How to set up enterprise dns
With the rapid development of the Internet, security has become the most critical issue in network interconnection technology. This paper is a survey of Internet firewall technology: it gives a comprehensive account of the development of Internet firewall technology and products, analyzes in detail the functional characteristics, key technologies, implementation methods and anti-attack ability of the fourth-generation firewall, and briefly describes the development trends of Internet firewall technology.

Keywords: Internet; network security; firewall; filtering; address translation

1. Introduction

Firewall technology is an application-level security technology built on modern communication network technology and information security technology, and it is used more and more in the interconnection of private networks with public networks, especially the Internet. With the rapid development of the Internet, firewall products have sprung up within just a few years and quickly formed an industry: in 1995, when firewall products had only just come to market, fewer than 10,000 had been sold; by the end of 1996 the figure had soared to 65438+10,000 sets; according to forecasts by authoritative international market survey institutions, the firewall market will grow at a compound rate of 1.73%, reaching 1.5000 units by the end of this year, with market turnover rising from 1.6 10 billion dollars in 1995 to 980 million dollars.

To fully understand Internet firewalls and their development, and in particular the technical characteristics of the fourth-generation firewall, it is necessary to examine in detail the development and evolution of firewall technology from the perspective of both products and technology.

2. Brief introduction to Internet firewall technology

The term firewall originally refers to the partition wall used in buildings to stop a fire from spreading. In principle an Internet firewall serves a similar purpose: it prevents dangers of all kinds (viruses, resource theft, etc.) from spreading into your network. In practice a firewall is less like a firewall in real life and more like the moat that protected a city in ancient times, serving the following purposes:

1) Restrict entry to specific control points;

2) Restrict exit to specific points;

3) Prevent intruders from getting close to your other defenses;

4) Effectively prevent saboteurs from damaging your computer systems.

In real life, an Internet firewall is usually installed at the point where a protected internal network connects to the Internet.

All information arriving from the Internet or sent out by you must pass through the firewall. In this way the firewall protects the security of e-mail, file transfer, remote login and the exchange of information between specific systems. Logically, the firewall acts as a separator, a restrictor and an analyzer, as figure 1 also shows. So what is a firewall? A firewall is in fact a system, or a group of systems, that strengthens the security defenses between the Internet and an intranet; it consists of a set of hardware devices (including routers and servers) and the corresponding software.

3. Review of firewall technology and product development

A firewall is an integral part of a network security strategy. By controlling and monitoring the exchange of information and the access behavior between networks, it can effectively manage network security. Generally speaking, a firewall should have the following five basic functions:

● Filter data entering and leaving the network;

● Manage access behavior inside and outside the network;

● Block certain prohibited behaviors;

● Record the information and activities passing through the firewall;

● Detect network attacks and raise an alarm.

To realize these functions, mature or advanced technologies and means such as network topology, computer operating systems, routing, encryption, access control and security auditing are widely used in the development of firewall products. Looking at the development of firewalls in recent years, it can be divided into the following four stages (that is, four generations).

3.1 Router-based firewall

Because most routers include a packet filtering function, network access control can be achieved through route control, which made routers with packet filtering the first generation of firewall products. The characteristics of first-generation firewall products are:

1) The router itself parses packets and filters them according to an access list;

2) The basis for the filtering decision can be network characteristics such as address, port number and IP flags;

3) It has only a packet filtering function, and the firewall and the router are one and the same. A network with low security requirements can therefore use a router with a firewall function, while a network with high security requirements needs a dedicated router acting as the firewall.

The shortcomings of first-generation firewall products are very obvious:

● Routing protocols are very flexible and have their own security loopholes, so it is very easy for the external network to probe the internal network. For example, with the FTP protocol an external server can easily connect to the intranet from port 20. Even if filtering rules are set on the router, the internal network can still be probed from outside through port 20.

● Setting and configuring packet filtering rules on a router carries security risks. The process is very complicated: it involves the logical consistency of the rules, the validity of the ports acted on and the correctness of the rule set, which is hard for the average network administrator, and whenever a new protocol appears the administrator has to add more rules to restrict it, which often introduces mistakes.

● The biggest hidden danger of a router firewall is that attackers can forge addresses. Because information travels across the network in clear text, hackers can inject false routing information into the network to deceive the firewall.

The essential defect of the router firewall is that the main job of a router is to provide dynamic, flexible routing for network access, while a firewall must impose static, rigid control over access behavior; these two aims are contradictory and hard to reconcile. Firewall rule sets also greatly reduce router performance.

It can be said that router-based firewall technology is only a stopgap measure for network security, and it is very dangerous to rely on such an expedient against hacker attacks.

3.2 Custom firewall toolkit

To make up for the shortcomings of router firewalls, many large users asked for firewall systems to be developed to protect their own networks, which prompted the emergence of user firewall toolkits.

As the second generation of firewall products, the custom firewall toolkit has the following characteristics:

1) The filtering function is separated from the router, and auditing and alarm functions are added;

2) Modular software packages are provided according to user requirements;

3) Software can be delivered over the network, and users build their own firewalls;

4) Compared with the first generation, security is improved and the price is reduced.

Because it is a pure software product, the second-generation firewall places quite demanding requirements on system administrators for implementation and maintenance, and brings the following problems:

● The process of configuration and maintenance is complicated and time-consuming;

● The technical demands on users are high;

● Being implemented entirely in software, it is prone to many mistakes in use.

3.3 Firewall based on a general-purpose operating system

The problems in selling, using and maintaining software-based firewalls forced firewall developers to quickly launch commercial firewall products based on general-purpose operating systems. This generation of products has been widely used in the market in recent years and has the following characteristics:

1) They are dedicated firewall products produced in volume;

2) They include packet filtering or borrow the packet filtering function of the router;

3) They are equipped with a dedicated proxy system that monitors the data and commands of all protocols;

4) They protect user programming space and provide user-configurable kernel parameters;

5) Security and speed are greatly improved.

The third-generation firewall is implemented with a combination of software and hardware and has been recognized by the majority of users. However, as security requirements change and deployments age, many problems remain, such as:

1) The kernel of the underlying operating system is often unknown to the firewall's managers, and because the source code is confidential its security cannot be guaranteed;

2) Because most firewall vendors are not vendors of general-purpose operating systems, the operating system vendor will not take responsibility for the security of the operating system;

3) In essence, the third-generation firewall should not only prevent attacks from external networks, but also guard against attacks from the operating system vendor;

4) Functionally it includes packet filtering, application gateways and circuit-level gateways, with encryption and authentication functions;

5) Good transparency and convenient to use.

4. Main technologies and functions of the fourth generation firewall

The fourth-generation firewall product combines the gateway and the security system into one and has the following technical functions.

4.1 Two-port or three-port structure

The new generation of firewall products has two or three independent network cards. The internal and external network cards can be connected in series between the internal and external networks without IP address translation, and the third network card can be dedicated to protecting servers.

4.2 Transparent access

Earlier firewalls either required users to log in to the firewall system or modified client applications through a library path (such as SOCKS). The fourth-generation firewall adopts transparent proxy technology, which reduces the inherent security risks and the error probability of system logins.

4.3 Flexible proxy system

A proxy system is a software module that relays information from one side of the firewall to the other. The fourth-generation firewall adopts two proxy mechanisms: one proxies connections from the internal network to the external network, the other proxies connections from the external network to the internal network. The former is solved with network address translation (NAT) technology, the latter with non-confidential user-defined proxies or a confidential proxy system.

4.4 Multi-level filtering technology

To ensure the system's security and protection level, the fourth-generation firewall adopts three levels of filtering, supplemented by identification means. At the packet filtering level, all source-routed packets and packets with forged IP addresses can be filtered out; at the application-level gateway, FTP, SMTP and other gateways control and monitor all the general services provided by the Internet; at the circuit-level gateway, transparent connections between internal hosts and external sites are realized and access to services is strictly controlled.

4.5 Network address translation technology

Using NAT technology, the fourth-generation firewall transparently translates all internal addresses, so that the external network cannot learn the internal structure of the internal network, and the internal network can use its own IP source addresses and private network numbering. The firewall keeps a detailed record of each host's communications to ensure that every packet is delivered to the correct address.
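As an added illustration (not code from the original paper) of the translation this section describes, here is a minimal port-translating NAT model in Python. The addresses and the external port pool are constructed sample values; it shows two internal hosts sharing one external address, replies being mapped back through the translation table, and an inbound packet with no table entry being dropped, which is why the outside learns nothing about the internal structure.

```python
import itertools
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Port-translating NAT: many private hosts share one public address."""

    def __init__(self, external_ip: str, internal_net: str) -> None:
        self.external_ip = external_ip
        self.internal_net = ip_network(internal_net)
        self._ports = itertools.count(40000)   # external port pool (constructed)
        self.by_ext_port = {}   # ext port -> (int ip, int port, remote ip, remote port)
        self.by_flow = {}       # (int ip, int port, remote ip, remote port) -> ext port
        self.log = []           # per-host record of every translated or dropped packet

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so only the firewall's address is visible."""
        if ip_address(pkt.src) not in self.internal_net:
            raise ValueError(f"{pkt.src} is not an internal address")
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext_port = self.by_flow.get(flow)
        if ext_port is None:                  # first packet of this flow: allocate a port
            ext_port = next(self._ports)
            self.by_flow[flow] = ext_port
            self.by_ext_port[ext_port] = flow
        self.log.append(("out", pkt.src, pkt.sport, pkt.dst, pkt.dport, ext_port))
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the right internal host; drop anything unsolicited."""
        flow = self.by_ext_port.get(pkt.dport)
        if (pkt.dst != self.external_ip or flow is None
                or (flow[2], flow[3]) != (pkt.src, pkt.sport)):
            self.log.append(("drop", pkt.src, pkt.sport, pkt.dst, pkt.dport, None))
            return None
        int_ip, int_port, _, _ = flow
        self.log.append(("in", pkt.src, pkt.sport, int_ip, int_port, pkt.dport))
        return Packet(pkt.src, pkt.sport, int_ip, int_port)


def demo():
    """Two private hosts reach one web server; a probe with no table entry is dropped."""
    nat = Nat("203.0.113.1", "10.0.0.0/8")       # constructed sample addresses
    a = nat.outbound(Packet("10.1.1.5", 51000, "198.51.100.7", 80))
    b = nat.outbound(Packet("10.1.1.9", 51000, "198.51.100.7", 80))
    reply_a = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", a.sport))
    reply_b = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", b.sport))
    probe = nat.inbound(Packet("192.0.2.66", 4444, "203.0.113.1", 23))
    return a, b, reply_a, reply_b, probe
```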

4.6 Internet gateway technology

Because it is connected in series directly in the network, the fourth-generation firewall must support all the services users connect to on the Internet while preventing the security loopholes associated with those services, so it should implement gateway functions with a variety of secure application servers (including FTP, finger, mail, ident, news, WWW, etc.). To ensure server security, all files and commands should be physically isolated through the chroot system call.

For domain name service, the fourth-generation firewall adopts two independent domain name servers: an internal DNS server, which mainly handles the internal network's DNS information, and an external DNS server, dedicated to the DNS information the organization provides to the Internet. For anonymous FTP, the server provides read-only access to a limited number of protected directories. The WWW server supports only static web pages; graphics or CGI code are not allowed to run on the firewall. For finger, the firewall answers external requests only with basic text information that internal users can configure, and gives out no system information that could aid an attack. SMTP and POP mail servers should handle all mail entering and leaving through the firewall, using mail mapping and mail header stripping to hide the internal mail environment. The ident server handles identification of user connections, while the network news service provides dedicated disk space for receiving news from the ISP.

4.7 Secure Server Network (SSN)

To meet the needs of more and more users who provide services on the Internet, the fourth-generation firewall adopts an isolate-and-protect strategy for the users' externally facing servers. It uses a network card to treat the external servers as an independent network: the external servers are not part of the internal network, and they are completely isolated from the internal gateway. This is secure server network (SSN) technology. Hosts on the SSN can be managed independently, or from the intranet through FTP, telnet and so on.

The security provided by the SSN is much better than the traditional DMZ approach, because there is a firewall between the SSN and the external network and also a firewall between the SSN and the internal network, whereas a DMZ has only the firewall between the internal and external network gateways. In other words, if the SSN is compromised the internal network is still protected by the firewall, but if the DMZ is compromised the internal network is exposed to attack.

4.8 User authentication and encryption

To reduce the security risks of firewall products in services such as telnet and FTP and in remote management, an authentication function is essential. The fourth-generation firewall uses a one-time password system as the means of user authentication and also implements mail encryption.

4.9 User-customized services

To meet the specific needs of specific users, the fourth-generation firewall offers many services and also supports user customization. These options include generic TCP, outbound UDP, FTP, SMTP, and so on. If a user needs to set up a database proxy, these facilities make the setup easy.

4.10 Audit and alarm

The audit and alarm functions of fourth-generation firewall products are very thorough. The log files include: general information, kernel information, core information, received mail, mail path, sent mail, received messages, sent messages, connection requests, authenticated access, alarm conditions, management log, inbound proxy, FTP proxy, outbound proxy, mail server, name server, and so on. The alarm function saves every TCP or UDP query and can alert in many ways, such as sending e-mail or sounding an alarm.

In addition, the fourth-generation firewall has its own features for network diagnosis and secure data backup.

5. Implementation method of the fourth generation firewall technology

In the design and development of fourth-generation firewall products, the key points are the security kernel, the proxy system, multi-level filtering, the secure server, and authentication and encryption.

5.1 Implementation of the security kernel

The fourth-generation firewall is built on a secure operating system derived from the security hardening and modification of a dedicated operating system. Judging from the many products now available, hardening and modification of the secure operating system kernel mainly covers the following aspects:

1) Remove dangerous system calls;

2) Restrict command execution privileges;

3) Disable IP forwarding;

4) Check the interface of every packet;

5) Use random connection sequence numbers;

6) Keep a resident packet filtering module;

7) Disable dynamic routing;

8) Use a variety of security kernels.

5.2 Establishment of the proxy system

The firewall does not allow any information to pass through directly; all internal and external connections must go through the proxy system. To ensure the security of the whole firewall, all proxies should change their root directory so that they reside in a relatively independent area for security isolation.

Before any connection passes through the firewall, every proxy checks the defined access rules. The access rules control the proxy's services according to the following:

1) Source address;

2) Destination address;

3) Time;

4) Maximum number of servers of the same kind.

All connections from the external network to the firewall or SSN are handled by the inbound proxy, which ensures that internal hosts can learn everything about the external host, while the external host can see only the addresses outside the firewall or SSN.

All connections from the intranet or SSN through the firewall to the external network are handled by the outbound proxy. The outbound proxy must ensure that the intranet is fully connected to the external address that represents it, prevent direct connections between the intranet and the external network, and also handle connections from the intranet to the SSN.

5.3 Design of the packet filter

As one of the core components of the firewall, the filter should be designed to reduce access to the firewall as much as possible. Filters are loaded into the kernel when they are invoked, and the filtering rules are removed from the kernel when the service terminates. All packet filtering functions run deep in the kernel's IP stack, which is extremely secure. The packet filter includes the following parameters:

1) Inbound interface;

2) Outbound interface;

3) Allowed connections;

4) Source port range;

5) Source address;

6) Destination port range, etc.

The handling of each parameter fully embodies the design principles and the security policy.
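The following packet filter model is an added example, not code from the paper. It covers the six parameters listed above, the fixed checks from section 4.4 (source-routed packets and forged internal source addresses arriving from outside) and the FTP port 20 weakness from section 3.1. The interface names, addresses and rules are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str               # interface the packet arrived on: "ext" or "int"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    ack: bool = False           # TCP ACK set: part of an existing conversation
    source_routed: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                             # "permit" or "drop"
    in_iface: str = "*"                     # 1) inbound interface
    out_iface: str = "*"                    # 2) outbound interface
    proto: str = "*"                        # 3) allowed connection type
    sport: Tuple[int, int] = (0, 65535)     # 4) source port range
    src: str = "0.0.0.0/0"                  # 5) source address
    dst: str = "0.0.0.0/0"
    dport: Tuple[int, int] = (0, 65535)     # 6) destination port range
    ack_only: bool = False                  # match only replies, never new connections

    def matches(self, pkt: Packet, out_iface: str) -> bool:
        return (self.in_iface in ("*", pkt.in_iface)
                and self.out_iface in ("*", out_iface)
                and self.proto in ("*", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.sport[0] <= pkt.sport <= self.sport[1]
                and self.dport[0] <= pkt.dport <= self.dport[1]
                and (pkt.ack or not self.ack_only))


class PacketFilter:
    def __init__(self, internal_net: str, rules: List[Rule]) -> None:
        self.internal_net = ip_network(internal_net)
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        # Fixed checks from section 4.4, applied before any rule is consulted.
        if pkt.source_routed:
            return "drop:source-routed"
        if pkt.in_iface == "ext" and ip_address(pkt.src) in self.internal_net:
            return "drop:spoofed-source"       # inside address arriving from outside
        out_iface = "int" if ip_address(pkt.dst) in self.internal_net else "ext"
        for rule in self.rules:               # first matching rule decides
            if rule.matches(pkt, out_iface):
                return f"{rule.action}:{rule.name}"
        return "drop:default"                 # nothing matched: deny


INTERNAL = "10.0.0.0/8"                       # constructed sample network
RULES = [
    Rule("outbound-any", "permit", in_iface="int", out_iface="ext", src=INTERNAL),
    Rule("replies-in", "permit", in_iface="ext", dst=INTERNAL, ack_only=True),
    # Active FTP: the server opens the data channel from its port 20 to a high
    # client port. A stateless filter cannot tell that connection from any other
    # new connection sourced from port 20, which is the gap described in section 3.1;
    # closing it needs the connection state an FTP proxy (section 4.3) keeps.
    Rule("ftp-data-in", "permit", in_iface="ext", proto="tcp",
         sport=(20, 20), dst=INTERNAL, dport=(1024, 65535)),
]


def evaluate(pkt: Packet) -> str:
    """Run one constructed packet through the sample rule set."""
    return PacketFilter(INTERNAL, RULES).decide(pkt)
```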

5.4 Design of the secure server

There are two main points in the design of the secure server. First, all SSN traffic should be isolated, that is, the routing information flows from the internal and external networks should be separated mechanically. Second, the SSN resembles two networks: it looks like an intranet because it is transparent to the outside world, and it looks like an extranet because access to the outside world from the intranet is very limited.

Every server on the SSN is hidden from the Internet, and the services provided by the SSN appear to the external network to be functions of the firewall. Because the addresses are already transparent, there are no restrictions on the various network applications. The key to realizing the SSN lies in:

1) Solving packet filtering and SSN connectivity;

2) Supporting access to the SSN through the firewall;

3) Supporting proxy services.

5.5 Consideration of authentication and encryption

Authentication and encryption are the firewall's effective means of identifying users, verifying access and protecting information. The authentication mechanism not only provides security protection but also has a security management function. At present, token authentication is widely used in foreign firewall products, with two specific methods: CryptoCard and SecurID, both of which are tools that generate one-time passwords.

Encryption and authentication of information content involve encryption algorithms and digital signature technology. At present, apart from PEM, PGP and Kerberos, foreign firewall products have no better mechanism. Because encryption algorithms touch on national security and sovereignty, different countries have different requirements.

6. Anti-attack ability of the fourth generation firewall

As a kind of security protection equipment, the firewall is naturally a target for many attackers on the network, so the ability to withstand attacks is also an essential function of a firewall. In the Internet environment there are many attacks against firewalls; this paper evaluates the anti-attack ability of the fourth-generation firewall against several of the main attack methods.

6.1 Anti-IP spoofing attacks

IP spoofing means that an illegal host impersonates an internal host address to win the server's "trust" and thereby attack the network. Because the fourth-generation firewall hides the network's actual addresses, it is difficult for external users to learn internal IP addresses, so such attacks are difficult to mount.

6.2 Anti-Trojan attacks

Trojan horses introduce viruses or destructive programs into computer networks, usually hiding the malicious program inside a normal program, especially a popular program or game. Once a user downloads and runs the program, the virus breaks out. The fourth-generation firewall is built on a secure operating system in whose kernel downloaded programs cannot be executed, so it can resist Trojan horses. It must be pointed out that a firewall's ability to resist Trojan attacks does not mean that the hosts it protects can also resist them; in fact, internal users can download programs through the firewall and execute them.

6.3 Anti-password discovery attacks

There are many ways to obtain passwords on a network; the most common are password sniffing and password cracking. Sniffing monitors network traffic, intercepts the password the user sends to the server and records it for later use; cracking refers to brute-force attacks, guessing, or obtaining files containing encrypted passwords and trying to decrypt them. In addition, attackers often try logging in directly with common passwords.

By adopting one-time passwords and prohibiting such direct logins to the firewall, the fourth-generation firewall can effectively prevent password attacks.
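An added example, not from the paper, of the kind of one-time password scheme referred to in sections 4.8, 5.5 and this section: a hash-chain (S/KEY-style) password list in Python, using SHA-256 as the one-way function. The seed and chain length are constructed demo values. It shows why a sniffed password is worthless here: the server accepts only the next preimage in the chain, never the same value twice, and never anything it could compute itself.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _chain(seed: bytes, count: int) -> bytes:
    """Apply the one-way hash `count` times: h^count(seed)."""
    value = seed
    for _ in range(count):
        value = _h(value)
    return value


class OtpServer:
    """Stores only h^n(seed); a password is accepted if hashing it once gives the stored value."""

    def __init__(self, verifier: bytes, remaining: int) -> None:
        self.verifier = verifier
        self.remaining = remaining

    def verify(self, password: bytes) -> bool:
        if self.remaining == 0 or not hmac.compare_digest(_h(password), self.verifier):
            return False
        self.verifier = password      # the password just used becomes the new verifier,
        self.remaining -= 1           # so presenting it again (a replay) will fail
        return True


class OtpClient:
    """Holds the secret seed; emits h^(n-1), h^(n-2), ... and never reuses a value."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.seed = seed
        self.remaining = n

    def enroll(self) -> OtpServer:
        """Hand the server the top of the chain; the seed itself never leaves the client."""
        return OtpServer(_chain(self.seed, self.remaining), self.remaining)

    def next_password(self) -> bytes:
        if self.remaining == 0:
            raise RuntimeError("chain exhausted: re-enroll with a fresh seed")
        self.remaining -= 1
        return _chain(self.seed, self.remaining)


def demo():
    """Normal login, replay of a captured password, next login, and a bogus value."""
    client = OtpClient(b"constructed-demo-seed", 3)   # a real seed comes from a CSPRNG
    server = client.enroll()
    first = client.next_password()
    ok1 = server.verify(first)                # h(h^2) == h^3: accepted
    replay = server.verify(first)             # h(h^2) != h^2: rejected
    ok2 = server.verify(client.next_password())
    wrong = server.verify(b"not-a-chain-value")
    return ok1, replay, ok2, wrong
```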

6.4 Anti-network security analysis

Administrators use network security analysis tools to analyze the security of their networks. Once such tools are used as a means of attack, the security defects and weaknesses of the internal network can be easily detected. At present, the SATAN software can be obtained free of charge from the Internet, and Internet scanners can also be purchased on the market. These analysis tools pose a direct threat to network security. The fourth-generation firewall uses address translation technology to hide the internal network, so that network security analysis tools cannot analyze the internal network from outside.

6.5 Anti-mail fraud attack

Mail fraud is also an increasingly prominent attack method. The fourth-generation firewall does not receive any mail itself, so it is difficult to attack it this way. It is worth mentioning that the firewall not receiving mail does not mean mail is not allowed to pass; users can still send and receive e-mail. The ultimate solution for internal users against mail fraud is to encrypt mail.

7. Prospect of firewall technology

With the rapid development of the Internet, the pace at which firewall products are updated will inevitably quicken, and it is almost impossible to give a comprehensive outlook on the development of firewall technology. But some trends can be seen from the products and their functions. The following points may be the next directions and choices:

1) Firewalls will develop from the current subnet or intranet management model to centralized management of remote Internet access.

2) Filtering depth will keep increasing, from the current address and service filtering to URL (page) filtering, keyword filtering, ActiveX and Java filtering, with virus scanning added gradually.

3) For a long time, using firewalls to build private networks has been the mainstream choice of users; demand for IP encryption is growing stronger, and the development of security protocols is a hot topic.

4) One-way firewalls (also called network diodes) will appear as a product category.

5) Detecting network attacks and raising various alarms will become an important firewall function.

6) Security management tools will keep improving; in particular, movable log analysis tools will become part of firewall products.

In addition, it is worth mentioning that as firewall technology continues to develop, people's criteria for choosing firewalls will mainly focus on ease of management, application transparency, authentication and encryption functions, operating environment and hardware requirements, VPN and CA functions, number of interfaces, cost and so on.