//OK, I will change it.
//A packet filtering firewall is the simplest: you can specify whether data packets from a certain IP, a certain port or a certain network segment pass [or do not pass]. It does not support application-layer filtering and does not support packet content filtering.
//A stateful firewall is a bit more complicated. Based on the state characteristics of TCP, the status of each connection is recorded on the firewall, which makes up for the shortcomings of the packet filtering firewall. For example, if you allow packets from IP address 1.1.1.1 to pass through the firewall, a malicious person who forges that IP address can get through a packet filtering firewall without completing the TCP three-way handshake.
//An application proxy gateway firewall completely blocks direct communication between the internal network and the external network. An internal user's access to the external network becomes the firewall's access to the external network, and the firewall then forwards the result to the internal user. All communications must be forwarded by the application-layer proxy software; visitors can never establish a direct TCP connection with the server. The application-layer protocol session must comply with the security policy of the proxy.
//The advantage of the application proxy gateway is that it can check protocol characteristics at the application, transport and network layers, and so has a strong ability to inspect data packets.
//
1. Current firewall technology classification
Firewall technology has gone through three stages: packet filtering, then application proxy gateways, and then stateful inspection.
1.1 Packet filtering technology
A packet filtering firewall works at the network layer and can identify and control the source and destination IP addresses of data packets. At the transport layer it can only identify whether a packet is TCP or UDP and which ports it uses, as shown in the figure below. Today's routers, switches and some operating systems already have packet filter control capabilities.
Because only the IP addresses, the TCP/UDP protocol and the ports of a packet are analysed, packet filtering firewalls are fast and easy to configure.
Packet filtering firewalls have fundamental flaws:
1. Little protection against attackers. The packet filtering firewall works on the premise that the network administrator knows which IP addresses belong to trusted networks and which to untrusted networks. However, with the emergence of new applications such as remote work, the administrator can no longer draw a clear boundary between trusted and untrusted networks. An attacker only needs to change the source IP address of a packet to a permitted one to pass through the packet filtering firewall into the intranet, and any junior hacker can perform IP address spoofing.
2. Application layer protocols are not supported. Suppose an organisation requires that intranet employees may browse web pages on the external network (HTTP) but may not download movies from it (usually FTP). A packet filtering firewall is powerless here: it can block the standard FTP port, but it does not understand the application-layer protocol actually carried on a permitted port, and its access control granularity is too coarse.
3. Unable to deal with new security threats. It cannot track TCP state, so its control at the TCP layer is weak. For example, when it is configured to allow only TCP connections initiated from inside to outside, packets from the outside crafted to look like TCP reply packets (for instance with only the ACK flag set) can still pass through the firewall to internal hosts.
To sum up, packet filtering firewall technology is too rudimentary: it is like a security guard who can only decide whether to admit a visitor based on which province or city the visitor comes from, and it can hardly shoulder the responsibility of protecting the intranet.
1.2 Application proxy gateway technology
An application proxy gateway firewall completely isolates the internal network from direct communication with the external network. An internal user's access to the external network becomes the firewall's access to the external network, and the firewall then forwards the result to the internal user. All communications must be forwarded by the application-layer proxy software; a visitor can never establish a direct TCP connection with the server. The application-layer protocol session must comply with the security policy of the proxy.
The advantage of the application proxy gateway is that it can check protocol characteristics at the application, transport and network layers, and so has a strong ability to inspect data packets.
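The following is an added example, not code from the original article and not any vendor's product: a minimal decision routine for the kind of application proxy described above. It classifies the client's first bytes by their application-layer syntax rather than by port, refuses FTP and anything it cannot parse, enforces a method and host policy, and then re-serialises the request it will send on its own connection to the server, so the client's bytes are never relayed verbatim. The policy sets, host names and sample payloads are constructed for the demonstration.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed policy for the proxy: only these HTTP methods, and only to hosts
# on this allow-list, may be relayed. FTP (or anything the proxy cannot parse)
# is refused no matter which port the client was heading for.
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
ALLOWED_HOSTS = {b"www.example.com", b"intranet-portal.example"}   # assumed names
MAX_HEADER_BYTES = 8192

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
FTP_COMMANDS = {b"USER", b"PASS", b"RETR", b"STOR", b"LIST", b"PASV", b"PORT", b"CWD"}
# Hop-by-hop headers (RFC 7230 section 6.1) only concern the client-proxy hop,
# so the proxy must not copy them into the request it sends to the server.
HOP_BY_HOP = {b"connection", b"proxy-connection", b"keep-alive", b"te", b"trailer", b"upgrade"}

def identify_protocol(payload: bytes) -> str:
    """Classify the client's first bytes by application-layer syntax, not by port number."""
    first_line = payload.split(b"\r\n", 1)[0]
    if REQUEST_LINE.match(first_line):
        return "http"
    if first_line.split(b" ", 1)[0].upper() in FTP_COMMANDS:
        return "ftp"          # FTP control-channel commands (USER, RETR, ...)
    return "unknown"

def parse_http_request(payload: bytes) -> Optional[dict]:
    """Parse request line, headers and body; None if the request is not well-formed HTTP."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEADER_BYTES:
        return None
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    headers: Dict[bytes, bytes] = {}          # names lower-cased (they are case-insensitive)
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:                # HTTP/1.1 requires Host; the proxy insists on it
        return None
    return {"method": m.group(1), "target": m.group(2), "headers": headers, "body": body}

def proxy_decision(payload: bytes) -> Tuple[bool, str]:
    """Decide whether the proxy will relay this client request, and why."""
    proto = identify_protocol(payload)
    if proto == "ftp":
        return False, "ftp is not permitted by policy"
    if proto != "http":
        return False, "unrecognised application protocol"
    req = parse_http_request(payload)
    if req is None:
        return False, "malformed http request"
    if req["method"] not in ALLOWED_METHODS:
        return False, f"method {req['method'].decode()} not permitted"
    host = req["headers"][b"host"].split(b":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host.decode()} not permitted"
    return True, f"relay {req['method'].decode()} {req['target'].decode()} to {host.decode()}"

def build_upstream_request(payload: bytes) -> bytes:
    """The request the proxy sends on its own TCP connection to the server.

    Only what was parsed and understood is re-serialised; hop-by-hop headers
    are dropped and the upstream connection is closed after one exchange.
    """
    req = parse_http_request(payload)
    assert req is not None, "call proxy_decision first"
    out = [req["method"] + b" " + req["target"] + b" HTTP/1.1"]
    out += [k + b": " + v for k, v in req["headers"].items() if k not in HOP_BY_HOP]
    out.append(b"Connection: close")
    return b"\r\n".join(out) + b"\r\n\r\n" + req["body"]

# Constructed client payloads.
GOOD_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Proxy-Connection: keep-alive\r\nUser-Agent: demo\r\n\r\n")
FTP_ON_80 = b"USER anonymous\r\n"                 # FTP aimed at port 80 to slip past a port rule
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: demo\r\n\r\n"
TUNNEL = b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example\r\n\r\n"
BINARY = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"  # not HTTP at all

if __name__ == "__main__":
    for name, payload in [("GOOD_HTTP", GOOD_HTTP), ("FTP_ON_80", FTP_ON_80),
                          ("NO_HOST", NO_HOST), ("TUNNEL", TUNNEL), ("BINARY", BINARY)]:
        print(name, proxy_decision(payload))
```

A port-based rule that permits TCP/80 would pass all five payloads; the proxy relays only the first, and the request it sends upstream is its own, which is exactly why a proxy can enforce "HTTP yes, FTP no" where a packet filter cannot.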
Its disadvantages are also very prominent:
· Difficult to configure. Since each application requires a separate proxy process, the network administrator must understand the weaknesses of each application protocol and configure a security policy for it. Because the configuration is cumbersome and hard to understand, configuration errors are common, which ultimately weakens the protection of the intranet.
· Processing speed is very slow. Terminating every connection and having the firewall re-establish it can in theory make an application proxy firewall extremely secure, but it is costly in practice: for each web access request from the intranet the application proxy must open a separate proxy process, and to protect the intranet's web servers, database servers, file servers, mail servers, business applications and so on, a service proxy must be set up for each one to handle client access requests. The processing delay of the application proxy therefore becomes very large, and normal web access by intranet users cannot be answered in time.
In short, application proxy firewalls cannot support large-scale concurrent connections, which is a disaster in speed-sensitive industries. In addition, the firewall core needs a pre-built proxy for each known application, so an emerging application is simply blocked by a proxy firewall; new applications are not well supported.
In the IT field new applications, technologies and protocols emerge one after another, and proxy firewalls find it hard to keep up. Proxy firewalls are therefore gradually being pushed out of core business applications in some important fields and industries.
However, the emergence of adaptive proxy technology has given application proxy firewall technology a new lease of life. It combines the security of proxy firewalls with the speed of packet filtering firewalls without sacrificing security, improving the performance of the proxy firewall by roughly tenfold.
1.3 Stateful inspection technology
We know that data transmitted on the Internet must follow the TCP/IP protocols. According to TCP, every reliable connection is established in three stages: the client's synchronisation request (SYN), the server's response (SYN-ACK) and the client's acknowledgement (ACK). Our most common activities, web browsing, file downloading, sending and receiving email and so on, all go through these three stages. This shows that data packets are not independent; there is a close state relationship between them, and stateful inspection technology was introduced on the basis of these state changes.
A stateful inspection firewall overcomes the shortcoming of the packet filtering firewall, which only examines a few parameters such as the packet's IP addresses and pays no attention to changes in the connection state. It keeps a connection state table in the core of the firewall, treats the data entering and leaving the network as sessions, and uses the state table to track the status of each session. Stateful inspection not only checks each packet against the rule table but also checks whether the packet is consistent with the state of its session, thus giving complete control over the transport layer.
One of the challenges for gateway firewalls is the amount of traffic they can handle. Stateful inspection not only greatly improves security protection but also improves traffic processing speed: once a session has been admitted, its subsequent packets can be matched against the state table instead of the whole rule set. With a series of optimisation techniques, stateful inspection greatly improves firewall performance and can be applied in various network environments, especially large networks with complex rule sets.
Virtually every high-performance firewall uses stateful inspection technology.
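The following is an added example written for this page, not code from the original article or from any firewall vendor. It puts sections 1.1 and 1.3 side by side: a stateless filter that judges each packet alone, and a stateful engine that keeps a connection table driven by the three-way handshake. The traffic is constructed: a legitimate web session opened from inside, then the "TCP response packet" trick of section 1.1, point 3, an ACK-only packet from outside with no handshake behind it. The address ranges, ports and state names are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed packet model: only the header fields a firewall rule can see.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]   # TCP flags set, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    iface: str              # "inside" or "outside": the interface the packet arrived on

INSIDE_PREFIX = "10.0.0."   # constructed intranet address range

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

# Packet filtering (section 1.1): every packet is judged on its own.
# Constructed policy: intranet hosts may open TCP connections outward; the only
# inbound TCP allowed is "established" traffic, which a stateless filter can
# approximate only by the ACK bit being set (the classic "established" ACL keyword).
def stateless_filter(pkt: Packet) -> bool:
    if pkt.iface == "inside" and is_inside(pkt.src_ip):
        return True                                   # outbound from intranet
    if pkt.iface == "outside" and is_inside(pkt.dst_ip) and "ACK" in pkt.flags:
        return True                                   # looks like a reply
    return False

# Stateful inspection (section 1.3): a connection table keyed by the 4-tuple of
# the side that opened the connection, advanced by the three-way handshake.
class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str, int], str] = {}
        self.log: List[str] = []

    @staticmethod
    def _fwd(pkt: Packet) -> Tuple[str, int, str, int]:
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    @staticmethod
    def _rev(pkt: Packet) -> Tuple[str, int, str, int]:
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt: Packet) -> bool:
        fwd, rev = self._fwd(pkt), self._rev(pkt)
        if pkt.flags == frozenset({"SYN"}):
            # Only a bare SYN from an intranet host on the inside interface may
            # create a session; a SYN from outside is an inbound connection attempt.
            if pkt.iface == "inside" and is_inside(pkt.src_ip):
                self.table[fwd] = "SYN_SENT"
                return True
            self.log.append(f"drop: inbound SYN {fwd}")
            return False
        if pkt.flags == frozenset({"SYN", "ACK"}):
            # A SYN-ACK is valid only as the answer to a SYN we recorded.
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECV"
                return True
            self.log.append(f"drop: unsolicited SYN-ACK {fwd}")
            return False
        if "ACK" in pkt.flags:
            # ACK or data: permitted in either direction, but only inside a
            # session that has at least reached the SYN-ACK stage.
            if self.table.get(fwd) in ("SYN_RECV", "ESTABLISHED"):
                self.table[fwd] = "ESTABLISHED"       # client's final ACK completes it
                return True
            if self.table.get(rev) == "ESTABLISHED":
                return True
            self.log.append(f"drop: ACK with no matching session {fwd}")
            return False
        self.log.append(f"drop: unexpected flags {sorted(pkt.flags)} {fwd}")
        return False

# Constructed traffic: a legitimate outbound web session, then a forged packet.
CLIENT, SERVER, ATTACKER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
HANDSHAKE = [
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"SYN"}), "inside"),
    Packet(SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"}), "outside"),
    Packet(CLIENT, 40000, SERVER, 80, frozenset({"ACK"}), "inside"),
    Packet(SERVER, 80, CLIENT, 40000, frozenset({"ACK"}), "outside"),   # HTTP response data
]
# Section 1.1, point 3: an outside host aims an ACK-only packet at an internal
# service with no handshake behind it.
FORGED_ACK = Packet(ATTACKER, 1234, CLIENT, 445, frozenset({"ACK"}), "outside")

def compare() -> dict:
    """Run both filters over the constructed traffic; (stateless, stateful) per packet."""
    fw = StatefulFirewall()
    return {
        "handshake": [(stateless_filter(p), fw.filter(p)) for p in HANDSHAKE],
        "forged_ack": (stateless_filter(FORGED_ACK), fw.filter(FORGED_ACK)),
        "log": fw.log,
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

Both engines pass all four packets of the genuine session; only the stateful engine drops the forged ACK, because no entry in its table matches either direction of that packet. The same table is what lets a real product skip the rule set for packets of an already-admitted session, which is the performance point made above.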
Since 2000, well-known Chinese firewall companies such as Beijing Tianrongxin have begun to adopt this architecture. On this basis, the Tianrongxin NGFW4000 introduced kernel-level inspection technology, which simulates typical application-layer protocols inside the operating system kernel and filters application-layer protocols there, achieving very high performance while meeting its security goals.
The protocols currently supported include HTTP/1.0 and HTTP/1.1, FTP, SMTP, POP3, MMS, H.323 and other widely used application protocols.
2. New technology trends in firewall development
2.1 Technological trends driven by new demands
The development of firewall technology is inseparable from changes in social needs. Looking to the future, we notice the following new requirements.
· The growth of telecommuting. The SARS outbreak that has struck major cities across the country has directly prompted a large number of enterprises and institutions to work from home. This requires firewalls not only to resist external attacks but also to allow legitimate remote access with finer-grained access control. The VPN (Virtual Private Network) technology launched by some manufacturers is a good solution: only packets encrypted in the specified way may pass through the firewall, which keeps information confidential and also gives the firewall a means of identifying intrusions, since traffic that is not encrypted as required is rejected.
· Internal network "compartmentalising". People usually regard the intranet protected by a firewall as trustworthy and only the Internet as untrustworthy. Since attack techniques and tools are readily available on the Internet, the potential threats to internal networks have greatly increased, and such threats can come from people on the external network or from users on the internal network. There is no longer a trusted network environment.
With the rapid adoption of wireless networks and the continued existence of traditional dial-up access, intranets face unprecedented threats. Cooperation between enterprises has brought partners into the enterprise network, and branches across the country share a common platform, which blurs the concept of a trusted network. The solution is to subdivide the intranet into "boxes" and apply an independent security policy to each "box".
2.2 Technological trends driven by hacker attacks
Firewalls are the intranet's personal bodyguard, and the characteristics of hacker attacks also determine the technological trends of firewalls.
· Port 80 closed. Judging from the protocols and ports attacked, the first is the HTTP protocol (port 80).
According to the SANS survey, IIS and Apache, which provide HTTP services, are attacked most often, which shows that port 80 carries the greatest threat.
Therefore, both future firewall technology and the firewall products in use today should close port 80 wherever it is not needed; where it must stay open, as on a web server, the traffic passing through it needs the closer scrutiny described next.
· Deep inspection of data packets. Gartner, an authoritative organisation in the IT industry, believes that proxies are not the key to preventing future attacks; rather, firewalls should be able to identify and block malicious behaviour inside data packets. The technical solution for packet inspection needs new functions such as signature inspection to detect known attacks and to distinguish normal data flows from abnormal ones.
· Synergy. Analysis of attack incidents shows that servers providing external applications such as the web are the focus of protection, and it is difficult to stop all attacks with the firewall alone. Firewall technology, intrusion detection technology and virus detection technology must collaborate effectively to protect network security. As early as 2000, Beijing Tianrongxin recognised the necessity and urgency of such collaboration and launched the TOPSEC protocol, which links the firewall with other security equipment such as IDS to form an organic, scalable security platform. It currently supports linkage mainly with IDS and authentication servers; for example, it works with more than a dozen well-known domestic IDS products, security management systems, security audit systems and other authentication systems to form a complete TOPSEC solution. In September 2002, Nortel, Cisco and Check Point jointly announced that they would launch security products together, which also reflects the trend towards complementary advantages and interoperability between manufacturers.