Introduction to the main firewall products

Source: Internet
Author: User

Information security has always been a key topic in computing. Today, as computer networks expand and become more widespread, the demand for information security is higher and its scope is wider.

Research in computer information security mainly concerns virus prevention and control and the security of the system. This requires not only preventing viruses, but also improving the system's ability to resist intrusion by outside attackers and improving the confidentiality of remote data transmission, so that data is not stolen in transit.

In preventing network viruses, the main concern is downloaded executable software and similar files, such as *.exe and *.zip, in which a virus can lie latent, replicate and spread.

For the security of the system itself, the main considerations are the stability and health of the server, strengthening its own resistance, and eliminating every possible channel for intrusion so that the system is not threatened. For important business applications, firewalls and data encryption must be added to protect them.

In data encryption, what matters more is to keep improving encryption technology, so that people with malicious intent on the network have little opportunity.

Computer information security is a very large field of research. This article is about protecting network information security: how a firewall user can assess their own business requirements and, by comparing products, choose the firewall product that suits them.

As we all know, the main means of protecting the information security of computer systems is to deploy firewalls. However, we run into many problems when using firewalls, of which the following three are the most representative:

First, should the firewall be a hardware firewall or a software firewall? Many people find this difficult to decide. Hardware and software firewalls each have their own advantages, but it is hard for an ordinary user to judge in depth which has the greater advantage.

Second, how should a firewall be chosen? There are many kinds of firewall products, and the technical level of the manufacturers is uneven, so which one should be chosen? If you choose the wrong product, the poor return on investment is the minor cost; if the system is attacked and important information is disclosed or damaged, the user's loss is large.

Third, if a software firewall is chosen, is it compatible with the user's current operating system, and does it offer any integration advantages? This is also a question that firewall users often ask.

The following lists some of the main firewall products and compares them in terms of their characteristics, functions, processing performance and operational complexity, together with some problems encountered in actual use, for readers' reference.

1. Cisco PIX

Cisco PIX is the most representative hardware firewall and is of the stateful inspection type. Because it uses its own real-time embedded operating system, it reduces the likelihood of attackers exploiting operating system bugs. In terms of performance, Cisco PIX is the best of the hardware firewall products of its kind, with 100BaseT speed. It should therefore be preferred where high data traffic is required, such as at large ISPs.

Compared with software firewalls, however, its advantages become less obvious. It has three main fatal weaknesses: first, it is expensive; second, it is difficult to upgrade; third, its management is cumbersome and complex.

Similar to the Microsoft ISA Server firewall management module, Cisco also provides a centralized firewall management tool, Cisco Security Policy Manager. PIX can block potentially harmful SMTP commands, which impressed us, but for FTP it cannot control upload and download operations as most products can. In log management, event management and similar areas, it is not as robust and easy to use as the ISA Server firewall management module, and its support for third-party vendor products is especially inadequate.

Its lack of management function modules is the worst of all the products we tested: the vast majority of PIX management is done through the command line, with no polished management GUI, which makes it less user-friendly, and for users unfamiliar with the commands, using the PIX firewall is a difficult task. Users can configure the PIX from the command line or in a web-based command-line mode, but this does not support centralized management, and each device must be configured individually. Configuring complex filtering rules is also cumbersome, especially when you need to insert a security rule: all the filtering rules must first be erased and rewritten.

We also found that setting up NAT from the command line is not easy, and it is not as convenient as using most GUIs. Beyond simple security policies, we found PIX very difficult to set up for access control based on services, hosts and networks. Our biggest problem was in modifying the security policy, which requires reordering the rules and deleting the original list of rules before inserting a new one. This is a not-so-useful feature inherited from Cisco routers.
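Why the position of a new rule matters, as an added example that is not from the original article: Cisco access lists are evaluated top-down and the first matching rule wins, so a rule appended at the end can be shadowed, and the list has to be rebuilt with the rule in the right place. The tuple rule format and the function names are hypothetical, not PIX syntax.

```python
import ipaddress

def first_match(rules, src, port):
    """Return (index, action) of the first rule matching the packet."""
    addr = ipaddress.ip_address(src)
    for i, (action, net, rule_port) in enumerate(rules):
        if addr in ipaddress.ip_network(net) and rule_port in (None, port):
            return i, action
    return None, "deny"  # nothing matched: implicit deny at the end of the list

def shadowed(rules):
    """Indexes of rules that an earlier, broader rule makes unreachable."""
    hidden = []
    for i, (_, net, port) in enumerate(rules):
        later = ipaddress.ip_network(net)
        for _, enet, eport in rules[:i]:
            # The earlier rule covers this one if its network contains ours
            # and it matches any port (None) or the same port.
            if later.subnet_of(ipaddress.ip_network(enet)) and eport in (None, port):
                hidden.append(i)
                break
    return hidden

def rewrite_with(rules, new_rule, position):
    """Build the full replacement list with new_rule at the given position."""
    return rules[:position] + [new_rule] + rules[position:]

# Constructed policy: (action, source network, destination port or None for any).
EXISTING = [("permit", "0.0.0.0/0", 80), ("permit", "0.0.0.0/0", 25)]
NEW_RULE = ("deny", "203.0.113.0/24", 80)

APPENDED = EXISTING + [NEW_RULE]                 # rule added at the end
REWRITTEN = rewrite_with(EXISTING, NEW_RULE, 0)  # list rebuilt, rule first

if __name__ == "__main__":
    print("appended :", shadowed(APPENDED), first_match(APPENDED, "203.0.113.7", 80))
    print("rewritten:", shadowed(REWRITTEN), first_match(REWRITTEN, "203.0.113.7", 80))
```

Running the shadow check on the rebuilt list before it replaces the live one catches a rule that would silently never match.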

PIX comes with its own management application, but it requires a dedicated Windows NT/Windows 2000 server to run the software, and the program is accessed through the Web. When managing the PIX through the Web interface, we could use it only for some very simple configuration changes. Cisco says it will develop new software early next year to improve the management capabilities of the PIX.

PIX has weaker logging and monitoring capabilities than other products: it has no real-time logging, and all log information is sent to another machine running syslog. Even so, alerts can be generated from the system log.
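Alerting from the syslog stream described above could look like the following added example, which is not from the original article or from Cisco. It assumes messages carry the `%PIX-<severity>-<message id>:` tag; the sample lines, addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import Counter

# Tag format: %PIX-<severity>-<message id>: <text>, severity 0 (worst) to 7 (debug).
PIX_MSG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")
# Source address in a "Deny <proto> src <interface>:<ip>/<port>" message.
DENY_SRC = re.compile(r"\bDeny \w+ src \w+:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+")

def parse(line):
    """Return (severity, message id, text) for a PIX message, or None."""
    m = PIX_MSG.search(line)
    return (int(m["sev"]), m["msgid"], m["text"]) if m else None

def alerts(lines, max_severity=3, deny_threshold=3):
    """Alert on severe messages and on a source that is denied repeatedly."""
    out, denies = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # another host's message on the shared syslog server
        sev, msgid, text = rec
        if sev <= max_severity:  # a lower number is more severe
            out.append(f"severity {sev} message {msgid}: {text}")
        d = DENY_SRC.search(text)
        if d:
            denies[d["ip"]] += 1
            if denies[d["ip"]] == deny_threshold:  # alert once per source
                out.append(f"{d['ip']} denied {deny_threshold} times")
    return out

# Constructed sample lines (documentation addresses, illustrative message text).
SAMPLE = [
    'Jan 10 09:15:01 192.0.2.1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4011 dst inside:192.0.2.10/23 by access-group "acl_out"',
    'Jan 10 09:15:02 192.0.2.1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4012 dst inside:192.0.2.10/23 by access-group "acl_out"',
    "Jan 10 09:15:03 192.0.2.20 sshd[411]: session opened for user admin",
    "Jan 10 09:15:04 192.0.2.1 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/3301 to 192.0.2.10/25 flags SYN on interface outside",
    'Jan 10 09:15:05 192.0.2.1 %PIX-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:192.0.2.10/53 by access-group "acl_out"',
    'Jan 10 09:15:06 192.0.2.1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4013 dst inside:192.0.2.10/23 by access-group "acl_out"',
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE):
        print(alert)
```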

To repeat: if you can tolerate all of the PIX's shortcomings and simply value its speed, you might as well try it.
