Monday, November 1, 2010

Firewall

A firewall is a means of keeping a network safe. It can run on a separate router to filter out unwanted packets, or be installed on both a router and a host for stronger protection. Firewalls are widely used to give users a safety barrier: once an enterprise connects to the Internet, the firewall separates its public-facing servers from the internal network. A firewall can also protect one part of the internal network; for example, a research or accounting subnet that could otherwise be snooped on easily from inside the enterprise network.

A firewall is a security measure that protects information, prevents intrusion, and stops users from harming an important system; some networks connect to the Internet only through the firewall machine.

Firewall development

The first generation of firewall

The first generation of firewall technology appeared almost at the same time as the router and used packet filtering. The following figure shows a simplified history of firewall technology.

The second and third generations of the firewall

In 1989, Dave Presotto and Howard Trickey of Bell Labs launched the second-generation firewall, the circuit-level firewall, and proposed the preliminary structure of the third generation, the application-layer firewall (proxy firewall).

The fourth generation firewall

In 1992, Bob Braden of the USC Information Sciences Institute developed the fourth-generation firewall, based on dynamic packet filtering; this later evolved into what is now called stateful inspection. In 1994, the Israeli company CheckPoint developed the first commercial product to adopt this technology.

The fifth generation firewall

In 1998, NAI launched adaptive proxy technology and implemented it in its product Gauntlet Firewall for NT, giving the proxy type of firewall a brand-new significance; this is called the "fifth-generation firewall".

How a firewall works

A firewall is a kind of filter plug (for now, understanding it that way is not wrong): it lets through the things you want and filters out all the other bits and pieces. In the network world, what the firewall filters are the packets carrying communication data.

At minimum a firewall says one of two words: yes or no; put directly, accept or reject. The simplest firewall is an Ethernet bridge, but almost nobody thinks this primitive firewall is worth much. Most firewall technology and standards are more sophisticated than that. These firewalls come in many forms: some replace the TCP/IP protocol stack the system was equipped with; some build their own software module into the existing stack; some are simply an independent operating system. Some firewalls protect only certain types of network connection (such as SMTP or HTTP). Some hardware-based firewall products really belong in the category of security routers. Still more products can be called firewalls, because their way of working is always the same: analyse the packets entering and leaving the firewall and decide whether to pass them or set them aside.

All firewalls have IP address filtering. The task is to inspect the IP header and decide, according to its source and destination addresses, whether to pass or discard the packet. Look at the picture below of two network segments separated by a firewall: a UNIX machine is on one side of the firewall, and the PC clients are on the segment on the other side.

When a PC client issues a Telnet request to the UNIX machine, the PC's Telnet client produces a TCP packet and passes it to the local protocol stack, ready to be sent. Next, the protocol stack "plugs" the TCP packet into an IP packet and sends it toward the UNIX machine along the path defined by the PC's TCP/IP stack. In this example, the IP packet must pass through the firewall between the PC and the UNIX machine in order to reach it.

Now we "command" the firewall (in technical terms, configure it) to refuse all packets sent to the UNIX machine. After doing that work, a "kinder" firewall will also notify the client program. Since IP data sent to that target cannot be forwarded, only users on the same network segment as the UNIX machine are able to access it.

There is another situation: you can order the firewall to pick on that one poor PC alone, refusing its packets while letting everyone else's through. This is the most basic function: the firewall makes its forwarding decision based on IP address. But this small trick only works under one big condition, because hackers can use IP address spoofing to disguise a computer as a legitimate address and get through a firewall that trusts that address. Still, the address-based forwarding decision remains the most basic and necessary mechanism. One more point to note: do not filter on a list of DNS host names, because cheating by forging a DNS name is easier than forging an IP address.

Server TCP/UDP port filtering

Relying on address filtering alone is not feasible in practice, one reason being that a wide variety of communication services often run on the target host. For example, we do not want to let users connect to the system via Telnet, but does that mean we also have to ban them from using the SMTP/POP mail server? So, in addition to addresses, we also need to filter on the server's TCP/UDP port.

For example, the default Telnet service port is 23. If we do not allow PC clients to build Telnet connections to the UNIX machine (when it is acting as the server), we just need to command the firewall to check packets whose destination is the UNIX server and filter out those whose destination port is 23. So, by combining the IP address and the target server's TCP/UDP port as the filter criteria, can we achieve a fairly reliable firewall? No, it is not so simple.

The client has TCP/UDP port

TCP/IP is an end-to-end protocol: each network node has a unique address. The same holds at the application layer, where each application and service has its own corresponding "address", namely a port; address and port together form a socket. Address and port let the client and server establish effective communication connections between their various applications. For example, the Telnet server waits reliably on port 23 for inbound connections. Meanwhile the Telnet client also has a port; otherwise, how would the client's IP stack know which application a packet belongs to?

For historical reasons, almost all TCP/IP client programs use randomly assigned ports above 1023. On a UNIX machine only root can access the ports below 1024, and those ports are still reserved for server services. So, unless we let all packets with ports above 1023 into the network, the various network connections cannot work normally.

This puts the firewall in trouble: if it blocks all inbound ports, no client can use network resources, because the server's response to a connection request sent from inside is an inbound packet (as the firewall sees it) and cannot get through the inbound filtering. Conversely, is opening all ports above 1023 feasible? Not exactly. Many service ports are greater than 1023, such as the X Window System, RPC-based NFS services, and numerous UNIX IP products (NetWare/IP). So if we let packets for ports above 1023 into the network, can we call the network secure? Even those clients would not dare say they are safe enough.

Two-way filtering

OK, let's change our way of thinking. We give the firewall this order: packets from known services may come in, and everything else is blocked outside the firewall. For example, if you know the users access a Web server, let only packets with source port 80 into the network:

But a new problem appears. First, how do you know which port the server you want to visit is running on? An HTTP server can be configured arbitrarily, and the port it uses can also be chosen freely. If you set up the firewall this way, you cannot visit a web site that does not use the standard port! In turn, you cannot guarantee that a packet entering the network with source port 80 comes from a Web server. Some hackers exploit exactly this by making their own intrusion tools run on port 80!

Check the ACK bits

We cannot trust the source address, and trusting the source port looks shaky too; in this crazy world of dancing with hackers, what deserves our trust? Well, things have not come to that point yet. There is a countermeasure, but it can only be used for the TCP protocol.

TCP is a reliable communication protocol; "reliable" means the protocol includes error-correction mechanisms and some special properties. To realize its reliability, every TCP connection must go through a "handshake" process to exchange connection parameters. Also, every packet sent out must be acknowledged before subsequent packets are sent. But not every TCP packet needs a separate ACK packet in response; in fact, this function is completed simply by setting a special bit in the TCP header. So any packet generated as a response will have the ACK bit set. The first packet of a connection session is not a confirmation, so its ACK bit is not set; the TCP packets exchanged in the rest of the session all have the ACK bit set.

For example, a PC initiating a connection to a distant Web server generates a connection-request packet without the ACK bit set. When the server responds to the request, it returns a packet with the ACK bit set that also marks the bytes received from the client. The client then answers that packet with its own response packet, which also has the ACK bit set and marks the bytes received from the server. By monitoring the ACK bit, we can restrict the data entering the network to response packets. Hence a remote system cannot initiate a TCP connection but may respond to packets it receives.

This mechanism is not unbeatable. As a simple example, suppose we have an internal Web server; then port 80 has to be open so that external requests can enter the network. Also, for UDP packets there is no ACK to monitor, because a UDP packet has no ACK bit. And there are some TCP applications, such as FTP, whose connections must be initiated by the server program.

The FTP brings difficulties

Whereas most Internet services use only one pair of sockets for all communication, the FTP program uses two pairs of sockets during a connection. The first pair, the FTP "command channel", provides the communication link for logging in and executing commands, while the other pair, the "data channel", provides the file transfer between FTP client and server.

In a typical FTP session, the client first sends a TCP connection request to the server's port 21 (the command channel) and then executes LOGIN, DIR and all sorts of other commands. Once the user requests data from the server, the FTP server initiates a connection from its port 20 (the data channel) to the client's data port. Here the problem comes: when the server initiates the data connection to the client, it sends data packets without the ACK bit set, and the firewall, following the rule just given, rejects those packets, which means the data transfer fails. Usually only a high-level firewall, smart enough to watch the port the client just told the server, then allows inbound connections to that port.
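As an added example (not code from the original post), a small Python model of the ACK-bit rule above, run over constructed traffic: a web session opened from inside, an outside connection attempt that spoofs source port 80, and an FTP active-mode data connection. The "smart" variant that watches the FTP PORT command and opens the client's data port for one inbound connection is a hypothetical design, and all addresses are constructed.

```python
from dataclasses import dataclass

# Constructed addressing: the 10.0.0.0/24 segment is "inside" the firewall.
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # state of the ACK bit in the TCP header


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class AckBitFilter:
    """Forward outbound TCP freely; admit inbound TCP only if the ACK bit is set.

    Internal hosts may therefore open connections, while external hosts can
    only answer them. The expected-port table is a hypothetical model of the
    "smarter" firewall the text mentions: it learns the client's data port
    from the FTP command channel and opens it for a single inbound connection.
    """

    def __init__(self) -> None:
        self.expected_inbound = set()  # (internal ip, port) pairs opened once

    def learn_ftp_port(self, client_ip: str, data_port: int) -> None:
        """Record the port a client announced in an FTP PORT command."""
        self.expected_inbound.add((client_ip, data_port))

    def decide(self, pkt: TcpPacket) -> str:
        outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
        inbound = is_internal(pkt.dst) and not is_internal(pkt.src)
        if outbound:
            return "PASS"
        if not inbound:
            return "DROP"  # does not cross the firewall in a recognised direction
        if pkt.ack:
            return "PASS"  # a reply to a connection opened from inside
        # No ACK bit: a connection attempt from outside.
        key = (pkt.dst, pkt.dport)
        if key in self.expected_inbound:
            self.expected_inbound.discard(key)  # open once, then close again
            return "PASS"
        return "DROP"


def run_trace(fw: AckBitFilter, trace) -> list:
    return [fw.decide(p) for p in trace]


# Constructed traffic.
WEB_SESSION = [
    TcpPacket("10.0.0.5", 1030, "203.0.113.10", 80, ack=False),  # SYN out
    TcpPacket("203.0.113.10", 80, "10.0.0.5", 1030, ack=True),   # SYN/ACK in
    TcpPacket("10.0.0.5", 1030, "203.0.113.10", 80, ack=True),   # ACK out
]
# Source port 80 alone proves nothing: without ACK this is a new connection.
OUTSIDE_SYN = [TcpPacket("198.51.100.7", 80, "10.0.0.5", 23, ack=False)]
FTP_ACTIVE = [
    TcpPacket("10.0.0.5", 1035, "203.0.113.20", 21, ack=False),  # command channel
    TcpPacket("203.0.113.20", 21, "10.0.0.5", 1035, ack=True),
    TcpPacket("203.0.113.20", 20, "10.0.0.5", 1036, ack=False),  # server opens data channel
]


def demo() -> dict:
    plain = AckBitFilter()
    smart = AckBitFilter()
    smart.learn_ftp_port("10.0.0.5", 1036)  # saw "PORT ...,4,12" on the command channel
    return {
        "web": run_trace(plain, WEB_SESSION),
        "outside_syn": run_trace(plain, OUTSIDE_SYN),
        "ftp_plain": run_trace(plain, FTP_ACTIVE),
        "ftp_smart": run_trace(smart, FTP_ACTIVE),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

The plain filter passes the whole web session and drops the outside SYN, but also drops the FTP server's data-channel SYN; only the port-watching variant lets that one connection through.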

UDP port filtering

Okay, now let's look back at how to solve the UDP problem. As just mentioned, UDP packets have no ACK bit, so ACK-bit filtering cannot be applied to them. UDP is "unreliable" communication, sent without regard for delivery; this type of service is usually used for broadcast, routing, and multimedia broadcasting tasks. NFS, DNS, WINS, NetBIOS-over-TCP/IP and NetWare/IP all use UDP.

The seemingly simplest feasible solution is to disallow establishing inbound UDP connections: set the firewall to forward UDP packets arriving from the internal interface but not UDP packets arriving from the external interface. The question now is that, for example, DNS name resolution requests use UDP, so if you provide DNS services you have to allow at least some internal requests through the firewall. IRC clients also use UDP, so if you let users use them, their UDP packets will also enter the network. What we can do is limit such connections to those between local hosts and trusted sites. But what is "trusted"? If the hacker uses address spoofing, aren't we beaten again?

Some newer routers can "remember" outbound UDP packets to solve this problem: if an inbound UDP packet matches the destination address and port of a recent outbound UDP packet, let it in; if no matching UDP packet is found in memory, refuse it! But how can we be sure that a packet generated by the external host comes from the server the internal client hoped to communicate with? If the hacker spoofs the DNS server's address, then in theory he can certainly attack from the DNS UDP port. As long as you allow DNS queries and replies into the network, this problem inevitably exists. The remedy is to use a proxy server.
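As an added example (not code from the original post), a Python model of the outbound-memory rule for UDP: outbound packets are forwarded and remembered for a short time, and an inbound packet is admitted only if it reverses a remembered flow. The constructed DNS trace shows a legitimate reply, an unsolicited packet, and a reply arriving after the entry has expired; the address-spoofing caveat from the text is noted in a comment. Addresses and the 30-second lifetime are assumptions.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed: the 10.0.0.0/24 segment is inside


@dataclass(frozen=True)
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class UdpMemoryFilter:
    """Forward outbound UDP, remember it, and admit only matching replies.

    Each remembered flow lives for `ttl` seconds; once it expires, a late
    "reply" is refused like any other unsolicited inbound packet.
    """

    def __init__(self, ttl: float = 30.0) -> None:
        self.ttl = ttl
        self.table = {}  # (inside ip, inside port, outside ip, outside port) -> expiry

    def _expire(self, now: float) -> None:
        self.table = {k: t for k, t in self.table.items() if t > now}

    def decide(self, pkt: UdpPacket, now: float) -> str:
        self._expire(now)
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            # Outbound: remember the flow so its reply can come back.
            self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.ttl
            return "PASS"
        if is_internal(pkt.dst) and not is_internal(pkt.src):
            # Inbound: admit only if it reverses a remembered outbound flow.
            # Note the limit the text describes: a packet whose source address
            # and port are forged to match the remembered server passes too.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "PASS" if key in self.table else "DROP"
        return "DROP"


# Constructed DNS traffic.
RESOLVER = "203.0.113.53"
QUERY = UdpPacket("10.0.0.5", 40000, RESOLVER, 53)
REPLY = UdpPacket(RESOLVER, 53, "10.0.0.5", 40000)
UNSOLICITED = UdpPacket("198.51.100.9", 53, "10.0.0.5", 40000)


def demo() -> dict:
    fw = UdpMemoryFilter(ttl=30.0)
    return {
        "query": fw.decide(QUERY, now=0.0),
        "reply": fw.decide(REPLY, now=1.0),
        "unsolicited": fw.decide(UNSOLICITED, now=2.0),
        "late_reply": fw.decide(REPLY, now=100.0),  # entry expired at t=30
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```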

A so-called proxy server, as its name implies, is a server that represents your network in its dealings with the outside world. A proxy server does not allow any direct connection between the inside and the outside of the network. It provides the public and special-purpose DNS and mail server functions itself. Instead of simply forwarding packets, the proxy server rewrites them. The impression given is that the network's internal hosts stand at the edge of the network, but in fact they are hiding behind the proxy, and what appears outside is only the proxy's mask.

