device, producing a router-integrated firewall...
III. Firewall technology
Traditional firewall technology falls into three categories: "packet filtering", "application proxy" and "stateful inspection". However complex a firewall's implementation may be, in the end its functions are extensions built on these three techniques.
1. Packet Filtering Technology
Packet filtering is one of the earliest firewall techniques. Its first-generation model is "static packet filtering"; firewalls using it typically work at the network layer of the OSI model, and the later "dynamic packet filtering" added the transport layer. In short, packet filtering sits at the points where the various TCP/IP protocols receive packets and takes these two layers as its object of inspection: it analyses the header of each packet (protocol, addresses, ports, type and so on), compares it with the preset filtering rules, and when one or more parts of a packet match a rule whose condition is "block", the packet is discarded. Properly set rules make the firewall work safely and effectively, but the technique can only judge by the rules it was given: as soon as a malicious packet arrives that the rule designer did not anticipate, the protection of the whole firewall is merely decorative. One might suggest letting users add their own rules, but remember that ordinary computer users are the ones to consider, and not everyone understands network protocols; if the firewall tool has a gap in its filtering, such users can only wait to be broken into. Some companies periodically push updated filtering rules over the network. That is convenient for some home users, but not necessarily good for more professional ones, who may have set up and adjusted rules to suit their own environment; if a local rule happens to conflict with an upgraded one, the user is left frustrated, and if two rules conflict, which one should the firewall obey, and will it not simply crash on the spot?
Perhaps for these reasons I have not seen many products that offer a rule-update function; this cannot be compared with the signature-database upgrades of antivirus software. To have the fish and the bear's paw at once, packet filtering was improved into "dynamic packet filtering" (the "stateful packet filtering firewalls" on the market, meaning state-based packet filtering, are actually the same type). Compared with its predecessor, dynamic packet filtering keeps the original static filtering technique and rules, but additionally tracks the transmission of messages on connections that have already been successfully established with the computer and judges whether the packets sent on that connection pose a threat to the system. Once its judgement mechanism is triggered, the firewall automatically generates new temporary filtering rules or modifies existing ones to stop the harmful transmission from continuing. Because dynamic packet filtering spends extra resources and time extracting packet content for judgement, it is less efficient than static packet filtering, but static packet filtering has almost left the market, and most of what we can choose from are dynamic packet filtering firewalls.
The shortcomings of a packet-filtering firewall are significant: everything it does rests on enforcing its filtering rules, yet it cannot satisfy the demand for fine-grained rules (the number of rules is inversely proportional to firewall performance), and since it works only at the network and transport layers it cannot tell whether data carried in higher-level protocols is harmful. But because it is cheap and easy to implement, it still serves in many fields, working for us under the frequent adjustments of technicians.
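As an added illustration of static packet filtering (this is example code written for this article, not code from any firewall product), the following Python models the rule matching described above: rules over protocol, addresses and destination port, first match wins, anything unmatched is blocked, plus a check for the rule-conflict case the section raises, where a later rule can never fire because an earlier one already covers every packet it would match. The addresses, ports and rule set are constructed; the only real-world values are the NetBIOS/SMB ports 139 and 445 used by share listing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter sees (constructed, not captured traffic)."""
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IPv4 address
    sport: int      # source port (0 for icmp)
    dst: str        # destination IPv4 address
    dport: int      # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    """One static filtering rule; a field left as None matches anything."""
    action: str                 # "allow" or "block"
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR prefix, e.g. "203.0.113.0/24"
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        if self.proto is not None and self.proto != other.proto:
            return False
        for mine, theirs in ((self.src, other.src), (self.dst, other.dst)):
            if mine is not None and (
                theirs is None or not ip_network(theirs).subnet_of(ip_network(mine))
            ):
                return False
        if self.dport is not None and self.dport != other.dport:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet no rule mentions is blocked (default deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "block"


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (earlier, later) index pairs where an earlier rule fully covers a later
    one with the opposite action: the later rule can never fire, which is the
    conflicting-rules situation the section asks about."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if earlier.action != later.action and earlier.covers(later):
                found.append((i, j))
    return found


# Constructed policy for a home LAN in the 192.0.2.0/24 documentation range.
LAN = "192.0.2.0/24"
RULES = [
    # Drop inbound requests to the NetBIOS/SMB share-listing ports (139/445).
    Rule("block", proto="tcp", dst=LAN, dport=139),
    Rule("block", proto="tcp", dst=LAN, dport=445),
    # Allow the single web server we deliberately expose.
    Rule("allow", proto="tcp", dst="192.0.2.10/32", dport=80),
    # Everything else falls through to the default deny.
]

# A rule set with a conflict: the broad allow comes first, so the later block never fires.
CONFLICTING = [
    Rule("allow", proto="tcp", dst=LAN),
    Rule("block", proto="tcp", dst=LAN, dport=445),
]

if __name__ == "__main__":
    probe = Packet("tcp", "203.0.113.5", 51000, "192.0.2.10", 445)
    print(filter_packet(RULES, probe))         # block
    print(filter_packet(CONFLICTING, probe))   # allow: the block rule is shadowed
    print(shadowed_rules(CONFLICTING))         # [(0, 1)]
```

The `shadowed_rules` check is the kind of sanity test worth running whenever locally edited rules are merged with a vendor-supplied update: an ordering conflict does not crash the firewall, it silently makes one of the rules dead, which is the worse outcome.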
2. Application Proxy Technology
Because packet filtering cannot provide complete data protection, and some special packet attacks (SYN attacks, ICMP floods and the like) cannot be eliminated by filtering alone, people needed a more comprehensive firewall protection technology, and against that background the "application proxy" firewall was born. Do readers remember the concept of a proxy? A proxy server, as a data-forwarding channel, is widely used on networks either for security or to get around access restrictions. As everyone knows, a complete proxy device contains a server side and a client side: the server side receives the user's request, invokes its own client to open a connection to the target server in place of the user, and then forwards the data the target server returns to the user, completing one proxy cycle. So what if a filter were connected between the server side and the client side of a proxy device? This idea produced the "application proxy" firewall, which is actually a small transparent proxy with data inspection and filtering. But it is not simply packet filtering embedded in a proxy device; it uses a new technology called "application protocol analysis".
Application protocol analysis works at the highest level of the OSI model, the application layer. Everything accessible at this layer is in its final form: the firewall "sees" the same data that we see, rather than raw packet content such as addresses, ports and protocol, and it can therefore perform more advanced inspection. The proxy firewall presents itself as a transparent line: from the point of view of the user and the external line, the connection between them is unobstructed, but the data actually passes through the proxy firewall. When external data enters the proxy firewall's client side, the "application protocol analysis" module processes it according to the application-layer protocol and consults the preset processing rules (yes, rules again; firewalls cannot do without them) to decide whether the data is harmful. Because this layer is no longer a combination of a limited set of message protocols, it can even recognise content such as "get/sql.asp?id=1 and 1", so the firewall judges data not only by the information the data layer provides but also by "seeing" harmful content the way an administrator analysing a server log would. And because it works at the application layer, the firewall can impose restrictions in both directions: while filtering harmful data from the outside network, it also monitors information leaving the internal network, and the administrator can configure authentication and connection-time functions to further close off hidden channels for leaking internal information.
Finally, because a proxy firewall works through the proxy mechanism, communication between the internal and external networks must first pass the proxy server's audit and is then relayed by the proxy server itself; computers on the two sides never get a direct session with each other. This prevents intruders from penetrating the internal network with a "data-driven" attack (a packet that satisfies a packet-filtering firewall's rules but, once the computer processes it, turns into malicious code able to modify system settings and user data). In this respect the "application proxy" is a more complete firewall technology than packet filtering.
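To show what "seeing the same data we see" buys the firewall, here is an added example (written for this article, not taken from any proxy product) of the inspection step on the server side of a transparent HTTP proxy: the request line and headers are parsed, the query string is decoded the way the back-end application would decode it, and each parameter value is checked against a few constructed detection patterns, including the "id=1 and 1" shape the section mentions. The method allowlist, the patterns and the sample requests are all assumptions made for the example; a header-only packet filter has no view of any of this.

```python
import re
from typing import Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Methods this example proxy is willing to forward; anything else is refused.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Constructed detection patterns for the kind of query content the section mentions:
# boolean tautologies ("1 and 1", "1 or 1=1"), UNION-based probes, stacked
# statements and SQL comment openers used to truncate the rest of a statement.
INJECTION_PATTERNS = [
    re.compile(r"\b(and|or)\b\s+\d+(\s*=\s*\d+)?\b", re.IGNORECASE),
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE),
    re.compile(r";\s*(drop|delete|update|insert)\b", re.IGNORECASE),
    re.compile(r"(--|/\*)"),
]


def inspect_http_request(raw: bytes) -> Tuple[str, str]:
    """Judge one HTTP/1.x request head as the proxy's server side receives it.

    Returns ("allow" | "block", reason). The verdict is made on decoded
    application-layer data, which is exactly what a packet filter working on
    addresses and ports never gets to look at.
    """
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return "block", "non-ascii bytes in request head"

    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "block", "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return "block", f"method {method} not permitted"

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return "block", "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        return "block", "missing Host header"

    # parse_qsl removes one layer of percent-encoding; decoding once more catches
    # double-encoded values (%2520 -> %20 -> space) that a naive check would miss.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        for pattern in INJECTION_PATTERNS:
            if pattern.search(decoded):
                return "block", f"suspicious value in parameter {key!r}: {decoded!r}"
    return "allow", "ok"


# Constructed sample requests, not captured traffic.
BENIGN = b"GET /index.html?page=2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
INJECTED = b"GET /sql.asp?id=1%20and%201 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for request in (BENIGN, INJECTED):
        print(request.split(b"\r\n")[0].decode(), "->", inspect_http_request(request))
```

The patterns are deliberately small so the mechanism is visible; a production application proxy carries a full protocol parser per supported protocol and tuned rule sets, which is also where the time cost the next paragraph describes comes from.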
But nothing seems to escape Murphy's law, and the proxy firewall's structure is also its biggest drawback. Because it is based on proxying, every connection through the firewall must have a proxy process created for it, and creating that process takes time; moreover, the proxy process runs a complex protocol-analysis mechanism at the same time, so data passing through a proxy firewall inevitably lags. To put it figuratively, every data connection through a proxy firewall is first invited into the security room for a cup of tea and a search before it may continue its journey, and the guards do not work quickly. The proxy firewall buys more security than a packet-filtering firewall at the price of speed. When network throughput is small the user may not notice anything, but when data is exchanged frequently the proxy firewall becomes the bottleneck of the whole network, and once the firewall's hardware can no longer withstand the traffic, the whole network can be paralysed. Proxy firewalls are therefore used far less widely than packet-filtering firewalls, and among software firewalls one almost never sees such products: a single machine does not offer the conditions proxy technology needs, so in today's huge software-firewall market the proxy firewall can hardly gain a foothold.
3. Stateful Inspection Technology
This is the firewall technology developed after "packet filtering" and "application proxy". It is based on the "dynamic packet filtering" technology that Check Point developed from the packet-filtering principle, and it resembles the "deep packet inspection" technology jointly developed by other vendors. Through a module called the "stateful inspection" engine, a firewall of this kind monitors the various layers of network communication by extracting data from it, without affecting the normal operation of the network, and makes security decisions according to various filtering rules.
Stateful inspection further develops the session filtering feature. On top of retaining each packet's header information (protocol, addresses, ports, type and so on), when a connection is established the firewall builds a session state for it containing all the information about the connection's packets, and thereafter it is this state information, detailed enough to monitor the contents of every packet, that governs the connection: once a session state exists, subsequent data transfer is judged against it. For example, if the source port of a connection's packets is 8000, then for the rest of the transmission the firewall checks whether each packet's source port is still 8000 and intercepts any packet for which it is not. Session state is retained for a limited time: if no further data is transferred within the timeout, the session state is discarded. Stateful inspection can analyse packet content, shedding the weakness of traditional firewalls that inspect only a few header fields, and a firewall of this kind does not have to open multiple ports, which further removes the security risks that come with too many open ports.
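The session-state logic just described, together with the temporary-rule behaviour of dynamic packet filtering from the packet-filtering section, as one added example (written for this article, not code from any vendor's inspection engine): the filter records the 5-tuple of each connection opened from the inside, accepts later packets only if they belong to a known session in either direction, discards sessions that stay idle past a timeout, and, when an outside peer sends to an established inside endpoint from a different source port than the one the session was built with (the port-8000 case above), drops the packet and installs a temporary block rule for that peer. Addresses, timeouts and the traffic sequence are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields the inspection engine keys its state on (constructed)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


FiveTuple = Tuple[str, str, int, str, int]


def _key(p: Packet) -> FiveTuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse(p: Packet) -> FiveTuple:
    """Same session seen from the other direction (reply traffic)."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class StatefulFilter:
    """Session-state firewall for an inside network.

    Sessions are stored as (proto, inside_ip, inside_port, peer_ip, peer_port) with
    the time they were last seen. Only the inside may open a session; unsolicited
    outside packets are dropped, and a peer that talks to an existing session from
    the wrong source port earns a temporary block rule (the dynamic-filtering idea).
    """

    def __init__(self, inside: str, session_timeout: float = 60.0, penalty: float = 300.0):
        self.inside = ip_network(inside)
        self.session_timeout = session_timeout
        self.penalty = penalty
        self.sessions: Dict[FiveTuple, float] = {}   # 5-tuple -> last seen
        self.blocked: Dict[str, float] = {}          # peer address -> block expiry

    def _expire(self, now: float) -> None:
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t < self.session_timeout}
        self.blocked = {a: until for a, until in self.blocked.items() if until > now}

    def process(self, p: Packet, now: float) -> str:
        """Return "allow" or "block" for one packet arriving at time `now` (seconds)."""
        self._expire(now)
        if p.src in self.blocked:
            return "block"                        # temporary rule from an earlier violation
        key, rkey = _key(p), _reverse(p)
        if key in self.sessions:
            self.sessions[key] = now              # known session, inside -> outside
            return "allow"
        if rkey in self.sessions:
            self.sessions[rkey] = now             # known session, reply direction
            return "allow"
        if ip_address(p.src) in self.inside:
            self.sessions[key] = now              # inside host opens a new session
            return "allow"
        # Unsolicited outside packet. If this peer already has a session with the same
        # inside endpoint but is now using a different source port, penalise it.
        for proto, in_ip, in_port, peer_ip, peer_port in self.sessions:
            if (proto == p.proto and peer_ip == p.src and in_ip == p.dst
                    and in_port == p.dport and peer_port != p.sport):
                self.blocked[p.src] = now + self.penalty
                break
        return "block"


def run_scenario() -> List[str]:
    """Constructed traffic sequence; returns the verdict for each packet in order."""
    fw = StatefulFilter("192.0.2.0/24")
    out = Packet("tcp", "192.0.2.10", 40000, "203.0.113.5", 8000)     # inside opens session
    reply = Packet("tcp", "203.0.113.5", 8000, "192.0.2.10", 40000)   # legitimate reply
    wrong = Packet("tcp", "203.0.113.5", 8001, "192.0.2.10", 40000)   # wrong source port
    return [
        fw.process(out, 0.0),      # allow
        fw.process(reply, 1.0),    # allow
        fw.process(wrong, 2.0),    # block, and 203.0.113.5 is now temporarily blocked
        fw.process(reply, 3.0),    # block, temporary rule outranks the matching session
        fw.process(reply, 400.0),  # block, session idle > 60 s, so it is unsolicited again
        fw.process(out, 401.0),    # allow, inside opens a fresh session
    ]


if __name__ == "__main__":
    print(run_scenario())
```

Passing `now` in explicitly rather than reading the clock keeps the state machine deterministic, which is what makes the timeout and penalty-expiry paths testable; a real engine would also bound the size of the session table, since an unbounded one is itself a resource-exhaustion target.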
Because stateful inspection effectively combines packet filtering with application proxying, it is the most advanced of the three, but because its implementation is complex, truly complete and effective data security inspection is not achieved in practice, and it is difficult to design improved defensive measures on this technology for ordinary computer hardware (most software firewalls on the market are actually just packet filtering with a few other new features bolted on).
IV. Technology Outlook
As the key equipment for maintaining network security, the firewall occupies a pivotal position in the network security protection systems currently in use. With the development of computer technology and the spread of network applications, more and more enterprises and individuals run into security problems of varying severity, so the market's demands on firewall equipment and technology keep rising, and increasingly serious network security problems also require firewall technology to improve faster, or it will be helpless against new methods of intrusion.
A multi-functional, highly secure firewall gives users a more worry-free network, but only if network efficiency is preserved, so firewall development must always keep high performance in first place, and the major manufacturers are working in that direction. Rich product functionality is another basis on which users choose a firewall: a complete firewall product should include access control, network address translation, proxying, authentication, log auditing and other basic functions, and should have its own distinctive security-related technology, such as a rule-simplification scheme. How tomorrow's firewall technology will develop, let us wait and see.