The network firewall plays an important role in security protection, but we should also recognize its deficiencies.
Today, knowledgeable attackers can use the ports the network firewall leaves open to cleverly escape its monitoring and target applications directly. They devise complicated attack methods that bypass traditional network firewalls. According to expert statistics, 70% of current attacks occur at the application layer, not the network layer. Against this kind of attack, the protection a traditional network firewall offers is not very effective.
The traditional network firewall has the following deficiencies:
1. Unable to detect encrypted web traffic
If you deploy a portal and want all network-layer and application-layer vulnerabilities to be shielded outside the application, this requirement is a big problem for the traditional network firewall.
Because the network firewall cannot see the data inside an encrypted SSL stream, and cannot intercept the SSL stream quickly and decrypt it, it cannot prevent attacks on the application; some network firewalls do not provide any data decryption function at all.
2. Ordinary application-level encryption can easily escape firewall detection
SSL-encrypted data is not the only thing the network firewall cannot see; data encrypted by the application itself is also invisible to it. Most network firewalls today rely on a static feature library, on the same principle as an intrusion detection system (IDS). The firewall can recognize and intercept attack data only when the characteristics of the application-layer attack behavior exactly match a feature already present in the firewall's database.
But today, with common encoding techniques, malicious code and other attack commands can be hidden and converted into a form that deceives both the front-end network security system and the back-end server. As long as such encoded attack code does not look the same as the rules in the firewall's rule library, it evades the network firewall by successfully avoiding feature matching.
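As an added illustration of the signature-evasion problem described above (example code written for this page, not from the original article), the toy matcher below runs a constructed two-entry signature library against request paths twice: once on the raw text, as a static feature library does, and once after canonicalizing percent-encoding and HTML numeric entities. The signatures and the sample requests are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for a firewall's static feature library (two signatures).
SIGNATURES = [
    re.compile(r"\.\./"),          # directory traversal sequence
    re.compile(r"<script", re.I),  # start of an inline script tag
]


def naive_match(raw: str) -> bool:
    """Static matching as the article describes: raw request text vs. the library."""
    return any(sig.search(raw) for sig in SIGNATURES)


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Undo layered percent-encoding and HTML numeric entities before matching."""
    text = raw
    for _ in range(max_rounds):            # bounded so crafted input cannot loop forever
        decoded = unquote(text)
        if decoded == text:                # nothing left to decode
            break
        text = decoded
    text = re.sub(r"&#x([0-9a-fA-F]+);", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"&#(\d+);", lambda m: chr(int(m.group(1))), text)
    return text


def normalized_match(raw: str) -> bool:
    """Same signatures, applied after canonicalization."""
    return any(sig.search(canonicalize(raw)) for sig in SIGNATURES)


# Constructed request paths: one literal, three encoded variants, one benign.
SAMPLE_REQUESTS = [
    "/files?name=../../config.ini",            # literal: both matchers fire
    "/files?name=..%2f..%2fconfig.ini",        # single percent-encoding
    "/files?name=%252e%252e%252fconfig.ini",   # double percent-encoding
    "/search?q=&#60;script&#62;",              # HTML numeric entities
    "/search?q=hello%20world",                 # benign: neither should fire
]


def compare(requests=SAMPLE_REQUESTS):
    """Return (request, naive_hit, normalized_hit) for each sample request."""
    return [(r, naive_match(r), normalized_match(r)) for r in requests]


if __name__ == "__main__":
    for req, naive, norm in compare():
        print(f"{req:42} naive={naive!s:5} normalized={norm}")
```

Only the literal request is caught by the raw matcher; the three encoded variants pass it and are caught only after canonicalization, which is the gap the static feature library leaves open.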
3. Inadequate protection for Web applications
The network firewall was invented in 1990, and the commercial Web server appeared a year later. A firewall based on stateful inspection works on the network layer's TCP and IP addresses, setting up and enforcing stateful access control lists (ACLs). In this respect, the network firewall's performance is indeed very good.