Firewalls have become a key part of enterprise network construction. However, many users think that, since the network already has routers and those routers can implement some simple packet filtering, there is no need for a firewall. The following is a security comparison between the NetEye firewall and the most widely used and representative router in the industry, the Cisco router; it explains why a user's network should include both a router and a firewall.
I. The two devices have different backgrounds
1. The two devices have different origins
The router originated from the need to route network packets: its job is to forward packets efficiently between different networks. Why a packet is routed, whether it should be routed at all, and whether any problem results after routing are of no concern to the router. Its only concern is whether packets from different network segments can be routed so that those segments can communicate.
The firewall originated from people's security requirements. Whether a packet arrives correctly, when it arrives, and by which path it travels are not the firewall's focus. Its focus is on whether the packet should be allowed through at all and whether it will cause harm to the network.
2. Different fundamental purposes
The fundamental purpose of a router is to keep the network and its data "accessible".
The fundamental purpose of a firewall is to ensure that any packet that is not permitted is "inaccessible".
II. Differences in core technologies
The core of a Cisco router is its ACL (access control list), which is based on simple, stateless packet filtering. In firewall terms, the NetEye firewall performs application-level information-flow filtering built on stateful packet filtering.
Take the simplest application: a host on the enterprise intranet provides a service over the intranet through a router (assume the service port is TCP 1455). For security, the router is configured to allow only the client to access TCP port 1455 of the server.
With this configuration, the security weaknesses are as follows:
1. IP address spoofing, which causes abnormal connection resets
2. TCP spoofing (session replay and hijacking)
The cause of these risks is that the router cannot monitor TCP state. If a NetEye firewall is placed between the client and the router on the intranet, the vulnerability can be eliminated entirely, because the NetEye firewall tracks TCP state and generates TCP sequence numbers randomly. At the same time, the NetEye firewall's one-time-password client authentication function provides user access control while remaining completely transparent to the application; its authentication supports the standard RADIUS protocol as well as a local authentication database, so it can fully interoperate with third-party authentication servers and implement role separation.
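As an added illustration (not code from the article or from the NetEye product), the following Python models the difference just described: a router-style stateless ACL that admits any packet matching the server address and port 1455, beside a toy stateful filter that admits only packets belonging to a tracked TCP flow and carrying the sequence number it expects next. The addresses, ports and sequence numbers are constructed for the example; the model shows the state check only, not sequence-number randomization.

```python
from collections import namedtuple

SERVER, PORT = "10.0.0.10", 1455   # constructed sample values, not from the article
# flags: "S"=SYN, "SA"=SYN/ACK, "A"=ACK, "R"=RST; seq = sequence number, length = payload bytes
Pkt = namedtuple("Pkt", "src dst sport dport flags seq length", defaults=(0, 0))

def stateless_acl(p):
    """Router-style ACL: permit TCP to SERVER:1455 and the reverse direction.
    It checks only addresses and ports, never connection state."""
    return (p.dst, p.dport) == (SERVER, PORT) or (p.src, p.sport) == (SERVER, PORT)

class StatefulFilter:
    """Toy stateful inspection: a flow must be opened by a SYN to the permitted
    service; every later packet must match a tracked flow and its expected next seq."""
    def __init__(self):
        self.expected = {}   # (src, sport, dst, dport) -> next seq expected from src

    def accept(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":                      # new connection attempt
            if (p.dst, p.dport) != (SERVER, PORT):
                return False
            self.expected[fwd] = p.seq + 1      # SYN consumes one sequence number
            return True
        if p.flags == "SA":                     # reply is valid only for a tracked SYN
            if rev not in self.expected:
                return False
            self.expected[fwd] = p.seq + 1
            return True
        if self.expected.get(fwd) != p.seq:     # unknown flow or out-of-window seq
            return False
        if p.flags == "R":                      # reset in-window: tear the flow down
            for k in (fwd, rev): self.expected.pop(k, None)
            return True
        self.expected[fwd] = p.seq + p.length   # advance past any payload
        return True

def demo():
    """Returns (handshake accepted, forged RST passes ACL, forged RST passes firewall)."""
    client, f = "10.0.0.20", StatefulFilter()
    handshake = [Pkt(client, SERVER, 40000, PORT, "S", seq=1000),
                 Pkt(SERVER, client, PORT, 40000, "SA", seq=5000),
                 Pkt(client, SERVER, 40000, PORT, "A", seq=1001)]
    ok = all(f.accept(p) for p in handshake)
    # Reset carrying the client's address but a seq outside the tracked flow (risk 1 above)
    forged_rst = Pkt(client, SERVER, 40000, PORT, "R", seq=777)
    return ok, stateless_acl(forged_rst), f.accept(forged_rst)
```

The ACL passes the forged reset because it matches on addresses and ports alone, while the stateful filter drops it because no tracked flow expects that sequence number.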
Although a router's "Lock-and-Key" function can authenticate users through dynamic access control lists, the router must provide the Telnet service and the user must Telnet to the router to use it, which is inconvenient; moreover, the open port is not secure enough and creates an opportunity for hackers.
III. Complexity of security policy formulation
The default configuration of a router does not take security sufficiently into account, and advanced configuration is required to prevent attacks. Most security policies are written on the command line, the formulation of security rules is relatively complex, and the probability of configuration errors is high.
The default configuration of the NetEye firewall both prevents various attacks and guarantees security. Its security policy is formulated with a Chinese-language GUI management tool; the policy is user-friendly, configuration is simple, and the error rate is low.
IV. Different effects on performance
The router is designed to forward packets, not as a full-featured firewall. When it is used for packet filtering, the computational load is very large, the CPU and memory usage of the router both become very high, and the router's hardware cost is relatively high.
The NetEye firewall's hardware configuration is very high (it uses general-purpose Intel chips, giving high performance at low cost); its software is specially optimized for packet filtering, with its main modules running in the kernel mode of the operating system. Security issues were given special consideration during design, and its packet filtering performance is very high.
Because a router performs simple packet filtering, as the number of packet-filtering rules and the number of NAT rules increase, the impact on router performance increases accordingly. The NetEye firewall uses stateful packet filtering, so the number of rules and the number of NAT rules have a performance impact close to zero.
V. Great differences in audit functions
The router itself has no storage medium for logs and events; it can only store them on external log servers, via syslog and SNMP traps. The router has no audit analysis tool of its own, and its logs and events are described in a language that is not easy to understand. The router's information on security events such as attacks is incomplete, and for many attacks, scans and other operations it cannot generate accurate and timely events. This weak audit function prevents administrators from responding to security events in a timely and accurate manner.
The NetEye firewall provides two types of log storage media: hard disk storage and a separate log server. For both, the NetEye firewall provides powerful audit analysis tools with which the administrator can easily analyze various security risks. The timeliness of the NetEye firewall's response to security events is also reflected in its various alarm methods, including beep, trap, e-mail and log. The NetEye firewall also provides real-time monitoring: it can monitor connections passing through the firewall online and capture packets for analysis, which not only analyzes the network's operating condition but also helps in troubleshooting network faults.
VI. Different attack defense capabilities
For a router such as Cisco's, the standard version has no application-layer protection and no real-time intrusion detection or similar functions. If such functions are required, the IOS must be upgraded to the firewall feature set; this requires paying not only for the software upgrade but also for a hardware upgrade, because these functions demand a large amount of computation, so the cost increases further. Routers from many manufacturers do not have such advanced security features at all. We can conclude that:
· Cost of a router with firewall features > firewall + router
· Functionality of a router with firewall features < firewall + router
· Scalability of a router with firewall features < firewall + router
In conclusion, the simplicity or complexity of the user's network topology and the difficulty of the user's applications do not determine whether to use a firewall. The fundamental condition that determines whether a user uses a firewall is the user's need for network security!
Even if the user's network topology and applications are very simple, using a firewall is still necessary. If the user's environment and applications are complex, the firewall brings even more benefits. The firewall will be an indispensable part of network construction. In a typical network, the router is the first entrance protecting the intranet, and the firewall is the second and most rigorous gateway.