With the rapid growth of the Internet, e-commerce and e-government, more and more networks are being connected to the Internet, and host systems that offer public services on it, such as web, e-mail and FTP servers, are being set up. At the same time, more and more users rely on the web to obtain and publish information, so the volume of content on the Internet is growing rapidly. But malicious behaviour, such as breaking into other people's systems, stealing secrets and sabotaging systems, is also spreading quietly, and anyone who does not take the necessary protective measures faces consequences that are hard to foresee. Many security technologies have been applied to improve network security; the most representative are data encryption, fault tolerance, port protection, subject (identity) verification and firewall technology. Among these, the firewall is a network security technology that has been proposed and promoted in recent years.
I. Firewall classification and characteristics
At present firewalls are divided into software firewalls (also called firewalls based on a general-purpose operating system), hardware firewalls (also called router-based packet-filtering firewalls) and standard server firewalls (also called firewalls based on a dedicated security operating system). A great deal could be said about how they differ, so only a simple comparison is made here.
Comparison of software, hardware and standard server firewalls:

Criterion                  Software firewall              Hardware firewall   Standard server firewall
Installation               More complex                   Simple              Simple
Security                   High                           Higher              High
Performance                Depends on hardware platform   High                High
Management                 Simple                         More complex        Simple
Maintenance cost           Low                            High                Low
Extensibility              High                           Low                 High
Configuration flexibility  High                           Low                 High
Price                      Low                            High                Lower
II. Purchasing criteria
It must be recognised that no firewall design suits every environment, so an enterprise should choose a firewall according to the characteristics of its own site:
(1) Security
When choosing a firewall, most organisations concentrate on how it controls connections and how many services it supports, and overlook the most important point: the firewall is itself a host on the network and can have security problems of its own. If a firewall cannot secure itself, then however strong its control functions are, it cannot fully protect the internal network. Firewall security cannot be discussed without discussing firewall placement. There are three basic configurations: dual-homed, screened-host and screened-subnet. Dual-homed is the simplest. A dual-homed gateway sits between two networks, and this gateway is also called the bastion host. The cost of this structure is low, but it is a single point of failure: it adds nothing to the network's ability to defend itself, it is often the first target of an attacker, and once it is compromised the entire network is exposed. In the screened-host configuration a screening router is placed in front of the bastion host as a barrier that protects it. The router forwards all inbound traffic to the bastion host and accepts outbound traffic only from the bastion host. This structure depends on both the screening router and the bastion host, and if either one fails the entire network is exposed.
The screened-subnet configuration contains two screening routers and two bastion hosts. A separate network is formed between the public and private networks, known as the demilitarized zone (DMZ), and the bastion hosts are placed in it. This structure is secure, because the internal network is exposed only when two security components have been compromised, but it is also the most expensive.
(2) Efficiency
A good firewall should provide users with complete security checking, but a secure network still depends on the users' own observation and improvement, because a firewall cannot eliminate every malicious packet; an enterprise that wants real security still needs its own staff to keep recording, improving and tracking. A firewall can restrict connections to legitimate users, but cases where an illegitimate use hides behind a legitimate account still have to be discovered by the administrators. The biggest difference between a firewall and a proxy server is that the firewall is designed specifically to protect network security. A good firewall should not only check, authenticate, alert and log, but also solve problems the user is likely to meet and offer solutions in advance, such as IP address translation, encryption and decryption of data, and the centralised Internet-access management that large enterprises require. These are issues that must be considered when choosing a firewall.
(3) Ease of configuration
A hardware firewall system is powerful, but its configuration and installation are also more complex and may require the network administrator to make large changes to the existing network configuration. A firewall that supports transparent communication needs no change to the network configuration when it is installed. Of the firewalls currently on the market, some can work only in transparent mode or only as a gateway, while others can work in a mixed mode; a firewall that works in mixed mode is obviously more convenient. Ease of configuration also implies ease of management. When selecting a firewall, users should also check whether it supports management over a serial terminal; without a terminal (console) management path it is hard to diagnose a fault. A good firewall product must fit the user's actual needs. For domestic users the firewall should ideally have a Chinese-language interface and support command-line management, a GUI and centralised management.
(4) Ease of management
How hard a firewall is to manage is one of the main factors in whether it achieves its goal. Besides the packet-filtering limitations mentioned earlier, the reasons enterprises rarely use their existing network equipment directly as a firewall are management problems: it cannot achieve complete control, it is hard to configure, it demands thorough knowledge, and it is difficult to debug. Firewall management should therefore fit the working habits of network administrators, with remote Telnet login and online help for management commands. (Remote management must itself be protected: Telnet carries administrator credentials in clear text, so an encrypted channel is preferable wherever the product offers one.) GUI-based managers provide an effective and intuitive way for network administrators to manage the firewall.
(5) Reliability
The reliability of a firewall directly affects the availability of the network it controls, and its importance in critical industries and key business systems is obvious. Firewall reliability is usually improved at design time by making components more robust, increasing design margins and adding redundant components. In addition, the firewall should provide security hardening of its operating system, preferably without manual intervention, so that the operating system really is strengthened. This hardening usually stops unnecessary services and fixes the operating system's known security vulnerabilities; it is not a complete guarantee, but it at least removes unnecessary exposure to the outside.
(6) Scalability
The size and functionality of a good firewall system should be able to follow changes in network size and security policy. The ideal firewall is a scalable modular solution, ranging from a basic packet filter, through a packet filter with VPN encryption, up to an independent application gateway, so that users have ample room to build the firewall system they need. Current firewalls usually come with three network interfaces as standard, connected to the external network, the intranet and the SSN (secure server network, i.e. the DMZ). Because some firewalls cannot be expanded, users must find out before buying whether network interfaces can be added.
(7) Other factors to consider
An enterprise security policy often has special requirements (for example network address translation (NAT), dual DNS, or anti-virus functions) that not every firewall provides; this is frequently one of the deciding factors when choosing a firewall.
In addition, the maintenance cost of the firewall has to be considered. In general, the higher the security, the more complex the implementation and the more expensive the equipment, and the higher the future maintenance cost will be.
Suggestions:
For ISPs, web sites and similar users, data volumes are large and the requirements on speed and stability are high. If such users need to publish web content to the outside (the web server facing outward) while protecting a database or application server placed behind the firewall, the firewall must be able to pass SQL traffic and must do so quickly. These users are advised to adopt a hardware firewall with efficient packet filtering and a bandwidth of 100 Mbps or more, allowing only the external web server to exchange SQL data with the inside.
Small and medium-sized enterprises generally connect to the Internet so that internal users can browse the web, send and receive e-mail and publish a home page. When buying a firewall, such users should pay attention to protecting internal (sensitive) data, with security as the special concern, while making no particular demands on the diversity of supported protocols or on speed. They are advised to choose a general proxy firewall with HTTP, mail and similar proxy functions.
For large and medium-sized enterprises and for finance, insurance, government and similar institutions, the common points are that network traffic is not very large, external contacts are numerous and internal data is important. Security is therefore the first consideration when choosing a firewall. In the overall plan the firewall should at least be able to divide the internal network into two parts: the network that holds the important internal data and the network that provides data for external access. For the transfer of important data the firewall must provide encrypted VPN traffic. For this type of user a 10 Mbps or 100 Mbps firewall is sufficient.
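The screened-subnet configuration described in section II (1) and the ISP/web-site recommendation above share one policy: the outside may reach only the DMZ web server, and only that web server may open SQL connections to the internal database. The following Python is an added example, not code from the article or any product, that simulates a stateful packet filter enforcing that policy. The address ranges, host addresses and the SQL port 1433 are assumptions chosen for the illustration.

```python
"""Stateful screened-subnet packet filter (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Assumed addressing for the three legs of the screened subnet.
DMZ_NET = ip_network("192.0.2.0/24")
INTERNAL_NET = ip_network("10.0.0.0/8")
WEB_SERVER = "192.0.2.10"   # bastion/web host in the DMZ
DB_SERVER = "10.1.1.20"     # SQL server on the internal network


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside DMZ/internal is external."""
    addr = ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True only for the first segment of a new TCP connection


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str
    dport: int
    src_host: Optional[str] = None  # None means any host in src_zone

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == "tcp"
                and zone_of(pkt.src) == self.src_zone
                and zone_of(pkt.dst) == self.dst_zone
                and pkt.dst == self.dst_host
                and pkt.dport == self.dport
                and (self.src_host is None or pkt.src == self.src_host))


# Policy: outside -> DMZ web server on 80/443; DMZ web server -> internal DB on
# 1433; everything else, including outside -> internal, is denied by default.
POLICY = [
    Rule("external", "dmz", WEB_SERVER, 80),
    Rule("external", "dmz", WEB_SERVER, 443),
    Rule("dmz", "internal", DB_SERVER, 1433, src_host=WEB_SERVER),
]


class StatefulFilter:
    """Packet filter with a connection table: replies to an allowed connection
    pass without a rule in the reverse direction, and a mid-stream segment with
    no tracked connection is dropped instead of being trusted."""

    def __init__(self, policy):
        self.policy = policy
        self.conns: Set[Tuple[str, str, int, str, int]] = set()

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "ALLOW", "established"
        if not pkt.syn:
            # No state and not a connection attempt: spoofed or stale traffic.
            return "DENY", "no state"
        for rule in self.policy:
            if rule.matches(pkt):
                self.conns.add(fwd)
                return "ALLOW", f"new {rule.src_zone}->{rule.dst_zone}"
        return "DENY", "default"


def demo():
    """Run a constructed traffic sample through the policy."""
    fw = StatefulFilter(POLICY)
    sample = [
        Packet("203.0.113.5", WEB_SERVER, "tcp", 40000, 80, syn=True),   # client -> web
        Packet(WEB_SERVER, "203.0.113.5", "tcp", 80, 40000),             # web reply
        Packet(WEB_SERVER, DB_SERVER, "tcp", 50000, 1433, syn=True),     # web -> SQL
        Packet(DB_SERVER, WEB_SERVER, "tcp", 1433, 50000),               # SQL reply
        Packet("203.0.113.5", DB_SERVER, "tcp", 40001, 1433, syn=True),  # client -> SQL
        Packet("203.0.113.5", DB_SERVER, "tcp", 40002, 1433),            # forged "reply"
        Packet("192.0.2.11", DB_SERVER, "tcp", 50001, 1433, syn=True),   # other DMZ host
    ]
    return [fw.evaluate(p) for p in sample]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The connection table is what makes the "allow only SQL from the web server" rule usable in practice: the database's replies are matched by state rather than by a permanent rule that would let anything from the internal network out, and the forged mid-stream packet from the outside is refused even though it targets a port the web server is allowed to use.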
III. Hardware firewall products at a glance
1. Oriental Dragon Horse hardware firewall
The Oriental Dragon Horse firewall is a network security product developed in-house by the Oriental Dragon Horse company using current network security technology. Its basic functions include:
- real-time connection state monitoring and dynamic setting of filtering rules;
- bidirectional network address translation;
- transparent proxy access for FTP, Telnet, HTTP, SMTP and POP3, with application-layer URL-level statistics and blocking;
- a secure network structure separating the internal network, the DMZ and the control zone, and a transparent operating mode;
- MAC address binding, anti-attack and self-protection capability;
- reliable fault tolerance and hot standby through dual-machine hot backup;
- audit logging with post-analysis, query and reporting functions;
- authentication of terminals that use network resources through the firewall;
- a simple graphical user interface with object-oriented visual rule editing for monitoring and managing the firewall.
Hardware configuration: network interfaces of four 10/100 Mbps auto-sensing network card interfaces, or a Gigabit NIC interface; peripheral interface: terminal interface (RS-232).
2. Tsinghua Violet Nisecure UF3500 firewall
The Tsinghua Violet Nisecure UF3500 firewall uses an SSL-based browser management interface, so the firewall can be managed and configured over HTTPS from a popular web browser, which keeps firewall management both secure and easy to use. It supports a browser session timeout so that the management session is protected when the administrator leaves the management computer. It provides network address translation, traffic control, user authentication, virtual private network (VPN) support and network management functions, combining network-level packet filtering with an application-level proxy server.
Extensive network service support: ARP, DNS, FINGER, FTP, GOPHER, HTTP, HTTPS, ICMP, IRC, MAIL, NFS, SNMP, NNTP, POP3, RLOGIN, TELNET, WAIS and other protocols.
Hardware configuration: 3 Ethernet RJ-45 ports (10/100 Mbps auto-sensing, full duplex), each with two LEDs; power LED; LCD display of system state; serial console port.
3. NetScreen firewall
NetScreen Company's NetScreen firewall products can be described as the newcomer in the hardware firewall field. NetScreen's products are built entirely around hardware ASIC chips, and each is as simple to install and use as a box. At the same time each unit combines three functions, firewall, VPN and traffic control, in one network product. NetScreen integrates these security functions on an ASIC, placing the firewall, virtual private network (VPN), network traffic control and broadband access in hardware, which removes the performance bottleneck that traditional firewalls suffer when encrypting data and achieves the highest level of IPSec security. A NetScreen firewall can be configured from any machine with a web browser. Its three main product series are briefly introduced below:
(1) NetScreen-100
The NetScreen-100 is an Internet security device designed specifically for network security, providing a firewall optimised for e-commerce sites, ASP/ISP data centres and enterprise central sites, together with VPN and traffic control (bandwidth monitoring). The NetScreen-100 includes a specially designed ASIC that accelerates encryption and firewall functions, a high-performance multi-bus architecture, a high-speed RISC CPU and dedicated software. Its patented architecture eliminates the performance bottlenecks of traditional systems, in which the firewall, VPN and encryption run as software on a general-purpose processor, PC or workstation, while still providing ICSA-certified stateful inspection firewall security and the highest level of 3DES IPSec data encryption.
Application areas: e-commerce sites, ASP sites, application service providers, enterprise central sites.
(2) NetScreen-200
Because its additional ports can divide the network into multiple monitored zones, the NetScreen-200 series can establish VPN tunnels between those zones. The series has the ASIC-based security mechanism, multiple interfaces all of which have firewall protection and VPN tunnel support, a centralised hub-and-spoke VPN central site, and high availability (redundant HA between devices). The NetScreen-200 series comprises the NetScreen-204 and NetScreen-208, which differ in the number of 10/100 Mbps Ethernet interfaces. Both the NetScreen-208 and NetScreen-204 support 1,000 IPSec VPN tunnels and 128,000 concurrent sessions, and can handle more than 10,000 new sessions per second, which helps them withstand denial-of-service attacks. The NetScreen-208's firewall and VPN throughput are Mbps and Mbps respectively; the NetScreen-204's firewall and VPN throughput are Mbps and Mbps respectively. Multiple Ethernet ports are provided, and each can be flexibly assigned to the trust zone, the untrust zone or the DMZ. The NetScreen-200 series ships with the latest ScreenOS 3.1 operating system, whose optimisations make it easier for users to set up and configure security zones within the network.
Application areas: large and medium-sized enterprises, service providers.
(3) NetScreen-1000
The NetScreen-1000 firewall is an Internet security system aimed at the requirements of most data centre environments, including e-commerce sites, web hosting sites and ASPs. It combines firewall and VPN encryption capability with Gigabit Ethernet throughput. NetScreen's GigaScreen ASIC architecture, which combines concurrent processing with hardware acceleration, offers high-speed forwarding and an effective encryption acceleration engine, so that its throughput can satisfy broadband data applications. The scalable architecture of the NetScreen-1000 keeps pace with customer needs such as business growth, and it meets the needs of most environments.
4. Cisco PIX 500 series firewall
The Cisco Systems PIX 500 series firewall uses a dedicated operating system, which reduces the likelihood that attackers can exploit operating system bugs, and its kernel is based on the Adaptive Security Algorithm (ASA) protection mechanism, which completely isolates the internal network from unauthenticated users. Whenever an internal user accesses the Internet, the PIX firewall removes the user's address from the IP packet, replaces it with a valid address held by the PIX firewall, and so hides the real internal address. The PIX firewall also has audit logging, supports SNMP, and provides real-time alarms; the user can produce alarm reports through a web browser. The PIX 500's cut-through proxy initially treats a user the way a proxy server would, working at the application layer; but once the user has been authenticated, the PIX firewall switches the session flow and all subsequent traffic so that the two ends of the session communicate quickly and directly.
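The two mechanisms in the previous paragraph, hiding the internal address behind one the firewall owns and authenticating a user once before switching the flow straight through, are modelled in the Python below. This is an added example, not Cisco's code or a description of PIX internals: the gateway keeps a per-host authentication state (a simplification of the PIX user-session model), a port-based translation table, and lets back in only replies that match an existing translation. All addresses, the user table and the port numbers are constructed for the example.

```python
"""Address hiding plus cut-through authentication (added example, constructed data)."""
import hmac
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


# A flow is identified by the inside host's (ip, port) and the outside (ip, port).
Flow = Tuple[str, int, str, int]


class CutThroughGateway:
    def __init__(self, outside_ip: str, users: Dict[str, str]):
        self.outside_ip = outside_ip          # the one valid address shown outside
        self.users = users                    # username -> password (constructed)
        self.authenticated: Set[str] = set()  # inside hosts with a verified user
        self.nat: Dict[Flow, int] = {}        # flow -> public source port
        self.reverse: Dict[int, Flow] = {}    # public source port -> flow
        self._ports = count(1024)             # assumed public port pool

    def login(self, inside_ip: str, username: str, password: str) -> bool:
        """Application-layer step of the cut-through proxy: verify the user
        before any traffic from that host is switched through."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return False
        self.authenticated.add(inside_ip)
        return True

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an inside->outside packet with the gateway's own address,
        or drop it (None) if the host has not authenticated yet."""
        if pkt.src not in self.authenticated:
            return None
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in self.nat:
            port = next(self._ports)
            self.nat[flow] = port
            self.reverse[port] = flow
        return Packet(self.outside_ip, pkt.dst, self.nat[flow], pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back to the inside host. Packets to the public
        address with no matching translation, or from a host other than the
        one the inside host contacted, are dropped."""
        if pkt.dst != self.outside_ip or pkt.dport not in self.reverse:
            return None
        inside_ip, inside_port, peer_ip, peer_port = self.reverse[pkt.dport]
        if pkt.src != peer_ip or pkt.sport != peer_port:
            return None
        return Packet(pkt.src, inside_ip, pkt.sport, inside_port)


if __name__ == "__main__":
    gw = CutThroughGateway("198.51.100.1", {"alice": "s3cret"})
    web = Packet("10.0.0.5", "203.0.113.80", 40000, 80)
    print(gw.outbound(web))                         # None: not authenticated
    print(gw.login("10.0.0.5", "alice", "s3cret"))  # True
    print(gw.outbound(web))                         # src rewritten to 198.51.100.1
    print(gw.inbound(Packet("203.0.113.80", "198.51.100.1", 80, 1024)))
```

The check in `inbound` is the part worth noting: because the translation records the outside peer as well as the public port, an unsolicited packet to the gateway's public address, or one from a different host to an in-use port, cannot reach the inside network even though the port is open in the table.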
Scope of application (which model when the customer needs the following):

Product                           Suitable for                                   Simultaneous connections
Cisco Secure PIX Firewall 515R    Small offices (dedicated firewall device)      50,000
Cisco Secure PIX Firewall 515UR   Medium-sized enterprises (dedicated firewall)  100,000
Cisco Secure PIX Firewall 520     Large enterprises (dedicated firewall device)  128, 1024 or more than 250,000