With the development of China's routing industry, its application is also more extensive, especially the application of routers and firewalls. Here we mainly explain the security configuration of NetEye firewall and Cisco router. Firewall has become a key part of enterprise network construction. However, many users think that Cisco routers already exist in the network and some simple packet filtering functions can be implemented. So why should we use firewalls? The following is a security comparison between the NetEye firewall and the most widely used and representative Cisco router in the industry. We will explain why a user's network includes a Cisco router and a firewall.
One or two devices have different backgrounds.
1. The two devices have different origins
The router is generated based on the route of network packets. What a Cisco router needs to do is to effectively route data packets from different networks. As for why routing, whether routing should be done, and whether there is a problem after routing, it is not concerned about: whether or not data packets of different network segments can be routed for communication. Firewalls are produced by people's security requirements. Whether data packets can be correctly arrived, the arrival time, and the direction are not the focus of the firewall. The focus is on this series.) whether data packets should pass through and whether they will cause harm to the network.
2. Different fundamental purposes
The fundamental goal of a vro is to keep the network and data accessible ".
The fundamental purpose of the firewall is to ensure that any non-permitted data packets are "inaccessible ".
Ii. Differences in core technologies
The core ACL list of a Cisco router is based on simple packet filtering. From the perspective of firewall technology, NetEye firewall is an application-level information flow filtering based on status packet filtering. Is the most simple application: a host on the enterprise intranet, using a router to provide services over the Intranet, assuming that the port providing services is tcp 1455 ). To ensure security, you need to configure the vro to allow only the client to access the tcp port 1455 of the server. For the current configuration, the security vulnerabilities are as follows:
1. IP Address Spoofing causes abnormal Connection Reset)
2. TCP spoofing session replay and hijacking)
The cause of the above risks is that the router cannot monitor the TCP status. If the NetEye firewall is placed between the client and the vro in the Intranet, because the NetEye firewall can detect the TCP status and generate a TCP serial number randomly, this vulnerability can be completely eliminated. At the same time, the one-time password authentication client function of the NetEye firewall can implement user access control when the application is completely transparent, its Authentication supports the standard Radius protocol and local Authentication database. It can fully interoperate with third-party Authentication servers and implement role division. Although the "Lock-and-Key" function of the Cisco router can implement user authentication through the dynamic access control list, but this feature requires the Cisco router to provide the Telnet service, the user also needs to Telnet to the vrotelnet for use, which is inconvenient to use and the open port is not safe enough to create an opportunity for hackers ).
Iii. Security Policy Formulation complexity
The default configurations of routers do not have sufficient security considerations. Some advanced configurations are required to prevent attacks. Most security policies are based on command lines, the formulation of security rules is relatively complex, and the probability of configuration errors is high. The default configuration of the NetEye firewall not only prevents various attacks, but also ensures security. The security policy is developed based on a Chinese GUI management tool. The security policy is user-friendly, simple configuration and low error rate.
4. Different Effects on Performance
The router is designed to forward data packets, rather than specially designed as a full-feature firewall. Therefore, when used for packet filtering, the operation is very large, the CPU and memory of the vro are both very high, and the hardware cost of the vro is relatively high because of its high hardware cost.
NetEye firewall's hardware configuration is very high using a general INTEL chip, high performance and low cost), its software also provides special optimization for packet filtering, its main modules run in the kernel mode of the operating system. During the design, security issues are taken into special consideration, and its packet filtering performance is very high. Because routers are simple packet filtering, the number of packet filtering rules increases, the number of NAT rules increases, and the impact on the performance of Cisco routers increases accordingly, the NetEye Firewall uses status packet filtering, number of rules, and number of NAT rules, which have a performance impact close to zero.
V. great differences in audit functions
The vro itself does not have the storage medium for logs and events. It can only store logs and events by using external log servers such as syslog and trap. The vro itself does not have an audit analysis tool, logs and events are described in a language that is not easy to understand. Cisco routers are not completely responsible for attacks and other security events, for many attacks, scans, and other operations, it is impossible to generate accurate and timely events. The weakening of the audit function prevents administrators from responding to security events in a timely and accurate manner.
The NetEye firewall provides two types of log storage media, including hard disk storage and separate log servers. For these two types of storage, the NetEye firewall provides powerful audit analysis tools, the administrator can easily analyze various security risks. The timeliness of the NetEye firewall's response to security events is also reflected in its various alarm methods, including beep, trap, email, and log; the NetEye firewall also provides the real-time monitoring function. It can monitor connections through the firewall online and packets for analysis. It does not analyze network running conditions, but also provides convenience for eliminating network faults.
6. Different AttacK Defense Capabilities
For a Cisco router, its common version does not have the application layer protection function, and does not have real-time intrusion detection and other functions. If such a function is required, you need to upgrade IOS to a firewall feature set. In this case, you not only need to pay for software upgrades, but also need to upgrade hardware configurations because these functions require a large amount of computing, the cost is further increased, and vrouters of many manufacturers do not have such advanced security features. We can conclude that: