One. The wild horse: Looknstop
Choosing a network firewall has become a headache for many users. Look at today's firewall market: it is crowded, yet users are not happier for having more and more products to choose from. On the contrary, more and more people find themselves facing a hard choice: which firewall product is the safest?
With so many firewall products on offer, users only want to find a suitable one quickly, and so a number of authoritative testing organizations have appeared, such as Firewall Leak Tester (FLT). These organizations put firewall products through strict tests in simulated and real environments and tally a total score for each product. With those results we can quickly pick a product we can trust.
Looknstop has long ranked first in the FLT results, and it is the firewall that Swiss banks use to secure their own systems.
Yet this powerful product is rarely found installed on the average user's machine. Why?
Xiao Li, an office worker, came across an introduction to the product and, wanting to try it out, installed it on his machine. But instead of enjoying the security a top-ranked firewall should bring, he got a string of nightmares: BitComet stopped working, Hao Fang (the game platform), Thunder and FlashGet were all crippled, and Warcraft became a synonym for crashing... Is this protection or sabotage? Xiao Li looked up some information and found that the product needs to be configured, so he opened the settings interface... but faced with a wall of professional terminology, Xiao Li gave up completely.
In the end, Xiao Li abandoned Looknstop and switched to a domestic firewall.
Admittedly, Looknstop is an excellent product: it provides powerful and comprehensive network protection, flexible custom intrusion detection rules and a small footprint in system and file resources; with the right rules it can even take over part of a sniffer's job and monitor network packets...
But Looknstop makes its users love it and hate it at the same time: to use it, you must get past its hardest part, the firewall rule settings. This powerful product comes with the most troublesome rule set in the industry, and many users face it as they would a wild horse that is hard to tame.
Is Looknstop really that elusive for the average user?
Two. Principles: rules and communication
When we introduced how firewalls work earlier, I mentioned "firewall rules". Rules are the firewall's thinking: they are descriptive statements that define the firewall's behaviour. Each rule corresponds to one specific decision; according to the conditions in a rule (port, protocol type, even the packet payload), the firewall intercepts or passes the packets that match, and can of course log them as well. Combined, many rules give us a strong and flexible protection system.
Configuring firewall rules is often the biggest headache for network administrators. Aside from how powerful the firewall engine is, a firewall's efficiency, what it intercepts and what it lets through, and its overall safety margin all come down to how the rules are set. If the engine cannot parse the complex structure of a packet, rules that describe such complex conditions cannot work; but the more powerful a firewall is, the more complex its rules become, and for such a firewall a good rule set matters more than anything else.
Rules are not set casually; they implement a certain "security policy". Most firewall products ship with default rules, which are the concrete embodiment of the vendor's security policy, and many users never modify them after installing or buying the product, or do not even know that firewall rules exist. They still get the firewall's protection, because the vendor has applied a rule set "compatible" with the majority of users: in other words, when a user accepts a firewall product, the vendor has already customized the security policy for them. But a policy aimed at the general public does not necessarily suit everyone. Some users find that the default rules do not fit their actual environment and modify or extend the rule set to their own requirements. Take a Web server: if the firewall's default rules restrict external access to the low ports below 1024, that clearly conflicts with the site's need to open port 80, so the administrator modifies the firewall rules, either removing the restricting rule or taking port 80 out of its conditions. Many users do not realize that adding or deleting rules in this way is itself the process of implementing their own security policy.
But before we turn a security policy into a concrete rule set, we must think about one more thing: the security architecture.
The "security architecture" is the overall security effect the firewall finally delivers to the user. A security policy can be one-sided; when an administrator thinks about a policy he does not necessarily consider the overall effect. But before a security policy can appear as a rule set, it must first be converted into the overall security architecture, that is, considered as a global set of policies. Take the Web server example again: the administrator needs to open port 80 at minimum; if there is FTP, port 21 as well; and perhaps SSL on port 443. The security policy for this environment can be described as the following list:
1. Open port 80
2. Open port 443
3. Open port 21
But this alone is not enough. The administrator must make sure these entries do not conflict with the existing rule set and that they work efficiently in the real environment. For example, in practice a firewall that opens a port must also monitor the traffic on it to prevent SYN floods and the like. The firewall's default rule set must also be checked for conflicting entries: if you add an "open port 80" rule while the rule set already contains a rule restricting connections to all ports, one of the two rules is invalidated and the administrator's intent is not implemented.
So after drawing up his security policy, the administrator also reviews the existing rule set, deletes the rules that conflict with the policy, possibly adjusts the policy to the actual application environment, and finally arrives at the final list of security policies, which is called the "security architecture":
1. Open ports 21, 80 and 443
2. Limit the SYN count on port 80 to prevent DoS attacks
3. Keep blocking access to other ports, such as 135 and 139
4. Allow ICMP echo
5. Allow administrators to configure the server via Telnet from the internal network
6. Further rules...
The description of this policy list as a set is the concrete form of the "security architecture".
Once the administrator has settled the overall security architecture, it is time to implement the changes to the firewall rules. But before touching the rules, there is one final point to note: "rule order".
"Rule order" is a part of the configuration that cannot be ignored, because most firewall products evaluate rules sequentially: the first matching rule decides, and all the rules after it are ignored. The order of the rules therefore determines how the firewall behaves. Administrators must place rules that are specific in nature, and that do not easily conflict with other existing rules, at the top, so that the firewall does not match a general rule before it ever reaches the specific one; otherwise the security rules the administrator carefully set are invalidated.
With all the preparation done, we turn the plan into reality: the firewall rule settings.
As I said before, a firewall rule is a statement describing what the firewall should do with a given type of packet. Depending on how deeply the firewall's core can parse packets, different firewalls define rules differently, but they are basically all built from the same parameters: packet direction, packet address and address range, protocol type, port number, flag bits (TCP), packet type and code (ICMP), and the firewall's action when the condition is met (pass, intercept, ignore, log). Combinations of these parameters form the rules that finally protect the user from network attacks and become the user's security architecture. The more data types a firewall's core can identify, the more complex its rule settings become; you cannot have it both ways. Learning to configure firewall rules is therefore essential for every administrator and professional user.
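The parameters listed above, the first-match rule order described earlier, and the "open port 80" versus "restrict all ports" conflict from the Web server example can all be exercised in a few dozen lines. The script below is an added example written for this article; it is not code from the original page and it is not Looknstop's rule format. It models a rule as the parameters just listed (direction, source and destination address range, protocol, port range, TCP flags, ICMP type, action), evaluates packets with first-match semantics, and adds a shadowing check that reports any rule an earlier, broader rule makes unreachable. The rule names, the Web server rule set and the addresses (192.168.0.0/24, 198.51.100.10, 203.0.113.5) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


# A field left as None means "any": the rule places no constraint on that parameter.
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "pass" or "block"
    direction: Optional[str] = None             # "in" / "out"
    proto: Optional[str] = None                 # "tcp" / "udp" / "icmp"
    src: Optional[str] = None                   # CIDR, e.g. "192.168.0.0/24"
    dst: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None     # inclusive destination port range
    tcp_flags: Optional[FrozenSet[str]] = None  # TCP flags that must all be set
    icmp_type: Optional[int] = None
    log: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()
    icmp_type: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every constrained field of the rule is satisfied by the packet."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    if rule.tcp_flags is not None and not rule.tcp_flags <= pkt.tcp_flags:
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, str]:
    """First-match semantics: the first rule that matches decides; later rules are ignored."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b would also match a (a is at least as broad on every field)."""
    def same(x, y):  return x is None or x == y
    def net(x, y):   return x is None or (y is not None and ip_network(y).subnet_of(ip_network(x)))
    def ports(x, y): return x is None or (y is not None and x[0] <= y[0] and y[1] <= x[1])
    def flags(x, y): return x is None or (y is not None and x <= y)
    return (same(a.direction, b.direction) and same(a.proto, b.proto)
            and net(a.src, b.src) and net(a.dst, b.dst)
            and ports(a.dport, b.dport) and flags(a.tcp_flags, b.tcp_flags)
            and same(a.icmp_type, b.icmp_type))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never fire because an earlier rule already covers everything they match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule set for the Web server scenario (names and addresses are assumptions).
# Specific rules come first; the broad "block low ports" rule is deliberately last.
WEB_SERVER_RULES = [
    Rule("allow-web", "pass", "in", "tcp", dport=(80, 80)),
    Rule("allow-https", "pass", "in", "tcp", dport=(443, 443)),
    Rule("allow-ftp", "pass", "in", "tcp", dport=(21, 21)),
    Rule("block-netbios", "block", "in", "tcp", dport=(135, 139), log=True),
    Rule("allow-icmp-echo", "pass", "in", "icmp", icmp_type=8),
    Rule("allow-admin-telnet", "pass", "in", "tcp", src="192.168.0.0/24", dport=(23, 23)),
    Rule("block-low-ports", "block", "in", "tcp", dport=(1, 1023), log=True),
]
# The same rules with the broad block rule moved to the top: the mistake the text warns about.
MISORDERED_RULES = [WEB_SERVER_RULES[-1]] + WEB_SERVER_RULES[:-1]

if __name__ == "__main__":
    http_syn = Packet("in", "tcp", "203.0.113.5", "198.51.100.10", 80, frozenset({"SYN"}))
    print(evaluate(WEB_SERVER_RULES, http_syn))   # ('pass', 'allow-web')
    print(evaluate(MISORDERED_RULES, http_syn))   # ('block', 'block-low-ports')
    for later, earlier in shadowed_rules(MISORDERED_RULES):
        print(f"{later!r} can never match: shadowed by {earlier!r}")
```

Run as a script it shows the same HTTP SYN passed by the correctly ordered set and blocked by the misordered one, then lists every rule the early "block-low-ports" entry shadows: all the port 21/80/443 allows, the NetBIOS block and the internal Telnet allow, while the ICMP rule survives because its protocol differs. The shadowing check is the review step described in the text, done mechanically: a rule reported as shadowed is exactly one that "is invalidated" by a more general rule placed above it.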
A firewall's performance depends on the final rule settings; get them slightly wrong, and even a powerful engine provides only entry-level defence.
For example, a user removes the restriction on access to the low ports but forgets the potential danger of port 139; soon after, an intruder connects to the user's machine and plants a backdoor.
In such a case, should we blame the firewall, or blame the user's rule settings?
That is the question.
Likewise, Looknstop brings the user powerful defence at the cost of complex rules that are hard to set; many users are dumbfounded the first time they open its rule settings interface, and I was too.
Because of this, many users took the other path and switched to other firewall products. Is Looknstop really that hard to tame?
Today, let us tame this fine wild horse.