Firewall technology and applications (2)

  Packet filtering is simple, but the security it provides is limited; stateful inspection provides higher security but needs more computing resources. Neither of the two can protect a specific application.
  Application proxy technology can provide security protection for a specific application.

Proxy firewall technology

(1) Agents and proxy technology

  • Agent (proxy)
      Someone who obtains a service or acts on behalf of someone else, for example an insurance agent or a lawyer.

  • Proxy technology (proxy service)
      One application obtains a service on behalf of another application. For example, user A can delegate host B to download a file from
    the outside, or to visit certain websites, on A's behalf.

  • Proxy server (Proxy)
      A server that provides proxy services is called a proxy server, also known as an application proxy firewall. It lets users who have no permission to reach a service directly obtain that service through the proxy.

(2) Application proxy technology
  An application proxy (application proxies) provides the proxy service at the application layer: a host that has access to an application offers that access as a proxy service, so that a user who may not reach the service directly can still reach it through the proxy.
  For example, user A has no permission to access external FTP services, but host B does, and B also provides a proxy service; based on application proxy technology, user A can obtain access to external FTP services with the help of host B.
  Application proxy technology works at the application layer, which means the packets must be analysed at the application layer before they are allowed through the firewall.

(3) How an application proxy works
[Figure: data flow through an application proxy]
  When an internal user needs to access an external service but lacks the required permission, the request is handed to the application proxy server, which sends it out on the user's behalf; the external response is likewise returned through the proxy server. To the internal user the access appears transparent, but every application message is actually relayed and converted by the application proxy.
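The relay described above, as an added example in Python that is not part of the original article: the proxy parses an HTTP/1.x request at the application layer, checks a per-client, per-host, per-method policy, rewrites an allowed request into origin-form so the external server sees only the proxy, and records an audit entry for every decision. ProxyPolicy, the policy table, the client addresses and the sample request are constructed for the example; socket handling is left out so the logic runs offline.

```python
"""Core of an application-layer (HTTP) proxy, as an added example.

The proxy parses the request at the application layer, applies a policy
keyed on (internal client, destination host, method) and, if allowed,
rewrites the request into origin-form so that the external server sees the
proxy rather than the internal client.  Socket I/O is omitted so the logic
runs offline; ProxyPolicy and the sample request are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Request headers that are meaningful only between client and proxy and must
# not be relayed to the origin server.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection",
              "proxy-authorization", "te", "trailer", "upgrade"}


@dataclass
class ProxyPolicy:
    """Hypothetical policy table: client IP -> destination host -> allowed methods."""
    allowed: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

    def permits(self, client_ip: str, host: str, method: str) -> bool:
        methods = self.allowed.get(client_ip, {}).get(host)
        return methods is not None and method in methods


@dataclass
class Decision:
    allowed: bool
    forwarded: Optional[bytes]   # request to send to the origin server
    response: Optional[bytes]    # reply sent back to the client if denied
    audit: Dict[str, str]        # one audit record per request


def parse_request(raw: bytes) -> Tuple[str, str, str, List[Tuple[str, str]], bytes]:
    """Split an HTTP/1.x request into (method, target, version, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def proxy_request(raw: bytes, client_ip: str, policy: ProxyPolicy) -> Decision:
    method, target, version, headers, body = parse_request(raw)
    lower = {n.lower(): v for n, v in headers}
    if target.startswith("http://") or target.startswith("https://"):
        # absolute-form target, as a client configured for a proxy sends it
        parts = urlsplit(target)
        host = parts.hostname or ""
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    else:
        host = lower.get("host", "").split(":")[0]
        path = target
    audit = {"client": client_ip, "host": host, "method": method, "path": path}

    if not host or not policy.permits(client_ip, host, method):
        audit["result"] = "deny"
        reply = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
        return Decision(False, None, reply, audit)

    # Rebuild in origin-form: the external server sees only the proxy's own
    # connection, nothing that names the internal client.
    out = ["%s %s %s" % (method, path, version), "Host: %s" % host]
    out += ["%s: %s" % (n, v) for n, v in headers
            if n.lower() not in HOP_BY_HOP and n.lower() != "host"]
    out.append("Connection: close")
    forwarded = "\r\n".join(out).encode("latin-1") + b"\r\n\r\n" + body
    audit["result"] = "allow"
    return Decision(True, forwarded, None, audit)


# Constructed sample: internal client 10.0.0.5 may only GET from example.com.
POLICY = ProxyPolicy({"10.0.0.5": {"example.com": {"GET"}}})
SAMPLE = (b"GET http://example.com/docs?q=1 HTTP/1.1\r\n"
          b"Host: example.com\r\nUser-Agent: demo\r\n"
          b"Proxy-Connection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for client in ("10.0.0.5", "10.0.0.6"):
        d = proxy_request(SAMPLE, client, POLICY)
        print(d.audit, (d.forwarded or d.response).split(b"\r\n")[0])
```

The policy check and the rewrite are what distinguish this from a packet filter: the decision depends on the method and the host named inside the request, and the forwarded request carries no header that identifies the internal client.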

(4) Advantages and disadvantages of application proxy technology

  • Advantages of proxy technology
    1, an application proxy provides a higher level of security
    2, easy to audit, since every request passes through the proxy
    3, can improve access speed (cached content is served without a second external fetch)
    4, fine-grained filtering at the level of application commands and content
    5, better concealment of the internal network
  • Disadvantages of proxy technology
    1, high processing overhead
    2, poor extensibility: each application protocol needs its own proxy
    3, inconvenient for users, since clients must be configured to use the proxy

Bastion host firewall system

  Firewall architecture, that is, how a firewall is deployed, covers the bastion host structure, the screened host structure and the screened subnet structure.

(1) Bastion host structure

  • Bastion host (Bastion Host)
      A bastion host is a specially hardened computer whose own security is relatively high, so that it can withstand attacks from external attackers. From a network topology point of view it is usually exposed directly to the Internet and faces external attackers head on.
      It becomes the checkpoint that all external traffic must pass to reach the internal network, and a firewall or packet filtering router placed at that point can be regarded as a bastion host.

(2) Bastion host security requirements
  The bastion host must itself be relatively secure. Ways to improve its security:

  • Turn off all unnecessary services, protocols and network ports
  • Enable security auditing and log all security events
  • Allow no trust relationship between the bastion host and internal hosts, and share no information (such as accounts or credentials) between them

  Bastion hosts usually rely on packet filtering technology, so a bastion host firewall is also called a packet filtering firewall. A router with packet filtering capability, or a firewall with routing capability, can therefore play the role of the packet filtering firewall in such a system.

(3) Topology of a bastion host firewall
[Figure: bastion host between the internal and external network]
  The bastion host sits between the internal network and the external network and acts as the link connecting the two.

(4) Advantages and disadvantages

  • Advantages
    1, low cost
      only one packet filtering router or packet filtering firewall is needed, so the structure is inexpensive.
    2, simple management
      the structure is simple and requires no complex configuration, so it is easy to manage and maintain.
  • Disadvantages
    1, low security
      if the packet filtering router is the only security device, an attacker who breaks it can do whatever they want inside the LAN.
    2, simple filtering rules
      filtering is possible only on network layer information, so complex filtering rules cannot be expressed. In addition, as the number of filtering rules grows, the performance of the firewall itself suffers.
    3, no auditing or alarm mechanism
      most packet filters lack auditing and alarm functions.
    4, poor concealment
      behind a firewall of this configuration the IP addresses of the internal network are not hidden, and there are no monitoring, tracing or logging functions.
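A stateless packet filter of the kind the bastion host runs, written as an added example (Python, not code from the article). The rule set, addresses and packets are constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges. It shows how first-match filtering on header fields works and two of the limitations listed above: the match cost grows linearly with the rule count, and because rules see only headers, a forged non-SYN segment addressed to an internal port passes the rule meant for replies to internally started connections.

```python
"""Stateless packet filter of the kind run on a bastion host or screening
router, as an added example (not code from the article).  Each rule sees
only header fields of a single packet: direction, protocol, addresses,
destination port and the TCP SYN flag.  Rules are consulted top to bottom,
first match wins, unmatched packets get the default action.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in": external -> internal, "out": the reverse
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "drop"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None        # None matches any port
    syn_only: Optional[bool] = None    # True: only SYNs, False: only non-SYNs

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.syn_only is None or self.syn_only == p.syn))


def filter_packet(rules: List[Rule], p: Packet, default: str = "drop") -> Tuple[str, Optional[int], int]:
    """Return (action, index of the matching rule or None, rules examined).

    The third value shows the cost: a linear scan, so latency for packets that
    match late in the list (or not at all) grows with the number of rules.
    """
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i, i + 1
    return default, None, len(rules)


# Constructed rule set for an internal network 192.0.2.0/24 (RFC 5737
# documentation range) with a public web server at 192.0.2.10.
INTERNAL = "192.0.2.0/24"
RULES = [
    Rule("accept", "in", "tcp", dst="192.0.2.10/32", dport=80),     # anyone may reach the web server
    Rule("drop", "in", "tcp", dst=INTERNAL, syn_only=True),        # no other new connections inbound
    Rule("accept", "in", "tcp", dst=INTERNAL, syn_only=False),     # replies to internally started connections
    Rule("accept", "out", src=INTERNAL),                           # internal hosts may go out freely
]

# The limitation of filtering on headers alone: rule 2 cannot know whether a
# non-SYN packet really belongs to an existing connection, so a forged ACK
# segment aimed at an internal SSH port passes the filter.
FORGED_ACK = Packet("in", "tcp", "198.51.100.7", "192.0.2.20", 40000, 22, syn=False)

if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 40000, 80, syn=True),
                Packet("in", "tcp", "198.51.100.7", "192.0.2.20", 40000, 22, syn=True),
                FORGED_ACK):
        print(pkt.dst, pkt.dport, "syn" if pkt.syn else "ack", "->", filter_packet(RULES, pkt))
```

Nothing in the rule set can say "only if this packet belongs to a connection an internal host opened"; that needs the connection table of a stateful filter, which is exactly what the bastion host structure built from a packet filtering router lacks.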

Screened host firewall system

  A bastion host firewall is cheap but suitable only for a limited range of uses, and the bastion host becomes the bottleneck of the whole system. The screened host firewall is also called a single-homed bastion host firewall (Single-Homed Host Firewall).
  A single-homed bastion host has only one network interface. Because of that it cannot connect the internal and external networks by itself; it works together with a packet filtering router, and the two jointly perform the firewall functions. A single-homed bastion host usually uses application proxy technology.

(1) Topology
[Figure: screened host firewall, bastion host on the internal network behind a packet filtering router]
  As the figure shows, the bastion host is on the internal network and the router connects the internal and external networks. External data is therefore forwarded by the router to the bastion host, which decides by the firewall rules whether the packet is dropped or passed.
  Data sent from the internal network to the external network is likewise forwarded by the router to the bastion host, which decides by the filtering rules whether the packet may reach the external network. Data that does not need the firewall's protection can be forwarded directly by the router. In such a system the firewall is thus composed of the router and the bastion host.

(2) Data processing in a screened host firewall
  As mentioned above, in general:

  • Inbound external data:
      after receiving external data, the packet filtering router either drops it directly or forwards it to the bastion host;
      the bastion host performs security checks on the data it receives and processes the packet according to the predefined security policy.
  • Outbound internal data:
      certain outbound data (e.g. HTTP) may be sent directly to the packet filtering router without passing through the bastion host;
      other data (such as FTP, TELNET, etc.) must be tightly controlled: all internal clients are configured to use the proxy, so that this data is sent out through the bastion host.

  Clearly, the correctness and precision of the router's routing rules are vital to the protection a screened host firewall provides. If the router's routing rules are configured correctly, all data that needs protection is forwarded to the bastion host.
[Figure: correct routing, all traffic for the internal network forwarded to the bastion host]
  As can be seen, all data sent to the internal network is forwarded by the router to the bastion host, that is, the whole internal network is protected.
  If the routing table is wrong, external traffic is likely not to be forwarded to the bastion host.
[Figure: incorrect routing, traffic for the internal network forwarded past the bastion host]
  As shown above, because the router's routing rules forward data destined for the internal network to a host other than the bastion host, the entire internal network is left unprotected.
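A check for the routing-correctness point made above, written as an added example (Python, not code from the article). It models the router's forwarding table as a longest-prefix-match lookup and audits it: every route covering part of the internal network must point at the bastion host, and an internal prefix with no route of its own is reported too, since it would fall through to the default route. The tables, prefixes and the bastion host address are constructed from RFC 5737 documentation ranges.

```python
"""Forwarding-table check for a screened host firewall, as an added example
(not code from the article).  The router's table is modelled as
{prefix: next_hop} with longest-prefix-match lookup; inbound packets for the
internal network are protected only when their lookup resolves to the
bastion host.  audit_forwarding lists every entry that lets traffic bypass
it.  Addresses are constructed from the RFC 5737 documentation ranges.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

BASTION = "192.0.2.2"            # single-homed bastion host on the internal LAN
INTERNAL = ["192.0.2.0/24"]      # prefixes the bastion host is meant to screen


def lookup(table: Dict[str, str], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def audit_forwarding(table: Dict[str, str], internal: List[str],
                     bastion: str) -> List[Tuple[str, Optional[str]]]:
    """Return (prefix, next_hop) pairs through which internal-bound traffic
    would skip the bastion host: either a route inside an internal prefix
    with a different next hop, or an internal prefix with no route of its
    own, which then falls through to whatever the default route does."""
    nets = [ip_network(p) for p in internal]
    bad = []
    for prefix, next_hop in table.items():
        net = ip_network(prefix)
        if next_hop != bastion and any(net.subnet_of(n) for n in nets):
            bad.append((prefix, next_hop))
    for n in nets:
        hop = lookup(table, str(n.network_address))
        if hop != bastion and (str(n), hop) not in bad:
            bad.append((str(n), hop))
    return bad


# Correct table: every internal destination is handed to the bastion host.
GOOD_TABLE = {"0.0.0.0/0": "203.0.113.1", "192.0.2.0/24": BASTION}
# Wrong table: a more specific route delivers 192.0.2.16/28 directly,
# so hosts in that block receive external traffic the bastion host never saw.
BAD_TABLE = {"0.0.0.0/0": "203.0.113.1", "192.0.2.0/24": BASTION, "192.0.2.16/28": "direct"}

if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        print(name, "192.0.2.20 ->", lookup(table, "192.0.2.20"),
              "bypass:", audit_forwarding(table, INTERNAL, BASTION))
```

The more specific route is the case that is easy to miss by eye: the /24 entry still points at the bastion host, and only a longest-prefix-match lookup for an address inside the /28 reveals that those hosts are exposed.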

(3) Advantages and disadvantages

  • Advantages:
    1, relatively low cost
    2, high security
    3, the internal network is hidden to a certain extent
  • Disadvantages:
    1, the router is the security bottleneck
    2, no protection against spoofing from inside the internal network

Source: blog.csdn.net/fu_yunjian/article/details/105058552