On the classification and application of firewalls



With the rapid development of computer network technology, network security problems have become increasingly prominent for every kind of user. According to information available to the author, nearly 20% of Internet users have by now been troubled by hackers. Although hackers are this rampant, network security still fails to attract much attention: most users believe their own security problems are nowhere near that point, which can be seen from the fact that about 40% of users, enterprise users in particular, have not installed a firewall. And the facts show that most hacking incidents were triggered by the failure to install a firewall properly.
The concept and role of the firewall

The word "firewall" originally meant a wall that people in ancient times built between houses so that a fire could not spread from one house to the next. The firewall discussed here is of course not a physical wall but a defensive system that isolates a local network from external networks; it is the general term for this class of preventive measure. On the Internet the firewall is a very effective network security model: it allows a risk zone (the Internet, or some part of a network) and a security zone (the LAN) to be connected without preventing people in the security zone from reaching the risk zone. A firewall can monitor network traffic and so accomplish what seems impossible: admit only safe, approved traffic while keeping out traffic that threatens the enterprise's data. As security problems become more common, mistakes and weaknesses come not only from sophisticated network intrusions but also from low-level errors such as bad configuration or poorly chosen passwords. A firewall therefore blocks unwanted and unauthorized communication into and out of the protected network, and forces an organization to strengthen its own network security policy. In general a firewall serves the following purposes: first, to restrict access to the internal network by filtering out unsafe services and unauthorized users; second, to keep intruders away from the other defensive facilities; third, to restrict users to specific sites; and fourth, to make monitoring of Internet security convenient. Because the firewall takes responsibility for the network perimeter and its services, it is best suited to self-contained networks such as a relatively concentrated intranet. Using a firewall to control access to network systems is becoming a very popular approach.
In fact, more than a third of the Web sites on the Internet are protected by some form of firewall. This is the most serious and strongest defence against hackers, and any server holding material of value should be placed behind one.

Firewall architecture and how it works

A network firewall lets users plan access permissions more clearly and comprehensively, and prevents privilege crossing (for some people, the first thing to try after logging in is to exceed their authority). Without a firewall you may receive many reports like these: internal financial mailboxes bombarded with tens of thousands of junk e-mail messages, or a user's personal home page maliciously relinked to Playboy, with that link in turn pointing to yet another pornographic site. A complete firewall system usually consists of screening routers and proxy servers. A screening router is a multi-port IP router that inspects each incoming IP packet against a set of rules to decide whether to forward it. The router takes its information from the packet header, such as the protocol number, the source and destination IP addresses and port numbers, the connection flags and even some of the other IP options, and filters IP packets accordingly. A proxy server is a server process running on the firewall that performs specific TCP/IP functions on behalf of network users. It is essentially an application-layer gateway, a gateway that connects two networks for a specific network application. A user of a TCP/IP application such as Telnet or FTP talks to the proxy server, and the proxy server asks for the name of the remote host the user wants to reach. Once the user supplies a correct answer together with valid identity and authentication information, the proxy server connects to the remote host and acts as a relay between the two communication endpoints. The whole process can be completely transparent to the user. Supplying identity and authentication information is user-level authentication. In the simplest case this is a user ID and a password; but if the firewall is reachable from the Internet, a stronger authentication mechanism, such as one-time passwords or a challenge-response system, is recommended.

The greatest advantages of the screening router are its simple hardware and low cost. Its disadvantages are that packet filtering rules are hard to set up, that the cost of managing the router is added on, and that it lacks user-level authentication. Fortunately router manufacturers have recognized these problems and begun to address them: they are developing graphical user interfaces for editing packet filter rules, and standard protocols for user-level authentication such as Remote Authentication Dial In User Service (RADIUS).

The proxy server has the advantages of user-level authentication, logging and account management. Its disadvantage follows from the fact that, to provide comprehensive security, a corresponding application-layer gateway has to be built for each service. This severely limits the adoption of new applications.

Screening routers and proxy servers are usually combined into hybrid systems, in which the screening router's main job is to block IP spoofing attacks. The most widely used configurations at present are the dual-homed gateway, the screened host gateway and the screened subnet. Setting up a firewall usually requires an investment of several thousand or even far more, and the firewall must run on a separate computer, so for a user with a single computer connected to the Internet a firewall is unnecessary and, in terms of cost alone, not worth it. From today's perspective the focus of firewalls remains the protection of large computer networks made up of many machines, which are what really interest hackers. A firewall can be a very simple filter or a carefully configured gateway, but the principle is the same: it monitors and filters all traffic leaving for and arriving from the external network, protects sensitive internal data from theft and destruction, and records the time, place and operation of each communication. A new generation of firewalls can even prevent insiders from deliberately sending sensitive data to the outside world. When a local network is connected to the Internet we certainly do not want the whole world to be free to read the internal payroll, documents or databases; but there is also the possibility of attack from inside. For example, a computer expert with ulterior motives might alter the payroll or the financial reports. By configuring a firewall an administrator can allow employees to use internal e-mail, WWW browsing and file transfer while denying any outside access to internal computers, and can also prohibit mutual access between different departments of the organization. Placing the local network behind a firewall prevents attacks from outside.
A firewall is usually special software running on a separate computer that can identify and block illegitimate requests. Take a WWW proxy server as an example: every request goes indirectly, through the proxy server's address. This server differs from an ordinary proxy server in that it does not simply handle the request; it verifies the identity of the requester, the destination and the requested content. Only if everything meets the requirements is the request passed on to the real WWW server. When the real WWW server has processed the request it does not send the result directly to the requester but back to the proxy server, which checks the result against the rules laid down in advance to see whether it violates the security policy; only when this check passes is the result delivered to the requester.

Firewall architectures:

1. Screening router (Screening Router)

A screening router can be implemented with a dedicated router from a manufacturer or with a host. As the only channel between inside and outside, it requires every packet to pass its checks. Packet filtering software working at the IP layer can be installed on the router to implement the filtering. Many routers have built-in packet filter configuration options, although these are generally rather simple. The danger zone of a simple screening-router firewall includes the router itself and every host the router allows access to. Its drawbacks are that once the screening router has been attacked the intrusion is hard to detect, and that it cannot distinguish between different users.

2. Dual-homed host gateway (Dual Homed Gateway)

A dual-homed host gateway uses a bastion host with two network interface cards as the firewall, one card connected to the protected network and the other to the external network. The bastion host runs the firewall software and can forward applications and provide services. Compared with a screening router, the bastion host of a dual-homed gateway has system software that can be used to maintain system logs, hard-copy logs or remote logs. Its weakness is conspicuous, however: once the bastion host is compromised it is left with nothing but routing capability, and any user can easily reach the internal network.

3. Screened host gateway (Screened Host Gateway)

The screened host gateway is easy to implement and quite secure. A bastion host is installed on the internal network, and filtering rules are usually set up in the router so that the bastion host is the only host the external network can reach directly; this protects the internal network from attack by unauthorized external users. If the protected network is a virtual extended LAN, with no subnets and routers of its own, changes to the internal network do not affect the configuration of the bastion host or the screening router. The risk is limited to the bastion host and the screening router. The gateway's basic control policy is determined by the software installed on it. If an attacker manages to log on to it, the remaining hosts on the internal network are gravely threatened, which is similar to the situation of a dual-homed gateway under attack.

4. Screened subnet (Screened Subnet)

A screened subnet establishes an isolated subnet between the internal and external networks, using two packet filtering routers to separate this subnet from the internal network on one side and the external network on the other. In many implementations the two packet filtering routers sit at either end of the subnet, and a DMZ is formed in between: both the internal and the external network can reach the screened subnet, but traffic across the subnet between the two is blocked. Some screened subnets also contain a bastion host as the sole access point, which can support interactive terminal sessions or act as an application gateway proxy. The risk of this configuration is confined to the bastion host, the subnet, all hosts connected to it, and the routers on the internal and external sides. If an attacker wants to destroy the firewall completely he must reconfigure the routers connecting the three networks, without cutting off the connection, locking himself out or being discovered; this remains possible. If, however, the internal router denies access from the internal network, or allows only certain hosts to reach it, the attack becomes very difficult: the attacker must first break into the bastion host, then into a host on the internal network, and then go back and destroy the screening router, all without raising an alarm.
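The two-router screened subnet above, and the anti-spoofing role the hybrid configuration gives its screening routers, can be modelled as a pair of stateless rule sets evaluated first-match with a default deny. The following is an added example written for this article, not code from the original; the topology, the addresses (a DMZ 192.168.100.0/24 with a bastion at .10, an internal 10.0.0.0/8 with a mail server at 10.1.1.25) and the rules are constructed for illustration.

```python
"""Stateless packet filtering for a screened subnet (DMZ) with two screening
routers. Added example, not from the article; the topology, addresses and
rule sets below are constructed for illustration.

  Internet --ext0[ OUTER ]dmz0-- DMZ 192.168.100.0/24 --dmz0[ INNER ]int0-- Internal 10.0.0.0/8
                                 bastion 192.168.100.10                     mail 10.1.1.25
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DMZ = ip_network("192.168.100.0/24")
INTERNAL = ip_network("10.0.0.0/8")
BASTION = "192.168.100.10"
MAIL = "10.1.1.25"


@dataclass(frozen=True)
class Packet:
    iface: str                  # interface the packet arrived on
    src: str                    # source address as written in the header
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    iface: Optional[str] = None     # ingress interface; None matches any
    src: Optional[str] = None       # network or host; None matches any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules, p: Packet) -> str:
    """First matching rule decides; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Outer router: Internet <-> DMZ. Its first job is anti-spoofing: a packet that
# arrives on the Internet-facing interface can never legitimately carry an
# inside source address, whatever else it claims.
OUTER = [
    Rule("deny", iface="ext0", src="10.0.0.0/8"),
    Rule("deny", iface="ext0", src="192.168.0.0/16"),
    Rule("allow", iface="ext0", dst=BASTION, proto="tcp", dport=25),  # only SMTP, only to the bastion
    Rule("allow", iface="dmz0", src=BASTION, proto="tcp"),             # bastion may originate outward
]

# Inner router: DMZ <-> internal. Only the bastion may speak to the inside, and
# only to the mail server's SMTP port; inside hosts may reach the bastion.
INNER = [
    Rule("deny", iface="dmz0", src="10.0.0.0/8"),
    Rule("allow", iface="dmz0", src=BASTION, dst=MAIL, proto="tcp", dport=25),
    Rule("allow", iface="int0", src="10.0.0.0/8", dst=BASTION, proto="tcp"),
]

# Which router interfaces a packet crosses, by (source zone, destination zone).
PATHS = {
    ("external", "dmz"):      [(OUTER, "ext0")],
    ("dmz", "external"):      [(OUTER, "dmz0")],
    ("dmz", "internal"):      [(INNER, "dmz0")],
    ("internal", "dmz"):      [(INNER, "int0")],
    ("external", "internal"): [(OUTER, "ext0"), (INNER, "dmz0")],
    ("internal", "external"): [(INNER, "int0"), (OUTER, "dmz0")],
}


def zone(addr: str) -> str:
    a = ip_address(addr)
    return "dmz" if a in DMZ else "internal" if a in INTERNAL else "external"


def traverse(origin: str, dst: str, proto: str, dport=None, claimed_src=None) -> str:
    """Verdict for a packet physically sent from `origin` to `dst`.

    `claimed_src` models a spoofed header: the packet really comes from the
    zone of `origin` but says it comes from `claimed_src`."""
    hops = PATHS.get((zone(origin), zone(dst)))
    if hops is None:
        return "deny"   # same-zone traffic never crosses the firewall; not modelled
    header_src = claimed_src or origin
    for rules, iface in hops:
        if evaluate(rules, Packet(iface, header_src, dst, proto, dport)) == "deny":
            return "deny"
    return "allow"


if __name__ == "__main__":
    for case in [("203.0.113.7", MAIL, "tcp", 25, "10.9.9.9"),   # outsider spoofing an inside address
                 ("203.0.113.7", BASTION, "tcp", 25, None),      # outsider to the bastion's SMTP
                 ("192.168.100.10", MAIL, "tcp", 25, None)]:     # bastion relaying mail inward
        print(case, "->", traverse(*case))
```

Note what this stateless model cannot do: a reply from the Internet to a connection the bastion opened outward (a SYN/ACK from port 25 to a high port) is denied by the OUTER rules, because the only inbound allow is to port 25. Screening routers traditionally work around this with a rule that admits any packet with the ACK bit set, which is exactly the gap a forged packet with ACK set walks through; tracking connection state closes it.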

The basic types of firewall

There are many kinds of firewall on the market today, some in the form of software running on ordinary computers and others designed into routers as firmware. In general they fall into three types: packet filtering firewalls, proxy servers and stateful inspection.

Packet filtering firewall (IP Filtering Firewall):

A packet filter selects packets at the network layer. According to a preset filtering logic it checks each packet in the data stream and decides, on the basis of the packet's source address, destination address and the port it uses, whether to let the packet through. On a packet-switched network such as the Internet all information is divided into many packets of a certain length, each carrying the sender's IP address and the recipient's IP address. When these packets are sent over the Internet, routers read the recipient's IP address and choose a physical line to send them on; packets may arrive by different routes, and when all of them have reached the destination they are reassembled. A packet filtering firewall checks the IP addresses of every packet passing through and filters them according to the rules set by the system administrator. If the firewall treats a certain IP address as dangerous, all information from that address is blocked. Many use this kind of firewall; for example, state departments use packet filtering firewalls to prevent domestic users from visiting foreign sites that violate the relevant Chinese regulations or are otherwise "problematic", such as www.playboy.com and www.cnn.com. The greatest advantage of the packet filtering router is that it is transparent to users: no user name or password is needed to log in. Fast and easy to maintain, it usually serves as the first line of defence. Its defects are equally obvious. It usually keeps no per-user records, so hackers cannot be traced from the access records, and attacking a simple packet filtering firewall is relatively easy for hackers, who have accumulated a great deal of experience in this respect.
"Packet shock" is a commonly used hacking method: the attacker sends a series of packets at the packet filtering firewall whose source IP address has been replaced with a sequence of forged addresses (fake IPs). Once a packet gets through the firewall, the hacker can use that IP address to disguise his further traffic. In other cases hackers use a prepared router exploit, a program that uses the Routing Information Protocol (RIP) to send forged routing information so that all packets are rerouted to a special address designated by the intruder. Another technique aimed at routers is the "SYN flood", which is in effect a network bomb. The attacker's computer sends the target a great many forged "synchronization request" (SYN) packets; the server answers each one and then waits for the sender's reply, but the attacker never responds. If the server receives no reply within its timeout (the author cites 45 seconds) it discards the request, but while it is holding tens of thousands of false requests it has no capacity left for legitimate user requests, and the attacked server is effectively deadlocked. A further shortcoming is that a packet filtering firewall is complicated to configure. It blocks entry into the internal network, but cannot tell you who entered your system or what inside it was accessed from the Internet; it can prevent outside access to the private network, but cannot record internal access. Another key weakness is that packet filtering does not filter at the user level: it cannot distinguish different users or prevent IP address theft. A firewall based on packet filtering alone therefore cannot be considered an absolutely secure system.

Proxy server (Proxy Server):

A proxy server is often called an application-level firewall. An IP packet filtering firewall can forbid unauthorized access by address, but it is not suited to controlling how staff inside the organization use the external network; for such enterprises an application-level firewall is the better choice. In a proxy service, the application-layer link between computer systems inside and outside the firewall is realized as two links terminated at the proxy, which successfully isolates the computer systems inside the firewall from those outside. The proxy service runs on the firewall's application gateway, where the network manager permits or denies specific applications or services, and it can also provide strong data flow control, filtering, logging and reporting. It is normally applied to specific Internet services such as Hypertext Transfer (HTTP) and remote file transfer (FTP). A proxy server usually also has a high-speed cache holding the content of sites users visit frequently; when the next user accesses the same site the server need not fetch the same content again, which saves time and network resources.

Below I briefly introduce several ways in which proxy servers are designed and implemented:

1. Application gateway proxy (Application Gateway Proxy)

An application gateway proxy provides authorization checks and proxy services at the application layer. When a host tries to reach the protected network from outside (with Telnet, for example), it must first be authenticated by the firewall. After authentication the firewall runs a program written specifically for Telnet that connects the external host with the internal host. During this process the firewall can restrict which hosts the user may access, at what times and in what ways. Likewise, users on the protected internal network must log on to the firewall and pass verification before they can use Telnet or FTP commands to reach external networks. The advantages of the application gateway proxy are that it hides internal IP addresses and authorizes individual users, so that even an attacker who steals a legitimate IP address must still pass strict authentication; it is more secure than packet filtering. But this authentication makes the application gateway non-transparent: the user is "interrogated" at every connection, which is inconvenient, and the proxy technique requires a special program to be written for each application gateway.
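The WWW proxy described earlier and the application gateway just described do the same three things: authenticate the user, check the request against a per-user policy, and only then build the request that goes to the real server. The following is an added example written for this article, not code from the original: a minimal HTTP application gateway. The users, their salted password hashes, the host and method policy, and the sample request are all constructed; the actual relay to the origin server is left out, and gateway() returns the bytes that would be sent.

```python
"""Application-level gateway for HTTP: authenticate the user, enforce a
per-user destination and method policy, then rewrite the request before
relaying it. Added example, not from the article; users, hosts and the
policy table are constructed, and the relay to the origin server is not
performed (gateway() returns the bytes that would be sent)."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed credential store: user -> (salt, salted SHA-256 of the password).
USERS = {
    "alice": ("s1", _digest("s1", "correct horse")),
    "bob": ("s2", _digest("s2", "hunter2")),
}
# Constructed policy: which hosts and methods each authenticated user may use.
POLICY = {
    "alice": {"hosts": {"www.example.com", "docs.example.net"}, "methods": {"GET", "HEAD", "POST"}},
    "bob": {"hosts": {"www.example.com"}, "methods": {"GET", "HEAD"}},
}
# Headers meant for the proxy hop only; they must never reach the origin server.
HOP_BY_HOP = {"proxy-authorization", "proxy-connection", "connection", "keep-alive", "te", "trailer", "upgrade"}


class ProxyError(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status = status


def parse_request(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def authenticate(headers) -> str:
    """Return the user named by a valid Proxy-Authorization: Basic header, else 407."""
    for name, value in headers:
        if name.lower() == "proxy-authorization" and value.startswith("Basic "):
            try:
                user, _, password = base64.b64decode(value[6:]).decode().partition(":")
            except ValueError:          # bad base64 or bad UTF-8
                break
            salt, stored = USERS.get(user, ("", ""))
            if stored and hmac.compare_digest(_digest(salt, password), stored):
                return user
            break
    raise ProxyError(407, "Proxy Authentication Required")


def gateway(raw: bytes) -> bytes:
    method, target, version, headers, body = parse_request(raw)
    user = authenticate(headers)
    policy = POLICY.get(user, {"hosts": set(), "methods": set()})
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ProxyError(400, "absolute-form http:// URL required")
    if url.hostname not in policy["hosts"]:
        raise ProxyError(403, f"{user} may not reach {url.hostname}")
    if method not in policy["methods"]:
        raise ProxyError(405, f"{user} may not use {method}")
    # Rewrite to origin-form, drop hop-by-hop headers (so the user's proxy
    # credentials never leave the gateway) and mark the hop.
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    out = [f"{method} {path} {version}"]
    out += [f"{n}: {v}" for n, v in headers if n.lower() not in HOP_BY_HOP]
    out += ["Via: 1.1 app-gateway", "Connection: close"]
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + body


def build_request(method: str, url: str, user: str, password: str) -> bytes:
    """Constructed sample client request, as a browser configured for the proxy sends it."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    host = urlsplit(url).hostname or ""
    return (f"{method} {url} HTTP/1.1\r\nHost: {host}\r\n"
            f"Proxy-Authorization: Basic {cred}\r\nProxy-Connection: keep-alive\r\n\r\n").encode()


def decide(raw: bytes):
    """(status, relayed request); status 200 means the request may go out."""
    try:
        return 200, gateway(raw)
    except ProxyError as e:
        return e.status, None


if __name__ == "__main__":
    print(decide(build_request("GET", "http://www.example.com/docs/?x=1", "alice", "correct horse")))
    print(decide(build_request("POST", "http://www.example.com/", "bob", "hunter2")))
```

The order of the checks matters: authentication comes before any policy lookup, so an unauthenticated client learns nothing about which hosts exist in the policy, and the Proxy-Authorization header is stripped so the credentials that authorize the hop are never forwarded to the destination.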

2. Circuit-level proxy server

A circuit-level proxy server, also called a general-purpose proxy server, works with many protocols but cannot interpret the application protocol, so it must obtain its information by other means; it therefore usually requires modified client programs. The SOCKS server is a circuit-level proxy server. SOCKS is an internationally standardized network application-layer interface. When a client on the protected network needs to exchange information with the external network, the SOCKS server on the firewall checks the client's user ID, source IP address and destination IP address, and only after confirming them establishes the connection between the client and the external server. For users, the exchange of information between the protected network and the external network is transparent and the firewall's presence is not felt, because users on the internal network do not log on to the firewall. However, client applications must support the "SOCKSified" API, and the IP address that protected-network users present to the public network is the firewall's own IP address.
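The exchange a SOCKS server performs is short enough to show in full. The following is an added example written for this article, not code from the original: both sides of a SOCKS5 handshake (method negotiation per RFC 1928, username/password sub-negotiation per RFC 1929), with the server checking the client's source network, user ID and destination before opening the circuit. The credential table, the permitted client and destination networks and the firewall's external address are constructed.

```python
"""SOCKS5 circuit-level proxy: the exchange between a SOCKSified client and
the firewall, with the server checking source, user ID and destination before
it opens the circuit (RFC 1928 negotiation, RFC 1929 username/password).
Added example, not from the article; the credential table, allowed networks
and the firewall's external address are constructed."""
import hmac
import struct
from ipaddress import ip_address, ip_network

USERS = {"alice": "correct horse"}              # constructed
ALLOWED_CLIENTS = ip_network("10.0.0.0/8")      # constructed: the protected network
ALLOWED_DST = ip_network("203.0.113.0/24")      # constructed: where clients may connect
EXTERNAL_ADDR = ip_address("198.51.100.1")      # constructed: firewall's public side


# --- client side: the three messages a SOCKSified application sends ----------
def client_greeting() -> bytes:
    return bytes([0x05, 0x01, 0x02])            # version 5, one method offered: 0x02 user/pass


def client_auth(user: str, password: str) -> bytes:
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def client_connect(host: str, port: int) -> bytes:
    # VER CMD=CONNECT RSV ATYP=IPv4 DST.ADDR DST.PORT
    return bytes([0x05, 0x01, 0x00, 0x01]) + ip_address(host).packed + struct.pack("!H", port)


# --- server side: a state machine fed one client message at a time -----------
class Socks5Server:
    def __init__(self, client_src: str):
        self.client_src = client_src
        self.state = "greeting"
        self.user = None
        self.target = None

    def feed(self, msg: bytes) -> bytes:
        return getattr(self, "_" + self.state)(msg)

    def _greeting(self, msg):
        source_ok = ip_address(self.client_src) in ALLOWED_CLIENTS
        if not source_ok or len(msg) < 2 or msg[0] != 0x05 or 0x02 not in msg[2:2 + msg[1]]:
            self.state = "closed"
            return bytes([0x05, 0xFF])          # no acceptable method: client must close
        self.state = "auth"
        return bytes([0x05, 0x02])              # we insist on username/password

    def _auth(self, msg):
        ulen = msg[1]
        user = msg[2:2 + ulen].decode()
        plen = msg[2 + ulen]
        password = msg[3 + ulen:3 + ulen + plen].decode()
        expected = USERS.get(user, "")
        if msg[0] != 0x01 or not hmac.compare_digest(expected.encode(), password.encode()):
            self.state = "closed"
            return bytes([0x01, 0x01])          # non-zero status: failure, connection closed
        self.user = user
        self.state = "request"
        return bytes([0x01, 0x00])

    def _request(self, msg):
        ver, cmd, _rsv, atyp = msg[:4]
        if ver != 0x05 or cmd != 0x01 or atyp != 0x01:     # only CONNECT to IPv4 here
            self.state = "closed"
            return bytes([0x05, 0x07, 0x00, 0x01]) + bytes(6)   # command not supported
        dst, port = ip_address(msg[4:8]), struct.unpack("!H", msg[8:10])[0]
        if dst not in ALLOWED_DST:
            self.state = "closed"
            return bytes([0x05, 0x02, 0x00, 0x01]) + bytes(6)   # connection not allowed by ruleset
        self.target = (str(dst), port)
        self.state = "relay"
        # Success reply carries the address the destination will see: the firewall's.
        return bytes([0x05, 0x00, 0x00, 0x01]) + EXTERNAL_ADDR.packed + struct.pack("!H", 40000)

    def _relay(self, msg):
        return msg                               # circuit-level: payload passed through uninspected

    def _closed(self, msg):
        return b""


def run_handshake(client_src, user, password, host, port):
    """Drive the exchange; returns the server and a transcript of (side, bytes)."""
    srv = Socks5Server(client_src)
    transcript = []
    for msg in (client_greeting(), client_auth(user, password), client_connect(host, port)):
        reply = srv.feed(msg)
        transcript += [("client", msg), ("server", reply)]
        if srv.state == "closed":
            break
    return srv, transcript


if __name__ == "__main__":
    for side, data in run_handshake("10.2.2.2", "alice", "correct horse", "203.0.113.5", 80)[1]:
        print(f"{side:>6}: {data.hex()}")
```

The _relay handler is the whole point of "circuit-level": once the circuit is up the server copies bytes and never parses them, so it can carry any TCP protocol but cannot apply the content checks an application gateway can.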

3. Hosting server

Hosting server technology moves insecure services such as FTP and Telnet onto the firewall, which also acts as their server and answers external requests. Compared with the application gateway approach, it does not require a special program to be written for each service. Moreover, users on the protected network who want to reach external networks must first log on to the firewall and then issue their requests, so from outside only the firewall is visible, which hides internal addresses and improves security.

4. IP tunnels (IP Tunnels)

If a company has two subsidiaries far apart that communicate over the Internet, it can use IP tunnels to prevent hackers on the Internet from intercepting the information, forming a virtual corporate network over the Internet.

5. Network address translator (Network Address Translator)

When a protected network is connected to the Internet, its users must use valid IP addresses to access the Internet. But legitimate Internet IP addresses are limited, and protected networks usually have IP address plans of their own. A network address translator is a pool of legitimate IP addresses configured on the firewall. When an internal user accesses the Internet, the firewall dynamically selects an unassigned address from this pool and assigns it to the user, who then communicates using the legitimate address. For some servers, such as an internal Web server, network address translation can also assign a fixed legitimate address, so that users on the external network can reach the internal server through the firewall. This technique not only eases the conflict between a small number of IP addresses and a large number of hosts, but also hides the internal hosts' IP addresses from the outside and improves security.
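The translation table the paragraph describes, with a dynamic pool for outbound users and a fixed mapping for the internal Web server, is small enough to show whole. The following is an added example written for this article, not code from the original; all addresses are constructed. It models the one-address-per-host NAT the article describes; firewalls today normally translate ports as well (NAPT), so that many hosts share one public address, but the security property shown here is the same: an inbound packet to a public address that holds no mapping is dropped, so internal hosts are unreachable from outside unless a mapping exposes them.

```python
"""Network address translation as the firewall performs it: dynamic outbound
mappings from a pool of public addresses, a static mapping for the internal
Web server, and reverse translation for inbound packets. Added example, not
from the article; all addresses are constructed."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")
PUBLIC_POOL = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]   # three legitimate addresses
STATIC = {"10.1.1.80": "198.51.100.2"}                              # internal Web server -> fixed public address


class Nat:
    def __init__(self):
        self.free = list(PUBLIC_POOL)                # unassigned pool addresses
        self.out = dict(STATIC)                      # internal -> public
        self.inn = {v: k for k, v in STATIC.items()} # public -> internal

    def outbound(self, src: str, dst: str):
        """Translate a packet leaving the protected network.

        Returns (public_src, dst), or None if the packet should be dropped."""
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            return None                              # not an inside-to-outside packet
        pub = self.out.get(src)
        if pub is None:
            if not self.free:
                return None                          # pool exhausted: the user must wait
            pub = self.free.pop(0)
            self.out[src] = pub
            self.inn[pub] = src
        return pub, dst

    def inbound(self, src: str, dst: str):
        """Translate a packet arriving from outside.

        Only public addresses that currently map to an internal host are
        reachable; everything else is dropped, which is what hides the inside."""
        internal = self.inn.get(dst)
        if internal is None:
            return None
        return src, internal

    def release(self, internal: str) -> None:
        """Return a dynamic address to the pool when the user's session ends."""
        if internal in STATIC:
            return                                   # fixed mappings are never released
        pub = self.out.pop(internal, None)
        if pub is not None:
            self.inn.pop(pub, None)
            self.free.append(pub)


if __name__ == "__main__":
    nat = Nat()
    print(nat.outbound("10.2.2.2", "203.0.113.9"))        # ('198.51.100.10', '203.0.113.9')
    print(nat.inbound("203.0.113.9", "198.51.100.10"))    # ('203.0.113.9', '10.2.2.2')
    print(nat.inbound("203.0.113.9", "198.51.100.11"))    # None: no mapping, dropped
```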

6. Split domain name server (Split Domain Name Server)

This technique separates the domain name server of the protected network from that of the external network, so that the external DNS server sees only the firewall's IP address and learns nothing specific about the protected network; this ensures that the protected network's IP addresses are not known to the external network.

7. Mail forwarding (Mail Forwarding)

When the firewall uses the techniques described above, the external network knows only the firewall's IP address and domain name, so mail sent from outside can only be delivered to the firewall. The firewall then inspects the e-mail, and only when the source host is permitted through does it rewrite the destination address and forward the message to the internal mail server for delivery.

A firewall acting as a proxy server really does stand between internal users and the outside: external visitors in particular see only the proxy server and none of the internal resources, such as users' IP addresses, while internal clients do not feel its presence at all and access external sites freely. A proxy provides excellent access control, logging and address translation, and records the information entering and leaving the firewall, which makes monitoring and management easy for the system administrator. But the proxy server also has shortcomings, notably that it slows down network access: since it allows no direct network access, the proxy has to handle all traffic in and out, and a proxy must be set up for every new application. The author once designed an office application and spent a long time struggling with the proxy server, which in the end was abandoned over configuration and fault-tolerance problems.

Stateful inspection (Stateful Inspection):

Stateful inspection is the best firewall technology in terms of security features. It uses gateway software, an engine that enforces the network security policy, called the inspection module. Without affecting the normal operation of the network, the inspection module extracts data to monitor communications at every network layer, picks out part of that data, namely the state information, and stores it dynamically as a reference for later security decisions. The inspection module supports many protocols and applications and can easily be extended to new applications and services. Unlike other security schemes, before a user's access reaches the gateway's operating system the stateful inspector analyses the collected data and, together with the network configuration and security requirements, decides whether to accept, reject or encrypt the communication. Once an access violates the security rules, the security system rejects it, raises an alarm, and records and reports the network state to the system manager. Another advantage of stateful inspection is that it can also monitor Remote Procedure Call and User Datagram Protocol port information. Of course there are problems too: stateful inspection is complex to configure and reduces network speed.
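What the inspection module stores is, at its core, a connection table: an entry is created only by a permitted initiation, return traffic is admitted only if it matches an entry, and the entry is aged out or torn down afterwards. The following is an added example written for this article, not code from the original. It tracks TCP and UDP flows across an inside and an outside interface, drops the unsolicited packets a stateless filter with an "ACK set" rule would admit, expires idle UDP pseudo-connections, and counts half-open TCP entries per destination so that the condition the SYN flood described earlier creates raises an alarm instead of filling the table. The interfaces, the exposed service, the timeouts and the (deliberately tiny) half-open threshold are constructed.

```python
"""Stateful inspection of TCP and UDP: a connection table keyed by 5-tuple,
populated only by permitted initiations, used to admit return traffic and to
drop unsolicited inbound packets. Half-open (SYN seen, handshake incomplete)
entries are counted per destination as SYN-flood protection.

Added example, not from the article. Interfaces, addresses, timeouts and
thresholds are constructed."""
from dataclasses import dataclass

INSIDE, OUTSIDE = "int0", "ext0"
SERVERS = {("tcp", "10.1.1.25", 25)}   # services the policy exposes to the outside (constructed)
UDP_TIMEOUT = 30.0                      # idle seconds before a UDP pseudo-connection expires
SYN_TIMEOUT = 20.0                      # seconds a half-open TCP entry may live
HALF_OPEN_LIMIT = 3                     # alarm/drop threshold per destination (tiny, for the demo)


@dataclass(frozen=True)
class Pkt:
    iface: str          # interface the packet arrived on
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: S, A, F, R (e.g. "SA" = SYN/ACK)
    ts: float = 0.0     # arrival time in seconds


class StatefulFirewall:
    def __init__(self):
        self.table = {}     # normalized 5-tuple -> connection entry
        self.alarms = []

    @staticmethod
    def _key(p):
        # Both directions of a flow map to one key: inside host first.
        if p.iface == INSIDE:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    @staticmethod
    def _permit_new(p):
        # Initiation policy: inside may open anything outbound; outside only listed services.
        return p.iface == INSIDE or (p.proto, p.dst, p.dport) in SERVERS

    def _expire(self, now):
        for k, e in list(self.table.items()):
            idle = now - e["last"]
            if (e["proto"] == "udp" and idle > UDP_TIMEOUT) or \
               (e["state"] in ("half_open", "syn_acked") and idle > SYN_TIMEOUT):
                del self.table[k]

    def _half_open_to(self, dst):
        return sum(1 for e in self.table.values()
                   if e["proto"] == "tcp" and e["dst"] == dst and e["state"] in ("half_open", "syn_acked"))

    def process(self, p: Pkt) -> str:
        self._expire(p.ts)
        k = self._key(p)
        e = self.table.get(k)
        if e is None:
            # No state: only a permitted initiation may create one. A stateless
            # "allow if ACK set" rule would pass a forged SYN/ACK here; we drop it.
            if not self._permit_new(p):
                return "drop"
            if p.proto == "tcp":
                if p.flags != "S":
                    return "drop"
                if self._half_open_to(p.dst) >= HALF_OPEN_LIMIT:
                    self.alarms.append(f"t={p.ts}: SYN flood suspected against {p.dst}:{p.dport}")
                    return "drop"
            self.table[k] = {"proto": p.proto, "state": "half_open" if p.proto == "tcp" else "open",
                             "last": p.ts, "dst": p.dst, "opener": p.iface}
            return "accept"
        # Existing entry: refresh it and drive the TCP state machine.
        e["last"] = p.ts
        if p.proto == "tcp":
            if "R" in p.flags or (e["state"] == "closing" and "F" in p.flags):
                del self.table[k]
            elif "F" in p.flags:
                e["state"] = "closing"
            elif e["state"] == "half_open" and p.flags == "SA" and p.iface != e["opener"]:
                e["state"] = "syn_acked"
            elif e["state"] == "syn_acked" and "A" in p.flags and p.iface == e["opener"]:
                e["state"] = "established"
        return "accept"

    def run(self, pkts):
        return [self.process(p) for p in pkts]


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.run([Pkt("int0", "tcp", "10.2.2.2", 40000, "203.0.113.9", 80, "S", 0.0),
                  Pkt("ext0", "tcp", "203.0.113.9", 80, "10.2.2.2", 40000, "SA", 0.1),
                  Pkt("ext0", "tcp", "203.0.113.9", 80, "10.2.2.2", 40001, "SA", 0.2)]))
```

The half-open counter is the part that answers the SYN flood: each forged SYN costs the attacker nothing but costs the firewall a table entry, so the entries must both expire (SYN_TIMEOUT) and be capped per destination, with the cap turned into an alarm for the administrator rather than a silent drop.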

Firewalls are already widely used on the Internet, and because the firewall is not bound to the characteristics of the TCP/IP protocol, it will gradually show even more vitality than on the Internet alone. Objectively speaking, a network firewall is not a universal prescription that solves all security problems, but only one integral part of a network security policy and strategy. Yet by understanding firewall technology and learning to apply it in practice, I believe every user living in the networks of the new century will benefit.