A firewall is a security gate between a trusted network and an untrusted network: it tracks and controls the traffic crossing that boundary and decides whether each piece of traffic should be passed, rejected, encrypted, or logged.
Prevent attacks from untrusted networks: protect the internal network from attacks originating on untrusted external networks.
Protect the data integrity of critical information.
Preserve customer and partner confidence (and keep the organization's own network from becoming a staging point for attacks on others).
A firewall protects:
Data: proprietary corporate information; financial information; sensitive employee or customer data.
Resources: computer resources; time resources; bandwidth resources.
Reputation: loss of confidence in the organization; an intruder using the organization's network to attack other sites.
Packet filter: analyzes each datagram going through it and makes the drop decision based on:
source IP address; destination IP address; source port; destination port; TCP flag bits (SYN or ACK); protocol, TCP or UDP or ICMP (firewalls are often configured to block all UDP); direction; router interface (NIC).
Characteristics:
Packets are examined at the network layer. Commonly deployed on routers. Simple accept-or-reject decision model. No awareness of higher protocol layers.
Example:
Access control list (ACL): rules are applied from top to bottom (the order is the priority):
| action | source address | dest address | protocol | source port | dest port | flag bit | note |
|---|---|---|---|---|---|---|---|
| deny | 140.114/16 | outside of 140.114/16 | TCP | >1023 | 80 | any | deny access to the external web |
| allow | outside of 140.114/16 | 140.114.44.2 | TCP | >1023 | 80 | SYN | allow access to the published host 140.114.44.2 |
| allow | outside of 140.114/16 | 140.114/16 | UDP | >1023 | 53 | — | allow DNS queries |
| allow | outside of 140.114/16 | 140.114/16 | UDP | 53 | >1023 | — | allow DNS replies |
| deny | all | all | all | all | all | all | deny every packet not matched above |
Each router/firewall interface can have its own ACL.
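To show how the ACL above is actually evaluated, here is a small first-match packet filter (an added example, not code from the original page) that encodes the five rules exactly as given; the hosts in 203.0.113.0/24 are constructed "outside" addresses. The last two cases in demo() illustrate the disadvantages listed next: a stateless filter cannot tell a real DNS reply from any other UDP datagram whose source port is 53, and the rule set as written has no row for the published web server's own replies, so those fall through to the final deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("140.114.0.0/16")   # the protected network from the ACL above


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "TCP", "UDP" or "ICMP"
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flag names that are set, e.g. {"SYN"}


def addr_ok(addr: str, spec: str) -> bool:
    """spec is 'inside' (140.114/16), 'outside', 'all', or 'host:<ip>' for a single host."""
    if spec == "all":
        return True
    if spec.startswith("host:"):
        return addr == spec[5:]
    inside = ip_address(addr) in INSIDE
    return inside if spec == "inside" else not inside


def port_ok(port: int, spec: str) -> bool:
    if spec == "all":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def flag_ok(flags: frozenset, spec: str) -> bool:
    """'any'/'all' and '-' (the UDP rows) place no constraint; otherwise that flag must be set."""
    return spec in ("any", "all", "-") or spec in flags


# The ACL table above, in order: (action, src, dst, proto, sport, dport, flag)
ACL = [
    ("deny",  "inside",  "outside",           "TCP", ">1023", "80",    "any"),
    ("allow", "outside", "host:140.114.44.2", "TCP", ">1023", "80",    "SYN"),
    ("allow", "outside", "inside",            "UDP", ">1023", "53",    "-"),
    ("allow", "outside", "inside",            "UDP", "53",    ">1023", "-"),
    ("deny",  "all",     "all",               "all", "all",   "all",   "all"),
]


def filter_packet(pkt: Packet, acl=ACL) -> str:
    """First-match evaluation, top to bottom; an exhausted list is an implicit deny."""
    for action, src, dst, proto, sport, dport, flag in acl:
        if (addr_ok(pkt.src, src) and addr_ok(pkt.dst, dst)
                and proto in ("all", pkt.proto)
                and port_ok(pkt.sport, sport) and port_ok(pkt.dport, dport)
                and flag_ok(pkt.flags, flag)):
            return action
    return "deny"


def demo() -> dict:
    """Constructed packets; 203.0.113.0/24 is a documentation range standing in for 'outside'."""
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    return {
        # rule 1: an inside client trying to browse the outside web
        "outbound_web": filter_packet(Packet("140.114.1.10", "203.0.113.80", "TCP", 40000, 80, syn)),
        # rule 2: an outside client opening a connection to the published web server
        "inbound_syn_to_44_2": filter_packet(Packet("203.0.113.5", "140.114.44.2", "TCP", 50000, 80, syn)),
        # the same thing aimed at any other inside host falls through to the final deny
        "inbound_syn_to_44_3": filter_packet(Packet("203.0.113.5", "140.114.44.3", "TCP", 50000, 80, syn)),
        # rule 4: a DNS reply to an inside resolver
        "dns_reply": filter_packet(Packet("203.0.113.53", "140.114.1.10", "UDP", 53, 40123)),
        # stateless weakness: any UDP datagram with source port 53 looks exactly like a reply
        "sport53_probe": filter_packet(Packet("203.0.113.99", "140.114.1.10", "UDP", 53, 2049)),
        # no rule covers the web server's own replies (sport 80 -> outside, dport >1023): deny-all
        "server_reply": filter_packet(Packet("140.114.44.2", "203.0.113.5", "TCP", 80, 50000, ack)),
    }
```

The `sport53_probe` and `server_reply` results are the kind of thing a rule table only reveals when it is executed against traffic, which is why stateless rule sets are hard to test by inspection.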
Advantages:
One router can protect an entire network. Can be efficient if the filtering rules are kept simple. Widely available: almost any router, even Linux boxes.
Disadvantages:
Can possibly be penetrated. Cannot enforce some policies, for example permitting only certain users. Rules can get complicated and difficult to test.
NAT (Network Address Translation): converts a network's private IP addresses to a public IP address.
- Hides the true addresses of individual hosts, protecting them from direct attack.
- Allows more devices to be connected to the network.
Hiding addresses is not access control by itself: what actually stops unsolicited inbound traffic is that the NAT has no translation-table entry for it, so NAT belongs behind a filtering policy, not in place of one.
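A minimal port-translating NAT as an added example (not code from the page): a single public address is assumed (203.0.113.1, a documentation address) and the simplest "full cone" mapping behaviour is used. It shows both points above in one run: two inside hosts that use the same source port appear as one public address with distinct public ports, and an unsolicited inbound packet, having no mapping, is dropped.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"   # assumed public address of the NAT device (documentation range)


@dataclass(frozen=True)
class Datagram:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Port-translating NAT (NAPT) behind one public address.

    Mapping is endpoint-independent ("full cone"): once a private endpoint has been given
    a public port, anything arriving at that port is forwarded. Real devices may also
    require the remote endpoint to match the one the mapping was created for.
    """

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (proto, private ip, private port) -> public port
        self.back = {}   # (proto, public port) -> (private ip, private port)

    def outbound(self, d: Datagram) -> Datagram:
        """Rewrite the source of an inside->outside datagram, allocating a mapping on first use."""
        key = (d.proto, d.src, d.sport)
        if key not in self.out:
            public_port = self.next_port
            self.next_port += 1
            self.out[key] = public_port
            self.back[(d.proto, public_port)] = (d.src, d.sport)
        return replace(d, src=self.public_ip, sport=self.out[key])

    def inbound(self, d: Datagram):
        """Rewrite the destination of an outside->inside datagram; None means 'no mapping, drop'."""
        target = self.back.get((d.proto, d.dport))
        if target is None:
            return None
        return replace(d, dst=target[0], dport=target[1])


def demo() -> dict:
    """Constructed traffic: 10.0.0.0/8 inside, 198.51.100.0/24 (documentation range) outside."""
    nat = Napt()
    # two inside hosts happen to pick the same source port; the NAT must keep them apart
    a = nat.outbound(Datagram("TCP", "10.0.0.5", 5000, "198.51.100.10", 443))
    b = nat.outbound(Datagram("TCP", "10.0.0.6", 5000, "198.51.100.10", 443))
    # the reply for host a arrives at the public port the NAT chose for it
    reply_a = nat.inbound(Datagram("TCP", "198.51.100.10", 443, PUBLIC_IP, a.sport))
    # unsolicited inbound connection attempt: no mapping exists, so it is dropped
    probe = nat.inbound(Datagram("TCP", "198.51.100.66", 4444, PUBLIC_IP, 22))
    return {
        "a_public_port": a.sport,
        "b_public_port": b.sport,
        "reply_a_private": (reply_a.dst, reply_a.dport),
        "probe_dropped": probe is None,
        "hosts_hidden": a.src == b.src == PUBLIC_IP,
    }
```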
Application proxies provide the most secure type of data connection.
They examine every layer of the communication, including the application data.
The connection from a client to a server is intercepted by the proxy, which sits between the two.
Because inspection happens at the application layer, packets can be filtered on their content.
Characteristics:
If the proxy determines that the connection is allowed, it opens a second connection to the server from itself.
The data portion of each packet must be stripped off, examined, rebuilt, and sent again on the second connection.
This thorough examination and handling of packets means that proxy firewalls are very secure and generally slow.
Proxies must understand the application layer. As new protocols are developed, new proxies must be written and implemented to handle them.
Applications:
Web proxy servers. Application proxy servers, for example a mail server.
Second-generation firewall technology: makes connections on behalf of the client, but is not flexible.
SOCKS: the SOCKS proxy protocol is a generic proxy protocol, so an application does not have to have all of its code redone to be proxified.
It can be used by HTTP, FTP, telnet, SSL, etc., so it is independent of the application-layer protocol.
It includes authentication, restricting which users, applications or IP addresses can pass through the firewall.
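The message-by-message SOCKS exchange, as an added example that is not the page's code: SOCKS version 5 (RFC 1928) with the username/password sub-negotiation of RFC 1929 is assumed, since the page does not name a version. The client-side functions stand in for the SOCKS library linked into the browser and the daemon-side functions for the SOCKS daemon on the firewall host; the user list, the per-user destination policy and the bound address in the success reply are constructed. The daemon refuses the no-authentication method even when the client offers it, and answers "connection not allowed by ruleset" when the requested destination is outside the authenticated user's policy.

```python
import hmac
import struct
from ipaddress import IPv4Address

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

# ---- client side: what the SOCKS library in the browser emits ----

def client_greeting(methods=(NO_AUTH, USERPASS)) -> bytes:
    return bytes([VER, len(methods), *methods])             # VER NMETHODS METHODS


def client_userpass(user: str, password: str) -> bytes:   # RFC 1929 sub-negotiation
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def client_connect(host: str, port: int) -> bytes:
    try:
        addr = bytes([ATYP_IPV4]) + IPv4Address(host).packed
    except ValueError:                                       # not an IPv4 literal: send the name
        h = host.encode()
        addr = bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

# ---- daemon side: runs on the firewall host ----

USERS = {"alice": b"correct horse"}                                      # constructed credential store
POLICY = {"alice": {("www.example.com", 80), ("www.example.com", 443)}}  # constructed per-user rules


def daemon_select_method(greeting: bytes) -> bytes:
    n = greeting[1]
    offered = greeting[2:2 + n]
    if greeting[0] != VER or len(offered) != n or USERPASS not in offered:
        return bytes([VER, NO_ACCEPTABLE])   # authentication is mandatory here; NO_AUTH is never chosen
    return bytes([VER, USERPASS])


def daemon_check_userpass(msg: bytes):
    """Return (reply, authenticated user or None); reply status 0x00 means success."""
    if msg[0] != 0x01:
        return bytes([0x01, 0x01]), None
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen]
    ok = hmac.compare_digest(USERS.get(user, b""), password)   # constant-time comparison
    return bytes([0x01, 0x00 if ok else 0x01]), (user if ok else None)


def daemon_reply(rep: int, bound=("0.0.0.0", 0)) -> bytes:
    return (bytes([VER, rep, 0x00, ATYP_IPV4]) + IPv4Address(bound[0]).packed
            + struct.pack("!H", bound[1]))


def daemon_handle_request(user: str, req: bytes) -> bytes:
    ver, cmd, _rsv, atyp = req[:4]
    if ver != VER or cmd != CMD_CONNECT:
        return daemon_reply(REP_CMD_UNSUPPORTED)
    if atyp == ATYP_IPV4:
        host, off = str(IPv4Address(req[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        host, off = req[5:5 + req[4]].decode(), 5 + req[4]
    else:
        return daemon_reply(0x08)                            # address type not supported
    port = struct.unpack("!H", req[off:off + 2])[0]
    if (host, port) not in POLICY.get(user, set()):
        return daemon_reply(REP_NOT_ALLOWED)                 # connection not allowed by ruleset
    # a real daemon would now open the second connection to (host, port) and relay bytes;
    # the bound address reported back is an assumed value
    return daemon_reply(REP_OK, ("203.0.113.1", 40001))

# ---- the exchange, message by message ----

def socks_exchange(user: str, password: str, host: str, port: int) -> dict:
    method = daemon_select_method(client_greeting())[1]
    if method != USERPASS:
        return {"method": method}
    auth, who = daemon_check_userpass(client_userpass(user, password))
    if who is None:
        return {"method": method, "auth": auth[1]}
    reply = daemon_handle_request(who, client_connect(host, port))
    return {"method": method, "auth": auth[1], "rep": reply[1]}
```

The server at `host:port` never sees any of these messages; once the daemon has accepted the request it opens an ordinary connection there and relays, which is why the server needs no SOCKS library.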
For example, suppose a browser requests a page. The SOCKS library is a collection of procedures: it translates the request into a specific format and sends it to the SOCKS daemon. The SOCKS daemon runs on the firewall host; it authenticates the user and forwards all the data to the server. The server receives the request as ordinary HTTP and does not need a SOCKS library.
Advantages:
A proxy can log all connections and the activity within them. A proxy can provide caching. A proxy can do intelligent filtering based on content. A proxy can perform user-level authentication.
Disadvantages:
Not all services have proxied versions (each proxy is tied to one service). A different proxy server may be needed for each service. Requires modification of the client. Performance is poor.
Stateful filter: state tables are created to maintain connection context (stateful = remember past packets).
Stateful filters log each TCP connection initiated through the firewall (its SYN segment) and time out entries that see no activity for, say, 60 seconds. If the rule table indicates that the state table must be checked, the filter looks up whether the packet belongs to a connection already present in the state table.
Example:
Stateful filter rule table:
| action | source address | dest address | proto | source port | dest port | flag bit | check connections |
|---|---|---|---|---|---|---|---|
| deny | 140.114/16 | outside of 140.114/16 | TCP | >1023 | 80 | any | — |
| allow | outside of 140.114/16 | 140.114/16 | TCP | 80 | >1023 | ACK | √ |
| allow | 140.114/16 | outside of 140.114/16 | UDP | >1023 | 53 | — | — |
| allow | outside of 140.114/16 | 140.114/16 | UDP | 53 | >1023 | — | √ |
| deny | all | all | all | all | all | all | — |
Check the state table: a packet whose rule carries the check passes only if its connection is listed in the connection table; otherwise it is dropped even though a rule matched. Note that, as written, row 1 denies outbound web connections, so no entry is ever created for row 2 to find; row 1 would have to be an allow for row 2 to ever pass its check.
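A connection-tracking filter over the table above, as an added example that is not the page's code. The rule list is constructed: row 1 is an allow rather than the table's deny so that an outbound web connection can create the entry the ACK rule checks, and the 203.0.113.0/24 hosts and arrival times are constructed. It shows the entry being created by the outbound SYN, the SYN/ACK passing the connection check, a spoofed ACK to another inside host and a forged DNS reply being dropped (both would pass a stateless version of the same rules), and the entry expiring after 60 idle seconds.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("140.114.0.0/16")
IDLE_TIMEOUT = 60.0   # seconds without traffic before a connection entry is forgotten


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flag names that are set
    t: float = 0.0                   # arrival time in seconds (constructed clock)


def side_ok(addr: str, spec: str) -> bool:
    if spec == "all":
        return True
    inside = ip_address(addr) in INSIDE
    return inside if spec == "inside" else not inside


def port_ok(port: int, spec: str) -> bool:
    if spec == "all":
        return True
    return port > int(spec[1:]) if spec.startswith(">") else port == int(spec)


# (action, src, dst, proto, sport, dport, flag, check connection table?)
# Row 1 is 'allow' here although the table above says 'deny': without an allowed
# outbound web connection the state table would never hold an entry to check.
RULES = [
    ("allow", "inside",  "outside", "TCP", ">1023", "80",    "any", False),
    ("allow", "outside", "inside",  "TCP", "80",    ">1023", "ACK", True),
    ("allow", "inside",  "outside", "UDP", ">1023", "53",    "-",   False),
    ("allow", "outside", "inside",  "UDP", "53",    ">1023", "-",   True),
    ("deny",  "all",     "all",     "all", "all",   "all",   "all", False),
]


class StatefulFilter:
    def __init__(self):
        self.conns = {}   # (proto, inside ip, inside port, outside ip, outside port) -> last seen

    @staticmethod
    def flow_key(p: Packet):
        """Both directions of one flow map to the same key (inside endpoint first)."""
        if ip_address(p.src) in INSIDE:
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expire(self, now: float) -> None:
        for k in [k for k, seen in self.conns.items() if now - seen > IDLE_TIMEOUT]:
            del self.conns[k]

    def check(self, p: Packet) -> str:
        self.expire(p.t)
        for action, src, dst, proto, sport, dport, flag, needs_conn in RULES:
            if not (side_ok(p.src, src) and side_ok(p.dst, dst)
                    and proto in ("all", p.proto)
                    and port_ok(p.sport, sport) and port_ok(p.dport, dport)
                    and (flag in ("any", "all", "-") or flag in p.flags)):
                continue
            key = self.flow_key(p)
            if needs_conn and key not in self.conns:
                return "deny"   # the rule matched, but nothing inside asked for this: drop it
            if action == "allow":
                self.conns[key] = p.t   # outbound traffic opens the entry; replies refresh it
            return action
        return "deny"


def demo() -> dict:
    fw = StatefulFilter()
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    web = "203.0.113.80"   # an outside web server (documentation address)
    return {
        "outbound_syn": fw.check(Packet("140.114.1.10", web, "TCP", 40000, 80, syn, t=0)),
        "synack_reply": fw.check(Packet(web, "140.114.1.10", "TCP", 80, 40000, synack, t=1)),
        # same source, aimed at an inside host that never opened a connection
        "spoofed_ack": fw.check(Packet(web, "140.114.1.11", "TCP", 80, 40000, ack, t=2)),
        "dns_query": fw.check(Packet("140.114.1.10", "203.0.113.53", "UDP", 40123, 53, t=3)),
        "dns_reply": fw.check(Packet("203.0.113.53", "140.114.1.10", "UDP", 53, 40123, t=4)),
        # a 'reply' from a server that was never queried (the source-port-53 trick)
        "dns_forged": fw.check(Packet("203.0.113.99", "140.114.1.10", "UDP", 53, 40123, t=5)),
        # the web flow has been idle longer than IDLE_TIMEOUT: entry gone, late ACK dropped
        "late_ack": fw.check(Packet(web, "140.114.1.10", "TCP", 80, 40000, ack, t=100)),
    }
```

The only difference from the stateless filter is the `needs_conn` column and the `conns` dictionary; that is what turns "any datagram from port 53" into "a reply to a query we actually sent".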
