Server network security

Deploying a new firewall policy is a complex task that requires you to weigh many aspects. In general, a firewall has two working modes: routing mode and transparent mode. In routing mode, a firewall behaves like a router that forwards data packets.
The difference is that it can also identify layer-4 (transport layer) protocol information, so it can filter on TCP/UDP ports. In this mode the firewall must have two or more network addresses, and your network structure will change. In transparent mode, a firewall is more like a bridge: it does not interfere with the network structure and, in the topology, appears not to exist (hence "transparent"). A transparent firewall still provides packet filtering, but it has no IP address of its own. Both modes provide network access control; for example, you can configure the firewall to filter out access from the Internet to the server's NFS port.
Which mode to use depends on your network environment. In general, if your server uses a real (public) IP address, usually allocated to you by the IDC, transparent mode is chosen. In this mode your server appears to face the Internet directly, and all access requests are sent straight to the server. Of course, packets pass through the firewall's inspection before they reach the server, and packets that do not match the rules are discarded (from the server's perspective, the program never notices that a packet was inspected or dropped on the way).
In fact, for security reasons many servers use private IP addresses (for example, 172.16.0.0/16 and 192.168.0.0/24 are both private address ranges). If such servers do not need to provide external services, this is the most secure arrangement. If they must provide external services, the firewall's NAT (Network Address Translation) is needed to satisfy access requests from the Internet. NAT is a firewall function that actually works in routing mode.
Most firewalls distinguish between forward and reverse NAT. Forward NAT applies to packets sent out of the intranet: as a packet passes the firewall, its header is rewritten so that the source IP address becomes the address bound to the firewall (or one from an address pool; these must be real public addresses) and the source port also changes; the returned packets are translated back the same way, which lets hosts with private IP addresses communicate with the Internet. In reverse NAT, the server's public IP address is bound to the firewall at the network exit, the server itself uses only a private IP address, and the firewall maintains a mapping between that public address and the private address. When a request from the Internet to this server reaches the firewall, the firewall forwards it to the server. Of course, the request is matched against the firewall rule set before forwarding, and packets that do not comply with the rules are discarded.
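As an added illustration (not code from the original article), the following Python model shows the forward NAT, reverse NAT and rule-set matching described above: outbound packets get the firewall's public address and a new source port, replies are translated back, and new inbound requests are checked against the rule set (here, the NFS port is not allowed) before being mapped to the server's private address. The addresses, the allowed ports and the port range are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed sample values (not from the article): the public address bound to
# the firewall, the server's private address, and the inbound rule set.
FW_PUBLIC = "203.0.113.10"
SERVER_PRIVATE = "172.16.19.5"
ALLOWED_INBOUND = {80, 443}          # anything else, e.g. NFS on 2049, is dropped

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE)

class NatFirewall:
    def __init__(self):
        self.next_port = 40000       # first public port handed out by forward NAT
        self.table = {}              # public port -> (private ip, private port)

    def forward_nat(self, pkt):
        """Intranet -> Internet: rewrite the source to the firewall's public address."""
        if not is_private(pkt.src) or is_private(pkt.dst):
            return None                                  # not an intranet-to-Internet packet
        if pkt.src == SERVER_PRIVATE and pkt.sport in ALLOWED_INBOUND:
            return replace(pkt, src=FW_PUBLIC)           # server's reply to a reverse-NAT request
        port = self.next_port                            # new outbound flow: allocate a port
        self.next_port += 1
        self.table[port] = (pkt.src, pkt.sport)
        return replace(pkt, src=FW_PUBLIC, sport=port)

    def inbound(self, pkt):
        """Internet -> firewall's public address: either a reply to an outbound flow,
        or a new request that must pass the rule set and then reverse NAT."""
        if pkt.dst != FW_PUBLIC:
            return None
        if pkt.dport in self.table:                      # reply to forward NAT: translate back
            ip, port = self.table[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        if pkt.dport not in ALLOWED_INBOUND:             # rule set matched before forwarding
            return None                                  # dropped; the server never sees it
        return replace(pkt, dst=SERVER_PRIVATE)          # reverse NAT: public -> private server
```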
Using reverse NAT greatly improves server security, because no user's access goes directly to the server; every request must be forwarded by the firewall. In addition, the server uses a private IP address, which is always safer than a real one. The benefit is most obvious against denial-of-service attacks. However, compared with a transparent firewall, a reverse NAT firewall reduces network speed, so if your site has high access traffic, do not use this method. It is worth mentioning that Cisco's PIX has exceptional NAT performance.
In another arrangement, the server uses a real IP address and the firewall is configured in routing mode without using its NAT function. Although this works, it makes your network structure very complex and does not seem to bring any benefit.
Most IDC data centers do not provide firewall services; you need to purchase and configure your own firewall, in either transparent mode or NAT mode, depending on your actual situation. Some IDC companies provide firewall services as a means of attracting customers; in general, these services are charged for.
If your server sits behind a shared firewall provided by the IDC, you need to consider your intranet structure carefully. If the IDC's firewall runs in transparent mode for you, that is, all your servers use real IP addresses, then unless you have enough servers of your own (as we have more than 500 servers in Beijing), there will be other companies' hosts in your logical network segment.
In that case, even with a firewall, your system management tasks will not be much easier, because you are exposed to hosts of other companies in the same network segment. For example, if your server's IP address segment is 211.139.130.0/24 and you use several of those addresses, there will be more than 200 hosts from other companies in the same segment behind the same firewall. Although the firewall can shield some access from the Internet, access between these hosts is not blocked, so malicious people at other companies can attack you through their hosts.
Alternatively, if any host on the segment is hacked, all servers face a severe threat. In such a network, do not run dangerous services such as NFS, Sendmail, and BIND.
The solution is to purchase your own firewall and configure it in transparent mode; do not use the transparent mode of the shared firewall.
Some IDC companies provide you with a NAT firewall: you set a private IP address on the server and the firewall translates the server's address. This situation is the same as the one above, in that other companies' hosts share the logical network segment of your server.
For example, the CIDR block 172.16.16.0/24 can accommodate 254 hosts; if your servers use a few of those addresses, there may be more than 200 hosts from other companies in the same segment as your servers. In this way, although the firewall provides protection, it cannot prevent attacks from within the intranet.
To solve this problem you do not have to purchase a firewall. Since private IP addresses can be allocated freely, you can request a separate network segment from the IDC, for example 172.16.19.0/24, and put all your servers in it, with no hosts from other companies. In this way your intranet is protected as well.
In fact, if you run a network of many UNIX hosts, you do not have to open the login port on the firewall for each host. You can set up one or two hosts as the login portal, and access to the other hosts must go through the portal host as a springboard. This sacrifices some convenience but brings stronger security. Of course, the premise is that you manage the portal host well.
An electronic token card is well suited to this application. It is a portable card that dynamically generates a password every few minutes or tens of seconds; you can only log on to the host with this password, and the password soon becomes invalid.
This applies not only to UNIX hosts: a stepping-stone host can also be used for terminal management of Windows hosts. However, Windows terminals are much more troublesome than UNIX shells, so if you do not want to sacrifice too much convenience, do not do so.
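As an added example (not from the original article), here is the time-based password scheme the token card above relies on, modelled in Python: the card and the portal host share a secret, the password is an HMAC of the current time step (RFC 4226/6238 style), and the portal accepts a password only for the current step plus one step of clock skew and never twice. The 30-second step, the shared secret and the PortalHost class are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds each password stays valid (the "tens of seconds" in the text)
DIGITS = 6         # length of the displayed password

def token_password(secret: bytes, t: float, step: int = STEP) -> str:
    """Password the card shows for the time step containing t (HMAC-SHA1, RFC 4226 truncation)."""
    counter = int(t) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class PortalHost:
    """Login portal: accepts a card password only inside a small time window and
    rejects replay of a password already used (assumed design, not a real product)."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.used = set()        # (counter, code) already consumed; kept simple, never pruned

    def login(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        # Try the current step and +/- skew steps to tolerate small clock drift.
        for counter in range(current - self.skew, current + self.skew + 1):
            expected = token_password(self.secret, counter * STEP)
            if hmac.compare_digest(expected, code):        # constant-time comparison
                if (counter, code) in self.used:
                    return False                           # replay within the window
                self.used.add((counter, code))
                return True
        return False                                       # wrong or expired password
```

Once the window has passed, the same password is rejected even though it was valid earlier, which is exactly the property that makes a stolen or observed password nearly worthless.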
Network security is an important part of server security. I hope you have mastered the above content. In addition, I hope you will pay more attention to firewall knowledge to better understand server network security.