[Network Security Study Notes 1] Firewall classification and their respective advantages and disadvantages

1. What is a firewall?

Firewall, also known as a protective wall, was invented by Gil Shwed, the founder of Check Point, in 1993 and introduced to the Internet (US5606668 (A), 1993-12-15). It is a network security system located between the internal network and the external network: an information security protection system that allows or restricts the transmission of data in accordance with specific rules. (Sogou Encyclopedia)

Through the firewall, the flow of information and data can be viewed effectively, and the upload and download speed of data can be monitored, which helps the user judge how the computer is being used. The internal state of the computer can also be viewed through the firewall; it can also start and stop programs, and the log function of the computer system is in fact the firewall's summary and ordering of the real-time security situation and daily traffic of the computer's internal system. (Baidu Encyclopedia)


2. Classification of firewalls

[Figure: classification of firewalls; image not reproduced]

1. Packet filtering firewall

Definition: In Linux the packet filtering function is built into the kernel (either as a kernel module or compiled in directly). Several techniques can be applied to a packet, but the most common is still to examine the packet header and decide the packet's fate from it.

Working mechanism: A packet filtering firewall makes an allow-or-deny decision for every packet it receives. It evaluates the header of each packet against the packet filtering rules; packets that match a rule are forwarded according to the routing information, otherwise they are discarded. Packet filtering is implemented at the IP layer and decides whether a packet may pass from header information such as source IP address, destination IP address, protocol type (TCP, UDP, ICMP), source port and destination port, together with the direction in which the packet is travelling. Its core technique is the access control list.

Advantages: fast, and able to handle a larger number of concurrent connections.

Disadvantages:

① Packets cannot be correlated with each other; return traffic must be admitted by additional explicit rules, which makes router filtering rule sets complicated and cumbersome to configure.

② It cannot follow multi-channel protocols (such as FTP, whose data connection is negotiated inside the control channel); only if the additional connection uses fixed ports can it be covered by extra rules.

③ Application-layer data is normally not inspected, so application-layer attacks go undetected.

④ It cannot stop IP spoofing, because it has no way to verify that a source address is genuine.

⑤ Control is static and fixed; TCP connection state is not tracked.

⑥ User authentication is not supported.

2. Proxy firewall

Definition: This type of firewall takes part in the whole course of a TCP connection through proxy technology. After an internal packet has been processed by the firewall, it appears to originate from the firewall's external network interface, which hides the structure of the internal network. Network security experts and the trade press have generally regarded this as the most secure type of firewall.

Working mechanism: As a forwarding channel that hides the user's identity or gets around access restrictions, the proxy server is widely used on networks. A complete proxy device consists of a server side and a client side: the server side receives a request from the user, then calls its own client side to open a connection to the target server on the user's behalf, and forwards the data returned by the target server back to the user; that is one proxy cycle. What happens if a filtering step is inserted between the server side and the client side of such a device? That idea produced the "application proxy" firewall, which is in effect a small transparent proxy server (Transparent Proxy) with data inspection and filtering. It does not simply embed packet filtering in a proxy device; it uses a newer technique called "application protocol analysis".

Application protocol analysis works at the highest layer of the OSI model, the application layer. All the data reachable at this layer is in its final form: the firewall "sees" the same data we see, rather than individual packets carrying raw address, port and protocol fields, so it can perform a more advanced inspection. The proxy firewall presents itself as a transparent link: from the point of view of the user and the outside line their connection is unobstructed, but the traffic on that connection is in fact relayed through the proxy firewall. When external data reaches the client side of the proxy firewall, the application protocol analysis module processes it according to the application-layer protocol and asks, through preset processing rules (yes, rules again; no firewall can do without them), whether the data is harmful. Because this layer is no longer a packet protocol with a limited set of field combinations, it can even recognize content such as "GET /sql.asp?id=1 and 1", so the firewall is not limited to judging by header information; it can "see" content and identify danger the way an administrator does when reading server logs. And because it works at the application layer, the firewall can restrict traffic in both directions: while filtering harmful data from the external network it also watches information leaving the internal network, and the administrator can configure identity verification and connection time limits to further reduce the risk of internal information leaking.

Finally, because the proxy firewall works through a proxy mechanism, communication between the internal and external networks must first be reviewed by the proxy server and is only then connected through by the proxy; the computers on the two sides never get to talk directly. This prevents intruders from using "data-driven" attacks (a message that passes packet filtering rules but, once it reaches the computer for processing, turns into malicious code that modifies system settings or user data) to get into the internal network. In this sense the "application proxy" is a more complete firewall technology than packet filtering.

Advantages: Because it works through a proxy, all communication between the internal and external networks is reviewed by the proxy server, which allows a far more thorough inspection of the data than header-based filtering.

Disadvantages: ① Processing is relatively slow and the number of concurrent connections it can handle is relatively small. ② Upgrading is difficult: every application protocol needs its own proxy module, so a new protocol cannot pass until one is written.
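The kind of inspection an application proxy performs, as an added example written for this page (Python; not code from the original post or from any proxy product). It reassembles one HTTP request, parses the request line, headers and form body, and applies rules at the application layer: an allowed-method list, a host allowlist standing in for the "two-way restriction" the text mentions, and a deliberately naive SQL-injection signature that catches the page's own "id=1 and 1" style of content. The allowed hosts, the signature and the sample requests are all assumptions constructed for the example; a packet filter, which sees only the IP/TCP headers of each packet, would pass every one of these requests as ordinary traffic to port 80.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Hypothetical policy for this added example: which methods the proxy will
# relay, and which internal host names it is willing to connect to on the
# client's behalf.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_HOSTS = {"www.example.internal"}

# A deliberately naive SQL-injection signature (illustration only, and prone
# to false positives): boolean tautology fragments, UNION SELECT, comment
# sequences and the statement separator.
SQLI_PATTERN = re.compile(
    r"\b(?:and|or)\b\s+\S+\s*=\s*\S+"     # ... and 1=1
    r"|\bunion\b\s+(?:all\s+)?select\b"    # UNION SELECT
    r"|--|/\*|;",                           # comments / stacked statements
    re.IGNORECASE,
)


@dataclass
class Verdict:
    allowed: bool
    reason: str


def parse_request(raw: bytes):
    """Split one HTTP/1.x request into (method, target, headers, body).

    This is the step a packet filter never performs: it sees only the IP and
    TCP headers of each packet, never the reassembled request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported version")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect_request(raw: bytes) -> Verdict:
    """Decide whether the proxy relays this request to the protected server."""
    try:
        method, target, headers, body = parse_request(raw)
    except (ValueError, UnicodeDecodeError):
        return Verdict(False, "malformed request")
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not permitted")
    if headers.get("host") not in ALLOWED_HOSTS:
        return Verdict(False, "host not in allowlist")
    # Parameters arrive percent-encoded; parse_qsl decodes them, so
    # "1%20and%201=1" is matched as "1 and 1=1", the form the server would see.
    fields = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        fields += parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    for name, value in fields:
        if SQLI_PATTERN.search(value):
            return Verdict(False, f"injection pattern in parameter {name!r}")
    return Verdict(True, "relay to origin")


# Constructed sample requests (not captured traffic).
BENIGN = (b"GET /sql.asp?id=1 HTTP/1.1\r\n"
          b"Host: www.example.internal\r\n\r\n")
INJECTED = (b"GET /sql.asp?id=1%20and%201=1 HTTP/1.1\r\n"
            b"Host: www.example.internal\r\n\r\n")
WRONG_HOST = b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n"
POSTED = (b"POST /login HTTP/1.1\r\nHost: www.example.internal\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 24\r\n\r\n"
          b"user=admin'--&password=x")

if __name__ == "__main__":
    for req in (BENIGN, INJECTED, WRONG_HOST, POSTED):
        print(req.split(b"\r\n", 1)[0].decode(), "->", inspect_request(req))
```

The decisive difference from packet filtering is the `parse_request` step: only after the stream has been reassembled and decoded can a rule talk about methods, hosts or parameter values at all, which is also why this kind of device is slower and needs a separate parser for every protocol it proxies.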

3. Stateful inspection firewall

Definition: A stateful inspection firewall has an inspection engine at the network layer that intercepts packets and extracts information related to the state of the application layer, and uses this to decide whether to accept or reject the connection. The technique adapts and scales well. Stateful inspection overcomes the limitations of both packet filtering firewalls and application proxies: it inspects more than just the "to" and "from" addresses, and it does not need a proxy for every application that is accessed.

Working mechanism: This is the third generation of firewall technology, able to inspect all layers of network communication. Like packet filtering, it checks incoming and outgoing packets by IP address, port number and TCP flags. It lets trusted clients establish direct connections with untrusted hosts. It does not depend on application-layer proxies; instead it relies on algorithms that recognize incoming and outgoing application-layer data by comparing packets against known patterns of legitimate traffic, which in theory can filter packets more effectively than an application-level proxy. The inspection module supports many protocols and applications and makes it easy to add new applications and services. It can also track RPC and UDP port information, which packet filtering and proxies do not handle. By monitoring every layer in this way the stateful inspector achieves its security goal. Stateful inspection firewalls are now the most widely used kind: they are transparent to users, can apply encryption at the top of the OSI stack, need no changes to client programs, and need no additional proxy for each service that has to run through the firewall.

Advantages:

① Good security

The stateful inspection firewall works between the data link layer and the network layer. It intercepts packets there because the data link layer is where the network card actually sits and the network layer is the first layer of the protocol stack proper, so the firewall is guaranteed to intercept and inspect every raw packet that passes through the network. When the firewall intercepts a packet it processes it as follows: first, according to the security policy, it extracts the useful information from the packet and keeps it in memory; then it combines the related information and performs some logical or arithmetic operations to reach a conclusion and act on it, for example letting the packet through, rejecting it, authenticating the connection or encrypting the data. Although the stateful inspection firewall works at the lower layers of the protocol stack, it inspects the packets of every application and extracts the useful information, such as IP addresses and port numbers, so security is greatly improved.

② High performance

The stateful inspection firewall works at the lower layers of the protocol stack, and every packet that passes through it is handled there; the upper layers of the stack do not process any packet, which removes the overhead of the higher-layer protocol headers and makes execution much more efficient. In addition, once a connection has been established in this kind of firewall, no further work is needed on that connection and the system can attend to other connections, so efficiency improves markedly.

③ Good scalability

Stateful inspection firewalls are unlike application gateway firewalls, where each application corresponds to a service program: the services that can be offered are limited, and when a new service is added a corresponding service program has to be developed for it, which reduces the scalability of the system. A stateful inspection firewall does not distinguish each specific application; it processes packets according to the information extracted from them together with the applicable security policy and filtering rules. When a new application appears, support for it can be generated dynamically without writing separate code, so the system extends and scales well.

④Easy configuration and wide application range

A stateful inspection firewall supports not only TCP-based applications but also applications built on connectionless protocols, such as RPC and UDP-based applications (DNS, WAIS, Archie and the like). In a connectionless protocol there is no distinction between a connection request and a response. Packet filtering firewalls and application gateways either do not support such applications at all or open a wide range of UDP ports, which exposes the internal network and reduces security. A stateful inspection firewall secures UDP-based applications by maintaining a virtual connection on top of the UDP exchange: the firewall records the state of each connection passing through the gateway, and a UDP request packet that is allowed through is recorded. When a UDP packet travels in the opposite direction, the firewall consults the connection state table to see whether it is authorized; if so it passes, otherwise it is rejected. If no response arrives within the configured time, the connection times out and is closed, so later packets for it are blocked. Because it can bound the lifetime of invalid connections, a stateful inspection firewall prevents large numbers of dead connections from tying up network resources and reduces the risk of DoS and DDoS attacks.

Disadvantages (caveats that follow from the session model):

① Return packets are released on the strength of the session entry alone, without any additional rule; the firewall's security therefore rests on the correctness of the session table, and the table itself is a finite resource that floods of connection attempts can exhaust.

② Only the first packet of a flow is matched against the rule set; subsequent packets that hit the session are forwarded directly. This is what makes later packets fast, but it also means that what an already-established session carries is not re-checked against the policy.
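Both models side by side, as an added example written for this page (Python; not code from the original post or from any firewall product): a stateless packet filter of the kind described in section 1 and a stateful inspector of the kind described in this section are run over the same constructed packet trace. The topology, addresses, rule set and timeout values are assumptions. The stateless filter has to keep permanent rules open for return traffic (any inbound TCP packet that is not a bare SYN, any inbound UDP from port 53), so it also passes an unsolicited ACK probe and a forged DNS reply; the stateful filter drops both because no session exists, forwards everything else on a session hit without consulting the rules again, and drops a genuine reply that arrives after the UDP virtual connection has timed out.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed topology for this example: trust side 10.0.0.0/24 with one web
# server published to the untrust side on TCP port 80.
SERVER = "10.0.0.80"


@dataclass(frozen=True)
class Packet:
    direction: str                   # "out": trust -> untrust, "in": untrust -> trust
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}
    t: float = 0.0                   # arrival time in seconds


def is_pure_syn(pkt: Packet) -> bool:
    return "SYN" in pkt.flags and "ACK" not in pkt.flags


# Stateless packet filter (section 1): every packet is judged on its own
# header fields.  Because packets are not correlated, replies to outbound
# connections can only get back in through permanent rules: "inbound TCP
# that is not a bare SYN" and "inbound UDP from port 53".  Those two rules
# are exactly what the probe packets in TRAFFIC abuse.
def stateless_filter(pkt: Packet) -> bool:
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp" and pkt.dst == SERVER and pkt.dport == 80:
        return True                       # published web server
    if pkt.proto == "tcp" and not is_pure_syn(pkt):
        return True                       # "established" heuristic on flags
    if pkt.proto == "udp" and pkt.sport == 53:
        return True                       # DNS replies, held open permanently
    return False


# Stateful inspection (section 3): only the first packet of a flow is matched
# against the policy; it creates a session entry, and later packets of that
# flow in either direction are forwarded on a session hit.  UDP gets a
# virtual connection that expires after a timeout.
class StatefulFilter:
    TIMEOUT = {"tcp": 3600.0, "udp": 30.0}   # assumed idle timeouts, seconds

    def __init__(self) -> None:
        self.sessions: Dict[Tuple, float] = {}   # initiator-oriented 5-tuple -> expiry

    @staticmethod
    def _key(pkt: Packet, reverse: bool = False) -> Tuple:
        if reverse:
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _policy(self, pkt: Packet) -> bool:
        """Rule lookup; only ever consulted for the first packet of a flow."""
        if pkt.proto == "tcp" and not is_pure_syn(pkt):
            return False                  # mid-stream TCP with no session
        if pkt.direction == "out":
            return True                   # trust may initiate anything
        return pkt.proto == "tcp" and pkt.dst == SERVER and pkt.dport == 80

    def process(self, pkt: Packet) -> str:
        """Return "session" (fast path), "new" (policy allowed) or "drop"."""
        for key in (self._key(pkt), self._key(pkt, reverse=True)):
            expiry = self.sessions.get(key)
            if expiry is None:
                continue
            if pkt.t < expiry:
                self.sessions[key] = pkt.t + self.TIMEOUT[pkt.proto]
                return "session"
            del self.sessions[key]        # idle too long: forget the flow
        if self._policy(pkt):
            self.sessions[self._key(pkt)] = pkt.t + self.TIMEOUT[pkt.proto]
            return "new"
        return "drop"


def compare(traffic: List[Packet]) -> List[Tuple[bool, str]]:
    """Run both filters over one trace; returns (stateless, stateful) per packet."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.process(p)) for p in traffic]


# Constructed packet trace (not captured traffic), in arrival order.
TRAFFIC = [
    Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.9", 443, frozenset({"SYN"}), 0.0),
    Packet("in", "tcp", "203.0.113.9", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), 0.1),
    Packet("in", "tcp", "198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"ACK"}), 1.0),   # ACK probe
    Packet("out", "udp", "10.0.0.5", 5353, "203.0.113.53", 53, frozenset(), 2.0),       # DNS query
    Packet("in", "udp", "203.0.113.53", 53, "10.0.0.5", 5353, frozenset(), 2.05),        # real reply
    Packet("in", "udp", "198.51.100.7", 53, "10.0.0.5", 5353, frozenset(), 3.0),         # forged reply
    Packet("in", "tcp", "198.51.100.7", 5555, SERVER, 80, frozenset({"SYN"}), 5.0),      # to web server
    Packet("in", "udp", "203.0.113.53", 53, "10.0.0.5", 5353, frozenset(), 40.0),        # after timeout
]

if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={'pass' if stateless else 'drop'}  stateful={stateful}")
```

The session table is the whole difference: the stateless filter passes all eight packets because its rules can only describe headers, while the stateful filter answers "new" for the three packets that went through the policy, "session" for the two legitimate replies, and "drop" for the ACK probe, the forged DNS reply and the reply that arrived after the 30-second UDP timeout. The same table is also the resource that connection floods aim at, which is the caveat listed above.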

4. Common firewall deployment structure

[Figure: common firewall deployment structures; image not reproduced]

5. The security zone of the firewall

A firewall's interfaces are divided into four kinds of security zones. Each zone has a priority; the higher the priority, the more trusted the zone (these values match the default zones of Huawei USG-series firewalls, where traffic from a higher-priority zone to a lower-priority one is called outbound and the reverse inbound).
1. Local zone, priority 100: the firewall's own zone.
2. Trust zone, priority 85: generally connected to trusted networks.
3. Untrust zone, priority 5: generally connected to untrusted networks.
4. DMZ zone, priority 50: the quarantine area for servers that must be exposed (such as web servers and FTP servers).

[Figure: firewall security zones; image not reproduced]


Origin blog.csdn.net/suancaiyufei/article/details/109646083