The rapid development of the Internet has brought unprecedented advances to modern work and life, greatly improving productivity and enriching people's lives both materially and spiritually; at the same time, it has brought an increasingly serious problem: network security. Network security has become one of the hottest topics of the day, and many companies have adopted firewalls to protect their servers and data. As the technology has matured, firewalls have gradually gained public acceptance. However, because firewalls are sophisticated products, many people do not understand them thoroughly. This article explains how firewalls work, gives a basic classification of firewalls, and discusses the advantages and disadvantages of each type.
1. Basic classification of firewalls
1. Packet Filter Firewall
The first-generation firewall, and the most basic form, inspects each network packet passing through it and either discards or passes it according to an established set of rules. This is called a packet filtering firewall.
Essentially, a packet filtering firewall is multi-homed, meaning it has two or more network adapters or interfaces. For example, a device acting as a firewall may have two network cards (NICs), one connected to the internal network and the other to the public Internet. The firewall's task is to act as a "traffic policeman", directing packets and intercepting the harmful ones.
The packet filtering firewall inspects every incoming packet and looks at the basic information available in it (source and destination addresses, port numbers, protocol, and so on). It then compares this information with the established rules. If a rule blocking telnet connections has been set up and the packet's destination port is 23, the packet is discarded. If incoming web connections are allowed and the destination port is 80, the packet is passed.
Combinations of rules are also possible. If web connections are allowed, but only to a specific server, both the destination port and the destination address must match the rule before the packet is passed.
Finally, the firewall must decide what happens to a packet that matches no rule when it arrives. Usually, for security reasons, packets that match no incoming rule are discarded. If there is a reason to let such a packet through, a rule is created to handle it.
An example of establishing a packet filtering firewall rule is as follows:
For packets coming from the private network, only packets with internal source addresses are allowed to pass, because any other packet carries incorrect header information. This rule prevents anyone inside the network from attacking with a spoofed source address. Moreover, if an intruder has somehow gained access to a machine inside the private network, this filter prevents them from launching spoofed attacks from inside the network.
On the public network side, only packets whose destination port is 80 are allowed to pass. This rule restricts incoming connections to web connections. However, it also admits any other connection that happens to use the same port as web connections, so it is not very secure.
Discard packets arriving from the public network that carry source addresses belonging to your own network, thereby reducing IP spoofing attacks.
Discard packets containing source routing information, to reduce source routing attacks. Remember that in a source routing attack, the incoming packet carries routing information that overrides the normal routing of packets through the network, which may bypass existing security measures. By ignoring source routing information, a firewall can reduce this kind of attack.
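As an added illustration (not part of the original article), here are the four rules above, plus the port-and-address combination described earlier, written as a small first-match packet filter in Python with a default-deny policy. The topology (10.0.0.0/24 inside, 10.0.0.80 as the only web server) and the sample packets are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology for this example: the firewall's "inside" interface serves
# 10.0.0.0/24 and its "outside" interface faces the public Internet.
INTERNAL_NET = ip_network("10.0.0.0/24")
WEB_SERVER = "10.0.0.80"   # the one internal host allowed to receive inbound web traffic


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrived on: "inside" or "outside"
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp", ...
    dport: int                   # destination port (0 when the protocol has none)
    source_routed: bool = False  # IP source-route option present in the header


@dataclass(frozen=True)
class Rule:
    """One stateless filter rule; a None field means 'any'."""
    action: str                             # "ACCEPT" or "DROP"
    reason: str
    iface: Optional[str] = None
    src_in: Optional[IPv4Network] = None    # network the source must belong to ...
    src_negate: bool = False                # ... or must NOT belong to, when True
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    source_routed: Optional[bool] = None

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.src_in is not None:
            inside = ip_address(pkt.src) in self.src_in
            if inside == self.src_negate:   # wanted inside but found outside, or vice versa
                return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.source_routed is not None and pkt.source_routed != self.source_routed:
            return False
        return True


# Ordered rule set mirroring the four example rules in the text; first match wins.
RULES: List[Rule] = [
    Rule("DROP", "source-routed packet", source_routed=True),
    Rule("DROP", "spoofed source on inside interface", iface="inside",
         src_in=INTERNAL_NET, src_negate=True),
    Rule("DROP", "internal source address arriving from outside", iface="outside",
         src_in=INTERNAL_NET),
    Rule("ACCEPT", "outbound traffic from internal host", iface="inside", src_in=INTERNAL_NET),
    # web connections only, and only to the designated server: port AND address must match
    Rule("ACCEPT", "inbound web connection to web server", iface="outside",
         proto="tcp", dport=80, dst=WEB_SERVER),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.reason
    return "DROP", "no matching rule (default deny)"


# Constructed sample packets exercising each rule and the default policy.
SAMPLES = [
    Packet("inside",  "10.0.0.5",     "203.0.113.10", "tcp", 443),                     # normal outbound
    Packet("inside",  "203.0.113.99", "203.0.113.10", "tcp", 443),                     # spoofed from inside
    Packet("outside", "10.0.0.9",     "10.0.0.80",    "tcp", 80),                      # internal src from outside
    Packet("outside", "198.51.100.7", "10.0.0.80",    "tcp", 80),                      # allowed web traffic
    Packet("outside", "198.51.100.7", "10.0.0.5",     "tcp", 80),                      # web port, wrong host
    Packet("outside", "198.51.100.7", "10.0.0.80",    "tcp", 80, source_routed=True),  # source routed
    Packet("outside", "198.51.100.7", "10.0.0.80",    "tcp", 22),                      # no rule: default deny
]


def run_samples() -> List[str]:
    """Verdicts for SAMPLES in order."""
    return [filter_packet(p)[0] for p in SAMPLES]
```

The order of the rules matters: the anti-spoofing drops come before the blanket "accept outbound" rule, and the inbound web rule checks the destination address as well as the port, which is exactly the combination the text says is needed to limit web access to one server.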
2. State/dynamic inspection firewall
A state/dynamic inspection firewall tries to track the network connections and packets passing through it, so that it can use an additional set of criteria to decide whether communication is allowed or denied. It does this on top of the techniques used by a basic packet filtering firewall.
When a packet filtering firewall sees a network packet, the packet exists in isolation. It has no history or future that the firewall cares about. The decision to allow or reject a packet depends entirely on the information contained in the packet itself, such as the source address, destination address, port number, and so on. If the packet carries no information describing its place in a flow of traffic, it is considered stateless; it simply exists.
A stateful inspection firewall tracks more than the information contained in the packet. To track the packet's state, it also records information that helps identify the packet, such as existing network connections, outgoing data requests, and so on.
For example, suppose an incoming packet contains a stream of video data, and the firewall has recorded that an application at a particular internal IP address recently requested a video signal from the packet's source address. If the incoming packet is destined for the same system that issued the request, the firewall finds a match and the packet can be allowed through.
A state/dynamic inspection firewall blocks all incoming traffic while allowing all outgoing traffic. Because the firewall tracks the requests going out from inside, all incoming data belonging to those connections is allowed through until the connection is closed. Only unsolicited incoming traffic is blocked.
If a server runs behind the firewall, the configuration becomes slightly more complicated, but stateful packet inspection is a powerful and adaptable technology. For example, the firewall can be configured to allow only traffic arriving on a specific port and only to a specific server. If a web server is running, the firewall passes only the incoming traffic for port 80, and only to the designated web server.
Some additional services that a state/dynamic inspection firewall can provide are:
Redirecting certain types of connection to an auditing service. For example, a connection to a dedicated web server may be sent to a SecurID server (used with one-time passwords) before the connection to the web server is allowed.
Rejecting network traffic that carries certain content, such as incoming email messages with attached executable programs, or web pages containing ActiveX programs.
How connection state is tracked depends on the type of packet passing through the firewall:
TCP packets. When a TCP connection is established, the first packet sent has the SYN flag set. Typically, the firewall discards all connection attempts from outside unless a specific rule has been established to handle them. For internal connections, that is, attempts to connect to external hosts, the firewall records the connection state, allowing the responses and subsequent packets between the two systems until the connection ends. In this way, an incoming packet is allowed through only if it is a response on an established connection.
UDP packets. UDP packets are simpler than TCP packets because they contain no connection or sequence information. They carry only the source address, destination address, a checksum and the data. This lack of information makes it hard for the firewall to judge a packet's legitimacy, because there is no open connection against which to test whether the incoming packet should be allowed. However, if the firewall tracks state, it can decide: an incoming packet is allowed through if the addresses it uses and the protocol carried by the UDP packet match an outgoing request. As with TCP, no incoming UDP packet is allowed through unless it is a response to an outgoing request or a specific rule has been set up to handle it.
Other packet types. The situation is similar to UDP. The firewall carefully tracks outgoing requests, records the address, protocol and packet type used, and then checks incoming packets against the saved information to make sure they were requested.
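The tracking described above for TCP, UDP and other packet types, as an added example in Python (not code from the article or any firewall product): outbound flows are recorded in a state table, replies are matched against it in either direction, unsolicited inbound packets are dropped unless an explicit rule permits them, and a TCP entry is removed after RST or once both sides have sent FIN. The addresses (10.0.0.0/24 inside, 203.0.113.0/24 outside) and the packet sequence are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                            # "inside" or "outside"
    proto: str                            # "tcp", "udp", or another protocol name
    src: str
    sport: int                            # 0 for protocols without ports
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags present: "SYN", "ACK", "FIN", "RST"


Flow = Tuple[str, str, int, str, int]     # (proto, src, sport, dst, dport) as first seen


@dataclass
class FlowState:
    originator_iface: str                 # which side opened the flow (useful for logging)
    fins_seen: int = 0                    # TCP: the flow is gone once both sides sent FIN


def _is_initial_syn(pkt: Packet) -> bool:
    """A connection attempt carries SYN without ACK."""
    return "SYN" in pkt.flags and "ACK" not in pkt.flags


class StatefulFirewall:
    """Allow outbound flows and their replies; drop unsolicited inbound unless a rule permits it."""

    def __init__(self, inbound_rules: Iterable[Tuple[str, str, int]] = ()):
        self.inbound_rules = set(inbound_rules)   # (proto, dst, dport) allowed unsolicited
        self.table: Dict[Flow, FlowState] = {}

    def _find(self, pkt: Packet) -> Optional[Flow]:
        """Locate the tracked flow this packet belongs to, in either direction."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd
        if rev in self.table:
            return rev
        return None

    def process(self, pkt: Packet) -> Tuple[str, str]:
        key = self._find(pkt)
        if key is not None:                       # packet belongs to a tracked flow
            if pkt.proto == "tcp":
                if "RST" in pkt.flags:
                    del self.table[key]
                elif "FIN" in pkt.flags:
                    self.table[key].fins_seen += 1
                    if self.table[key].fins_seen >= 2:
                        del self.table[key]
            return "ACCEPT", "matches tracked flow"
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.iface == "inside":                 # new outbound request from inside
            if pkt.proto == "tcp" and not _is_initial_syn(pkt):
                return "DROP", "tcp packet for unknown flow is not a SYN"
            self.table[flow] = FlowState("inside")
            return "ACCEPT", "new outbound request recorded"
        if (pkt.proto, pkt.dst, pkt.dport) in self.inbound_rules:   # explicit exception
            if pkt.proto == "tcp" and not _is_initial_syn(pkt):
                return "DROP", "inbound tcp must begin with SYN"
            self.table[flow] = FlowState("outside")
            return "ACCEPT", "unsolicited inbound permitted by rule"
        return "DROP", "unsolicited inbound packet"


SYN, SYNACK, ACK, FIN = (frozenset({"SYN"}), frozenset({"SYN", "ACK"}),
                         frozenset({"ACK"}), frozenset({"FIN", "ACK"}))

# Constructed packet sequence: a web request and its replies, an unsolicited probe, a DNS
# exchange over UDP, a connection allowed by an inbound rule, and a close followed by a stray ACK.
EXCHANGE = [
    Packet("inside",  "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, SYN),     # outbound web request
    Packet("outside", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, SYNACK),  # reply, matches flow
    Packet("outside", "tcp", "203.0.113.66", 4444, "10.0.0.5", 22, SYN),      # unsolicited inbound
    Packet("inside",  "udp", "10.0.0.5", 5353, "203.0.113.53", 53),           # outbound DNS query
    Packet("outside", "udp", "203.0.113.53", 53, "10.0.0.5", 5353),           # DNS reply, matches
    Packet("outside", "udp", "203.0.113.53", 53, "10.0.0.5", 5354),           # wrong port: dropped
    Packet("outside", "tcp", "203.0.113.66", 5000, "10.0.0.80", 80, SYN),     # allowed by inbound rule
    Packet("inside",  "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, FIN),     # client closes
    Packet("outside", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, FIN),     # server closes; flow removed
    Packet("outside", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, ACK),     # flow gone: dropped
]


def run_exchange() -> List[str]:
    """Verdicts for EXCHANGE with a single inbound rule for the internal web server."""
    fw = StatefulFirewall(inbound_rules={("tcp", "10.0.0.80", 80)})
    return [fw.process(p)[0] for p in EXCHANGE]
```

The UDP reply on port 5354 is dropped even though it comes from the same server, which is the point the text makes: without sequence numbers the only evidence the firewall has is whether the addresses and ports match an outgoing request it recorded.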
3. Application Proxy Firewall
An application proxy firewall does not actually allow direct communication between the networks it connects. Instead, it accepts a connection from a specific user application on the internal network and then establishes a separate connection to the server on the public network. Users inside the network never communicate directly with the external server, so the server cannot directly reach any part of the internal network.
In addition, if no proxy code is installed for a particular application, that service is not supported and no connection can be established. This arrangement rejects any connection that is not explicitly configured, providing additional security and control.
For example, a user's web browser connects to the HTTP proxy firewall on the internal network, possibly on port 80 but often on port 1080. The firewall then accepts this connection request and relays it to the requested web server.
This connection and relay is transparent to the user because it is handled entirely automatically by the proxy firewall.
Some applications commonly supported by proxy firewalls are:
HTTP
HTTPS/SSL
SMTP
POP3
IMAP
NNTP
TELNET
FTP
IRC
An application proxy firewall can be configured to allow any connection from the internal network, or to require user authentication before a connection is established. Requiring authentication restricts connection establishment to known users, providing an additional security guarantee. If the network is compromised, this feature greatly reduces the chance of attacks from within.
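To make the "separate connection" point concrete, here is an added loopback demonstration in Python (not the article's code or any real proxy product). A stand-in origin server records which socket connected to it; the proxy accepts the client's request, refuses request types it has no handler for and users it does not know (the X-Proxy-User header and the user list are constructed stand-ins for the authentication the text mentions, not a real scheme), and only then relays the request over a fresh upstream connection of its own. It uses only the standard library and binds ephemeral ports on 127.0.0.1.

```python
import socket
import threading
from typing import Dict

HANDLED_METHODS = {b"GET", b"HEAD"}   # assumption: the proxy has handler code only for these
KNOWN_USERS = {b"alice"}              # assumption: users allowed to open proxied connections
USER_HEADER = b"X-Proxy-User"         # constructed toy authentication header, not a real scheme


def _listener() -> socket.socket:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))       # ephemeral port, so the demo never collides with anything
    sock.listen(1)
    sock.settimeout(2)
    return sock


def origin_server(listener: socket.socket, seen: Dict) -> None:
    """Stand-in for a public web server: record who connected and answer with a fixed body."""
    try:
        conn, peer = listener.accept()
    except socket.timeout:
        return                        # nobody connected (the proxy refused the request)
    with conn:
        seen["peer"] = peer           # the only address the origin ever sees
        seen["request"] = conn.recv(4096)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")


def http_proxy(listener: socket.socket, origin_addr) -> None:
    """Application proxy for HTTP: validate the client's request, then relay it upstream."""
    conn, _client = listener.accept()
    with conn:
        request = conn.recv(4096)     # one recv suffices for this small constructed request
        head, _, body = request.partition(b"\r\n\r\n")
        request_line, *header_lines = head.split(b"\r\n")
        try:
            method, target, _version = request_line.split(b" ", 2)
        except ValueError:
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
            return
        headers = dict(h.split(b": ", 1) for h in header_lines if b": " in h)
        if method not in HANDLED_METHODS:                  # no proxy code for this request type
            conn.sendall(b"HTTP/1.0 501 Not Implemented\r\n\r\n")
            return
        if headers.get(USER_HEADER) not in KNOWN_USERS:    # only known users may connect out
            conn.sendall(b"HTTP/1.0 407 Proxy Authentication Required\r\n\r\n")
            return
        # Fresh upstream connection opened by the proxy itself; the client's socket never reaches the origin.
        with socket.create_connection(origin_addr, timeout=2) as upstream:
            upstream.sendall(method + b" " + target + b" HTTP/1.0\r\nHost: origin.example\r\n\r\n" + body)
            response = b""
            while chunk := upstream.recv(4096):
                response += chunk
        conn.sendall(response)


def run_demo(method: bytes = b"GET", user: bytes = b"alice") -> Dict[str, object]:
    """Drive one client request through the proxy and report what each side observed."""
    origin_l, proxy_l = _listener(), _listener()
    seen: Dict = {}
    t_origin = threading.Thread(target=origin_server, args=(origin_l, seen))
    t_proxy = threading.Thread(target=http_proxy, args=(proxy_l, origin_l.getsockname()))
    t_origin.start()
    t_proxy.start()
    with socket.create_connection(proxy_l.getsockname(), timeout=2) as client:
        client.sendall(method + b" /index.html HTTP/1.0\r\n" + USER_HEADER + b": " + user + b"\r\n\r\n")
        client_port = client.getsockname()[1]
        reply = b""
        while chunk := client.recv(4096):
            reply += chunk
    t_proxy.join()
    t_origin.join()
    origin_l.close()
    proxy_l.close()
    return {
        "status": int(reply.split(b" ", 2)[1]),
        "origin_contacted": "peer" in seen,
        # the origin's peer is the proxy's upstream socket, never the client's own socket
        "origin_saw_client_socket": seen.get("peer", ("", -1))[1] == client_port,
    }
```

Run `run_demo()` for the normal case, `run_demo(method=b"POST")` to see an unsupported request type refused before any upstream connection is made, and `run_demo(user=b"mallory")` to see an unknown user refused the same way.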
4. NAT
When discussing firewalls, it is worth mentioning a router function that is not a firewall at all. Network Address Translation (NAT) converts the multiple IP addresses of an internal network into a single public address for traffic sent to the Internet.
NAT is commonly used in small offices, homes and similar networks. Multiple users share a single IP address, and NAT provides some security for the Internet connection.
When an internal user communicates with a public host, NAT keeps track of which user made the request and modifies the outgoing packet so that it appears to come from the single public IP address, then opens the connection. Once the connection is established, the traffic flowing back and forth between the internal computer and the web site is transparent.
When an unsolicited incoming connection arrives from the public network, NAT has a set of rules to decide how to deal with it. Without predefined rules, NAT simply discards all unsolicited incoming connections, just as a packet filtering firewall does.
However, just as with a packet filtering firewall, NAT can be configured to accept incoming connections on certain specific ports and forward them to a specific host address.
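As an added example (not from the article), a NAT table in Python showing the translation described above: outgoing packets are rewritten to the single public address with an allocated port, replies are mapped back to the internal host that made the request, unsolicited inbound packets are discarded, and a static port-forwarding rule sends inbound port 80 to an internal web server. The addresses (198.51.100.1 as the public address, 10.0.0.0/24 inside, 203.0.113.0/24 for external hosts) and the packet sequence are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Port-address translation for one public IP, with optional static port forwards."""

    def __init__(self, public_ip: str,
                 port_forwards: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.public_ip = public_ip
        # static rules for unsolicited inbound connections: (proto, public_port) -> (internal_ip, port)
        self.port_forwards = dict(port_forwards or {})
        # dynamic translation table, kept in both directions
        self.out_map: Dict[Tuple[str, str, int, str, int], int] = {}        # (proto, in_ip, in_port, ext_ip, ext_port) -> public_port
        self.in_map: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}  # (proto, public_port, ext_ip, ext_port) -> (in_ip, in_port)
        self.next_port = 40000

    def _bind(self, proto, in_ip, in_port, ext_ip, ext_port, public_port) -> None:
        self.out_map[(proto, in_ip, in_port, ext_ip, ext_port)] = public_port
        self.in_map[(proto, public_port, ext_ip, ext_port)] = (in_ip, in_port)

    def _allocate_port(self, proto: str) -> int:
        while (proto, self.next_port) in self.port_forwards:   # never hand out a forwarded port
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private network so it appears to come from the public IP."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:                            # first packet of a new flow
            self._bind(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport,
                       self._allocate_port(pkt.proto))
        return replace(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving from the Internet; return None when it must be dropped."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.in_map:                                 # reply to a translated flow
            in_ip, in_port = self.in_map[key]
        elif (pkt.proto, pkt.dport) in self.port_forwards:      # explicitly forwarded service
            in_ip, in_port = self.port_forwards[(pkt.proto, pkt.dport)]
            self._bind(pkt.proto, in_ip, in_port, pkt.src, pkt.sport, pkt.dport)
        else:
            return None                                        # unsolicited: discarded
        return replace(pkt, dst=in_ip, dport=in_port)


def run_scenario() -> Dict[str, object]:
    """Two internal hosts reach the same external service; a probe and a forwarded web request arrive."""
    nat = Nat("198.51.100.1", port_forwards={("tcp", 80): ("10.0.0.80", 80)})
    a = nat.outbound(Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443))
    b = nat.outbound(Packet("tcp", "10.0.0.6", 51000, "203.0.113.10", 443))   # same target, same local port
    reply_a = nat.inbound(Packet("tcp", "203.0.113.10", 443, "198.51.100.1", a.sport))
    reply_b = nat.inbound(Packet("tcp", "203.0.113.10", 443, "198.51.100.1", b.sport))
    unsolicited = nat.inbound(Packet("tcp", "203.0.113.66", 4444, "198.51.100.1", 22))
    web = nat.inbound(Packet("tcp", "203.0.113.66", 5000, "198.51.100.1", 80))
    web_reply = nat.outbound(Packet("tcp", "10.0.0.80", 80, "203.0.113.66", 5000))
    return {
        "public_src": (a.src, b.src),
        "public_ports": (a.sport, b.sport),
        "reply_a_dst": (reply_a.dst, reply_a.dport),
        "reply_b_dst": (reply_b.dst, reply_b.dport),
        "unsolicited_dropped": unsolicited is None,
        "web_forwarded_to": (web.dst, web.dport),
        "web_reply_src": (web_reply.src, web_reply.sport),
    }
```

The two internal hosts used the same local port against the same server, so the allocated public port is what keeps their replies apart; the forwarded web connection is bound into the same table so the server's replies leave with the public address and port 80 rather than a fresh allocation.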
5. Personal firewall
Many personal firewall products now circulate on the Internet; these are application-level firewalls. A personal firewall is software that protects a single personal computer. It runs directly on the user's computer and protects it from attacks in the same way as a state/dynamic inspection firewall. Typically these firewalls sit at a low level of the computer's network interface, allowing them to monitor all network traffic entering and leaving the network card.
Once a personal firewall is installed, it can be put into "learning mode". In this mode, for every new kind of network traffic encountered, the personal firewall prompts the user and asks how to deal with it. The personal firewall then remembers the response and applies it to the same kind of traffic encountered later.
For example, if the user has installed a personal web server, the personal firewall may flag the first incoming web connection and ask the user whether to allow it. The user may allow all web connections, connections from certain IP address ranges, and so on, and the personal firewall then applies this rule to all incoming web connections.
Basically, you can think of a personal firewall as establishing a virtual network interface on the user's computer. The operating system no longer talks directly to the network card; instead it talks to the personal firewall, which carefully inspects the network traffic and then passes it on through the network card.
2. Advantages and disadvantages of various firewalls
1. Packet Filter Firewall
The advantages of using packet filtering firewalls include:
The firewall implements low-level control of each incoming and outgoing network packet.
The fields of each IP packet are checked, such as source address, destination address, protocol, port, etc. The firewall will apply filtering rules based on this information.
The firewall can identify and discard packets with spoofed source IP addresses.
The packet filtering firewall is the only point of access between the two networks. Because all traffic must pass through the firewall, bypassing it is difficult.
Packet filtering is usually built into routers, so no additional system is needed to provide this function.
Disadvantages of using packet filtering firewalls include:
Difficult to configure. Because a packet filtering firewall is complex, people often neglect to create necessary rules or misconfigure existing ones, leaving holes in the firewall. However, many newer firewall versions on the market are improving on this drawback, for example by providing graphical user interface (GUI)-based configuration and more direct rule definitions.
Ports opened for specific services are dangerous and may be used for other traffic. For example, if the web server's default port is 80 and RealPlayer is installed on a computer, RealPlayer will search for ports it is allowed to use to connect to the RealAudio server. Regardless of whether that port is used by other protocols, RealPlayer will try port 80. Inadvertently, RealPlayer makes use of the web server's port.
There may be other ways to bypass the firewall and get into the network, such as a dial-in connection. This is not a shortcoming of the firewall itself, but it is a reason not to rely solely on the firewall for network security.
2. State/dynamic inspection firewall
The advantages of a state/dynamic inspection firewall are:
The ability to check each field of the IP packet and apply filtering rules based on the information in the packet.
The ability to identify packets with spoofed source IP addresses.
The firewall is the only point of access between the two networks. Because all traffic must pass through the firewall, bypassing it is difficult.
The ability to verify a packet's state based on application information, for example allowing the returning FTP packets of an established FTP connection to pass.
The ability to verify a packet's state based on application information, for example allowing a previously authenticated connection to continue communicating with the service it was granted.
The ability to record detailed information about every packet passed. Essentially all the information the firewall uses to determine a packet's state can be logged, including the application that requested the packet, the duration of the connection, connection requests made by internal and external systems, and so on.
Disadvantages of a state/dynamic inspection firewall:
The only disadvantage of the state/dynamic inspection firewall is that all this recording, testing and analysis can introduce some latency into network connections, especially when many connections are active at the same time or when there is a large number of rules filtering network traffic. However, the faster the hardware, the less noticeable this problem is, and firewall manufacturers have been working to speed up their products.
3. Application Proxy Firewall
The advantages of using application proxy firewalls are:
Fine-grained control over connections, such as allowing or denying access based on the server's IP address, or based on the IP address of the user requesting the connection.
Reduce unnecessary services in the network by restricting outgoing requests from certain protocols.
Most proxy firewalls are able to record all connections, including address and duration. This information is useful for tracking attacks and events that occur without authorization.
Disadvantages of using application proxy firewalls are:
The user's system must be configured to some extent, depending on the application used.
Some applications may not support proxy connections at all.
4. NAT
The advantages of using NAT are:
All internal IP addresses are hidden from the outside. For this reason, nobody outside the network can directly attack a specific computer inside it by specifying an IP address.
If public IP addresses are in short supply for any reason, NAT lets the whole internal network share a single IP address.
The basic security mechanism of a packet filtering firewall can be enabled, because all incoming packets not specifically configured in NAT are discarded. Computers on the internal network cannot be reached directly from the external network.
Disadvantages of using NAT:
The disadvantages of NAT are the same as those of packet filtering firewalls. Although it can protect the internal network, it is subject to similar limitations. In addition, the * programs now circulating widely can be used from the intranet to connect outward through NAT, just as easily as through a packet filtering firewall.
Note: Many firewalls from manufacturers today, especially state/dynamic inspection firewalls, also provide NAT functionality in addition to their own functions.
5. Personal firewall
The advantages of personal firewalls are:
An added level of protection, with no additional hardware required.
Besides resisting external attacks, a personal firewall can also resist attacks from inside.
A personal firewall protects a single system on a public network. For example, a home user accesses the Internet via a modem or ISDN/ADSL; a hardware firewall may be too expensive or too troublesome for them. A personal firewall can hide information the user would otherwise expose on the network, such as the IP address.
Disadvantages of personal firewalls:
The main disadvantage of a personal firewall is that it has only one physical interface, facing the public network. Remember that a real firewall should monitor and control the traffic passing between two or more network interfaces. Because of this, the personal firewall itself may be exposed to threats, or it may have a weakness that lets network traffic bypass its rules.
We have now introduced several types of firewall and discussed the advantages and disadvantages of each. Remember that any firewall only makes network communication or data transmission more secure; we cannot rely entirely on firewalls. Besides relying on firewalls, we must also harden the system and improve our own security awareness. In this way data, communications and web sites will be more secure.
Finally, some suggestions for the system and network administrator:
1. Contact security product vendors promptly and install a firewall.
2. Follow some of the major security sites in China to get news of the latest system vulnerabilities.
3. Interested readers can communicate with us through IRC (use IRC client software to log in to: 6667 server and enter the #isbase channel), and you will get more information.
Special thanks for providing some technical information for this article. Article entry: aaadxmm Editor in charge: aaadxmm
1. Basic classification of firewalls
1. Packet Filter Firewall
The first generation firewall and the most basic form of firewall check each passing network packet, either discarding or releasing, depending on the set of rules established. This is called a packet filtering firewall.
Essentially, a packet filtering firewall is multi-access, indicating that it has two or more network adapters or interfaces. For example, a device that acts as a firewall may have two network cards (NICs), one connected to the internal network and the other connected to the public Internet. The task of the firewall is to act as a "communication policeman", guide packages and intercept those harmful packages.
The Packet Filter Firewall checks every incoming packet and views the basic information available in the packet (source and destination addresses, port numbers, protocols, etc.). Then, compare this information with the rules established. If a blocking telnet connection has been set up and the destination port of the packet is 23, the packet will be discarded. If incoming web connections are allowed and the destination port is 80, the packet will be released.
Combination of multiple complex rules is also feasible. If web connections are allowed, but only for a specific server, the destination port and destination address must match the rule before the packet can be passed.
Finally, it can be determined what will happen next if no rules are defined for a package when it arrives. Usually, for security reasons, packets that do not match the incoming rules are discarded. If there is a reason to get the package through, a rule is established to handle it.
An example of establishing a packet filtering firewall rule is as follows:
For packets from private networks, only packets from internal addresses are allowed to pass, because other packets contain incorrect packet header information. This rule prevents anyone inside the network from attacking through a spoofed source address. Moreover, if a hacker has access to machines inside a private network that doesn't know where to get it, this filtering method can prevent hackers from launching attacks from inside the network.
On public networks, only packets with destination address of port 80 are allowed to pass. This rule only allows incoming connections to be web connections. This rule also allows connections using the same port as web connections, so it is not very secure.
Discard packets coming in from the public network, and these packets have source addresses within your network, thereby reducing IP spoofing attacks.
Discard packets containing source routing information to reduce source routing attacks. Remember that in a source routing attack, incoming packets contain routing information, which overwrites the normal routing of packets through the network, which may bypass existing security procedures. By ignoring source routing information, a firewall can reduce attacks in this way.
2. Status/dynamic detection firewall
State/dynamic detection firewall attempts to track network connections and packets through the firewall, so that the firewall can use an additional set of criteria to determine whether communication is allowed and denied. It uses some techniques to do this in communications using basic packet filtering firewalls.
When the packet filtering firewall sees a network packet, the packet exists in isolation. It has no history or future that the firewall cares about. The decision to allow and reject a package depends entirely on the information contained in the package itself, such as the source address, destination address, port number, etc. If the packet does not contain any information describing its location in the information flow, the packet is considered stateless; it is only existence.
A stateful package checks a firewall tracks not only the information contained in the package. In order to track the status of the packet, the firewall also records useful information to help identify the packet, such as existing network connections, outgoing data requests, etc.
For example, if an incoming packet contains a stream of video data, and the firewall may have recorded the information about the application located at a particular IP address that recently requested a video signal from the source address of the packet. If the incoming packet is to be passed to the same system that issued the request, the firewall will match and the packet can be allowed to pass.
A state/dynamic detection firewall truncates all incoming communications while allowing all outgoing communications. Because the firewall tracks out requests from within, all incoming data are allowed to pass until the connection is closed. Only unsolicited incoming communications are truncated.
If a server is running within a firewall, the configuration becomes slightly more complicated, but status package checking is a powerful and adaptable technology. For example, a firewall can be configured to allow only communications entering from a specific port and only to a specific server. If the web server is running, the firewall sends only the incoming traffic from port 80 to the specified web server.
Some other additional services that the State/Dynamic Detection Firewall can provide are:
Redirect certain types of connections to the audit service. For example, a connection to a dedicated web server may be sent to a SecutID server (used with a one-time password) before the web server connection is allowed.
Reject network communications carrying certain data, such as incoming electronic messages with additional executable programs, or web pages containing ActiveX programs.
The way connection status is tracked depends on the type of packet passing through the firewall:
TCP packet. When a TCP connection is established, the first packet passed is marked with the SYN flag of the packet. Typically, the firewall discards all external connection attempts unless a specific rule has been established to handle them. For internal connections, attempts to connect to external hosts, the firewall states the connection packets, allowing responses and subsequent packets between the two systems until the connection is over. In this way, the incoming packet is only allowed to pass if it is in response to an established connection.
UDP package. UDP packets are simpler than TCP packets because they do not contain any connection or sequence information. They only contain data carried by the source address, destination address, checksum. This lack of information makes it difficult for the firewall to determine the legitimacy of the packet, as there are no open connections available to test whether the incoming packet should be allowed to pass. However, if the firewall tracks the status of the packet, it can be determined. For an incoming packet, if the address it uses and the protocol carried by the UDP packet matches the outgoing connection request, the packet is allowed to pass. Like the TCP packet, no incoming UDP packet will be allowed to pass unless it is in response to an outgoing request or has established a specified rule to handle it. For other types of packages, the situation is similar to that of UDP packages. The firewall carefully tracks outgoing requests, records the address, protocol and packet type used, and then checks incoming packets against the saved information to ensure that these packets are requested.
3. Application Proxy Firewall
Application proxy firewall does not actually allow direct communication between the networks it connects to. Instead, it accepts communication from the internal network specific user application and then establishes a separate connection on the public network server. Users inside the network do not communicate directly with external servers, so the server cannot directly access any part of the internal network.
In addition, if agent code is not installed for a specific application, such a service will not be supported and no connections can be established. This way of setting up rejects any connections that are not explicitly configured, thus providing additional security and control.
For example, a user's web browser may be on port 80, but often on port 1080, connected to the HTTP proxy firewall of the internal network. The firewall will then accept this connection request and transfer it to the requested web server.
This connection and transfer is transparent to this user because it is handled entirely automatically by the proxy firewall.
Some common applications commonly supported by proxy firewalls are:
HTTP
HTTPS/SSL
SMTP
POP3
IMAP
NNTP
TELNET
FTP
IRC
Application proxy firewall can be configured to allow any connection from the internal network, and it can also be configured to require user authentication before establishing the connection. The way in which authentication is required is the limitation of establishing connections only for known users, providing additional security guarantees. If the network is compromised, this feature greatly reduces the possibility of attacks from within.
4.NAT
When discussing the topic of firewall, it is necessary to mention that there is a router, although it is not a firewall at all. Network Address Translation (NAT) protocol converts multiple IP addresses of the internal network into a public address and sends them to the Internet.
NAT is often used in small offices, homes and other networks. Multiple users share a single IP address and provide some security mechanisms for Internet connections.
When an internal user communicates with a public host, NAT tracks which user makes the request and modify the outgoing packet, so that the packet is like coming from a single public IP address and then opening the connection. Once a connection is established, communications flowing back and forth between the internal computer and the Web site are transparent.
When an unsolicited incoming connection comes from a public network, NAT has a set of rules to decide how to deal with it. Without predefined rules, NAT simply discards all unsolicited incoming connections, just like the packet filtering firewall does.
However, just like a packet filtering firewall, you can configure NAT to accept incoming connections from certain specific ports and send them to a specific host address.
5. Personal firewall
Now there are many personal firewall software circulating on the Internet, which is application-level. A personal firewall is a software that can protect the security of a personal computer system. It can run directly on the user's computer, protecting a computer from attacks in the same way as a state/dynamic detection firewall. Typically, these firewalls are installed at a lower level of computer network interfaces, allowing them to monitor all network communications incoming and outgoing network cards.
Once a personal firewall is installed, it can be set to "learning mode". In this way, for every new network communication encountered, the personal firewall will prompt the user to ask how to deal with that kind of communication. Then the personal firewall remembers the response method and applies it to the same kind of network communication you encounter later.
For example, if the user has installed a personal web server, the personal firewall may flag the first incoming web connection and ask the user whether to allow it to pass. The user may allow all web connections, connections from certain IP address ranges, etc., and the personal firewall then applies this rule to all incoming web connections.
Basically, you can think of a personal firewall as establishing a virtual network interface on the user's computer. It is no longer the computer's operating system that communicates directly through the network card, but uses the operating system to communicate with the personal firewall, carefully check network communication, and then communicate through the network card.
2. Advantages and disadvantages of various firewalls
1. Packet Filter Firewall
The advantages of using packet filtering firewalls include:
The firewall implements low-level control of each incoming and outgoing network packet.
The fields of each IP packet are checked, such as source address, destination address, protocol, port, etc. The firewall will apply filtering rules based on this information.
The firewall can identify and discard packets with spoofed source IP addresses.
The packet filtering firewall is the only point of access between the two networks. Because all communication must pass through the firewall, bypassing it is difficult.
Packet filtering is usually built into router software, so no additional system is needed to provide this feature.
Disadvantages of using packet filtering firewalls include:
Difficult to configure. Because packet filtering rules are complex, people often fail to create necessary rules, or misconfigure existing ones, leaving holes in the firewall. Many newer firewall products are improving on this drawback, for example with graphical user interface (GUI)-based configuration and more direct ways of defining rules.
Ports opened for a specific service are dangerous, because other traffic may use them. For example, the web server's default port is 80; if RealPlayer is installed on a computer, it will look for a port it is allowed to use to reach the RealAudio server, and it will try port 80 regardless of whether that port is meant for another protocol. Without anyone intending it, RealPlayer ends up using the web server's port.
There may be other ways into the network that bypass the firewall, such as a dial-in connection. This is not a shortcoming of the firewall itself, but it is a reason why network security should not rely solely on the firewall.
2. State/dynamic detection firewall
The advantages of state/dynamic detection firewalls are:
The ability to check each field of the IP packet and apply filtering rules based on the information in the packet.
The ability to identify packets with spoofed source IP addresses.
The firewall is the only point of access between the two networks. Because all communication must pass through the firewall, bypassing it is difficult.
The ability to verify a packet's status against application-level information, for example allowing the returning FTP data packets to pass because an FTP connection has already been established.
The ability to verify a packet's status against application-level information, for example allowing a previously authenticated connection to continue communicating with the service it was granted access to.
The ability to record detailed information about each packet that passes. Essentially all the information the firewall uses to determine a packet's status can be recorded, including the application's request that produced the packet, the duration of the connection, the connection requests made by internal and external systems, and so on.
Disadvantages of state/dynamic detection firewall:
The only disadvantage of the state/dynamic detection firewall is that all of this recording, checking and analysis can add some latency to network connections, especially when many connections are active at the same time or when there is a large number of rules for filtering network communication. However, the faster the hardware, the less noticeable this problem becomes, and firewall manufacturers have been working to speed up their products.
3. Application Proxy Firewall
The advantages of using application proxy firewalls are:
Fine-grained control over connections, such as allowing or denying access based on the server's IP address, or allowing or denying access based on the IP address from which the user's connection request comes.
Reduces unnecessary services in the network by restricting outgoing requests for certain protocols.
Most proxy firewalls can record all connections, including addresses and duration. This information is useful for tracing attacks and unauthorized events.
Disadvantages of using application proxy firewalls are:
The user's systems must be configured to some extent, depending on the applications used.
Some applications may not support proxy connections at all.
4. NAT
The advantages of using NAT are:
All internal IP addresses are hidden from the outside. For this reason, no one outside the network can directly attack a specific computer inside it by specifying its IP address.
If for some reason public IP addresses are in short supply, NAT lets the entire internal network share a single IP address.
The basic security mechanism of a packet filtering firewall is obtained for free, because any incoming packet that NAT has not been specifically configured to accept is discarded. Computers on the internal network therefore cannot be reached directly from external networks.
Disadvantages of using NAT:
The disadvantages of NAT are the same as those of packet filtering firewalls. Although it can protect the internal network, it is subject to similar limitations. In addition, hosts on the intranet can use the widely circulating * program, which can connect outward through NAT just as easily as it passes through a packet filtering firewall.
Note: There are many firewalls developed by manufacturers now, especially state/dynamic detection firewalls, which also provide NAT functions in addition to the functions they should have.
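The following is an added example, not code from the article, that models the NAT behaviour described in this section and in the earlier paragraphs on unsolicited incoming connections: outbound flows from private addresses are rewritten onto one public address and recorded in a translation table, replies are mapped back through that table, and unsolicited inbound packets are discarded unless a pre-configured port-forward rule sends them to a specific internal host. The public address, internal hosts and port-forward rule are constructed for the demonstration.

```python
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"   # constructed: the NAT device's single public address
# Static rules for unsolicited inbound connections, as the article describes:
# (proto, public port) -> (internal host, internal port). Nothing else gets in.
PORT_FORWARDS = {("tcp", 80): ("192.168.1.20", 80)}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

class Nat:
    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        # outbound flow (proto, int_ip, int_port, rem_ip, rem_port) -> public port
        self.out_map = {}
        # (proto, public port, rem_ip, rem_port) -> (int_ip, int_port), for replies
        self.in_map = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an internal -> external packet so it carries the public address."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key not in self.out_map:
            pub = self.next_port
            self.next_port += 1
            self.out_map[key] = pub
            self.in_map[(p.proto, pub, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=PUBLIC_IP, sport=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate an external -> public packet back to the internal host,
        or return None to discard it."""
        if p.dst != PUBLIC_IP:
            return None                         # not addressed to this NAT device
        # A reply to a flow we opened: use the translation table
        hit = self.in_map.get((p.proto, p.dport, p.src, p.sport))
        if hit is None:
            # Unsolicited: only a pre-configured port-forward rule lets it through
            hit = PORT_FORWARDS.get((p.proto, p.dport))
        if hit is None:
            return None                         # discarded, like a packet filter's default deny
        int_ip, int_port = hit
        return replace(p, dst=int_ip, dport=int_port)
```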
5. Personal firewall
The advantages of personal firewalls are:
An added layer of protection, with no additional hardware required.
In addition to resisting external attacks, a personal firewall can also resist attacks from inside the network.
A personal firewall protects a single system on a public network. For example, a home user who connects to the Internet over a modem or ISDN/ADSL may find a hardware firewall too expensive or too much trouble. A personal firewall can hide information that would otherwise be exposed on the network, such as the user's IP address.
Disadvantages of personal firewalls:
The main disadvantage of a personal firewall is that it has only one physical interface, the one facing the public network. Remember that a real firewall should monitor and control the communication between two or more network interfaces. Because of this, the personal firewall itself may be exposed to threats, or may have a weakness that lets network communication bypass its rules.
Above we have introduced several types of firewalls and discussed the advantages and disadvantages of each. Remember that any kind of firewall only makes network communication or data transmission more secure; we cannot rely entirely on it. Besides relying on firewalls, we must also harden the systems themselves and improve our own security awareness. In this way, data, communications and web sites will be more secure.
Finally, some suggestions for the system and network administrator:
1. Get in touch with security product providers promptly and install a firewall.
2. Follow some of the well-known security sites in China to get news about the latest system vulnerabilities.
3. Interested readers can communicate with us through IRC (use IRC client software to log in to: 6667 server and enter the #isbase channel), and you will get more information.
Special thanks for providing some technical information for this article. Article entry: aaadxmm Editor in charge: aaadxmm