4. Transparency
Transparency means that the firewall is invisible to the user: when the firewall is connected to the network, neither the network nor its users need to perform any setup or make any changes, and they need not even be aware that the firewall exists.
For a firewall, as a physical device, to be placed into an existing network without any impact on that network, it must operate as a network bridge. In the traditional way of installing a firewall, the device behaves more like a router or gateway: the original network topology often has to change, and the settings of network equipment (hosts and routers alike: IP address and gateway, DNS, routing tables, and so on) have to change as well. If the firewall instead uses transparent mode, that is, runs like a network bridge, users do not have to reset or modify their routing and do not need to know where the firewall is located; the firewall can simply be installed, put into the network and used.
The biggest advantage of transparent mode is that no changes to the existing network are needed, which is convenient for many customers; moreover, it is easy to switch from transparent mode to non-transparent mode, so the range of applicability is clearly wider. Of course, in this case the device acts only as a firewall: other functions tied to the gateway position, such as NAT and VPN, no longer apply, while functions such as transparent proxying can still be used.
At present, transparent mode can be implemented with ARP proxy and routing technology. The firewall then performs the function of an ARP proxy. The intranet (which may itself still contain routers, subnets, and so on), the firewall and the router are arranged roughly as follows:
Intranet ――――― Firewall ――――― router
(To be clear, this is the network layout used by most campus networks.)
For intranet hosts to gain transparent access, ARP packets must be able to pass transparently between the intranet and the router. Since the intranet and the router are in fact not directly connected, the firewall must be configured as an ARP proxy between the intranet hosts and the router to relay the ARP packets. What the firewall does is this: when the router sends an ARP broadcast asking for the hardware address of a host in the intranet, the firewall answers the ARP request with the MAC address of its interface facing the router; when a host in the intranet sends an ARP broadcast asking for the router's hardware address, the firewall answers with the MAC address of its interface facing the intranet. The router and the intranet hosts therefore believe they are sending packets directly to each other, when in fact the packets are sent to the firewall, which forwards them.
Obviously the firewall must also implement routing forwarding, so that packets between the internal and external networks can be forwarded transparently. In addition, for the firewall to actually act as a firewall, it obviously also needs to pass packets up to the application layer (where application-layer proxying, filtering and other functions are implemented); this requires port forwarding (?). This point is not very clear, and no relevant information was found. The biggest difference between transparent and non-transparent modes in terms of network topology is this: in transparent mode the two network cards (one connected to the router, one connected to the intranet) are in one network segment (the same segment as the subnet), whereas in non-transparent mode the two network cards belong to two network segments (the intranet side may use an internal address, while the extranet side uses a legal, publicly valid address).
This process is as follows:
1. Use an ARP proxy to achieve a transparent connection between the router and the subnet (network layer)
2. Deliver packets at the IP layer using routing forwarding (IP layer)
3. Use port redirection to send IP packets up to the application layer (IP layer)
The transparent proxy discussed earlier and the transparent mode of the firewall described here are two different concepts. A transparent proxy mainly lets intranet hosts access the extranet transparently, regardless of whether they use non-routable or routable addresses. Intranet hosts using internal network addresses can still use a transparent proxy; in that case the firewall acts as a gateway in the role of a proxy server (which is obviously not transparent mode).
The point to be clarified is that there is no necessary connection between the translation of internal and external network addresses (that is, NAT; a transparent proxy is also a special form of address translation) and transparent mode. A firewall in transparent mode can implement a transparent proxy, and a firewall in non-transparent mode (in which case it must be a gateway) can also implement a transparent proxy. What they have in common is that both simplify the setup of intranet clients.
At present, most domestic firewalls have implemented transparent proxying, but not many have implemented transparent mode. This can be seen clearly from their advertisements: if a firewall has a transparent mode, its advertising will certainly list it separately from the transparent proxy.
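The three steps above can be traced through in a small simulation. The following Python is an added example written for this page, not code from the original article or from any firewall product: it models a transparent-mode firewall with an intranet-facing and a router-facing interface, answers proxy-ARP requests with the MAC of whichever interface the request arrived on, forwards other traffic to the MAC learned from the peer's own ARP traffic, redirects a chosen port to the local application-layer proxy, and drops filtered ports. The MAC addresses, the 192.0.2.0/24 segment, the router address and the host list are constructed sample values; the `topology_mode` helper only illustrates the difference the text draws between both interfaces sharing one segment (transparent) and sitting in two segments (gateway).

```python
"""Simulation of a transparent-mode (bridge) firewall: proxy ARP, forwarding, port redirect."""
from dataclasses import dataclass, field
from ipaddress import ip_interface
from typing import Dict, Optional, Tuple

# Constructed sample topology (assumed values, not taken from the article):
#   intranet hosts ---[inside]--- firewall ---[outside]--- router
INSIDE_MAC = "02:00:00:00:00:01"    # firewall interface facing the intranet
OUTSIDE_MAC = "02:00:00:00:00:02"   # firewall interface facing the router
ROUTER_IP = "192.0.2.1"
INTRANET_HOSTS = {"192.0.2.10", "192.0.2.11"}


@dataclass
class ArpRequest:
    sender_mac: str
    sender_ip: str
    target_ip: str
    arrived_on: str        # "inside" or "outside"


@dataclass
class ArpReply:
    sent_on: str
    target_ip: str
    answered_mac: str


@dataclass
class IpPacket:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class TransparentFirewall:
    blocked_ports: frozenset = frozenset({23})    # dropped while forwarding (step 2)
    redirect_ports: frozenset = frozenset({80})   # handed to the application-layer proxy (step 3)
    arp_table: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # ip -> (mac, side)

    def handle_arp(self, req: ArpRequest) -> Optional[ArpReply]:
        """Step 1, proxy ARP: record the sender, then answer on the same side the
        request came in on, using that interface's own MAC, so both the router and
        the intranet hosts address their frames to the firewall."""
        self.arp_table[req.sender_ip] = (req.sender_mac, req.arrived_on)
        if req.arrived_on == "outside" and req.target_ip in INTRANET_HOSTS:
            return ArpReply("outside", req.target_ip, OUTSIDE_MAC)
        if req.arrived_on == "inside" and req.target_ip == ROUTER_IP:
            return ArpReply("inside", req.target_ip, INSIDE_MAC)
        return None   # not an address we proxy for; stay silent

    def handle_ip(self, pkt: IpPacket) -> Tuple[str, ...]:
        """Steps 2 and 3: filter, redirect to the local proxy, or forward to the
        real owner of the destination using the MAC learned from its ARP traffic."""
        if pkt.dst_port in self.blocked_ports:
            return ("drop",)
        if pkt.dst_port in self.redirect_ports:
            return ("redirect", "local-proxy")
        if pkt.dst_ip in INTRANET_HOSTS:
            mac, side = self.arp_table.get(pkt.dst_ip, (None, "inside"))
        else:
            mac, side = self.arp_table.get(ROUTER_IP, (None, "outside"))
        if mac is None:
            return ("queue", side)   # owner's MAC not learned yet; a real bridge would ARP for it
        return ("forward", side, mac)


def topology_mode(inside_cidr: str, outside_cidr: str) -> str:
    """Transparent mode puts both firewall interfaces in one segment; in
    non-transparent (gateway) mode they sit in different segments."""
    same = ip_interface(inside_cidr).network == ip_interface(outside_cidr).network
    return "transparent" if same else "gateway"


if __name__ == "__main__":
    fw = TransparentFirewall()
    # Router asks for an intranet host; firewall answers with its router-facing MAC.
    print(fw.handle_arp(ArpRequest("02:aa:aa:aa:aa:01", ROUTER_IP, "192.0.2.10", "outside")))
    # Intranet host asks for the router; firewall answers with its intranet-facing MAC.
    print(fw.handle_arp(ArpRequest("02:bb:bb:bb:bb:10", "192.0.2.10", ROUTER_IP, "inside")))
    print(fw.handle_ip(IpPacket("192.0.2.10", "198.51.100.7", 443)))  # forwarded to the router
    print(fw.handle_ip(IpPacket("192.0.2.10", "198.51.100.7", 80)))   # redirected to the proxy
    print(fw.handle_ip(IpPacket("198.51.100.7", "192.0.2.10", 23)))   # dropped by the filter
    print(topology_mode("192.0.2.2/24", "192.0.2.3/24"), topology_mode("10.0.0.1/24", "203.0.113.2/24"))
```

The detail worth noticing is that the proxy-ARP reply always carries the MAC of the interface the request arrived on, never the real peer's MAC: that is what makes both sides hand their frames to the firewall without any change to their own configuration, and it is also why the firewall must keep its own mapping of who really owns each address before it can forward.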
5. Reliability
The firewall system sits at a key point of the network, so its reliability is obviously very important. A product with frequent breakdowns and poor reliability is clearly unlikely to be reassuring, and because the firewall sits at the key junction between the internal and external networks, once the firewall fails the entire intranet loses access to the external network. This is even harder to bear than a router failure (router topologies are generally designed with redundancy).
The reliability of a firewall shows in two aspects: hardware and software.
The hardware reliability of firewall products from mature foreign manufacturers is generally higher. Those with a dedicated hardware architecture go without saying, and even those built on a PC architecture use hardware with a more specialized design: the various parts of the system, from the network interfaces to the storage device (generally an electronic hard disk), are integrated together on one board, which naturally improves the reliability of the product.
Domestic products are obviously uneven and vary greatly; most use a PC architecture directly, more often an industrial PC, with off-the-shelf network cards and DOC/DOM (disk-on-chip or disk-on-module) devices as storage. Although the reliability of an industrial PC is much higher than that of an ordinary PC, it is still a patchwork: the parts of the equipment are separate, and from the point of view of reliability this is obviously not as good as an integrated design (the well-known bucket principle: the shortest stave sets the limit).
Some domestic manufacturers have realized this problem and begun to design their own hardware. But most manufacturers still opt for the generic PC architecture on cost grounds.
On the other hand, improving software reliability is the main thing that separates good firewalls from bad ones. The domestic software industry's reliability system as a whole is not mature, and software reliability testing is mostly at a very elementary level (reliability testing and bug testing are two entirely different things). On the one hand, a reliability system cannot be established; on the other hand, in order to meet users' needs and keep up with the continuous development of network applications, most firewall manufacturers have been constantly expanding and modifying their products, so their reliability is nothing to boast about.