Firewall security and effectiveness analysis

Network firewall has long been the main mechanism used by general enterprises to protect enterprise network security. However, the overall security of the enterprise network involves a wide range of aspects, the firewall not only can not solve all the security problems, the firewall used by the control technology, its own security protection capabilities, network structure, security policies and other factors will affect the security of the Enterprise network.

Among the many factors that affect firewall security performance are those that managers can control, but some are features that cannot be changed after a firewall has been selected, and one key is the access control technology used by firewalls. At present, the control technology of firewall can be divided into: packet filter type (Packet filter), seal test type (Stateful inspection Packet filter) and Application Layer Gate channel type (Application Gateway). These three technologies have their own characteristics in security or efficiency, but generally people only pay attention to the effectiveness of the firewall and ignore the conflict between security and efficiency. This paper explains the three technologies of firewall, compares the characteristics of various ways and the security risk or efficiency loss that may bring.

Packet Filter Type: Packet filter type of control will check all incoming and outgoing firewall packet header content, such as the source and target IP, use protocol, TCP or UDP port and other information control management. Today's routers, Switch router, and some operating systems already have the ability to control with packet filter. The most benefit of the packet-filtering control mode is the high efficiency, but there are several serious disadvantages: the management is complex, the connection can not be completely controlled, the order of the rules will seriously affect the result, not easy to maintain and record less function.

Package Inspection Type: The control mechanism of the seal inspection type is to examine each level in the package through a test module. The package inspection type is a strengthened version of the packet filtration type, the purpose is to increase the security of the packet filtration type, and to increase the ability to control the "wiring". However, due to the main inspection objects of packet inspection are still individual packets, different methods of package inspection may produce great difference. The wider the level of inspection, the more secure it will be, but the less effective it will be.

A packet-proof firewall may cause problems if it is not fully checked. One example was the security vulnerabilities of the fast Mode TCP fragment, which was published last year about FIREWALL-1. This design to increase efficiency has become a security weakness.

Application Layer Gate Channel type: The firewall of the application layer Gate channel is used to intercept the line action, by a special agent to handle the connection between the two ends, and to analyze whether the connection content conforms to the standard of the application agreement. The control mechanism in this way can effectively control the whole line action from beginning to end without being deceived by the client side or the server side, and it will not be as complicated as the packet filtering type in management. However, you must write an exclusive agent for each application, or use a general-purpose agent to handle most of the wiring. This mode of operation is the safest way, but it is also the least effective way.

Firewalls are designed to protect security, and security should be its primary consideration. Therefore, rather than simply asking for efficiency, consider how to provide maximum security without impacting performance.

Although the above three modes of operation are different in efficiency, we must consider whether the difference in effectiveness will affect the actual operation while evaluating the effectiveness. In fact, even the use of the application gateway does not really affect the effectiveness of the network for most "broadband" networks still using the T1 or future xDSL. In this application environment, the effectiveness of the firewall should not be the focus of consideration. However, when the firewall is between different departments of the enterprise network, the enterprise must consider whether this kind of efficiency sacrifice is acceptable.