Analysis and comparison of three popular firewall configuration schemes

The 21st century is the era of the network economy. The Internet has reached millions of households, and while we enjoy surfing the net we often forget about network security. In fact, danger is everywhere. A firewall is an important protective measure for network security, used to protect networks and systems: it monitors the data passing through it, permits or blocks specific packets, and monitors and records events according to the policy set by the administrator.

The simplest firewall configuration is to place a packet-filtering router or an application gateway directly between the internal and external networks. To achieve better network security, several firewall techniques are sometimes combined into one firewall system. At present, three firewall configuration schemes are popular.

1. Dual-homed gateway

This configuration uses a dual-homed host with two network adapters as the firewall. The dual-homed host connects the two networks through its two adapters and is also known as the bastion host. Firewall software (usually a proxy server) runs on the bastion host, relaying application traffic and providing services. The dual-homed host has a fatal weakness: once an intruder compromises the bastion host and reduces it to a plain router (for example by enabling IP forwarding, which this design requires to be switched off so that only proxied traffic crosses), any external user can reach the protected internal network at will (as shown in Figure 1). A practical check is therefore that packet forwarding stays disabled on the bastion host; on Linux, for instance, the sysctl net.ipv4.ip_forward must read 0.

2. Screened host gateway

The screened host gateway is easy to implement, secure and widely used. It comes in two variants: single-homed and dual-homed. Consider first the single-homed bastion host. A packet-filtering router connects to the external network, and a bastion host is placed on the internal network. The bastion host has only one network card, connected to the internal network (as shown in Figure 2). Filter rules are configured on the router so that this single-homed bastion host is the only machine that can be reached from the Internet, ensuring that the internal network is not attacked by unauthorised external users. Clients on the intranet reach the Internet through the bastion host and the router. Note that because the bastion host and the internal hosts share the same network, the router's filter rules are the only thing preventing traffic from bypassing the bastion.

The dual-homed bastion host differs from the single-homed one in that the bastion host has two cards, one connected to the internal network and the other to the packet-filtering router (as shown in Figure 3). The dual-homed bastion host provides proxy services at the application layer, and since no traffic can pass from the router to the internal network without going through it, it is more secure than the single-homed host.

3. Screened subnet

This method establishes an isolated subnet between the intranet and the Internet and uses two packet-filtering routers to separate the subnet from the intranet and from the Internet respectively. One router sits at each end of the subnet, turning it into a "buffer zone" (as shown in Figure 4); today this arrangement is usually called a DMZ. One of the two routers controls the data flow to and from the intranet, and the other controls the data flow to and from the Internet. Both the intranet and the Internet can reach the screened subnet, but they are prohibited from communicating directly through it. A bastion host can be placed in the screened subnet as needed to provide proxy services for access between the internal and external networks, but access between the two networks must pass the inspection of both packet-filtering routers. Internet-facing servers such as WWW, FTP and mail servers can also be placed in the screened subnet so that both external and internal users can reach them. A firewall with this structure has high security and strong resistance to attack, but it requires a lot of equipment and is therefore expensive.
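To make the rule sets concrete, here is an added example (not code from the original article) that models the packet-filtering router of the screened host gateway from section 2 and the two routers of the screened subnet just described as stateless first-match filters, then checks which flows each design permits. The addresses, host names and port numbers (a proxy on port 3128, a WWW server on port 80) are assumptions chosen for illustration; only the connection-opening packet is modelled, not the replies.

```python
"""Packet-filter model of the screened host gateway (section 2) and the
screened subnet (section 3).

Added example, not code from the original article.  Addresses, host
names and ports are assumptions; the evaluator is a stateless
first-match filter like a classic packet-filtering router, so only the
packet that opens a connection (client -> server) is modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# --- assumed topology ---------------------------------------------------
INTRANET = ip_network("10.0.0.0/8")        # protected internal network
DMZ = ip_network("192.0.2.0/24")           # screened subnet ("buffer zone")
BASTION = ip_network("192.0.2.10/32")      # bastion host running the proxies
WEB = ip_network("192.0.2.20/32")          # public WWW server placed in the DMZ
ANY = ip_network("0.0.0.0/0")

PROXY_PORT = 3128                          # assumed port of the bastion's proxy
HTTP = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Section 2: one router in front of the intranet; the single-homed bastion
# (assumed 10.0.0.5, on the intranet itself) is the only reachable host.
SCREENED_HOST_BASTION = ip_network("10.0.0.5/32")
SCREENED_HOST_ROUTER = [
    Rule("permit", ANY, SCREENED_HOST_BASTION, PROXY_PORT),
    Rule("deny",   ANY, INTRANET),                # nothing else inside is reachable
    Rule("permit", SCREENED_HOST_BASTION, ANY),   # bastion proxies outbound traffic
    Rule("deny",   INTRANET, ANY),                # other hosts cannot bypass the proxy
]

# Section 3: exterior router between the Internet and the DMZ.
EXTERIOR_ROUTER = [
    Rule("permit", ANY, WEB, HTTP),               # public server in the buffer zone
    Rule("deny",   ANY, INTRANET),                # intranet never addressable from outside
    Rule("permit", DMZ, ANY),                     # bastion and servers may talk outward
]

# Section 3: interior router between the DMZ and the intranet.
INTERIOR_ROUTER = [
    Rule("permit", INTRANET, BASTION, PROXY_PORT),  # clients must use the proxy
    Rule("permit", INTRANET, WEB, HTTP),            # internal users reach the WWW server
    Rule("deny",   INTRANET, ANY),                  # no direct path to the Internet
    Rule("deny",   DMZ, INTRANET),                  # a compromised DMZ host gains nothing
]


def zone(ip: str) -> str:
    addr = ip_address(ip)
    if addr in INTRANET:
        return "intranet"
    if addr in DMZ:
        return "dmz"
    return "internet"


def screened_subnet_allows(pkt: Packet) -> bool:
    """A packet must be permitted by every router on its path: Internet<->DMZ
    crosses the exterior router, intranet<->DMZ the interior router, and
    intranet<->Internet has to pass both."""
    zones = {zone(pkt.src), zone(pkt.dst)}
    routers = []
    if "internet" in zones:
        routers.append(EXTERIOR_ROUTER)
    if "intranet" in zones:
        routers.append(INTERIOR_ROUTER)
    return all(evaluate(r, pkt) == "permit" for r in routers)


def screened_host_allows(pkt: Packet) -> bool:
    return evaluate(SCREENED_HOST_ROUTER, pkt) == "permit"


if __name__ == "__main__":
    # constructed flows: an outside client 203.0.113.7, an inside client 10.1.1.1
    for pkt in [Packet("203.0.113.7", "192.0.2.20", HTTP),
                Packet("203.0.113.7", "10.1.1.1", HTTP),
                Packet("10.1.1.1", "192.0.2.10", PROXY_PORT),
                Packet("10.1.1.1", "203.0.113.7", HTTP),
                Packet("192.0.2.20", "10.1.1.1", 22)]:
        print(pkt, "->", "permit" if screened_subnet_allows(pkt) else "deny")
```

The two "deny" rules in the interior router are the ones that implement the sentence "prohibited from communicating directly through it": an intranet client that tries to reach the Internet on its own fails at the interior router even though the exterior router would never see the packet, and a compromised DMZ server cannot turn around and attack the intranet.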

Of course, the firewall itself has limitations: it cannot prevent intrusions that bypass it, a typical firewall cannot stop the transfer of virus-infected software or files, and it does little against attacks from inside. In short, a firewall is only one part of an overall security strategy; a firewall alone is not enough. The security strategy must also include comprehensive security measures, namely network access control, local and remote user authentication, dial-in and dial-out access, disk and data encryption, virus protection and other related security policies. (end)

Copyright © 2011 JIN SHI