This article introduces some practical knowledge: how to configure a security policy on a firewall. It should be noted, however, that firewall configuration is not uniform. Not only do different brands differ, but different models of the same brand are not exactly alike, so this can only be a basic introduction to some general firewall configuration methods. In addition, the specific policy configuration will vary greatly depending on the application environment. First, some basic configuration principles.
I. Basic configuration principles for firewalls
By default, every firewall is configured in one of the following two ways:
Reject all traffic, which requires you to explicitly specify the types of traffic that may enter and leave your network.
Allow all traffic, which requires you to explicitly specify the types of traffic to be rejected.
Arguably, most firewalls reject all traffic by default as the secure option. Once you have installed the firewall, you need to open some necessary ports so that users behind the firewall can access the required systems after authentication. In other words, if you want your employees to be able to send and receive email, you must set rules on the firewall, or open the relevant ports, to allow POP3 and SMTP traffic.
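The two postures above, as an added example that is not part of the original article: a toy first-match rule evaluator (no vendor's syntax) with a default-deny policy that opens only POP3 and SMTP, beside a default-allow policy that blocks only SSH. The port numbers and the unlisted port 3389 are constructed sample input.

```python
"""Toy first-match packet filter illustrating the two default firewall postures.
Constructed example for illustration; it is not any vendor's configuration."""
from dataclasses import dataclass
from typing import List, Optional

POP3, SMTP, SSH = 110, 25, 22  # well-known TCP ports used by the sample rules


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, proto: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


@dataclass
class Policy:
    default: str        # action taken when no rule matches
    rules: List[Rule]

    def decide(self, proto: str, dport: int) -> str:
        # The first matching rule wins, as in most firewall rule bases.
        for rule in self.rules:
            if rule.matches(proto, dport):
                return rule.action
        return self.default


# Posture 1: reject everything, then open only what the mail clients need.
DENY_ALL_MAIL_ONLY = Policy("deny", [Rule("allow", "tcp", POP3),
                                     Rule("allow", "tcp", SMTP)])

# Posture 2: allow everything, and list only what must be rejected.
ALLOW_ALL_BLOCK_SSH = Policy("allow", [Rule("deny", "tcp", SSH)])


def compare_postures(proto: str, dport: int) -> dict:
    """Decision of each posture for the same packet."""
    return {"deny_all": DENY_ALL_MAIL_ONLY.decide(proto, dport),
            "allow_all": ALLOW_ALL_BLOCK_SSH.decide(proto, dport)}


if __name__ == "__main__":
    # A port nobody listed (here TCP 3389) shows the difference in exposure.
    for proto, port in [("tcp", POP3), ("tcp", SMTP), ("tcp", SSH), ("tcp", 3389)]:
        print(proto, port, compare_postures(proto, port))
```

Under default-allow, any service that was forgotten in the deny list is reachable, which is why the deny-all posture is the usual secure default.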
In firewall configuration, the first principle to follow is that the result must be both secure and practical. From this point of view, the configuration process should adhere to the following three basic principles:
(1). Simple and practical: when designing the firewall environment, the first rule is that simpler is better. In fact, this is a basic principle of anything: the simpler the implementation, the easier it is to understand and use, and the simpler the design, the less prone it is to error, so the firewall's security functions are easier to guarantee and management is more reliable and straightforward.
Every product is positioned around a main function before it is developed. A firewall product, for example, was originally intended to enforce security controls between networks, while intrusion detection products are mainly intended to monitor for unauthorized network activity. As the technology has matured, these products have gained more or less value-added functions on top of their original purpose: firewalls have added anti-virus and intrusion detection, and intrusion detection products have added anti-virus. These value-added functions are not needed in every application environment, however, so we should configure only what the specific environment requires rather than configuring every function in detail. Doing otherwise greatly increases the configuration difficulty and, because the various parts of the configuration are not coordinated, can introduce new security vulnerabilities, so the losses outweigh the gains.
(2). Comprehensive and in depth: a single defensive measure can hardly guarantee the security of a system; only a comprehensive, multi-level defense strategy can make a system genuinely secure. In firewall configuration we should not stop at a few superficial firewall statements, but should look systematically at the security protection system of the entire network, making the various parts of the configuration reinforce each other as far as possible so that the whole system is protected in depth. This is reflected in two aspects: on the one hand, in the deployment of the firewall system as a multi-level arrangement, that is, an Internet border firewall, departmental border firewalls and host firewalls providing defense at each level; on the other hand, in combining intrusion detection, network encryption, anti-virus and many other security measures into a multi-layer security system.
(3). Both inside and outside: a characteristic of the firewall is that it guards against the outside, yet in real network environments more than 80% of threats come from the inside, so we have to establish the concept of preventing internal threats and fundamentally change the traditional idea that prevention is only about the outside. Other security measures can be taken against internal threats, such as intrusion detection, host protection, vulnerability scanning and anti-virus. In firewall configuration, this aspect is reflected in the concept of comprehensive protection: it is best to deploy a mechanism that links the firewall with the internal protection measures listed above. For now, this is still difficult to achieve.