
On the application and development trend of distributed firewall technology

Traditional firewalls are divided into packet filtering and proxy types, each of which has its own shortcomings and limitations. With the development of computer security technology and users' growing demands on firewall functions, a new type of firewall has appeared: the "distributed firewall" (English name "distributed firewalls"). It is developed on the basis of the traditional boundary firewall. At present it mainly appears in the form of software, but some internationally well-known network equipment vendors have developed and produced hardware distributed firewalls that integrate distributed firewall technology, made as an embedded firewall PCI card or PCMCIA card, while centralized management is still performed by server software. Because it integrates distributed firewall technology into hardware, it is usually called an "embedded firewall". In fact, its core technology is still "distributed firewall" technology.

1. Generation of the distributed firewall

1.1 Defects of traditional firewalls

Traditional firewalls can be divided into packet filtering type and proxy type according to the technology used. The following focuses on the principles and shortcomings of packet filtering firewalls and application gateway firewalls.

Working principle of the packet filtering firewall: packet filtering technology includes two basic types, packet filtering without stateful inspection and packet filtering with stateful inspection. The difference is that the latter remembers the state of every communication passing through the firewall and filters the whole communication flow according to that state information, not just individual packets. Packet filtering is implemented at the IP layer, so it can be done by a router alone. Packet filtering decides whether to allow a packet to pass according to header information such as the source IP address, destination IP address, source port, destination port and transmission direction of the packet; it can also filter on user-defined content, such as IP addresses. Its working principle is that the system checks packets at the network layer, independently of the application layer. Packet filters are widely used, because the CPU time spent on packet filtering is negligible. Moreover, this protective measure is transparent: legitimate users cannot feel its existence at all when entering and leaving the network, so it is very convenient to use. In this way, the system has good transmission performance and is easy to expand. However, this kind of firewall is not very secure, because the system has no perception of application layer information: it does not understand the content of the communication and cannot filter at the user level, that is, it cannot identify different users or prevent the theft of IP addresses. If an attacker sets the IP address of his host to the IP address of a legitimate host, he can easily pass the packet filter, so it is more easily broken by hackers. Based on this working mechanism, the packet filtering firewall has the following defects:

(1) A Trojan horse can invalidate the packet filter.

(2) Filtering of TCP in the 0 segment.

(3) Only part of the packet header information can be accessed.

(4) State information from the communication and the application cannot be saved.

(5) Limited ability to process information.

(6) Ports above 1024 are allowed to pass.
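As an added example (not code from the original article), the following toy filter in Python contrasts a stateless decision with a stateful one: because replies to internal clients arrive on ephemeral ports, the stateless filter has to open every inbound port above 1024 (defect 6), while a filter that records outbound connections (defect 4 fixed) admits only genuine replies. All addresses, ports and the policy are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = internal host -> Internet, "in" = Internet -> internal host


def stateless_filter(pkt: Packet) -> bool:
    """Stateless packet filter: decides on header fields alone, packet by packet."""
    if pkt.direction == "out":
        return True  # internal hosts may open connections to any service
    # Replies land on ephemeral client ports and a stateless filter cannot tell a
    # reply from an unsolicited probe, so it admits every inbound packet to a port > 1024.
    return pkt.dst_port > 1024


class StatefulFilter:
    """Stateful packet filter: remembers outbound connections and admits only their replies."""

    def __init__(self) -> None:
        # Connection table keyed by (internal ip, internal port, external ip, external port)
        self.connections = set()

    def decide(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound traffic passes only if it answers a recorded outbound connection.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
REQUEST = Packet("10.0.0.5", 40000, "203.0.113.10", 80, "out")  # client opens HTTP
REPLY = Packet("203.0.113.10", 80, "10.0.0.5", 40000, "in")     # server answers
PROBE = Packet("198.51.100.7", 4444, "10.0.0.5", 40001, "in")   # unsolicited, high port
SSH_PROBE = Packet("198.51.100.7", 4444, "10.0.0.5", 22, "in")  # unsolicited, low port


def run_comparison() -> dict:
    """Return {label: (stateless decision, stateful decision)} for the sample traffic in order."""
    stateful = StatefulFilter()
    results = {}
    for label, pkt in [("request", REQUEST), ("reply", REPLY), ("probe", PROBE), ("ssh_probe", SSH_PROBE)]:
        results[label] = (stateless_filter(pkt), stateful.decide(pkt))
    return results


if __name__ == "__main__":
    for label, (stateless, stateful) in run_comparison().items():
        print(f"{label:10s} stateless={'pass' if stateless else 'drop'} stateful={'pass' if stateful else 'drop'}")
```

The unsolicited high-port probe passes the stateless filter but is dropped by the stateful one; the low-port probe is dropped by both.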

Application gateway proxies include circuit-level proxy servers, escrow servers, IP tunnels, NAT (network address translation), split domain name servers and mail forwarding. Their working principle is shown in Figure 1.

Figure 1

The proxy server checks the service request from the internal client of the network and verifies its legitimacy. It then acts as a client itself, sends the request to the real server, retrieves the required information, and finally forwards it to the internal client.

Because proxies break the traditional client/server model (C/S model), each client/server communication requires two connections: one from the client to the firewall and one from the firewall to the server, so scalability is poor.

Copyright © 2011 JIN SHI