Firewall overview
A system of software and hardware that sits between a trusted (secure) network and an untrusted network and filters data flows according to access control rules set by the system administrator.
- Powerless against internal attacks and against connections that bypass the firewall
How a firewall handles a data flow
- Allow: the data flow passes through
- Deny (reject): the flow is refused and a message is returned to the sender saying that it was rejected
- Discard (drop): the packets are discarded without further processing and nothing is sent back to the sender
Requirements a firewall must meet
- All traffic entering and leaving the network must pass through the firewall
- Only authorized traffic is allowed through the firewall
- The firewall itself is immune to intrusion
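An added example (not part of the original notes) showing the three verdicts above in a minimal first-match packet filter: the rule set, the host addresses and the reply types are constructed assumptions, and unlisted traffic falls through to a default deny that silently drops, which is how "only authorized traffic is allowed" is enforced.

```python
"""Minimal static packet filter: first matching rule wins, default policy is DROP."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCEPT, REJECT, DROP = "ACCEPT", "REJECT", "DROP"


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: Optional[str] = None        # None = any protocol
    dport: Optional[int] = None        # None = any port
    src_prefix: Optional[str] = None   # naive textual prefix match, e.g. "10.0.0."

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix)))


# Constructed rule set (assumption): inbound traffic toward a server at 192.0.2.10.
RULES: List[Rule] = [
    Rule(ACCEPT, proto="tcp", dport=443),                       # public HTTPS
    Rule(ACCEPT, proto="tcp", dport=22, src_prefix="10.0.0."),  # SSH only from the admin LAN
    Rule(REJECT, proto="tcp", dport=22),                        # tell other SSH clients explicitly
    # No catch-all rule: anything not listed is dropped by the default policy below.
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return (verdict, reply_to_sender).

    reply_to_sender is None for ACCEPT and DROP; only REJECT answers the sender,
    with a TCP reset for TCP and an ICMP port-unreachable for anything else.
    """
    for rule in rules:
        if rule.matches(p):
            if rule.action == REJECT:
                reply = "tcp-reset" if p.proto == "tcp" else "icmp-port-unreachable"
                return REJECT, reply
            return rule.action, None
    return DROP, None  # default deny: unauthorized traffic is discarded silently
```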
Types and Structure of Firewalls
- First generation: packet-filtering firewall
- Second generation: circuit-level gateway
- Third generation: application-level gateway
- Fourth generation: dynamic packet filtering
- Fifth generation: kernel proxy / adaptive proxy
Classification
- Packet-filtering firewall
- Circuit-level gateway
- Application-level gateway
Design structures
- Static packet filtering
- Dynamic packet filtering
- Circuit-level gateway
- Application-level gateway
- Stateful inspection packet filtering
- Switch proxy
- Air gap (physical separation)
Firewalls are usually built on the TCP/IP model; there is no one-to-one correspondence between the layers of the OSI model and those of the TCP/IP model.
Network Address Translation (NAT)
- Advantage of NAT: hides the internal topology and improves network security
- Static NAT: a fixed one-to-one mapping between an internal network address and an external Internet IP address
- Dynamic NAT: internal addresses are mapped to whichever Internet IP address is currently free in a limited pool (range) of addresses
- PAT (port address translation): during translation not only the network address but also the protocol port is changed
- SNAT (source network address translation): when an internal user with a private address accesses the Internet, the source address in the IP header must be translated into a legal (routable) Internet address
- DNAT: destination network address translation