Network security is not only about guarding against network viruses; it also covers a system's ability to resist intrusion by external, unauthorized hackers. Network viruses can be dealt with by anti-virus software, but what measures can we take to guard against hacker intrusion? It was in this situation that network firewall technology emerged. So what exactly is a firewall, and what does it do? Please read on patiently.
First, the basic concept of a firewall
In ancient times, people often built a brick wall between houses so that, if a fire broke out, it would stop the blaze from spreading to the neighbouring houses. Today, once a network is connected to the Internet, its users can reach the outside world and communicate with it; but by the same token, the outside world can also reach this network and interact with it. For safety, an intermediary system can be inserted between the network and the Internet to raise a security barrier. The job of this barrier is to block threats and intrusions coming from outside through the network, and to provide a single checkpoint at which the network's security can be maintained and audited. Because its function resembles the old fire-protection brick wall, this barrier is named a "firewall".
In computing, a firewall is a device built from a combination of software or hardware, usually placed between an enterprise's internal local area network and the Internet, that limits what Internet users may access on the internal network and manages what internal users may access outside. In other words, a firewall is a blocking tool placed between an internal network that is considered safe and trustworthy and an external network (usually the Internet) that is considered unsafe and untrustworthy. A firewall is a passive technology: because it assumes the existence of a network boundary, it has difficulty effectively controlling illegal access that originates inside the network. For this reason a firewall is only suited to relatively self-contained networks, such as an enterprise's internal closed network.
Second, the basic principles of a firewall
1. Filter out unsafe services
Under this principle, the firewall should first block all traffic, then open, item by item, only the services it intends to provide safely, strangling at birth any unsafe service or any service with hidden security risks. This is a very effective and practical method that can create a very secure environment, because only services that have been carefully chosen are permitted for users to use.
2. Filter out illegal users and access to specific sites
Under this principle, the firewall should first permit all users and sites to access the internal network; the network administrator then shields, item by item by IP address, the unauthorized users or the sites that are not trusted. This method creates a more flexible application environment: the administrator can open different services to different users and can freely set different access rights for each user.
Third, the basic measures of a firewall
The firewall's security function is realized mainly by two measures.
1. Proxy server (suitable for dial-up Internet access)
In this approach the internal network does not communicate directly with the Internet. Computers on the internal network communicate with the proxy server using one protocol, namely the internal network protocol (NetBIOS, TCP/IP), while communication between the proxy server and the Internet uses the standard TCP/IP network service protocol. Communication between computers inside and outside the firewall is relayed through the proxy server, as the following structure shows:
Internal network -> proxy server -> Internet
This achieves isolation between the computer systems inside and outside the firewall; because the two sides of the proxy server use different protocol standards, direct illegal intrusion from outside can be effectively prevented.
The proxy server is usually a computer with good performance, fast processing and large capacity. Functionally it is the connection between the internal network and the Internet: to the internal network it looks like a genuine server, while to the servers on the Internet it is also a client. After the proxy server accepts a user's request, it checks whether the site the user requested meets the configured requirements; if the user is permitted to visit that site, the proxy server connects to it, retrieves the required information, and forwards it back to the user.
Moreover, the proxy server can also provide safer options: for example it can implement strong monitoring, filtering, recording and reporting of data streams, and it can also provide very good access control, logging ability and address translation ability. However, with this kind of firewall measure, when the internal network has many terminals, efficiency will definitely suffer, the load on the proxy server will be very heavy, and much of the client software used to access the Internet will be unable to reach the Internet normally from computers on the internal network.
2. Router and filter
In this structure the router and the filter together restrict external computers' access to the internal network, and can also specify or limit the internal network's access to the Internet. The router only routes data traffic on the filter's specific ports; the filter's main function is to pass data packets selectively at the network layer, taking the IP (Internet Protocol) packet information as its basis: according to the source IP address, the destination IP address, the encapsulated protocol and the port number, it decides whether to let the packet pass. The biggest advantage of this firewall measure is that it is transparent to the user, i.e. the user does not have to enter an account name and password to log in, so it is faster than the proxy server and less prone to bottlenecks. However, its shortcoming is also very obvious: there is no record of user usage, so we cannot discover illegal intrusions or attacks from the access records.
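As an added example (not code from the original article), the two principles above, default-deny with services opened item by item and default-allow with untrusted sites shielded by IP, expressed as a header-only packet filter of the kind the router-and-filter measure describes; the rule set, the address ranges and the sample packets are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # encapsulated protocol, e.g. "tcp" or "udp"
    dport: int    # destination port number

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source network (CIDR); default matches any
    dst: str = "0.0.0.0/0"        # destination network (CIDR)
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        # Only IP and transport header fields are consulted; the filter has no idea which user sent the packet.
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def decide(rules: List[Rule], default: str, p: Packet) -> str:
    """First matching rule wins; otherwise the policy's default applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Principle 1: block everything, then open only vetted services (web, mail) on the
# internal network 192.0.2.0/24 (a documentation range, constructed here).
DEFAULT_DENY = ([Rule("allow", dst="192.0.2.0/24", proto="tcp", dport=80),
                 Rule("allow", dst="192.0.2.0/24", proto="tcp", dport=25)], "deny")

# Principle 2: allow everything, then shield an untrusted site by its IP range.
DEFAULT_ALLOW = ([Rule("deny", src="198.51.100.0/24")], "allow")

# Constructed samples: a web request, a telnet attempt, a web request from the untrusted range.
SAMPLES = [Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
           Packet("203.0.113.5", "192.0.2.10", "tcp", 23),
           Packet("198.51.100.7", "192.0.2.10", "tcp", 80)]

def evaluate(policy) -> List[str]:
    """Run every sample packet through a (rules, default) policy."""
    rules, default = policy
    return [decide(rules, default, p) for p in SAMPLES]

print("default-deny :", evaluate(DEFAULT_DENY))    # ['allow', 'deny', 'allow']
print("default-allow:", evaluate(DEFAULT_ALLOW))   # ['allow', 'allow', 'deny']
```

The third sample packet shows the caveat the text raises: because the filter sees only addresses, protocol and port, the default-deny policy still admits a packet from an untrusted host on an opened service, and no user identity is available to record for later audit.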