Ames Internet Security Systems (China) Co., Ltd. Hong-Tao Xu
With the rapid worldwide development of information technology, of which the Internet is the leading example, network security has become an important issue affecting network performance. As the primary means of keeping out intruders, the network firewall has become essential equipment for network security. There are many firewall products on the market today, so how should a business choose one that fits its needs and delivers the most security value? Here I think mainly the following aspects should be considered.
First of all, as a security device, the firewall is itself a sensitive product. The firewall product we choose must therefore have certification and sales approval from the relevant national authorities, including sales licensing from Public Security and the Ministry of Information Industry, and certification by the national evaluation center.
Second, because the firewall is a network device, performance is the first thing to consider. If the firewall's impact on existing network bandwidth is too large, the original investment is largely wasted. Firewalls have by now basically completed the move from software to hardware, and their algorithms have been greatly optimized, so some firewalls have little effect on the performance of the original network. For the user, the way to judge a firewall's performance is to look at results published by authoritative evaluation bodies or media. These results are based on the international standard RFC 2544 and include network throughput, packet loss rate, delay, number of connections, and so on, of which throughput is the top priority. In addition, adding a firewall should not disrupt the organization's existing services. If you run special services such as video conferencing or IP telephony, you have to be careful and make sure the firewall you select supports those protocols.
Functionality is now the part of a firewall that users value most. Firewall technology has progressed rapidly and products now offer all sorts of features, which makes the choice harder for users. Personally, I think that because the firewall is a security device, security, especially defending against attacks and withstanding them, should still be the top priority. The granularity and strength of access control are also important; most manufacturers now use packet filtering based on stateful inspection. Other additional features can be chosen according to actual needs. For example, an organization whose hosts are not fixed may need authentication; reasonable control of network resources may call for bandwidth management; an organization divided into a headquarters and divisions may need VPN communication; and a shortage of internal IP addresses may call for address translation, and so on.
The firewall itself is only a single product, and relying on a firewall alone to implement network security is not realistic. Security policy remains the major issue in achieving network security: a secure firewall configured with an insecure policy gives an insecure result. A sound policy also covers the network's other security equipment, and even how that equipment and the firewall work together. Buying a firewall should therefore not be understood as simply buying a product; it should be seen as buying a set of security services, and the manufacturer's technical and professional strength is not to be neglected.
These are the issues I believe deserve attention when buying a firewall product. I hope these suggestions help users protect their networks better without disrupting the work the network carries.
Contributing writer Noah
Firewall prices on the market vary widely. Because business users need different degrees of security, the products that manufacturers promote also differ. Generally speaking, though, a firewall should be able to do the following things:
1, support a design policy of "deny everything unless expressly permitted".
2, support the site's security policy itself, rather than adding one of its own.
3, support the addition of new services.
4, allow new, advanced authentication methods to be installed.
5, where necessary, use filtering techniques to permit or deny services.
6, be able to use a variety of service proxies, so that new authentication methods can be installed and run on the firewall.
7, have a friendly interface and an easy-to-program IP filtering language that filters packets by their properties, including source and destination address, protocol type, source and destination port, the TCP ACK bit, and the outbound and inbound network interfaces.
When choosing a firewall, do not give too much weight to its grade. Speed accounts for a large share of how firewalls are graded, but a small or medium-sized enterprise's connection to the Internet is not fast, so most firewalls can fully meet such a site's needs. When buying a firewall, pay more attention to the following factors:
1, the firewall's own security
2, the stability of the firewall
The best way is to find out from professionals or evaluation agencies whether the firewall is as stable as its marketing says.
3, the performance of the firewall
A firewall should not only protect the security of the internal network behind it well, but should also have good overall performance. Faster is not necessarily better: some small local area networks have an outbound rate of less than 1M/s, and for them a 100M/s firewall is redundant.
4, ease of configuration
A good firewall should be powerful yet very easy to configure. When buying a firewall, be sure to check whether its configuration is easy to master; otherwise a complex configuration will be a nightmare for the network administrator.
5, filtering by user identity
This has two advantages. First, a user can pick any machine and log on to the firewall, and the firewall can then filter according to that user's privileges. Second, a user who is traveling can log back in to his or her own server inside the company; where there is no means of encryption or encryption costs are high, this is more practical.
6, scalability, and scalability
7, useful logs
Firewall logs are critical to the network administrator. They should be readable, and the firewall should be able to condense its logs so that administrators can quickly retrieve useful information from them.
8, anti-virus functions
Most firewalls can provide anti-virus functions by working together with anti-virus software.
In addition, the question of testing the firewall has to be mentioned. Testing is not only necessary when the firewall has just been bought. In general, the firewall should be tested in three situations: after installation, to check that it works normally; after a major change in the network, to check its performance; and periodically, to ensure that it keeps working. In some small and medium-sized enterprises the network environment changes little and is relatively stable, so periodic testing of the firewall is often overlooked. But this is very dangerous. For example, the firewall is sometimes changed to grant temporary access, and the effect of that change on the whole security system is overlooked. Testing cannot guarantee that the firewall has no weaknesses, but its purpose is at least to confirm that the walls will not collapse, the gate has been properly closed, and the moat has been filled with water.
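The default-deny policy of item 1, the filtering properties of item 7 and the periodic test described above can be shown together. This is an added example, not part of the original article: a small first-match packet filter and a probe set that is re-run after every rule change. The addresses, interface names, rules and probes are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:                 # header fields the filter language can test
    in_if: str
    out_if: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False         # TCP ACK bit

@dataclass(frozen=True)
class Rule:                   # "*" and 0 mean "any"
    action: str
    in_if: str = "*"
    out_if: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: int = 0
    dport: int = 0
    ack_only: bool = False    # match only segments that carry ACK (replies)

def matches(r, p):
    return (r.in_if in ("*", p.in_if) and r.out_if in ("*", p.out_if)
            and r.proto in ("*", p.proto) and (p.ack or not r.ack_only)
            and r.sport in (0, p.sport) and r.dport in (0, p.dport)
            and ip_address(p.src) in ip_network(r.src)
            and ip_address(p.dst) in ip_network(r.dst))

def verdict(rules, p):        # first match wins; no match means deny
    return next((r.action for r in rules if matches(r, p)), "deny")
def failed_probes(rules, probes):   # probes whose verdict is not the expected one
    return [(p, want) for p, want in probes if verdict(rules, p) != want]

BASELINE = [                  # constructed: LAN browses out, ACK replies return
    Rule("allow", "lan", "wan", "tcp", src="192.168.1.0/24", dport=80),
    Rule("allow", "wan", "lan", "tcp", dst="192.168.1.0/24", sport=80, ack_only=True),
]
PROBES = [                    # constructed packets with the verdict policy expects
    (Packet("lan", "wan", "tcp", "192.168.1.20", "203.0.113.5", 40000, 80), "allow"),
    (Packet("wan", "lan", "tcp", "203.0.113.5", "192.168.1.20", 80, 40000, True), "allow"),
    (Packet("wan", "lan", "tcp", "203.0.113.5", "192.168.1.20", 80, 40000), "deny"),
    (Packet("wan", "lan", "tcp", "203.0.113.9", "192.168.1.10", 40001, 3389), "deny"),
]
TEMPORARY = Rule("allow", "wan", "lan", "tcp", dst="192.168.1.10", dport=3389)  # constructed
```

`failed_probes(BASELINE, PROBES)` is empty, while `failed_probes(BASELINE + [TEMPORARY], PROBES)` returns the port 3389 probe, which is how a forgotten temporary rule shows up in a periodic test. Matching on the ACK bit is the stateless technique item 7 refers to; a stateful filter tracks connections instead.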
Eastern Longma Information Industry Co., Ltd. Yang Qinghua
When buying a firewall, we should first know the basic properties of a firewall. In general it should have the following properties:
1, The firewall should faithfully support the organization's security policy and be flexible enough to accommodate new services and the changes to the security policy that the organization requires.
2, Besides containing advanced authentication measures, the firewall should use as many advanced technologies as possible, such as packet filtering, encryption, and trusted information technology: for example identification and authentication, confidentiality protection of information, integrity verification of information, system access control mechanisms, and authorization management.
3, The firewall's filtering language should be flexible and user-friendly to program, and should filter on as many properties as possible, such as source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound interface.
4, The firewall should include centralized SMTP access to simplify SMTP connections between local and remote systems and to centralize local e-mail handling; it should also be able to centralize and filter dial-up access.
5, If the firewall requires an operating system such as Unix, a secured version of that system should be part of the firewall, together with other security tools, to ensure the integrity of the firewall host, and the whole system should be installable. The firewall and its operating system should be updatable, and system problems should be solvable by simple methods.
The properties mentioned above are only some of the basic, common ones, and they cannot all be concentrated in one or a few firewall products. You therefore need to choose a firewall product according to your own needs.
Before choosing a firewall, a security policy should be carefully developed; that is, a careful plan should be drawn up.
A security policy specifies who or what is allowed to connect to whom or what; a plan might, for example, provide that only directors, senior executives and research and development team members may access the research and development local area network. In other words, network managers, network experts and policy makers should consider in advance where on the network the firewall should be placed to meet the needs of the company or organization, and determine the acceptable level of risk for the firewall they wish to purchase.
In short, the plan for buying a firewall must be realistic and must consider whether the firewall can meet the required level of network security. Network security must be considered and must be met, but ideal, 100% secure technology does not exist and is difficult to achieve. The objective should therefore be to reduce risk to an acceptable level at the lowest cost.
Once practicality and security are satisfied, economy must also be considered; this is a practical problem encountered when buying any equipment.
All users want to buy affordable products, that is, products with a high performance-to-price ratio. It is very important to quantify every proposed solution in terms of the purchase cost or the funds needed to implement the firewall. Some firewall products cost nothing or very little, while others cost a million or more. Specifically, besides the sale price of the firewall, its management costs, maintenance costs and consumable costs should also be considered. Economically strong companies or large organizations generally put meeting their needs first and cost second, and also take the cost of replacing the product into account. Ordinary government offices and schools, because of their general economic conditions, give product price an important place, are willing only to buy urgently needed products with the funds currently available, and give little consideration to future network expansion and updating.
Users who want to buy a firewall product should investigate and study the major firewall vendors and their products.
Firewall products from large companies and manufacturers generally have a certain appeal to users, because these vendors have strong technical and economic strength and their technical support and after-sales service are reliable. This is what buying brand-name products means; do not be tempted by fake and shoddy products, however low the price, or you will be deceived.