How to choose a firewall's architecture and functions

Source: Internet
Author: User
Tags: filter, regular expression, pfsense, firewall, linux


The most used, and also the most important, security device in the networking world is the firewall. Faced with today's many firewalls, which do we choose: a big brand like Cisco, or simply DIY? What are the selection criteria: CPU, bandwidth, or OS? For functions, do we need VPN, layer-7 filtering, flow control, IDS, or a switch/router combination? And of course price, power consumption, stability and other factors all play a part...



In fact there are two big choices. One is to buy a brand-name firewall outright (which will certainly cost you tens of thousands to hundreds of thousands, hehe, though you may get a nice rebate); the other, of course, is to DIY your own. Below we get to the subject. The views are purely fictional; any resemblance is pure coincidence:



1. Choosing the firewall operating system



In fact this question also involves the choice of firewall hardware. Very simply: hardware is the foundation, and the operating system drives that hardware and is the platform on which software is developed and used. The systems on the market are Linux-based (Debian, ClearOS, OpenWrt, DD-WRT, Tomato, RouterOS/ROS) and BSD-based (FreeBSD, PF, m0n0wall, NetBSD, OpenBSD). Which should we choose? To answer that, we first need to understand the firewall's architecture:



Broadly, we only divide into x86 and non-x86 architectures. x86 is what many early developers used for hardware firewall operating systems: development is easy and the feature set is rich, but it has one fatal disadvantage. The x86 CPU is a complex-instruction-set processor and needs to execute tens of thousands of instructions to process a single packet, whereas non-x86 CPUs (what we usually call embedded CPUs) use a reduced instruction set, some even optimized specifically for firewalls, so when handling large numbers of small 64-byte packets their performance is 10 to 200 times that of x86. That is why gigabit firewalls are generally an x86 main CPU plus a MIPS network CPU. Someone will ask: why not install a high-performance Intel NIC to share the work? A high-performance NIC does help network performance, but the NIC is a low-level device; in function and complexity it is no match for the CPU, and in the end the high-level work still lands on the CPU, so very often the NIC can cope while the CPU is dead!! So sometimes, when the CPU is not strong enough, it is better to buy a lower-performance card that matches the CPU; don't let the CPU be exhausted! All of this is just to say that for defending against 64-byte packet SYN attacks, an 800 MHz embedded non-x86 CPU beats a 3 GHz x86 CPU by I don't know how many times; my personal estimate is at least 10 times!



a) When your firewall has to handle high traffic and packet-flood DDoS attacks, choose embedded ARM, NP or MIPS firewall hardware, and for the operating system Linux is the one to go with. Its representatives are OpenWrt, which originated from the Cisco/Linksys firmware, DD-WRT and Tomato (their multi-WAN "overlay" support is actually policy routing). Why not FreeBSD? Because FreeBSD does not support this hardware. Why not NetBSD/OpenBSD? Because performance is low and a lot of wireless, new hardware and NICs are not supported! And a firewall does not run server software, so it does not need very high anti-intrusion or mandatory-access-control security and so on... My suggestion here is OpenWrt: free, highly customizable, and configured just like a Linux machine!! DD-WRT charges! Tomato is also based on OpenWrt; its author configured policy routing to support dual and quad WAN! As for RouterOS/ROS, it is also a Linux system modified by Chinese developers; it charges and its functions are cumbersome; internet cafes can consider it!!



b) If your hardware choice is x86, I suggest only one system suits you: FreeBSD, either as a custom-built firewall or as m0n0wall or pfSense! Why not Linux? Very simple: under heavy small-packet (SYN) attacks FreeBSD can carry far more than Linux, and in the extreme case you can turn on NIC polling mode, which effectively reduces the CPU interrupt load so your cpu0 is not sitting at 100%! In particular, pfSense chose OpenBSD's PF firewall, which supports useful functions such as a SYN three-way-handshake proxy, address pools and automatic blacklisting, and is very small and stable; its performance is only a little better than Linux, but that is completely enough! It can be set up without a hard disk, as a small box with only a CPU, memory and a memory card: low power, stable, complete!! And the same application-layer filtering as iptables' layer-7 can be achieved through ipfw-classifyd; after all, we are a Shanzhai (knock-off) ClearOS company! The commercial Panabit, the master of flow control, also chose FreeBSD, but unfortunately its signatures are encrypted...!!!!!



c) When your server is a VPS, there is no way around it: on Linux use its own iptables, and on FreeBSD use its own ipfw, ipfilter or PF!



2. Function selection



Many firewalls today are very powerful by default: VPN, web interface control, 7-layer filtering, IDS/IPS, and they even turn the firewall into a switch or router, producing so-called 7-layer switches, 4-layer switches, 7-layer and 4-layer routers and so on. Of course these are not simply BSD/Linux with switching, routing or firewall software installed; they are secondary developments that effectively accelerate switching and routing performance. But does a DIY firewall need so many functions?



One principle: functions affect performance, and they also affect security! Conversely, what affects security also affects performance! In practice, we should enable functions according to our own situation:



1. Turn off web control. Since it is custom-built, you must be its master: full-screen console operation and hand-written firewall and routing rules. What do you want a web interface for? It hurts performance and safety!



2. Close Telnet access to the box and log in locally on the DIY firewall machine to control it; forget about SSH and Telnet, and keep the firewall doing its three jobs: forwarding, filtering and flow control!! Use a basic system with a customized kernel, configure policy routing and firewall forwarding/filtering, or use a layer-7 filter (but customize the 7-layer filter signatures yourself: the free ones are very outdated. Use packet analysis software to study the traffic and write the regular expressions; it is not hard to learn, it just needs patience and observation, hehe)!



3. As for VPN, IDS and IPS, forward the traffic through the firewall to a separate computer for analysis and handling. The firewall itself is customized from old hardware, not a professional hardware firewall, so don't run big resource-hungry programs on it.



4. When all the configuration is done, you can learn from m0n0wall and simply disable the console as well; nobody needs to log in!
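Item 2 above tells you to write your own layer-7 signatures from packet captures but does not show how a filter applies them. The following is an added example of my own (not code from the article, pfSense, or the l7-filter project) in Python: it reproduces the matching model such filters use, concatenating the first payload bytes of a connection in both directions and testing them case-insensitively against one regular expression per protocol until one matches or an inspection budget runs out. The three signatures, the 2048-byte/10-packet budget and the policy table are constructed for this illustration.

```python
import re

# Constructed signatures in the style of l7-filter pattern files (one regex per
# protocol, matched case-insensitively against the start of a flow). Written for
# this example; they are not l7-filter's own patterns.
SIGNATURES = {
    "http": r"^(get|post|head|put|delete|options)\s[^\r\n]*\shttp/1\.[01]\r\n",
    "ssh":  r"^ssh-[12]\.[0-9]",
    "smtp": r"^220[\x09-\x0d -~]*(e?smtp|mail)",
}
COMPILED = {n: re.compile(p, re.IGNORECASE | re.DOTALL) for n, p in SIGNATURES.items()}

BYTE_LIMIT = 2048     # assumed inspection budget: give up after this much payload
PACKET_LIMIT = 10     # ... or after this many payload-bearing packets
POLICY = {"http": "pass", "ssh": "pass", "smtp": "pass", "unknown": "shape"}  # assumed


class Flow:
    """First payload bytes of one connection, both directions concatenated."""

    def __init__(self):
        self.buf = b""
        self.packets = 0
        self.verdict = None   # protocol name, "unknown", or None while undecided

    def feed(self, payload):
        """Add one packet's payload; returns the verdict once there is one."""
        if self.verdict is not None or not payload:
            return self.verdict
        self.packets += 1
        self.buf += payload
        # latin-1 maps each byte to one code point, so binary data is matchable
        text = self.buf[:BYTE_LIMIT].decode("latin-1")
        for name, pattern in COMPILED.items():
            if pattern.search(text):
                self.verdict = name
                return name
        if self.packets >= PACKET_LIMIT or len(self.buf) >= BYTE_LIMIT:
            self.verdict = "unknown"   # budget spent without a match
        return self.verdict


def classify(payloads):
    flow = Flow()
    for p in payloads:
        flow.feed(p)
    return flow.verdict


def decide(payloads):
    """Firewall action for the flow; 'pending' while still unclassified."""
    verdict = classify(payloads)
    return POLICY.get(verdict, "pending") if verdict else "pending"
```

A signature split across two packets still matches because the buffer, not the individual packet, is tested; a flow that never matches is classified as unknown only after the budget is spent.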



3. Buying the hardware



1. Choose old hardware, a retired computer. Best to boot from a USB stick and remove the hard disk, the most error-prone thing of all!



2. Go to a shop that specializes in custom firewall equipment for the custom box chassis, power supply and so on. For the motherboard, best choose an embedded development board or a mini x86 board; there are plenty on Taobao, oh.



3. If you want wireless or 3G support, just buy a wireless NIC or a 3G card and plug it in; as long as the system supports it and you have an antenna, that's it, hehe.



4. DIY firewall cost control (buying new hardware): it depends on which brand firewall's performance you want to match. For the performance of a 200,000 firewall you had better prepare around 5,000; it is generally 1/10 to 1/100, depending on how black-hearted the brand is.



Well, enough said. To sum up in one sentence: when choosing a firewall, first look at the architecture (which determines the OS), second at the packet forwarding bandwidth, and third at the price. I hope this gives you a little inspiration, whether you want to DIY a firewall or buy a commercial one.




