Firewalls have become a key component of enterprise networks. Yet many users ask: the network already has a router, and a router can do simple packet filtering, so why deploy a firewall? Below, the security features of the Neteye firewall are compared with those of the industry's most representative routers, Cisco's, to explain why a network that already has a router still needs a firewall.
I. The two kinds of device arose from different backgrounds
1. The two kinds of device have different origins
Routers arose from the need to route network packets. A router's job is to forward packets between different networks efficiently; why a packet is being routed, whether it should be routed, and what happens after it has been routed are not its concern. Its concern is that packets from different network segments are routed so that the segments can communicate.
Firewalls are the product of the need for security. Whether a packet arrives correctly, when it arrives and in which direction are not the firewall's focus; its focus is whether this packet (or this series of packets) should be allowed through at all, and whether letting it through would harm the network.
2. Their fundamental purposes differ
The fundamental purpose of a router is to keep the network and its data flowing "through".
The fundamental purpose of a firewall is to ensure that any packet that is not allowed does "not" get through.
II. Differences in core technology
The core of the Cisco router is its ACL, which performs simple, stateless packet filtering. In terms of firewall technology, the Neteye firewall performs stateful packet filtering together with application-level information-flow filtering.
The following figure shows one of the simplest applications: a host on the intranet provides a service through the router (assume the service listens on TCP port 1455). To secure it, an ACL is configured on the router's outside interface that permits only the client to reach the server's TCP port 1455 and denies everything else.
With this configuration, the security weaknesses are:
1. IP address spoofing (causing the connection to be reset abnormally)
2. TCP spoofing (session replay and hijacking)
These weaknesses exist because the router cannot track TCP state. If the Neteye firewall is placed between the client and the router on the intranet side, they are eliminated, because the Neteye firewall tracks TCP connection state and randomizes TCP sequence numbers. In addition, the Neteye firewall's one-time-password client authentication can enforce per-user access control while remaining completely transparent to the application. Its authentication supports the standard RADIUS protocol and a local authentication database, so it can fully interoperate with third-party authentication servers, and it supports role-based separation of users.
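The difference between the router's stateless ACL and a state-tracking firewall is easiest to see by modelling both and pushing the same segments through them. The following is an added example written for this article; it is not Neteye or Cisco code. The addresses, ports other than 1455, sequence numbers and the two forged RST segments are constructed sample values, and the small connection-tracking state machine (handshake tracking, a receive-window check, and substitution of the server's initial sequence number with a random one) is a simplified model of what a stateful firewall does, not a description of Neteye's internals.

```python
"""Stateless router ACL vs. stateful firewall for the TCP 1455 scenario.

Added example, not code from Neteye or Cisco. Addresses and segments are
constructed sample values (RFC 5737 documentation ranges and RFC 1918 space).
"""
import secrets
from dataclasses import dataclass, replace

CLIENT = "192.0.2.10"       # the one permitted client (constructed)
SERVER = "10.0.0.5"         # intranet host offering the service (constructed)
SERVICE_PORT = 1455         # service port from the scenario
WINDOW = 65535              # receive window used for the sequence-number check
MOD = 1 << 32               # TCP sequence numbers wrap at 2^32


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "RST", "PSH"}
    seq: int = 0
    ack: int = 0
    payload_len: int = 0


def stateless_acl(seg: Segment) -> bool:
    """Models the router ACL from the text: permit CLIENT -> SERVER:1455,
    permit the reply direction only for segments carrying ACK or RST
    (Cisco 'established' semantics), deny everything else. It inspects
    headers only and has no memory of earlier segments."""
    if seg.src == CLIENT and seg.dst == SERVER and seg.dport == SERVICE_PORT:
        return True
    if (seg.src == SERVER and seg.sport == SERVICE_PORT and seg.dst == CLIENT
            and seg.flags & {"ACK", "RST"}):
        return True
    return False


class StatefulFilter:
    """Same policy, but each connection is followed through its handshake,
    sequence numbers are checked against the expected window, and the
    server's initial sequence number (ISN) is replaced with a random one."""

    def __init__(self, isn_source=lambda: secrets.randbelow(MOD)):
        self.conns = {}              # client port -> connection record
        self.isn_source = isn_source

    def process(self, seg: Segment):
        """Return the segment to forward (possibly rewritten) or None to drop."""
        if not stateless_acl(seg):
            return None                            # policy denies it outright
        to_server = seg.dst == SERVER
        key = seg.sport if to_server else seg.dport
        c = self.conns.get(key)

        if to_server and "SYN" in seg.flags and "ACK" not in seg.flags:
            if c is not None:
                return None                        # SYN inside a tracked connection
            self.conns[key] = {"state": "SYN_SENT", "client_next": (seg.seq + 1) % MOD,
                               "server_next": None, "delta": 0}
            return seg
        if c is None:
            return None                            # no handshake seen: forged or stale

        if to_server:                              # client -> server direction
            if not self._in_window(seg.seq, c["client_next"]):
                return None                        # outside the window: drop
            if "RST" in seg.flags:
                if seg.seq != c["client_next"]:
                    return None                    # in-window but inexact RST: drop
                del self.conns[key]                # exact RST tears the connection down
                return seg
            if c["state"] == "SYN_RCVD" and "ACK" in seg.flags:
                c["state"] = "ESTABLISHED"
            c["client_next"] = (seg.seq + seg.payload_len) % MOD
            # undo the ISN rewrite on the acknowledgement the client sends back
            return replace(seg, ack=(seg.ack - c["delta"]) % MOD)

        if c["state"] == "SYN_SENT" and seg.flags >= {"SYN", "ACK"}:
            if seg.ack != c["client_next"]:
                return None
            new_isn = self.isn_source()            # hide the server's predictable ISN
            c["delta"] = (new_isn - seg.seq) % MOD
            c["server_next"] = (seg.seq + 1) % MOD
            c["state"] = "SYN_RCVD"
            return replace(seg, seq=new_isn)
        if c["server_next"] is None or not self._in_window(seg.seq, c["server_next"]):
            return None
        c["server_next"] = (seg.seq + seg.payload_len) % MOD
        return replace(seg, seq=(seg.seq + c["delta"]) % MOD)

    @staticmethod
    def _in_window(seq, expected):
        return (seq - expected) % MOD < WINDOW


def run_demo(isn_source=lambda: secrets.randbelow(MOD)):
    """Push a constructed handshake plus two forged RSTs through both filters."""
    fw = StatefulFilter(isn_source)
    c2s = dict(src=CLIENT, dst=SERVER, sport=40001, dport=SERVICE_PORT)
    s2c = dict(src=SERVER, dst=CLIENT, sport=SERVICE_PORT, dport=40001)
    fw.process(Segment(**c2s, flags=frozenset({"SYN"}), seq=1000))
    synack = Segment(**s2c, flags=frozenset({"SYN", "ACK"}), seq=5000, ack=1001)
    fwd_synack = fw.process(synack)                # seq rewritten to the random ISN
    ack = Segment(**c2s, flags=frozenset({"ACK"}), seq=1001, ack=(fwd_synack.seq + 1) % MOD)
    fwd_ack = fw.process(ack)                      # ack translated back for the server
    # Constructed segments carrying the client's forged source address:
    spoofed_rst = Segment(**c2s, flags=frozenset({"RST"}), seq=777_777)  # wrong sequence
    stray_rst = Segment(src=CLIENT, dst=SERVER, sport=4444, dport=SERVICE_PORT,
                        flags=frozenset({"RST"}), seq=1)                  # no handshake seen
    return {
        "synack_isn_rewritten": fwd_synack.seq != synack.seq,
        "server_sees_original_ack": fwd_ack.ack == 5001,
        "acl_spoofed_rst": stateless_acl(spoofed_rst),        # router lets it through
        "fw_spoofed_rst": fw.process(spoofed_rst) is not None, # firewall drops it
        "acl_stray_rst": stateless_acl(stray_rst),
        "fw_stray_rst": fw.process(stray_rst) is not None,
        "fw_state": fw.conns[40001]["state"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Both forged RSTs match the ACL, because the ACL only compares addresses and ports, so the router forwards them and the server may tear down a live session. The stateful model drops one because its sequence number is outside the expected window and the other because no handshake for that port was ever seen, and the real server ISN never reaches the client side, which is the practical effect of the sequence-number randomization mentioned above.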