Summary of the re-examination module for the Shanghai Jiao Tong University postgraduate entrance examination: firewall technology

Since opening this series last time, I have been introducing the mainstream technologies of information security one at a time. The previous post covered cryptography; today's topic is firewall technology.

Firewall technology

A firewall is a combination of software and/or hardware devices placed between two networks with different trust levels. It is essentially an access-control and isolation technology. It requires that:
  • all traffic entering or leaving the network passes through it, and all traffic passing through it is subject to the audit and authorization of the security policy;
  • it records information about connections and server traffic;
  • it records any intrusion attempts so that the administrator can detect and trace them.
The firewall is therefore not a single program or device but a complete system that provides both a security policy and the means of enforcing it.

Main functions of the firewall

  • Restrict entry to the network to a single, controlled point
  • Prevent intruders from getting close to other defensive measures
  • Restrict exit from the network to a single, controlled point

The purpose of deploying a firewall is to create a single channel between the internal and external networks, keeping unwanted and unauthorized traffic from the unprotected network out of the private network while still letting local users reach the Internet; concentrating traffic at one point also simplifies the security management of the network.

Classification of firewall technology

1. Technical classification

The technologies currently used by firewalls are mainly packet filtering, application gateways, and proxy services.

  • Packet filtering technology
    Packet filtering is the earliest firewall technology. It works at the network layer and the transport layer and uses the data of those two layers as its object of inspection. A packet filter intercepts every IP packet that flows through it and takes the information it needs from the IP header, the transport-layer protocol header and (in some implementations) the application-layer payload. The packet-filtering firewall is configured with an access control list; it applies the list's filtering rules to every packet received or sent and then decides whether to forward or discard it. The firewall is generally configured for bidirectional filtering, and the rules are written in terms of fields in the packet: source IP address, destination IP address, source port, destination port, IP protocol number, and the interface on which the packet arrived.
    Attacks it can resist: one type of IP spoofing, namely an external host masquerading with the IP address of an internal host (a packet arriving on the external interface with an internal source address is dropped).
    In practice the packet-filtering firewall is usually the network's first line of defense.
    Advantages:

    • For a small, not very complex site, packet filtering is easy to implement.
    • Because the filtering router works at the IP and TCP layers, it processes packets faster than a proxy server.
    • Filtering routers are transparent to users: no client application has to change and nobody has to learn anything new.
    • Filtering routers are generally cheaper than proxy servers.

    Disadvantages:

    • Some packet-filtering gateways do not support effective user authentication.
    • The rule table quickly becomes large and complex, and the rules are hard to test. As the table grows and its complexity increases, so does the chance of a loophole in the rule structure.
    • The biggest flaw of this kind of firewall is that it relies on a single component to protect the system. If that component fails, the door to the network is open, and the user may not even know it.
    • In general, once an external user is allowed to reach one internal host, it can reach any host on the internal network.
    • A packet-filtering firewall can stop only one type of IP spoofing, an external host masquerading as an internal host. It cannot stop an external host masquerading as another external host, and it cannot stop DNS spoofing.
  • Application gateway
    An application-gateway firewall performs protocol filtering and forwarding at the application layer. It applies filtering logic written for a specific network application protocol, and while filtering it registers, counts and analyses the packets and produces log reports. What packet-filtering and application-gateway firewalls have in common is that both rely only on a fixed piece of logic to decide whether a packet may pass. Once that logic is satisfied, the computers inside and outside the firewall establish contact directly, so an outside user may learn the structure and operating state of the intranet. This method therefore cannot fully prevent illegal access and attacks.
    Attacks it can resist: it can stop disallowed network services and rarely used applications from establishing contact with the internal network and so leaking sensitive internal information.

  • Proxy service
    The proxy service was introduced to address the shortcomings of packet-filtering and application-gateway firewalls. It splits every communication link that crosses the firewall into two segments, and a proxy server, in software, implements the application-layer connection between the computer systems inside and outside the firewall.
    Figure 1
    Attacks it can resist: it can effectively prevent illegal access and attacks, because no direct connection ever exists between the two sides.

An ideal firewall generally does not rely on one technology alone but combines packet filtering with proxy servers, so that the two complement each other in security, performance and transparency, and the system as a whole gains both higher security and better performance.
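As an added example (not code from the original post), here is a stateless packet filter in Go that implements the access-control-list behaviour described above for a hypothetical site: internal network 10.0.0.0/8 behind interface `int`, a DMZ web server at 10.0.1.10, and `ext` as the Internet-facing interface. All addresses, interface names and rule names are constructed for the example; the filter evaluates rules first-match with a default of deny, and the first rule is the anti-spoofing check that drops packets arriving from the Internet with an internal source address.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Verdict is what the filter decides for one packet.
type Verdict int

const (
	Deny Verdict = iota
	Allow
)

func (v Verdict) String() string {
	if v == Allow {
		return "ALLOW"
	}
	return "DENY"
}

// Packet holds only the fields a stateless filter inspects: the arrival
// interface plus the IP and transport headers.
type Packet struct {
	Iface            string // "ext" (Internet side) or "int" (internal side)
	Proto            string // "tcp", "udp" or "icmp"
	Src, Dst         netip.Addr
	SrcPort, DstPort uint16 // 0 for protocols without ports
}

// Rule is one entry of the access control list; zero-valued fields match anything.
type Rule struct {
	Name     string
	Iface    string
	Proto    string
	Src, Dst netip.Prefix
	DstPort  uint16
	Action   Verdict
}

func (r Rule) matches(p Packet) bool {
	if r.Iface != "" && r.Iface != p.Iface {
		return false
	}
	if r.Proto != "" && r.Proto != p.Proto {
		return false
	}
	if r.Src.IsValid() && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst.IsValid() && !r.Dst.Contains(p.Dst) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// Filter evaluates rules first-match; a packet matching no rule gets Default.
type Filter struct {
	Rules   []Rule
	Default Verdict
}

// Decide returns the verdict and the name of the rule that produced it.
func (f Filter) Decide(p Packet) (Verdict, string) {
	for _, r := range f.Rules {
		if r.matches(p) {
			return r.Action, r.Name
		}
	}
	return f.Default, "default"
}

// DemoFilter is the ACL for the hypothetical site (addresses are constructed):
// internal network 10.0.0.0/8, DMZ web server 10.0.1.10, Internet on "ext".
func DemoFilter() Filter {
	internal := netip.MustParsePrefix("10.0.0.0/8")
	return Filter{
		Default: Deny, // default deny: anything not explicitly allowed is dropped
		Rules: []Rule{
			// Anti-spoofing: traffic arriving from the Internet must never carry an
			// internal source address. This is the one kind of IP spoofing a packet
			// filter can stop, because the arrival interface contradicts the source.
			{Name: "anti-spoof", Iface: "ext", Src: internal, Action: Deny},
			// Publish only the DMZ web server to the outside world.
			{Name: "dmz-http", Iface: "ext", Proto: "tcp",
				Dst: netip.MustParsePrefix("10.0.1.10/32"), DstPort: 80, Action: Allow},
			// Internal hosts may open HTTPS connections to the Internet.
			{Name: "int-https", Iface: "int", Proto: "tcp", Src: internal, DstPort: 443, Action: Allow},
		},
	}
}

func main() {
	f := DemoFilter()
	dmz := netip.MustParseAddr("10.0.1.10")
	for _, p := range []Packet{
		{Iface: "ext", Proto: "tcp", Src: netip.MustParseAddr("10.0.0.5"), Dst: dmz, SrcPort: 4444, DstPort: 80},
		{Iface: "ext", Proto: "tcp", Src: netip.MustParseAddr("198.51.100.7"), Dst: dmz, SrcPort: 4444, DstPort: 80},
		{Iface: "ext", Proto: "tcp", Src: netip.MustParseAddr("198.51.100.7"), Dst: dmz, SrcPort: 4444, DstPort: 22},
	} {
		v, name := f.Decide(p)
		fmt.Printf("%s %s %s:%d -> %s:%d  %s (%s)\n", p.Iface, p.Proto, p.Src, p.SrcPort, p.Dst, p.DstPort, v, name)
	}
}
```

The first packet claims internal source 10.0.0.5 but arrives on `ext`, so the anti-spoof rule drops it. The second is a legitimate request to the DMZ web server and is allowed; note that a packet whose real sender is some other Internet host but which forges the source 198.51.100.7 looks identical to the filter, which is exactly the limitation listed above (external host masquerading as another external host). The third hits no allow rule and falls to the default deny.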
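An added example, not part of the original post, of the two-segment design of the proxy service described above: a tiny HTTP proxy in Go that reads and parses the client's request on one connection, checks it against an application-layer policy, and only for permitted requests opens a separate connection to the server and relays the reply. The host names, the policy and the in-memory upstream responder are constructed for the example; in real use `Dial` would wrap `net.Dial`.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

// Policy is the proxy's application-layer rule set (host names are constructed).
type Policy struct {
	Methods map[string]bool
	Hosts   map[string]bool
}

// Check returns nil when the parsed request satisfies the policy.
func (p Policy) Check(req *http.Request) error {
	if !p.Methods[req.Method] {
		return fmt.Errorf("method %s not permitted", req.Method)
	}
	if !p.Hosts[req.Host] {
		return fmt.Errorf("host %q not permitted", req.Host)
	}
	return nil
}

// Proxy terminates the client's connection, inspects the request at the
// application layer and only then opens a second connection to Upstream via
// Dial (net.Dial in real use, an in-memory pipe here). Handle is called
// sequentially in this demo; guard Log with a mutex if it runs concurrently.
type Proxy struct {
	Policy   Policy
	Upstream string
	Dial     func(addr string) (net.Conn, error)
	Log      []string
}

// Handle serves one client connection (segment 1) and relays the request over a
// fresh upstream connection (segment 2); the two hosts never share a socket.
func (p *Proxy) Handle(client net.Conn) {
	defer client.Close()
	req, err := http.ReadRequest(bufio.NewReader(client))
	if err != nil {
		p.Log = append(p.Log, fmt.Sprintf("DROP unparseable request: %v", err))
		return
	}
	target := req.Method + " " + req.Host + req.URL.Path
	if err := p.Policy.Check(req); err != nil {
		p.Log = append(p.Log, fmt.Sprintf("DENY %s: %v", target, err))
		io.WriteString(client, "HTTP/1.1 403 Forbidden\r\nContent-Length: 17\r\nConnection: close\r\n\r\nblocked by proxy\n")
		return
	}
	server, err := p.Dial(p.Upstream)
	if err != nil {
		p.Log = append(p.Log, fmt.Sprintf("ERROR %s: dial %s: %v", target, p.Upstream, err))
		return
	}
	defer server.Close()
	req.Header.Set("Connection", "close") // one request per upstream connection
	if err := req.Write(server); err != nil {
		p.Log = append(p.Log, fmt.Sprintf("ERROR %s: forward: %v", target, err))
		return
	}
	n, _ := io.Copy(client, server) // relay the response back over segment 1
	p.Log = append(p.Log, fmt.Sprintf("ALLOW %s -> %s (%d response bytes)", target, p.Upstream, n))
}

// PipeUpstream stands in for the real server: a minimal HTTP/1.1 responder
// reached through net.Pipe, so the example runs with no network at all.
func PipeUpstream() func(string) (net.Conn, error) {
	return func(string) (net.Conn, error) {
		c, s := net.Pipe()
		go func() {
			defer s.Close()
			if req, err := http.ReadRequest(bufio.NewReader(s)); err == nil {
				body := "upstream saw " + req.Method + " " + req.URL.Path + "\n"
				fmt.Fprintf(s, "HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s", len(body), body)
			}
		}()
		return c, nil
	}
}

// ThroughProxy plays the internal client: one request into the proxy over an
// in-memory connection; returns the status code and body the proxy sent back.
func ThroughProxy(p *Proxy, method, url string) (int, string, error) {
	clientSide, proxySide := net.Pipe()
	done := make(chan struct{})
	go func() { p.Handle(proxySide); close(done) }()
	defer func() { clientSide.Close(); <-done }()
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return 0, "", err
	}
	if err := req.Write(clientSide); err != nil {
		return 0, "", err
	}
	resp, err := http.ReadResponse(bufio.NewReader(clientSide), req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body)), err
}

// DemoPolicy: internal users may only GET or HEAD from intranet.example.
func DemoPolicy() Policy {
	return Policy{Methods: map[string]bool{"GET": true, "HEAD": true}, Hosts: map[string]bool{"intranet.example": true}}
}

func main() {
	p := &Proxy{Policy: DemoPolicy(), Upstream: "intranet.example:80", Dial: PipeUpstream()}
	for _, c := range [][2]string{{"GET", "http://intranet.example/hello"}, {"DELETE", "http://intranet.example/hello"}, {"GET", "http://evil.example/"}} {
		code, body, err := ThroughProxy(p, c[0], c[1])
		fmt.Printf("%s %s -> %d %q err=%v\n", c[0], c[1], code, body, err)
	}
	for _, line := range p.Log {
		fmt.Println(line)
	}
}
```

The point to notice is in `Handle`: the server connection is only dialled after the request has been fully parsed and approved, and the client only ever sees bytes the proxy chose to relay. That is what makes the internal structure invisible to the outside, in contrast to the packet filter and application gateway, where the two end hosts talk to each other directly once the rule logic is satisfied. The log lines are the "registration, statistics and analysis" the text mentions, produced from parsed fields rather than raw packets.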

2. Structural classification

From the perspective of deployment architecture, firewalls can be divided into the dual-homed host architecture, the screened host architecture and the screened subnet architecture.

  • Dual-homed host architecture
    A dual-homed host has two network interfaces: one connected to the internal network, the other to the external network. The two networks cannot communicate directly; they can communicate only through an application-layer proxy running on the host. The dual-homed host firewall is simple in structure and easy to implement, but it is also fragile: once the host is compromised, the internal network is wide open to the intruder.
    Figure 2
  • Screened host architecture
    The screened host architecture builds the firewall from a screening router and a bastion host. A bastion host is a computer that has been hardened to withstand attack. The screening router must ensure that all inbound traffic is delivered to the bastion host first, and that only outbound traffic originating from the bastion host is accepted. Other internal hosts can reach the outside only via the bastion host. If the screening router is bypassed or broken through, the whole network is open to the intruder.
    Figure 3
  • Screened subnet architecture
    The screened subnet architecture adds a perimeter network (also called a demilitarized zone, DMZ) that isolates the intranet from the Internet, further protecting the bastion host: by placing the bastion host on the perimeter network, attacks from the external network against it are weakened.
    Figure 4
The demilitarized zone (DMZ) is a measure network administrators take to keep communication with the outside world while protecting the network. The DMZ is part of the company network, but it sits outside the inner firewall boundary and is the entry point into the network. Servers that must often be reached from the Internet, such as web servers and e-mail servers, are placed in the DMZ. This satisfies the external access requirement while avoiding the security problems that frequent external access to the internal network would bring.

Figure 5

Advantages of firewalls

  • A firewall defines a single choke point that keeps unauthorized users out of the protected network, blocks potential threats from entering or leaving it, and provides protection against IP spoofing and routing attacks. Having a single choke point simplifies security management, because the security of one or several systems is consolidated in one place.
  • A firewall is a place to monitor security-related events; the firewall system can perform audits and raise alarms.
  • A firewall is a convenient platform for some Internet functions unrelated to security, such as network address translation.
  • A firewall can serve as a platform for IPsec.

Disadvantages of firewalls

  • A firewall cannot stop attacks that bypass it.
  • A firewall cannot fully protect against insider threats.
  • An inadequately secured wireless LAN may be reached from outside the organization.
  • Laptops, handheld computers (PDAs) or portable storage devices may be used and infected outside the network and then connected to and used on the intranet.
  • A firewall cannot stop the transfer of virus-infected software or files.
  • A firewall cannot stop data-driven attacks.
Finally, a short exam question: draw a diagram and briefly describe the process of distributing a symmetric key using public-key encryption.

[Analysis]
The question is about distributing a symmetric key. To keep the symmetric key secret in transit, it is protected with public-key encryption so that it cannot leak. The distribution process is shown in the figure below:
Figure 6

When Bob wants to send a symmetric key to Alice:
  • Bob prepares the message, which here is the symmetric key to be distributed
  • Bob encrypts that key with a one-time conventional session key
  • Bob encrypts the session key with Alice's public key, using public-key encryption
  • Bob attaches the encrypted session key to the encrypted message and sends both to Alice; Alice uses her private key to recover the session key and then uses the session key to recover the symmetric key
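As an added example (not from the original post), the four steps above carried out in Go with Alice's decryption side included: the symmetric key K is sealed under a one-time session key Ks with AES-256-GCM, and Ks is encrypted for Alice with RSA-OAEP. The OAEP label, the key sizes and the sample keys are choices made for this example; only Alice's private key unwraps Ks, and any change to the envelope fails GCM's authentication check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the RSA-OAEP ciphertext to its purpose (an arbitrary choice
// for this example; both sides must use the same label).
var oaepLabel = []byte("one-time session key")

// Envelope is what Bob sends to Alice: the symmetric key K sealed under a
// one-time session key Ks, plus Ks encrypted under Alice's public key.
type Envelope struct {
	WrappedSessionKey []byte // RSA-OAEP(Alice_pub, Ks)
	Nonce             []byte // AES-GCM nonce used to seal K
	SealedKey         []byte // AES-GCM(Ks, K), including the authentication tag
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Distribute is Bob's side of the exchange, following the four steps above.
func Distribute(alicePub *rsa.PublicKey, symmetricKey []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // fresh one-time session key Ks (AES-256)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, symmetricKey, nil) // step 2: encrypt K under Ks
	// step 3: encrypt Ks under Alice's public key
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, alicePub, sessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	// step 4: the encrypted session key travels together with the encrypted message
	return &Envelope{WrappedSessionKey: wrapped, Nonce: nonce, SealedKey: sealed}, nil
}

// Receive is Alice's side: recover Ks with her private key, then K with Ks.
// Any other private key, or any tampering with the envelope, yields an error.
func Receive(alicePriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, alicePriv, env.WrappedSessionKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.SealedKey, nil)
}

// NewKeyPair generates a 2048-bit RSA key pair for one party.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func main() {
	alice, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	k := make([]byte, 32) // the symmetric key Bob wants to share (constructed at random)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	env, err := Distribute(&alice.PublicKey, k)
	if err != nil {
		panic(err)
	}
	got, err := Receive(alice, env)
	fmt.Printf("Alice recovered Bob's key: %v (err=%v)\n", string(got) == string(k), err)
	env.SealedKey[0] ^= 0xff // a tampered envelope is rejected by GCM's tag check
	_, err = Receive(alice, env)
	fmt.Printf("tampered envelope rejected: %v\n", err != nil)
}
```

Encrypting the session key rather than the symmetric key directly is what the figure shows; the extra layer costs one RSA operation and lets the same pattern carry an arbitrarily long message, since RSA-OAEP can only encrypt a short payload. GCM is used for the inner layer so that Alice also learns whether the envelope was altered in transit, which plain encryption alone would not tell her.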
Welcome to follow WeChat public account: Honey Orange! You can talk about electronic products and postgraduate entrance examinations. Welcome to come and play with me!

Figure 7

Source: blog.csdn.net/loveCC_orange/article/details/105189631