Today we live in the Information Age, which could equally be called the age of viruses and hackers. That sounds pessimistic, but it describes today's networks: from the Internet to the enterprise intranet, from personal computers to Internet-capable mobile phones, nothing is safe. Every network virus outbreak gives home users, enterprise users, 800 hotlines and even operators a headache.
After one virus crisis after another, however, people have begun to think about network security. Any enterprise building a network now plans to buy a firewall, and more and more home users add a firewall to their own computers or even to their broadband access terminals. I believe that in the near future we will see firewalls appear on mobile phones as well.
A firewall, however, should not be merely a barrier that offers psychological comfort; it should actually block threats. For many small and medium-sized enterprises, the firewall configuration often does not reflect the business needs of the enterprise. If the protection settings are not fully defined from the enterprise's internal requirements, the filtering rules added to the firewall may let insecure services and communications pass, bringing unnecessary risk and trouble to the enterprise network. A firewall acts as a data filter: with reasonable filtering rules set in advance it can intercept irregular packets and filter traffic; with incorrect rules it is counterproductive.
What functions should an SME firewall have?
How can we configure the firewall reasonably? First, let us look at the functions an SME firewall should provide:
1. Dynamic packet filtering: the firewall dynamically maintains the state of all connections passing through it and filters on a per-connection basis;
2. It can serve as the point where NAT (Network Address Translation) is deployed. With NAT, a limited set of IP addresses can be dynamically or statically mapped to internal IP addresses, easing the shortage of address space;
3. Policies can be set for inbound and outbound data between trusted and untrusted domains;
4. A rule schedule can be defined so that the system automatically enables or disables a policy at a given time;
5. Detailed logging: records of firewall rule messages, system management information and system fault information, with support for a log server and log export;
6. An IPsec VPN function for secure remote access across the Internet;
7. An email notification function, so that system alarms can be sent to the network administrator by email;
8. An attack protection function that discards irregular IP packets, TCP packets, TCP half-open connections, UDP packets and ICMP packets that exceed empirical threshold values;
9. Filtering of Java, ActiveX, cookies, URL keywords and proxies in web traffic.
These are some of the protection features an SME firewall should possess. As technology develops, SME firewalls will of course gain more and more functions. But a firewall with many functions that is not properly configured and managed is merely an IT decoration.
How to implement firewall configuration
How is firewall configuration implemented? We discuss the following aspects:
Rule implementation
Rule implementation looks simple, but in fact it can only be done after detailed information has been gathered. We need to know the company's internal and external applications and their source addresses, destination addresses and TCP or UDP ports, and before configuring we sort the rules in the rule table by how often each application is used. The reason is that the firewall searches the rules in sequence, so putting the most commonly matched rules first improves the firewall's efficiency. In addition, virus warnings should be obtained from the virus monitoring department in a timely manner, and firewall policies updated as the warnings require.
Rule enabling plan
Some policies must be enabled or disabled at particular times, for example in the early hours of the morning, when the network manager may well be asleep. To make sure the policy takes effect at the right time, the rule enabling plan can set the time at which a rule is enabled. In addition, many enterprises run certain applications at night or in the early morning, such as remote database synchronization and remote information collection, to avoid peak Internet traffic and peak attack periods. With detailed rules and activation plans for these requirements, the network administrator can keep the system secure automatically.
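A worked model of the two points above, a sequentially searched rule table ordered by hit frequency and a rule enabling plan with a time window, as an added example that is not from the original article; the rule fields, the traffic mix, the addresses and the time window are all constructed.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

@dataclass
class Rule:                  # constructed, vendor-neutral rule model
    name: str
    proto: str               # "tcp", "udp" or "*" for any
    dport: Optional[int]     # None matches any destination port
    dst: str                 # destination address prefix, "*" for any
    action: str              # "allow" or "deny"
    window: Optional[Tuple[time, time]] = None  # enabling plan: active only in (start, end)
    hits: int = 0            # how often this rule was the first match

def rule_active(rule: Rule, now: time) -> bool:
    """No window means always on; a window may cross midnight, e.g. 22:00-05:00."""
    if rule.window is None:
        return True
    start, end = rule.window
    return start <= now < end if start <= end else (now >= start or now < end)

def rule_matches(rule: Rule, pkt: dict) -> bool:
    return ((rule.proto == "*" or rule.proto == pkt["proto"])
            and (rule.dport is None or rule.dport == pkt["dport"])
            and (rule.dst == "*" or pkt["dst"].startswith(rule.dst)))

def evaluate(rules: List[Rule], pkt: dict, now: time) -> Tuple[str, int]:
    """Sequential search, first active match wins; returns (action, rules examined)."""
    for examined, rule in enumerate(rules, start=1):
        if rule_active(rule, now) and rule_matches(rule, pkt):
            rule.hits += 1
            return rule.action, examined
    return "deny", len(rules)  # implicit deny at the end of the table

def reorder_by_hits(rules: List[Rule]) -> List[Rule]:
    # Only safe because these rules are disjoint: reordering overlapping allow/deny
    # rules would change which one wins, not merely how quickly it is found.
    return sorted(rules, key=lambda r: r.hits, reverse=True)

def demo() -> Tuple[int, int, str, str]:
    rules = [Rule("db-sync", "tcp", 1433, "10.0.0.", "allow", (time(1, 0), time(5, 0))),
             Rule("smtp", "tcp", 25, "10.0.0.25", "allow"),
             Rule("web", "tcp", 80, "*", "allow")]
    # Constructed traffic mix: web traffic dominates, as on most office networks.
    traffic = ([{"proto": "tcp", "dport": 80, "dst": "203.0.113.7"}] * 8
               + [{"proto": "tcp", "dport": 25, "dst": "10.0.0.25"}])
    noon, sync = time(12, 0), {"proto": "tcp", "dport": 1433, "dst": "10.0.0.9"}
    before = sum(evaluate(rules, p, noon)[1] for p in traffic)  # also counts hits
    after = sum(evaluate(reorder_by_hits(rules), p, noon)[1] for p in traffic)
    return (before, after, evaluate(rules, sync, noon)[0],     # outside window: denied
            evaluate(rules, sync, time(2, 30))[0])              # inside window: allowed
```

demo() returns the rules examined before and after reordering (26 versus 10 for this traffic mix) and shows the scheduled db-sync rule denying at noon and allowing at 02:30.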
Log monitoring
Log monitoring is a very effective security management method. Many administrators think that as long as log information is collected, for example all alarms or all traffic that matches or does not match a policy, the logs are complete. But consider: how would you find the information you need among the packets that pass through the firewall every day? Some software can produce graphs or statistics by analysing the logs, but it usually has to be developed or customized, which is expensive. Therefore only the most critical logs are actually useful.
As a rule, the system's alarm information should always be recorded, whereas traffic information should be recorded selectively. Sometimes, to investigate a problem, we can create a policy that matches the problem and observe it. For example, suppose a worm is detected on the intranet and attacks a UDP port on host systems. Even after the network administrator has cleaned the infected host, to check whether other hosts are infected we can add a policy for that port with logging enabled and watch the matching traffic on the network.
In addition, an enterprise firewall can respond to packets exceeding an empirical threshold by discarding them, raising an alarm and logging them. But every alarm and log must be analysed carefully, because system alarms are based on empirical values. For example, the number of sessions generated by a workstation and by a server differ completely, so the system may sometimes report that a mail server is launching an attack on a port, when the cause is simply the server continuously resending emails that have received no response.
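The worm-port policy and the threshold caveat above, carried through over sample log lines, as an added example that is not from the original article: the key=value log format, the monitored UDP port, the hosts and the thresholds are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed firewall log in a generic key=value style (not any vendor's real format).
# "worm-watch" is the logging-only policy added for the UDP port the worm used (9999 is made up).
LOG_LINES = """\
2024-05-06 09:00:01 rule=worm-watch action=log proto=udp src=10.0.1.15 dst=10.0.2.8 dport=9999
2024-05-06 09:00:02 rule=worm-watch action=log proto=udp src=10.0.1.15 dst=10.0.2.9 dport=9999
2024-05-06 09:00:02 rule=worm-watch action=log proto=udp src=10.0.1.15 dst=10.0.2.10 dport=9999
2024-05-06 09:00:03 rule=worm-watch action=log proto=udp src=10.0.1.15 dst=10.0.2.11 dport=9999
2024-05-06 09:00:05 rule=worm-watch action=log proto=udp src=10.0.1.22 dst=10.0.2.8 dport=9999
2024-05-06 09:00:07 rule=smtp-out action=allow proto=tcp src=10.0.0.25 dst=198.51.100.4 dport=25
2024-05-06 09:00:08 rule=smtp-out action=allow proto=tcp src=10.0.0.25 dst=198.51.100.5 dport=25
2024-05-06 09:00:09 rule=smtp-out action=allow proto=tcp src=10.0.0.25 dst=198.51.100.6 dport=25
2024-05-06 09:00:11 rule=smtp-out action=allow proto=tcp src=10.0.0.25 dst=198.51.100.7 dport=25
"""
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_log(text: str) -> List[Dict[str, str]]:
    """One dict per line; the leading timestamp is kept under 'ts'."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(FIELD.findall(line))
            rec["ts"] = line[:19]
            records.append(rec)
    return records

def distinct_targets(records: List[Dict[str, str]], rule: str) -> Dict[str, Set[str]]:
    """For one policy, the set of destinations each source has contacted."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        if rec.get("rule") == rule:
            targets[rec["src"]].add(rec["dst"])
    return targets

def flag_sources(records: List[Dict[str, str]], rule: str, limit: int,
                 server_limits: Dict[str, int]) -> List[str]:
    """Sources that contacted more distinct hosts than their limit.
    Workstations share the empirical 'limit'; known servers (a mail server retrying
    undelivered mail, say) get their own higher limit so they are not mis-reported."""
    flagged = [src for src, dsts in distinct_targets(records, rule).items()
               if len(dsts) > server_limits.get(src, limit)]
    return sorted(flagged)
```

With a workstation limit of 3, flag_sources singles out 10.0.1.15 under the worm-watch policy; the mail server's four SMTP sessions are only reported if no server-specific limit is given.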
Device management
For enterprise firewalls, device management is usually possible through a remote web management interface and by pinging the Internet-facing port, but this method is not safe, because the firewall's built-in web server may itself become a target of attack. We therefore recommend using an IPsec VPN and managing the firewall through the management address on its intranet port.