[Repost] Firewall technology principles

Disclaimer: this is an original article by a CSDN blogger, released under the CC 4.0 BY-SA license; when reproducing it, attach the original source link and this statement.
Original link: https://blog.csdn.net/u014209205/article/details/83070305
I. The firewall concept
A firewall, also called a protective wall, was invented by Check Point's Gil Shwed and introduced to the Internet in 1993 (patent US5606668 (A), 1993-12-15).
It is a network security system that sits between an internal network and an external network: an information security protection system that allows or restricts the transmission of data according to a defined set of rules.
In the networked world, the packets that a firewall filters are the carriers of the data being communicated.
In networking, a "firewall" refers to a method of separating an internal network from a public access network such as the Internet; it is essentially an isolation technique. A firewall enforces access control between two communicating networks: it lets in the people and data you "agree" to admit to your network and shuts out the people and data you "disagree" with, preventing attackers from reaching your network as far as possible. In other words, without passing through the firewall, people inside the company cannot access the Internet, and people on the Internet cannot communicate with people inside the company.
II. Development of the firewall
Since its birth, the firewall has gone through four stages of development:
Router-based firewalls
Customized firewall toolsets
Firewalls built on a general-purpose operating system
Firewalls with a secure operating system
Common firewalls today belong to the fourth stage, firewalls with a secure operating system, such as NETEYE, NETSCREEN and TALENTIT.
III. Basic types of firewalls
Network layer firewalls
A network layer firewall can be regarded as an IP packet filter operating on the lower layers of the TCP/IP protocol stack. It can allow only packets that match an enumerated rule to pass through the firewall and prohibit all the rest (viruses are the exception: a firewall cannot prevent viruses). These rules are usually defined or modified by the administrator, although some devices can only apply built-in rules.
Application layer firewalls
An application layer firewall operates on the "application layer" of the TCP/IP stack; the data streams generated when you use a browser or FTP belong to this layer. An application layer firewall can intercept all packets entering and leaving an application and block other packets (usually by discarding them directly). In theory, this type of firewall can completely block external data streams from reaching the protected machine.
Database firewalls
A database firewall is a security system based on database protocol analysis and control technology. Using an active defense mechanism, it enforces access control on database behavior, blocks dangerous operations and audits suspicious behavior.
The database firewall analyzes the SQL protocol, lets legitimate SQL operations through according to predefined prohibition and permission policies and blocks illegal operations, forming a perimeter defense around the database that provides proactive prevention of dangerous SQL operations and real-time auditing.
Against intrusion from outside, the database firewall provides SQL injection prohibition and database virtual patching.
IV. Linux firewall
The Linux firewall is very useful in enterprise applications, for example:
iptables can serve as an enterprise NAT router for SMEs and Internet cafes, replacing a traditional router and saving cost.
IDC server rooms generally have no hardware firewall; a Linux firewall can take its place.
iptables combined with squid can act as a transparent proxy for Internet access inside the enterprise. A traditional proxy requires the proxy server to be configured in each browser, whereas with an iptables + squid transparent proxy the client's requests are redirected by port to the proxy server: clients need no settings and do not notice the proxy.
As an enterprise NAT router, iptables can use extension modules to block P2P traffic and can also prohibit illegal web pages.
iptables can map external network IP addresses to internal network IP addresses.
iptables can easily defend against lightweight DoS attacks, such as ping floods and SYN floods.
In summary, iptables is used in two modes: host firewall and NAT router.
V. Basic principles of the firewall
According to the layer at which the traffic is handled, firewalls can be divided into the following kinds:
Packet filtering (Packet Filter): works at the network layer and decides whether to let a packet through based only on the IP addresses, port numbers and protocol type flag in the packet header.
Application proxy (Application Proxy): works at the application layer; by writing a proxy for each application, it detects and analyzes application-layer data.
Stateful inspection (Stateful Inspection): works at layers 2 to 4. The access control is the same as for packet filtering, but the object being processed is not a single packet but the whole connection; the connection state table and the rule table together decide whether a packet is allowed through.
Complete content inspection (Complete Content Inspection): works at layers 2 to 7. It analyzes not only packet header information and state information but also performs application-layer protocol analysis and content reconstruction, effectively preventing hybrid security threats.
VI. Netfilter and iptables
Netfilter is the firewall framework of the Linux 2.4 kernel, proposed by Rusty Russell. The framework is both simple and flexible, and it can implement security policies for many functions such as packet filtering, packet processing, address masquerading, transparent proxying, dynamic network address translation (NAT), filtering based on user and media access control (MAC) address, filtering based on packet state, and rate limiting. Iptables/Netfilter rules can be combined flexibly to form many features covering all aspects, thanks to its outstanding design. Netfilter/iptables form one packet filtering system: netfilter is implemented as kernel modules, and iptables is the upper-layer operation tool.
Without a strict distinction, netfilter and iptables in Linux can both be taken to mean the Linux firewall.
iptables is actually a tool for managing the kernel's packet filtering; it runs in user space and is used to configure the kernel's packet filtering rule tables.
The difference is this: netfilter is the new packet filtering engine introduced in Linux kernel 2.4. It refers to the packet filtering internals of the Linux kernel firewall; it does not exist in the form of a program or file and is the "kernel mode" firewall functional system. iptables refers to the command-line program used to manage the Linux firewall, usually located at /sbin/iptables; it is the "user mode" firewall management system. Netfilter is controlled by the iptables tool, the successor of the ipchains command of the Linux 2.2 kernel.
The Netfilter rule set lives in kernel memory, while iptables is an application-layer program: through Netfilter's interface, it modifies the XXtables (Netfilter configuration tables) stored in kernel memory. The XXtables consist of tables, chains and rules; iptables is responsible for modifying the rules from the application layer. firewalld is a similar application.
What is the relationship between iptables and netfilter?
Many people immediately think of iptables when a firewall is mentioned, but in fact iptables is not the firewall; it is just a piece of software or a tool that writes rules and saves the written rules into netfilter's rule database. The component that really plays the "fire prevention" role is therefore netfilter, not iptables. netfilter is a kernel framework containing 4 tables and 5 chains, and these chains in turn contain a number of rules. Packets are compared against the rules defined in these chains.
In the following content, we refer to the Linux firewall as iptables.
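As an added example that is not part of the original post, the ruleset below ties together the uses listed in section IV (NAT router, transparent squid proxy, external-to-internal address mapping, SYN and ping rate limiting), the stateful inspection of section V and the table/chain structure of section VI. It assumes a router whose eth0 faces the Internet at 203.0.113.10 and whose eth1 faces the LAN 192.168.1.0/24, squid running on the router in intercept mode on port 3128 and an internal web server at 192.168.1.10; all of these names and addresses are constructed for the example.

```shell
# Added example, not from the original post: an iptables-restore ruleset for the
# "NAT router" role. Assumed layout (constructed values): eth0 faces the Internet
# with public address 203.0.113.10, eth1 faces LAN 192.168.1.0/24, squid runs on
# the router in intercept mode on port 3128, an internal web server is 192.168.1.10.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
PUBLIC_IP=203.0.113.10
WEB_SERVER=192.168.1.10
PROXY_PORT=3128
# Prints the ruleset in netfilter's own structure: tables (*filter, *nat) that
# contain chains (INPUT, FORWARD, PREROUTING, ...) that contain rules.
build_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_LIMIT - [0:0]
# Stateful inspection: conntrack decides per connection, so replies are accepted without opening inbound ports.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Lightweight DoS mitigation: SYNs above the rate are dropped, pings are limited.
-A INPUT -p tcp --syn -j SYN_LIMIT
-A SYN_LIMIT -m limit --limit 25/s --limit-burst 50 -j RETURN
-A SYN_LIMIT -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport $PROXY_PORT -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -d $WEB_SERVER -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: LAN web requests are redirected to squid, clients need no setup.
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# External address/port mapped to the internal web server.
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $WEB_SERVER:443
# Hide the LAN behind the router's WAN address.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}
# Review the output of build_rules first, then load it atomically as root.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  build_rules | iptables-restore
}
```

Because the whole ruleset is loaded by iptables-restore in one transaction, there is no window in which the DROP policies are active without the ESTABLISHED,RELATED rule.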
VII. Firewall performance
Throughput: this metric directly affects the performance of the network.
Latency: the interval between the moment the last bit of the input frame arrives at the ingress and the moment the first bit of the output frame leaves the egress.
Frame loss rate: under steady-state load, the percentage of frames that the network device should have forwarded but dropped for lack of resources.
Back-to-back: starting from the idle state, a large number of fixed-length frames is transmitted at the minimum legal inter-frame gap of the transmission medium; the metric is the number of frames transmitted when the first frame loss occurs.
Concurrent connections: the maximum number of connections that can be established simultaneously through the firewall between hosts, or between a host and the firewall.
VIII. Firewall limitations
Although a firewall is basic infrastructure for protecting the network, there are security threats it cannot easily prevent:
First, a firewall cannot prevent attacks that do not pass through it or that bypass it. For example, if dialing out from inside the protected network is allowed, some users may form a direct connection to the Internet.
A firewall based on packet header inspection mainly enforces access control on the requested host or service; it cannot block harmful traffic flowing through an open port and is no solution to worms or hacker attacks.
In addition, a firewall has difficulty preventing attacks or abuse originating from the internal network.

Origin www.cnblogs.com/hanjiali/p/11833158.html