The increasing popularity of the Internet, browse the Internet access not only to increase data transmission capacity, the network was the possibility of increased attacks, but also because of the open Internet, network security the way there have been fundamental changes in security issues more complicated . The traditional emphasis on a unified and centralized network security management and control can be taken by encryption, authentication, access control, audit logs, as well as many other technical means, and the implementation of their communications by the two sides together; because the Internet is an open global network , The complex structure of the network, the security ways. Internet security technologies involved in traditional network security technology and distributed network security technology, and is mainly used to resolve how to use the Internet for communications security, while protecting the internal network from external attacks. Under such circumstances, the firewall technology came into being. Firewall technology based on the precautionary approach and the focus is divided into many different types, but the whole package can be divided into the filter, application-level gateway and proxy servers, such as several types.
1. Packet-filtering firewall
Packet filter (Packet Filtering) technology in the network layer packets to choose, the choice is based on the system set up to filter logic, known as Access Control List (Access Control Table). By examining the flow of data in each packet source address, destination address, port number used, such as the status of the agreement, or a combination of them to determine whether to allow the packets through. Packet filtering firewall logic simple, cheap, easy to install and use, network performance and transparency, it is usually installed on the router. Router is the internal network and Internet connection are essential equipment in the existing network firewall to increase this kind of almost do not need any additional costs. Packet filtering firewall there are two drawbacks: First, once the illegal visit to a breakthrough firewall can be host of software and configuration vulnerabilities to attack; Second, the packet source address, destination address, as well as the IP port number in the packet Head, is likely to be counterfeit or eavesdropping. Packet filtering or packet filtering is a common, cheap and effective means of security. The reason why GM, as it is not targeted at any specific network services to take special treatment; was cheap, since most routers offer packet filtering; was effective because it can to a large extent to meet the Safety requirements. According to the information derived from IP, TCP or UDP header. Packet filtering is not the merits of changes to the client and host applications, as it work in the network layer and transport layer, has nothing to do with the application layer. But its weakness is obvious: It is the only judge to filter network layer and transport layer of the limited information, a variety of safety requirements and therefore can not be fully satisfied; in many filters, the number of filter rules is limited, and with the The increase in the number of rules, the performance will be greatly affected; e to the lack of context-related information, can not effectively filter such as UDP, RPC for a class of the agreement; In addition, most of the filters in the lack of audit and alarm mechanisms, and management and user interface Poor; the security requirements of high-quality managers, the establishment of safety rules, it is important to the agreement itself and its various applications in the role of a more profound understanding. As a result, the filter is usually used in conjunction with gateway and application of common components of a firewall system.
2. Application-level gateway firewall
Application-level Gateway (Application Level Gateways) in the network application layer protocol on the establishment of filtering and forwarding functions. Its application-specific network services agreement specified the use of the data filtering logic and filtering, packets of the necessary analysis of registration and statistics, the formation of the report. The actual application is usually installed in the gateway dedicated system workstations. Packet filtering and application gateway firewall have a common characteristic is that they rely on only a specific logic to determine whether or not allowed through the packet. Once the logic meet, both within and outside the firewall computer system to establish direct contacts, the external firewall may direct the user to understand the firewall's internal network structure and operation of the state, which is concive to the implementation of unauthorized access and attacks.
3. Firewall-agency services
Agency services (Proxy Service), also known as link-level gateway or TCP channel (Circuit Level Gateways or TCP Tunnels), it was also attributable to a class of application-level gateway. It is for packet filtering and application gateway technology shortcomings and the introction of firewall technology, characterized by a firewall across all network communication link is divided into two sections. Computer systems inside and outside the firewall between the application layer of the "link", by the termination of the two proxy server on the "link" to achieve internal and external computer
Web links can only reach the proxy server, which has played an isolated computer systems inside and outside the firewall. In addition, the agency services in the past also the packet analysis, the registration form of the report, at the same time when the attack was discovered signs will alert to the network administrator, and retain traces of the attack. Application-based firewall is the agent intranet and extranet isolation, surveillance and isolation plays an application layer traffic. At the same time, often combined into the filter. It's the work of the OSI model at the highest level, holds the applications can be used in all of the information security decision-making.
4. Composite firewall
As a result of higher security requirements, often based on packet filtering method and application of agent-based approach, so as to form a complex firewall procts. This is usually combined with the following two programs. Shielding host firewall architecture: the structure, or router packet filtering firewall connected with the Internet and at the same time a bastion of machines are installed on the internal network through a router or a packet filtering firewall filtering rules set up so that the fortress Machine on the Internet become the other nodes can only reach the nodes, which ensured that the internal network from unauthorized users outside of the attack. Subnet mask firewall architecture: a fortress on a sub-machine network, the formation of the demilitarized zone, division of the two sub-filtering routers on the network at both ends so that the subnet and the Internet and internal networks Separation. Subnet mask in the firewall architecture, the bastion host and packet filtering routers together form the basis for the safety of a firewall as a whole.
本文如未解决您的问题请添加抖音号:51dongshi(抖音搜索懂视),直接咨询即可。
热心网友
回答时间:2022-04-14 17:52
