A firewall is a system or group of systems that enforces an access control policy between networks. The actual means by which this is accomplished varies widely, but in principle a firewall can be thought of as a pair of mechanisms: one that blocks traffic and one that permits traffic. Some firewalls place a greater emphasis on blocking traffic, others on permitting it. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you are not sure what kind of access you need to allow or deny, you may end up letting someone else, or some product, configure the firewall according to what they think should be done, and then they will be the ones formulating your organization's access policy.
2. Why do you need a firewall?
Like any other society, the Internet is plagued by idle troublemakers who enjoy the electronic equivalent of spraying graffiti on other people's walls, tearing down other people's mailboxes or sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Generally speaking, the purpose of a firewall is to keep those troublemakers out of your network while still letting you get your job done.
Many traditional enterprises and data centers have computing security policies and practices that must be followed. Where a company's security policy dictates that data must be protected, a firewall is all the more important, because it is the concrete embodiment of the corporate policy. If your company is a large enterprise, the hardest part of hooking up to the Internet is often not the cost or the work involved but convincing management that it is safe to do so. A firewall not only provides real security but also plays an important role as a security blanket for management.
Finally, a firewall can act as the enterprise's "ambassador" to the Internet. Many enterprises use their firewall systems as a place to store public information about their products and services, files to download, bug fixes and so forth. Several of these systems have become important parts of the Internet service structure (for example UUnet.uu.net, whitehouse.gov and gatekeeper.dec.com) and have reflected well on their sponsoring organizations.
3. What can a firewall guard against?
Some firewalls permit only email traffic through them, thereby protecting the network against any attack other than one against the email service. Other firewalls provide less strict protection and block only those services that are known to be problems.
Generally speaking, firewalls are configured to protect against unauthorized interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside but permit users on the inside to communicate freely with the outside. If you unplug it, a firewall can protect you against any type of network-borne attack.
Another very important feature of a firewall is that it provides a single "choke point" where security and audit controls can be imposed. Unlike the situation where a computer system is being attacked by someone dialling in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide important logging and auditing functions; they often give administrators a summary of what kinds and amounts of traffic passed through them and how many attempts were made to break in.
4. What can't a firewall guard against?
Firewalls can't protect against attacks that don't go through the firewall. Many enterprises connected to the Internet are very concerned about proprietary data leaking out through that access path. Unfortunately for those concerned, a magnetic tape can be used just as effectively to export data. Many organizations whose management is terrified of Internet access have no coherent policy on how dial-in access via modems should be protected. It is silly to install a six-foot-thick steel door when you live in a wooden house, yet many organizations buy expensive firewalls and neglect the several other back doors into their network. For a firewall to work, it must be an integral part of the security architecture of the whole organization. Firewall policy must be realistic and reflect the level of security of the entire network. For example, a site that stores top-secret or classified data does not need a firewall at all: it should not be connected to the Internet in the first place, or the systems holding the truly secret data should be isolated from the rest of the corporate network.
Another danger a firewall can't really protect you against is traitors or idiots inside your network. Although an industrial spy might export information through the firewall, he is just as likely to do it by telephone, fax machine or floppy disk. Floppy disks are a far more likely medium for leaking an organization's secrets than the firewall! Firewalls also cannot protect you against stupidity. Users who give out sensitive information over the telephone are good targets for social engineering; if an attacker can find a "helpful" employee inside and talk him into giving access to a modem pool, the attacker may be able to bypass the firewall entirely and break into your network.
5. Can a firewall prevent virus attacks?
Firewalls can't protect very well against things like viruses. There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses, to try to search for them all. In other words, a firewall cannot substitute for security-consciousness on the part of users. In short, a firewall cannot protect against a data-driven attack: an attack in which something is mailed or copied to an internal host and then executed there. In the past, versions of sendmail, ghostscript and other free PostScript viewers have all been hit by this kind of attack.
Organizations that are deeply concerned about viruses should implement virus control measures throughout the organization. Rather than trying to keep viruses out at the firewall, make sure that every vulnerable desktop system has virus scanning software that runs as soon as the machine boots. Blanketing your network with virus scanning software protects against viruses that arrive via floppy disks, modems and the Internet alike. Trying to block viruses at the firewall only protects against viruses from the Internet, and most viruses are caught via floppy disks.
Nevertheless, more and more firewall vendors are offering "virus detecting" firewalls. Such a firewall is only useful for naive users who exchange Windows-on-Intel executable programs and documents for applications with malicious-macro capability. Don't count on this feature to provide any protection against attacks.
6. What basic design decisions need to be made in firewall design?
The person lucky enough to be responsible for designing a firewall, drawing up the engineering plan and implementing or overseeing the installation faces a number of basic design problems.
The first and most important issue is that the design should reflect the policy of how your company or organization intends to operate the system: is the firewall in place to explicitly deny all services except those essential to the mission of connecting to the network, or is it in place to provide a metered and audited method of "queuing" access in a non-threatening manner? There are degrees of paranoia between these positions; the final stance of your firewall may be more a management decision than an engineering one.
The second question is: what level of monitoring, redundancy and control do you want? Having settled the first issue and established the acceptable level of risk (that is, how paranoid you are), you can list which traffic must be monitored, which must be permitted and which must be denied. In other words, you start by setting out your overall objectives, then combine a needs analysis with a risk assessment and sort the almost always conflicting requirements into a list of planned work.
The third issue is financial. We can only discuss this vaguely here, but it is important to try to quantify any proposed solution in terms of how much it will cost to buy or to implement. For example, a complete firewall product may cost up to $654.38 million at the high end, while a low-end option may be free. The free option, doing some fancy configuring on a Cisco or similar router, will cost you nothing but staff time and a few cups of coffee. Building a high-end firewall from scratch may take several man-months, which may equate to $30,000 worth of staff salary and benefits. Systems management overhead is also a consideration. Building a home-grown firewall is fine, but it is important to build it so that it doesn't need constant (and expensive) attention. In other words, when evaluating a firewall you should look not only at what it costs now but also at the continuing costs, such as support.
For all practical purposes, what we are discussing is a static traffic routing service placed between the network service provider's router and your internal network. Based on that fact, several technical decisions need to be made. Traffic routing can be implemented at the IP layer through filtering rules (for example in a router) or at the application layer through proxy gateways and services.
The decision to be made is whether to place an exposed, stripped-down machine on the outside network to run proxy services for telnet, ftp, news and so on, or whether to set up a screening router as a filter, permitting communication with one or more internal machines. There are pros and cons to both approaches. Proxies provide a greater level of audit and potentially more security, at the cost of increased configuration effort and a reduced level of service (since a proxy has to be developed for each required service). The old trade-off between ease of use and security comes back to haunt us once again.
7. What are the basic types of firewalls?
Conceptually, there are two types of firewalls:
1. Network-level firewalls
2. Application-level firewalls
The differences between the two are not as great as you might think. Recent technologies are blurring the distinction to the point where it is no longer obvious which one is "better" or "worse". As always, you need to carefully pick the type of firewall that meets your needs.
Network-level firewalls generally make their decisions based on the source address, destination address and ports in individual IP packets. A simple router is the "traditional" network-level firewall, since it cannot make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Modern network-level firewalls have become increasingly sophisticated and can now maintain information about the state of connections passing through them, the contents of some of the data streams, and so on. One important distinction about many network-level firewalls is that they route traffic directly through them, so to use one you usually need a validly assigned IP address block. Network-level firewalls tend to be very fast and transparent to users.
Example of a network-level firewall: in this example, a network-level firewall called a "screened host firewall" is shown. In a screened host firewall, access to and from a single host is controlled by means of a router operating at the network layer. That single host is a bastion host, a highly defended and secured strong-point that can (hopefully) resist attack.
Example of a network-level firewall: in this example, the so-called "screened subnet firewall" is shown. In a screened subnet firewall, access to and from a whole network is controlled by means of a router operating at the network layer. It is similar to a screened host, except that it is, effectively, a network of screened hosts.
Application-level firewalls are generally hosts running proxy servers, which permit no traffic directly between networks and which log and audit the traffic passing through them. Since the proxy applications are software components running on the firewall, it is a good place to implement logging and access control. An application-level firewall can be used as a network address translator, since traffic goes in one side and out the other after passing through an application that effectively masks the origin of the initiating connection. In some cases, having an application in the way may affect performance and make the firewall less transparent. Early application-level firewalls, such as those built with the TIS firewall toolkit, are not particularly transparent to end users and may require some training. Compared with network-level firewalls, application-level firewalls tend to provide more detailed audit reports and enforce more conservative security models.
Example of an application-level firewall: in this example, an application-level firewall called a "dual-homed gateway" is shown. A dual-homed gateway is a highly secured host that runs proxy software. It has two network interfaces, one on each network, and blocks all traffic passing through it.
The future of firewalls lies somewhere between network-level and application-level firewalls. Network-level firewalls are likely to become increasingly "aware" of the information going through them, while application-level firewalls are likely to become increasingly "low-level" and transparent. The end result will be a fast packet-screening system that logs and audits the data streams passing through it. More and more firewalls (both network and application level) incorporate encryption, which lets them protect the traffic flowing between them over the Internet. Organizations with multiple points of Internet connectivity can use firewalls with end-to-end encryption, and can thereby use the Internet as a "private backbone" without worrying about their data or passwords being sniffed.
8. What is a "single point of failure"? How to avoid this failure?
An architecture whose security hinges on a single mechanism has a single point of failure. The software running on a bastion host has bugs. Applications have bugs. The software controlling routers has bugs. It makes sense to use all of these components to build a securely designed network, and to use them in redundant ways.
If your firewall architecture is a screened subnet, you have two packet filtering routers and a bastion host. (See question 2 in this section.) The Internet access router does not permit traffic from the Internet to get all the way into your private network. However, if that rule is not also enforced by some other mechanism on the bastion host and/or the choke router, an attacker gets inside as soon as a single component of the architecture fails or is compromised. On the other hand, if there is a redundant rule on the bastion host and another on the choke router, the attacker has to defeat three mechanisms.
Furthermore, if the bastion host or choke router has to invoke its rules to block outside access to the internal network, you might want it to trigger an alarm of some sort, since you then know that someone has gotten through your access router.
9. How to keep all malicious transmissions out?
For firewalls where the emphasis is on security rather than connectivity, you should consider blocking all traffic by default and permitting only the services you need, on a case-by-case basis.
If you block everything except a specific set of services, you have already made your job much simpler. Instead of worrying about the security of every product and service around, you only need to worry about the security of that specific set of products and services. :-)
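As an added example (not part of the FAQ), the following models the default-deny policy described above as a screening router would apply it, including the "established" rule the FAQ mentions for permitting replies to inside-initiated connections. The addresses, port numbers and packets are constructed; the stateful variant at the end is included to show what the header-bit check alone does not cover.

```python
"""Default-deny screening with an "established" rule, plus a stateful variant.

Added example: models the policy of blocking everything by default and
permitting only published services plus replies to connections the inside
opened. Addresses are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple
import ipaddress

INSIDE = ipaddress.ip_network("192.0.2.0/24")      # constructed internal block


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                                     # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()            # TCP flags, e.g. {"SYN"}, {"ACK"}


def is_established(pkt: Packet) -> bool:
    """Router-style 'established' keyword: matches when ACK or RST is set.

    It inspects header bits only; it has no idea whether a connection exists.
    """
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


def stateless_inbound(pkt: Packet, published: Set[int]) -> str:
    """Screening-router decision for outside -> inside packets.

    Rule order: published services, then 'established' replies, then the
    default deny that everything else falls through to.
    """
    if ipaddress.ip_address(pkt.dst) not in INSIDE:
        return "deny"
    if pkt.proto == "tcp" and pkt.dport in published:
        return "permit"                            # e.g. SMTP to the mail gateway
    if is_established(pkt):
        return "permit"                            # presumed reply to an inside client
    return "deny"                                  # everything else is blocked


@dataclass
class StatefulFilter:
    """Same policy, but a reply is only accepted for a connection actually seen
    leaving the inside, which closes the gap in the flag-based check above."""
    published: Set[int]
    table: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def outbound(self, pkt: Packet) -> str:
        # Inside clients may open connections; remember each one we let out.
        if ipaddress.ip_address(pkt.src) in INSIDE:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        return "deny"

    def inbound(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.dst) not in INSIDE:
            return "deny"
        if pkt.proto == "tcp" and pkt.dport in self.published:
            return "permit"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "permit"                        # reply to a connection we saw start
        return "deny"
```

The stateless filter permits any inbound packet with ACK set, whether or not an inside host ever opened that connection; the stateful filter only permits replies it can match to an outbound record.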
Before enabling a service, you should consider the following questions:
* Is the protocol for this product a well-known, published protocol?
* Is the implementation of the application that serves this protocol available for public inspection?
* How well known are this service and product?
* How does allowing this service change the firewall architecture? Will an attacker see things differently? Can an attacker use it to access my internal network, or to change things on the hosts in my DMZ?
While considering the above, keep the following advice in mind:
* "Security through obscurity" is no security at all. Many unpublished protocols have been examined by the bad guys and defeated.
* Despite what the marketing representatives say, not every protocol or service is designed with security in mind. In fact, the number that are is very small.
* Even where security is a consideration, not all organizations have competent security personnel. Among those that don't, not all are willing to bring a qualified consultant into the engineering project. The result is that otherwise competent, well-intentioned developers design insecure systems.
* The less a vendor is willing to tell you about how their system really works, the more likely it is that security (or other) problems exist. Only vendors who have something to hide have a reason to hide their design and implementation.
10. What are the common attacks? How to protect the system from their attacks?
Each site is a little different from every other in terms of the attacks likely to be used against it. Some recurring themes do arise, though.
SMTP session hijacking (spamming)
In this attack, a spammer takes many thousands of copies of a message and sends it to a huge list of email addresses. Because these lists are often so bad, and in order to speed up the operation, many spammers have resorted to simply handing all of their mail to an SMTP server that will take care of actually delivering it.
Of course, all of the bounces, complaints about the spammer, hate mail and bad press come to the site that was used as a relay. There is a very real cost to that site, mostly in paying the people who have to clean up the mess afterwards.
The Mail Abuse Prevention System (MAPS) Transport Security Initiative describes this problem in detail, along with how to configure each mailer to protect against this attack.
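The anti-relay rule that such mailer configurations implement, as an added example (not from the FAQ or from MAPS): a RCPT TO is accepted only when the connecting client is on our own network or the recipient's domain is one we deliver for; everything else is the outsider-to-outsider pattern a spammer relies on. The networks, domains and session lines are constructed.

```python
"""Relay policy check for an SMTP server (added example, constructed data).

Accept a recipient only if the client is one of ours or the recipient is one
of ours; refuse to carry mail from a stranger to a stranger.
"""
from typing import List, Optional, Tuple
import ipaddress

LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: our own hosts
LOCAL_DOMAINS = {"example.com", "mail.example.com"}       # constructed: domains we deliver for


def parse_recipient(rcpt_arg: str) -> Optional[str]:
    """Extract the domain from a RCPT TO argument such as '<user@host>'.

    Returns None for malformed addresses, which callers reject outright.
    """
    arg = rcpt_arg.strip()
    if arg.startswith("<") and arg.endswith(">"):
        arg = arg[1:-1]
    local, sep, domain = arg.rpartition("@")
    if not sep or not local or not domain:
        return None
    # Source routes ('@relay:user@dest') and percent hacks ('user%dest@relay')
    # are old ways of asking a mailer to forward on; treat them as malformed.
    if "@" in local or ":" in local or "%" in local:
        return None
    return domain.lower()


def relay_decision(client_ip: str, rcpt_arg: str) -> Tuple[int, str]:
    """Return the SMTP reply (code, text) for a RCPT TO sent by client_ip."""
    domain = parse_recipient(rcpt_arg)
    if domain is None:
        return 501, "Syntax error in recipient address"
    if domain in LOCAL_DOMAINS:
        return 250, "OK"                       # local delivery is always allowed
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in LOCAL_NETWORKS):
        return 250, "OK"                       # our own users may send outbound mail
    return 550, "Relaying denied"              # stranger to stranger: refuse


def rcpt_replies(client_ip: str, rcpt_lines: List[str]) -> List[str]:
    """Apply the policy to each 'RCPT TO:<...>' line of a session; returns the replies."""
    replies = []
    for line in rcpt_lines:
        if not line.upper().startswith("RCPT TO:"):
            replies.append("503 Bad sequence of commands")
            continue
        code, text = relay_decision(client_ip, line[len("RCPT TO:"):])
        replies.append(f"{code} {text}")
    return replies
```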
Exploiting bugs in applications
Various versions of web servers, mail servers and other Internet service software contain bugs that allow remote (Internet) users to do anything from taking control of the machine to crashing the application.
Running only the necessary services, keeping up to date with patches, and using products that have been around for a while can reduce the chance of encountering this risk.
Exploiting bugs in the operating system
Like attacks against applications, these are usually initiated by remote users. Operating systems that are relatively new to IP networking tend to be more problematic, while mature operating systems have had time to find and eliminate their bugs. An attacker can typically cause the machine to reboot, crash, lose the ability to talk to the network, or have files replaced.
Here, running as few operating system services as possible helps to prevent attacks on the system. In addition, placing a packet filter in front of the operating system can greatly reduce the number of such attacks.
And, of course, choosing a stable operating system will also help. When selecting an operating system, don't be fooled into believing that "the more expensive, the better". Free operating systems are often much more robust than their commercial counterparts.
11. Do I have to meet all the requirements of the users?
The answer to this question may well be "no". Each site has its own policy about what it does and doesn't need, but it is important to remember that one of the main jobs of an organization's gatekeeper is education. Users want streaming video, real-time chat, and to offer external customers interactive queries against real-time databases on the internal network.
That doesn't mean any of these things can be done without presenting more risk to the organization than the supposed "value" of heading down that road is worth. Most users don't want to put their organization at risk; they just see the trademarks and advertisements and want to do those things too. It is important to find out what users really want to do, and to help them understand how they might accomplish their real objective in a more secure manner.
You won't always be popular. You might even find yourself being ordered to do something incredibly stupid, like "just open all the ports", but don't worry about it. At that point it is wise to keep a record of all your exchanges on the matter, so that when a twelve-year-old kid breaks into the network, you'll at least be able to separate yourself from the whole mess.
12. How to run Web/HTTP through your own firewall?
There are three ways to do this:
1. If you are using a screening router, allow "established" connections outbound through the router.
2. Use a Web client that supports SOCKS, and run SOCKS on the bastion host.
3. Run a Web server that supports proxying on the bastion host. Options include the proxy from the TIS firewall toolkit, Squid, Apache and Netscape Proxy. Practically all Web clients (Mozilla, Internet Explorer, Lynx, etc.) have built-in support for proxy servers.
13. How to use DNS when using a firewall?
Some organizations want to hide DNS names from the outside world. Many experts don't think hiding DNS names is worth much, but if site or corporate policy mandates hiding domain names, this is one approach that is known to work. Another reason you may have to hide domain names is if you have a non-standard addressing scheme on your internal network. Don't fool yourself into thinking that hiding your DNS names makes it any harder for an attacker to break into your firewall; information about what is on your network is too easily gleaned from the network layer itself. If you want to see this for yourself, ping the subnet broadcast address on your local area network and then run "arp -a". Note also that hiding names in the DNS does not address the problem of host names "leaking" out in mail headers, news articles and so on.
This approach is one of many, and is useful for organizations that wish to hide their host names from the Internet. Its success depends on the fact that the DNS client on a machine does not have to talk to a DNS server on that same machine. In other words, just because there is a DNS server on a machine, there is nothing wrong with (and there are often advantages to) redirecting that machine's DNS client activity to a DNS server on another machine.
First, set up a DNS server on the bastion host that the outside world can talk to. Configure this server so that it claims to be authoritative for your domains. In fact, all this server knows is what you want the outside world to know: the names and addresses of your gateways, your wildcard MX records, and so forth. This is the "public" server.
Then, set up a DNS server on an internal machine. This server also claims to be authoritative for your domains; unlike the public server, this one "tells the truth". It is your "normal" name server, and you put all your "normal" DNS names on it. You also configure this server to forward queries it cannot resolve to the public server (using a "forwarders" line in /etc/named.boot, for example).
Finally, configure all your DNS clients (the file /etc/resolv.conf on Unix, for example), including the ones on the machine with the public server, to use the internal server. This is the key.
An internal client asking about an internal host asks the internal server and gets an answer; an internal client asking about an external host asks the internal server, which asks the public server, which asks the Internet, and the answer is relayed back step by step. A client on the public server's machine works the same way. An external client asking about an internal host, however, gets only the "restricted" answer from the public server.
This approach assumes that there is a packet filtering firewall between the two servers that allows them to talk DNS to each other but otherwise restricts DNS between other hosts.
Another useful trick in this scheme is to use wildcard PTR records in your in-addr.arpa domain. These cause an address-to-name lookup for any of your non-public hosts to return something like "unknown" rather than an error. This satisfies anonymous FTP sites such as ftp.uu.net that insist on having a name for the machines they talk to. This approach fails when talking to sites that do a DNS cross-check, in which the host name must match its address and the address must match the host name.
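The split-horizon arrangement described in the steps above, as an added example (not from the FAQ): two servers claim authority for the same domain, the public one on the bastion host answers with only what outsiders may see, the internal one tells the truth and forwards what it cannot answer, and the public server's reverse zone carries the wildcard PTR. The domain, hosts and addresses are constructed, and "the Internet" is modelled as a third server.

```python
"""Split-horizon DNS resolution (added example, constructed zone data).

Every inside client, including the one on the bastion host, points at
INTERNAL; only outsiders ever query PUBLIC directly.
"""
from typing import Dict, Optional
import ipaddress


class NameServer:
    def __init__(self, domain: str, a_records: Dict[str, str], ptr_records: Dict[str, str],
                 ptr_net: Optional[str] = None, wildcard_ptr: Optional[str] = None,
                 forwarder: Optional["NameServer"] = None) -> None:
        self.domain = domain.lower()            # zone this server claims authority for
        self.a_records = {k.lower(): v for k, v in a_records.items()}
        self.ptr_records = ptr_records          # address -> name (the in-addr.arpa zone)
        self.ptr_net = ipaddress.ip_network(ptr_net) if ptr_net else None
        self.wildcard_ptr = wildcard_ptr        # answer for addresses we do not publish
        self.forwarder = forwarder              # where unresolvable queries go

    def _authoritative(self, qname: str) -> bool:
        return qname == self.domain or qname.endswith("." + self.domain)

    def lookup_a(self, qname: str) -> Optional[str]:
        """Name -> address. None models NXDOMAIN."""
        qname = qname.lower().rstrip(".")
        if qname in self.a_records:
            return self.a_records[qname]
        if self._authoritative(qname):
            return None                         # our zone: we know it is not there
        return self.forwarder.lookup_a(qname) if self.forwarder else None

    def lookup_ptr(self, addr: str) -> Optional[str]:
        """Address -> name, with the wildcard PTR trick for hidden hosts."""
        if addr in self.ptr_records:
            return self.ptr_records[addr]
        if self.ptr_net and ipaddress.ip_address(addr) in self.ptr_net:
            return self.wildcard_ptr            # "unknown" rather than an error
        return self.forwarder.lookup_ptr(addr) if self.forwarder else None


# "The Internet": whatever lies beyond the public server (constructed).
INTERNET = NameServer("example.net", {"www.isp.example.net": "198.51.100.80"},
                      {"198.51.100.80": "www.isp.example.net"})

# Public server on the bastion host: only the gateway / mail host is visible,
# and every other address in our block reverse-resolves to the wildcard name.
PUBLIC = NameServer("example.com",
                    {"gw.example.com": "192.0.2.1", "mail.example.com": "192.0.2.1"},
                    {"192.0.2.1": "gw.example.com"},
                    ptr_net="192.0.2.0/24", wildcard_ptr="unknown.example.com",
                    forwarder=INTERNET)

# Internal server: the real picture, forwarding what it cannot answer to PUBLIC.
INTERNAL = NameServer("example.com",
                      {"gw.example.com": "192.0.2.1", "mail.example.com": "192.0.2.1",
                       "payroll.example.com": "192.0.2.45"},
                      {"192.0.2.1": "gw.example.com", "192.0.2.45": "payroll.example.com"},
                      forwarder=PUBLIC)
```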
14. How to use FTP through the firewall?
Generally speaking, FTP can be made to work through the firewall either by using a proxy server such as ftp-gw from the firewall toolkit, or by permitting incoming connections to the network on a restricted port range (using "established" screening rules and other rules to restrict access outside that range). The FTP client is then modified to bind its data port to a port within the permitted range. To do this, you need to be able to modify the FTP client application.
In some cases, if FTP downloads are all you want to support, you might consider declaring FTP a "dead protocol" and letting users download files via the Web instead. If you choose the FTP-via-Web approach, users will not be able to transfer files using FTP, which may be a problem, depending on what you are trying to accomplish.
A different approach is to use the FTP "PASV" option to instruct the remote FTP server to let the client initiate the connection. PASV mode assumes that the FTP server on the remote system supports that operation. (See RFC 1579 for details.)
Other sites prefer to build client versions of the FTP program that are linked against a SOCKS library.
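As an added example (not from the FAQ), the following parses the two ways an FTP data connection is arranged, the PORT command of active mode and the 227 reply of PASV mode (RFC 959 / RFC 1579), and applies the policy described above: inbound data connections are only acceptable within the restricted port range, while PASV turns the data connection into an outbound one. The port window, addresses and session lines are constructed.

```python
"""FTP data-connection checks behind a screening firewall (added example).

Active mode: the server connects back to the client, so the firewall must
admit an inbound connection; the FAQ restricts that to a port window and a
modified client that binds within it. Passive mode: the client connects out.
"""
import re
from typing import Optional, Tuple

ALLOWED_INBOUND_RANGE = range(40000, 40100)   # constructed window opened on the router

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2); None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Client -> server 'PORT h1,h2,h3,h4,p1,p2': the server will connect back here."""
    if not line.upper().startswith("PORT "):
        return None
    return decode_hostport(line[5:])


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Server -> client '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)': client connects here."""
    if not line.startswith("227"):
        return None
    return decode_hostport(line)


def active_mode_allowed(port_line: str, client_ip: str) -> bool:
    """Active mode means an inbound connection from the server to the client.

    Permit it only when it targets the real client on a port inside the window
    the router has opened, which is exactly what the modified client guarantees.
    """
    hp = parse_port_command(port_line)
    if hp is None:
        return False
    ip, port = hp
    return ip == client_ip and port in ALLOWED_INBOUND_RANGE


def passive_mode_allowed(pasv_line: str, server_ip: str) -> bool:
    """Passive mode means an outbound connection from the client.

    A default-deny firewall that lets inside hosts connect out already permits
    this; we still insist the server named itself (not a third host) and an
    unprivileged port.
    """
    hp = parse_pasv_reply(pasv_line)
    if hp is None:
        return False
    ip, port = hp
    return ip == server_ip and port > 1023
```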
15. How to use telnet through the firewall?
Telnet is generally supported either by using an application proxy such as tn-gw from the firewall toolkit, or by simply configuring the router to permit outgoing connections using something like the "established" screening rules. The application proxy can take the form of a standalone proxy running on the bastion host, or of a SOCKS server and a modified client.
16. How to use RealAudio through the firewall?
RealNetworks maintains some information on how to get RealAudio through your firewall. It is unwise to make any change to your firewall without understanding exactly what the change does and what risks the new configuration brings.
17. How can the web server become the front end of the database on the private network?
The best way to do this is to allow only a very limited connection between the web server and the database server, over a specific protocol that supports only the level of functionality you are actually going to use. Allowing raw SQL, or anything else an attacker could use to perform custom extractions, is generally a bad idea.
Assume that an attacker is able to break into your web server and make queries in the same way the web server does. Is there a mechanism for extracting sensitive information the web server doesn't need, such as credit card information? Can an attacker issue a SQL SELECT and extract your entire private database?
"E-commerce" applications, like all others, are best designed with security in mind from the start rather than having security "added" afterwards. Review your architecture critically from the attacker's point of view. Assume the attacker knows every detail of your architecture. Now ask yourself what would need to be done to steal your data, make unauthorized changes, or do anything else you don't want done. You may find that you can greatly increase security without adding any functionality, simply by making a few design and implementation decisions.
Some ideas on how to do this:
As a general principle, extract only the data you need from the database, so that the web server is not making queries against an entire database containing information an attacker would be interested in. Strictly restrict and audit what is allowed to pass between the web server and the database.
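As an added example (not from the FAQ), the following contrasts the two designs discussed above on a constructed SQLite database: a web tier that pastes request text into SQL, where the request author decides what the query does, and a narrow application-specific protocol that exposes exactly the one operation the web tier needs, with fixed SQL and a bound parameter. The tables, products and operation name are constructed; the card number is a placeholder.

```python
"""Narrow web-to-database protocol versus raw SQL (added example, constructed data).

The web tier only ever needs a price lookup; the database also holds a table
the web tier has no business reading.
"""
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one table the web tier needs, one it does not."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER);
        CREATE TABLE card_numbers (customer TEXT, pan TEXT);
        INSERT INTO products VALUES ('FW-100', 'Screening router', 250000),
                                    ('FW-200', 'Bastion host', 900000);
        INSERT INTO card_numbers VALUES ('alice', 'PAN-PLACEHOLDER-0000');
    """)
    return db


def lookup_price_unsafe(db: sqlite3.Connection, sku_from_request: str) -> List[Tuple[str, int]]:
    """Request text pasted into SQL: whoever writes the request shapes the query.

    Kept here only to show what the narrow protocol below prevents.
    """
    query = f"SELECT name, price_cents FROM products WHERE sku = '{sku_from_request}'"
    return db.execute(query).fetchall()


# The complete set of operations the web tier may perform against the database.
ALLOWED_OPS = {"price_lookup"}


def handle_request(db: sqlite3.Connection, op: str, sku: str) -> Dict[str, object]:
    """Application-specific protocol: one named operation, fixed SQL, bound parameter.

    Anything outside the protocol is refused (and is worth logging at the
    firewall between the two servers, since the web tier should never send it).
    """
    if op not in ALLOWED_OPS:
        return {"error": "operation not permitted"}
    row = db.execute(
        "SELECT name, price_cents FROM products WHERE sku = ?", (sku,)
    ).fetchone()
    if row is None:
        return {"error": "no such sku"}
    name, price = row
    return {"sku": sku, "name": name, "price_cents": price}
```

With the unsafe function, a request value of `' OR '1'='1` turns a single-row lookup into a dump of the whole table; the protocol handler treats the same text as a SKU that does not exist, and has no operation through which `card_numbers` could be reached at all.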