Although it is called a hardware firewall, almost all of the work is software work. Software is the core of a hardware firewall.
Before development, you must first know what type of firewall you need. Hardware firewalls can be roughly divided into high-end firewalls, represented by gigabit products; mid-range megabit-class (MB) enterprise firewalls; and low-end home/small-office firewalls (SOHO-SMB). The development methods for these three classes are quite different. Representative high-end gigabit firewalls include the NetScreen 5000 series and the Nokia/Check Point IP720 and above. These firewalls can handle gigabit workloads, with a throughput of at least MB. For a domestic manufacturer it is very difficult to bring a real gigabit firewall to market; for details, see: Why is it difficult to implement a gigabit firewall?
Low-end home/small-office firewalls are mainly constrained by hardware cost. Products in this class include NetScreen's 50/25/5x series and FortiGate's FG200 and FG300, and some dial-up boxes and broadband routers on the market also belong to this class. Most of them are single-in, single-out devices used mainly to control a small LAN's access to the Internet. Since the average company's Internet link is only a few megabits at best, and even LAN or cable-modem users share a public outlet of only several megabits, a single-entry small firewall that handles 10 Mbit/s and Mbit/s links can basically meet the requirements. In fact, some companies of a hundred people dial up with Windows 98 plus SyGate and are quite happy with it. The performance requirements at this level are therefore not high, and the price stays below 20 thousand yuan. However, for a firewall on the x86 architecture even the cheapest hardware costs several thousand yuan, and once the software cost is added the 20 thousand yuan price cannot be held. The usual development method at this level is therefore to choose a suitable embedded system, usually Linux, bought as a complete hardware and software package, and add the firewall application on top. The main system development is done by the embedded-system supplier, the system's functions are weak, and little room is left for the manufacturer's own software, so it is more like a hardware procurement project. With the minimum purchase quantity (usually one thousand units) plus software development, a product can be obtained for around 1 million. Although such a device is also a "hardware firewall", it is not the focus of this article.
This article describes how to develop a mid-range enterprise-level megabit-class (MB) firewall. This class is the main target of enterprise procurement and the product type most needed, and domestic firewalls are basically concentrated here. The operating system is generally open-source Linux or BSD; BSD applications are not updated as quickly, so most firewalls use Linux.
To develop a megabit-class firewall, you need to select a suitable server motherboard or industrial PC, and a good NIC, usually a dedicated server NIC. Operating systems such as Linux automatically adapt to different motherboards (as long as they comply with standards such as PC2000), and the latest Linux kernel can always exploit the performance of newer boards (such as PIII hyper-threading); but every motherboard and CPU differs slightly, so unless there is no demand for top performance, the kernel must be modified and optimized for the characteristics of the motherboard and CPU, such as registers, SMP and hyper-threading. Otherwise the default kernel uses only the most basic capabilities of these boards and CPUs. For example, an important firewall performance indicator is the maximum session rate, the maximum number of new sessions per second. With a generic kernel on a P3 CPU the maximum is roughly several thousand; after optimization for the board design (information that can be obtained from the motherboard and CPU manufacturers) it can be improved to about 3-5 thousand. Conversely, simply upgrading the motherboard and CPU does not necessarily improve performance: if a firewall upgraded from P3 to P4 does not support P4's special features such as hyper-threading, its maximum session capability is no different from that of the P3. Rather than an upgrade that brings nothing, it is better to reduce cost. With special optimization the performance can reach 0.5 million, which is also the limit an Intel-architecture motherboard can achieve for this class of firewall. Optimization of the selected hardware is independent of the firewall's main software work, and in general its necessity is not apparent.
However, under extreme use or in an evaluation environment the gap becomes very large. Besides performance optimization, NIC driver development also serves to bind the firewall software to its hardware to prevent piracy; this driver, together with the customized firewall kernel, makes piracy much more difficult.
The main body of firewall software development is the management software. Here the architect must understand what kind of firewall he wants to build and what its management philosophy is. A few years ago this development was simple: some web-invoked programs (another method was to write a Windows program in Delphi that controls the firewall through a specific port service and calls preset programs; the principle is the same) directly called Linux's firewall management tool, such as ipchains. The rest of the work was to prepare default configurations for several classes in advance (equivalent to templates). Development was therefore not difficult and could always be completed in ten days to half a month. A large number of domestic firewalls were developed this way. Such a firewall is unnecessary for anyone familiar with Linux firewalls, who can achieve the same with ipchains directly, so today such firewalls are no longer marketable. Today's firewall is designed mainly for ease of management, focusing on the administrator's ability to maintain a large number of complex, mostly custom policies. This requires developing an "object-oriented management firewall". For that, simply driving ipchains/iptables from PHP or a Delphi GUI is not enough; in fact it is difficult to meet the requirements with iptables alone, and developers often have to develop their own iptables-like firewall management tool. This part of the work is very large.
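The following is an added example, not code from the article: a minimal "object-oriented" policy model of the kind described above, in which reusable host and service objects are compiled into ordered iptables commands with a default-deny tail. The class and function names (NetObject, Service, Rule, compile_policy) and the sample policy are assumptions; the iptables syntax is the real one.

```python
# Added example: policy objects compiled into iptables commands.
# NetObject/Service/Rule/compile_policy are hypothetical names.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class NetObject:           # a host or network object reused across rules
    name: str
    cidr: str


@dataclass(frozen=True)
class Service:             # a protocol/port object, e.g. "http" = tcp/80
    name: str
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    src: NetObject
    dst: NetObject
    svc: Service
    action: str            # "ACCEPT" or "DROP"


def compile_policy(rules, chain="FORWARD"):
    """Translate policy objects into ordered iptables commands.
    ip_network() is strict, so a typo such as 10.0.0.10/24 raises
    ValueError instead of silently producing a wider match."""
    cmds = []
    for r in rules:
        if r.action not in ("ACCEPT", "DROP"):
            raise ValueError(f"bad action {r.action!r}")
        src, dst = ip_network(r.src.cidr), ip_network(r.dst.cidr)
        cmds.append(f"iptables -A {chain} -s {src} -d {dst} -p {r.svc.proto} "
                    f"--dport {r.svc.port} -m comment --comment "
                    f"'{r.src.name}->{r.dst.name}:{r.svc.name}' -j {r.action}")
    cmds.append(f"iptables -A {chain} -j DROP")   # default deny at the end
    return cmds


# Constructed sample policy: the LAN may reach one web server over HTTP.
LAN = NetObject("lan", "192.168.1.0/24")
WEB = NetObject("webserver", "10.0.0.10/32")
HTTP = Service("http", "tcp", 80)
POLICY = [Rule(LAN, WEB, HTTP, "ACCEPT")]

if __name__ == "__main__":
    print("\n".join(compile_policy(POLICY)))
```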
As the carrier of the firewall, the operating system and the firewall kernel are also a focus of the work. As the network's first line of defense, the firewall cannot use a default operating system; everything except the most necessary services must be removed. Enterprise-level firewalls therefore use embedded operating system development methods, generally forming a hardened operating system that runs in memory, like a diskless workstation. The firewall must run fault-free for long periods and cope with sudden power outages, so a system hard disk is generally not used, to avoid damage on power failure. Fixed storage in a firewall is generally small; 16 MB to 32 MB is more than enough. Some firewall vendors lack the ability to do this and use flash as a system disk instead, which is very dangerous: the write performance of flash is poor and it tolerates only about a thousand write cycles, while a Unix file system reads and writes frequently, so data loss on the flash is easy to cause. Moreover, if a power failure occurs while the system is writing to a directory, the file system is likely to be damaged. The end result is that even if the system can be rescued, the user's firewall will not be of adequate quality.
The firewall kernel is also an indispensable task. At present most firewalls use netfilter as the firewall kernel, and a certain level of attack resistance is required; refer to the in-depth application example of Netfilter. Some firewall products have extended this work and want the kernel to also perform IDS and anti-virus functions. Although this can be done, it seriously damages the basic performance of the firewall.
Enterprise-level firewalls require several remote management paths, including SSL over HTTP, a remote secure shell, or a dedicated client tool. All of them rely on the same user management program running on the firewall. Once invoked, these management programs connect to the firewall's interface management program (such as iptables, or a self-written interface program such as the totem objectmgr) to manage the firewall. This part of the work is also fairly large. For example, a firewall that lets users log on via SSH must never hand back a root shell directly (too dangerous), so a restricted shell must be developed as the first interface; the developer ends up writing a bash-like interpreter. Security control over remote access is a key aspect of the firewall and is usually combined with management-host restrictions, IP/MAC restrictions, passwords, certificates and other measures. Otherwise anyone may try to log on to the firewall, the firewall itself becomes a danger, and network security is not guaranteed.
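As an added illustration (not the article's or any vendor's code) of the restricted shell the paragraph above calls for, here is a small command interpreter that sits between the SSH session and the system: only allow-listed verbs run, arguments are validated before they reach any system tool, shell metacharacters are rejected outright, and every attempt is recorded in an audit log. The verb names, handlers and their outputs are constructed for the example.

```python
# Added example: a restricted management shell instead of a root shell.
# COMMANDS, dispatch and the two verbs are hypothetical names.
import re
import shlex

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
AUDIT_LOG = []                       # (outcome, raw line) for every attempt


def _show_policy(args):
    # A real build would read the policy store; this output is constructed.
    return "policy: 1 rule (lan->webserver:http ACCEPT)"


def _ping(args):
    # Validate the argument shape before anything could be handed to a tool.
    if len(args) != 1 or not IPV4.match(args[0]):
        return "error: ping needs exactly one IPv4 address"
    return f"ping {args[0]}: ok"     # a real build would exec ping here


COMMANDS = {"show-policy": _show_policy, "ping": _ping}


def dispatch(line):
    """Run one management command line.
    Unknown verbs and shell metacharacters never reach the system,
    so no input path leads back to a root shell."""
    if any(c in line for c in ";|&`$<>"):
        AUDIT_LOG.append(("rejected", line))
        return "error: forbidden character"
    try:
        parts = shlex.split(line)
    except ValueError:
        AUDIT_LOG.append(("rejected", line))
        return "error: unbalanced quotes"
    if not parts:
        return ""
    verb, args = parts[0], parts[1:]
    handler = COMMANDS.get(verb)
    if handler is None:
        AUDIT_LOG.append(("rejected", line))
        return f"error: unknown command {verb!r}"
    AUDIT_LOG.append(("ran", line))
    return handler(args)


def repl(lines):
    """Run a scripted session; stands in for reading the SSH channel."""
    return [dispatch(l) for l in lines]
```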
After completing the above work, add the web-SSL management interface mentioned first, or the Delphi (or C++) client management tool, and the firewall is basically formed. The only difference is whether users find your management tools easy to use. (Many programmers think the firewall project is not big; in fact they think firewall R&D consists of nothing but this graphical management interface.) Even so, the firewall R&D project is far from complete. Developers often have to add a VPN to the firewall (also a huge project), a proxy server (if you want to add one, you need to write proxies for a variety of protocols), PPPoE dialing, session authentication if required, HA and load balancing, transparent access, external account management, and so on.
Now that the above work is finally complete, can the job be handed in? Indeed it can, if you do not mind your firewall's bugs! Otherwise at most half the project is done. The next task is to write test cases. Hardware firewalls have high software-quality requirements because they must work hard for long periods without interruption. The tester should write at least three kinds of test cases: (1) check whether the program fails to release memory objects; this problem is common in Windows programs, which is why Windows needs a restart after running for a while to free memory. In a firewall the requirement is much stricter: a single leaked object is no big deal for an ordinary software project, but it is fatal to a firewall, whose system resources would be completely swallowed by such a bug in a short time. (2) Whether packets are released or blocked correctly when a given policy instance is generated with the firewall management tool. (3) The firewall's maximum operating conditions; this is a matter of tests such as the maximum session count. These require specialized test tools such as SmartBits, and high-performance firewalls also need outsourced testing because the equipment is too expensive. If the firewall integrates functions such as VPN, IDS and anti-virus, further test cases must be written to measure how much the rest of the firewall's performance degrades when these functions are enabled.
Testing the firewall software system is the most time- and labor-consuming task and accounts for at least half of the development cost. If any test fails, you must debug and retest until the test passes completely. If a module passes after three rounds of testing and rework, the programmer is excellent; six or seven rounds is normal; even ten is no shame. In this work developers discover that dividing the program into several independent layers, each developed, tested and documented separately, as mentioned above, has unparalleled advantages. Otherwise such a project could not be completed by a thousand people in a hundred years.
Only after testing is complete does the firewall pass. If 100 people can finish the project within a year, be thankful. Developing an enterprise-level firewall requires tens of millions of RMB; do you understand now? Likewise, a few years ago a management interface wrapped around ipchains was of course also a firewall, and no fraud was involved; it is simply the choice each vendor makes.