Understanding the Firewall

A firewall is a filtering and blocking mechanism established at the boundary between an internal and an external network. It assumes that the internal network is safe and trustworthy and that the external network is not.

The function of a firewall is to prevent unwanted and unauthorized packets from entering or leaving the protected internal network, and to enforce the internal network's security policy through border control. At the network layer, the firewall handles the flow of information across the boundary between the internal and external networks: it determines which source hosts' packets may pass through and which destination addresses are blocked.

At the transport layer, the connection can be encrypted end-to-end, that is, process-to-process.

At the application layer, it can perform user-level identity authentication, logging and account management.

Therefore, firewall technology is, put simply, a security measure that integrates identity authentication, encryption, digital signatures and content inspection. All traffic between the Internet and the internal network passes through the firewall, which analyzes it to ensure that it complies with the security policy set by the site, thereby providing a security barrier between the internal nodes or network and the Internet.

Classification of firewalls

Firewall technology has gone through three stages of development: packet filtering, application proxy gateways and stateful inspection.

1. Packet filtering firewall

A packet filtering firewall generally has a packet inspection module (usually called a packet filter) that filters packets according to a set of static rules: if a packet matches the rules it is forwarded, otherwise it is discarded. The packet filtering firewall operates between the network layer and the transport layer. Advantages: the firewall provides low-level control over every packet entering and leaving the network. Fields of each IP packet are checked, such as source address, destination address, protocol and port. The firewall can identify and discard packets with forged (spoofed) source IP addresses. The packet filtering firewall is the single point of access between the two networks. Packet filtering is usually built into routers, so no additional system is required to provide this feature.

Disadvantages: it cannot guard against hacker attacks, because network management cannot distinguish the boundary between trusted and untrusted networks; it does not support application-layer protocols, because it cannot recognize application-layer protocols within packets, and its access control granularity is too coarse. It cannot handle new security threats.

2. Proxy gateway firewall

The proxy gateway firewall completely blocks direct communication between the Intranet and the Internet. Access from the Intranet to the Internet becomes access from the firewall to the Internet, and the firewall then forwards the result back to the Intranet. All communication must be relayed by application-layer proxy software: the visitor can never establish a direct TCP connection with the server, and the application-layer protocol session must satisfy the proxy's security policy. Advantages: it can inspect protocol characteristics at the application, transport and network layers, and has strong packet inspection capability. Disadvantages: (1) difficult to configure and understand; (2) very slow processing.

3. Stateful inspection firewall

The stateful firewall combines the security of the proxy firewall with the high speed of the packet filtering firewall, improving on the proxy firewall's performance by 10 times without losing security.

It abandons the weakness of the packet filtering firewall, which inspects only a few parameters such as the packet's IP addresses and ignores changes in the connection state. It establishes a state connection table in the core of the firewall, treats the data entering and leaving the network as a session, and uses the state table to track the state of each session. Stateful inspection checks each packet not only against the rule table but also against whether the packet matches the state of its session, thereby providing complete control over the transport layer.

The stateful firewall improves not only security defenses but also traffic processing speed. Because it adopts a series of optimization techniques, firewall performance is greatly improved, and it can be applied in all kinds of network environments, especially large networks with complex rules.
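The contrast drawn above between the packet filtering firewall (static rules over address, protocol and port) and the stateful firewall (a state table that ties each packet to a session) can be made concrete in a small simulation. The following is an added example, not code from the article or any firewall product; the Packet layout, rule tuples and the 10.0.0.0/8 Intranet range are constructed for illustration. It shows why a stateless filter that lets HTTPS out must also let all inbound TCP in, while the stateful filter admits only replies to sessions it has already recorded.

```python
# Added example (not from the article): a toy stateless packet filter beside a toy stateful one; rule and packet formats are invented.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # constructed: the protected Intranet range

@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    sport: int    # source port
    dport: int    # destination port
    iface: str    # "in" = arriving from the Internet, "out" = leaving the Intranet

def anti_spoof(pkt: Packet) -> bool:
    """A packet from the Internet claiming an internal source address is forged."""
    return not (pkt.iface == "in" and ip_address(pkt.src) in INSIDE)

# Stateless rule table: (iface, proto, dport or None for any, action).
# First match wins; anything unmatched is dropped.
STATELESS_RULES = [
    ("out", "tcp", 443, "accept"),   # Intranet hosts may open HTTPS connections
    ("in", "tcp", None, "accept"),   # ...and the replies must get back in somehow:
]                                    # without state, every inbound TCP is accepted

def stateless_filter(pkt: Packet) -> str:
    if not anti_spoof(pkt):
        return "drop"
    for iface, proto, dport, action in STATELESS_RULES:
        if (iface, proto) == (pkt.iface, pkt.proto) and dport in (None, pkt.dport):
            return action
    return "drop"

class StatefulFilter:
    """Tracks sessions in a state table. An inbound packet is accepted only if it
    is the reverse direction of a session that an outbound rule already allowed."""
    def __init__(self) -> None:
        self.state = set()  # entries: (client, cport, server, sport, proto)

    def filter(self, pkt: Packet) -> str:
        if not anti_spoof(pkt):
            return "drop"
        if pkt.iface == "out":
            if (pkt.proto, pkt.dport) == ("tcp", 443):  # rule table: outbound HTTPS only
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return "accept"
            return "drop"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "accept" if reverse in self.state else "drop"
```

Feed an outbound HTTPS request, its reply, an unsolicited inbound connection and a spoofed inbound packet through both filters: the stateless filter accepts the unsolicited connection, the stateful one drops it, and both drop the spoofed packet.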

Typical firewall architectures

1. Packet filtering router

The Ethernet is connected to the Internet through a packet filtering router. When the Internet accesses the Intranet, traffic is filtered by the packet filtering firewall. The whole process is based on a set of static filtering rules.

2. Dual-homed host

A dual-homed host is also called a bastion host. It has at least two network interfaces and completely isolates direct communication between the Intranet and the extranet. Both the internal and external networks can communicate with the dual-homed host. Furthermore, the bastion host does not forward TCP/IP packets; all services on the network must be supported by the host's corresponding proxy. However, once the dual-homed host is compromised the Intranet is no longer secure, so the routing function at the network layer should be disabled.

3. Screened host gateway

The bastion host belongs to the Intranet. When the extranet wants to access the Intranet, the packet filtering router first filters the packet and passes it to the bastion host, which then forwards it to hosts on the Intranet. The routing table of the packet filtering router must be strictly protected; once it is broken, packets are difficult to forward to the bastion host.

4. Screened subnet

The green area in the figure is called the DMZ, the demilitarized zone. This is probably the most secure structure available: an intruder must breach three different devices, the external router, the bastion host and the internal router. The internal router can forward packets directly to the internal network, eliminating the need for a dual-homed host, and it can support higher packet throughput than a dual-homed host when acting as the last line of defense against external access to the internal network. Because the DMZ is a different network from the Intranet, NAT can be deployed directly in the DMZ, so the Intranet does not need to be re-subnetted or re-addressed.