A firewall is already the main mechanism enterprises use to protect their networks. However, enterprise network security is a very broad subject, and a firewall cannot solve every security problem: the control technology the firewall uses, its ability to protect itself, the network infrastructure and the security policy all affect how secure the enterprise network is.
Among the many factors that affect a firewall's security performance, some can be controlled by the administrator, while others are fixed characteristics that cannot be changed once a firewall has been chosen; the key one is the access-control technology the firewall uses. Current firewall control technologies can be roughly divided into three types: packet filtering (Packet Filter), stateful packet inspection (Stateful Inspection Packet Filter) and application layer gateway (Application Gateway). Each of these three technologies has its own characteristics in terms of security and performance, but most people pay attention only to efficiency and neglect the conflict between firewall security and efficiency. This article describes these three firewall technologies and compares their characteristics and the potential security risks or performance loss of each approach.
Packet filtering: a packet-filtering firewall inspects the header of every packet passing through it, such as the source and destination IP addresses, the protocol used and the TCP or UDP port, and applies its control rules to that information. Routers, switch routers and some operating systems already provide packet filter control. The greatest benefit of packet filtering is efficiency, but it has several serious drawbacks: management is complex, because full control of a connection depends on a set of rules whose order seriously affects the result; it is difficult to maintain; and its logging is poor.
Stateful packet inspection: the control mechanism of stateful inspection is an inspection module that examines the packet at every layer. It can be described as an enhanced version of packet filtering: its aim is to raise the security of the packet filter by adding the ability to control the "connection". However, because stateful inspection still operates mainly on individual packets, the inspection methods of different products can differ greatly. The more layers a product inspects, the more secure it is, but the lower its relative performance.
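The difference between the two paragraphs above, as an added example that is not part of the original article: a stateless filter decides on header fields alone and needs a standing rule to let replies back in, while a stateful filter tracks connections opened from the inside and admits only their replies. Addresses, ports and the rule format are constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str; dst: str; proto: str; sport: int; dport: int
    syn: bool = False   # TCP SYN flag marks a new connection attempt

# Rule: (action, src, dst, proto, sport, dport); "any" / None are wildcards.
def match(rule, pkt):
    _, src, dst, proto, sport, dport = rule
    return (src in ("any", pkt.src) and dst in ("any", pkt.dst)
            and proto in ("any", pkt.proto)
            and sport in (None, pkt.sport) and dport in (None, pkt.dport))
def packet_filter(rules, pkt):
    """Stateless filter: header fields only, first matching rule wins,
    so the order of the rule list decides the outcome."""
    for rule in rules:
        if match(rule, pkt):
            return rule[0]
    return "deny"   # default deny when no rule matches
class StatefulFilter:
    """Stateful inspection: remembers connections opened by an allowed SYN
    and admits their reply packets without any standing inbound rule."""
    def __init__(self, rules):
        self.rules, self.conns = rules, set()
    def check(self, pkt):
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.conns:
            return "allow"   # reply leg of a tracked connection
        action = packet_filter(self.rules, pkt)
        if action == "allow" and pkt.proto == "tcp" and pkt.syn:
            self.conns.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return action

INSIDE, OUTSIDE = "10.0.0.5", "203.0.113.7"   # constructed sample addresses
OUT_HTTP = ("allow", INSIDE, "any", "tcp", None, 80)
# Stateless filtering needs a standing reply rule; any inbound packet with
# source port 80 matches it, whether or not a connection exists.
REPLY_HOLE = ("allow", "any", INSIDE, "tcp", 80, None)
DENY_HTTP = ("deny", "any", "any", "tcp", None, 80)
def demo():
    req = Packet(INSIDE, OUTSIDE, "tcp", 40000, 80, syn=True)
    reply = Packet(OUTSIDE, INSIDE, "tcp", 80, 40000)
    unsolicited = Packet(OUTSIDE, INSIDE, "tcp", 80, 22, syn=True)
    sf = StatefulFilter([OUT_HTTP])
    return {"stateless_reply": packet_filter([OUT_HTTP, REPLY_HOLE], reply),
            "stateless_unsolicited": packet_filter([OUT_HTTP, REPLY_HOLE], unsolicited),
            "stateful_request": sf.check(req), "stateful_reply": sf.check(reply),
            "stateful_unsolicited": sf.check(unsolicited),
            # same two rules, deny placed first: it shadows the allow
            "deny_first": packet_filter([DENY_HTTP, OUT_HTTP], req),
            "allow_first": packet_filter([OUT_HTTP, DENY_HTTP], req)}
```

The stateless filter passes the unsolicited inbound packet because it matches the reply rule, while the stateful filter denies it because no inside host opened that connection.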
A stateful inspection firewall whose inspection is incomplete can cause problems. The Firewall-1 Fast Mode TCP fragment vulnerability published last year is one example: a design intended to increase efficiency became a security vulnerability.
Application layer gateway: an application layer gateway firewall interrupts the connection and uses a dedicated proxy to handle both ends of it, analysing whether the content of the connection conforms to the application protocol standard. This control mechanism can effectively control the whole connection from start to finish, cannot be deceived by the client or server side, and is not as complicated to manage as packet filtering. But a dedicated proxy must be written for each application, or a general-purpose proxy must be used to handle most connections. This mode of operation is the safest, but also the one with the lowest performance.
A firewall is designed to protect security, so security should be its main consideration. Therefore, rather than blindly demanding performance, it is better to think about how to provide maximum security protection without affecting performance.
Although the three designs differ in performance, when evaluating performance we must consider whether the difference will affect actual operation. In fact, for the xDSL, T1 and several-Mbps "broadband" networks that most sites use now or will use in the future, even an application gateway will not noticeably affect network performance. In that environment the firewall's performance should not be the priority. However, when the firewall sits between different departments within the corporate network, the enterprise must consider whether this performance cost is acceptable.