Firewalls have already become the main mechanism for protecting enterprise networks. However, the overall security of an enterprise network involves far more than the firewall: a firewall alone cannot solve every security problem, and the firewall technology chosen, the ability of the people who operate it, the network architecture, the security policy and other factors all affect how secure the enterprise network actually is.
Among the many factors that affect the security and performance of a firewall, some are under the administrator's control, while others are fixed once a particular firewall has been chosen; the most important of these fixed factors is the access control technology the firewall uses. Current firewall control technologies can be broadly divided into three kinds: packet filtering (Packet Filter), stateful packet inspection (Stateful Inspection Packet Filter) and application-layer gateways (Application Gateway). Each of the three has its own characteristics in security and in performance, but most people pay attention only to the firewall's performance and overlook the conflict between security and efficiency. This paper describes the three firewall technologies and compares the characteristics of each, together with the security risks or performance losses each one implies.
Packet filtering: the packet filtering control method examines the header of every packet entering or leaving the firewall, such as the source and destination IP addresses, the protocol used (TCP or UDP), the port, and other control and management information. Routers, switch routers and some operating systems already have packet filtering capability built in. The biggest advantage of packet filtering is efficiency, but it has several serious drawbacks: management is complex, it cannot control a connection as a whole, the order in which rules are listed seriously affects the result, it is hard to maintain, and its logging is poor.
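The following is an added example, not code from the original paper, that models a first-match packet filter to show the ordering drawback named above: the same packet and the same two rules produce opposite decisions depending only on which rule is listed first. The addresses, the Packet and Rule classes and the rule set are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter examines (constructed model)."""
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "*"               # exact address, a prefix ending in ".", or "*" for any
    proto: str = "*"             # "tcp", "udp" or "*"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, p: Packet) -> bool:
        if self.src != "*":
            if self.src.endswith("."):
                if not p.src.startswith(self.src):
                    return False
            elif p.src != self.src:
                return False
        if self.proto != "*" and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True

def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule whose conditions match decides."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default  # no rule matched: fall back to the default policy

# Constructed rule set: block one subnet the policy wants out, allow web traffic from anyone.
BLOCK_SUBNET = Rule("deny", src="10.9.8.")
ALLOW_WEB = Rule("allow", proto="tcp", dport=80)

def order_matters() -> Tuple[str, str]:
    """Same packet, same two rules, opposite decisions depending on rule order."""
    p = Packet(src="10.9.8.7", dst="192.0.2.10", proto="tcp", dport=80)
    deny_first = filter_packet([BLOCK_SUBNET, ALLOW_WEB], p)
    allow_first = filter_packet([ALLOW_WEB, BLOCK_SUBNET], p)
    return deny_first, allow_first

if __name__ == "__main__":
    print(order_matters())  # ('deny', 'allow')
```

Because only header fields are consulted, the filter also has no way to tell what the packet to port 80 actually carries; that is the gap the two later technologies address.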
Stateful packet inspection: the stateful inspection control mechanism uses an inspection module that examines packets at every layer. It can be regarded as an enhanced version of packet filtering, whose aim is to raise the security of packet filtering by adding the ability to control "connections". However, stateful inspection still takes the individual packet as its main subject, and different methods of inspecting packets can produce significant differences in security. The more thorough the inspection, the more secure the firewall, but the lower its relative performance.
A stateful inspection firewall whose checks are incomplete may cause problems. The Firewall-1 Fast Mode TCP fragment vulnerability published last year is one example: a design intended to increase performance became a security vulnerability.
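As an added example (not code from the original paper, and unrelated to the Firewall-1 product's actual implementation), the model below tracks outbound TCP connections and admits inbound packets only when they belong to one. Its `strict` flag switches between a full check of the reversed 4-tuple and a deliberately incomplete check that looks only at the local endpoint, which makes the paragraph's point concrete: the less complete the inspection, the more unrelated traffic it admits. Addresses and the packet sequence are constructed.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class TcpPacket:
    """TCP header fields the inspection module examines (constructed model)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

class StatefulFilter:
    """Records outbound connections and admits inbound packets only if they belong to one.

    strict=True  : an inbound packet must match the full reversed 4-tuple
                   (remote address, remote port, local address, local port).
    strict=False : an intentionally incomplete check matching only the local
                   endpoint, to show what a partial inspection lets through.
    """
    def __init__(self, inside_prefix: str, strict: bool = True):
        self.inside_prefix = inside_prefix
        self.strict = strict
        self.table: Set[Tuple[str, int, str, int]] = set()

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def decide(self, p: TcpPacket) -> str:
        key_out = (p.src, p.sport, p.dst, p.dport)
        if self._inside(p.src) and not self._inside(p.dst):
            # Outbound: a fresh SYN opens a connection entry; later packets need one.
            if p.syn and not p.ack:
                self.table.add(key_out)
                return "allow"
            return "allow" if key_out in self.table else "deny"
        # Inbound: only replies to a connection an inside host initiated.
        if self.strict:
            return "allow" if (p.dst, p.dport, p.src, p.sport) in self.table else "deny"
        return "allow" if any(c[0] == p.dst and c[1] == p.dport for c in self.table) else "deny"

def run_exchange(strict: bool) -> List[str]:
    """Constructed sequence: a web request, its reply, a reply from the wrong host, an unsolicited SYN."""
    fw = StatefulFilter("192.0.2.", strict=strict)
    inside, web, other = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    return [
        fw.decide(TcpPacket(inside, 40000, web, 80, syn=True)),              # opens the entry
        fw.decide(TcpPacket(web, 80, inside, 40000, syn=True, ack=True)),    # genuine SYN/ACK
        fw.decide(TcpPacket(other, 80, inside, 40000, syn=True, ack=True)),  # wrong remote host
        fw.decide(TcpPacket(other, 4444, inside, 22, syn=True)),             # no matching state
    ]

if __name__ == "__main__":
    print("strict :", run_exchange(True))   # ['allow', 'allow', 'deny', 'deny']
    print("partial:", run_exchange(False))  # ['allow', 'allow', 'allow', 'deny']
```

The partial variant is cheaper (one field comparison instead of four) and that is exactly the trade the paragraph warns about: the saved work is paid for by admitting a packet from a host the inside client never spoke to. A detection point for operators is any inbound packet accepted for a connection whose remote endpoint does not match the original outbound SYN.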
Application-layer gateway: an application-layer gateway firewall intercepts connection attempts and uses a dedicated proxy to handle both ends of the connection, analysing whether the content of the connection conforms to the standard of the application protocol. This control mechanism can effectively control the whole connection from beginning to end, so neither the client side nor the server side can cheat it, and management is far less complicated than with packet filtering. However, a dedicated proxy must be written for each application, or a general-purpose proxy must be used to handle most connections. This mode of operation is the safest, but it also has the lowest performance.
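The following is an added example, not code from the original paper, of the conformance check a hypothetical HTTP proxy would apply before relaying a client's request: it parses the request line and headers and refuses anything that is not well-formed HTTP with a permitted method. The method policy, the sample requests and the function name are constructed. All four samples are addressed to tcp/80, so a packet filter would pass every one of them unexamined; only the gateway sees the difference.

```python
import re
from typing import Dict, Tuple

# Constructed policy for the hypothetical proxy: only these methods are relayed.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])$")

def http_gateway_check(request: bytes) -> Tuple[str, str]:
    """Decide whether a client request conforms to HTTP before relaying it.

    Returns ("forward", method) or ("reject", reason).
    """
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return ("reject", "incomplete header block")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ("reject", "not an HTTP request line")
    method, target, version = m.groups()
    if method.decode() not in ALLOWED_METHODS:
        return ("reject", "method not permitted")
    if not (target.startswith(b"/") or target.startswith(b"http://")):
        return ("reject", "bad request target")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return ("reject", "malformed header")
        headers[name.strip().lower()] = value.strip()
    if version == b"1.1" and b"host" not in headers:
        return ("reject", "HTTP/1.1 request without Host header")
    return ("forward", method.decode())

# Constructed sample requests, all destined for tcp/80.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
    "not_http": b"SSH-2.0-example\r\n\r\n",
    "tunnel": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def check_all() -> Dict[str, str]:
    """Gateway verdict for each sample; a port-80 packet filter would allow all four."""
    return {name: http_gateway_check(req)[0] for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:10s} -> {http_gateway_check(req)}")
```

The cost is visible in the code itself: every request is buffered and parsed in full before a byte is relayed, and a proxy like this has to exist for each protocol the enterprise allows through, which is why the paragraph describes this mode as the safest and the slowest.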
A firewall is designed to protect security, so security should be its main consideration. Instead of blindly demanding performance, one should think about how to provide maximum security in a way that does not compromise performance.
Although the three approaches differ in performance, when evaluating that performance we must consider whether the difference actually affects real operation. In fact, most sites still run on "broadband" links such as xDSL or T1 of a few Mbps, or will in the future, and in such an environment even an application gateway will not really affect the usable network performance. In this kind of application environment the firewall's performance should not be the priority. However, when the firewall sits inside the enterprise backbone, between different departments, the enterprise must consider whether the performance sacrificed is acceptable.