Key technologies and applications of intelligent firewall technology

This article introduces the intelligent firewall, a firewall that keeps getting smarter. It overcomes the traditional firewall's dilemma of "tighten control and the network dies, loosen it and the network descends into chaos" by revising the firewall's central assumption: denying traffic must guarantee security, and permitting traffic must guarantee security too. The new intelligent firewall replaces the notion of an "exit" with that of a "gateway": every packet passing through the gateway must be inspected by the firewall. Instead of the data-matching inspection techniques of traditional firewalls, the intelligent firewall uses AI recognition techniques to make access-control decisions. Intelligent firewalls are both more secure and more efficient than traditional firewalls.

Firewalls have been widely accepted by users and are becoming the main network security device. A firewall delineates a protected range, assumes that it is the only exit, and then decides whether to permit or block each incoming packet. The traditional firewall rests on one major theoretical assumption: if the firewall rejects a packet, the network must be safe, because the packet has been discarded. But the firewall cannot guarantee that the packets it permits are secure: it cannot tell a normal service packet from a malicious one, so the administrator is required to ensure that the permitted packets are secure. The administrator must tell the firewall what to pass, and since the administrator has said it must pass, the firewall lets the packet through according to the configured rules; the administrator therefore bears the security responsibility for any policy error. This assumption is not appropriate for network security, and the security it delivers is poor: handing responsibility to the security administrator does not actually solve the security problem. A new generation of firewalls should improve the security of the permitted traffic, because the real demand of network security is to ensure security while also keeping normal applications running.

I. Introduction to traditional firewall technology

Firewalls, both in technology and in product development, have gone through five stages. First-generation firewall technology appeared almost simultaneously with routers and used packet filtering. In 1989, Dave Presotto and Howard Trickey of Bell Labs introduced the second-generation firewall, the circuit-level firewall, and presented a preliminary structure for the third generation, the application-layer (proxy) firewall. Strictly speaking, the third generation arose because the U.S. Department of Defense considered the first two generations insufficiently secure and wanted inspection at the application level, so it funded the development of the well-known TIS Firewall Toolkit. The fourth generation came in 1992, when Bob Braden of the USC Information Sciences Institute developed a firewall based on dynamic packet filtering, which later evolved into today's stateful inspection technology. In 1994, Israel's Check Point developed the first commercial product to adopt this technology. The fifth generation came in 1998, when NAI introduced adaptive proxy technology in its product Gauntlet Firewall for NT, giving proxy firewalls a new meaning. Research on advanced application proxies overcame the contradiction between speed and security, and this can be called the fifth-generation firewall.

All five generations of firewall technology share a common feature: they use one-way matching, which requires too much computation. Packet filtering performs matching checks on IP packets; stateful packet filtering additionally performs matching checks on state information; application proxies perform matching checks on application protocols and application data. They therefore share a common flaw: the higher the security, the more inspection is needed, and the lower the efficiency. Stated as a law, a firewall's security and efficiency are inversely proportional.

II. Main security problems left unsolved by traditional firewalls

No one doubts that firewalls rank first among all security device purchases. But the traditional firewall does not solve the main network security problems. The three main problems of network security today are attacks whose primary purpose is denial of service (DDoS), virus propagation, most notably by worms, and content control, most notably of spam e-mail. These three account for more than 90% of network security problems, and a firewall that is not intelligent can do nothing about any of them.

According to a joint 2003 report by the Federal Bureau of Investigation (FBI) and the Computer Security Institute (CSI), more than 50% of respondents admitted having suffered a denial-of-service attack, and 80% had been attacked by viruses. Spam is even more rampant: IDC estimates that by 2006 more than 20 billion spam messages will be sent worldwide every day.

Can the traditional firewall solve the three problems above? The answer is no, for three reasons. First, the traditional firewall's computational capacity is limited: it relies on intensive inspection, and the more intensive the inspection, the greater the computational cost. Second, the traditional firewall's access control is a simple filtering mechanism, a conditional filter with no intelligence for resolving complex attacks. Third, the traditional firewall cannot distinguish benign behavior from malicious behavior, which means it cannot resolve malicious attack behavior.

Traditional firewall vendors argue that these three problems should not be solved by firewalls. But user surveys show that more than 80% of users want firewalls to help them solve these three major problems.

III. The next generation: the intelligent firewall

The intelligent firewall is defined relative to the traditional firewall: as the name suggests, it is smarter and more intelligent. Many users readily accept the concept of an intelligent firewall; in their eyes, what is not smart is not reliable and not secure, and with a smart bodyguard you feel safe. The traditional firewall has many problems that users often find hard to understand. Users often ask why the firewall did not stop a hacker's attack: security experts analyzing the recorded data can spot the attack at a glance, so why could the firewall not? The reason is that the traditional firewall is a simple mechanism that mechanically executes a security policy.

Technically, the intelligent firewall uses intelligent methods of statistics, memory, probability and decision-making to identify data and achieve the goal of access control. These new mathematical methods eliminate the massive computation required by matching inspection, efficiently discover the characteristic values of network behavior, and apply access control directly. Because these methods mostly come from the discipline of artificial intelligence, it is also called the intelligent firewall.

A simple analogy shows how important intelligent firewalls are to network security. The traditional firewall's packet inspection is like recognizing a face by image matching: convert the face into an image, memorize every pixel, and then check for a match. Only after comparing thousands of pixels can it tell you who this is. That is not how people recognize faces. Who can identify you instantly with almost no computation? That is intelligent recognition. The intelligent firewall can easily find the characteristic values of network behavior and identify that behavior without massive computation, so access control becomes easy.

IV. Key technologies of the intelligent firewall

1. Anti-attack technology

The intelligent firewall can intelligently identify malicious traffic and effectively block malicious attacks. It can effectively resolve SYN flooding, Land attack, UDP flooding, Fraggle attack, ping flooding, Smurf, Ping of Death and "unreachable" attacks. Anti-attack technology can also effectively cut off traffic attacks from malicious viruses or Trojans.

2. Anti-scan technology

The intelligent firewall can intelligently identify hackers' malicious scans and effectively block or deceive malicious scanners. Against currently known scanning tools such as ISS, SSS and NMAP, the intelligent firewall can prevent the network from being scanned. Anti-scan technology can also effectively handle malicious scans launched by malicious code.
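As an added illustration of behavior-based identification (rather than content matching) for the anti-attack and anti-scan passages above, here is a small Python monitor written for this article, not code from any product. It counts half-open connections per target to flag SYN flooding and counts distinct ports probed per source to flag scanning; the traffic, addresses and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict, namedtuple

# ts = arrival time (s); src/dst = IP addresses; dport = destination port;
# flags = "S" (SYN) or "A" (the ACK that completes the handshake)
Pkt = namedtuple("Pkt", "ts src dst dport flags")

class BehaviorMonitor:
    """Judges traffic by behavioral features instead of matching packet contents."""
    def __init__(self, window=10.0, syn_limit=20, port_limit=10):
        self.window, self.syn_limit, self.port_limit = window, syn_limit, port_limit
        self.half_open = Counter()          # (dst, dport) -> SYNs not yet completed
        self.syn_ports = defaultdict(list)  # src -> [(ts, dport), ...] of its SYNs

    def observe(self, p):
        alerts, target = [], (p.dst, p.dport)
        if p.flags == "S":
            self.half_open[target] += 1
            self.syn_ports[p.src].append((p.ts, p.dport))
        elif p.flags == "A" and self.half_open[target] > 0:
            self.half_open[target] -= 1
        # Keyed by target, so spoofed or rotating sources still add up
        if self.half_open[target] > self.syn_limit:
            alerts.append(("syn_flood", p.dst, p.dport))
        # Keyed by source: many distinct ports within the window means a scan
        recent = self.syn_ports[p.src]
        recent[:] = [(t, d) for t, d in recent if t >= p.ts - self.window]
        if len({d for _, d in recent}) > self.port_limit:
            alerts.append(("port_scan", p.src))
        return alerts

def analyze(packets):
    """Run all packets through one monitor; return the distinct alerts raised."""
    mon, found = BehaviorMonitor(), set()
    for p in packets:
        found.update(mon.observe(p))
    return found

def sample_traffic():
    """Constructed traffic (not a real capture): normal client, SYN flood, port scan."""
    pkts = []
    for i in range(5):   # normal client completes each handshake
        pkts.append(Pkt(i, "10.0.0.5", "10.0.0.1", 80, "S"))
        pkts.append(Pkt(i + 0.1, "10.0.0.5", "10.0.0.1", 80, "A"))
    for i in range(30):  # 30 spoofed sources leave port 80 half open
        pkts.append(Pkt(10 + i * 0.01, f"198.51.100.{i}", "10.0.0.1", 80, "S"))
    for i in range(15):  # one host probes 15 distinct ports in 1.5 seconds
        pkts.append(Pkt(20 + i * 0.1, "203.0.113.9", "10.0.0.1", 1000 + i, "S"))
    return pkts
```

The normal client never raises an alert because each of its SYNs is balanced by an ACK, while the flood is caught per target even though every packet carries a different source.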

3. Anti-spoofing technology

The intelligent firewall provides a MAC-based access control mechanism that can prevent MAC spoofing and IP spoofing, and it supports MAC filtering and IP filtering, extending the firewall's access control to layer 2 of the OSI model.

4. Intrusion prevention technology

To address the security of packets that are permitted through, the intelligent firewall applies intrusion detection to permitted traffic and provides intrusion prevention. Intrusion prevention uses several detection techniques: signature detection accurately detects known attacks, with a signature library covering the currently popular network attacks; anomaly detection, based on the monitored network's self-learning capability, can effectively detect new attacks; and the detection engine also integrates detection of specific attacks such as buffer overflows. The intelligent firewall performs deep packet inspection and can block application-layer attacks.

5. Packet scrubbing and protocol normalization technology

The intelligent firewall supports packet scrubbing: it cleans IP, TCP, UDP, ICMP and other protocols, normalizes them, and eliminates potential protocol risks and attacks. These methods are very effective at eliminating defects in the TCP/IP protocols and exploitation of protocol vulnerabilities.
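An added example of what scrubbing and normalization decide, written for this article rather than taken from any firewall: packets with a bogus source, fragment tricks against the TCP header, or illegal TCP flag combinations are dropped, while a set reserved IP bit or a too-low TTL is corrected and the packet forwarded. The sample packets and the MIN_TTL setting are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "TCP", "UDP" or "ICMP"
    ttl: int = 64
    ip_reserved_bit: int = 0    # reserved ("evil") bit in the IP flags field
    frag_offset: int = 0        # fragment offset in 8-byte units
    more_fragments: bool = False
    payload_len: int = 0        # bytes following the IP header
    tcp_flags: frozenset = frozenset()
MIN_TTL = 16  # assumed scrub setting: low TTLs are raised so every hop sees the same packet

def normalize(p):
    """Return ('drop', [reason], p) or ('pass', [scrub notes], scrubbed copy of p)."""
    src = ipaddress.ip_address(p.src)
    if src.is_loopback or src.is_multicast or p.src == p.dst:
        return "drop", ["bogus source address"], p
    if p.proto == "TCP":
        if p.frag_offset == 1:
            return "drop", ["fragment offset 1 overlaps the TCP header"], p
        if p.more_fragments and p.frag_offset == 0 and p.payload_len < 20:
            return "drop", ["tiny first fragment hides the TCP header"], p
        f = p.tcp_flags
        if (not f or {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f
                or ({"FIN", "PSH", "URG"} <= f and "ACK" not in f)):
            return "drop", ["illegal TCP flags: " + ("/".join(sorted(f)) or "none")], p
    notes = []
    if p.ip_reserved_bit:   # scrub rather than drop: clear the bit and forward
        notes.append("cleared reserved IP flag bit")
        p = replace(p, ip_reserved_bit=0)
    if p.ttl < MIN_TTL:
        notes.append(f"raised TTL {p.ttl} -> {MIN_TTL}")
        p = replace(p, ttl=MIN_TTL)
    return "pass", notes, p

# Constructed sample packets, not captured traffic
SAMPLES = {
    "normal_syn": Packet("10.0.0.5", "10.0.0.1", "TCP", tcp_flags=frozenset({"SYN"})),
    "land":       Packet("10.0.0.1", "10.0.0.1", "TCP", tcp_flags=frozenset({"SYN"})),
    "syn_fin":    Packet("10.0.0.5", "10.0.0.1", "TCP", tcp_flags=frozenset({"SYN", "FIN"})),
    "null_flags": Packet("10.0.0.5", "10.0.0.1", "TCP"),
    "tiny_frag":  Packet("10.0.0.5", "10.0.0.1", "TCP", more_fragments=True, payload_len=8),
    "low_ttl":    Packet("10.0.0.5", "10.0.0.1", "UDP", ttl=3, ip_reserved_bit=1),
}
def run_samples():
    return {name: normalize(pkt)[0] for name, pkt in SAMPLES.items()}
```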

6. AAA technology

A major flaw of IPv4 is its lack of identity authentication, which is why authentication was added in IPv6. The problem is that adopting IPv6 will take a long time, and IPv4 will remain in use for a considerable period. The intelligent firewall adds authentication at the IP layer and performs access control based on identity.

V. Functional characteristics of the intelligent firewall

The intelligent firewall successfully solves the widespread denial-of-service (DDoS) problem, the problem of virus propagation and advanced application-layer intrusions, and it represents the mainstream direction of firewall development. The new generation's own security is greatly improved over the traditional firewall: in privilege minimization, system minimization, kernel security, system hardening, system optimization and maximization of network performance, it is a qualitative leap beyond the traditional firewall.

The intelligent firewall performs full access control rather than simple filtering. Based on behavior identification, access control is applied according to who (the person), when (the time), where (the network layer) and what behavior (OSI layer 7), which greatly improves the firewall's security and makes it smarter and more intelligent.
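An added Python sketch, not from the article or any product, of the who/when/where/what access control described here together with the identity-based control of the AAA section: an authenticated identity (and its roles), a time window, a source network and an application-layer action must all match a rule, and anything unmatched is denied. The users, roles, networks and rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Request:
    user: str          # who: identity established by the AAA step, not just an address
    when: datetime     # when
    src: str           # where: source address (network layer)
    app: str           # what: application protocol (OSI layer 7)
    action: str        # what: operation within that application

@dataclass(frozen=True)
class Rule:
    subjects: frozenset   # user names or role names; "*" matches anyone
    start: time           # allowed time window, inclusive, within one day
    end: time
    networks: tuple       # allowed source networks in CIDR form
    apps: frozenset
    actions: frozenset
    verdict: str          # "allow" or "deny"

def matches(rule, req, roles):
    who = {req.user, "*"} | roles.get(req.user, set())
    if not (who & rule.subjects) or not (rule.start <= req.when.time() <= rule.end):
        return False
    src = ipaddress.ip_address(req.src)
    if not any(src in ipaddress.ip_network(n) for n in rule.networks):
        return False
    return req.app in rule.apps and req.action in rule.actions

def decide(rules, req, roles):
    """First matching rule wins; a request matching no rule is denied."""
    for rule in rules:
        if matches(rule, req, roles):
            return rule.verdict
    return "deny"

# Constructed policy: the identities, roles, networks and rules are assumptions
ROLES = {"alice": {"finance"}, "bob": {"ops"}}
RULES = (
    Rule(frozenset({"finance"}), time(8, 0), time(18, 0), ("10.1.0.0/16",),
         frozenset({"HTTPS"}), frozenset({"GET", "POST"}), "allow"),
    Rule(frozenset({"ops"}), time(0, 0), time(23, 59, 59), ("10.9.0.0/24",),
         frozenset({"SSH"}), frozenset({"login"}), "allow"),
)

def check(user, clock, src, app, action):
    """Evaluate one request; clock is 'HH:MM' on an arbitrary day."""
    when = datetime.strptime(clock, "%H:%M")
    return decide(RULES, Request(user, when, src, app, action), ROLES)
```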

High availability is another highlight of the intelligent firewall. It supports VRRP, the latest international RFC standard for hot-standby pairs, along with traffic sharing, parallel firewalls, dual fault tolerance, load balancing and multiple egress routes. Traffic sharing and parallel firewall technology are of great practical significance for achieving a wire-speed firewall.

The intelligent firewall also supports a wide range of applications: kernel-level support for special applications such as FTP, H.323 and IGMP (multicast), centralized network management based on SNMP, and customization of special application gateways.

The intelligent firewall has a centralized network management platform covering five management domains: configuration management, performance management, fault management, security management and audit management.

The intelligent firewall provides real-time monitoring of the network. It monitors firewall performance, including CPU, memory, network and hard disk usage; it monitors the firewall's state and raises real-time alarms; and it supports real-time monitoring such as performance monitoring and interface traffic monitoring.

The intelligent firewall provides log monitoring, automatic processing, manual or automatic export, database import, viewing, querying, display, alarms and other functions, and it supports conditional queries.

VI. Typical applications of intelligent firewalls

Beyond the applications of traditional firewalls, the intelligent firewall is suited to the following special scenarios.

Protecting networks and sites from hacker attacks. Because most current firewalls cannot withstand DDoS attacks, sites and networks are frequently subjected to hacker attacks. Using an intelligent firewall can effectively resolve denial-of-service attacks.

Blocking the malicious spread of viruses. The intelligent firewall can identify a virus's malicious scanning and traffic attacks and effectively cut off its transmission. Because it judges virus transmission from traffic anomalies, it avoids the disaster that each new virus outbreak brings.

Effective monitoring and management of the internal LAN. Traditional firewalls only guard against the outside, leaving the internal LAN slow and rife with malicious viruses and Trojans. With its MAC control function, the intelligent firewall effectively detects internal malicious traffic and helps the security administrator locate the source of an attack.

Protecting the security of required applications. The intelligent firewall's intrusion protection function and deep inspection of application data can effectively discover attacks on applications and stop them.

Providing strong authentication, authorization and audit management. Authentication, authorization and auditing based on the person rather than the IP address is one of the elements of network security and makes it possible to manage network security effectively. It also provides non-repudiation for network forensics.

Using parallel firewalls to increase network availability, achieving traffic sharing, load balancing and hot-standby pairs, and realizing a wire-speed firewall. This greatly reduces system cost while remaining flexible and keeping the system highly secure.

