There are several types of firewalls.
Problem description:
Trouble! Very anxious!! Thank you.
Analysis:
Look at this.
Firewall classification 1
If divided into software and hardware forms, firewalls can be divided into software firewalls, hardware firewalls and chip-level firewalls.
The first type: software firewall
The software firewall runs on a specific computer and needs the support of the operating system pre-installed by the customer on that computer. Generally speaking, this computer is the gateway of the whole network. It is commonly known as a "personal firewall". A software firewall, like any other software product, needs to be installed on the computer before it can be used. Among firewall manufacturers, Checkpoint is the most famous maker of network software firewalls. Using this kind of firewall requires network administrators to be familiar with the operating system platform on which it runs.
The second type: hardware firewall
The hardware firewall mentioned here refers to the "so-called hardware firewall". The word "so-called" is added to distinguish it from the chip-level firewall. The biggest difference between the two is whether it is based on a dedicated hardware platform. At present, most firewalls on the market are so-called hardware firewalls, which are based on the PC architecture and are not much different from ordinary home PCs. These PC-based computers run some simplified operating system; the most commonly used are the old Unix, Linux and FreeBSD systems. It is worth noting that because this kind of firewall still uses a third-party kernel, it is still affected by the security of the OS itself.
The traditional hardware firewall should generally have at least three ports, which are connected to the intranet, the extranet and the DMZ area (demilitarized zone) respectively. Nowadays, some new hardware firewalls often expand the ports. Common four-port firewalls generally use the fourth port as the configuration port and management port. Many firewalls can further expand the number of ports.
The third type: chip-level firewall
The chip-level firewall is based on a special hardware platform and has no operating system. Proprietary ASIC chips make it faster, more powerful and higher-performing than the other kinds of firewalls. The most famous manufacturers of this kind of firewall are NetScreen, FortiNet, Cisco, etc. Because this kind of firewall uses a dedicated OS (operating system), the firewall itself has fewer loopholes, but the price is relatively high.
Firewall classification 2
Although there are many firewall technologies, they can be generally divided into two categories: "packet filtering" and "application proxy". The former is represented by Israel's Checkpoint firewall and Cisco's PIX firewall, while the latter is represented by the Gauntlet firewall of NAI in the United States.
(1) Packet filtering type
A packet filtering firewall works in the network layer and transport layer of the OSI network reference model, and it decides whether to pass a packet according to the source address, destination address, port number and protocol type in the packet header. Only packets that meet the filtering conditions are forwarded to their destination; the rest are discarded from the data stream.
Packet filtering is a universal, cheap and effective security means. It is universal because it does not adopt a special treatment method for each specific network service and is applicable to all network services; it is cheap because most routers provide a packet filtering function, so most of these firewalls are integrated into routers; it is effective because it can meet the security needs of most enterprises to a great extent.
In the development of firewall technology, two different versions of packet filtering technology have appeared, which are called "first generation static packet filtering" and "second generation dynamic packet filtering" respectively.
● First generation static packet filtering firewall
This kind of firewall appeared at almost the same time as the router. It examines each packet according to the defined filtering rules to determine whether it matches a specific packet filtering rule. Filtering rules are formulated according to the header information of the packet. Header information includes the IP source address, IP destination address, transport protocol (TCP, UDP, ICMP, etc.), TCP/UDP destination port, ICMP message type, etc.
● Second generation dynamic packet filtering firewall
This firewall adopts the method of dynamically setting packet filtering rules to avoid the problems of static packet filtering. This technology later developed into stateful inspection technology. A firewall adopting this technology keeps track of every connection established through it, and can dynamically add or update entries in the filtering rules as needed.
The advantage of packet filtering is that it does not need to change the application programs on the client and the host, because it works in the network layer and the transport layer and has nothing to do with the application layer. But its weakness is also obvious: the basis of the filtering decision is only the limited information of the network layer and transport layer, so it cannot fully meet all kinds of security requirements; in many filters, the number of filtering rules is limited, and as the number of rules increases, performance is greatly affected; due to the lack of context-related information, UDP, RPC and other protocols cannot be effectively filtered; in addition, most filters are vulnerable to "address spoofing" attacks because they lack auditing and alarm mechanisms and can only rely on header information, but cannot verify the identity of users. High demands are placed on security administrators, so when establishing security rules, one must have a deeper understanding of the protocol itself and its role in different applications. Therefore, filters are usually combined with application gateways to form a firewall system.
(2) Application proxy type
The application proxy firewall works at the highest level of OSI, that is, the application layer. Its characteristic is to completely "block" the network communication traffic, and realize the monitoring function of the application layer communication traffic by writing a special agent program for each application service. Its typical network structure is shown in the figure.
In the development process of proxy firewall technology, it has also experienced two different versions, namely, the first generation application gateway proxy firewall and the second generation adaptive proxy firewall.
The first generation application gateway firewall.
This firewall participates in the whole process of the TCP connection through proxy technology. After being processed by such a firewall, packets sent from the inside appear to come from the firewall's external network interface card, thus achieving the function of hiding the internal network structure. This kind of firewall is recognized by network security experts and the media as the safest firewall. Its core technology is proxy server technology.
Second generation adaptive proxy firewall
It is a new type of firewall that has been widely used in recent years. It can combine the security of the proxy firewall with the high speed of the packet filtering firewall, and improve the performance of the proxy firewall by more than 10 times without losing security. This type of firewall has two basic elements: an adaptive proxy server and dynamic packet filtering.
There is a control channel between the adaptive proxy server and dynamic packet filtering. When configuring the firewall, users only need to set the required service type, security level and other information through the management interface of the corresponding proxy. Then, according to the user's configuration information, the adaptive proxy can decide whether to use the proxy service to proxy requests at the application layer or to forward packets at the network layer. If it is the latter, it dynamically tells the packet filter to add or remove filtering rules to meet the user's dual requirements of speed and security.
The most prominent advantage of proxy firewall is security. Because it works at the highest level, it can filter and protect data communication at any layer of the network, instead of just filtering data at the network layer like packet filtering.
In addition, the proxy firewall is a proxy mechanism, which can establish a special proxy for each application service, so the communication between the internal and external networks is not direct, but needs to be audited by the proxy server first and then connected by the proxy server. There is therefore no chance of a direct dialogue between internal and external network computers, which prevents intruders from invading the internal network by using data-driven attacks.
The biggest disadvantage of the proxy firewall is its slow speed. When users have high requirements for the throughput of the gateway between the internal and external networks, the proxy firewall will become the bottleneck between them. That is because the firewall needs to establish a special proxy service for each different network service, and it takes time for its own proxy programs to establish connections for internal and external network users, which brings some negative effects to the system, although these are usually not obvious.
Firewall classification 3
From the perspective of firewall structure, there are three kinds of firewalls: single host firewall, router integrated firewall and distributed firewall.
The single host firewall is the most traditional firewall; it is independent of other network devices and located at the network boundary.
In fact, this firewall is similar in structure to a computer (as shown below), and it also includes basic components such as a CPU, memory and hard disk. Of course, the motherboard is indispensable, and there are also South Bridge and North Bridge chips on the motherboard. The main difference between it and a general computer is that a general firewall integrates two or more Ethernet cards, because it needs to connect more than one internal and external network. The hard disk is used to store the basic programs used by the firewall, such as packet filtering and proxy server programs, and some firewalls also record logs on this hard disk. Even so, it cannot be said that it is just like our ordinary PC, because its working nature determines that it must have very high stability, practicality and very high system throughput performance. Because of this, a configuration that looks similar to a PC's is priced far above one.
With the development of firewall technology and the improvement of application requirements, many changes have taken place in the firewall of single host in the past. The most obvious change is that many high-end routers integrate firewall functions, and some firewalls are no longer an independent hardware entity, but a system composed of multiple software and hardware. This kind of firewall is commonly known as "distributed firewall".
The original single host firewall is very expensive, and only a few large enterprises can afford it. In order to reduce the network investment of enterprises, many high-end routers have integrated firewall functions, such as the Cisco IOS firewall series. But this kind of firewall is usually a low-level packet filtering type. In this way, enterprises do not need to buy routers and firewalls at the same time, which greatly reduces the purchase cost of network equipment.
The distributed firewall is no longer located only at the boundary of the network, but penetrates into every host of the network to protect the hosts of the whole internal network. Software for firewall system management is usually installed on the network server, and a PCI firewall card with an integrated network card function is installed in the server and each host, so that one firewall card has the dual functions of network card and firewall. Such a firewall system can completely protect the internal network. Each host regards any communication connection sent by other hosts as "untrusted" and subjects it to strict filtering, unlike the traditional border firewall, which only "distrusts" communication requests sent from the external network.
Firewall classification 4
According to the deployment position of firewalls, they can be divided into three categories: border firewalls, personal firewalls and mixed firewalls.
The border firewall is the most traditional firewall. It isolates the internal and external networks and protects the internal network at the border. This kind of firewall is generally a hardware type, which is more expensive and has better performance.
The personal firewall is installed on a single host and protects only that host. This kind of firewall is used by a large number of individual users, is usually a software firewall, and is the cheapest and has the worst performance.
The hybrid firewall can be said to be a "distributed firewall" or "embedded firewall". It is a complete firewall system consisting of several software and hardware components, distributed between the internal and external network boundary and the internal hosts. It not only filters the communication between the internal and external networks, but also filters the communication between hosts within the network. It is one of the latest firewall technologies, with the best performance and the most expensive price.
Firewall classification 5
According to the performance of firewall, it can be divided into two categories: 100 megabit firewall and gigabit firewall.
Because the firewall is usually located at the boundary of the network, it cannot be just ten megabit. This mainly refers to the channel bandwidth, or throughput, of the firewall. Of course, the wider the channel bandwidth, the higher the performance, the smaller the delay caused by packet filtering or application proxying, and the smaller the impact on the performance of the whole network.
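The answer's packet filtering section contrasts first-generation static filtering (header fields matched against a fixed rule list) with second-generation dynamic filtering (entries added as connections are tracked). The following is an added illustration, not code from the original post, with a constructed rule list and constructed packets; it shows why a static filter either blocks the reply to a permitted outbound connection or needs a permanent inbound rule, while the stateful variant admits the reply and still drops an unsolicited inbound packet.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample packets: only the header fields a packet filter can see
# (network and transport layer), never the application payload.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "*"               # "*" matches any address
    dst: str = "*"
    proto: str = "*"
    dport: Optional[int] = None  # None matches any destination port
    def matches(self, p: Packet) -> bool:
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.proto in ("*", p.proto)
                and self.dport in (None, p.dport))

def static_filter(rules, p: Packet) -> str:
    """First-generation static filtering: first matching rule wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class StatefulFilter:
    """Second-generation dynamic filtering: an allowed outbound packet records the
    connection, so the reply direction passes without a static rule for it."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = set()       # (client, server, proto) tuples being tracked
    def check(self, p: Packet) -> str:
        if (p.dst, p.src, p.proto) in self.conns:    # reply to a tracked connection
            return "allow"
        verdict = static_filter(self.rules, p)
        if verdict == "allow":
            self.conns.add((p.src, p.dst, p.proto))  # dynamically added entry
        return verdict

# Constructed policy: the internal host may open HTTP to the outside; all else denied.
RULES = [Rule("allow", src="10.0.0.5", proto="tcp", dport=80)]
REQUEST = Packet("10.0.0.5", "203.0.113.10", "tcp", 80)
REPLY = Packet("203.0.113.10", "10.0.0.5", "tcp", 50000)       # server's answer
UNSOLICITED = Packet("198.51.100.7", "10.0.0.5", "tcp", 50000)  # no prior request

def demo():
    sf = StatefulFilter(RULES)
    return (static_filter(RULES, REQUEST), static_filter(RULES, REPLY),
            sf.check(REQUEST), sf.check(REPLY), sf.check(UNSOLICITED))
```

The static filter returns deny for the reply because nothing in the header distinguishes it from the unsolicited packet; only the connection table does.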