The firewall "grows fat" fast.
Because the firewall occupies an important position in the network, people place high expectations on it. As firewalls keep adding new features, they are "growing fat".
Increasing access control tools
Firewalls have developed from the initial simple IP/port checks to control based on the protocol headers of communication messages, application-layer commands, user rules, traffic control, proxy control, address translation control, connection-count control, historical state control (stateful inspection) and so on.
Increasing access control capabilities
Users keep putting forward new requirements for access control functions on the firewall. Because these functions are relatively simple and economical (that is, low cost) to implement on a firewall, many network interconnection functions now appear there, such as NAT, address mapping, bandwidth management and billing.
VPN is becoming a new bright spot
VPN can provide a secure platform for internal communication across public networks and has become a bright spot among Internet applications. Firewalls are first in line to provide this feature, and many firewalls implement it and ship it as a standard feature.
Intrusion detection becomes a legitimate requirement for users
Many users pin their security on the firewall and naturally require it to detect the various attacks against the internal network and to prevent further attacks, such as DoS/DDoS attacks.
Auditing is an important security measure.
Audit management can monitor communication behavior and help improve security policy, and it is an effective deterrent to intruders. As firewall functionality develops, a powerful, efficient and convenient audit function can be extended in many directions, giving rise to a variety of audit interfaces and audit reports.
While the firewall itself continues to develop, it must also adapt to network environments with different uses, structures and configurations, which makes the firewall more and more "fat".
Is a "fat" firewall easy to use?
Firewalls have made great efforts in many respects and have been greatly enriched in function; carrying the many expectations of users, they are growing toward being "all-inclusive". Many network systems have deployed firewalls and manage them effectively, and it seems that the firewall is becoming the king of network security. But what is the truth?
During the May 1 ("51") Sino-American hacker war, a large number of websites were invaded and their homepages were changed beyond recognition. As the shield, the firewall was the first to take the blow. Many users had pinned their hopes on the firewall, but it was overwhelmed and seemed to fail its mission. An analysis of the intruded sites that were protected by firewalls, based mainly on logging and monitoring records, shows that almost all of the intrusions exploited vulnerabilities or weaknesses in the HTTP service itself, most often the Windows NT/2000 Unicode vulnerability; no breach was found of the access that the firewalls actually prohibited. For Unicode attacks, the firewall can control the URL requests in HTTP traffic by defining an HTTP URL filtering policy. This just requires defining a lot of rules on the firewall.
In principle, resisting these attacks on the firewall is not complex to implement, but it adds a lot of work to firewall management: administrators need to keep upgrading the signature library, and maintaining that library takes a great deal of work.
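The following added example (not from the original article or any firewall product) shows why literal URL rules multiply and how canonicalising the request path first lets a single rule cover the encoded variants. It assumes the attacks hide path separators and dot segments in percent-encoded or overlong UTF-8 bytes; the function names and sample paths are constructed for illustration.

```python
import re

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def naive_allows(raw_path: str) -> bool:
    """One literal rule per known string: the approach that needs many rules."""
    return "../" not in raw_path


def check_url_path(raw_path: str) -> tuple[bool, str]:
    """Canonicalise the request path first, then apply one traversal rule."""
    data = PCT.sub(lambda m: bytes([int(m.group(1), 16)]),
                   raw_path.encode("utf-8"))
    if PCT.search(data):
        # Escapes that survive one decoding pass mean nested encoding.
        return False, "nested percent-encoding"
    try:
        # Strict decoding rejects overlong forms such as C0 AF, which a
        # lenient decoder would map to '/'.
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "invalid or overlong UTF-8"
    segments = text.replace("\\", "/").split("/")
    if ".." in segments:
        return False, "directory traversal"
    return True, "ok"


# Constructed request paths (not taken from real logs).
SAMPLES = [
    "/index.html",
    "/docs/caf%c3%a9.html",
    "/a/%2e%2e/b",
    "/a/..%5cb",
    "/a/%252e%252e/b",
    "/scripts/..%c0%afx",
]

if __name__ == "__main__":
    for path in SAMPLES:
        allowed, reason = check_url_path(path)
        naive = "allow" if naive_allows(path) else "deny"
        verdict = "allow" if allowed else "deny"
        print(f"{path:24} naive={naive:5} canonical={verdict} ({reason})")
```

The literal rule passes every encoded sample, while the canonicalising check denies them without a new signature per variant.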
For the firewall itself, an ever larger signature library requires that the firewall's performance keep increasing, or that a large amount of processing capacity be set aside. Moreover, this approach requires the firewall to find the attack within its normal packet buffer queue, and that queue cannot be too long, otherwise users will see long delays, so this kind of processing is not feasible. Virus monitoring is an example: the firewall cannot cache a megabyte-scale file in order to check it and handle a virus. If a virus is found, users may understand the delay, but if the final inspection result is that there is no virus, users will not accept it.
Build a security system with the firewall as its core!
Clearly, if the firewall is combined with IDS, virus detection and other related security systems, each playing to its strengths and working in synergy, together they can establish an effective security protection system. In short, each specialized detection system is dedicated to detecting a certain class of security events and notifies the firewall immediately when it finds one; prohibiting a given communication on the firewall is then simple and accurate. Giving full play to the technical advantages of the specialist vendors in this way forms an organic overall security system that is not only effective but also has a certain degree of automatic intelligence.
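A minimal sketch of that division of labour, added here as an example and not taken from the article or any product: specialised detectors send events, and the firewall turns them into temporary deny rules that the packet path checks with a plain lookup. All names (SecurityEvent, Firewall, notify), the protected network and the block lifetimes are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy values for illustration.
PROTECTED = [ipaddress.ip_network("10.0.0.0/8")]  # never auto-blocked
BLOCK_SECONDS = {"ids": 600, "antivirus": 3600}   # lifetime per detector


@dataclass(frozen=True)
class SecurityEvent:
    detector: str   # which specialised system raised the event
    src_ip: str
    kind: str
    time: float     # seconds, supplied by the detector


class Firewall:
    def __init__(self):
        self.blocks = {}  # source address -> (expiry time, reason)

    def notify(self, ev: SecurityEvent) -> str:
        """Turn a detector event into a temporary deny rule."""
        if ev.detector not in BLOCK_SECONDS:
            return "ignored: unknown detector"
        addr = ipaddress.ip_address(ev.src_ip)
        if any(addr in net for net in PROTECTED):
            # A false positive must not cut off the internal network.
            return "ignored: protected source"
        expiry = ev.time + BLOCK_SECONDS[ev.detector]
        old = self.blocks.get(addr)
        if old and old[0] >= expiry:
            return "unchanged"
        self.blocks[addr] = (expiry, f"{ev.detector}:{ev.kind}")
        return "blocked"

    def permits(self, src_ip: str, now: float) -> bool:
        """Packet-path check: a lookup only, no content inspection."""
        entry = self.blocks.get(ipaddress.ip_address(src_ip))
        return not (entry and entry[0] > now)


if __name__ == "__main__":
    fw = Firewall()
    ev = SecurityEvent("ids", "203.0.113.7", "http-url-attack", 1000.0)
    print(fw.notify(ev), fw.permits("203.0.113.7", 1200.0))
```

The expiry and the protected list are the parts a practitioner should not skip: without them, one mistaken detector event becomes a permanent or self-inflicted outage.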
The development direction of firewall systems is an open security application system with the firewall at its core. In this system the firewall plays the leading role and is also a service center; with strong support from other security products, it truly becomes a firewall system worthy of the name.