Chapter 8 Principles and Applications of Firewall Technology
Firewall overview
- Firewall concept
- According to the security trust level of the network and the objects to be protected, a number of security zones are artificially divided
- Public external network, internet
- Intranet, a company’s private network, network access is restricted to the organization
- Extranet, used for communication between organizations and partners
- Military buffer zone, DMZ, between the internal network and the external network, where public service equipment is placed to provide services to the outside
- According to the security trust level of the network and the objects to be protected, a number of security zones are artificially divided
- How firewalls work
- Control the network packets flowing through the firewall according to certain security rules, (prohibit or forward), and act as a network security barrier
- Two security strategies:
- Whitelist policy: Only allow packets that meet the security rules to pass, and prohibit other communication packets
- Blacklist policy: Prohibit packets that conflict with security rules from passing, and allow other packets
- Features:
- Filter non-secure network access
- Restrict network access: only allow access to specified hosts or network services
- Network access audit
- Network bandwidth control
- Coordinated defense
- Firewall security risks
- Network security bypass. Only access control to network communication packets through it
- The firewall function is flawed, causing some network threats to be unable to block
- Can not completely prevent virus-infected software or file transfer
- Can't prevent data-driven attacks
- Cannot completely prevent backdoor attacks, such as covert passages
- The firewall security mechanism forms a single point of failure and privilege threats, and its own loss is extremely harmful
- Firewall cannot effectively prevent internal threats and internal network penetration
- Firewall effectiveness is limited by security rules
- Firewall development
- Firewall control granularity continues to be refined
- Check security features continue to be enhanced
- More detailed product classification
- Intelligent enhancement
Firewall type and implementation technology
-
Classification based on firewall product form
- Software firewall
- Hardware firewall
-
Based on firewall application field classification
- Internet Firewall
- Web firewall
- Industrial firewall
-
Firewall implementation technology
-
Packet filtering
- The firewall technology implemented at the IP layer (network layer) determines whether the packet is allowed to pass through according to the packet header information such as the source IP address, destination IP address, source port, destination port, and packet transfer direction .
- Control basis: rule set. The filtering rule representation format consists of three parts: "rule number, matching condition, and matching operation".
- Advantages: low load, high pass rate, transparent to users
- Weaknesses: Can not filter at the user level, IP masquerading bypass
-
Condition checking technology
-
A mechanism for network access by using the state information of TCP sessions and UDP "pseudo" sessions
-
-
Application Service Agent
-
Instead of the host of the protected network, send a service request to the external network and return the response result. Provide network security access control at the application level
-
advantage:
- Do not allow external hosts to directly access internal hosts
- Support multiple user authentication schemes
- Can analyze the application commands inside the data packet
- Can provide detailed audit records
Disadvantages:
- Slower than packet filtering
- Opaque to users
- Associated with specific application protocols, the proxy server cannot support all network protocols
-
-
Network address translation technology
- There are three main ways to achieve network address translation:
- Static NAT : Each internal host is permanently mapped to a legal address on the external network
- NAT pool : use dynamic allocation method to map the internal network
- Port NAT (PAT) : Map internal addresses to different ports of an IP address on the external network
- There are three main ways to achieve network address translation:
-
Web firewall technology
- A network security mechanism used to protect Web servers and Web applications.
- Principle: According to the pre-defined rules, the HTTP protocol and content are filtered for all Web servers and servers that you want to use.
-
Database firewall technology
- A network security mechanism for users to protect database servers
- Principle: Based on in- depth analysis of data communication protocols and virtual patch technology , secure access control to database access operations and communications
-
Industrial firewall technology
-
A network security mechanism for protecting industrial equipment and systems
-
Principle: Through the in- depth analysis of the industrial control protocol , the request and response of access to the industrial control equipment are monitored to realize the safety isolation of the industrial control network and the safety protection of the on-site operation
-
Industrial control protocol: Modbus TCP, IEC61850, OPC, Ethernet/IP and DNP3 protocol
-
-
Next-generation firewall technology
- In addition to traditional firewall functions, it also has:
- Application identification and control
- Intrusion Prevention (IPS)
- Data leakage prevention
- Malicious code protection
- URL classification and filtering
- Bandwidth management and Qos optimization
- Encrypted communication analysis
- In addition to traditional firewall functions, it also has:
-
Common key technologies of firewalls
- Deep Packet Inspection (DPI): Check and analyze the data content and header information of the packet, and use methods such as pattern (feature) matching and protocol anomaly detection
- operating system
- Network protocol analysis
-
Main technical indicators and products of firewall
-
Main firewall products
- Network firewall, Web application firewall, database firewall, host firewall, industrial control firewall, next-generation firewall, home firewall
-
Main technical indicators of firewall
-
Safety function requirements
-
Performance requirements: maximum throughput, maximum connection rate, maximum number of rules, number of concurrent connections
-
Safety assurance requirements: mainly including development, guidance documents, life cycle support, testing, vulnerability assessment
-
Environmental adaptability requirements
-
Firewall's own security requirements
-
Firewall technology application
- Firewall application scenario type
- Internet protection , website protection , data protection, network boundary protection , terminal protection, network security emergency response
- Basic method of firewall deployment
- According to security policy requirements, divide the network into several security areas
- Set up access control points for network traffic between security zones
- According to the communication business requirements of different access control points, formulate corresponding border security strategies
- According to the border security strategy of the control point, adopt appropriate firewall technology and defense structure
- On the firewall, configure the corresponding network security strategy
- Test to verify whether the border security policy is executed normally
- Run and maintain the firewall
- Case
- Refer to P176-P82 for IPtables firewall application reference, Web application firewall application reference, packet filtering firewall application reference, and industrial control firewall application reference