Information security: Principles and applications of firewall technology.

A firewall is an important technology for protecting the boundaries of network security zones. To deal with network threats, networked institutions and companies isolate their own networks from public, untrusted networks. The method is to divide the network into a number of security zones according to the degree of security trust placed in each network and the objects that need to be protected. These security zones include: the public external network; the intranet; the extranet (an extension of the intranet, often used for communication between an organization and its partners); and the demilitarized zone, referred to as the DMZ. A firewall is generally installed at the boundary between different security zones to control the security of network communication, and consists of dedicated hardware or software systems.


Table of contents:

Firewall overview:

Firewall security risks:

(1) Network security bypass:

(2) Firewall functional limitations leave some network threats unblocked:

(3) The firewall security mechanism creates a single point of failure and privilege threats:

(4) Firewalls cannot effectively prevent internal threats:

(5) Firewall effectiveness is limited by security rules:

Firewall development:

(1) Firewall control granularity is continuously refined:

(2) Inspection and security functions are continuously enhanced:

(3) Product classification is more refined:

(4) Intelligent enhancement:

Firewall types and implementation technologies:

(1) Packet filtering:

(2) Stateful inspection technology:

(3) Application service proxy:

(4) Network Address Translation Technology (NAT):

(5) Web firewall technology:

(6) Database firewall technology:

(7) Industrial control firewall technology:

(8) Next-generation firewall technology:

(9) Common key technologies for firewalls:

Main firewall products and technical indicators:

(1) Main firewall products:

(2) Main technical indicators of firewall:

Firewall defense architecture types:

(1) Dual-homed host firewall structure:

(2) Proxy-based firewall structure:

(3) Firewall structure based on shielded subnets:

Firewall technology applications:

(1) Firewall application scenario types:

(2) Basic firewall deployment method:


Firewall overview:

◆ A firewall is a network access controller composed of software and hardware. It controls the network packets flowing through it according to defined security rules, for example by prohibiting or forwarding them, and can shield the information, topology and operating status inside the protected network, thereby acting as a network security barrier. Firewalls are generally used to isolate an internal network from the Internet or other external networks, restrict mutual network access, and protect the security of the internal network.
◆ There are two types of firewall security policies :
   
▶  Whitelist policy : Only packets that comply with security rules are allowed to pass through the firewall, and other communication packets are prohibited ;
   
▶  Blacklist policy : Packets that conflict with security rules are prohibited from passing through the firewall, and other communication packets are allowed ;

The functions of firewall mainly include the following aspects:

▶  Filter non-secure network access: Set the firewall so that only pre-permitted services and users can pass through the firewall;
   
▶  Restrict network access : Used to restrict hosts in the protected network from accessing certain services on the external network, such as certain bad URLs.
   

▶ Network access auditing : The firewall is the only network channel between the external network and the protected network, and can record all access through it and provide statistics on network usage.

▶ Network bandwidth control : The firewall can control the allocation and use of network bandwidth to achieve partial network quality of service (QoS) guarantee.
  
▶  Collaborative defense : Firewalls and intrusion detection systems realize linkage through the exchange of information to enhance network security;

Firewall security risks:

(1) Network security bypass:

◆ The firewall can only control access for network communication packets that pass through it; it can do nothing about network communication that bypasses it;

(2) Firewall functional limitations leave some network threats unblocked:

◆ Firewalls cannot completely prevent the transfer of virus-infected software or files, because there are far too many kinds of viruses, operating systems, and encrypted and compressed binaries to inspect;

◆ Firewalls cannot protect against data-driven attacks. A data-driven attack occurs when seemingly innocuous data is mailed or copied to a host and then executed to launch the attack; the firewall can do nothing about it;

◆ Firewalls cannot completely prevent backdoor attacks. A firewall is a coarse-grained network access control; some backdoors based on network covert channels, such as HTTP tunnels, can bypass its control;


(3) The firewall security mechanism creates a single point of failure and privilege threats:

◆ The firewall sits between different network security zones. All communication between zones passes through the firewall and is controlled by it, so the firewall holds a security privilege. Once the firewall's own security management fails, it becomes a single point of failure for the network and that security privilege is lost;

(4) Firewalls cannot effectively prevent internal threats:

◆ Once internal users protected by the firewall make mistakes, network attackers can use those internal users to initiate outbound connections, thereby evading the firewall's security controls;

(5) Firewall effectiveness is limited by security rules:

◆ The effectiveness of the firewall depends on its security rules being kept up to date;

Firewall development:

(1) Firewall control granularity is continuously refined:

◆ The control rules extend from the previous IP packet address information to the content of the IP packet;
   

(2) Inspection and security functions are continuously enhanced:

◆ Inspection of IP packet content is becoming more and more detailed, and DPI (Deep Packet Inspection) is now used in firewalls;

(3) Product classification is more refined:

◆ Special-purpose firewall devices appear to meet the customized security requirements of the objects being protected, such as industrial control firewalls, Web firewalls, database/data firewalls, etc.;

(4) Intelligent enhancement:

◆ Through the application of network security big data and artificial intelligence technology, firewall rules can be updated intelligently;

Firewall types and implementation technologies:

◆ According to the firewall implementation technology and protection objects, common firewall types can be divided into packet filtering firewalls, proxy firewalls, next-generation firewalls, Web application firewalls, database firewalls, and industrial control firewalls. Firewall implementation technologies mainly include packet filtering, stateful inspection, application service proxy, network address translation, protocol analysis, deep packet inspection, etc.;

(1) Packet filtering:

◆ Packet filtering is a firewall technology implemented at the IP layer. Packet filtering determines whether to allow the packet to pass based on the packet's source IP address, destination IP address, source port, destination port and packet transmission direction and other header information ;
  
◆ The typical representation of a filtering rule consists of three parts: "rule number, matching condition, and matching operation";

◆ There are three matching operations: reject, forward, and audit;

◆ Matching conditions: source IP address, destination IP address, source port number, destination port number, protocol type (UDP, TCP, ICMP), communication direction, and rule operator;
◆ Advantages of packet filtering firewall technology: low load, high pass rate, transparent to users;
   
◆ Weaknesses of packet filtering technology: it cannot filter at the user level, for example it cannot distinguish different users or prevent IP address spoofing (address theft). If an attacker sets the IP address of his host to that of a legitimate host, his packets can easily pass through the packet filter;
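The following is an added example, not code from the original post: a minimal first-match packet filter in the "rule number, matching condition, matching operation" format described above, supporting both the whitelist (default reject) and blacklist (default forward) policies from the overview. The rule set, the DMZ address 192.0.2.10, the internal range 10.0.0.0/8 and the sample packets are constructed for illustration; the treatment of "audit" as record-and-continue is an assumption. Rule 5 shows the usual defensive answer to the spoofing weakness just mentioned: an ingress rule that rejects packets arriving from outside with an internal source address, placed first so that no later forward rule can match them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at (constructed for this example)."""
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: Optional[int]    # None for protocols without ports (icmp)
    dport: Optional[int]
    direction: str          # "in" (external -> internal) or "out"


@dataclass(frozen=True)
class Rule:
    """One filtering rule: number, matching condition, matching operation."""
    number: int
    action: str                     # "forward", "reject" or "audit"
    src: str = "0.0.0.0/0"          # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: Optional[int] = None     # None matches any port
    dport: Optional[int] = None
    direction: str = "any"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.direction in ("any", p.direction))


class PacketFilter:
    def __init__(self, rules: List[Rule], policy: str = "whitelist"):
        # Rules are checked in ascending rule-number order; the first
        # forward/reject rule that matches decides the packet.
        self.rules = sorted(rules, key=lambda r: r.number)
        # whitelist: anything not explicitly forwarded is rejected;
        # blacklist: anything not explicitly rejected is forwarded.
        self.default = "reject" if policy == "whitelist" else "forward"
        self.audit_log: List[Tuple[int, Packet]] = []

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                if r.action == "audit":
                    # Assumption: an audit rule records the packet and
                    # evaluation continues with the next rule.
                    self.audit_log.append((r.number, p))
                    continue
                return r.action
        return self.default


def build_filter(policy: str = "whitelist") -> PacketFilter:
    """Constructed rule set protecting a DMZ web server at 192.0.2.10."""
    return PacketFilter([
        # Ingress anti-spoofing: a packet arriving from outside must not
        # claim an internal source address; ordered first on purpose.
        Rule(5, "reject", src="10.0.0.0/8", direction="in"),
        Rule(10, "audit", proto="tcp", dport=22, direction="in"),
        Rule(20, "forward", dst="192.0.2.10/32", proto="tcp", dport=443, direction="in"),
        Rule(30, "forward", src="10.0.0.0/8", direction="out"),
    ], policy)


def sample_decisions(policy: str = "whitelist") -> dict:
    """Run four constructed packets through the filter and report the decisions."""
    fw = build_filter(policy)
    https = Packet("203.0.113.5", "192.0.2.10", "tcp", 51000, 443, "in")
    ssh = Packet("203.0.113.5", "192.0.2.10", "tcp", 51001, 22, "in")
    spoofed = Packet("10.1.2.3", "192.0.2.10", "tcp", 51002, 443, "in")
    out = Packet("10.0.0.7", "198.51.100.9", "udp", 5353, 53, "out")
    return {
        "https": fw.decide(https),
        "ssh": fw.decide(ssh),            # audited, then falls to the default policy
        "spoofed": fw.decide(spoofed),
        "outbound": fw.decide(out),
        "audited": len(fw.audit_log),
    }
```

Under the whitelist policy the SSH packet is audited and then rejected by default; under the blacklist policy the same packet is forwarded, which is exactly the difference between the two policies described in the overview. The spoofed packet is rejected under both, because rule 5 matches before rule 20 does.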

(2) Stateful inspection technology:

◆ State-based firewalls implement network access control by using the state information of TCP sessions and UDP "pseudo" sessions. A firewall using stateful inspection first establishes and maintains a session table. When a TCP connection or UDP flow complies with the defined security policy, the firewall creates a session entry for it; packets associated with that session are then checked against the session table entry, and only packets that pass this check are allowed through the firewall;

◆ The main steps in how a stateful firewall processes a packet are as follows:

▶  The packet is received;

▶  Check the validity of the packet; if it is invalid, drop the packet and audit it;

▶  Look up the session table; if an entry is found, further check the packet's sequence number and session state. If valid, perform address translation and routing and forward the packet; otherwise, discard the packet and audit;

▶  When the session table has no entry for the newly arrived packet, search the policy table. If the packet matches the policy table, add a session entry to the session table, perform address translation and routing, and forward the packet; otherwise, discard the packet and audit;
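The following is an added example, not code from the original post: a simplified stateful inspection engine that follows the four processing steps listed above (receive, validate, session-table lookup with state and sequence check, policy-table lookup and session creation). The packet fields, the policy table, the TCP state handling (a session begins with SYN, is completed only by the responder's SYN-ACK) and the fixed sequence acceptance window are constructed assumptions; address translation and routing are left out so the step structure stays visible. The sample traffic also exercises the two failure modes the text names: a packet whose sequence number is outside the session's window, and an unsolicited inbound packet for which no session exists.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

WINDOW = 65535  # simplified acceptance window for TCP sequence numbers
Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""   # TCP flags as letters: S, A, F, R, P
    seq: int = 0


@dataclass
class Session:
    initiator: Endpoint
    state: str                                                  # SYN_SENT, ESTABLISHED or UDP
    expected: Dict[Endpoint, int] = field(default_factory=dict)  # next seq per sender (tcp only)


@dataclass(frozen=True)
class PolicyEntry:
    src: str          # CIDR
    dst: str          # CIDR
    proto: str
    dport: int
    action: str       # "allow" or "deny"


class StatefulFirewall:
    def __init__(self, policy: List[PolicyEntry]):
        self.policy = policy
        self.sessions: Dict[tuple, Session] = {}
        self.audit: List[Tuple[str, Packet]] = []

    @staticmethod
    def key(p: Packet) -> tuple:
        # Both directions of a flow map to the same session entry.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    @staticmethod
    def valid(p: Packet) -> bool:
        # Step 2: sanity checks on the packet itself.
        if p.proto not in ("tcp", "udp"):
            return False
        if not (0 < p.sport < 65536 and 0 < p.dport < 65536):
            return False
        if p.proto == "tcp" and (not p.flags or set(p.flags) - set("SAFRP")):
            return False
        return True

    def policy_allows(self, p: Packet) -> bool:
        for e in self.policy:  # first match wins, default deny
            if (ip_address(p.src) in ip_network(e.src)
                    and ip_address(p.dst) in ip_network(e.dst)
                    and e.proto == p.proto and e.dport == p.dport):
                return e.action == "allow"
        return False

    @staticmethod
    def check_session(s: Session, p: Packet) -> bool:
        # Step 3: the packet must fit the session's state and sequence window.
        if p.proto == "udp":
            return True  # pseudo-session: any packet of the flow is accepted
        sender = (p.src, p.sport)
        exp = s.expected.get(sender)
        if exp is not None and not (exp <= p.seq < exp + WINDOW):
            return False
        if s.state == "SYN_SENT":
            # Only the responder's SYN-ACK may complete the handshake.
            if sender == s.initiator or p.flags != "SA":
                return False
            s.state = "ESTABLISHED"
        elif "S" in p.flags:
            return False  # a fresh SYN inside an open session is not valid
        s.expected[sender] = p.seq + 1  # simplified: ignores payload length
        return True

    def process(self, p: Packet) -> str:
        # Step 1: packet received.
        if not self.valid(p):
            self.audit.append(("invalid", p))
            return "drop"
        s = self.sessions.get(self.key(p))
        if s is not None:                          # session table hit
            if self.check_session(s, p):
                return "forward"
            self.audit.append(("bad-state", p))
            return "drop"
        # Step 4: no session entry, so consult the policy table.
        if p.proto == "tcp" and p.flags != "S":
            self.audit.append(("no-session", p))   # a TCP flow must start with SYN
            return "drop"
        if not self.policy_allows(p):
            self.audit.append(("policy-deny", p))
            return "drop"
        state = "SYN_SENT" if p.proto == "tcp" else "UDP"
        expected = {(p.src, p.sport): p.seq + 1} if p.proto == "tcp" else {}
        self.sessions[self.key(p)] = Session((p.src, p.sport), state, expected)
        return "forward"


def run_scenario() -> List[str]:
    """Constructed traffic: an outbound HTTPS session, a DNS query and some
    packets that should be dropped. Returns the decision for each packet."""
    fw = StatefulFirewall([
        PolicyEntry("10.0.0.0/8", "0.0.0.0/0", "tcp", 443, "allow"),
        PolicyEntry("10.0.0.0/8", "0.0.0.0/0", "udp", 53, "allow"),
    ])
    packets = [
        Packet("10.0.0.5", "203.0.113.20", "tcp", 40000, 443, "S", 1000),    # client SYN
        Packet("203.0.113.20", "10.0.0.5", "tcp", 443, 40000, "SA", 5000),   # server SYN-ACK
        Packet("10.0.0.5", "203.0.113.20", "tcp", 40000, 443, "A", 1001),    # handshake ACK
        Packet("203.0.113.20", "10.0.0.5", "tcp", 443, 40000, "A", 900000),  # seq outside window
        Packet("198.51.100.7", "10.0.0.5", "tcp", 1234, 22, "S", 1),         # inbound SYN, no policy
        Packet("198.51.100.7", "10.0.0.5", "tcp", 1234, 40000, "A", 1),      # inbound ACK, no session
        Packet("10.0.0.5", "10.0.0.1", "udp", 5353, 53),                     # DNS query
        Packet("10.0.0.1", "10.0.0.5", "udp", 53, 5353),                     # DNS reply via pseudo-session
        Packet("10.0.0.5", "203.0.113.20", "tcp", 0, 443, "S"),              # invalid source port
    ]
    return [fw.process(p) for p in packets]
```

The fw.audit list records why each dropped packet was dropped ("invalid", "bad-state", "no-session" or "policy-deny"), which is the audit step the text calls for at each drop point.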

(3) Application service proxy:

◆ The application service proxy firewall plays the role of " middleman " in the network communication connection between the internal network host of the protected network and the external network host. The proxy firewall sends service requests to the external network on behalf of the protected network host and responds to the external service request. Results are returned to the host on the protected network ;

◆   A firewall that uses proxy service technology is referred to as a proxy server ;

◆ When protected internal users access the external network, they first need to be approved by the proxy server before they can make requests to the outside. Users on the external network can only see the proxy server, which hides the internal structure of the protected network and the identity and computer information of its users. Therefore, proxy servers can improve the security of network systems.

◆ The main advantages of application service proxy technology are:
▶  Does not allow external hosts to directly access internal hosts ;
▶  Supports multiple user authentication schemes ;
▶  Can analyze the application commands inside the data packet ;
▶  Detailed audit records can be provided ;
  
◆ The disadvantages of application service proxy technology are:
▶  The speed is slower than packet filtering ;
▶  Not transparent to users ;
▶  Associated with specific application protocols, proxy servers cannot support all network protocols ;

(4) Network Address Translation Technology (NAT):

◆ NAT stands for "Network Address Translation". NAT technology emerged mainly to solve the shortage of public addresses: it alleviates the contradiction between the small number of Internet IP addresses and the large number of hosts;

◆ A firewall based on NAT technology is configured with a set of legal public IP addresses. When an internal user accesses the external network, the firewall dynamically selects an unassigned address from the set and assigns it to the user, who can then use this legal IP address for communication;
  
◆   The main ways to implement network address translation are:
  
▶ Static NAT: Each host in the internal network is permanently mapped to a legal address in the external network;
  
▶ NAT pool: Configure a legal address set in the external network and map it to the internal network using dynamic allocation;
  
▶ Port NAT (PAT): internal addresses are mapped to different ports of a single IP address on the external network;
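The following is an added example, not code from the original post: one translation table that can operate in each of the three modes listed above (static NAT, NAT pool with dynamic allocation, and PAT). The public address ranges, the internal hosts and the starting PAT port are constructed. It also shows the behaviour that makes NAT useful as a boundary control: an inbound packet for which no translation entry exists has nowhere to go and is dropped, and a pool that has run out of legal addresses refuses new outbound flows.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatFirewall:
    """Translates between internal addresses and a set of legal public
    addresses; mode is "static", "pool" or "pat"."""

    def __init__(self, mode: str, public_addrs: List[str],
                 static_map: Optional[Dict[str, str]] = None):
        self.mode = mode
        self.free = list(public_addrs)             # unassigned legal addresses
        self.static = dict(static_map or {})       # internal ip -> public ip (static mode)
        self.host_addr: Dict[str, str] = {}        # pool mode: internal ip -> assigned public ip
        self.fwd: Dict[Endpoint, Endpoint] = {}    # (internal ip, port) -> (public ip, port)
        self.rev: Dict[Endpoint, Endpoint] = {}    # reverse of fwd, used for inbound packets
        self.next_port = 40000                     # PAT: next free port on the shared address

    def _public_for(self, p: Packet) -> Optional[Endpoint]:
        if self.mode == "static":
            pub = self.static.get(p.src)
            return None if pub is None else (pub, p.sport)
        if self.mode == "pool":
            if p.src not in self.host_addr:
                if not self.free:
                    return None                    # pool exhausted
                self.host_addr[p.src] = self.free.pop(0)
            return (self.host_addr[p.src], p.sport)
        # PAT: every internal (ip, port) pair gets its own port on one public address
        mapped = (self.free[0], self.next_port)
        self.next_port += 1
        return mapped

    def outbound(self, p: Packet) -> Optional[Packet]:
        key = (p.src, p.sport)
        if key not in self.fwd:
            mapped = self._public_for(p)
            if mapped is None:
                return None                        # no legal address available: drop
            self.fwd[key] = mapped
            self.rev[mapped] = key
        pub, port = self.fwd[key]
        return Packet(pub, p.dst, port, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        key = (p.dst, p.dport)
        if key not in self.rev:
            return None                            # no translation entry: unsolicited, dropped
        ip, port = self.rev[key]
        return Packet(p.src, ip, p.sport, port)


def demo() -> dict:
    """Constructed flows through each NAT mode; returns the translated packets."""
    out = {}
    static = NatFirewall("static", [], {"10.0.0.10": "203.0.113.10"})
    out["static"] = static.outbound(Packet("10.0.0.10", "198.51.100.1", 5000, 80))
    out["static_unmapped"] = static.outbound(Packet("10.0.0.11", "198.51.100.1", 5000, 80))

    pool = NatFirewall("pool", ["203.0.113.20", "203.0.113.21"])
    out["pool"] = [pool.outbound(Packet(h, "198.51.100.1", 5000, 80))
                   for h in ("10.0.0.1", "10.0.0.2", "10.0.0.3")]  # third host finds the pool empty

    pat = NatFirewall("pat", ["203.0.113.30"])
    a = pat.outbound(Packet("10.0.0.1", "198.51.100.1", 5000, 80))
    b = pat.outbound(Packet("10.0.0.2", "198.51.100.1", 5000, 80))  # same source port, different public port
    out["pat"] = [a, b]
    out["pat_reply"] = pat.inbound(Packet("198.51.100.1", b.src, 80, b.sport))
    out["pat_unsolicited"] = pat.inbound(Packet("198.51.100.1", "203.0.113.30", 80, 40999))
    return out
```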

(5) Web firewall technology:

◆ Web application firewall is a network security mechanism used to protect Web servers and Web applications .
  
◆ Technical principle: According to the predefined filtering rules and security protection rules , HTTP protocol and content filtering is performed on all HTTP requests and server responses that access the Web server, thereby providing security protection functions for the Web server and Web applications;
  
◆ Typical attacks that Web application firewalls can resist: mainly SQL injection attacks, XSS cross-site scripting attacks, Web application scanning, Webshells, Cookie injection attacks, CSRF attacks, etc.;
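The following is an added example, not code from the original post: a small Web application firewall filter of the kind the technical principle above describes, which parses an HTTP request into its path, query parameters, headers and form fields, decodes percent-encoding until the value is stable (so a double-encoded payload is inspected in its final form), and matches each field against a rule set; it also inspects server responses for database error messages that would leak information. The rule signatures and the sample requests are constructed and deliberately minimal, and the field naming scheme ("query:id", "body:text") is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit


@dataclass(frozen=True)
class WafRule:
    name: str
    pattern: re.Pattern
    where: str                    # "request" or "response"


# Constructed, deliberately small signature set; a real WAF ships thousands.
RULES = [
    WafRule("sqli-tautology", re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"), "request"),
    WafRule("sqli-union", re.compile(r"(?i)\bunion\b[\s\S]{0,40}\bselect\b"), "request"),
    WafRule("xss-script", re.compile(r"(?i)<\s*script\b|javascript:"), "request"),
    WafRule("path-traversal", re.compile(r"\.\.[/\\]"), "request"),
    WafRule("db-error-leak", re.compile(r"(?i)error in your sql syntax|ORA-\d{5}"), "response"),
]


def normalize(value: str) -> str:
    """Decode percent-encoding until stable (at most 3 rounds)."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 request into (field name, decoded value) pairs."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    url = urlsplit(target)
    fields = [("method", method), ("path", normalize(url.path))]
    fields += [(f"query:{k}", normalize(v))
               for k, v in parse_qsl(url.query, keep_blank_values=True)]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
            fields.append((f"header:{k.strip().lower()}", normalize(v.strip())))
    if body:
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields += [(f"body:{k}", normalize(v))
                       for k, v in parse_qsl(body, keep_blank_values=True)]
        else:
            fields.append(("body", normalize(body)))
    return fields


def inspect_request(raw: str) -> Tuple[str, Optional[str]]:
    """("block", "<rule>@<field>") on the first matching rule, else ("allow", None)."""
    for name, value in parse_request(raw):
        for rule in RULES:
            if rule.where == "request" and rule.pattern.search(value):
                return ("block", f"{rule.name}@{name}")
    return ("allow", None)


def inspect_response(body: str) -> Tuple[str, Optional[str]]:
    """Block responses that would leak database error details to the client."""
    for rule in RULES:
        if rule.where == "response" and rule.pattern.search(body):
            return ("block", rule.name)
    return ("allow", None)


# Constructed sample requests (host name and paths are fictional).
SAMPLE_REQUESTS = {
    "normal": "GET /products?id=5 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": "GET /products?id=5%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli_double_encoded": "GET /products?id=5%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1\r\n"
                           "Host: shop.example\r\n\r\n",
    "traversal": "GET /download?file=..%2F..%2Fconfig.ini HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss_post": ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "text=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"),
}


def run_samples() -> dict:
    """Decision for each constructed sample request."""
    return {name: inspect_request(raw) for name, raw in SAMPLE_REQUESTS.items()}
```

The returned rule@field string is what a practitioner wants in the WAF log: which signature fired and on which part of the request, so false positives can be tuned per field rather than by disabling the whole rule.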

(6) Database firewall technology:

◆ Database firewall is a network security mechanism used to protect database servers;

◆ Main technical principles: based on in-depth analysis of the database communication protocol and on virtual patching, secure access control is applied to database access operations and communications according to security rules, to prevent the database system from being attacked;

◆ In-depth analysis of database communication protocols: information such as "source address, destination address, source port, destination port, SQL statement" can be obtained from the application packets that access the database server; risky database behaviour is then monitored on the basis of this information and the security rules, so that illegal SQL operations can be blocked or interrupted and legal SQL operations allowed to execute;

◆ Virtual patch technology: by creating a security barrier layer outside the database, it monitors all database activity and blocks suspicious sessions and operations or isolates users, preventing database vulnerabilities from being exploited; there is therefore no need to apply the database vendor's patches or stop services in order to protect the database.

(7) Industrial control firewall technology:

◆ A dedicated firewall for industrial control systems, referred to as an industrial control firewall, is a network security mechanism used to protect industrial equipment and systems;
  
◆ Main technical principles: through in-depth analysis of industrial control protocols, monitor requests and responses to access industrial control equipment, prevent malicious attacks on industrial control equipment , and achieve safe isolation of industrial control networks and security protection of industrial control on-site operations;
   
◆ Industrial control firewalls are different from traditional network firewalls. Industrial control firewalls focus on analyzing industrial control protocols , including Modbus TCP protocol, IEC 61850 protocol, OPC protocol, Ethernet/IP protocol and DNP3 protocol, etc. At the same time, industrial control firewalls must adapt to the harsh environment of industrial sites and high real-time industrial control operation requirements ;

(8) Next-generation firewall technology:

◆ Compared with traditional network firewalls, next-generation firewalls not only integrate the packet filtering, stateful inspection, address translation and other functions of traditional firewalls, but also provide application identification and control, can respond to the evolution of security threats, detect hidden network activity, respond dynamically and quickly to attacks, support unified security policy deployment and intelligent security management, and offer other new functions;
   

▶  Application identification and control : It does not rely on ports. Through in-depth content analysis of network data packets, it achieves accurate identification of application layer protocols and applications, provides application-level function control, and supports application security protection;

▶  Intrusion Prevention (IPS) : Able to detect and protect against attacks based on vulnerability characteristics, such as SQL injection attacks;
   
▶  Data leakage prevention : Identify and filter transmitted files and content, accurately identify the true types of common files, such as Word, Excel, PPT, PDF, etc., and filter sensitive content;
  
▶  Malicious code protection : Using reputation-based malicious detection technology, it can identify malicious files and websites. A Web reputation database is built by conducting threat analysis and reputation rating on Internet website resources (IP, URL, domain name, etc.); website resources containing malicious code are listed in the Web reputation database, and content filtering technology is then used to prevent users from accessing websites with a bad reputation, achieving intelligent protection of end-user security;
▶  URL classification and filtering : Build a URL classification library containing different types of URL information (such as bad remarks, online "phishing", forum chats, etc.) to identify and filter websites unrelated to work, bad information, and high-risk websites accurately and efficiently;
▶  Bandwidth management and QoS optimization : Through intelligent identification of business applications, effectively manage the bandwidth used by network users/IPs, guarantee bandwidth for key business and key users, and optimize the use of network resources;
▶  Encrypted communication analysis : Monitor and analyze encrypted network traffic such as SSL and SSH through techniques such as man-in-the-middle proxying and redirection;

(9) Common key technologies for firewalls:

◆ Deep packet inspection:

▶ Deep Packet Inspection (DPI) is a technical method used to inspect and analyze the data content and header information of the packet . Traditional inspection only targets the header information of the packet , while DPI inspects the data content of the packet and conducts in-depth application layer analysis;
  
▶ DPI needs to continuously update and maintain in-depth inspection strategies to ensure that the firewall continues to be effective;
▶ Regarding DPI's own security issues: privacy protection technology limits DPI's detection capabilities, and searching and matching encrypted data is a technical difficulty for DPI. DPI has to process the data content of each packet, which significantly increases the firewall's processing load and directly affects network transmission speed;

◆ Operating system:

▶  The operation of the firewall depends on the operating system, and the security of the operating system directly affects the security of the firewall itself ;
   
◆ Network protocol analysis:
   
▶ The firewall obtains the packets in the network, and then uses protocol analysis technology to extract the packet information, and then implements security policy inspection and subsequent packet processing;

Main firewall products and technical indicators:

◆ Firewall is a mainstream network security product. According to application scenarios, firewall product types include network firewalls, web firewalls, database firewalls, host firewalls, industrial control firewalls, next-generation firewalls, and home firewalls ;

(1) Main firewall products:

◆ Firewalls are a widely used network security product; product forms include hardware appliances and software. The main form of commercial products is the physical hardware appliance, with the security function software integrated into it;
    
◆   Network firewall : Deployed between different security domains, it parses and filters the data flow passing through the firewall, and is a network security product with network layer access control and filtering functions;
   
◆   Web application firewall : performs HTTP protocol and content filtering on all HTTP requests and server responses that access the Web server;
   
◆   Database firewall : Based on database protocol analysis and control technology, it is a network security product that can control access behavior to the database and block dangerous operations;
  
◆   Host firewall : a network security product deployed on terminal computers to monitor and control network-level data flows and application access;
  
◆   Industrial control firewall : Deployed in an industrial control environment, based on in-depth analysis and control technology of industrial control protocols;
   
◆   Next-generation firewall : Deployed between different security domains, it parses and filters data flows passing through the firewall, and integrates multiple security functions such as application identification and control, malicious code protection, intrusion prevention, and event correlation;
   
◆   Home firewall : The product feature of the home firewall is that the firewall function module is integrated in the smart router, and it is a network security product with functions such as IP address control, MAC address restriction, bad information filtering control, network fraud prevention, and smart home protection;

(2) Main technical indicators of firewall:

◆ Firewall evaluation indicators can be divided into four categories , namely security function requirements, performance requirements, security assurance requirements, and environmental adaptability requirements ;


Firewall defense architecture types:

◆ The firewall defense architectures mainly include: the dual-homed host firewall, the proxy-based firewall, and the shielded-subnet-based firewall;

(1) Dual-homed host firewall structure:

◆ The dual-homed host structure is the most basic firewall structure. This system is essentially a host system with at least two network interface cards. In this structure, an internal network and an external network are generally connected to different network cards, so that the internal and external networks cannot communicate directly .

(2) Proxy-based firewall structure:

◆   In the proxy structure, a host is connected to the external network, and the host acts as an agent for communication between the internal network and the external network ;
◆   The proxy structure also uses router filtering, and the proxy server and router jointly build a network security boundary defense architecture ;

◆ Generally, filtering routers can be configured according to the following rules :

▶ Allow other internal hosts to establish direct connections to the external network for certain types of service requests ;
   
▶ Any host on the external network can only establish a connection with the proxy host on the internal network ;
   
▶ Any operation by an external system on the internal network must go through the proxy host ;
  
◆ The main disadvantage of the proxy structure: once an attacker manages to break through the proxy host, there is no further obstacle between the attacker and the entire internal network. The attacker becomes a legitimate internal user and can listen to all information on the internal network;

(3) Firewall structure based on shielded subnets:

◆ The shielded subnet structure is a security mechanism that adds a layer of peripheral network to the proxy structure, so that there are two layers of isolation zones between the internal network and the external network. The perimeter network isolates the bastion host from the internal network, reducing the impact of attackers on the internal network when they breach the bastion host. Even if the attacker breaks through the bastion host, he cannot intercept the information of the internal network and cannot directly operate the internal network;
   
◆ The characteristics of the firewall structure based on shielded subnets are as follows:

▶  The application proxy is located in the shielded subnet, and the servers exposed to the internal network are also placed in the shielded subnet. The external network can only access the shielded subnet and cannot directly enter the internal network;

▶  The functions and configurations of the two packet filtering routers differ. Packet filtering router A filters access from the external network to the shielded subnet, and packet filtering router B filters access from the shielded subnet to the internal network. All access from the external network to the internal network via the shielded subnet must be inspected and authenticated by the application proxy server;
  
◆   Advantages : Highest security level ;
◆   Disadvantages : high cost, complex configuration ;

Firewall technology applications:

(1) Firewall application scenario types:

◆   Internet protection : Use the access control and content filtering functions of the firewall to protect the security of the intranet and Internet computers, prevent Internet hackers from directly attacking the internal network, filter malicious network traffic, and cut off access to bad information;
    
◆   Website protection : Proxy all requests from Internet clients to the Web server through the Web application firewall, clean abnormal traffic, and effectively control various security threats to government website applications;
   
◆   Data protection : Deploy firewalls at the boundaries of protected data areas to perform security checks on all requests and responses from database servers or data storage devices, filter malicious operations, and prevent data from being threatened;
  
◆   Network boundary protection : Deploy firewalls between security domains, use firewalls for access control, limit network communications between different security domains, and reduce sources of security domain risks;
  
◆   Terminal protection : install a firewall on the terminal equipment and use it to block bad websites, preventing the terminal equipment from being compromised;
  
◆   Network security emergency response : Use firewalls to block malicious attack sources and network communications, filter malicious traffic, and prevent the expansion of the impact of network security incidents;

(2) Basic firewall deployment method:

Step 1: Divide the network into several security areas according to the security policy requirements of the organization or company ;
   
Step 2: Set up access control points for network communications between security zones ;
   
Step 3: According to the communication service requirements of different access control points, formulate corresponding boundary security policies ;
   
Step 4: Based on the boundary security policy of the control point , adopt appropriate firewall technology and prevention structure;
   
Step 5: On the firewall, configure and implement the corresponding network security policy ;
   
Step 6: Test and verify whether the boundary security policy is executed normally ;
   
Step 7: Run and maintain the firewall;
Study books: Information security engineer tutorial... 

Origin blog.csdn.net/weixin_54977781/article/details/132219236