With the rapid development of computer network technology, network security problems have become increasingly prominent for every kind of user. According to data collected by the author, nearly 20% of Internet users have been attacked by hackers. Although hackers are this active, network security still receives too little attention: many users believe the problem is far away from them, and more than 40% of users, enterprise users in particular, have not installed a firewall. The incidents keep proving the same point: a large share of successful intrusions are possible because no firewall was installed, or it was installed incorrectly.
Concept and Function of the Firewall
The original meaning of "firewall" is the wall built between houses in earlier times to stop a fire spreading from one house to the next. The firewall discussed here is not a physical wall but a defensive system placed between the local network and the external network; the term covers that whole class of protective measures. A firewall on the Internet is a very effective security model: it separates a risky area (the Internet, or any network with a certain level of risk) from a secure area (the LAN) without stopping the secure area from reaching the risky one. By inspecting inbound and outbound traffic it does what would otherwise seem impossible: it lets only approved, safe information through while blocking data that threatens the enterprise. As security errors and defects become more common, intrusions come not only from sophisticated attack techniques but also from low-level configuration mistakes and poor password choices. The role of the firewall is therefore to stop unwanted and unauthorized communication from entering or leaving the protected network, and in doing so it forces the organization to tighten its network security policy. In general a firewall can achieve four goals: first, restrict outside access to the internal network, filtering out insecure services and illegitimate users; second, keep intruders away from the other defensive facilities; third, restrict which special sites users may visit; fourth, make monitoring of Internet security convenient. Because a firewall depends on a well-defined network boundary and a known set of services, it suits relatively independent and concentrated networks such as an intranet.

Firewalls are now a very popular way of controlling access to network systems. In fact more than a third of the Web sites on the Internet are protected by some form of firewall, which remains the strictest and most secure obstacle a hacker faces; any critical server should be placed behind one.
Firewall Architecture and Working Methods
A firewall makes your network plan clearer and comprehensively prevents access that exceeds a user's permissions (the first thing some people try after logging on is to go beyond the limits of their permissions). Without a firewall you may receive many reports such as these: the organization's internal financial reports have just been exposed and are circulating in thousands of e-mails, or a user's personal home page has been maliciously redirected to Playboy, while the link on the report page points to yet another pornographic site. A complete firewall system is usually composed of a screening router and a proxy server. A screening router is a multi-port IP router that checks each incoming IP packet against a set of rules to decide whether to forward it. It takes the information it needs from the packet headers, such as the protocol number, the source and destination IP addresses and port numbers, the connection flags and other IP options, and filters the IP packets on that basis. A proxy server is a server process on the firewall that performs specific TCP/IP functions on behalf of network users; it is essentially an application-layer gateway, a gateway that joins two networks for one particular network application. When a user works with a TCP/IP application such as telnet or FTP, the proxy server asks the user for the name of the remote host to be reached. Once the user replies and supplies correct identity and authentication information, the proxy server connects to the remote host and acts as a relay between the two communicating endpoints. The whole process can be completely transparent to the user. The identity and authentication information supports user-level authentication; in the simplest case it consists of a user ID and a password. If the firewall itself is reachable from the Internet, however, a stronger authentication mechanism is recommended, such as one-time passwords or a challenge-response system.
The biggest advantage of a screening router is its simple architecture and low hardware cost. Its disadvantages are that packet filtering rules are difficult to write correctly, the router is costly to manage, and it offers no user-level authentication. Fortunately router manufacturers have recognised these problems and begun to address them: they are developing graphical interfaces for editing packet filtering rules and a standard user-level authentication protocol, the Remote Authentication Dial-In User Service (RADIUS).
A proxy server has the advantages of user-level authentication, logging and accounting. Its disadvantage follows from the fact that, to provide comprehensive protection, an application-layer gateway has to be built for every service. This severely limits how quickly new applications can be adopted.
A screening router and a proxy server are usually combined into a hybrid system, in which the screening router's main job is to defeat IP spoofing attacks. The most widely used configurations are the dual-homed gateway firewall, the screened host firewall and the screened subnet firewall.
Setting up a firewall generally costs thousands or even tens of thousands of dollars, and the firewall needs to run on a dedicated computer. A user who connects a single computer to the Internet therefore gains little from a dedicated firewall, and the cost is hard to justify. Today the focus of firewall technology is the protection of large networks made up of many computers, which are also the targets of real interest to expert hackers. A firewall may be a simple filter or a carefully configured gateway, but they all work in the same way: they monitor and filter all information passing to and from the external network, protect internal sensitive data from theft and destruction, and record the time and nature of each communication. A new generation of firewalls can even prevent insiders from deliberately sending sensitive data to the outside world. When an organization connects its local network to the Internet, it certainly does not want people all over the world to read its payroll, its documents or its staff databases at will; and even inside the organization data can be attacked, for example by a skilled computer user who modifies the payroll or the financial reports. Once a firewall is in place, the administrator can allow internal staff to use e-mail, browse the Web and transfer files while denying all external access to the organization's internal computers, and can also block access between different departments. Placing a local network behind a firewall shields it from outside attack. A firewall is usually special software running on a separate computer that identifies and blocks illegitimate requests. Take a Web proxy server as an example: every request is handled indirectly through the proxy. Unlike an ordinary proxy it does not simply forward the request; it verifies the identity of the sender, the destination and the content of the request, and only if everything meets the policy is the request approved and passed to the real Web server. When the real Web server has processed the request it does not answer the requester directly but returns the result to the proxy, which checks whether the result violates the security rules; only once the result passes is it sent on to the requester.
Firewall Architectures
1. Screening router
A screening router can be a dedicated product from a manufacturer or an ordinary host. It serves as the only channel between the internal and external networks, so every packet has to pass its inspection. Packet filtering software working at the IP layer is installed on the router to implement the filtering. Many routers have packet filtering options built in, but these are usually quite simple. The danger of a firewall that consists only of a screening router is that both the router itself and the hosts it allows access to are exposed. Its further disadvantages are that an attack is hard to detect afterwards and that it cannot distinguish between users.
2. Dual-homed gateway
A dual-homed gateway uses a bastion host with two network interface cards as the firewall; one card is connected to the protected network and the other to the external network. The bastion host runs the firewall software, which can forward application traffic and provide services. Compared with a screening router, the bastion host's system software can maintain system logs, hard-copy logs or remote logs. Its weakness is equally prominent: once an intruder compromises the bastion host and reduces it to a plain router (that is, turns on IP forwarding between the two interfaces), any user on the Internet can reach the intranet at will.
3. Screened host gateway
A screened host gateway is easy to implement and secure. A bastion host sits on the internal network, and filtering rules on the router make the bastion host the only host that can be reached directly from the external network, which ensures that the internal network is not attacked by unauthorized outside users. If the protected network is a flat, virtually extended local network, that is, one with no subnets or internal routers, then changes inside the intranet do not affect the configuration of the bastion host or the screening router. The danger zone is confined to the bastion host and the screening router. The gateway's basic control policy is determined by the software installed on it; if an attacker manages to log on to it, the other hosts in the intranet are seriously threatened, the same situation as when a dual-homed gateway is compromised.
4. Screened subnet
A screened subnet is an isolated subnet placed between the internal and external networks, separated from each by a packet filtering router. In many implementations the two filtering routers sit at the two ends of the subnet, and a DNS server is placed inside it. Both the internal and the external network can reach the screened subnet, but direct traffic across the subnet between the two is prohibited. Some screened subnets also contain a bastion host as the only accessible point, supporting interactive terminal sessions or acting as an application gateway proxy. This configuration involves only the bastion host, the hosts in the subnet and the screening routers that connect the intranet, the Internet and the subnet. To defeat the firewall completely an attacker would have to reconfigure the routers connected to all three networks without cutting any connection, without locking himself out and without being noticed; this is possible, but if network access to the routers is disabled, or restricted to a few hosts in the intranet, the attack becomes very difficult. The attacker would then have to break into the bastion host first, move from there into an intranet host, and come back to subvert the screening router, all without triggering an alarm.
Basic Firewall Types
The market today offers many kinds of firewall: software running on a general-purpose computer, or firmware built into a router. Broadly they fall into three types: the packet filtering firewall, the proxy server, and stateful inspection.
Packet filtering firewall (IP filtering firewall):
A packet filter selects packets at the network layer. It checks every packet in the data stream against a pre-configured filtering logic and decides, from the packet's source address, destination address and port, whether packets of that kind may pass. In a packet-switched network such as the Internet all exchanged information is divided into packets of bounded length, each carrying the sender's and the recipient's IP address. When the packets are sent onto the Internet, routers read the recipient's address and choose a physical line on which to forward them; the packets may travel by different routes and are reassembled at the destination once they all arrive. The packet filtering firewall inspects the addresses in every packet and filters according to the rules laid down by the system administrator: if the firewall marks an IP address as dangerous, all traffic from that address is blocked. This kind of firewall is widely used. For example, the relevant national departments can use packet filtering firewalls to stop domestic users from reaching foreign sites that violate Chinese regulations or are otherwise "problematic", such as www.playboy.com and www.cnn.com. The biggest advantage of the packet filtering router is that it is transparent to users: no user name or password is needed to log on. It is fast and easy to maintain, and usually forms the first line of defence.

The packet filtering router also has obvious drawbacks. It normally keeps no record of who used it, so an intruder cannot be traced from the access logs. Attacking a pure packet filtering firewall is comparatively easy for hackers, who have accumulated a great deal of experience here. "Packet flooding" is a common technique: the hacker sends a stream of packets at the filter whose source addresses have been forged (fake IPs), a run of consecutive addresses; as soon as one packet gets through, the hacker can use that address to disguise everything he sends afterwards. In other cases the hacker uses a home-made router attack program that exploits the Routing Information Protocol (RIP) to send forged routing information, so that all packets are rerouted to an address of the intruder's choosing. Another technique aimed at such routers is the "SYN flood", effectively a network bomb: the attacker sends the target computer large numbers of forged connection requests (SYN packets). The server answers each one and then waits for the requester's reply, which never comes. If no reply arrives within 45 seconds the request is cancelled, but while the server is dealing with tens of thousands of bogus requests it has no time for legitimate users, and it behaves much as if it were deadlocked. Cumbersome configuration is another disadvantage of packet filtering. The filter keeps outsiders out of the internal network, but it does not tell you who is inside your system or who on the Internet is talking to it; it can prevent access to the private network from outside but cannot record access from inside. A further key weakness is that filtering cannot be done at the user level: the filter cannot identify individual users and cannot prevent IP address theft. A packet filtering firewall is therefore, in a certain sense, far from an absolutely secure system.
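As an added example (not code from the article), here is a stateless packet filter in Python of the kind the screening router described above implements: first-match rules over arrival interface, protocol, addresses and ports, with a default deny at the end. The interface names ext0 and int0, the 10.0.0.0/8 internal range, the published mail and web servers, the forbidden 203.0.113.0/24 site and the sample packets are all assumptions made for illustration. It also makes one weakness concrete that the text only hints at: a stateless filter has no notion of a "reply", so letting web responses back in means trusting the source port, which any outside host can set to whatever it likes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional

INTERNAL = ip_network("10.0.0.0/8")          # assumed internal address space
BLOCKED_SITE = ip_network("203.0.113.0/24")  # assumed forbidden destination

@dataclass(frozen=True)
class Packet:
    iface: str    # interface of arrival: "ext0" (Internet side) or "int0" (LAN side)
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None means "any" for this and every field below
    proto: Optional[str] = None
    src: Optional[IPv4Network] = None
    sport: Optional[int] = None
    dst: Optional[IPv4Network] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in self.src)
                and (self.sport is None or self.sport == p.sport)
                and (self.dst is None or ip_address(p.dst) in self.dst)
                and (self.dport is None or self.dport == p.dport))

RULES: List[Rule] = [   # constructed policy; order matters, first match wins
    Rule("deny", iface="ext0", src=INTERNAL, note="anti-spoofing: internal source arriving from outside"),
    Rule("deny", iface="int0", dst=BLOCKED_SITE, note="forbidden destination"),
    Rule("allow", iface="ext0", proto="tcp", dst=ip_network("10.1.1.25/32"), dport=25, note="SMTP to mail relay"),
    Rule("allow", iface="ext0", proto="tcp", dst=ip_network("10.1.1.80/32"), dport=80, note="HTTP to web server"),
    # A stateless filter cannot recognise replies, so to let web responses back in
    # it has to trust the source port, which an outside host chooses freely.
    Rule("allow", iface="ext0", proto="tcp", sport=80, dst=INTERNAL, note="web replies (stateless)"),
    Rule("allow", iface="int0", proto="tcp", src=INTERNAL, dport=80, note="outbound HTTP"),
    Rule("allow", iface="int0", proto="tcp", src=INTERNAL, dport=443, note="outbound HTTPS"),
]

def decide(p: Packet, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule; anything unmatched is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

SAMPLE = {   # constructed packets; 198.51.100.x are outside hosts
    "spoofed":        Packet("ext0", "tcp", "10.5.5.5", 1234, "10.1.1.80", 80),
    "inbound_web":    Packet("ext0", "tcp", "198.51.100.7", 40000, "10.1.1.80", 80),
    "outbound_https": Packet("int0", "tcp", "10.2.2.2", 50000, "198.51.100.7", 443),
    "blocked_site":   Packet("int0", "tcp", "10.2.2.2", 50001, "203.0.113.9", 80),
    "fake_reply":     Packet("ext0", "tcp", "198.51.100.7", 80, "10.2.2.2", 22),   # gets through
    "inbound_ssh":    Packet("ext0", "tcp", "198.51.100.7", 40001, "10.2.2.2", 22), # default deny
}

def evaluate(samples=SAMPLE) -> dict:
    """Run every sample packet through the rule set and collect the verdicts."""
    return {name: decide(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:15} {verdict}")
```

The "fake_reply" packet is the point of the exercise: it is an SSH probe that reaches an internal host only because its source port is 80, and no stateless rule can tell it apart from a genuine web response. Closing that hole is exactly what stateful inspection, discussed later in this article, adds.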
Proxy server:
Proxy servers are also called application-level firewalls. A packet filtering firewall can block unauthorized access by IP address, but it is not well suited to controlling how internal staff reach external networks; for an enterprise with that need the application-level firewall is the better choice. In a proxy service the application-layer link between a computer inside the firewall and one outside is realised as two separate connections, each terminating at the proxy, which is what isolates the two systems from one another. The proxy service is an application installed on the Internet firewall gateway; it is the specific application or service that the network administrator allows or denies, and at the same time it can perform strong monitoring, filtering, logging and reporting of the data flow. Typically it applies to particular Internet services such as Hypertext Transfer (HTTP) and remote file transfer (FTP). A proxy server usually keeps a cache of content from the sites users visit most often; when the next user asks for the same site the server does not have to fetch the same content again, which saves both time and network resources.
Several proxy server designs and their implementation are briefly introduced below:
1. Application gateway proxy
An application gateway proxy provides authorization checks and proxy services at the application layer. When an outside host tries to reach a protected network (with telnet, for example), it must first authenticate to the firewall. Once authenticated, the firewall runs a program written specifically for telnet to connect the external host to the internal one, and during that session it can restrict which hosts the user may reach, when, and how. In the same way, users inside the protected network must log on to the firewall before they can use commands such as telnet or FTP to reach the external network. The advantage of the application gateway proxy is that internal IP addresses can be hidden or authorized to individual users, so that even an attacker who steals a valid IP address still cannot pass the strict identity check. The application gateway therefore offers higher security than packet filtering. The price is that the authentication makes the gateway non-transparent: users are "questioned" every time they connect, which is inconvenient, and a dedicated program has to be written for every application the gateway handles.
2. Circuit-level proxy server
A circuit-level proxy server, also called a general-purpose proxy, works with many protocols but cannot interpret the application protocol itself, so the information it needs has to be obtained another way; circuit-level proxies therefore usually require modified client programs. A SOCKS server is a circuit-level proxy; SOCKS is a standard protocol at the network application layer. When a client on the protected network wants to talk to the external network, the SOCKS server on the firewall checks the client's user ID, source IP address and destination IP address, and once these are confirmed it opens a connection to the external server. To the user the exchange between the protected network and the outside is transparent and the firewall is invisible, because users on the protected network never log on to the firewall itself; however, the client application must support a "SOCKS-ified" API. Traffic from users on the protected network reaches the public network carrying the firewall's IP address as its source.
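The check the SOCKS server performs can be shown concretely. The following is an added example in Python, not code from the article or from any SOCKS implementation: it parses a SOCKS4 CONNECT request (version byte, command, destination port and address, user ID terminated by NUL), applies a policy of permitted users, client networks, forbidden destinations and ports, and builds the SOCKS4 reply (code 90 granted, 91 rejected). The policy contents, the addresses and the sample requests are assumptions. One caveat the text glosses over: the SOCKS4 user ID is simply asserted by the client and never verified, so the "confirmation" is only as strong as the surrounding controls, which is why the example also checks that the client really sits on the protected network.

```python
import struct
from ipaddress import ip_address, ip_network
from typing import Tuple

GRANTED, REJECTED = 90, 91   # SOCKS4 reply codes

POLICY = {   # constructed policy: who may connect where through the firewall
    "users": {"alice", "bob"},                       # client-asserted, not authenticated
    "client_nets": [ip_network("10.0.0.0/8")],       # the protected network
    "denied_dsts": [ip_network("203.0.113.0/24")],   # forbidden destinations
    "ports": {80, 443},                              # permitted destination ports
}

def parse_connect(req: bytes) -> Tuple[int, str, int, str]:
    """Parse a SOCKS4 request: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL."""
    if len(req) < 9 or req[0] != 4:
        raise ValueError("not a SOCKS4 request")
    cd, dstport = struct.unpack("!BH", req[1:4])
    dstip = str(ip_address(req[4:8]))
    end = req.index(b"\x00", 8)             # ValueError if the terminating NUL is missing
    userid = req[8:end].decode("ascii", "replace")
    return cd, dstip, dstport, userid

def reply(code: int, dstport: int, dstip: str) -> bytes:
    """SOCKS4 reply: VN=0, CD, then the destination port and address echoed back."""
    return struct.pack("!BBH", 0, code, dstport) + ip_address(dstip).packed

def handle(req: bytes, client_ip: str, policy=POLICY) -> Tuple[str, bytes]:
    """Decide one CONNECT request arriving at the firewall: (reason, reply bytes)."""
    try:
        cd, dstip, dstport, userid = parse_connect(req)
    except ValueError:
        return "malformed", reply(REJECTED, 0, "0.0.0.0")
    if cd != 1:
        return "only CONNECT supported", reply(REJECTED, dstport, dstip)
    if userid not in policy["users"]:
        return f"unknown user {userid!r}", reply(REJECTED, dstport, dstip)
    if not any(ip_address(client_ip) in n for n in policy["client_nets"]):
        return "client not on protected network", reply(REJECTED, dstport, dstip)
    if any(ip_address(dstip) in n for n in policy["denied_dsts"]):
        return "destination forbidden", reply(REJECTED, dstport, dstip)
    if dstport not in policy["ports"]:
        return "port not permitted", reply(REJECTED, dstport, dstip)
    # A real server would now open the outbound TCP connection to dstip:dstport
    # from the firewall's own address and relay bytes in both directions.
    return "granted", reply(GRANTED, dstport, dstip)

def connect_request(user: str, dstip: str, dstport: int) -> bytes:
    """Build the client's side of the exchange (constructed input for testing)."""
    return (b"\x04\x01" + struct.pack("!H", dstport)
            + ip_address(dstip).packed + user.encode("ascii") + b"\x00")

if __name__ == "__main__":
    for user, dst, port, client in [("alice", "198.51.100.7", 80, "10.2.2.2"),
                                    ("mallory", "198.51.100.7", 80, "10.2.2.2"),
                                    ("alice", "203.0.113.9", 80, "10.2.2.2"),
                                    ("alice", "198.51.100.7", 80, "198.51.100.9")]:
        reason, rep = handle(connect_request(user, dst, port), client)
        print(f"{user:8} -> {dst}:{port} from {client:14} {reason} {rep.hex()}")
```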
3. Hosted services
Hosting means placing insecure services such as FTP and telnet on the firewall itself, so that the firewall also acts as the server that answers external requests. Compared with an application-layer proxy, hosting does not require a program to be written for each service. When users on the protected network want to reach the external network they still log on to the firewall first and send their requests from there, so only the firewall is visible from outside; the internal addresses stay hidden and security improves.
4. IP tunnels
If two branches of a company are far apart and communicate over the Internet, IP tunnels can be used to stop hackers intercepting the traffic on the Internet, forming a virtual enterprise network over the Internet (a virtual private network).
5. Network address translator (NAT)
When a protected network is connected to the Internet it must use legal IP addresses to reach it, but legal Internet addresses are scarce, and the protected network usually has an address plan of its own. A network address translator attaches a set of legal addresses to the firewall. When an internal user wants to reach the Internet, the firewall picks an unallocated address from the set and assigns it to that user, who then communicates with that legal address. For internal servers such as a Web server, the translator can assign a fixed legal address so that users on the external network can reach the internal server through the firewall. The technique not only eases the conflict between the small number of legal addresses and the large number of hosts, but also hides the addresses of internal hosts and so improves security.
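An added example in Python, not the article's code, of the translator described above: a pool of legal addresses leased one-to-one to internal clients on demand, fixed mappings for published servers, and the reverse lookup used to deliver inbound packets. The addresses, the pool size and the hosts are constructed for illustration. It also shows two cases the text does not spell out: what the firewall must do when the pool is exhausted (drop the packet, since there is no address to use), and that an address returned to the pool will deliver any later inbound packets to whichever host next leases it, which is why a translator should keep released addresses quarantined for a while.

```python
from typing import Dict, List, Optional

class AddressTranslator:
    """Basic one-to-one NAT: public addresses leased from a pool to internal
    clients, plus permanent mappings for internal servers that must be reachable."""

    def __init__(self, pool: List[str], static: Dict[str, str]):
        self.free = list(pool)              # unallocated legal addresses
        self.static = dict(static)          # internal -> public, permanent
        self.leased: Dict[str, str] = {}    # internal -> public, dynamic
        # public -> internal, used for inbound packets; seeded with the static maps
        self.reverse: Dict[str, str] = {pub: internal for internal, pub in static.items()}

    def translate_outbound(self, internal_src: str) -> Optional[str]:
        """Rewrite the source of a packet leaving the protected network.
        Returns None when no legal address is available (the packet is dropped)."""
        if internal_src in self.static:
            return self.static[internal_src]
        if internal_src not in self.leased:
            if not self.free:
                return None                 # pool exhausted
            public = self.free.pop(0)
            self.leased[internal_src] = public
            self.reverse[public] = internal_src
        return self.leased[internal_src]

    def translate_inbound(self, public_dst: str) -> Optional[str]:
        """Rewrite the destination of a packet arriving from the Internet.
        A public address with no mapping reaches nothing: internal hosts that
        have not spoken out, or have no static mapping, are invisible."""
        return self.reverse.get(public_dst)

    def release(self, internal_src: str) -> None:
        """Return a dynamic lease to the pool, e.g. when the session times out."""
        public = self.leased.pop(internal_src, None)
        if public is not None:
            del self.reverse[public]
            self.free.append(public)

def demo() -> dict:
    """Constructed scenario: two-address pool, one published web server."""
    nat = AddressTranslator(pool=["198.51.100.10", "198.51.100.11"],
                            static={"10.1.1.80": "198.51.100.80"})
    out = {}
    out["client_a"] = nat.translate_outbound("10.2.2.2")        # first lease from the pool
    out["client_a_again"] = nat.translate_outbound("10.2.2.2")  # same lease reused
    out["client_b"] = nat.translate_outbound("10.2.2.3")        # second and last address
    out["client_c"] = nat.translate_outbound("10.2.2.4")        # None: pool exhausted
    out["server_out"] = nat.translate_outbound("10.1.1.80")     # static, never consumes the pool
    out["web_server"] = nat.translate_inbound("198.51.100.80")  # reachable via the fixed map
    out["reply_to_a"] = nat.translate_inbound("198.51.100.10")  # delivered while leased
    out["unmapped"] = nat.translate_inbound("198.51.100.12")    # None: nothing behind it
    nat.release("10.2.2.2")
    out["client_c_after_release"] = nat.translate_outbound("10.2.2.4")
    out["stale_reply_to_a"] = nat.translate_inbound("198.51.100.10")  # now lands on client c
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```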
6. Split domain name server
This technique uses the firewall to separate the protected network's domain name server from the external one, so that the external DNS sees only the firewall's IP address and learns nothing about the layout of the protected network; the protected network's addresses therefore remain unknown to the outside.
7. Mail forwarding
When the firewall uses the techniques above so that the external network knows only the firewall's IP address and domain name, mail from the external network can only be addressed to the firewall. The firewall then inspects each message, and only if the sending host is one that is allowed to pass does the firewall rewrite the destination address and forward the message to the internal mail server.
The proxy server stands between internal and external users like a real wall. In particular, outside visitors see only the proxy server and none of the internal resources, such as users' IP addresses, while internal users are unaware that the firewall exists and can access sites freely. A proxy provides excellent access control, logging and address translation, and records the traffic crossing the firewall in both directions so that administrators can monitor and manage the system. It also has shortcomings, chiefly that it slows network access: it does not let users reach the network directly, the proxy must process all inbound and outbound traffic, and every new media application requires the proxy to be configured. While designing a set of office application software I struggled with the proxy server for a long time, and as a result the problems of setup and fault tolerance were temporarily shelved.
8. Stateful inspection:
Stateful inspection is the best security feature of firewall technology. It uses a software engine, called the inspection module, that enforces the network security policy on the gateway. Without disturbing normal network operation, the inspection module monitors communication at every layer of the network, extracting the relevant data, the state information, and storing it dynamically as a reference for later security decisions. The module supports many protocols and applications and can easily be extended to new ones. Unlike other security solutions, the stateful inspector extracts and analyses data before the traffic reaches the gateway's operating system, and accepts, rejects, authenticates or encrypts the communication according to the network configuration and security rules. As soon as an access violates the rules, a security alarm rejects it and reports the network status to the system manager. A further advantage is that it can track the port information of protocols of the remote procedure call (RPC) and User Datagram Protocol (UDP) kind. There are problems too: configuring a stateful inspector is very complex, and it slows the network down.
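To show what "state information" buys over a plain packet filter, here is an added example in Python (not the article's code or any product's): a TCP connection table that admits a packet only when it fits the state of a connection the firewall has already seen, so a forged "reply" with a plausible source port is dropped, combined with the half-open tracking that detects the SYN flood described in the packet filtering section, including the 45-second cancellation of unanswered requests mentioned there. The published service, the per-source half-open limit of 100, the addresses and the traffic are all constructed; the state machine covers the SYN, SYN-ACK, ACK handshake and close or reset, not every TCP corner case.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class TcpPkt:
    t: float        # arrival time in seconds
    direction: str  # "out" = sent from the protected network, "in" = from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S", "SA", "A", "FA", "R"

Key = Tuple[str, int, str, int]   # (initiator ip, port, responder ip, port)

class StatefulFilter:
    def __init__(self, services: Set[Tuple[str, int]],
                 half_open_limit: int = 100, half_open_timeout: float = 45.0):
        self.services = services            # (ip, port) pairs outsiders may open
        self.limit = half_open_limit        # half-open connections allowed per outside source
        self.timeout = half_open_timeout    # seconds before an unanswered SYN is cancelled
        self.table: Dict[Key, str] = {}     # connection -> "SYN" | "SYN_ACK" | "ESTABLISHED"
        self.opened: Dict[Key, Tuple[float, Optional[str]]] = {}  # half-open -> (t0, outside src)
        self.half_open_by_src: Dict[str, int] = defaultdict(int)
        self.alerts: Dict[str, float] = {}  # flooding source -> time first flagged

    def _lookup(self, p: TcpPkt):
        fwd = (p.src, p.sport, p.dst, p.dport)   # packet sent by the initiator
        rev = (p.dst, p.dport, p.src, p.sport)   # packet sent by the responder
        if fwd in self.table:
            return fwd, "fwd"
        if rev in self.table:
            return rev, "rev"
        return None, None

    def _finish_half_open(self, k: Key) -> None:
        _, outside = self.opened.pop(k, (None, None))
        if outside is not None:
            self.half_open_by_src[outside] -= 1

    def _expire(self, now: float) -> None:
        for k, (t0, _) in list(self.opened.items()):
            if now - t0 > self.timeout:     # handshake never completed: cancel it
                self._finish_half_open(k)
                self.table.pop(k, None)

    def process(self, p: TcpPkt) -> str:
        self._expire(p.t)
        k, orient = self._lookup(p)
        if k is None:                           # no connection state for this packet
            if p.flags != "S":
                return "deny"                   # a "reply" nobody asked for
            if p.direction == "in":
                if (p.dst, p.dport) not in self.services:
                    return "deny"               # not a published service
                if self.half_open_by_src[p.src] >= self.limit:
                    self.alerts.setdefault(p.src, p.t)   # SYN flood suspected
                    return "deny"
            k = (p.src, p.sport, p.dst, p.dport)
            self.table[k] = "SYN"
            outside = p.src if p.direction == "in" else None
            self.opened[k] = (p.t, outside)
            if outside is not None:
                self.half_open_by_src[outside] += 1
            return "allow"
        state = self.table[k]
        if state == "SYN" and orient == "rev" and p.flags == "SA":
            self.table[k] = "SYN_ACK"
            return "allow"
        if state == "SYN_ACK" and orient == "fwd" and "A" in p.flags:
            self.table[k] = "ESTABLISHED"       # handshake complete, no longer half-open
            self._finish_half_open(k)
            return "allow"
        if state == "ESTABLISHED":
            if "F" in p.flags or "R" in p.flags:
                del self.table[k]               # closed or reset
            return "allow"
        return "deny"                           # does not fit the connection's state

def simulate() -> dict:
    fw = StatefulFilter(services={("10.1.1.80", 80)})
    out = {}
    c = ("10.2.2.2", 50000, "198.51.100.7", 443)   # a normal outbound HTTPS session
    session = [TcpPkt(0.0, "out", *c, "S"),
               TcpPkt(0.1, "in", c[2], c[3], c[0], c[1], "SA"),
               TcpPkt(0.2, "out", *c, "A"),
               TcpPkt(0.3, "in", c[2], c[3], c[0], c[1], "A"),
               TcpPkt(0.4, "out", *c, "FA")]
    out["session_allowed"] = sum(fw.process(p) == "allow" for p in session)
    # Source port 80 but no matching connection: the stateless filter's blind spot, closed here.
    out["forged_reply"] = fw.process(TcpPkt(1.0, "in", "198.51.100.7", 80, "10.2.2.2", 22, "A"))
    flood = [fw.process(TcpPkt(2.0 + i / 100, "in", "203.0.113.9", 1024 + i, "10.1.1.80", 80, "S"))
             for i in range(150)]               # 150 SYNs to the web server, never completed
    out["flood_allowed"], out["flood_denied"] = flood.count("allow"), flood.count("deny")
    out["alerts"] = len(fw.alerts)
    out["other_client"] = fw.process(TcpPkt(4.0, "in", "198.51.100.20", 40000, "10.1.1.80", 80, "S"))
    out["after_timeout"] = fw.process(TcpPkt(60.0, "in", "203.0.113.9", 2000, "10.1.1.80", 80, "S"))
    return out
```

The flood is throttled per source rather than globally so that a legitimate client from another address still gets through while the attack is under way, and once the unanswered handshakes have aged past the timeout the offending source is allowed to try again; a production inspector would also apply a global half-open ceiling, since a flood with spoofed source addresses defeats any per-source count.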
Firewalls are now widely used on the Internet, and because they are not confined to the characteristics of the TCP/IP protocol they are increasingly active outside the Internet as well. Objectively, a firewall is no panacea for network security problems; it is only one component of a network security policy and strategy. However, I believe that by understanding firewall technology and learning to apply it in practice, every user will benefit in the network life of the new century.