2025-01-14 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
What is a firewall?
A firewall is a protective barrier, built from a combination of software and hardware, that sits between the intranet and the extranet, and between the local area network and the extranet. Like a wall, it forms a secure gateway between networks and protects the intranet from unauthorized users.
Anyone familiar with the Internet will be no stranger to firewalls: whether it is the firewall built into the computer, a general software firewall or a hardware firewall, most people know at least something about them. Computer viruses are now the norm, so how do you prevent outsiders from accessing your system and sensitive data? The easiest way is to use a firewall.
What is the difference between a hardware firewall and a software firewall?
Hardware firewall: the "software firewall" is embedded in the hardware. The firewall program is built into a chip and the hardware performs these functions, which reduces the CPU load on the computer or server. The "hardware firewall" sold by a typical software security vendor is hardware custom-built by a server hardware manufacturer, into which the vendor embeds a Linux system together with its own software.
Software firewall: generally developed for an operating system platform, with the software installed and configured directly on the computer. Because customers run many different operating systems, software firewalls need to support a variety of them, such as Unix, Linux, SCO-Unix and Windows.
A hardware firewall isolates the internal and external networks through a combination of hardware and software, while a software firewall does so purely in software.
I. Stability
How stable a firewall is depends mainly on the platform it runs on, that is, the operating system.
The hardware firewall generally runs a Linux system with a custom-compiled kernel. The high reliability and stability of Linux itself ensures the overall stability of the firewall.
The Linux system will never crash; its stability comes from a kernel that is not as large and flaw-ridden as those of other operating systems. The stability of a system depends mainly on the structure of its design. The structure of computer hardware has not changed much since it was designed in 1981, and continuous backward compatibility means that applications written in a very poor programming style can just barely be ported to the latest version of Windows. This "makeshift software development mode" has greatly hindered improvements in system stability.
The widely watched open source development model of Linux ensures that any system vulnerabilities can be found and corrected in time. Linux adopts many security measures, including "access control of read and write", "subsystem with protection", "audit tracking" and "core authorization", which provide the necessary security guarantees for users in a networked multi-user environment.
Software firewalls are generally installed on the Windows platform. They are easy to implement, but the vulnerabilities and instability of the Windows operating system itself also cause security and stability problems for the software firewall. Although Microsoft is trying to fix these problems, Windows still has many vulnerabilities compared with the Linux operating system.
In terms of virus damage, there have been almost no virus infections on Linux since its development began. Viruses based on vulnerabilities in the Windows operating system need little comment: anyone who has used a PC (personal computer) for a long time has a general feel for them.
II. Main indicators
"Throughput" and "message forwarding rate" are the main indicators of firewall applications.
Throughput: data on the network is made up of packets, and the firewall consumes resources to process each one. Throughput is the number of packets that pass through the firewall per unit time without packet loss. It is an important indicator of firewall performance.
The hardware of a hardware firewall is custom-built by professional manufacturers, and throughput is fully considered from the start of the design. On this point it is far better than a software firewall, whose hardware is chosen and configured by the user when buying a computer, often without considering throughput at all. The Windows system itself also consumes hardware resources, so the throughput of a software firewall and its ability to handle large data streams are far below those of a hardware firewall.
If the throughput is too low, the firewall becomes the bottleneck of the network, causing problems such as slow network speed and insufficient Internet bandwidth.
III. Working principle
Software firewalls generally use a "packet filtering mechanism". The filtering rules are simple and can only inspect up to the third layer, the network layer, checking only the source or destination IP. Their capability is far below that of a hardware firewall: they cannot deal with even the most basic attack technique, "IP camouflage" (IP spoofing), and because they have to check every packet that passes, they are relatively slow.
The hardware firewall mainly adopts the fourth-generation "state detection mechanism" (stateful inspection). When a connection is initiated, state detection checks whether the rules allow the connection to be established and then adds a record to the cached state detection table. Later packets do not need to be checked against the rules again; looking them up in the state detection table is enough, which greatly improves speed.
Because it works at a higher level, the defensive capability of the hardware firewall is much stronger than that of the software firewall. The state detection mechanism tracks not only the information contained in the packet but also records other useful information that helps identify the packet and track its status, for example existing network connections and outgoing requests for data.
For example, if an incoming packet contains a video data stream and the firewall may already have recorded the relevant information and matched it, the packet can be allowed to pass.
Hardware and software firewalls differ greatly in their implementation mechanisms, which in turn leads to a great difference in their resistance to attacks.
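The state detection table described above, as an added example that is not part of the original article: a minimal Python model in which the rule set is consulted only when a connection is initiated and replies are matched against the state table, shown beside an IP-only packet filter. The addresses, port policy, class and function names are all constructed for illustration.

```python
from dataclasses import dataclass

INTRANET = "10.0.0."             # constructed intranet prefix (simplified match)
TRUSTED_REMOTE = "203.0.113.10"  # constructed "trusted" outside server
ALLOWED_OUT_PORTS = {443}        # constructed policy: intranet may open HTTPS

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only on the packet that initiates a connection

def stateless_filter(pkt):
    """Layer-3 packet filter: every packet is judged on IP addresses alone."""
    if pkt.src.startswith(INTRANET):
        return True
    return pkt.src == TRUSTED_REMOTE and pkt.dst.startswith(INTRANET)

class StatefulFirewall:
    def __init__(self):
        self.state_table = set()  # one entry per allowed connection
        self.rule_checks = 0      # how often the rule set was consulted
    def _rules_allow(self, pkt):
        self.rule_checks += 1
        return (pkt.syn and pkt.src.startswith(INTRANET)
                and pkt.dport in ALLOWED_OUT_PORTS)
    def handle(self, pkt):
        conn = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if conn in self.state_table or reply_of in self.state_table:
            return True           # known connection: table lookup only
        if self._rules_allow(pkt):
            self.state_table.add(conn)  # record the new connection
            return True
        return False              # no state entry and no rule allows it

def demo():
    fw = StatefulFirewall()
    opening = Packet("10.0.0.5", 50000, TRUSTED_REMOTE, 443, syn=True)
    reply = Packet(TRUSTED_REMOTE, 443, "10.0.0.5", 50000)
    # Unsolicited packet that merely claims the trusted source address.
    unsolicited = Packet(TRUSTED_REMOTE, 443, "10.0.0.9", 40000)
    return {"open": fw.handle(opening), "reply": fw.handle(reply),
            "stateless_unsolicited": stateless_filter(unsolicited),
            "stateful_unsolicited": fw.handle(unsolicited),
            "rule_checks": fw.rule_checks}

if __name__ == "__main__":
    print(demo())
```

The reply passes without a second rule check because it matches the recorded connection, while the unsolicited packet is accepted by the IP-only filter and dropped by the state table lookup.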
IV. Intranet control
Because of the way it works, a software firewall offers no concrete control and management of the intranet: for example, it cannot block QQ, cannot prevent viruses well, and cannot apply Internet access control to specific IP and MAC addresses. Its main function is protection against the outside.
In a hardware firewall, building on the state detection mechanism, security vendors can develop application-layer filtering rules for different market needs in order to control the intranet. Filtering at this higher level achieves many things that software firewalls cannot. In particular, for the widespread ARP virus, the hardware firewall applies policies based on how the virus works, which completely removes the harm of the ARP virus.
Firewalls are not limited to external defense; they also address problems inside the network, such as slow or intermittent Internet access and abnormal email sending and receiving.
The main cause lies in how intranet users behave. For example, many users download with BT and browse disreputable websites during office hours, which introduces many security risks to the intranet, such as viruses; much virus transmission is caused by users' bad behavior. Control and management of intranet users is therefore very necessary.