How to identify functional differences between firewalls

Source: Internet
Author: User
Tags: ftp commands, ftp protocol

One thing often confuses users: in terms of product functions, the descriptions given by different vendors are very similar, and some newer entrants describe their products in almost the same words as well-known brands. How can we tell them apart?

Products may be described alike, but even for the same function there are obvious differences between individual products in implementation, usability, and ease of use.

I. Access control at the network layer

All firewalls must have this function; otherwise, they cannot be called firewalls. Of course, most routers can also implement this function through their own ACLs.

1. Rule editing

Access control at the network layer shows up mainly in the firewall's rule editing. We must check: can the intended network-layer access control be expressed as rules? Is the control granularity fine enough? Can the same rule apply different controls in different time periods? Does rule configuration offer a friendly interface? Can it easily express the security intent of the network administrator?

2. IP/MAC address binding

The same applies to IP/MAC address binding: some details must be checked. For example, can the firewall collect IP addresses and MAC addresses automatically? Does the system provide an alarm mechanism for access that violates the IP/MAC binding rules? These functions are very practical. If the firewall cannot collect IP and MAC addresses automatically, the administrator may be forced to use other means to obtain the IP and MAC addresses of every user under their control, which is a very tedious job.

3. NAT (Network Address Translation)

NAT, originally a router function, has gradually become one of the standard functions of a firewall. However, its implementation varies greatly from vendor to vendor. Many vendors have one major problem in their NAT implementation: it is difficult to configure and use, which causes great trouble for network administrators. We need to understand how NAT works to strengthen our network knowledge; through analysis and comparison, we can then find a firewall whose NAT is easy to configure and use.

II. Access control at the application layer

This function is the real test of the various firewall vendors. Although many firewalls built on free operating systems can offer stateful inspection (status monitoring) modules, because the Linux and FreeBSD kernels support stateful inspection, application-layer control cannot be had off the shelf and requires real programming work.

In terms of application layer control, the following points can be investigated when selecting a Firewall.

1. Is HTTP content filtering provided?

Currently, the two most important applications in the enterprise network environment are WWW access and email sending and receiving. The fine-grained control over WWW access reflects the technical strength of a firewall.

2. Is SMTP content filtering provided?

Attacks via email are increasing: email bombs, email viruses, and leakage of confidential information. Whether SMTP-based content filtering is provided, and how fine its granularity is, has become a focus of user attention.

3. Is FTP content filtering provided?

This function needs careful examination. Many vendors advertise FTP content filtering, but on inspection most of them only implement control of two FTP commands, put and get. A good firewall should be able to control all the other FTP commands as well, including cd and ls; it should provide command-level control over access to directories and files, and all filters should support wildcard characters.
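Added example (not code from the original article or any vendor): a command-level FTP filter of the kind described above, with wildcard path rules and a default deny. The policy, the session working directory and the class name are assumptions made for the illustration.

```python
"""Command-level FTP access policy with wildcard path rules (added example)."""
import posixpath
from fnmatch import fnmatchcase

# Commands whose argument is a path; they are resolved against the session's
# working directory before matching, so "../" in an argument is evaluated.
PATH_COMMANDS = {"CWD", "RETR", "STOR", "APPE", "DELE", "LIST", "NLST", "MKD", "RMD"}

# Constructed policy: (command, path pattern, action); first match wins,
# anything unmatched is denied. The client's "get"/"put" are RETR/STOR on
# the wire, so a filter has to work on the wire commands, not client names.
POLICY = [
    ("CWD",  "/pub*",      "allow"),
    ("CWD",  "/upload*",   "allow"),
    ("LIST", "/pub*",      "allow"),
    ("NLST", "/pub*",      "allow"),
    ("RETR", "/pub/*",     "allow"),
    ("STOR", "/upload/*",  "allow"),
    ("DELE", "*",          "deny"),
    ("PWD",  "*",          "allow"),
    ("SITE", "*",          "deny"),   # SITE EXEC / SITE CHMOD stay closed
]


class FtpCommandFilter:
    """Decides allow/deny for each FTP control-channel command line."""

    def __init__(self, policy=POLICY, cwd="/"):
        self.policy = policy
        self.cwd = cwd   # simplified: assumes an allowed CWD succeeds on the server

    def _resolve(self, arg):
        path = arg if arg.startswith("/") else posixpath.join(self.cwd, arg)
        return posixpath.normpath(path)   # "/pub/../etc/passwd" -> "/etc/passwd"

    def decide(self, line):
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        target = self._resolve(arg) if cmd in PATH_COMMANDS else arg
        for rule_cmd, pattern, action in self.policy:
            if rule_cmd == cmd and fnmatchcase(target, pattern):
                if action == "allow" and cmd == "CWD":
                    self.cwd = target     # follow the client into the new directory
                return action
        return "deny"   # default: commands with no matching rule are denied
```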

III. Management and authentication

This is a very important function of a firewall. Currently, firewall management comes in three forms: WUI management based on a Web interface, GUI management based on a graphical user interface, and CLI management based on a command line.

Among these management methods, a command-line CLI is not suitable for firewalls.

WUI and GUI each have their own advantages and disadvantages.

The WUI management method is simple and requires no special management software, only a browser. The WUI is also well suited to remote management: as long as the firewall is configured with a reachable IP address, a firewall at a branch in China can be managed from the United States.

WUI firewalls also have disadvantages. First, the Web interface is not suited to complex, dynamic page display; WUI interfaces generally cannot show rich statistical charts, so users with demanding audit and statistics requirements should not choose the WUI mode. Second, it increases the security threats to firewall management: if a user manages the company firewall from a browser at home, the trust relationship depends only on a simple user name and password, which an attacker can easily guess.

The GUI is currently used by most firewalls. It is a dedicated method that provides rich management functions for administrators configuring the firewall. Its disadvantage is that dedicated management software is required, and it is not as flexible as WUI management for remote and centralized management.

IV. Auditing, logs, and storage methods

At present, most firewalls provide audit and log functions. The differences lie in the audit granularity, the log storage method, and the storage capacity.

The auditing and logging functions of many firewalls are weak. This is especially evident in firewalls that use DOM, DOC and other electronic disks as the storage medium (and provide no network database support); some do not even distinguish between event logs and access logs. If you need extensive audit and log functions, you need to evaluate the firewall's storage method: with DOM, DOC and other flash electronic disks, the audit and log functions may be limited.

Currently, most firewall audit logs are stored on hard disks. The advantage of this method is that it can store a large number of logs (several GB to dozens of GB), but in some extreme situations, such as abnormal power loss, a hard disk is more easily damaged than an electronic disk.

A good firewall should provide multiple storage methods for users to choose and use flexibly.

V. How to differentiate packet filtering and stateful inspection

Some small companies often claim to use stateful inspection (status monitoring) technology when promoting their firewall products, and on the surface it is hard to tell. Here are tips for distinguishing the two technologies.

1. Can the real-time connection status be viewed?

A stateful inspection firewall provides a function and interface for viewing the current connections and can disconnect a current connection in real time. The connection view should carry rich information, including the IP addresses and ports of both parties, the connection state, and the connection time; a simple packet filter has none of this.

2. Is there a dynamic rule base?

Some application protocols use not just one connection and one port but a series of associated connections to complete an application-layer operation. In FTP, for example, user commands are transmitted over a connection to port 21, while data is transmitted over a separate, temporary connection (in active mode the server's source port is 20 by default; in passive mode a temporarily allocated port is used). For such an application it is difficult to write a security rule for a packet-filtering firewall, and it is often necessary to open all ports to connections from source port 20.

A stateful inspection firewall supports dynamic rules: by tracking application-layer sessions it automatically allows valid connections and rejects other connection requests that do not match the session state. For FTP, only an access rule for port 21 needs to be set in the firewall to ensure normal FTP transfers, including passive-mode data transfers. This not only makes the rules simpler but also eliminates the risk of opening all ports to source port 20.
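Added example (not code from the original article or any firewall product): a simplified FTP session tracker that implements the dynamic rules described above. It reads PORT commands and 227 passive-mode replies on the control channel, opens a one-shot pinhole for exactly the announced data connection, and rejects everything else; the addresses and class name are constructed for the illustration, and EPRT/EPSV are left out.

```python
"""Dynamic rules for FTP data connections in a stateful firewall (added example)."""
import re

# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode) and the server's
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (passive mode).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six FTP octets into (ip, port); port = p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None                      # malformed announcement: open nothing
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpSessionTracker:
    """Tracks one FTP control session (client -> server:21) and opens one-shot
    pinholes for the data connections it announces; all other SYNs are denied."""

    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.expected = set()   # dynamic rules: (src_ip, dst_ip, dst_port)

    def on_control_line(self, direction, line):
        """direction is 'c2s' for client commands, 's2c' for server replies."""
        if direction == "c2s":   # active mode: server (from port 20) dials the client
            m, announcer, dialer = PORT_RE.match(line), self.client_ip, self.server_ip
        else:                    # passive mode: client dials the server's data port
            m, announcer, dialer = PASV_RE.match(line), self.server_ip, self.client_ip
        if not m:
            return
        hp = decode_hostport(m.groups())
        # Anti-bounce check: the announced address must belong to the announcing side.
        if hp and hp[0] == announcer and hp[1] > 1023:
            self.expected.add((dialer, hp[0], hp[1]))

    def allow_data_syn(self, src_ip, dst_ip, dst_port):
        """Called for each new TCP connection attempt; True only for an expected one."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)   # one-shot: the pinhole closes once used
            return True
        return False
```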
