Security issues of NetEye firewall and Cisco Router

Source: Internet
Author: User



Many people may not know how the NetEye firewall and Cisco routers are actually applied in practice. Below we analyze the security differences between the NetEye firewall and the Cisco router. The firewall has become a key part of enterprise network construction. However, many users reason that since there are already routers in the network, and routers can implement some simple packet filtering, there is no need for a firewall at all. The following is a security comparison between the NetEye firewall and the most widely used and representative router in the industry, the Cisco router. It explains why a NetEye firewall is still needed when the user's network already has a router.

I. The two devices have different backgrounds

1. The two devices have different origins

The router arose from the need to route network packets. What a Cisco router needs to do is to efficiently route data packets between different networks. Why a packet is routed, whether it should be routed at all, and whether routing it causes a problem are not its concern; its concern is whether packets from different network segments can be routed so that the segments communicate. The NetEye firewall arose from people's security requirements. Whether a packet arrives correctly, when it arrives, and in which direction are not the focus of the NetEye firewall; its focus is on whether a packet should be allowed through and whether it will harm the network.

2. Different fundamental purposes

The fundamental goal of a router is to keep the network and its data "accessible". The fundamental purpose of the firewall is to ensure that any packet that is not permitted is "inaccessible".

II. Differences in core technologies

The core of a Cisco router's ACL is simple packet filtering. In terms of firewall technology, the NetEye firewall performs application-level information flow filtering built on stateful packet filtering. Take the simplest application: a host on the enterprise intranet provides a service through a Cisco router, and assume the service port is TCP 1455. To keep it secure, the router must be configured so that only the client on the external network is allowed to access TCP port 1455 of the server.

The root cause of the risk described above is that the router cannot track TCP state. If a NetEye firewall is placed between the client and the router on the intranet, this vulnerability can be eliminated completely, because the NetEye firewall tracks TCP state and generates random TCP sequence numbers. At the same time, the one-time-password authentication client of the NetEye firewall can enforce user access control while remaining completely transparent to the application. Its authentication supports the standard RADIUS protocol as well as a local authentication database, so it interoperates fully with third-party authentication servers and supports division by role. Although the "Lock-and-Key" function of a router can authenticate users through dynamic access control lists, the router must provide the Telnet service and the user must Telnet to the router to use it, which is inconvenient, and the open port is not safe enough and gives attackers an opportunity.
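As an added illustration (not code from the article, nor from NetEye or Cisco), the following Python model contrasts a stateless router ACL, which judges each packet by its header alone, with a stateful filter that only passes packets belonging to a connection it saw being opened. The addresses, ports and packets are constructed for the example.

```python
from dataclasses import dataclass

SERVER = "10.0.0.5"       # constructed: internal host serving TCP 1455
CLIENT = "203.0.113.7"    # constructed: the one external client allowed in
SERVICE_PORT = 1455

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def stateless_acl(pkt: Packet) -> bool:
    """Router-style ACL: each packet is judged by its own header, no memory."""
    # Rule 1: the permitted client may reach the service port.
    if pkt.src == CLIENT and pkt.dst == SERVER and pkt.dport == SERVICE_PORT:
        return True
    # Rule 2: pass 'established' traffic (ACK set) so replies get back in.
    # The router cannot tell a genuine reply from any packet carrying ACK.
    return pkt.ack

class StatefulFilter:
    """Firewall-style filter: remembers connections opened by a valid SYN."""
    def __init__(self) -> None:
        self.table = set()   # (src, sport, dst, dport) of tracked connections
    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return True      # part of a connection we saw being opened
        if (pkt.syn and not pkt.ack and pkt.src == CLIENT
                and pkt.dst == SERVER and pkt.dport == SERVICE_PORT):
            self.table.add(fwd)   # new connection matching the policy
            return True
        return False         # unsolicited: no state and no policy match

def run_both(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_acl(p), sf.allow(p)) for p in packets]

# Constructed traffic: the client's handshake, then a stray ACK-flagged packet
HANDSHAKE = [
    Packet(CLIENT, 40000, SERVER, SERVICE_PORT, syn=True),
    Packet(SERVER, SERVICE_PORT, CLIENT, 40000, syn=True, ack=True),
    Packet(CLIENT, 40000, SERVER, SERVICE_PORT, ack=True),
]
STRAY = Packet("198.51.100.9", 5555, "10.0.0.20", 22, ack=True)
```

Running `run_both(HANDSHAKE + [STRAY])` shows both filters passing the handshake, while only the stateless ACL lets the stray packet through; this is the gap that TCP state tracking closes.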

III. Complexity of security policy formulation

The default configuration of a router does not take security sufficiently into account, and advanced configuration is required to prevent attacks. Most security policies are configured from the command line, formulating security rules is relatively complex, and the probability of configuration errors is high. The default configuration of the NetEye firewall not only prevents various attacks but also ensures security. Its security policy is formulated in a Chinese GUI management tool; the policy is user-friendly, configuration is simple, and the error rate is low.

IV. Different effects on performance

The router is designed to forward packets, not as a full-featured firewall. When it is used for packet filtering, the computational load is very large, CPU and memory utilization are both very high, and because a router's hardware is expensive, the cost is relatively high. The NetEye firewall has a high hardware configuration (it uses general-purpose Intel chips, giving high performance at low cost), its software is specially optimized for packet filtering, and its main modules run in the operating system's kernel mode. Security was given special consideration in its design, and its packet filtering performance is very high. Because a router does simple packet filtering, as the number of packet filtering rules and NAT rules grows, the impact on the performance of a Cisco router grows accordingly; the NetEye firewall uses stateful packet filtering, so the number of rules and the number of NAT rules have almost no impact on its performance.

V. Great differences in audit functions

Routers have no storage media for logs and events; they can only store logs and events on external log servers, by means such as syslog and SNMP traps. Cisco routers have no audit and analysis tools, and their logs and events are described in a language that is not easy to understand. Cisco routers do not fully account for attacks and other security events; for many attacks, scans and other operations they cannot generate accurate and timely events. This weak audit function prevents administrators from responding to security events in a timely and accurate manner.

The NetEye firewall provides two types of log storage media: hard disk storage and a separate log server. For both types of storage, the NetEye firewall provides powerful audit analysis tools with which the administrator can easily analyze various security risks. The timeliness of the NetEye firewall's response to security events is also reflected in its various alarm methods, including beep, trap, email and log; the NetEye firewall also provides real-time monitoring. It can monitor connections through 

VI. Different attack defense capabilities

A router such as a Cisco router, in its common version, has no application-layer protection and no real-time intrusion detection or similar functions. If such functions are required, IOS must be upgraded to a firewall feature set. In that case you not only pay for the software upgrade but also need to upgrade the hardware configuration, because these functions require a large amount of computation; in addition, routers from many manufacturers do not have such advanced security features at all.

In conclusion, whether a firewall is needed is not determined by how simple or complex the user's network topology is, nor by how demanding the user's applications are. The fundamental condition for deciding whether a user needs a firewall is the user's need for network security!