Source: China Security Information Network
With the rapid development of computer network technology, network security problems have become increasingly prominent for all kinds of users. According to data obtained by the author, nearly 20% of users on the Internet have been attacked by hackers. Although hackers are this rampant, network security has still not received enough attention. Most users think that network security problems are far removed from them; this is borne out by the fact that more than 40% of users, enterprise users in particular, have not installed a firewall. Every incident proves the same point: most hacker intrusions result from a firewall not being installed correctly.
Concept and function of Firewall
The original meaning of "firewall" refers to the walls built between houses in ancient times, which kept a fire from spreading to neighbouring houses. The firewall discussed here is not a physical wall but a defense system placed between the local network and the external network; it is a general term for such protective measures. The firewall is a very effective network security model on the Internet: it isolates the risky area (the Internet, or any network carrying a certain risk) from the secure area (the LAN) without impeding access from the secure area to the risky one. By monitoring inbound and outbound network traffic, the firewall accomplishes what would otherwise seem impossible: it lets only secure, approved information in while keeping out data that threatens the enterprise. As security errors and defects become more common, network intrusions come not only from sophisticated attack methods but also from low-level configuration errors or poor password choices. The role of the firewall is therefore to prevent unwanted and unauthorized communications from entering or leaving the protected network, forcing the organization to tighten its network security policy. In general, a firewall can achieve the following goals: first, restrict outsiders' access to the internal network and filter out insecure services and illegitimate users; second, keep intruders away from your defensive facilities; third, restrict users from accessing particular sites; and fourth, make it convenient to monitor Internet security. Because a firewall presupposes a network boundary and a defined set of services, it is best suited to relatively self-contained networks such as an intranet. The firewall is becoming a very popular method of controlling access to network systems.
In fact, more than 1/3 of the Web sites on the Internet are protected by some form of firewall, which is the strictest and most secure barrier against hackers; any critical server should be placed behind a firewall.
Firewall architecture and working methods
A firewall makes your network plan clearer and comprehensively prevents data access that exceeds a user's permissions (because the first thing some people attempt after logging on is to go beyond their permission limits). Without a firewall you may receive many reports of this kind: the organization's internal financial reports have just been cracked and spread in tens of thousands of e-mails, or a user's personal homepage has been maliciously linked to Playboy while the report link points to yet another pornographic site ...... A complete firewall system usually consists of a shielded router and a proxy server. A shielded router is a multi-port IP router that checks each incoming IP packet against a set of rules to decide whether to forward it. The shielded router filters IP packets on information taken from the packet header, such as the protocol number, the source and destination IP addresses and port numbers, the connection flags, and other IP options. A proxy server is a server process in the firewall that performs specific TCP/IP functions on behalf of network users. A proxy server is essentially an application-layer gateway, a gateway that connects two networks for one specific network application. When a user works with a TCP/IP application such as Telnet or FTP, the proxy server asks the user for the name of the remote host to be accessed. Once the user replies and supplies valid identity and authentication information, the proxy server connects to the remote host and relays between the two communicating endpoints. The whole process can be completely transparent to the user. The identity and authentication information can be used for user-level authentication; in the simplest case it consists only of a user ID and a password.
However, if the firewall is reachable from the Internet, a stronger authentication mechanism is recommended, such as one-time passwords or a challenge-response system.
The biggest advantage of the shielded router is its simple architecture and low hardware cost. Its disadvantages are that packet filtering rules are difficult to set up, the management cost of the shielded router is high, and it lacks user-level identity authentication. Fortunately, router manufacturers have recognized these problems and begun to address them: they are developing graphical user interfaces for editing packet filtering rules and a standard user-level authentication protocol such as Remote Authentication Dial-In User Service (RADIUS). The advantages of the proxy server are user-level identity authentication, logging, and account management. Its disadvantage stems from the fact that, to provide comprehensive security, an application-layer gateway must be built for every service, which severely limits the adoption of new applications.
The shielded router and the proxy server are usually combined into a hybrid system, in which the shielded router mainly serves to prevent IP spoofing attacks. The most widely used configurations are the dual-homed gateway firewall, the shielded host firewall, and the shielded subnet firewall.
Setting up a firewall generally costs thousands or even tens of thousands of dollars, and the firewall needs to run on a dedicated computer. Users who connect a single computer to the Internet therefore do not need a firewall, and it would not be cost-effective anyway. At present the firewall's focus is on protecting large networks made up of many computers, which are also what really interests expert hackers. A firewall may be a simple filter or an elaborately configured gateway, but both work the same way: they monitor and filter all information passing to and from the external network, protect internal sensitive data from theft and destruction, and record the time and nature of each communication. New-generation firewalls can even prevent insiders from deliberately sending sensitive data out. When a user connects an organization's local network to the Internet, you certainly do not want people all over the world to read the payroll, assorted documents, or the databases of internal staff at will; yet even within the organization there is a possibility of attacks on data. For example, some skilled computer users may tamper with the payroll or financial reports. With a firewall in place, the administrator can allow the organization's staff to use e-mail, browse the WWW, and transfer files, while allowing no external access to the organization's internal computers; the administrator can also block access between different departments within the organization. Placing a local network behind a firewall protects it from external attack. A firewall is usually special software running on a single computer that can identify and block illegal requests. Take a WWW proxy server as an example: all requests are handled indirectly through the proxy server.
This server differs from an ordinary proxy server in that it does not simply pass requests on: it verifies the identity of the requester, the destination of the request, and the content of the request. Only if everything meets the requirements is the request approved and sent to the real WWW server. After processing the request, the real WWW server does not send the result directly to the requester; it returns it to the proxy server, which checks the result against the security rules established earlier. Only when all checks pass is the result actually sent back to the requester.
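The proxy flow described above (challenge the user, check destination and request, inspect the reply before relaying) as an added example, not code from the original article; the user names, shared secrets, allowed hosts and size limit are constructed for illustration:

```python
# Application-layer gateway decision flow (constructed example): the proxy
# challenges the user and verifies the response, checks the destination and
# request, and inspects the real server's reply before relaying it.
import hmac
import secrets
from hashlib import sha256
from urllib.parse import urlsplit

# Constructed shared secrets and policy; nothing here refers to a real system.
SECRETS = {"alice": b"alice-shared-secret"}
ALLOWED_HOSTS = {"www.example.com"}      # destinations the proxy may relay to
ALLOWED_METHODS = {"GET", "HEAD"}
MAX_REPLY_BYTES = 1_000_000

def issue_challenge():
    """Fresh random nonce: a captured answer is useless against the next login."""
    return secrets.token_hex(16)

def answer(secret, challenge):
    """Client side: prove knowledge of the secret without ever sending it."""
    return hmac.new(secret, challenge.encode(), sha256).hexdigest()

def authenticate(user, challenge, response):
    secret = SECRETS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(answer(secret, challenge), response)

def check_request(user, challenge, response, method, url):
    """Return (allowed, reason); the proxy connects outward only on (True, 'ok')."""
    if not authenticate(user, challenge, response):
        return False, "authentication failed"
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in ALLOWED_HOSTS:
        return False, "destination not permitted"
    if method not in ALLOWED_METHODS:
        return False, "method not permitted"
    return True, "ok"

def check_reply(headers, body):
    """Inspect the real server's answer before it goes back to the requester."""
    if len(body) > MAX_REPLY_BYTES:
        return False, "reply too large"
    if not headers.get("Content-Type", "").startswith(("text/", "image/")):
        return False, "content type not permitted"
    return True, "ok"
```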
1. Shielded router (Screening Router)
The shielded router can be a dedicated vendor product or a host. The shielded router is the only channel between the internal and external networks, and every packet must pass its checks. IP-layer packet filtering software can be installed on the router to implement the filtering. Many routers have packet filtering configuration options, but these are generally fairly simple. The danger of a firewall consisting of a shielded router alone lies in the router itself and in the hosts the router allows access to. The disadvantage of the shielded router is that a compromise of the router is hard to detect, and it cannot distinguish between different users.
2. Dual-homed host gateway (Dual-Homed Gateway)
The dual-homed host gateway uses a bastion host with two network interface cards as the firewall; one card connects to the protected network and the other to the external network. The bastion host runs firewall software that can forward application traffic and provide services. Compared with the shielded router, the bastion host's system software can maintain system logs, hard-copy logs, or remote logs. Its weakness is equally prominent, however: once hackers break into the bastion host and reduce it to a mere router, any user on the Internet can access the intranet at will.
3. Shielded host gateway (Screened Gateway)
The shielded host gateway is easy to implement and secure. A bastion host is installed on the internal network, and filtering rules are normally set up on the router so that the bastion host becomes the only host that can be reached directly from the external network; this ensures that the internal network is not attacked by unauthorized external users. If the protected network is a virtual extended local network, that is, one without subnets or routers, changes in the intranet do not affect the configuration of the bastion host or the shielded router. The danger zone is confined to the bastion host and the shielded router. The gateway's basic control policy is determined by the software installed on it. If an attacker manages to log on to it, the other hosts in the intranet are seriously threatened; this is similar to the situation when a dual-homed host gateway is attacked.
4. Shielded subnet (Screened Subnet)
A shielded subnet is an isolated subnet placed between the internal network and the external network. Two packet-filtering routers separate the subnet from the internal network and from the external network respectively. In many implementations, the two packet-filtering routers at either end of the subnet form a demilitarized zone (DMZ) within it. Both the internal network and the external network can access the shielded subnet, but neither may communicate through it to the other. Some shielded subnets also include a bastion host as the only reachable point, supporting interactive terminal sessions or acting as an application gateway proxy. This configuration involves only the bastion host, the subnet hosts, and the routers connecting the intranet, the Internet, and the shielded subnet. An attacker who wants to defeat the firewall completely must reconfigure the routers connected to all three networks without breaking connectivity, locking himself out, or being discovered; this is not impossible. If, however, network access to the routers is disabled, or allowed only from certain hosts in the intranet, the attack becomes very difficult. In that case the attacker must first break into the bastion host, then into an intranet host, and then come back to subvert the shielded router, all without triggering an alarm.
Basic firewall types
Today the market offers a wide variety of firewalls, from software running on a general-purpose computer to firmware built into a router. In general there are three types: packet filtering firewalls, proxy servers, and stateful inspection firewalls.
Packet filtering firewall (IP Filtering Firewall):
A packet filter selects packets at the network layer. It checks each packet in the data stream against pre-configured filtering logic and decides, based on the packet's source address, destination address, and the port it uses, whether packets of this kind are allowed through. In a packet-switched network such as the Internet, all exchanged information is divided into packets of a certain length, each carrying the sender's IP address and the recipient's IP address. When these packets are sent onto the Internet, each router reads the recipient's IP address and chooses a physical line for it.
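The packet filtering logic just described, applied to the shielded subnet configuration from the previous section, as an added example that is not code from the original article; the address ranges, bastion host, rule sets and the two-router path model are constructed assumptions:

```python
# Screened-subnet packet filtering (constructed example). Two stateless filtering
# routers bracket the subnet; a packet passes only if every router on its path allows it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (RFC 1918 and RFC 5737 ranges, no real hosts).
INTRANET = ip_network("10.0.0.0/8")      # protected internal network
SCREENED = ip_network("192.0.2.0/24")    # the isolated subnet (DMZ)
BASTION = ip_network("192.0.2.10/32")    # the only host reachable from outside
ANY = ip_network("0.0.0.0/0")
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: object          # ip_network the source must fall in
    dst: object          # ip_network the destination must fall in
    proto: str = "any"
    dport: int = 0       # 0 matches any destination port
def matches(rule, pkt):
    return (ip_address(pkt.src) in rule.src and ip_address(pkt.dst) in rule.dst
            and rule.proto in ("any", pkt.proto) and rule.dport in (0, pkt.dport))

def filter_packet(rules, pkt):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Exterior router: no intranet address on either end (blocks IP spoofing and
# end-to-end transit); only SMTP/HTTP to the bastion, plus the bastion's replies.
EXTERIOR = [Rule("deny", INTRANET, ANY), Rule("deny", ANY, INTRANET),
            Rule("allow", ANY, BASTION, "tcp", 25), Rule("allow", ANY, BASTION, "tcp", 80),
            Rule("allow", BASTION, ANY, "tcp")]  # stateless filter: replies need a rule
# Interior router: the intranet talks only to the bastion, and vice versa.
INTERIOR = [Rule("allow", INTRANET, BASTION), Rule("allow", BASTION, INTRANET)]
def zone(addr):
    ip = ip_address(addr)
    return "intranet" if ip in INTRANET else "screened" if ip in SCREENED else "internet"

def forward(pkt):
    """Apply the rule set of each router lying between the packet's two zones."""
    zones = {zone(pkt.src), zone(pkt.dst)}
    routers = ([EXTERIOR] if "internet" in zones else []) + ([INTERIOR] if "intranet" in zones else [])
    return "allow" if all(filter_packet(r, pkt) == "allow" for r in routers) else "deny"
```

Because the filters are stateless, the exterior rule set has to admit the bastion's outbound traffic explicitly; a stateful inspection firewall would instead track the connection and admit replies automatically.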