Introduction to firewall (2)

Source: Internet
Author: User

Firewall Architecture

1. Screening Router

A screening router can be a dedicated commercial device or a host acting as a router. The screening router is the only channel between the internal and external networks, so every packet must pass its checks. Packet filtering software working at the IP layer is installed on the router to perform the filtering. Many routers offer packet filtering configuration options, but these are generally fairly simple. The danger of a firewall consisting of a single screening router is that the router itself, and every host the router allows access to, are exposed. A further disadvantage of the screening router is that a compromised router is difficult to detect, and the router cannot distinguish between different users.

2. Dual-Homed Gateway

The dual-homed gateway uses a bastion host with two network interface cards (NICs) as the firewall; one NIC connects to the protected network and the other to the external network. The bastion host runs the firewall software, which forwards application traffic and provides services. Compared with a screening router, the system software of the dual-homed bastion host can maintain system logs, hardcopy logs, or remote logs. Its weakness is equally prominent, however: once an intruder compromises the bastion host and reduces it to a plain router, any user on the outside can reach the internal network at will.

3. Screened Host Gateway

A screened host gateway is easy to implement and secure. A bastion host is placed on the internal network, and filtering rules are set on the screening router so that the bastion host is the only host on the internal network that can be reached directly from the external network; this ensures that the internal network is not exposed to unauthorized external users. If the protected network is a single flat local network, that is, one with no subnets or routers of its own, changes within the internal network do not affect the configuration of the bastion host or the screening router. The zone of danger is confined to the bastion host and the screening router. The basic control policy of the gateway is determined by the software installed on the bastion host. If an attacker does manage to log on to it, the other hosts on the internal network are seriously threatened, which is the same situation as when a dual-homed gateway is compromised.

4. Screened Subnet

A screened subnet is an isolated subnet placed between the internal network and the external network. Two packet-filtering routers separate this subnet from the internal network and from the external network respectively. In many implementations the two filtering routers sit at the two ends of the subnet, forming an isolated zone (a DMZ) between them. Both the internal network and the external network can reach the screened subnet, but traffic is prohibited from passing straight through it from one network to the other. Some screened subnets also contain a bastion host as the only reachable point, supporting interactive terminal sessions or acting as an application gateway proxy. This configuration involves only the bastion host, the subnet hosts, and the routers that connect the internal network, the Internet and the screened subnet. An attacker who wants to disable the firewall completely would have to reconfigure the routers connecting all three networks without breaking connectivity, without locking himself out and without being discovered; this is possible, but hard. If network access to the routers is disabled, or allowed only from a few hosts on the internal network, the attack becomes much more difficult: the attacker would first have to compromise the bastion host, then a host on the internal network, and only then turn back to subvert the screening routers, all without triggering an alarm.


Basic firewall types

Today the market offers a wide variety of firewalls: some are software running on a general-purpose computer, others are firmware built into a router. In general they fall into three types: packet filtering firewalls, proxy servers, and stateful inspection (state monitoring) firewalls.

Packet Filtering Firewall (IP Filtering Firewall):

A packet filter selects packets at the network layer. It checks each packet in the data stream against pre-configured filtering logic and decides, based on the packet's source address, destination address and port, whether packets of that kind may pass. In a packet-switched network such as the Internet, all exchanged information is divided into packets of a certain length, each carrying the sender's and the recipient's IP address. When these packets are sent onto the Internet, routers read the recipient's IP address and choose a physical line on which to forward them. The packets may reach the destination over different routes, and when all of them have arrived they are reassembled there. A packet filtering firewall inspects the IP addresses in every packet and filters packets according to the rules specified by the system administrator. If the firewall marks an IP address as dangerous, all traffic from that address is blocked. This type of firewall is widely used; for example, the relevant national departments can use a packet filtering firewall to prevent domestic users from reaching foreign sites that violate the relevant regulations of China or are otherwise considered "problematic", such as www.playboy.com and www.cnn.com. The biggest advantage of the packet filtering router is that it is transparent to users: no user name or password is needed to log on. It is fast and easy to maintain, and usually forms the first line of defense. The packet filtering router also has obvious drawbacks. It generally keeps no record of individual users' activity, so an attacker's trail cannot be found in the access records. A pure packet filtering firewall is comparatively easy for attackers to defeat, and they have accumulated a great deal of experience at it.
"Information packet impact" is a common attack method against packet filters. The attacker sends a series of packets to the packet filtering firewall whose source IP addresses have been forged (fake IP) so as to run through a sequence of addresses; once a packet with a given address passes the firewall, the attacker can use that address to disguise the traffic that follows. In other cases the attacker uses a router attack program that sends forged routing information over the Routing Information Protocol (RIP), so that all packets are rerouted to a special address chosen by the intruder. Another technique used against such routers is "SYN flooding", which is in effect a network bomb. The attacker sends a large number of forged "synchronize" (SYN) request packets to the target computer; the server answers each one and then waits for a reply from the requester, which never comes. If no reply arrives within 45 seconds the request is cancelled, but while the server is busy handling tens of thousands of forged requests it has no time to serve legitimate users, and it ends up in a state resembling deadlock. Tedious configuration is a further disadvantage of the packet filtering firewall. It blocks outsiders from reaching the internal network, but it cannot tell you who is inside your system or who is out on the Internet: it can prevent external access to the private network but cannot record internal access. Another key weakness of packet filtering is that it cannot filter at the user level, that is, it cannot distinguish between different users or prevent IP address theft. In this sense a packet filtering firewall cannot be regarded as an absolutely secure system.
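The following is an added example, not code from the original article, showing the packet filtering described above as it would be applied on the two screening routers of the screened subnet from the architecture section. It models first-match rules with a default deny, and it makes the interface a packet arrived on part of the rule so that packets with forged internal source addresses (the "fake IP" problem above) are rejected at the outside interface. All addresses are constructed from documentation ranges: the internal network is 10.0.0.0/8, the screened subnet 192.0.2.0/24 with the bastion host at 192.0.2.10, and outside hosts live in 198.51.100.0/24; the rule names and the services chosen for the bastion are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (documentation ranges, not a real network):
#   internal network 10.0.0.0/8, screened subnet (DMZ) 192.0.2.0/24,
#   bastion host 192.0.2.10, outside hosts in 198.51.100.0/24.
INTERNAL = "10.0.0.0/8"
DMZ = "192.0.2.0/24"
BASTION = "192.0.2.10/32"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext", "dmz" or "int"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filtering rule; a None field matches anything."""
    action: str                  # "allow" or "deny"
    iface: Optional[str] = None
    src: Optional[str] = None    # CIDR
    dst: Optional[str] = None    # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny"


# Exterior router: between the Internet ("ext") and the screened subnet ("dmz").
EXTERIOR_RULES = [
    # Anti-spoofing: packets claiming internal or DMZ sources cannot arrive from outside.
    Rule("deny", iface="ext", src=INTERNAL, note="spoofed internal source"),
    Rule("deny", iface="ext", src=DMZ, note="spoofed DMZ source"),
    # Outside hosts may reach only the services terminated on the bastion host.
    Rule("allow", iface="ext", dst=BASTION, proto="tcp", dport=25, note="SMTP to bastion"),
    Rule("allow", iface="ext", dst=BASTION, proto="tcp", dport=80, note="HTTP to bastion"),
    # The bastion itself may originate traffic to the outside.
    Rule("allow", iface="dmz", src=BASTION, note="bastion outbound"),
]

# Interior router: between the screened subnet ("dmz") and the internal network ("int").
INTERIOR_RULES = [
    Rule("deny", iface="dmz", src=INTERNAL, note="spoofed internal source"),
    # Only the bastion may speak to the inside, and only to the internal mail relay.
    Rule("allow", iface="dmz", src=BASTION, dst=INTERNAL, proto="tcp", dport=25,
         note="bastion to mail relay"),
    # Internal hosts reach the outside world only through the bastion's proxy port.
    Rule("allow", iface="int", src=INTERNAL, dst=BASTION, proto="tcp", dport=8080,
         note="internal to proxy"),
]


def exterior(p: Packet) -> str:
    return filter_packet(EXTERIOR_RULES, p)[0]


def interior(p: Packet) -> str:
    return filter_packet(INTERIOR_RULES, p)[0]


if __name__ == "__main__":
    samples = [
        ("exterior", EXTERIOR_RULES, Packet("ext", "198.51.100.7", "192.0.2.10", "tcp", 25)),
        ("exterior", EXTERIOR_RULES, Packet("ext", "198.51.100.7", "10.0.0.5", "tcp", 25)),
        ("exterior", EXTERIOR_RULES, Packet("ext", "10.0.0.9", "192.0.2.10", "tcp", 25)),
        ("interior", INTERIOR_RULES, Packet("int", "10.0.0.5", "198.51.100.7", "tcp", 80)),
        ("interior", INTERIOR_RULES, Packet("int", "10.0.0.5", "192.0.2.10", "tcp", 8080)),
    ]
    for where, rules, pkt in samples:
        action, note = filter_packet(rules, pkt)
        print(f"{where}: {pkt.src} -> {pkt.dst}:{pkt.dport} via {pkt.iface}: {action} ({note})")
```

Note that neither rule set mentions a user: the filter decides on addresses, ports and interfaces alone, which is exactly the transparency the article praises and the user-level blindness it criticises. The anti-spoofing rules work because they bind a source range to the interface it can legitimately arrive on; a rule set that matched on addresses alone would accept a forged 10.0.0.9 source from the outside.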

Proxy Server:

Proxy servers are also called application-level firewalls. A packet filtering firewall can block unauthorized access by IP address, but it is not well suited to controlling how internal staff access external networks; for enterprises with that need, an application-level firewall is the better choice. A proxy service works by terminating the connection between the application layers of the computer systems inside and outside the firewall at the proxy, so that the communication consists of two separate connections; this isolates the systems inside the firewall from those outside. The proxy service is an application configured on the Internet firewall gateway; it represents a specific application or service that the network administrator permits or rejects, and it can also implement strong monitoring, filtering, logging and reporting of data flows. It is generally applied to specific Internet services such as Hypertext Transfer (HTTP) and remote file transfer (FTP). The proxy server usually has a cache holding the content of sites that users visit frequently, so that when the next user requests the same site the server does not have to fetch the same content again, saving both time and network resources.
The following is a brief introduction to the design and implementation of several kinds of proxy server:

1. Application Gateway Proxy

An application gateway proxy provides authorization checks and proxy services at the network application layer. When an external host attempts to access the protected network (for example over Telnet), it must first be authenticated by the firewall. Once identity authentication succeeds, the firewall runs a program written specifically for Telnet that connects the external host to the internal host, and in the process the firewall can restrict which hosts the user may access, at what times, and in what ways. Likewise, users on the protected network must log on to the firewall before they can use commands such as Telnet or FTP to reach the external network. The advantage of the application gateway proxy is that internal IP addresses can be hidden or authorized for a single user, so that even an attacker who steals a valid IP address cannot pass the strict identity authentication. The application gateway therefore provides higher security than packet filtering. However, the authentication makes the application gateway non-transparent: users are "questioned" every time they connect, which is a considerable inconvenience. In addition, this proxy technique requires a dedicated program for each application the gateway supports.
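As an added example (not code from the original article), the decision logic of an application gateway for the HTTP proxy case: the gateway authenticates the user from the Proxy-Authorization header, then restricts the destination host, the method and the time of day per user, and writes an audit line that names the user, which is exactly what the packet filter above cannot do. The user "alice", her password, the destination hosts, the fixed salt and the timestamps are all constructed fixtures; a real gateway would use a random per-user salt and its own credential store.

```python
import base64
import hashlib
import hmac
from datetime import datetime, time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed fixtures: a fixed salt and one hypothetical user "alice".
# A real gateway stores a random per-user salt; the fixed one keeps the demo reproducible.
SALT = b"constructed-demo-salt"


def derive_key(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS: Dict[str, dict] = {
    "alice": {
        "key": derive_key("s3cret-example"),               # constructed password
        "hosts": {"intranet.example", "mail.example"},      # hypothetical destinations
        "methods": {"GET", "CONNECT"},
        "hours": (time(8, 0), time(18, 0)),                 # permitted access window
    },
}

# Constructed timestamps used by the demo below.
BUSINESS_HOURS_SAMPLE = datetime(2024, 1, 15, 10, 0)
AFTER_HOURS_SAMPLE = datetime(2024, 1, 15, 23, 0)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a proxy request into method, target and a lower-cased header dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def target_host(method: str, target: str) -> str:
    """CONNECT carries host:port; other methods carry an absolute URI."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the user name if Proxy-Authorization carries valid Basic credentials."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    record = USERS.get(user)
    if record is None:
        return None
    return user if hmac.compare_digest(record["key"], derive_key(password)) else None


def decide(raw: str, now: datetime) -> dict:
    """Authenticate, then apply the user's host, method and time-of-day policy."""
    method, target, headers = parse_request(raw)
    host = target_host(method, target)
    user = authenticate(headers)
    if user is None:
        status, reason = 407, "authentication required"
    else:
        policy = USERS[user]
        start, end = policy["hours"]
        if method not in policy["methods"]:
            status, reason = 403, "method not permitted"
        elif host not in policy["hosts"]:
            status, reason = 403, "destination not permitted"
        elif not start <= now.time() <= end:
            status, reason = 403, "outside permitted hours"
        else:
            status, reason = 200, "allowed"
    # Unlike a packet filter, the gateway can log who asked for what.
    audit = f"{now.isoformat()} user={user or '-'} {method} {host} -> {status} ({reason})"
    return {"status": status, "user": user, "host": host, "reason": reason, "audit": audit}


def build_request(method: str, target: str, user: Optional[str] = None,
                  password: str = "") -> str:
    """Construct a raw proxy request, optionally with Basic credentials."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {target_host(method, target)}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    for req in (build_request("GET", "http://intranet.example/", "alice", "s3cret-example"),
                build_request("GET", "http://intranet.example/"),
                build_request("GET", "http://www.example.org/", "alice", "s3cret-example")):
        print(decide(req, BUSINESS_HOURS_SAMPLE)["audit"])
```

The 407 response is the "questioning" the article mentions: every connection carries credentials, so the gateway is not transparent, but in exchange a stolen IP address alone buys an attacker nothing and every audit line identifies a user rather than an address.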

2. Circuit-Level Proxy Server

A circuit-level proxy server is also called a general-purpose proxy server. It works with multiple protocols but cannot interpret application protocols, so the information it needs must be obtained in other ways; circuit-level proxies therefore usually require modified user programs. The Sockets server is a circuit-level proxy server; Sockets is an international standard at the network application layer. When a client on the protected network needs to communicate with the external network, the Sockets server on the firewall checks the client's user ID, source IP address and destination IP address and, once these are confirmed, establishes the connection to the external server. For users, the information exchange between the protected network and the external network is transparent and the firewall is invisible, because users on the protected network do not have to log on to the firewall. However, the application software on the client must support the "Socketsified API". The IP address that users on the protected network present to the public network is the firewall's own address.

3. Managed Servers

The managed server technique puts insecure services such as FTP and Telnet on the firewall itself, so that the firewall also acts as the server answering external requests. Compared with the application-layer proxy implementation, the managed server technique does not require a program to be written for each service. In addition, when users on the protected network want to reach the external network, they must first log on to the firewall and then send their request from there. In this way only the firewall is visible from the external network, which hides internal addresses and improves security.

4. IP Tunnels

If two subsidiaries of a company are far apart and communicate over the Internet, IP tunnels can be used to prevent attackers from intercepting the information in transit, thus forming a virtual enterprise network on top of the Internet.

5. Network Address Translator (NAT)

When a protected network is connected to the Internet, a valid (globally routable) IP address is required to access it. Valid Internet IP addresses are scarce, however, and the protected network usually has its own internal addressing plan. A network address translator attaches a pool of valid IP addresses to the firewall: when an internal user wants to access the Internet, the firewall selects an unallocated address from the pool and assigns it to that user, who then uses this legal address to reach the Internet.
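The following is an added example, not code from the original article, of the address-pool translation just described: one valid address is lent to each active internal host (one-to-one NAT, not the port-based variant), outbound packets have their source rewritten, replies to a lent address are mapped back, and two failure modes are handled explicitly: an exhausted pool drops the new flow, and inbound traffic to a pool address that is not currently lent is unsolicited and dropped. All addresses are constructed from documentation ranges.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


class AddressPoolNAT:
    """One-to-one NAT: each active internal host borrows one valid address from the pool."""

    def __init__(self, pool: List[str]):
        self.free: Deque[str] = deque(pool)          # unallocated valid addresses
        self.inside_to_outside: Dict[str, str] = {}
        self.outside_to_inside: Dict[str, str] = {}

    def translate_outbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Internal host src -> Internet host dst. Returns the rewritten (src, dst),
        or None when the pool is exhausted and the packet has to be dropped."""
        outside = self.inside_to_outside.get(src)
        if outside is None:
            if not self.free:
                return None
            outside = self.free.popleft()
            self.inside_to_outside[src] = outside
            self.outside_to_inside[outside] = src
        return outside, dst

    def translate_inbound(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Internet host src -> pool address dst. Only addresses currently lent to an
        internal host are translated; anything else is unsolicited and dropped."""
        inside = self.outside_to_inside.get(dst)
        if inside is None:
            return None
        return src, inside

    def release(self, src: str) -> bool:
        """Return the internal host's borrowed address to the pool."""
        outside = self.inside_to_outside.pop(src, None)
        if outside is None:
            return False
        del self.outside_to_inside[outside]
        self.free.append(outside)
        return True


def demo() -> List[Optional[Tuple[str, str]]]:
    """Walk three internal hosts through a two-address pool (constructed addresses)."""
    nat = AddressPoolNAT(["203.0.113.1", "203.0.113.2"])    # documentation range
    results = [
        nat.translate_outbound("10.0.0.5", "198.51.100.7"),    # lends 203.0.113.1
        nat.translate_outbound("10.0.0.6", "198.51.100.7"),    # lends 203.0.113.2
        nat.translate_outbound("10.0.0.7", "198.51.100.7"),    # pool exhausted: None
        nat.translate_inbound("198.51.100.7", "203.0.113.1"),  # reply mapped to 10.0.0.5
        nat.translate_inbound("198.51.100.7", "203.0.113.9"),  # never lent: dropped
    ]
    nat.release("10.0.0.5")
    results.append(nat.translate_outbound("10.0.0.7", "198.51.100.7"))  # now gets 203.0.113.1
    return results


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Because the outside only ever sees pool addresses, the internal addressing plan stays hidden; the trade-off of one-to-one translation is that the pool size caps the number of internal hosts that can be on the Internet at once, which is why releasing idle mappings matters.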
