Sweep Away the Fog Around the Firewall: A Firewall Buying Guide



As the main security equipment protecting the network, the firewall has matured gradually over years of development. Even so, users still need to keep their eyes open when buying one.

A firewall is an access control device deployed at the boundary between the internal and external network. It prevents unauthorized access to the protected internal network's communications by enforcing the network security policy through strengthened border control. Firewalls fall into three types: simple packet-filtering firewalls, stateful (dynamic) inspection firewalls, and application-proxy firewalls.

Additional features

What a firewall controls is network data: it inspects traffic against the layer 2 to layer 7 policy the user has defined and, according to the result, accepts, discards, or rate-limits it. Although a firewall can in fact take over some functions of routers and switches, putting too much emphasis on these features is a losing trade.

Since the firewall is introduced into the network as a device, it must provide the corresponding support: manageability, adaptability to the environment, interoperability with switches and routers, and sufficient throughput with acceptable latency so that the firewall does not become a network bottleneck. These are in fact additional requirements on the firewall; although necessary, they bring no added value to the user, so the overall requirement is simply "whatever fits best."

Although firewall technology has developed over a long period and is relatively mature, new concepts and new technologies keep emerging. So how should a firewall really be evaluated? It requires in-depth analysis from the user's point of view across three aspects: functionality and performance, management, and stability.

Functionality and performance cannot be "two separate skins"

Functionality and performance have always been the main focus of users' firewall evaluation; performance in particular, because it can be quantified, is the focus of comparison. Yet thoroughly understanding these two issues is not easy.

To meet the needs of users' complex environments, and to have "selling points", firewalls now generally carry a great many features. Looked at individually these features pose no problem: hot-standby has been tested, H.323 support has passed dynamic application tests. But in a real environment we may need to run H.323 video conferencing under hot-standby conditions and require the video to continue without interruption through a failover, and that combination may make the firewall hang. It is precisely such combinations of features that users really need. In addition, functionality and performance are usually evaluated independently: testing is split into a functional part and a performance part, where functional testing asks only whether a single feature works and performance testing measures only simple layer 2 or layer 3 forwarding. The result is that functionality and performance become "two separate skins" that cannot truly reflect the firewall's capability: it tests at high performance, yet many features cannot be used, and in actual use, once the commonly used features are switched on, performance drops very low. Therefore performance and functionality must be assessed together to evaluate a firewall realistically. The specific aspects to evaluate are as follows:

● Layer 2 to layer 7 access control, in particular deep application-layer filtering. This function should work in any combination with address mapping, port mapping, VLAN trunk support, user authentication, dynamic packet filtering, traffic control and other functions.

● Security features, with emphasis on anti-SYN-flood. Among the attacks "hackers" currently use, the most common and most effective is DDoS (distributed denial of service), whose result is that a server can no longer serve its clients. As the single chokepoint of the network, the firewall must guarantee the security of the protected network, so the study of its security features should focus on whether, while it keeps filtering legitimate access normally, it can effectively counter attacks both with forged source addresses and from real source addresses, and shield the server from the impact. This function should work at the same time as, or in any combination with, address mapping, port mapping, VLAN trunk support, user authentication, dynamic packet filtering and traffic control.

● Practical performance. Performance tests typically cover six main items: throughput, latency, packet loss rate, back-to-back frames, number of concurrent connections, and new connection rate. Practical performance examines the firewall's performance under conditions close to the user's actual use.

● New connection rate. Network applications are volatile, and the number of visits differs greatly at different times; a firewall must be able to adapt to this, and the corresponding indicator is the new connection rate. Given the complexity of users' networks and applications, the new connection rate should also be tested with frequently used functions turned on, such as packet filtering, content filtering and anti-attack.
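To make the anti-SYN-flood criterion and the connection-rate criteria above concrete, here is a small added example (not code from the original article or any vendor): a toy stateful connection tracker that replays a constructed packet trace, enforces one simple mitigation (a per-destination limit on half-open connections, with a timeout so that aged-out entries cannot lock legitimate clients out), and at the same time reports two of the counters the guide lists, peak concurrent connections and new connections per second. The record format, the 10.0.0.x and 203.0.113.x addresses, the limit and timeout values, and the class and function names are all assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed packet trace (client-side TCP segments only): (time_s, src, dst, dport, flags).
# 10.0.0.x are legitimate clients that complete the handshake; 203.0.113.x are a
# simulated SYN flood from spoofed addresses that never send the final ACK.
TRACE = [
    (0.0, "10.0.0.5",    "192.0.2.10", 80, "S"),
    (0.1, "10.0.0.5",    "192.0.2.10", 80, "A"),
    (1.0, "203.0.113.1", "192.0.2.10", 80, "S"),
    (1.1, "203.0.113.2", "192.0.2.10", 80, "S"),
    (1.2, "203.0.113.3", "192.0.2.10", 80, "S"),
    (1.3, "203.0.113.4", "192.0.2.10", 80, "S"),
    (1.4, "203.0.113.5", "192.0.2.10", 80, "S"),
    (1.5, "203.0.113.6", "192.0.2.10", 80, "S"),
    (3.0, "10.0.0.6",    "192.0.2.10", 80, "S"),
    (3.1, "10.0.0.6",    "192.0.2.10", 80, "A"),
    (4.0, "10.0.0.5",    "192.0.2.10", 80, "F"),
]

HALF_OPEN_LIMIT = 3      # max half-open connections per destination host:port (assumed value)
HALF_OPEN_TIMEOUT = 1.0  # seconds a half-open entry may wait for its ACK (assumed value)


class ConnTracker:
    """Minimal stateful connection table with a per-destination half-open limit."""

    def __init__(self, half_open_limit=HALF_OPEN_LIMIT, half_open_timeout=HALF_OPEN_TIMEOUT):
        self.limit = half_open_limit
        self.timeout = half_open_timeout
        self.table = {}                      # (src, dst, dport) -> {"state": str, "since": float}
        self.accepted_syn = 0
        self.dropped_syn = 0
        self.expired_half_open = 0
        self.peak_concurrent = 0             # half-open + established entries at the busiest moment
        self.new_per_sec = defaultdict(int)  # whole second -> accepted new connections

    def _expire(self, now):
        # Half-open entries that never received their ACK are aged out so that a
        # flood cannot permanently fill the table and lock out legitimate clients.
        stale = [k for k, v in self.table.items()
                 if v["state"] == "half-open" and now - v["since"] > self.timeout]
        for k in stale:
            del self.table[k]
        self.expired_half_open += len(stale)

    def _half_open_for(self, dst, dport):
        return sum(1 for (_, d, p), v in self.table.items()
                   if (d, p) == (dst, dport) and v["state"] == "half-open")

    def process(self, t, src, dst, dport, flags):
        """Apply one packet to the table; return 'pass' or 'drop'."""
        self._expire(t)
        key = (src, dst, dport)
        if flags == "S":
            # A retransmitted SYN for a known flow is allowed; only new flows count
            # against the destination's half-open budget.
            if key not in self.table and self._half_open_for(dst, dport) >= self.limit:
                self.dropped_syn += 1
                return "drop"
            self.table[key] = {"state": "half-open", "since": t}
            self.accepted_syn += 1
            self.new_per_sec[int(t)] += 1
        elif flags == "A" and key in self.table:
            self.table[key]["state"] = "established"
        elif flags in ("F", "R"):
            self.table.pop(key, None)
        self.peak_concurrent = max(self.peak_concurrent, len(self.table))
        return "pass"

    def report(self):
        return {
            "accepted_syn": self.accepted_syn,
            "dropped_syn": self.dropped_syn,
            "expired_half_open": self.expired_half_open,
            "peak_concurrent": self.peak_concurrent,
            "max_new_conn_rate": max(self.new_per_sec.values(), default=0),
            "open_connections": len(self.table),
            "syn_flood_suspected": self.dropped_syn > 0,
        }


def run_trace(trace=TRACE):
    """Replay a trace through a fresh tracker; return (report, per-packet decisions)."""
    tracker = ConnTracker()
    decisions = [tracker.process(*pkt) for pkt in trace]
    return tracker.report(), decisions


if __name__ == "__main__":
    summary, verdicts = run_trace()
    for pkt, verdict in zip(TRACE, verdicts):
        print(f"{pkt[0]:4.1f}s {pkt[1]:>13} -> {pkt[2]}:{pkt[3]} {pkt[4]:<2} {verdict}")
    print(summary)
```

On the constructed trace the first three flood SYNs fill the destination's half-open budget, the next three are dropped, and the legitimate client at 3.0 s still gets through because the stale half-open entries have been aged out by then. The same replay shows why the guide insists on measuring new connection rate with protective features switched on: the per-second counter and the peak of the connection table are produced by the very code path that enforces the limit, so the two cannot be measured in isolation.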

Management is key

For a user to run a firewall system securely, a secure firewall policy must be implemented, which places higher demands on the people who actually operate the firewall. Firewalls differ in how they are managed, and where management is not easy, the administrator may misconfigure the firewall and create security problems in the network. Not every network administrator can be required to be a network security expert, so the management of network security needs to be considered. Apart from rights management and communication encryption, attention should focus on two areas: convenience of single-device management and centralized management.

For convenience of single-device management, the firewall should provide a variety of management methods for the administrator to use on different occasions, for example: a serial command line for higher-level overall management by the firewall administrator; SSH for remote maintenance and management; a Web interface for remote configuration; and a GUI for remote configuration and monitoring. Of these, the Web method needs no client software installed and is more convenient and flexible; the GUI is more trouble to install but is highly flexible.

In addition, for the firewall's large customers and industry customers, management costs can be very high, so whether the firewall supports centralized management is also important, including centralized customization and distribution of security policies, centralized log management and analysis, management of cascaded devices, and real-time monitoring. Among these, centralized policy management is the most important, because it must guarantee a consistent security strategy across the enterprise.

A comprehensive look at stability

Once a firewall cascaded into the network fails, it causes a network outage, so stability is an important index in firewall evaluation. For various reasons, some systems are pushed to market before they have taken their final shape or been through large-scale rigorous testing, and their stability can be imagined. But stability is difficult to test directly. In general, a system that has proven itself over time offers some assurance of stability, whereas a new software or hardware system still needs continuous improvement in the field. Users can judge by authoritative certification bodies, on-site investigation, trials, the vendor's strength, and many other aspects.