Essential knowledge for network engineers: the firewall chapter

Table of contents

1. Background

2. Type

2.1. Filtering firewall

2.2. Application Gateway Firewall

2.3. Service Firewall

2.4. Monitoring Firewall

3. Function

3.1. Network security barrier

3.2. Network Security Policy

3.3. Conduct monitoring and auditing

3.4. Prevent leakage of internal information

4. Five security domains

5. Three working modes

5.1 Switching mode (Layer 2 mode)

5.2 Routing mode (Layer 3 mode)

5.3 Hybrid mode


In daily life we often hear about "climbing over the wall" on the Internet, so do you know what this wall refers to? It refers to China's national firewall. "Climbing over the wall", also called "breaking the network", means using virtual private network (VPN) technology to evade national network supervision, break through IP blocking, content filtering, domain name hijacking, traffic restrictions and so on, and illegally access overseas websites that the state has blocked. In short, "climbing over the wall" means bypassing national network supervision to reach blocked websites.

After all that, today's protagonist is obviously the firewall. Let's take a closer look at it.

1. Background

In ancient times, people often built a brick wall between houses so that, once a fire broke out, it could not spread to the neighbouring houses. If a network is connected to the Internet, its users can access and communicate with the outside world; but at the same time the outside world can also reach into the network. For security reasons, an intermediary system can be inserted between the network and the Internet to erect a security barrier. The job of this barrier is to block threats and intrusions coming into the network from outside, and to provide a checkpoint for guarding and auditing the network. Because its role is similar to that of the ancient fire wall, we call this barrier a "firewall".

Firewalls follow one of two basic principles.

First, reject everything that is not explicitly allowed. The firewall reviews traffic item by item: every service request and application operation is checked against the explicitly permitted commands before it may proceed. This provides a practical way to ensure the security of internal computers. The downside is that the services users can request, and the number of them, are limited, so security improves while usability is weakened.

Second, allow everything that is not explicitly denied. Here the firewall forwards all traffic by default and acts according to the agreed rules, that is, it checks each item and drops only the commands known to be harmful. The drawback is that usability takes precedence over security, which makes the network harder to secure.

2. Type

Firewalls can be divided into the following four categories according to different usage scenarios.

2.1. Filtering firewall

A filtering firewall, as its name suggests, plays a filtering role in the computer network: it filters the packets flowing through the network according to preset filtering rules. The first generation of firewalls were filtering firewalls.

2.2. Application Gateway Firewall

The application gateway firewall works mainly at the topmost layer, the application layer. Compared with filtering firewalls, its biggest feature is that it has its own logical analysis. Based on this analysis, the application gateway server filters dangerous data at the application layer, analyzes the protocols used by the internal network's applications, and inspects every packet inside the computer network. Packets that do not fit the expected application logic are not allowed through the firewall.

2.3. Service Firewall

Both of the firewalls described above are used in computer networks to prevent malicious information from entering the user's computer.

2.4. Monitoring Firewall

If the firewalls introduced so far are all passive defenses, the monitoring firewall is not only defensive but also proactive. This kind of firewall can filter traffic internally while monitoring externally; technically speaking, it is a major upgrade of the traditional firewall.

3. Function

3.1. Network security barrier

The firewall greatly improves the security of the internal network. It acts as a choke point and a control point that filters out potentially dangerous services, thereby reducing the risk to the internal network. Because all traffic entering the network is carefully filtered by the firewall, the internal network environment becomes much safer and more reliable.

3.2. Network Security Policy

If the network security configuration is centered on the firewall, security functions such as passwords, encryption, identity authentication, and auditing can all be configured on the firewall.

3.3. Conduct monitoring and auditing

The firewall has a very good logging function: it records every access that passes through it, and it can also summarize and analyze network usage data to produce statistics on network access.
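The kind of summary the paragraph describes, turning raw firewall access records into usage statistics plus a simple audit signal, is shown below as an added example; it is not code from the original article. The log line format, the zone names in the records and the addresses are all constructed for this example and do not correspond to any vendor's real log format.

```python
"""Summarise constructed firewall log lines into access statistics.

Added example (not part of the original article). Each log line carries a
timestamp followed by key=value tokens: action, source and destination
zone, protocol, source and destination address, destination port. This
format is an assumption made for the example, not a real vendor format.
"""
import re
from collections import Counter

# Constructed sample records; addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-01-01T10:00:01 action=permit src_zone=trust dst_zone=untrust proto=tcp src=10.0.1.10 dst=203.0.113.5 dport=443
2024-01-01T10:00:02 action=permit src_zone=untrust dst_zone=dmz proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=80
2024-01-01T10:00:03 action=deny src_zone=untrust dst_zone=trust proto=tcp src=198.51.100.7 dst=10.0.1.10 dport=22
2024-01-01T10:00:04 action=deny src_zone=untrust dst_zone=trust proto=tcp src=198.51.100.7 dst=10.0.1.11 dport=22
2024-01-01T10:00:05 action=permit src_zone=trust dst_zone=untrust proto=udp src=10.0.1.12 dst=203.0.113.53 dport=53
2024-01-01T10:00:06 action=deny src_zone=untrust dst_zone=trust proto=tcp src=198.51.100.7 dst=10.0.1.12 dport=22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one record into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    """Parse every non-empty line, silently skipping malformed ones."""
    return [r for r in (parse_line(l) for l in text.splitlines() if l.strip()) if r]


def summarise(records):
    """The statistics the article mentions: counts by action, zone pair and permitted service."""
    by_action = Counter(r["action"] for r in records)
    by_zone_pair = Counter((r["src_zone"], r["dst_zone"]) for r in records)
    by_service = Counter((r["proto"], r["dport"]) for r in records if r["action"] == "permit")
    return {
        "by_action": dict(by_action),
        "by_zone_pair": dict(by_zone_pair),
        "by_service": dict(by_service),
    }


def denied_sources(records, threshold=3):
    """Audit signal: sources with at least `threshold` denied connections."""
    counts = Counter(r["src"] for r in records if r["action"] == "deny")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarise(recs))
    print("repeatedly denied sources:", denied_sources(recs))
```

The `denied_sources` threshold is deliberately low so the sample data triggers it; in practice the threshold and the time window over which denies are counted are tuning decisions for the audit process, not fixed values.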

3.4. Prevent leakage of internal information

The firewall can divide the internal network into several segments and tighten monitoring of key or sensitive local networks, so that the security of the whole network is not compromised by a single local segment.

A firewall is like a security door: it provides protection and is an indispensable part of network planning and deployment.

4. Five security domains


The inbound direction is when packets flow from a lower-priority security zone to a higher-priority one, and the outbound direction is when packets flow from a higher-priority security zone to a lower-priority one.

untrust (untrusted zone): low-level security zone, security priority 5

Usually used to define insecure networks such as the Internet, and for the interfaces where the network's uplink lines terminate.

dmz (demilitarized zone): medium-level security zone, security priority 50

Usually used to define the network where internal servers are located.

Its purpose is to connect servers that must be reachable from outside (WEB, E-mail and so on) to this zone's interface, while the internal network that needs protection is connected to the trusted zone's interface and is not reachable from outside, thereby separating the internal and external networks and meeting user needs. The DMZ can be understood as a special network area distinct from both the external network and the intranet; public servers that hold no confidential information, such as Web, Mail and FTP servers, are usually placed in the DMZ. In this way, visitors from the external network can reach the services in the DMZ but cannot reach company secrets or private information stored in the internal network. Even if a server in the DMZ is compromised, the confidential information in the internal network is not affected.

trust (trusted zone): high-level security zone, security priority 85

Usually used to define the network where internal users are located; it can also be understood as the most strictly protected area.

local (local zone): top-level security zone, security priority 100

Local is the zone of the firewall itself. For example, replying to Internet control protocols such as the ping command requires the permissions of the local zone.

All packets actively sent by the firewall can be considered as sent from the Local zone.

All packets that the firewall must respond to and process itself (rather than forward) can be considered as received by the Local zone.

management (management zone): top-level security zone, security priority 100

Besides configuring the device through the console interface, if the firewall can be configured through a web interface, a twisted-pair cable is connected to the management interface and the user name and password are entered to configure it.
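The two ideas in this section and in the "two basic principles" earlier on, zone priorities deciding whether a flow is inbound or outbound, and the firewall either denying or permitting whatever no rule explicitly covers, fit together in one small policy evaluator. The block below is an added example written for this article, not code from the original or from any firewall vendor. The zone names and priorities are the article's; the address-to-zone mapping, the rule format, the rule list, the packet representation and the "same-level" label for flows between two zones of equal priority are all assumptions made for the example.

```python
"""Security zones, flow direction and the default-deny / default-allow stance.

Added example, not from the original article. Zone priorities follow the
article; the network-to-zone mapping, rule format and sample packets are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Security zones and priorities as listed in the article.
ZONE_PRIORITY = {"untrust": 5, "dmz": 50, "trust": 85, "local": 100, "management": 100}

# Constructed mapping of address ranges to zones (an assumption for this example);
# anything not listed is treated as coming from the Internet, i.e. untrust.
ZONE_NETWORKS = {
    "trust": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.0.2.0/24")],
    "local": [ip_network("203.0.113.1/32")],  # the firewall's own address
}


def zone_of(ip: str) -> str:
    """Return the zone an address belongs to, defaulting to untrust."""
    addr = ip_address(ip)
    for zone, nets in ZONE_NETWORKS.items():
        if any(addr in net for net in nets):
            return zone
    return "untrust"


def direction(src_zone: str, dst_zone: str) -> str:
    """Inbound: low -> high priority; outbound: high -> low.
    'same-level' is this example's own label for equal priorities."""
    s, d = ZONE_PRIORITY[src_zone], ZONE_PRIORITY[dst_zone]
    if s < d:
        return "inbound"
    if s > d:
        return "outbound"
    return "same-level"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"


# Constructed interzone rules, evaluated first-match.
RULES = [
    Rule("trust", "untrust", "tcp", 443, "permit"),  # web browsing out
    Rule("trust", "untrust", "udp", 53, "permit"),   # DNS out
    Rule("untrust", "dmz", "tcp", 80, "permit"),     # public web server in the DMZ
    Rule("untrust", "trust", "tcp", 22, "deny"),     # explicitly blocked
]


def evaluate(packet: dict, stance: str = "default-deny") -> tuple:
    """Return (action, direction) for a packet under the chosen stance.

    stance="default-deny": reject whatever no rule explicitly allows (principle 1).
    stance="default-allow": permit whatever no rule explicitly denies (principle 2).
    """
    src_zone, dst_zone = zone_of(packet["src"]), zone_of(packet["dst"])
    flow = direction(src_zone, dst_zone)
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, packet["proto"]) \
                and rule.dport in (None, packet["dport"]):
            return rule.action, flow
    if stance == "default-deny":
        return "deny", flow
    if stance == "default-allow":
        return "permit", flow
    raise ValueError(f"unknown stance: {stance}")


if __name__ == "__main__":
    pkt = {"src": "10.0.1.5", "dst": "198.51.100.9", "proto": "tcp", "dport": 8080}
    print("default-deny :", evaluate(pkt, "default-deny"))
    print("default-allow:", evaluate(pkt, "default-allow"))
```

The same unlisted outbound flow (TCP port 8080 from trust to untrust) is dropped under the first principle and forwarded under the second, which is exactly the usability-versus-security trade-off the article describes; the explicit deny for SSH from untrust into trust is enforced under either stance.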

5. Three working modes

The difference is simply whether each firewall interface operates in routing mode or in switching mode. The three diagrams make this clear.

5.1 Switching mode (Layer 2 mode)


5.2 Routing mode (Layer 3 mode)

5.3 Hybrid mode

The firewall is a very important part of the network engineering body of knowledge. Interested readers can find plenty of further material, and you are welcome to discuss and exchange ideas.

Thank you for your attention!


Origin blog.csdn.net/yuyeconglong/article/details/132508312