
"Computer Knowledge": What are the technical classifications and basic principles of firewalls?


Today I will introduce the classification and basic principles of firewall technology. Let's take a look!


A firewall is a combination of components installed between different networks (for example, a trusted intranet and an untrusted public network) or between network security domains. It is the only entry and exit point for information passing between those networks or security domains. By monitoring, restricting and, where necessary, modifying the flow of data through it, a firewall shields the information, structure and operational state of the internal network from the outside world as far as possible. It selectively accepts external access, strengthens internal control of devices, controls access to servers and external networks, and establishes a barrier between the secure network and external networks to prevent unpredictable and potentially destructive intrusions. There are two types of firewalls, hardware firewalls and software firewalls, and both can protect a network and screen out intruders.

Classification of firewall technologies

Firewall technology has gone through three phases: packet filtering, application gateway proxy, and stateful inspection.

Packet filtering is a simple and effective security control technology. Rules configured on a connecting device (such as a router) inspect every data packet passing through it against attributes such as the source address, destination address and TCP port number, and allow or deny the packet accordingly, thereby restricting what enters and leaves the internal network. The biggest advantage of packet filtering is that it is transparent to users and has high throughput. However, because security control is performed at the network layer and transport layer, the strength of that control is limited to what the source address, destination address and port number can express, so only preliminary security control is possible; against higher-level attack methods such as memory overwrite attacks or viruses it is helpless.

Stateful inspection is a more effective method of security control than packet filtering. When a new connection to an application is detected, the predefined security rules are checked; a connection that matches the rules is allowed to pass, and its connection information is stored in memory to create a state table. Subsequent data packets belonging to that connection may pass if they match the state table. The advantage of this method is that the rules do not need to be checked for every data packet: subsequent packets of the connection (usually the large majority) are matched directly against the state table by a hashing algorithm, so performance is greatly improved. In addition, because the state table is dynamic, ports above 1024 can be opened selectively and dynamically, so security is further enhanced.

1. Packet filtering technology

Packet filtering firewalls are typically installed on routers and filter on user-defined attributes such as IP addresses. A packet filtering firewall works as follows: the system checks data packets at the network layer, independently of the application layer, so it has good transmission performance and high scalability. However, the security of a packet filtering firewall has definite drawbacks: because the system does not understand application layer information, that is, the firewall does not understand the content of the message, it can be circumvented by attackers.

A packet filtering firewall works at the network layer and can identify and control the source and destination IP addresses of a data packet. At the transport layer, it can only determine whether the data packet is TCP or UDP and which ports are used. Current routers, switch routers and some operating systems already support control by packet filtering.

Because only the IP addresses, the TCP/UDP protocol and the data packet's ports are parsed, a packet filtering firewall processes packets relatively quickly and is easy to configure.

Packet filtering firewalls have fundamental drawbacks:

Cannot prevent hacker attacks. The operation of a packet filtering firewall is based on the assumption that the network administrator knows which IP addresses belong to trusted networks and which to untrusted ones. However, with the advent of new applications such as remote work, network management can no longer cleanly distinguish trusted from untrusted networks, and it is enough for an attacker to change the source address of an IP packet to a legitimate address to pass through the packet filtering firewall and enter the intranet; even a low-level attacker can spoof IP addresses.

Does not support application layer protocols. Suppose the intranet policy is that employees may only browse web pages on the extranet (using the HTTP protocol) and may not download movies from the extranet (usually using the FTP protocol). A packet filtering firewall is powerless here because it does not understand the application layer protocol carried in the data packet, so the granularity of its access control is too coarse.

Unable to deal with new security threats. It cannot keep track of TCP state, so control at the TCP level is vulnerable. For example, when it is configured to allow only inside-out TCP access, some attacks on the internal network from the outside, sent in the form of TCP response packets, can still get through the firewall.

It can be seen from the above that firewall technology in the packet filtering era was too simple: it is like a security guard who decides whether to let a visitor in based only on which province or city the visitor comes from. It is difficult for such a firewall to fulfil the responsibility of protecting intranet security.
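As an added illustration (not code from the article), here is a minimal stateless packet filter in Python that decides each packet on its own header fields, exactly as the packet filtering described above does. The rules, interface names, addresses and packets are all constructed for the example. The anti-spoofing rule keyed on the ingress interface is a mitigation for the first drawback, the FTP case shows that the filter can only distinguish applications by port number, and the final case shows the third drawback: a packet that merely carries the ACK flag is accepted as "return traffic" because a stateless filter has no connection table to check it against.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample types for the example; not the article's own code.
@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "lan" or "wan"
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag: the only hint of "state" a stateless filter sees


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    iface: Optional[str] = None    # None matches any interface
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[range] = None  # None matches any destination port
    ack: Optional[bool] = None     # None ignores the ACK flag

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.iface is None or self.iface == pkt.iface)
            and ip_address(pkt.src) in ip_network(self.src)
            and ip_address(pkt.dst) in ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or pkt.dport in self.dport)
            and (self.ack is None or self.ack == pkt.ack)
        )


def filter_packet(rules, pkt: Packet, default: str = "deny") -> str:
    """Stateless first-match evaluation: every packet is judged in isolation."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


INTRANET = "10.0.0.0/8"
RULES = [
    # anti-spoofing: an intranet source address must never arrive on the WAN side
    Rule("deny", iface="wan", src=INTRANET),
    # intranet hosts may open outbound web connections
    Rule("allow", iface="lan", src=INTRANET, proto="tcp", dport=range(80, 81)),
    Rule("allow", iface="lan", src=INTRANET, proto="tcp", dport=range(443, 444)),
    # return traffic: without a state table, the filter can only guess from the
    # ACK flag that a packet to a high port belongs to an existing connection
    Rule("allow", iface="wan", dst=INTRANET, proto="tcp",
         dport=range(1024, 65536), ack=True),
]


def demo() -> dict:
    """Run constructed packets through the rule set; returns {case: verdict}."""
    cases = {
        "outbound web": Packet("lan", "10.1.2.3", "203.0.113.10", "tcp", 40000, 80),
        "web reply": Packet("wan", "203.0.113.10", "10.1.2.3", "tcp", 80, 40000, ack=True),
        "outbound ftp": Packet("lan", "10.1.2.3", "203.0.113.10", "tcp", 40001, 21),
        "spoofed intranet source on wan": Packet("wan", "10.9.9.9", "10.1.2.3", "tcp", 5000, 80),
        # third drawback: an unsolicited packet that only looks like a TCP response
        "unsolicited ack from outside": Packet("wan", "198.51.100.7", "10.1.2.3", "tcp", 6000, 40000, ack=True),
    }
    return {name: filter_packet(RULES, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} -> {verdict}")
```

The last case is the one to watch: the filter has no way to know that no intranet host ever sent a SYN to 198.51.100.7, so the ACK-flag rule lets the packet in. Closing that hole is exactly what the state table of the stateful inspection firewall described later provides.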

2. Application Gateway Firewall

An application gateway firewall inspects all application-layer information in packets and uses the verified content in its decision making, thereby improving network security. However, application gateway firewalls are implemented by breaking the client/server model. Each client/server interaction requires two connections: one from the client to the firewall and one from the firewall to the server. In addition, each proxy requires a separate application process or service program running in the background, and a service program must be added for each new application, otherwise that service cannot be used. The disadvantage of the application gateway firewall is therefore poor scalability.

An application gateway firewall completely cuts off direct communication between the internal and external networks. An internal user's access to the external network becomes the firewall's access to the external network, and the firewall then relays the result back to the internal user. All communication must go through the application layer proxy; a visitor can never establish a direct TCP connection to the server, and the application layer protocol session must comply with the proxy server's security policy.

The advantage of the application gateway proxy is that it can check the characteristics of application layer, transport layer and network layer protocols, and so has relatively strong data packet inspection capabilities.
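To make the two-connection model and the per-application proxy agents concrete, here is an added Python simulation; it is not code from the article, and it replaces real sockets with in-process callables standing in for the servers the proxy can reach. The HTTP and FTP agents, the policy they enforce (web browsing allowed, FTP downloads and HTTP uploads refused), the port-to-agent table and the server addresses are all constructed for the example. The client's connection ends at the gateway, its request is parsed and validated at the application layer, and only a reconstructed request travels over the gateway's own connection to the server. The last case shows the scalability drawback the text mentions: a protocol with no agent cannot be relayed at all.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed in-process simulation of an application gateway; no real sockets,
# and not the article's own code. Servers are stand-in callables.
Upstream = Callable[[bytes], bytes]


class PolicyViolation(Exception):
    """Raised by a proxy agent when the parsed request breaks its policy."""


def http_agent(payload: bytes) -> bytes:
    """HTTP agent: parse the request line, permit only GET/HEAD, and rebuild the
    request from the parsed fields so the server never sees raw client bytes
    (only the request line and Host header are relayed in this simplified agent)."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.fullmatch(rb"([A-Z]+) (\S+) HTTP/1\.[01]", lines[0])
    if not m:
        raise PolicyViolation("malformed HTTP request line")
    method, target = m.group(1), m.group(2)
    if method not in (b"GET", b"HEAD"):
        raise PolicyViolation(f"HTTP method {method.decode()} not permitted")
    if not target.startswith(b"/"):
        raise PolicyViolation("only origin-form request targets are relayed")
    host_headers = [h for h in lines[1:] if h.lower().startswith(b"host:")]
    return b"\r\n".join([lines[0], *host_headers, b"", b""])


def ftp_agent(payload: bytes) -> bytes:
    """FTP control-channel agent: directory browsing is fine, file transfer is not."""
    cmd = payload.strip().split(b" ", 1)[0].upper()
    if cmd in (b"RETR", b"STOR"):
        raise PolicyViolation(f"FTP {cmd.decode()} not permitted by policy")
    if cmd not in (b"USER", b"PASS", b"PWD", b"CWD", b"LIST", b"QUIT"):
        raise PolicyViolation(f"unknown FTP command {cmd.decode(errors='replace')}")
    return payload


# one agent per application protocol, keyed by server port; anything else has no agent
AGENTS: Dict[int, Callable[[bytes], bytes]] = {80: http_agent, 21: ftp_agent}


class ApplicationGateway:
    def __init__(self, servers: Dict[Tuple[str, int], Upstream]):
        self.servers = servers   # the external servers the proxy itself can connect to

    def handle(self, client_request: bytes, host: str, port: int) -> Tuple[str, bytes]:
        """Connection 1 (client -> proxy) terminates here. Connection 2 (proxy ->
        server) is opened only after the application-layer request passed its agent."""
        agent = AGENTS.get(port)
        if agent is None:
            return "rejected", b"no proxy agent for this application"
        try:
            sanitized = agent(client_request)
        except PolicyViolation as exc:
            return "rejected", str(exc).encode()
        upstream = self.servers.get((host, port))
        if upstream is None:
            return "error", b"upstream unreachable"
        return "relayed", upstream(sanitized)   # proxy's own connection to the server


def fake_web_server(request: bytes) -> bytes:
    return b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"


def fake_ftp_server(request: bytes) -> bytes:
    return b"150 Here comes the directory listing."


def demo() -> Dict[str, str]:
    """Constructed requests through the gateway; returns {case: outcome}."""
    gw = ApplicationGateway({("203.0.113.10", 80): fake_web_server,
                             ("203.0.113.20", 21): fake_ftp_server})
    cases = {
        "web page":     (b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n", "203.0.113.10", 80),
        "ftp listing":  (b"LIST\r\n", "203.0.113.20", 21),
        "ftp download": (b"RETR movie.mp4\r\n", "203.0.113.20", 21),
        "http upload":  (b"POST /upload HTTP/1.1\r\nHost: www.example\r\n\r\n", "203.0.113.10", 80),
        "new protocol": (b"\x00\x01hello", "203.0.113.30", 5555),
    }
    return {name: gw.handle(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

Note the contrast with the packet filter: the FTP download and the directory listing use the same port and the same TCP connection, so only an agent that parses the FTP commands can tell them apart.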

The disadvantages are also very noticeable, mainly:

Difficult to configure. Because each application requires a separate proxy process, the network administrator must understand the weaknesses of each application's protocol and set security policies judiciously; a misconfigured policy ultimately affects the security of the internal network.

Processing is very slow. Terminating all connections and having the firewall re-establish them could in theory make an application proxy firewall extremely secure. However, this is not feasible in practice, because for each intranet web access request the application proxy must open a separate proxy process; web servers, database servers, file servers, mail servers and intranet business applications must each be protected, so service proxies have to be set up one by one to handle client access requests. The processing delay of the application proxy therefore becomes very large, and normal web access by intranet users cannot be served in time.

In short, application proxy firewalls cannot support large-scale concurrent connections, and using such firewalls in speed-sensitive industries is a disaster. In addition, the firewall core requires pre-built proxies for well-known applications, so some emerging applications are simply blocked by a proxy firewall, which cannot support new applications well.

With new applications, new technologies and new protocols emerging one after another in the IT industry, it is difficult for proxy firewalls to keep up. Therefore, in some important areas and core business applications, proxy firewalls are being phased out.

However, the advent of adaptive proxy technology has brought a new turning point in the application of firewall proxy technology. It combines the security benefits of proxy firewalls with high-speed packet filtering, and performance is improved 10 times.

3. Stateful Firewall

The stateful inspection firewall retains the advantages of a simple packet filtering firewall, with better performance and transparency for applications, and on this basis greatly improves security. This type of firewall overcomes the shortcoming of a simple packet filtering firewall, which only inspects packets entering and leaving the network and does not care about the state of those packets: it establishes a state table inside the firewall that maintains each connection and processes the data entering and leaving the network as connection events tracked in that table. We can say that a stateful packet filtering firewall regulates behaviour at the network and transport layers, while an application proxy firewall regulates the behaviour of specific application protocols.

We know that data transmitted over the Internet must follow the TCP/IP protocol. According to the TCP protocol, each reliable connection must go through three stages: the client's synchronization request, the server's response, and the client's acknowledgement. Our most common activities, such as browsing the web, downloading files, and sending and receiving email, must all go through these three stages. This shows that data packets are not independent but have a close relationship of state between earlier and later packets. Stateful inspection technology was introduced on the basis of these state changes.

The stateful inspection firewall overcomes the disadvantage that a packet filtering firewall examines only a few parameters, such as the IP addresses of a data packet, and does not care about the changing state of the connection. It treats the packets of a connection as a session and uses a state table to keep track of the state of each session. Stateful inspection checks each packet not only against the rules table but also against whether the packet matches the state of its session, thus providing full control over the transport layer.
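The following is an added Python example, not code from the article, that implements the state table described in this section and in the earlier overview of stateful inspection: a connection entry is created only for a new SYN that the static rules permit, the entry is advanced through the three TCP stages (client SYN, server SYN/ACK, client ACK) before it is treated as established, later packets are matched against the table rather than the rules, and an idle entry expires so the dynamically opened high port closes again. The addresses, the single static policy rule and the packet trace are all constructed; real firewalls also track sequence numbers and window sizes, which this example omits.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed example; addresses and the packet trace are made up for illustration.
@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    ts: float = 0.0     # arrival time in seconds, used to expire idle state entries

ConnKey = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


class StatefulInspector:
    """State table keyed by the client side of each connection. A connection is
    ESTABLISHED only after client SYN, server SYN/ACK and client ACK have been
    seen; packets without a matching entry fall back to the static policy."""

    def __init__(self, intranet: str, idle_timeout: float = 60.0):
        self.intranet = ip_network(intranet)
        self.idle_timeout = idle_timeout
        self.table: Dict[ConnKey, Tuple[str, float]] = {}   # key -> (state, last seen)

    def _policy_allows_new(self, pkt: TcpPacket) -> bool:
        # the only static rule: intranet hosts may initiate connections outwards
        return ip_address(pkt.src) in self.intranet and ip_address(pkt.dst) not in self.intranet

    def _expire(self, now: float) -> None:
        for k in [k for k, (_, seen) in self.table.items() if now - seen > self.idle_timeout]:
            del self.table[k]          # the dynamically opened high port closes again

    def inspect(self, pkt: TcpPacket) -> str:
        self._expire(pkt.ts)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return self._client_to_server(fwd, pkt)
        if rev in self.table:
            return self._server_to_client(rev, pkt)
        # no state: only a fresh SYN that the static policy permits may create an entry
        if pkt.syn and not pkt.ack and self._policy_allows_new(pkt):
            self.table[fwd] = ("SYN_SENT", pkt.ts)
            return "allow"
        return "drop"

    def _client_to_server(self, key: ConnKey, pkt: TcpPacket) -> str:
        state, _ = self.table[key]
        if state == "SYN_SENT" and pkt.syn and not pkt.ack:
            new = state                        # SYN retransmission
        elif state == "SYN_RECEIVED" and pkt.ack and not pkt.syn:
            new = "ESTABLISHED"                # third stage completes the handshake
        elif state in ("ESTABLISHED", "CLOSING"):
            new = self._after_data(state, pkt)
        else:
            return "drop"                      # out of sequence for this state
        return self._update(key, new, pkt.ts)

    def _server_to_client(self, key: ConnKey, pkt: TcpPacket) -> str:
        state, _ = self.table[key]
        if state in ("SYN_SENT", "SYN_RECEIVED") and pkt.syn and pkt.ack:
            new = "SYN_RECEIVED"               # second stage: the server's response
        elif state in ("ESTABLISHED", "CLOSING"):
            new = self._after_data(state, pkt)
        else:
            return "drop"
        return self._update(key, new, pkt.ts)

    @staticmethod
    def _after_data(state: str, pkt: TcpPacket) -> str:
        if not pkt.fin:
            return state
        return "CLOSED" if state == "CLOSING" else "CLOSING"   # second FIN closes

    def _update(self, key: ConnKey, new_state: str, ts: float) -> str:
        if new_state == "CLOSED":
            del self.table[key]
        else:
            self.table[key] = (new_state, ts)
        return "allow"


def run_trace() -> List[str]:
    """Constructed trace: a normal web session, then three packets that must be dropped."""
    fw = StatefulInspector("10.0.0.0/8", idle_timeout=60.0)
    client, server, outsider = "10.1.2.3", "203.0.113.10", "198.51.100.7"
    trace = [
        TcpPacket(client, server, 40000, 80, syn=True, ts=0.00),             # stage 1
        TcpPacket(server, client, 80, 40000, syn=True, ack=True, ts=0.01),   # stage 2
        TcpPacket(client, server, 40000, 80, ack=True, ts=0.02),             # stage 3
        TcpPacket(server, client, 80, 40000, ack=True, ts=0.03),             # data
        TcpPacket(outsider, client, 6000, 40000, ack=True, ts=0.04),  # forged "response", wrong peer
        TcpPacket(outsider, client, 6001, 22, syn=True, ts=0.05),     # inbound SYN, denied by policy
        TcpPacket(server, client, 80, 40000, ack=True, ts=100.0),     # genuine peer, entry expired
    ]
    return [fw.inspect(p) for p in trace]


if __name__ == "__main__":
    print(run_trace())   # ['allow', 'allow', 'allow', 'allow', 'drop', 'drop', 'drop']
```

The fifth packet is the case a stateless filter gets wrong: it carries the ACK flag and targets the open high port, but there is no table entry for that peer, so it is dropped without consulting any rule. The hash lookup on the connection key is also why only the first packet of a connection costs a rule-table scan.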

One problem with gateway firewalls is the amount of traffic they can handle. Stateful inspection technology greatly improves security protection and also improves the speed of traffic processing. It uses a number of optimization techniques to greatly improve firewall performance and can be applied in a variety of network environments, especially large networks with complex rules.

Any high performance firewall will use stateful inspection technology.

4. Composite firewall

The composite firewall is a new generation of firewall that combines stateful inspection with a transparent proxy. In addition, it is based on an ASIC architecture and integrates an anti-virus engine and content filtering into the firewall. It also includes IDS features, integrating several modules in a new breakthrough. Conventional firewalls cannot prevent attacks hidden inside normal network traffic. Application layer scanning at the network interface, which combines antivirus, content filtering and the firewall, reflects a new understanding of network and information security: it implements OSI layer 7 content scanning at the network edge, together with application service measures such as antivirus protection and real-time content filtering at the network edge.

Comparison of the four types of firewalls

Packet filtering firewall: does not check the data area, does not create a connection state table, earlier and later messages are unrelated, and application layer control is very weak.

Application gateway firewall: does not check the IP and TCP headers, does not create a connection state table, and network layer security is relatively weak.

Stateful firewall: does not check the data area, creates a connection state table, earlier and later messages are linked, and application layer control is very weak.

Composite firewall: can inspect the contents of the entire data packet and creates a connection state table if necessary. It has strong network-level security, precise application-level control, and weak session control.

That brings today's introduction to an end; I hope it is useful to everyone! If you found it helpful, don't forget to share it with your friends!