Advantages of network security technology
Protect fragile services

By filtering unsafe services, a firewall can greatly improve network security and reduce the risk to hosts in the subnet.

For example, a firewall can block NIS and NFS traffic from passing, and it can reject both source-routed packets and ICMP redirect packets.

Control system access

A firewall can provide access control to the system: some hosts are allowed to be reached from outside, while others are not. For example, a firewall can allow external access only to specific mail servers and Web servers.

Centralized safety management

The firewall provides centralized security management of the intranet: the security rules defined in the firewall apply to the whole intranet without configuring a security policy on every machine. For example, different authentication methods can be defined in the firewall without installing specific authentication software on each machine, and external users only need to be authenticated once to access the intranet.

Enhanced confidentiality

Firewalls can prevent attackers from obtaining information that is useful for attacking the network, such as Finger and DNS data.

Recording and auditing network usage, including illegal usage

A firewall can record and count the network traffic passing through it and provide statistics on network usage. These statistics can be used to judge whether attacks or probing are taking place.

Policy implementation

A firewall provides a way to formulate and enforce a network security policy. Without a firewall, network security depends on the users of each individual host.

Network policy

Network policies that affect the design, installation and use of firewall systems can be divided into two levels. The high-level network policy defines which services are allowed and prohibited and how they may be used. The low-level network policy describes how the firewall restricts and filters the services defined in the high-level policy.

Service access policy

The service access policy focuses on Internet access services and external network access (such as dial-in policy, SLIP/PPP connections, etc.).

The service access policy must be feasible and reasonable. A feasible policy must strike a balance between preventing known network risks and providing services to users. A typical service access policy is: where necessary, allow users with enhanced authentication to access some internal hosts and services from the Internet, and allow internal users to access designated Internet hosts and services.

Firewall design strategy

The firewall design policy is specific to a particular firewall and defines the rules that implement the service access policy. There are usually two basic design policies:

Allow any service unless explicitly prohibited;

No services are allowed unless explicitly allowed.

The second design policy is usually adopted.

Virtual patch

Virtual patches, also known as VPatch, are designed to alter or eliminate vulnerabilities by controlling the input or output of the affected application. These vulnerabilities open the door to intruders, and database vendors regularly release database vulnerability patches. Because database patching is complex and application stability is a concern, most enterprises cannot apply patches in time. A database firewall provides a virtual patching function by creating a security layer at the network layer outside the database, so that users can protect against database vulnerabilities without patching. DBFirewall supports more than 460 virtual patches in 22 categories.

Packet filtering type

Packet filtering products are the first generation of firewall products, and their technical basis is the packet transmission technology of the network. Data on the network is transmitted in the form of packets: the data is divided into packets of a certain size, and each packet carries specific information such as the source and destination addresses and the TCP/UDP source and destination ports. The firewall reads the address information in each packet to determine whether it comes from a trusted site. Once packets from dangerous sites are found, the firewall rejects them. System administrators can also define the judgment rules flexibly according to the actual situation.

The advantages of packet filtering are that it is simple, practical and cheap to implement. In a simple application environment it can guarantee the security of the system to a certain extent at a small cost.

However, the shortcomings of packet filtering are equally obvious. Packet filtering is a security technology based entirely on the network layer: it can only judge by network information such as the source, destination and port of a packet, and it cannot identify application-layer intrusions such as malicious Java applets or viruses attached to e-mails. Experienced hackers can easily forge IP addresses and fool a packet filtering firewall.

Network address translation (NAT)

NAT is a standard for converting IP addresses into temporary, external, registered IP addresses. It allows internal networks using private IP addresses to access the Internet, which also means that a registered IP address does not have to be obtained for every machine in the network.

When the internal network accesses the external network through the secure network card, a mapping record is generated. The system maps the outgoing source address and source port to a disguised address and port, which connects to the external network through the insecure network card, thus hiding the real internal network address. When the external network accesses the internal network through the insecure network card, it knows nothing about the internal network's connections; it sees only the opened IP addresses and ports. The OLM firewall judges whether the access is secure according to predefined mapping rules. When the rules are met, the firewall considers the access safe and can accept the request or map the connection to a different internal computer. When the rules are not met, the firewall considers the access unsafe and unacceptable, and it blocks the external connection request. The process of network address translation is transparent to users, who need not be aware of it.
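The mapping behaviour described above, as an added example that is not part of the original page: outbound connections create a mapping from the internal (address, port) to a disguised public (address, port), replies are translated back through that mapping, and an inbound packet with no mapping is accepted only if a predefined rule publishes that port to an internal server. The addresses and the port range are constructed for illustration.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass
class NatTable:
    public_ip: str
    next_port: "itertools.count"          # disguised source ports handed out in order
    outbound: Dict[Endpoint, Endpoint]    # (internal addr, port) -> (public addr, port)
    inbound: Dict[Endpoint, Endpoint]     # (public addr, port)  -> (internal addr, port)
    static: Dict[int, Endpoint]           # predefined rules: public port -> internal server

    def translate_out(self, src: Endpoint) -> Endpoint:
        """Map an outgoing internal source address/port to a disguised public one.

        The same internal endpoint always reuses its existing mapping, so the
        replies for one connection keep arriving at the same translated port.
        """
        if src not in self.outbound:
            pub = (self.public_ip, next(self.next_port))
            self.outbound[src] = pub
            self.inbound[pub] = src
        return self.outbound[src]

    def translate_in(self, dst: Endpoint) -> Optional[Endpoint]:
        """Return the internal target for an inbound packet, or None to block it."""
        if dst in self.inbound:                 # reply to an existing outbound mapping
            return self.inbound[dst]
        if dst[0] == self.public_ip and dst[1] in self.static:
            return self.static[dst[1]]          # explicitly published service
        return None                             # unsolicited connection: block it


def new_table(public_ip: str, static: Optional[Dict[int, Endpoint]] = None) -> NatTable:
    """Constructed starting point: disguised ports are allocated from 40000 upwards."""
    return NatTable(public_ip, itertools.count(40000), {}, {}, static or {})
```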

Agent type

A proxy firewall, also called a proxy server, is more secure than a packet filtering product and begins to work at the application layer. The proxy server sits between the client and the server and completely separates the data exchange between them. From the client's point of view, the proxy server is the real server; from the server's point of view, the proxy server is the real client. When the client needs data from the server, it first sends the request to the proxy server; the proxy server then requests the data from the server on the client's behalf and passes the result back to the client. Because there is no direct data channel between the external system and the internal server, it is difficult for malicious activity from outside to harm the enterprise's internal network.

The advantage of a proxy firewall is its high security: it can inspect and scan at the application layer, which is very effective against application-layer intrusions and viruses. Its disadvantage is that it has a large impact on overall system performance, and a proxy must be set up for every application type the client may generate, which greatly increases the complexity of system management.

Monitoring type

The monitoring firewall is a new generation of product, and this technology has actually gone beyond the original definition of a firewall. A monitoring firewall actively monitors data at all layers in real time, and by analysing this data it can effectively identify illegal intrusions at every layer. Such firewall products also generally have distributed detectors placed on the various application servers and other network nodes, so they not only detect attacks from outside the network but also provide strong protection against malicious damage from inside. According to statistics from authoritative organizations, a considerable proportion of attacks on network systems come from within the network. The monitoring firewall therefore goes beyond the traditional definition of a firewall and surpasses the previous two generations of products in terms of security.

Although the security of the monitoring firewall surpasses that of packet filtering and proxy firewalls, its high implementation cost and difficult management mean that the second-generation proxy firewall is still the main product in practice, although monitoring firewalls have been applied in some areas. Weighing system cost against the cost of security technology, users can selectively adopt some monitoring technologies, which both meets the security requirements of the network system and effectively controls the total cost of ownership of the security system.

In fact, following the mainstream trend in firewall products, most proxy servers (also called application gateways) also integrate packet filtering technology, and the combination of the two has obvious advantages over either alone. Because the product is application-based, the application gateway can filter at the protocol level; for example, the PUT command in an FTP connection can be filtered out, and the application gateway can effectively prevent information leakage from the intranet through the proxied application. Precisely because of these characteristics of the application gateway, the difficulties in practice centre on effective support for the various network application protocols and on the impact on overall network performance.

Analyze security and service requirements

The following questions help to analyze security and service requirements:

√ Which Internet services do you plan to use, and from where (local network, dial-up, remote office)?

√ Additional requirements, such as encryption or dial-up access support.

√ The risks of providing the above services and access.

√ The cost in system application services that is sacrificed in exchange for network security control.

Strategic flexibility

Generally speaking, an Internet-related network security policy should be flexible, for the following reasons:

√ With the rapid development of the Internet itself, organizations may need to keep adopting new Internet services to conduct business. New protocols and services bring new security problems, and the security policy must be able to respond to and deal with them.

√ The risks faced by an organization are not static: changes in the organization's functions and network configuration may change the risks.

Remote user authentication strategy

√ Remote users must not access the system through an unauthenticated modem located behind the firewall.

√ PPP/SLIP connection must be authenticated by firewall.

√ Train remote users in identity authentication methods.

Dial-in/dial-out strategy

√ Dial-in/dial-out capability must be considered and integrated when designing firewall.

√ External dial-in users must pass firewall authentication.

Information server strategy

√ The security of public information servers must be integrated into the firewall.

√ Public information servers must be strictly controlled, otherwise they become a gap in system security.

√ Define a compromise security policy for information servers that allows public services to be provided.

√ Distinguish public information services from business information (such as e-mail) in the security policy.

Basic characteristics of firewall system

√ The firewall must support the design strategy of "No service unless explicitly allowed".

√ The firewall must support the actual security policy, rather than changing the security policy to adapt to the firewall.

√ The firewall must be flexible enough to adapt to changes in the security policy brought about by new services and by changes in the organization's situation.

√ Firewall must support enhanced authentication mechanism.

√ Firewall should use filtering technology to allow or deny access to specific hosts.

√ IP filtering description language should be flexible and user-friendly, supporting source IP and destination IP, protocol type, source and destination TCP/UDP ports, and arrival and departure interfaces.

√ The firewall should provide proxy services for FTP and TELNET in order to offer an enhanced, centralized authentication mechanism. If other services (such as NNTP, rlogin, etc.) are provided, note that their authentication process is not encrypted, so passwords are easily sniffed and recovered.
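The packet filtering described above, put into code as an added example that is not part of the original page: rules are expressed over exactly the fields the filter description language is expected to support (source and destination IP, protocol, source and destination TCP/UDP ports, arrival and departure interfaces), the first matching rule wins, and the default is "no service unless explicitly allowed". Binding the internal address range to the internal arrival interface also catches the forged-source packets the packet filtering section warns about. All addresses, interface names and the sample policy are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: Optional[int]     # None for protocols without ports
    dport: Optional[int]
    in_if: str               # arrival interface
    out_if: str              # departure interface


@dataclass
class Rule:
    action: str              # "allow" or "deny"
    src: str = "0.0.0.0/0"   # any field left at its default matches everything
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[range] = None
    dport: Optional[range] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and (p.sport is None or p.sport not in self.sport):
            return False
        if self.dport is not None and (p.dport is None or p.dport not in self.dport):
            return False
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.out_if is not None and p.out_if != self.out_if:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; anything not explicitly allowed is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed policy: outsiders may reach only the mail and web servers;
# NIS/portmapper (111), NFS (2049) and everything else fall through to the default deny.
INTERNAL = "192.0.2.0/24"
RULES = [
    Rule("allow", dst="192.0.2.25/32", proto="tcp", dport=range(25, 26), in_if="ext"),
    Rule("allow", dst="192.0.2.80/32", proto="tcp", dport=range(80, 81), in_if="ext"),
    Rule("allow", dst="192.0.2.80/32", proto="tcp", dport=range(443, 444), in_if="ext"),
    # Internal hosts may go out, but only if they really arrived on the internal interface.
    Rule("allow", src=INTERNAL, in_if="int", out_if="ext"),
]
```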

Authentication using digest algorithm

RADIUS (the dial-in authentication protocol), OSPF and the SNMP security protocols all authenticate with a shared secret key and a digest algorithm (MD5). Because a digest is a one-way function, the shared secret key cannot be computed from the digest during authentication, and no sensitive information is transmitted on the network. The main digest algorithms in use are MD5 and SHA-1.
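The shared-secret digest exchange described above, as an added example that is not part of the original page: the server issues a fresh random challenge, the client answers with a digest over the challenge and the shared key, and the server recomputes the digest to check it. Only the challenge and the digest cross the wire, never the key. Alongside the plain MD5 form the page describes, the example also shows the HMAC construction (RFC 2104) that current protocols use, since a bare digest over challenge and key is open to length-extension manipulation. The shared key is a constructed value.

```python
import hashlib
import hmac
import os

# Constructed shared secret, provisioned out of band on both client and server.
SHARED_KEY = b"constructed-shared-secret"


def issue_challenge() -> bytes:
    """Server side: a fresh random challenge, so a captured response cannot be replayed."""
    return os.urandom(16)


def digest_response(challenge: bytes, key: bytes) -> bytes:
    """Client side, plain digest form: MD5 over challenge || key.

    This is the pattern the page describes for RADIUS/OSPF/SNMP style authentication.
    """
    return hashlib.md5(challenge + key).digest()


def hmac_response(challenge: bytes, key: bytes) -> bytes:
    """Client side, keyed-hash form: HMAC-SHA-256 over the challenge.

    Same security property (key never leaves the host) without the
    length-extension weakness of a bare hash over challenge || key.
    """
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify(challenge: bytes, response: bytes, key: bytes, use_hmac: bool = False) -> bool:
    """Server side: recompute the expected value and compare in constant time."""
    expected = hmac_response(challenge, key) if use_hmac else digest_response(challenge, key)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    c = issue_challenge()
    r = digest_response(c, SHARED_KEY)          # what the client sends back
    print("challenge:", c.hex(), "response:", r.hex(), "valid:", verify(c, r, SHARED_KEY))
```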

Authentication based on PKI

This method uses a public key system for authentication and encryption. It offers high security and combines digest algorithms, asymmetric encryption, symmetric encryption, digital signatures and other techniques, balancing security and efficiency well. The basic principle of PKI-based authentication is described later. This authentication method is used for e-mail, application server access, client authentication, firewall verification and other purposes.

This authentication method is highly secure, but it involves a heavy certificate management burden.

1. Enterprise demand for VPN technology

A company's headquarters and branches are connected through the Internet. Because the Internet is a public network, the security of this connection must be guaranteed. A private network built over a public network is called a Virtual Private Network (VPN).

Because a VPN uses a public network, its biggest weakness is the lack of inherent security. When an enterprise network is connected to the Internet, two main dangers are exposed:

Unauthorized access to the intranet from the Internet.

Eavesdropping on, and illegal modification of, information the enterprise sends over the Internet.

A complete, integrated enterprise VPN security solution provides secure two-way Internet communication and a transparent encryption scheme to ensure the integrity and confidentiality of data.

Overall security requirements of the enterprise network:

Confidentiality: the communication cannot be eavesdropped on.

Authenticity of the communicating parties: computers on the network cannot be impersonated.

2. Digital signature

A digital signature is the basis for verifying the identity of the sender and the integrity of the message. Public key systems (such as RSA) use a private/public key pair for this purpose: the CA computes its digital signature with its private key, and anyone can verify the authenticity of that signature with the public key the CA provides. Forging a digital signature is computationally infeasible.

In addition, if a message is sent with a digital signature, any modifications to the message will be found when the digital signature is verified.

The two communicating parties securely obtain a shared key through the Diffie-Hellman key exchange and use this key to encrypt their messages. The Diffie-Hellman key is verified by the CA.

The technologies used:

Session key: DES, encrypts the communication.

Encryption key: Diffie-Hellman, generates the session key.

Authentication key: RSA, verifies the encryption key.

With this encryption scheme, the number of keys to be managed grows linearly with the number of communicating parties. Other encryption schemes require a number of keys proportional to the square of the number of communicating parties.
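The key-count comparison above, worked through (this derivation is added here and is not part of the original page; $n$ denotes the number of communicating parties):

With pairwise pre-shared symmetric keys, every pair of parties needs its own long-term key, so the number of keys to manage is
$$
K_{\text{pairwise}}(n) = \binom{n}{2} = \frac{n(n-1)}{2} = \Theta(n^2).
$$
With the scheme described above, each party holds one long-term RSA authentication key pair (certified by the CA), and the Diffie-Hellman session key for each conversation is derived on the fly rather than stored, so the long-term keys to manage number
$$
K_{\text{PKI}}(n) = n \text{ key pairs} = \Theta(n).
$$
Adding one party therefore adds $n$ new keys in the pairwise scheme but only one key pair (and one certificate) in the PKI scheme.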

3. IPsec

As an encrypted communication framework for IPv4 and IPv6, IPsec is supported by most manufacturers and was expected to be adopted as an IETF standard in 1998; it is the Internet standard on which VPNs are built.

IPsec mainly provides encrypted communication at the IP network layer. The standard adds new header formats, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), to each IP packet. IPsec uses ISAKMP/Oakley and SKIP for key exchange, key management and security associations.

IPsec has two parts:

(1) The IP security protocols proper, which define the IPsec message formats.

(2) ISAKMP/Oakley, which is responsible for negotiating the encrypted communication.

IPsec provides two encrypted communication modes:

IPsec tunnel mode: the whole IP packet is encapsulated in an IPsec message. This provides IPsec gateway-to-gateway communication.

IPsec transport mode: the data in the IP packet is encrypted while the original source and destination addresses are kept.

IPsec tunnel mode requires no changes to devices or applications, network hackers cannot see the real source and destination addresses of the communication, and it can provide encrypted transmission channels for private networks across the Internet, so most deployments adopt this mode.

ISAKMP/Oakley uses X.509 digital certificates, so the VPN can easily be extended to enterprise scale and is easy to manage.

An IPsec client can also be implemented on the client side of a remote dial-up service to provide encrypted network communication for dial-up users.

Because IPsec is about to become the Internet standard, firewall (VPN) products from different manufacturers can interoperate. Because application systems are complex, the security of the application platform is the most complicated part of the whole security system. The following section lists the security issues and related technologies of the main application platform services in Internet/Intranet environments.

1. Domain name service

The Internet domain name service provides great flexibility for Internet/Intranet applications, and almost all network applications use it.

However, the domain name service often provides useful information to hackers trying to invade the network, such as server IP addresses, operating system information and the likely network structure.

At the same time, new security vulnerabilities have been discovered in BIND DNS, and most domain name systems have similar problems. For example, because DNS queries use the connectionless UDP protocol, a predictable query ID can be used to trick the domain name server into accepting a wrong hostname-to-IP mapping.

Therefore, when using domain name service, we should pay attention to the above security issues. The main measures are:

(1) Intranet and extranet use different domain name servers to hide internal network information.

(2) The domain name server and the domain name lookup application install corresponding security patches.

(3) To cope with denial of service attacks, a backup domain name server should be provided.
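The predictable-query-ID problem described above, from the defender's side, as an added example that is not part of the original page: a stub resolver that only accepts a response whose transaction ID, destination port and question name all match a query it actually sent, with a switch between the sequential IDs the page warns about and unpredictable IDs and source ports. The `guess_space` function quantifies how much harder the randomized scheme makes a forged answer. Names and ports are constructed.

```python
import os
import struct
from typing import Dict, Tuple

# A pending query is identified by (transaction ID, client source port, question name).
QueryKey = Tuple[int, int, str]


def random_u16() -> int:
    """Cryptographically random 16-bit value from the OS."""
    return struct.unpack("!H", os.urandom(2))[0]


class StubResolver:
    """Client side of a DNS lookup that only accepts answers it actually asked for."""

    def __init__(self, randomize: bool = True):
        self.randomize = randomize
        self.next_id = 1                        # the predictable scheme the page warns about
        self.pending: Dict[QueryKey, bool] = {}

    def send_query(self, qname: str) -> Tuple[int, int]:
        """Record a query and return the (ID, source port) it was sent with."""
        if self.randomize:
            qid = random_u16()
            sport = 1024 + random_u16() % (65536 - 1024)   # ephemeral port 1024..65535
        else:
            qid, sport = self.next_id, 53000                # sequential ID, fixed port
            self.next_id = (self.next_id + 1) & 0xFFFF
        self.pending[(qid, sport, qname.lower())] = True
        return qid, sport

    def receive_response(self, qid: int, dport: int, qname: str) -> bool:
        """Accept only if ID, destination port and question match one pending query.

        Each pending entry is consumed on first use, so a second answer with the
        same ID is rejected. A rejected response is worth logging as a possible
        spoofing attempt.
        """
        return self.pending.pop((qid, dport, qname.lower()), None) is not None


def guess_space(random_id: bool, random_port: bool) -> int:
    """Number of (ID, port) combinations a forger must cover to be sure of a hit."""
    ids = 65536 if random_id else 1               # sequential IDs are known in advance
    ports = (65536 - 1024) if random_port else 1  # fixed port is known in advance
    return ids * ports
```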

2. Web server application security

The Web server is an important base for enterprises to publicize themselves and conduct business. Because of its importance, it has become one of the first targets of hacker attacks.

The Web server often becomes one of the channels through which Internet users reach a company's internal resources, for example accessing the host system through middleware, accessing the database through database connection components, and accessing other resources in the local file system or network through CGI.

Web servers have also become more and more complex, and more and more security vulnerabilities have been discovered in them. To prevent the Web server from becoming a victim of attack or a springboard into the internal network, pay particular attention to the following:

(1) The web server is protected by a firewall.

(2) Install real-time security monitoring software on the Web server.

(3) Install a network-based real-time intrusion monitoring system on the network path leading to the Web server.

(4) Regularly check the configuration and running logs of the Web server.

(5) Conduct a security test before running a new application, such as a new CGI application.

(6) The authentication process adopts encrypted communication or X.509 certificate.

(7) Carefully set the access control table of the Web server.

3. E-mail system security

The e-mail system is also a service that must be open to the outside world. Because of its complexity, it has many security loopholes, and the harm they cause can be great.

The usual ways to strengthen the security of the e-mail system are:

(1) Set up an e-mail server in the demilitarized zone (DMZ) as a relay for internal and external e-mail (or use the e-mail relay function of the firewall). All incoming and outgoing e-mail passes through this relay.

(2) Install and operate a monitoring system on this server.

(3) As a dedicated application server, the mail server does not run any other business (cut off communication with the intranet).

(4) Upgrade to the latest security version.

4. Operating system security

Security vulnerabilities have been found in almost all operating systems on the market, and the more popular the operating system, the more problems are found in it. Beyond constantly applying security patches, operating system security also requires:

(1) Check the system settings (storage mode of sensitive data, access control, password selection/update).

(2) System-based safety monitoring system.