SPOTO has focused on IT certification training for 16 years. Over those 16 years, SPOTO has helped tens of thousands of candidates achieve their Cisco CCNA, CCNP, CCIE and CISSP certifications. Subscribe to us to get more news.
The principle of the hardware firewall
A software firewall typically offers only packet filtering. A hardware firewall may offer additional functions beyond that, such as content filtering (CF), intrusion detection (IDS), intrusion prevention (IPS) and VPN.
That is to say, in a hardware firewall the firewall program is implemented in a chip and the hardware performs these functions, which reduces the load on the CPU and makes routing more stable. The hardware firewall is an important barrier protecting the internal network; its security and stability directly determine the security of the entire internal network. Routine checks are therefore very important for keeping the hardware firewall secure. Many hidden dangers and faults in the system show themselves in one way or another before they break out, and the task of routine inspection is to discover these security hazards and locate the problem as precisely as possible so that it can be fixed.
(1) Packet filtering firewall
Packet filtering firewalls are typically implemented on routers and filter on user-defined fields such as IP addresses. The working principle is that the system checks data packets at the network layer, without regard to the application layer. This gives the system good forwarding performance and strong scalability. However, the security of the packet filtering firewall has certain defects: because the system has no awareness of application layer information, the firewall does not understand the content of the communication, so it may be attacked by hackers.
(2) Application gateway firewall
The application gateway firewall checks the packets of all application layers and feeds the inspected content into the decision process, thereby improving the security of the network. However, the application gateway firewall is implemented by breaking the client/server model: each client/server communication requires two connections, one from the client to the firewall and the other from the firewall to the server. In addition, each proxy needs its own application process, or a service program running in the background; for each new application, a service program for that application must be added, otherwise the service cannot be used. The application gateway firewall therefore has the disadvantage of poor scalability.
(3) Stateful inspection firewall
The stateful inspection firewall largely keeps the advantages of the simple packet filtering firewall: performance is relatively good and it is transparent to applications. On this basis, security is greatly improved. This kind of firewall abandons the shortcoming of the simple packet filtering firewall, which only examines individual packets entering and leaving the network and pays no attention to connection state. Instead it establishes a state connection table in the core of the firewall, tracks each connection, and handles the traffic entering and leaving the network as part of one event. It can be said that the stateful inspection packet filtering firewall regulates network layer and transport layer behavior, while the application proxy firewall regulates the behavior of specific application protocols.
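As an added example (not code from the original article), the following Python models the difference described above: a simple packet filter that has to guess from the ACK flag whether an inbound packet is a reply, beside a stateful filter that keeps a connection table and admits inbound packets only for connections an internal host actually opened. The packet fields, addresses and the internal network prefix are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # constructed toy packet: only the header fields the filters use
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

INTERNAL_PREFIX = "10.0.0."  # assumption: the protected network is 10.0.0.0/24

def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)

def stateless_filter(pkt: Packet) -> bool:
    # Simple packet filter: allow all outbound traffic and admit inbound packets
    # that *look* like replies. Without memory of earlier packets the only clue
    # is the ACK flag, so any inbound packet carrying ACK gets through.
    if is_internal(pkt.src):
        return True
    return pkt.ack

class StatefulFirewall:
    # Stateful inspection: record the 4-tuple of every connection opened from
    # inside, and admit inbound packets only if they match a tracked connection.
    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            if pkt.syn:  # new outbound connection: add it to the state table
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reverse 4-tuple must already be in the state table.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    # Same packet sequence through both filters: (stateless, stateful) per packet.
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in packets]

# Constructed traffic: an internal client opens HTTPS to a server, the server
# replies, then an outside host sends an unsolicited ACK-flagged packet to port 22.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 443, syn=True),
    Packet("203.0.113.9", 443, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("198.51.100.7", 12345, "10.0.0.5", 22, ack=True),
]
```

compare(TRAFFIC) returns [(True, True), (True, True), (True, False)]: both filters pass the legitimate exchange, but only the stateful filter drops the unsolicited third packet, because no internal host ever opened that connection.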
(4) Composite firewall
The composite firewall refers to a new generation of firewalls that integrate stateful inspection and transparent proxying. Based on an ASIC architecture, anti-virus and content filtering are built into the firewall, and the VPN and IDS functions are integrated as well, which is a new breakthrough. Conventional firewalls do not prevent attacks hidden in network traffic; scanning the application layer at the network interface and combining antivirus, content filtering and the firewall reflects a new idea in network and information security. It implements OSI Layer 7 content scanning at the network boundary and applies application layer services such as virus protection and content filtering at the network edge in real time.