Types of Firewalls

Source: Internet
Author: User
Tags: filter, port number, firewall

Firewall technologies can be classified in several ways according to what they inspect and where they enforce policy, but they generally fall into two categories: packet filtering and application proxying.

Packet filtering: operates at the network and transport layers. It decides whether a packet may pass based on header fields such as source address, destination address, port numbers and protocol type. Only packets that satisfy the filtering logic are forwarded toward their destination; all others are dropped from the data stream.

Application proxy: also called an application gateway, it operates at the application layer. Its defining characteristic is that it completely intercepts network traffic: a dedicated proxy is written for each application service, and that proxy monitors and controls the application-layer communication for the service. In practice an application gateway is usually implemented on a dedicated host.

1. Packet Filtering Firewalls

Packet filtering is a general, inexpensive and effective security method. It is general because it does not need special handling for individual network services; it is inexpensive because most routers already provide packet filtering; and it is effective because it can satisfy a large part of an enterprise's security requirements.

Packet filtering works at the network and transport layers. It decides whether a packet may pass based on the source and destination host addresses, the port numbers, the protocol type and the flags in the header. This information comes from the IP header and the TCP or UDP header.

The advantage of packet filtering is that it requires no changes to client or server applications, because it works at the network and transport layers and is independent of the application layer. Its weaknesses are equally obvious. Because it sees only the limited information in the network- and transport-layer headers, it cannot satisfy every security requirement. Many filters limit the number of rules, and performance degrades considerably as the rule count grows. Because a filter retains no context between packets, it cannot effectively filter connectionless or dynamic-port protocols such as UDP and RPC. In addition, most filters lack auditing and alerting, their management and user interfaces are poor, and they place high demands on the administrator, who must understand the protocols themselves and how different applications use them in order to write correct rules. For these reasons, packet filters are usually combined with an application gateway to form a complete firewall system.
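The "lack of context between packets" weakness is easiest to see side by side with a filter that keeps context. The following is an added example, not code from the original article: a toy stateless packet filter whose only way to admit reply traffic is to guess at header fields (TCP packets with the ACK bit set, UDP datagrams from source port 53), next to a minimal connection-tracking filter that admits an inbound packet only if it is the reverse of a flow an inside host started. The addresses, ports, rule set and traffic are all constructed for illustration.

```python
"""Stateless packet filter versus a minimal stateful (connection-tracking) filter.

Added example: a toy model, not code from the original article. The addresses,
ports and rule set below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

INTERNAL_PREFIX = "10.0.0."   # constructed: addresses with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags present in the header, e.g. {"SYN"}

    @property
    def outbound(self) -> bool:
        return self.src.startswith(INTERNAL_PREFIX)


@dataclass(frozen=True)
class Rule:
    """One header-matching rule; None fields are wildcards."""
    action: str                              # "allow" or "deny"
    outbound: Optional[bool] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    require_flags: frozenset = frozenset()   # every listed flag must be set

    def matches(self, p: Packet) -> bool:
        return ((self.outbound is None or self.outbound == p.outbound)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and self.require_flags <= p.flags)


def stateless_filter(rules: List[Rule], p: Packet) -> bool:
    """First matching rule decides; no match means drop (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action == "allow"
    return False


# Egress policy shared by both filters: inside hosts may reach HTTPS and DNS.
EGRESS_RULES = [
    Rule("allow", outbound=True, proto="tcp", dport=443),
    Rule("allow", outbound=True, proto="udp", dport=53),
]

# A stateless filter can only let replies back in by guessing at header fields:
# "TCP with ACK set" and "UDP from source port 53" stand in for "reply traffic".
STATELESS_RULES = EGRESS_RULES + [
    Rule("allow", outbound=False, proto="tcp", require_flags=frozenset({"ACK"})),
    Rule("allow", outbound=False, proto="udp", sport=53),
]


class StatefulFilter:
    """Tracks flows the inside initiated; inbound packets must belong to one."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int, str]] = set()

    def check(self, p: Packet) -> bool:
        if p.outbound:
            if not stateless_filter(EGRESS_RULES, p):
                return False
            # Record the flow when it starts: a TCP SYN without ACK, or any UDP datagram.
            if p.proto == "udp" or ("SYN" in p.flags and "ACK" not in p.flags):
                self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return True
        # Inbound: allowed only as the reverse of a tracked flow.
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows


def filter_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Constructed traffic; returns name -> (stateless verdict, stateful verdict)."""
    stateful = StatefulFilter()
    traffic = [
        ("https_syn_out",  Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443, frozenset({"SYN"}))),
        ("https_reply_in", Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000, frozenset({"SYN", "ACK"}))),
        ("dns_query_out",  Packet("10.0.0.5", "203.0.113.53", "udp", 5353, 53)),
        ("dns_reply_in",   Packet("203.0.113.53", "10.0.0.5", "udp", 53, 5353)),
        # Attacker probes an internal SSH port with the ACK bit set (an ACK scan).
        ("ack_probe_in",   Packet("198.51.100.7", "10.0.0.9", "tcp", 31337, 22, frozenset({"ACK"}))),
        # Attacker sends UDP from source port 53 to reach an internal SNMP port.
        ("udp_sport53_in", Packet("198.51.100.7", "10.0.0.9", "udp", 53, 161)),
    ]
    return {name: (stateless_filter(STATELESS_RULES, p), stateful.check(p))
            for name, p in traffic}


if __name__ == "__main__":
    for name, (sl, sf) in filter_scenario().items():
        print(f"{name:15} stateless={'allow' if sl else 'drop':5} stateful={'allow' if sf else 'drop'}")
```

Both filters pass the legitimate HTTPS and DNS exchanges, but the stateless rule set also admits the crafted ACK probe to port 22 and the UDP datagram sourced from port 53, because those packets satisfy the header guess. The stateful filter drops both, since neither is the reverse of a flow an inside host opened. Real implementations additionally age out flows, check TCP sequence windows and handle protocols such as FTP whose data channels use negotiated ports; none of that is modelled here.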

2. Application Proxy Firewalls

An application proxy firewall is the isolation point between the internal network and the external network: it monitors and isolates application-layer traffic, and it is often combined with a packet filter. Because it works at the top layer of the OSI model, it has all of the information available to the application at its disposal when making security decisions.

3. Composite Firewalls

Where higher security is required, packet filtering is combined with application proxying to form a composite firewall product. This combination usually takes one of the following two forms.

Screened host firewall architecture: a packet-filtering router (or firewall) is connected to the Internet, and a bastion host is placed on the internal network. The filtering rules on the router are configured so that the bastion host is the only internal node reachable from the Internet, so that internal hosts are not directly exposed to unauthorized external users.

Screened subnet firewall architecture: the bastion host is placed on its own subnet, forming a demilitarized zone (DMZ), with a packet-filtering router at each end of that subnet separating it from the Internet on one side and the internal network on the other. In this architecture the bastion host and the packet-filtering routers together form the security foundation of the whole firewall.

4. Firewall Operating Systems

A firewall should be built on a secure operating system, and such a system is produced by hardening and modifying a general-purpose operating system for the purpose. Judging from existing products, the hardening of the operating system kernel concentrates on the following: removing dangerous system calls; restricting the privileges under which commands may be executed; checking every packet on every interface; using random TCP initial sequence numbers; building the packet-filtering module into the host kernel; disabling dynamic routing; and using multiple security kernels.

5. NAT Technology

NAT transparently translates all internal addresses, so that the external network cannot learn the structure of the internal network. On a NAT network without explicit port forwarding, connections with the external network can only be initiated from the inside, which greatly improves the security of the internal network.

Another obvious use of NAT is to alleviate the shortage of IP addresses.
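The two properties above, hiding the internal address plan and admitting only replies to inside-initiated connections, both fall out of the NAT translation table. The following is an added example, not code from the original article: a toy source NAT that rewrites every outbound packet's source to one public address and a freshly allocated port, records the mapping, and translates an inbound packet back only if its destination port belongs to an existing mapping. The public address, the internal hosts and the port range are constructed for illustration.

```python
"""Source NAT (masquerading) with a translation table.

Added example, not code from the original article; the public address,
internal hosts and port range are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.51.100.2"   # constructed: the firewall's single external address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class SourceNAT:
    """Rewrites internal source addresses to PUBLIC_IP and maps replies back."""

    def __init__(self, first_port: int = 1024, last_port: int = 65535) -> None:
        self.next_port = first_port
        self.last_port = last_port
        # (internal ip, internal port, proto) -> external port, and the reverse.
        self.out_map: Dict[Tuple[str, int, str], int] = {}
        self.in_map: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def _allocate(self) -> int:
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, p: Packet) -> Packet:
        """Translate an inside-to-outside packet, creating a mapping on first use."""
        key = (p.src, p.sport, p.proto)
        if key not in self.out_map:
            ext_port = self._allocate()
            self.out_map[key] = ext_port
            self.in_map[(ext_port, p.proto)] = (p.src, p.sport)
        return replace(p, src=PUBLIC_IP, sport=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Un-translate an outside-to-inside packet; None means it is dropped."""
        if p.dst != PUBLIC_IP:
            return None
        target = self.in_map.get((p.dport, p.proto))
        if target is None:
            return None   # unsolicited: no inside host opened this mapping
        return replace(p, dst=target[0], dport=target[1])


def nat_scenario() -> Dict[str, Optional[Packet]]:
    """Two inside hosts reach the same server; an outsider tries to reach SSH."""
    nat = SourceNAT(first_port=40000)
    # Both hosts happen to use the same local port; NAT must still keep them apart.
    a = nat.outbound(Packet("10.0.0.5", 51000, "203.0.113.10", 443))
    b = nat.outbound(Packet("10.0.0.6", 51000, "203.0.113.10", 443))
    return {
        "host_a_translated": a,
        "host_b_translated": b,
        "reply_to_a": nat.inbound(Packet("203.0.113.10", 443, PUBLIC_IP, a.sport)),
        "reply_to_b": nat.inbound(Packet("203.0.113.10", 443, PUBLIC_IP, b.sport)),
        # Unsolicited inbound connection attempt to the public address.
        "unsolicited_ssh": nat.inbound(Packet("198.51.100.7", 31337, PUBLIC_IP, 22)),
    }


if __name__ == "__main__":
    for name, pkt in nat_scenario().items():
        print(f"{name:18} {pkt if pkt is not None else 'dropped (no mapping)'}")
```

From the outside, both connections appear to come from 198.51.100.2, distinguished only by the allocated ports, so the server learns nothing about the 10.0.0.0 hosts behind the firewall. The inbound SSH attempt has no mapping and is dropped. A production NAT would also bind each mapping to the remote endpoint and expire idle entries; and the isolation disappears as soon as an administrator adds a static port forward, which is exactly the "explicit port forwarding" case noted above.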

6. Attack Resistance of the Firewall

As a security device, the firewall is itself a target for many attackers on the network, so the ability to withstand attack is a necessary property of a firewall.

7. Limitations of Firewalls

There are security threats a firewall cannot guard against. A firewall cannot protect against traffic that does not pass through it: for example, if users inside a protected network are allowed to dial out, they may form a direct connection to the Internet that bypasses the firewall entirely. In addition, firewalls have difficulty guarding against attacks originating inside the network and against threats from viruses.
