Latest firewall technology
Author: Wang da
I. Overview of firewall technology development
Traditional firewalls usually filter packets based on an access control list (ACL) and sit at the entrance of the internal private network, which is why they are also called "border firewalls". As firewall technology has developed, new techniques have emerged, such as circuit-level gateway technology, application gateway technology, and dynamic packet filtering. In practice these technologies differ greatly: some work at the network layer of the OSI reference model, some at the transport layer, and some at the application layer.
Among these existing firewall technologies, static packet filtering is the weakest security solution, and its use has some insurmountable restrictions. The most obvious is that it cannot detect address-spoofed packets based on user identity, and it is vulnerable to attacks such as DoS (denial of service) and IP address spoofing. No firewall vendor currently relies on this technology alone. Application-layer gateways and circuit-level gateways are good security solutions that inspect packets at the application layer. However, a proxy cannot be run for every application, and some application gateway technologies require clients to install special software, so both solutions have significant performance limitations. Dynamic packet filtering inspects packets based on the state of the connection. Because it removes the security limitations of static packet filtering and greatly improves on the performance of proxy technology, most firewall vendors currently adopt it. However, as active attacks increase, stateful packet filtering also faces huge challenges and increasingly needs the assistance of other new technologies.
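The difference between a static ACL and connection-state filtering, as an added example that is not part of the original article: the protected network (10.0.0.0/8), the packet dictionary fields and the sample traffic are all constructed for illustration.

```python
"""Static ACL filtering versus dynamic (stateful) packet filtering.

Added example, not from the original article. Packets are plain dicts
constructed below; the protected network is assumed to be 10.0.0.0/8.
"""
from __future__ import annotations

import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def static_filter(pkt: dict) -> str:
    """Static packet filter: a fixed ACL with no memory of past traffic.

    It allows anything going out, and lets inbound packets in when they
    look like replies from a web server (source port 80 or 443). Because
    the ACL cannot know whether a connection exists, a forged 'reply'
    from port 443 passes just like a real one.
    """
    if is_inside(pkt["src"]) and not is_inside(pkt["dst"]):
        return "allow"
    if pkt["sport"] in (80, 443):
        return "allow"
    return "drop"


class StatefulFilter:
    """Dynamic packet filter: inbound packets are accepted only when they
    belong to a connection that an inside host initiated."""

    def __init__(self) -> None:
        # Connection table keyed by the outbound 5-tuple. Real firewalls
        # also age entries out and track TCP state transitions (FIN/RST);
        # that is omitted here to keep the example short.
        self.table: set[tuple] = set()

    @staticmethod
    def _key(pkt: dict) -> tuple:
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    @staticmethod
    def _reverse_key(pkt: dict) -> tuple:
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def check(self, pkt: dict) -> str:
        if is_inside(pkt["src"]) and not is_inside(pkt["dst"]):
            self.table.add(self._key(pkt))      # inside host opened a connection
            return "allow"
        if self._reverse_key(pkt) in self.table:
            return "allow"                      # genuine reply to a tracked connection
        return "drop"                           # unsolicited inbound packet


# Constructed sample traffic: a real HTTPS request and its reply, followed
# by a forged "reply" from an outside host nobody inside talked to, aimed
# at the NetBIOS port of an internal workstation.
SAMPLE = [
    {"proto": "tcp", "src": "10.1.1.5", "sport": 40000, "dst": "203.0.113.10", "dport": 443},
    {"proto": "tcp", "src": "203.0.113.10", "sport": 443, "dst": "10.1.1.5", "dport": 40000},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 443, "dst": "10.1.1.9", "dport": 139},
]


def compare(packets: list[dict] = SAMPLE) -> list[tuple[str, str]]:
    """Run both filters over the same packet sequence; returns
    (static verdict, stateful verdict) for each packet."""
    stateful = StatefulFilter()
    return [(static_filter(p), stateful.check(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (s, d) in zip(SAMPLE, compare()):
        print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}  static={s}  stateful={d}")
```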
In addition to access control, most firewall manufacturers now integrate other security technologies such as NAT, VPN, and virus protection into their devices.
II. Future technical development trends of firewalls
With the emergence of new network attacks, firewall technology also shows some new development trends, reflected in packet filtering technology, firewall architecture, and firewall system management.
1. Development Trend of firewall packet filtering technology
(1) Some firewall vendors extend the user authentication and services of the AAA system to the firewall so that it can support security policies based on user roles. This function is required in wireless network applications. Firewalls with user identity authentication usually adopt application-level gateway technology, whereas packet-filtering firewalls do not. The stronger the user authentication, the higher the security level, but the greater its negative impact on network communication, because user authentication takes time, especially encrypted user authentication.
(2) Multi-level filtering technology
Multi-level filtering means that the firewall applies filtering measures at several levels, supplemented by identification means. At the packet filtering (network layer) level, all source-routed packets and forged IP addresses are filtered out. At the transport layer, filter rules are applied to drop all prohibited or unwanted inbound protocols and harmful packets, such as nuke packets and Christmas tree packets. At the application gateway (application layer) level, gateways for services such as FTP and SMTP control and monitor the general services provided by the Internet. This is a comprehensive filtering technology built on the shortcomings of the individual firewall technologies above, and it makes up for the weaknesses of each separate filtering technology.
This filtering technology is very clear in its layering: each filtering technique corresponds to a different network layer. Starting from this concept, there is much that can be expanded, laying the foundation for the future development of firewall technology.
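The layered pipeline described in (2), as an added example that is not from the original article: the internal address range, the prohibited-service list, the SMTP gateway command set and the sample packets are all assumed for illustration.

```python
"""Multi-level filtering: one check per layer, applied in order.
Added example, not from the original article; packets are constructed dicts and
the internal network, prohibited-service list and SMTP gateway policy are assumed."""
from __future__ import annotations
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")          # assumed internal network
PROHIBITED_INBOUND = {("tcp", 23), ("udp", 69)}      # assumed: no telnet/TFTP from outside
XMAS_FLAGS = {"FIN", "PSH", "URG"}                   # never set together in a real session
SMTP_ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumed gateway policy


def network_layer(pkt: dict, iface: str) -> str | None:
    """Level 1 (network layer): source-routed packets, and packets arriving on
    the external interface that claim an internal source address."""
    if "source_route" in pkt.get("ip_options", ()):
        return "source-routed packet"
    if iface == "external" and ipaddress.ip_address(pkt["src"]) in INSIDE:
        return "forged internal source address"
    return None


def transport_layer(pkt: dict, iface: str) -> str | None:
    """Level 2 (transport layer): prohibited inbound services and malformed TCP
    packets (Christmas tree packets, out-of-band 'nuke' packets to NetBIOS)."""
    if iface == "external" and (pkt["proto"], pkt["dport"]) in PROHIBITED_INBOUND:
        return "prohibited inbound protocol"
    flags = set(pkt.get("flags", ()))
    if pkt["proto"] == "tcp" and XMAS_FLAGS <= flags:
        return "christmas tree packet"
    if pkt["proto"] == "tcp" and pkt["dport"] == 139 and "URG" in flags:
        return "out-of-band data to NetBIOS (nuke-style packet)"
    return None


def application_layer(pkt: dict, iface: str) -> str | None:
    """Level 3 (application gateway): SMTP from outside passes through a gateway
    that only forwards a known set of commands."""
    if iface == "external" and pkt["proto"] == "tcp" and pkt["dport"] == 25:
        command = pkt.get("payload", "").split(" ", 1)[0].upper()
        if command not in SMTP_ALLOWED:
            return f"SMTP command {command!r} rejected by gateway"
    return None


LEVELS = (("network", network_layer), ("transport", transport_layer),
          ("application", application_layer))


def filter_packet(pkt: dict, iface: str) -> str:
    """Apply the levels in order; the first level that objects decides the verdict."""
    for name, check in LEVELS:
        reason = check(pkt, iface)
        if reason is not None:
            return f"drop ({name}): {reason}"
    return "accept"


# Constructed sample packets, all arriving on the external interface.
SAMPLE = [
    {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.7", "dport": 80, "flags": ("SYN",),
     "ip_options": ("source_route",)},
    {"proto": "tcp", "src": "10.0.0.3", "dst": "10.0.0.7", "dport": 80, "flags": ("SYN",)},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.7", "dport": 23, "flags": ("SYN",)},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.7", "dport": 80, "flags": ("FIN", "PSH", "URG")},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.9", "dport": 139, "flags": ("ACK", "URG")},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.25", "dport": 25, "flags": ("ACK", "PSH"),
     "payload": "VRFY root"},
    {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.25", "dport": 25, "flags": ("ACK", "PSH"),
     "payload": "EHLO mail.example.com"},
]


def run(packets: list[dict] = SAMPLE, iface: str = "external") -> list[str]:
    return [filter_packet(p, iface) for p in packets]
```

Each level only sees packets that survived the earlier ones, so the cheapest checks (address sanity) run first and the expensive protocol-aware gateway last.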
(3) Giving the firewall virus protection, usually called a "virus firewall". This is mainly found in personal firewalls, because they are purely software and easier to implement. This technology can effectively prevent the spread of viruses in the network and is more proactive than waiting for an attack. Firewalls with virus protection can greatly reduce a company's losses.
2. Firewall Architecture Development Trend
As network applications increase, higher demands are placed on network bandwidth, which means the firewall must be able to process data at a very high rate. In addition, multimedia applications will become more and more common in the next few years, which requires the latency introduced by passing data through the firewall to be small enough. To meet this need, some firewall manufacturers have developed ASIC-based firewalls and network-processor-based firewalls. In terms of execution speed, the network-processor-based firewall is still a software-based solution whose performance depends largely on the software; however, this type of firewall has engines dedicated to data-plane tasks, which reduces the CPU burden, so its performance is much better than that of traditional firewalls.
Compared with ASIC-based hardware firewalls, network-processor-based firewalls are more flexible because of their software nature. ASIC-based firewalls use dedicated hardware to process network data streams, which gives better performance than the previous two types. However, hardware-only ASIC firewalls lack programmability, which makes them less flexible and unable to keep up with the rapid development of firewall functions. The ideal solution is to increase the programmability of the ASIC chip so that it works better with software; such a firewall can meet both flexibility and performance requirements.
Shouxin's CF-2000 series EP-600 and CG-600 high-end gigabit firewalls use a powerful programmable proprietary ASIC chip as a dedicated security engine and strike a good balance between flexibility and performance. They can process network traffic at wire speed, and their performance is not affected by the number of connections, packet size, or the policies adopted. This firewall supports QoS, giving a latency of microseconds and meeting the requirements of various interactive multimedia applications. Zhe dawang also officially released three ASIC-based netshile gigabit gateway firewalls in Hangzhou. It is said that its es4000 firewall speed has reached 4 Gbps and its 3DES speed 600 Mbps. The yishang series gigabit firewalls also adopt the latest security gateway concept and integrate multiple functions such as firewall, VPN, IDS, anti-virus, content filtering, and traffic control,
3. Firewall System Management Development Trend
Firewall system management also shows some development trends, mainly in the following aspects:
(1) Centralized management. A distributed, hierarchical security structure is the future trend, and centralized management can reduce management costs and ensure the consistency of security policies in large networks; it is also required for fast response and quick defense. Such distributed firewalls, the so-called "distributed firewall" and "embedded firewall", have already been developed by Cisco, 3Com, and other large network equipment developers. This new technology is described in detail below.
(2) Powerful auditing and automatic log analysis. These two functions can detect potential threats earlier and prevent attacks. Logging also helps administrators discover security vulnerabilities present in the system and adjust security policies in time. However, firewalls with such features are generally fairly advanced; earlier static packet-filtering firewalls do not have them.
(3) Systematizing network security products. With the development of network security technology, there is now the notion of "building a firewall-centered network security system". In practice, existing firewall technology alone is hard-pressed to meet current network security requirements. By establishing a firewall-centered security system, multiple lines of defense can be deployed for the internal network, with the various security technologies each performing their own duties to defend against external intrusion.
For example, an IDS device can work together with the firewall. Generally, so that the communication performance of the system is not greatly affected by security devices, an IDS cannot be placed at the network entrance like a firewall, but only in a bypass (out-of-band) position. In actual use, the task of an IDS is often not just detection: in many cases it also needs to stop an intrusion immediately after detecting it. Obviously this is too difficult for an IDS listening on a bypass, and the primary link cannot carry too many such devices. In this case, if the firewall can work together with the IDS, virus detection, and other related security products, each playing to its strengths and cooperating to establish an effective security defense system, the security of the network can be significantly improved.
At present there are two main solutions: one is to build the IDS and virus detection parts directly into the firewall so that the firewall itself has those functions; the other keeps the products separate and uses a communication method to form a whole, so that once a security event is detected, the firewall is immediately notified and completes the filtering and reporting. Currently the latter solution is the more important, because it is easier to implement than the former.
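The second solution, a bypass IDS that notifies the firewall over a message interface, as an added example that is not from the original article: the SSH log format, the JSON alert format, the failure threshold, the time window and the deny-rule lifetime are all assumed, and the log lines are constructed.

```python
"""A bypass IDS notifying the firewall, which then filters and reports.

Added example, not from the original article. The log format, the alert
message format and the thresholds are all assumed; the log lines are
constructed for the example.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict, deque

# Constructed SSH log: three failures from one host inside a minute, and
# one isolated failure from another host.
LOG = """\
10 sshd: Failed password for root from 198.51.100.7 port 51001
15 sshd: Failed password for admin from 203.0.113.4 port 40200
20 sshd: Failed password for root from 198.51.100.7 port 51002
30 sshd: Failed password for root from 198.51.100.7 port 51003
"""
LINE_RE = re.compile(r"^(?P<ts>\d+) sshd: Failed password for \S+ from (?P<ip>[\d.]+)")


class Firewall:
    """Keeps a table of dynamic deny rules with expiry, plus a report log."""

    def __init__(self) -> None:
        self.dynamic_rules: dict[str, int] = {}   # source ip -> expiry timestamp
        self.reports: list[str] = []

    def handle_alert(self, message: str) -> None:
        alert = json.loads(message)                # message from the IDS (assumed JSON)
        self.dynamic_rules[alert["src"]] = alert["ts"] + alert["ttl"]
        self.reports.append(f"{alert['ts']} blocked {alert['src']}: {alert['reason']}")

    def decide(self, src: str, now: int) -> str:
        """Filtering decision for a packet from `src` at time `now`."""
        expiry = self.dynamic_rules.get(src)
        if expiry is not None and now < expiry:
            return "drop"
        return "accept"


class BypassIDS:
    """Watches a copy of the traffic (here: log lines) and raises an alert
    when one source exceeds `threshold` failures within `window` seconds."""

    def __init__(self, firewall: Firewall, threshold: int = 3, window: int = 60, ttl: int = 600) -> None:
        self.firewall, self.threshold, self.window, self.ttl = firewall, threshold, window, ttl
        self.failures: dict[str, deque] = defaultdict(deque)

    def observe(self, line: str) -> str | None:
        m = LINE_RE.match(line)
        if m is None:
            return None
        ts, ip = int(m["ts"]), m["ip"]
        history = self.failures[ip]
        history.append(ts)
        while history and ts - history[0] > self.window:   # forget old failures
            history.popleft()
        if len(history) < self.threshold:
            return None
        alert = json.dumps({"src": ip, "ts": ts, "ttl": self.ttl,
                            "reason": f"{len(history)} ssh failures in {self.window}s"})
        self.firewall.handle_alert(alert)          # the linkage: IDS -> firewall
        history.clear()                            # one alert per burst
        return alert


def run(log: str = LOG) -> tuple[Firewall, list[str]]:
    """Feed the constructed log to the IDS; returns the firewall and the alerts raised."""
    fw = Firewall()
    ids = BypassIDS(fw)
    alerts = [a for a in (ids.observe(line) for line in log.splitlines()) if a]
    return fw, alerts
```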
III. Distributed Firewall Technology
As mentioned above, a new firewall technology, distributed firewall technology, has gradually emerged and been implemented by some large network equipment developers outside China. Because its superior security protection system conforms to future development trends, this technology has been recognized and accepted by many users. This new firewall technology is introduced next.
1. Generation of Distributed Firewall
Because traditional firewalls are placed at the network boundary, between the intranet and the Internet, they are called "border firewalls" (perimeter firewalls). As requirements for network security protection rise, the border firewall clearly feels powerless, because security threats to the network come not only from external networks but also from the internal network. The border firewall cannot effectively protect the internal network unless a firewall is installed on each host, which is impractical. From this need a new firewall technology arose: distributed firewall technology. It solves the above limitations of the border firewall well, not by installing a firewall on each host, but by extending the firewall's security protection system to the various hosts in the network. On the one hand this keeps the user's investment down, and on the other hand it provides comprehensive security protection for the network.
Traditional border firewalls restrict information access and transmission between the protected internal network and the external network (usually the Internet), and sit between the two. In fact, all the different types of firewalls that appeared before, from simple packet filtering to application-layer proxies to adaptive proxies, are based on a common assumption: the firewall regards users on the internal side as trustworthy, while users on the external side are treated as potential attackers. The distributed firewall is a host-resident security system, and the host is its protected object. Its design philosophy is that access from any user outside the host is untrusted and must all be filtered. Of course, in actual applications it is not necessary to install such a system on every host in the network, which would seriously affect network communication performance; it is usually used to protect key node servers, data, and workstations in the enterprise network from illegal intrusion.
The distributed firewall is responsible for security protection between the network boundary, subnets, and nodes within the network, so it is a complete system rather than a single product. Based on the functions required, the new firewall architecture includes the following parts:
· Network firewall: some companies implement it purely in software, while others provide corresponding hardware support. It is used for protection between the intranet and the external network, as well as between intranet subnets. Compared with the traditional border firewall, it adds a layer of security protection between internal subnets, making the entire network security protection system more comprehensive and reliable, although its functions are similar to those of a traditional border firewall.
· Host firewall: also available as pure software or as hardware products, used to protect servers and desktops on the network. This is something traditional border firewalls do not have, and it complements them. It is used between workstations and servers in the same internal subnet to ensure the security of internal network servers. In this way the firewall is used not only between the internal and external networks, but also between intranet subnets and between workstations and servers in the same internal subnet. It can be said that security protection at the application layer is more thorough than at the network layer.
· Central management: firewall server management software responsible for planning, managing, distributing, and collecting logs for the overall security policy. This is a new firewall management function not available in traditional border firewalls. With it the firewall can be managed intelligently, improving the flexibility and manageability of firewall security protection.
2. Main Features of Distributed Firewall
Taken together, this new firewall technology has the following main features:
(1) Host resident
The main feature of the distributed firewall is that it is host resident, so it is called a "host firewall" (the traditional border firewall is usually called a "network firewall"). Its important characteristic is that it resides on the protected host. Networks other than the host, whether inside or outside the network, are considered untrusted, so targeted security policies can be set for specific applications running on the host and for external services. The outstanding contribution of the host firewall to the distributed firewall architecture is that the security policy no longer stays only between networks, but extends to each network endpoint.
(2) Embedded in the operating system kernel
This mainly concerns current purely software-based distributed firewalls. The operating system itself has many security vulnerabilities, which are well known by now, as are those of the application software running on it. The distributed host firewall also runs on the host, so its operating mechanism is one of the key technologies of the host firewall. For its own security and to thoroughly block operating system vulnerabilities, the security monitoring core engine of the host firewall should run embedded in the operating system kernel and take over the NIC directly, handing packets to the operating system only after checking all of them. To implement such a mechanism, apart from the firewall manufacturer's own development technology, technical cooperation with the operating system vendor is also necessary, because some operating systems do not disclose their internal technical interfaces. A host firewall that cannot implement this mode of operation has obvious security risks due to the security limitations of the operating system.
(3) Similar to a personal firewall
A personal firewall is a software firewall product used to protect a single host system. A distributed firewall is similar to a personal firewall, but there is a fundamental difference between them.
First, their management methods are quite different. The security policy of a personal firewall is set by the system's user, and all functions and management are carried out on the local machine; its goal is to prevent attacks from any external user outside the host. The security policy of the host firewall for desktop applications is arranged and set by the administrator of the entire system; in addition to protecting the desktop, it also controls the desktop's external access, and this security mechanism is invisible and unchangeable for desktop users.
Secondly, unlike the personal firewall, which is aimed directly at individual users, the host firewall for desktop applications is oriented to enterprise customers. Together with other distributed firewall products it forms an enterprise-level application solution with a security policy center for unified management, so to a certain extent it also faces the entire network. It is an integral part of the entire security protection system, and the security inspection mechanism of the entire system is spread across the entire distributed firewall system.
(4) Applicable to server hosting
The development of the Internet and e-commerce has driven the rapid rise of Internet data centers (IDCs), one of whose main businesses is server hosting. For a server hosting customer, the server is logically part of its enterprise network but physically not within the enterprise. For such applications the border firewall solution is far-fetched. As mentioned earlier, for such users the usual firewall scheme is a virtual firewall, but its configuration is quite complicated and beyond the average network administrator. The host firewall solution for servers is a typical application here. For a software-only distributed firewall, one only needs to install the host firewall software on the server and set security policies according to the server's applications; the central management software can also monitor the server remotely, without any additional space for a border firewall. A hardware-based distributed firewall usually takes the form of a PCI card, often including the NIC function, so it can be inserted directly into the server chassis with no need for separate rack space, which is more cost-effective for enterprises.
3. Main advantages of Distributed Firewall
Under the new security architecture, the distributed firewall represents the trend of the new generation of firewall technology. It can set up barriers at any junction and node of the network, forming a multi-level, multi-protocol, comprehensive security system with both internal and external protection. Its main advantages are as follows:
(1) Enhanced system security: adds host intrusion detection and protection, strengthens defense against internal attacks, and implements comprehensive security policies.
In traditional border firewall deployments, the internal network of an enterprise is very vulnerable to targeted attacks. Once an attacker has connected a computer to the enterprise LAN and gained control of it, they can use that machine as a stepping stone to intrude into other systems. The latest distributed firewalls spread firewall functions across subnets, desktop systems, laptops, and server PCs. Distributed firewalls spread across the company allow users to access information conveniently without exposing other parts of the network to potential illegal intruders. With this end-to-end security, interconnection between users through intranets, external networks, virtual private networks, or remote access is no longer different from that within the enterprise. The distributed firewall can also prevent the intrusion of one endpoint system from spreading to the entire network, and users who log on to the network through a public account cannot access computer systems that restrict access. To address the limitations of the border firewall in protecting internal network security,
In addition, because the distributed firewall uses the IP security protocol (IPsec), it can identify end-to-end network communication between hosts under various security protocols well, so communication between hosts is well protected. Therefore distributed firewalls are capable of preventing various types of passive and active attacks. Especially when the cryptographic credentials of the IP security protocol are used to identify internal hosts, policies based on these identifiers are undoubtedly more trustworthy for hosts.
(2) Improved system performance: eliminates structural bottlenecks and improves system performance.
Because traditional firewalls have a single access control point, they adversely affect both network performance and network reliability. Some research has offered corresponding solutions: from the performance perspective, the adaptive firewall seeks a balance between performance and security, and from the reliability perspective, redundant multiple firewalls are also feasible, but both introduce a lot of complexity and do not fundamentally solve the problem. The distributed firewall removes the single access point, which solves the problem. On the other hand, the distributed firewall can be configured to meet the different needs of servers and terminal computers, and the applications running on these hosts can be fully considered during configuration, which greatly improves network operating efficiency while ensuring network security.
(3) System scalability: the distributed firewall provides unlimited security protection capability as the system expands.
Because distributed firewalls are spread across the entire enterprise network or servers, they have unlimited scalability. As the network grows, their processing load is further distributed across the network, so high performance can be maintained continuously; they will not be overwhelmed by growing network size as the border firewall is.
(4) Implementing host policies: provides more secure protection for each node in the network.
At present, most firewalls do not understand the intentions of the host; generally they can only filter and control packets based on their external characteristics. Although a proxy firewall can solve this problem, it needs code written separately for each protocol, and its limitations are also obvious. Without context it is difficult for the firewall to distinguish attack packets from legitimate packets, so it cannot filter them. In fact an attacker can easily disguise an attack as a legitimate packet, since the attack packet can be identical to a legitimate one except for its content. The distributed firewall implements policy control on the host itself, which undoubtedly has sufficient understanding of its own intentions, so the distributed firewall naturally solves this problem by making the proper decision on the host.
(5) Wider applicability, supporting VPN communication
In fact, the most important advantage of the distributed firewall is that it can protect hosts that do not belong to the internal network in physical topology but are logically "internal"; with the development of VPN, this demand is increasing. The traditional solution is to isolate remote "internal" hosts from external hosts through the firewall to control access, with the remote "internal" host and the firewall using "tunnel" technology to ensure security. In this way, two parties that could communicate directly must instead detour through the firewall, which is not only inefficient but also makes firewall filter rules harder to set. In contrast, the distributed firewall is built on the concept of a logical network, so there is no difference between a remote "internal" host and a physically internal host, which fundamentally prevents this situation.
4. Main Functions of Distributed Firewall
The features and advantages of the distributed firewall have been described above. What functions does it have? Because it takes a software form (some use software plus hardware), its function configuration is more flexible and it has full intelligent management capabilities. In general, this is reflected in the following aspects:
(1) Internet Access Control
Using "Internet access rules" based on attributes such as the workstation name and device fingerprint, it controls whether a workstation or workstation group is allowed or denied access to the Internet web servers specified in a template or URL list within a specified time period. It can control, per workstation, whether a user can access WWW servers, and when a workstation or user reaches a specified traffic volume it can decide whether to disconnect them from the network.
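An evaluator for access rules of this shape, as an added example that is not from the original article or any product: the workstation registry, fingerprints, group names, URL lists, hours and quota values are all assumed.

```python
"""Evaluating "Internet access rules" of the kind described above.

Added example, not from the original article. The rule schema, workstation
registry, group names, URL list and quota values are all assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed workstation registry: name -> (registered device fingerprint, group).
# A request whose fingerprint does not match the registered one is treated
# as an unknown device rather than as the named workstation.
WORKSTATIONS = {
    "eng-01": ("fp-7a3c", "engineering"),
    "fin-02": ("fp-91e0", "finance"),
}
# Assumed per-workstation traffic quota (bytes) after which the link is cut.
QUOTA_BYTES = {"fin-02": 5_000_000}


@dataclass
class AccessRule:
    group: str                       # workstation group the rule applies to
    action: str                      # "allow" or "deny"
    hosts: set[str]                  # URL list / template: web server host names
    hours: tuple[int, int]           # active period, [start, end) in local hours


# Assumed rules, checked in order; first match wins, default deny.
RULES = [
    AccessRule("engineering", "allow", {"docs.example.com", "git.example.com"}, (0, 24)),
    AccessRule("finance", "deny", {"video.example.com"}, (9, 18)),
    AccessRule("finance", "allow", {"video.example.com", "bank.example.com"}, (0, 24)),
]


def decide(workstation: str, fingerprint: str, url: str, hour: int, bytes_used: int = 0) -> str:
    """Return 'allow', 'deny', or 'disconnect' for one web request."""
    registered = WORKSTATIONS.get(workstation)
    if registered is None or registered[0] != fingerprint:
        return "deny: unknown workstation or fingerprint mismatch"
    group = registered[1]
    if bytes_used >= QUOTA_BYTES.get(workstation, float("inf")):
        return "disconnect: traffic quota reached"
    host = urlsplit(url).hostname or ""
    for rule in RULES:
        start, end = rule.hours
        if rule.group == group and host in rule.hosts and start <= hour < end:
            return rule.action
    return "deny: no matching rule"
```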
(2) Application access control
Through layer-by-layer packet filtering and intrusion monitoring at the link, network, transport, and application layers of network communication, based on source address, destination address, port, and protocol, it controls application service requests from the LAN/Internet, such as SQL database access and IPX protocol access.
(3) Network Status Monitoring
Reports in real time all user logon, Internet access, intranet access, and network intrusion events on the current network.
(4) Hacker attack defense
It can defend against a wide range of attack types, including Smurf DoS attacks, ARP flood attacks, ping attacks, and Trojan attacks, whether from inside the network or from the Internet.
(5) Log management
Records, queries, and analyzes workstation protocol rule logs, user login event logs, user Internet access logs, fingerprint verification rule logs, and intrusion detection rule logs.
(6) System Tools
This includes backup and recovery of system-level parameter settings, rules, and other configuration information, as well as traffic statistics, template settings, and workstation management.