The firewall is without doubt the most widely recognized technology in the network security field. According to data provided by CCID, firewalls account for 38.7% of the information security product market this year, slightly ahead of anti-virus products and ranking first. What new ideas and highlights has firewall technology produced over the past year?
Firewall technology has been developing for a long time and is relatively mature, so the basic framework and design ideas of the firewall have changed little in recent years. The adjustments that have been made extend the firewall's basic functions to support new applications. This raises a question when selecting a firewall: every firewall seems to offer similar functions, and even when a vendor adds a new module, its competitors soon have one too. So how should a user choose a suitable firewall product?
Two Ideas About Firewall Development
There are two different opinions in the industry about how firewalls should develop. The first holds that the firewall sits at the most critical point of the network security system, and that the quality of control at this point directly determines the security level of the entire network. The firewall should therefore be powerful and include many functions, such as access control, intrusion detection, VPN, anti-virus, content filtering, server load balancing, and auditing, so that the various security threats can be controlled and eliminated at the network boundary, reducing the chance that a threat penetrates into the network and maximizing the overall security of the system.
Comparison of Two Linkage Modes
The second point of view is that the purpose of network security is to serve network applications. Security and usability are in tension, but a security solution should minimize the impact of security policies on the applications the system runs. Because of the firewall's special position in the network, particular attention should be paid to how its deployment affects network applications. From its original design philosophy and its main role in information security, the firewall provides a logical isolation mechanism between network segments: it separates areas with different trust levels, centrally manages and controls the network security policy and the flow of information, and provides the first line of border protection for the network. It is the gate of the security system and the most important force in network defense. Starting from this original intention, the firewall's ability to process data streams should be improved while its access control role is preserved. This matters all the more as network technology develops and Mbit/s and Gbit/s networks, and faster ones, become commonplace: if the firewall's performance cannot keep pace with network applications, it becomes a bottleneck in the network and will be abandoned by users.
Under this design philosophy, the firewall should focus on improving its own performance and on the stability and reliability of its operation. That means increased research effort on the parameters that characterize it, namely throughput (RFC 2544), frame loss rate (RFC 2544), back-to-back frames (RFC 2544), latency (RFC 2544), the maximum number of concurrent sessions (RFC 2647), the maximum number of policies, the maximum number of sessions, and DES and 3DES performance, and improving these parameters in the firewall system. The firewall's functions should be simple and reliable so that its access control capability operates normally and effectively. Other functions that consume large amounts of device resources, such as intrusion detection, VPN, anti-virus, content filtering, server load balancing, and auditing, should therefore be removed from the firewall; these protection methods can instead be linked to the firewall through a common interface to build a multi-dimensional, hierarchical protection system.
Different Firewalls Suit Different Users
In fact, the two ideas are not contradictory; on the contrary, they share the same basic starting point. Both reflect that information security ideas and the related knowledge have been popularized and accepted by most users, and that users' security awareness is deepening. We often say that security is a dynamic, multi-dimensional, and comprehensive system, and that it is a process. A firewall cannot solve all security problems by itself; other methods must support and supplement it, which is why IDS, VPN, and anti-virus are needed. The arguments that arose during the development of the firewall also show that the idea of security as a system is firmly established in people's minds, even if it is expressed in different ways. The divergence can also be explained by customer orientation: customers differ in how their networks are built, in the applications they run, in their security requirements, and in their security budgets, and these differences lead to different development requirements for the firewall.
The first point of view fits the enterprise application model of small and medium-sized organizations that do not earn their profit through the network. Their demand is for the highest security protection at the minimum investment; it could even be said that they want, for the minimum investment, a packaged solution that both meets their network application needs and secures their network. For this kind of requirement, the best choice is a firewall that bundles the essentials with various security protection measures, covering anti-virus, intrusion detection, and encrypted transmission. If possible, the firewall can also provide various network applications, such as the company's WWW and MAIL services. Abroad there are many customers with such requirements, and correspondingly many manufacturers provide such products.
As for the second point of view, I think it reflects the real direction of security development and the most effective way to improve security performance. Through a distributed, collaborative approach, it makes full use of the power of the network: products with the best functionality and performance in each technology are connected through open protocols for interaction, so that each product can focus on developing, improving, and optimizing its own technology, and the combination achieves great optimizing power. This method suits networks in which applications play an important role in enterprise operation, where security requirements are high, and where the investment in security is large; typical examples are the large networks of ISPs, telecom operators, and financial institutions. There are many such products, many large security vendors are committed to this research, and they are also actively introducing standards for this approach.