Several standards for identifying the strengths and weaknesses of hardware firewall performance

A problem that often confuses users: the functional descriptions of products from different vendors are very similar, and the descriptions from "rising star" vendors look much like those of the well-known brands. How should one tell them apart? Even when products with near-identical descriptions implement the same function, the implementations differ markedly in usability and ease of use.

Part one: network-layer access control

Every firewall must have this feature; otherwise it cannot be called a firewall. Of course, most routers can also achieve it through their own ACL feature.

1. Rule editor

Network-layer access control in a firewall is expressed mainly through rule editing, so the points to examine are: how is network-layer access control expressed as rules? Is the granularity of access control fine enough? Do the rules provide a way to control access at different times? Is the rule configuration interface friendly? Can it easily express the security policy the network administrator intends?
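The questions above (granularity, time-based control, whether the rules express the intended policy) can be made concrete with a small first-match rule evaluator. This is an added illustration, not code from the original article or from any firewall product; the rule fields, the policy and the packet tuples are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One network-layer access control rule; the rule list is evaluated first match wins."""
    action: str                    # "allow" or "deny"
    src: str                       # source CIDR, e.g. "192.168.1.0/24"
    dst: str                       # destination CIDR
    proto: str = "any"             # "tcp", "udp" or "any"
    dport: Optional[int] = None    # destination port, None = any port
    start: Optional[time] = None   # time window start, None = rule applies at all times
    end: Optional[time] = None     # time window end (exclusive)

    def in_window(self, now: time) -> bool:
        if self.start is None or self.end is None:
            return True
        if self.start <= self.end:                    # same-day window, e.g. 08:00-18:00
            return self.start <= now < self.end
        return now >= self.start or now < self.end    # window that wraps past midnight

    def matches(self, pkt: dict, now: time) -> bool:
        return (
            (self.proto == "any" or pkt["proto"] == self.proto)
            and ip_address(pkt["src"]) in ip_network(self.src)
            and ip_address(pkt["dst"]) in ip_network(self.dst)
            and (self.dport is None or pkt["dport"] == self.dport)
            and self.in_window(now)
        )


def evaluate(rules, pkt: dict, now: time, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default (deny) if none match."""
    for rule in rules:
        if rule.matches(pkt, now):
            return rule.action
    return default


# Constructed policy: the office LAN may browse (80/443) during working hours only;
# one admin host may reach the server's SSH port at any time; everything else is denied.
POLICY = [
    Rule("allow", "192.168.1.5/32", "10.0.0.5/32", "tcp", 22),
    Rule("allow", "192.168.1.0/24", "0.0.0.0/0", "tcp", 80, time(8, 0), time(18, 0)),
    Rule("allow", "192.168.1.0/24", "0.0.0.0/0", "tcp", 443, time(8, 0), time(18, 0)),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def check(src: str, dst: str, proto: str, dport: int, now: str) -> str:
    """Evaluate one constructed packet against POLICY at wall-clock time 'HH:MM'."""
    pkt = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    return evaluate(POLICY, pkt, time.fromisoformat(now))


if __name__ == "__main__":
    print(check("192.168.1.20", "93.184.216.34", "tcp", 80, "10:30"))  # allow
    print(check("192.168.1.20", "93.184.216.34", "tcp", 80, "20:00"))  # deny
```

The final catch-all deny rule makes the policy explicit; a firewall whose rule editor cannot express the time window or the /32 host exception would force the administrator into a coarser, more permissive policy.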

2. IP/MAC address binding

IP/MAC address binding looks the same everywhere in outline, but there are details to examine, such as: can the firewall collect IP addresses and their MAC addresses automatically? Does it provide an appropriate alarm mechanism for access that violates an IP/MAC binding rule? These features are very useful: if the firewall cannot collect IP and MAC addresses automatically, the network administrator may be forced to obtain the IP and MAC addresses of every user under their jurisdiction by other means, which is very tedious work.
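The two details named above, automatic collection of the binding table and alarms on violations, are shown below as a learning phase followed by an enforcement phase. This is an added example, not code from the article or from any vendor; the sightings are constructed ARP-style (timestamp, IP, MAC) records of the kind a firewall would gather from its LAN interface.

```python
import ipaddress


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def auto_collect(observations, scope: str):
    """Learning mode: build the binding table from observed pairs inside the managed `scope`.

    The first MAC seen for an IP is recorded; later disagreements are returned as conflicts
    so the administrator can resolve them before the table is enforced.
    """
    net = ipaddress.ip_network(scope)
    bindings, conflicts = {}, []
    for ts, ip, mac in observations:
        if ipaddress.ip_address(ip) not in net:
            continue                          # not our segment, do not learn it
        mac = normalize_mac(mac)
        known = bindings.setdefault(ip, mac)
        if known != mac:
            conflicts.append((ts, ip, known, mac))
    return bindings, conflicts


def enforce(bindings, observations):
    """Enforcement mode: every observed pair must match the table; mismatches raise alarms."""
    alarms = []
    for ts, ip, mac in observations:
        mac = normalize_mac(mac)
        expected = bindings.get(ip)
        if expected is None:
            alarms.append({"time": ts, "ip": ip, "mac": mac, "reason": "unbound ip"})
        elif expected != mac:
            alarms.append({"time": ts, "ip": ip, "mac": mac, "reason": f"ip bound to {expected}"})
    return alarms


# Constructed sightings used for learning the table.
LEARNING_PHASE = [
    ("09:00:01", "192.168.1.10", "00:11:22:33:44:55"),
    ("09:00:02", "192.168.1.11", "00-11-22-33-44-66"),   # different notation, same meaning
    ("09:00:03", "10.9.9.9", "de:ad:be:ef:00:01"),       # outside the managed scope, ignored
]
# Constructed live traffic checked against the learned table.
LIVE_TRAFFIC = [
    ("10:15:00", "192.168.1.10", "00:11:22:33:44:55"),   # matches the binding
    ("10:15:07", "192.168.1.10", "aa:bb:cc:dd:ee:ff"),   # another NIC claiming .10
    ("10:15:09", "192.168.1.99", "00:11:22:33:44:77"),   # address that was never bound
]


def demo():
    bindings, conflicts = auto_collect(LEARNING_PHASE, "192.168.1.0/24")
    return bindings, conflicts, enforce(bindings, LIVE_TRAFFIC)


if __name__ == "__main__":
    for alarm in demo()[2]:
        print(alarm)
```

Separating learning from enforcement matters in practice: a table built from a single snapshot will contain stale or duplicated entries, and the conflicts list is what the administrator reviews before switching the alarm on.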

3. NAT (network address translation)

NAT was originally a router function, but it has gradually evolved into one of the standard features of a firewall. Vendors' implementations of this feature differ greatly, and many implementations have a serious problem: they are difficult to configure and use, which causes network administrators a great deal of trouble. One should learn how NAT works to raise one's own knowledge of the network layer, and then, through analysis and comparison, find a firewall whose NAT configuration is simple and easy to handle.
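As a reference for "how NAT works", the following added example implements source NAT with port translation (the form most firewalls apply to outbound traffic): outbound sessions get a public port from a pool, replies are mapped back, and inbound packets that match no session are dropped. It is not code from the article or from any product; the public address, port pool and packets are constructed.

```python
class PortNat:
    """Source NAT with port translation (NAPT) for outbound TCP/UDP sessions."""

    def __init__(self, public_ip: str, port_range=(40000, 40010)):
        self.public_ip = public_ip
        self.free_ports = list(range(port_range[0], port_range[1] + 1))
        self.outbound_map = {}   # (proto, src, sport, dst, dport) -> public port
        self.inbound_map = {}    # (proto, public port, dst, dport) -> (src, sport)

    def outbound(self, pkt: dict) -> dict:
        """Translate a packet leaving the private network and return the rewritten packet."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound_map:
            if not self.free_ports:
                raise RuntimeError("NAT port pool exhausted")
            port = self.free_ports.pop(0)
            self.outbound_map[key] = port
            self.inbound_map[(pkt["proto"], port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, pkt: dict):
        """Reverse-translate a packet arriving from outside; None means no session matched,
        so the packet is dropped (NAT never forwards unsolicited inbound traffic)."""
        key = (pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"])
        entry = self.inbound_map.get(key)
        if entry is None:
            return None
        src, sport = entry
        return dict(pkt, dst=src, dport=sport)

    def close(self, pkt: dict) -> bool:
        """Release the mapping of a finished session so its public port can be reused."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.outbound_map.pop(key, None)
        if port is None:
            return False
        del self.inbound_map[(pkt["proto"], port, pkt["dst"], pkt["dport"])]
        self.free_ports.append(port)
        return True


def demo():
    nat = PortNat("203.0.113.7")                                    # constructed public address
    web = {"dst": "198.51.100.9", "dport": 80, "proto": "tcp"}       # constructed web server
    a = nat.outbound(dict(web, src="192.168.1.10", sport=5000))
    b = nat.outbound(dict(web, src="192.168.1.11", sport=5000))      # same source port, other host
    reply = nat.inbound({"proto": "tcp", "src": "198.51.100.9", "sport": 80,
                         "dst": "203.0.113.7", "dport": b["sport"]})
    stray = nat.inbound({"proto": "tcp", "src": "198.51.100.9", "sport": 80,
                         "dst": "203.0.113.7", "dport": 40009})      # nobody asked for this
    return a, b, reply, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two internal hosts using the same source port receive distinct public ports, which is exactly the bookkeeping a firewall's NAT table has to expose clearly for an administrator to debug a connection problem.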

Part two: application-layer access control

This feature is where the various firewall vendors compete hardest and where their products differ most. Many firewalls are based on free operating systems whose kernels already provide a stateful inspection module (the Linux and FreeBSD kernels, among others, support stateful inspection), but application-layer control that is actually "usable" cannot be had that way; it requires real programming.

When choosing a firewall, its application-layer control can be examined on the following points.

1. Whether content filtering is provided for the HTTP protocol

In a typical enterprise network environment today, the two main applications are WWW access and e-mail. Fine-grained control of WWW access reflects the technical strength of a firewall.

2. Whether content filtering is provided for the SMTP protocol

Attacks via e-mail are increasingly common: e-mail bombs, mail viruses, leakage of confidential information, and so on. Whether content filtering based on the SMTP protocol is provided, and how fine-grained that filtering is, has become a focus of users' attention.
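To show what "fine-grained" means for the two applications just discussed (HTTP in point 1 and SMTP in point 2), here is an added example of the filtering decisions an application-layer firewall makes: wildcard host and path rules for HTTP, and attachment type, recipient count and confidential-marker checks for SMTP. It is not code from the article or from any vendor; the rule lists, the URLs and the sample message are constructed.

```python
import fnmatch
import re
from email import message_from_string
from urllib.parse import urlsplit

# HTTP policy: (action, host pattern, path pattern); first match wins.
# Note that "*.games.example" matches subdomains only, not the bare domain.
HTTP_RULES = [
    ("deny", "*.games.example", "*"),
    ("deny", "intranet.example", "/admin/*"),
    ("allow", "*", "*"),
]


def http_verdict(url: str) -> str:
    """Decide whether one requested URL may pass."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for action, host_pat, path_pat in HTTP_RULES:
        if fnmatch.fnmatchcase(host, host_pat) and fnmatch.fnmatchcase(path, path_pat):
            return action
    return "allow"


# SMTP policy for the constructed example.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".vbs", ".js")
MAX_RECIPIENTS = 20                     # crude e-mail bomb / mass-mailing limit
CONFIDENTIAL = re.compile(r"\b(confidential|internal use only)\b", re.IGNORECASE)


def smtp_verdict(raw_message: str) -> list:
    """Return the policy violations found in one message; an empty list means deliver it."""
    msg = message_from_string(raw_message)
    reasons = []
    recipient_headers = [v for h in ("To", "Cc", "Bcc") for v in (msg.get_all(h) or [])]
    if sum(len(v.split(",")) for v in recipient_headers) > MAX_RECIPIENTS:
        reasons.append("too many recipients")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            reasons.append(f"blocked attachment type: {name}")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            if CONFIDENTIAL.search(body):
                reasons.append("confidential marker in message body")
    return reasons


# Constructed outbound message: a confidential note with an executable attached.
SAMPLE_MESSAGE = """\
From: alice@example.test
To: bob@example.test, carol@example.test
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset=us-ascii

This report is CONFIDENTIAL, do not forward.
--XX
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XX--
"""

if __name__ == "__main__":
    print(http_verdict("http://chess.games.example/play"))    # deny
    print(smtp_verdict(SAMPLE_MESSAGE))
```

The SMTP checks parse the MIME structure rather than searching the raw text, which is the difference between a filter that looks at attachments by name and type and one that only matches strings; the latter is easy to defeat with an encoded body.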

3. Whether content filtering is provided for the FTP protocol

This feature must be examined very carefully. Many vendors' firewalls claim FTP content filtering, but close comparison shows that most of them only control two FTP commands: PUT and GET. A good firewall should be able to control all the other FTP commands as well, including CD, LS and so on; provide class-based command control; implement access control on directories and files; and support wildcards in all of these filters.
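The following added example implements the FTP command control described above: commands are grouped into classes, a policy matches (user, class, path) with wildcards, and the target path is normalized before matching so that ".." cannot escape a pattern. It is not code from the article or from any product; the classes and policy are constructed. Note that the client-side commands the text names (CD, LS, GET, PUT) appear on the wire as CWD, LIST, RETR and STOR, which is what a firewall actually sees.

```python
import fnmatch
import posixpath

# Command classes as seen on the FTP control channel (client "cd"/"ls"/"get"/"put" map to
# CWD/LIST/RETR/STOR). Any verb not listed here is denied outright.
COMMAND_CLASSES = {
    "navigate": {"CWD", "CDUP", "PWD", "LIST", "NLST", "SIZE", "MDTM"},
    "download": {"RETR"},
    "upload": {"STOR", "STOU", "APPE"},
    "modify": {"DELE", "RNFR", "RNTO", "MKD", "RMD"},
    "session": {"USER", "PASS", "QUIT", "TYPE", "MODE", "PASV", "PORT", "SYST", "NOOP", "FEAT"},
}
CLASS_OF = {cmd: cls for cls, cmds in COMMAND_CLASSES.items() for cmd in cmds}

# Constructed policy: (user pattern, command class, path pattern, action); first match wins,
# default deny. Anyone may browse and download under /pub; only admin may write to /pub/incoming.
POLICY = [
    ("*", "session", "*", "allow"),
    ("*", "navigate", "/pub/*", "allow"),
    ("*", "download", "/pub/*", "allow"),
    ("admin", "upload", "/pub/incoming/*", "allow"),
    ("admin", "modify", "/pub/incoming/*", "allow"),
]


def resolve(cwd: str, arg: str) -> str:
    """Absolute, normalized target path, so '../' sequences cannot slip past a pattern."""
    if not arg:
        return cwd
    return posixpath.normpath(posixpath.join(cwd, arg))


def path_matches(path: str, pattern: str) -> bool:
    # "/pub/*" should cover the directory "/pub" itself as well as everything below it.
    return fnmatch.fnmatchcase(path, pattern) or fnmatch.fnmatchcase(path + "/", pattern)


def ftp_verdict(user: str, cwd: str, line: str) -> str:
    """Decide whether one control-channel command line from `user` in directory `cwd` may pass."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    cls = CLASS_OF.get(verb)
    if cls is None:
        return "deny"                        # unknown or unsupported command
    if verb == "CDUP":
        target = resolve(cwd, "..")
    elif cls == "session":
        target = cwd                         # commands that carry no path
    else:
        target = resolve(cwd, arg)
    for user_pat, pat_cls, path_pat, action in POLICY:
        if fnmatch.fnmatchcase(user, user_pat) and cls == pat_cls and path_matches(target, path_pat):
            return action
    return "deny"


if __name__ == "__main__":
    print(ftp_verdict("guest", "/pub", "RETR docs/readme.txt"))        # allow
    print(ftp_verdict("guest", "/pub/docs", "RETR ../../etc/passwd"))   # deny
```

A firewall that only knows PUT and GET would pass the DELE, RNTO and MKD lines here unexamined; class-based control with path patterns is what lets a single policy cover every command the protocol defines.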

Part three: management and authentication

This is a very important function of a firewall. Currently, firewall management interfaces fall into three kinds: WEB-based management (WUI), management through a graphical user interface (GUI), and command-line management (CLI).

Of these management methods, the CLI command-line mode is not suitable for most firewalls.

The WUI and GUI management methods each have advantages and disadvantages.

WUI management is simple: no special management software is needed, a browser is enough. At the same time, a WUI interface is ideal for remote management; as long as the firewall's IP address is reachable, a firewall at a branch in the United States can be managed from China.

A WUI-based firewall also has drawbacks. First, a WEB interface is not suited to complex, dynamic page display; a typical WUI has difficulty showing rich statistical charts, so users with demanding auditing and statistical-comparison requirements should avoid the WUI approach. In addition, it increases the security threat to firewall management: if an administrator manages the company's firewall through a browser from home, the trust relationship rests only on a simple user name and password, which an attacker can easily guess, and that increases the security threat.

GUI is the most widely used management method for firewalls. It is professional, offers a rich set of management features, and makes configuration easy for the firewall administrator. Its disadvantage is that it requires specialized management client software, and it lacks the centralized, flexible remote management of a WUI.

Part four: auditing, logging and storage

At present most firewalls provide auditing and logging; the differences lie in how fine the audit granularity is and in how and where the logs are stored.

Many firewalls have weak auditing and logging. This is particularly evident in firewalls that use DOM, DOC or similar electronic (flash) disks as their storage media and provide no support for a network database; some do not even distinguish event logs from access logs. If you need extensive auditing and logging, look at how the firewall stores its logs: if it uses DOM, DOC or similar flash electronic disks, that may limit its auditing and logging capability.

At present most firewalls store audit logs on a hard disk. The advantage is that a large number of logs can be stored (from a few G to tens of G), but in some extreme cases, such as an abnormal power-down, a hard disk is far more likely to suffer serious damage than an electronic disk.

A good firewall should offer several storage options so that users can choose and combine them flexibly.

Part five: how to distinguish packet filtering from stateful inspection

Some small companies selling firewall products often claim to use stateful inspection, and on the surface it is easy to be confused. Here are a few small tricks for telling the two technologies apart.

1. Whether a real-time view of connection state is provided

A stateful inspection firewall can provide a function to view the current connections and interfaces and to break a current connection in real time. The connection view should carry rich information, including the IP addresses and ports of both sides, the connection state, the connection time, and so on. A simple packet-filtering firewall does not have this capability.

2. Whether a dynamic rule base is provided

Some applications use more than one connection rather than a single port, and normally complete one application-layer operation through a series of related connections. Take the FTP protocol: the user's commands travel over a connection to port 21, while the data is transferred over another, temporarily created connection (by default its source port is 20; in PASSIVE mode the port is assigned temporarily). For such applications a packet-filtering firewall has difficulty setting simple security rules and often has to open up all access from source port 20.

A stateful inspection firewall can support dynamic rules: by tracking the application-layer session, it automatically allows the legitimate connections that belong to the session and rejects connection requests that do not match the session state.

For FTP, a single access rule for port 21 configured in the firewall is enough to guarantee normal FTP transfers, including data transfers in PASSIVE mode. This capability not only makes the rules simpler but also removes the risk of opening all access from port 20.
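The two distinguishing marks of stateful inspection described in this part (the real-time connection table in point 1 and the dynamic rules for FTP in point 2) can be seen together in the following added example of a connection tracker with an FTP helper: one static rule for port 21, a connection table that records both sides and timestamps and can kill a connection, and a one-shot pinhole opened when a PASV reply or PORT command is seen on the control channel. It is not code from the article or from any firewall product; the addresses, ports and control-channel lines are constructed.

```python
import re
from dataclasses import dataclass

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)


def _hostport(m):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and PASV into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Conn:
    src: str
    sport: int
    dst: str
    dport: int
    state: str
    created: int
    last_seen: int
    helper: str = ""


class StatefulFirewall:
    def __init__(self, static_rules):
        self.rules = static_rules   # {(dst_ip, dport)} that may be opened from inside
        self.conns = {}             # (src, sport, dst, dport) of the opener -> Conn
        self.expected = {}          # dynamic pinholes: (src, dst, dport) -> parent key

    @staticmethod
    def key(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def packet(self, pkt, ts: int) -> str:
        k = self.key(pkt)
        rk = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if k in self.conns or rk in self.conns:            # belongs to a tracked session
            c = self.conns.get(k) or self.conns[rk]
            c.last_seen, c.state = ts, "established"
            return "allow"
        pin = (pkt["src"], pkt["dst"], pkt["dport"])
        if pin in self.expected:                             # data channel announced on control channel
            parent = self.expected.pop(pin)                  # one-shot: used once, then gone
            self.conns[k] = Conn(*k, "new", ts, ts, helper=f"ftp-data of {parent}")
            return "allow"
        if (pkt["dst"], pkt["dport"]) in self.rules:         # static rule opens a new session
            self.conns[k] = Conn(*k, "new", ts, ts)
            return "allow"
        return "deny"

    def control_payload(self, pkt, payload: str) -> None:
        """Inspect FTP control-channel text and register the data connection it announces."""
        k, rk = self.key(pkt), (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if k in self.conns:
            client, server, parent = k[0], k[2], k
        elif rk in self.conns:
            client, server, parent = rk[0], rk[2], rk
        else:
            return
        m = PASV_RE.search(payload)          # server tells client where to connect
        if m:
            host, port = _hostport(m)
            self.expected[(client, host, port)] = parent
        m = PORT_RE.match(payload)           # client tells server where to connect back
        if m:
            host, port = _hostport(m)
            self.expected[(server, host, port)] = parent

    def connections(self):
        """The real-time view: both sides, state and times of every tracked connection."""
        return [vars(c) for c in self.conns.values()]

    def kill(self, src, sport, dst, dport) -> bool:
        return self.conns.pop((src, sport, dst, dport), None) is not None


def demo():
    fw = StatefulFirewall({("10.0.0.5", 21)})                 # the single port-21 rule
    ctl = {"src": "192.168.1.20", "sport": 50000, "dst": "10.0.0.5", "dport": 21}
    ctl_back = {"src": "10.0.0.5", "sport": 21, "dst": "192.168.1.20", "dport": 50000}
    out = [fw.packet(ctl, 1), fw.packet(ctl_back, 2)]         # allow, allow
    fw.control_payload(ctl_back, "227 Entering Passive Mode (10,0,0,5,200,10)\r\n")   # port 51210
    out.append(fw.packet({"src": "192.168.1.21", "sport": 50001, "dst": "10.0.0.5", "dport": 51210}, 3))  # deny
    out.append(fw.packet({"src": "192.168.1.20", "sport": 50001, "dst": "10.0.0.5", "dport": 51210}, 4))  # allow
    out.append(fw.packet({"src": "10.0.0.5", "sport": 20, "dst": "192.168.1.20", "dport": 50002}, 5))     # deny
    fw.control_payload(ctl, "PORT 192,168,1,20,195,82\r\n")                                             # port 50002
    out.append(fw.packet({"src": "10.0.0.5", "sport": 20, "dst": "192.168.1.20", "dport": 50002}, 6))     # allow
    return out, fw
```

A packet filter has to choose between rejecting the active-mode connection from port 20 in step 5 and accepting every such connection; the tracker accepts it only after the PORT command that announced it, and only for the announced client and port.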
