
Stateful inspection, those things.

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

The specialized stateful firewall has long been a thing of the past; all of today's next-generation firewalls evolved from stateful firewalls. It has disappeared from the stage of history, yet it is also everywhere. This is the iterative renewal of technology. Writing this reminds me of a conversation between Zen master Thich Nhat Hanh and a little girl.

The little girl asked: I had a lovely dog; one day it died. How can I not be sad?

Zen master Nhat Hanh replied: You see beautiful clouds in the sky, and you like this cloud, just as you liked your dog. Suddenly the cloud disappears, and you think the cloud has died. Where did the cloud go? If you take the time to think about it, you will see that the cloud is not dead; it is not gone, it has only changed into rain, and when you see rain, you will see that cloud. When you see hot steam as you drink tea, you will also see that the cloud is not gone; it is alive in a new form. So it is with the dog: if you look deeper, you will see its new form.

When we learn a certain skill, sometimes there are "sparks": technology can also rise to the philosophical level; for example, Linux system design has a very clear philosophy. Sometimes there are also "sparks" between similar technologies. For example, in the past, whether listening to teachers or reading books by myself, my understanding of single-arm routing and vlanif was relatively shallow, but I thought I really understood it. Only recently, when I wrote answers for my classmates, did I find that I didn't really understand it. However, when I thought about it carefully, I suddenly figured it out. What I thought I understood was not really understood; only when I could explain it clearly and write it clearly was it real understanding. That moment of feeling is really wonderful, and I think this is why so many experts insist on writing blogs.

Okay, back to business. Let's talk about stateful firewalls seriously!

Stateful inspection is a firewall function, and a very important one: it is a milestone in the development of firewalls, and every firewall since has integrated it. We first analyze how a firewall without stateful inspection works, and then how a firewall with stateful inspection works.

Without a stateful inspection firewall

As shown in the figure above, the PC and the WEB server are located in different networks, each connected to the firewall, and communication between the PC and the WEB server is controlled by the firewall.

When the PC needs to access a web page on the WEB server, the rule listed in the table below must be configured on the firewall: allow messages from the PC to the WEB server. The "rules" referred to here are actually the security policies on the firewall. However, this section focuses on stateful inspection and the session mechanism, and security policy is not the focus, so "rules" are used to simplify the description. We'll cover security policy in a later article.

number  source address  source port  destination address  destination port  action
1       192.168.0.1     ANY          172.16.0.1           80                allowed to pass through

In this rule, ANY in the source port column means any port, because when the PC accesses the WEB server the source port is chosen randomly by the operating system and cannot be known in advance, so it is set to any port here.

After this rule is configured, the message sent by the PC passes smoothly through the firewall and reaches the WEB server, and the WEB server then sends a response message to the PC. This message also has to pass through the firewall. Before stateful inspection firewalls appeared, a packet filtering firewall also had to be configured with the rule in the following table to allow messages in the opposite direction to pass through.

number  source address  source port  destination address  destination port  action
2       172.16.0.1      80           192.168.0.1          ANY               allowed to pass through

In Rule 2, the destination port cannot be set to a specific port, because we cannot determine in advance which port the PC uses to access the WEB server. To let the WEB server's response message pass through the firewall and reach the PC, the destination port in Rule 2 can only be set to any port.

Any port means all ports, which is a great security risk: an external malicious hacker disguised as the WEB server can pass through the firewall unimpeded, and the PC faces serious security risks.

Let's look more closely. The root of the security risk is that the firewall does not know which source port the PC uses to access the WEB server, so to keep communication working it has to allow any port in the incoming direction. What if we find a way to let the firewall learn which port the PC uses to access the WEB server, and then automatically add a rule, before the WEB server's response arrives, that releases the reply: the rule's destination IP is the PC's source IP, and its destination port is the PC's source port. This can certainly be realized, and in fact the stateful inspection mechanism is realized in exactly this way. So let's look at what the access process between the two becomes once there is a stateful inspection mechanism.

After using a stateful inspection firewall

Still taking the network environment above as an example, Rule 1 first has to be set on the firewall to allow messages from the PC to the WEB server. When the message arrives at the firewall, the firewall allows it to pass and, at the same time, establishes a session for the behavior "PC accesses the WEB server", which records the information of the message sent by the PC, such as addresses and ports.

When the WEB server's response to the PC arrives at the firewall, the firewall compares the information in the message with the information in the session. If the information in the message matches the session, and the message conforms to the specifications of the HTTP protocol, it is considered a follow-up response message of the behavior "PC accesses the WEB server", and the message is allowed to pass directly, as shown in the following figure:

For ease of explanation, in this section the PC and the WEB server are connected directly to the firewall. In a real environment, if the PC, the WEB server and the firewall are connected across networks, routes must be configured on the firewall to ensure that the PC and the WEB server are reachable. Even if the WEB server's response to the PC matches the session, the firewall must have a route to the PC for the response message to be delivered to it.

Even if a malicious attacker disguises itself as the WEB server and initiates access to the PC, such messages do not belong to the follow-up messages of the behavior "PC accesses the WEB server", so the firewall will not allow them to pass. In this way the PC can access the WEB server normally, while the risk of leaving a wide range of ports open is avoided.
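To make the contrast concrete, here is an added example (not code from the original article) that models both firewalls in Python: a stateless packet filter that needs Rule 1 and Rule 2, and a stateful firewall configured with Rule 1 only, which admits the reply because it matches a session created by the PC's first packet. The addresses are the article's; the ephemeral port, the probe port and the traffic itself are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str
    sport: Optional[int]   # None stands for ANY in the article's tables
    dst: str
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

# Rule 1 from the article (PC -> WEB server port 80) and Rule 2 (the reverse direction,
# any destination port), which only the stateless packet filter needs.
RULE1 = Rule("192.168.0.1", None, "172.16.0.1", 80)
RULE2 = Rule("172.16.0.1", 80, "192.168.0.1", None)

def packet_filter(p: Packet) -> bool:
    """Stateless filter: each packet is judged against the static rules alone."""
    return RULE1.matches(p) or RULE2.matches(p)

class StatefulFirewall:
    """Only Rule 1 is configured; reply packets are admitted by the session table."""
    def __init__(self):
        self.sessions = set()              # (src, sport, dst, dport) of admitted first packets

    def allow(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        mirrored = (p.dst, p.dport, p.src, p.sport)
        if key in self.sessions or mirrored in self.sessions:
            return True                    # follow-up packet of a known flow
        if RULE1.matches(p):
            self.sessions.add(key)         # first packet: create the session
            return True
        return False                       # no rule and no session: drop

def demo() -> dict:
    # Constructed traffic: the PC's OS picked ephemeral port 51234 for the request.
    request = Packet("192.168.0.1", 51234, "172.16.0.1", 80)
    reply = Packet("172.16.0.1", 80, "192.168.0.1", 51234)
    spoofed = Packet("172.16.0.1", 80, "192.168.0.1", 20000)  # port the PC never opened
    fw = StatefulFirewall()
    return {"filter_reply": packet_filter(reply), "filter_spoofed": packet_filter(spoofed),
            "stateful_request": fw.allow(request), "stateful_reply": fw.allow(reply),
            "stateful_spoofed": fw.allow(spoofed)}
```

The packet filter lets the spoofed packet through because Rule 2 must allow any destination port, while the stateful firewall drops it because no session was ever created for that port.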

To sum up, before stateful inspection firewalls appeared, a packet filtering firewall judged whether to let a packet pass purely according to static rules. It treated packets as stateless, isolated individuals and paid no attention to the cause and effect behind them. This required the packet filtering firewall to have a rule configured for packets in each direction, which was inefficient and easily introduced security risks.

The appearance of the stateful firewall makes up for exactly this defect of the packet filtering firewall. A stateful inspection firewall uses a connection-state-based inspection mechanism that treats all messages belonging to the same connection exchanged between the communicating parties as one data flow. From the stateful firewall's point of view, messages in the same data flow are no longer isolated individuals but interrelated. For example, once a session is established for the first packet of a data flow, subsequent packets in that flow are forwarded directly by matching the session, with no further rule checking, which improves forwarding efficiency.

Packet filtering firewalls treat packets as fragmented individuals, which leaves the network more vulnerable to attack. The stateful inspection firewall holds that messages are connected to each other, and so seeks "cooperative development" among packets, finally achieving high efficiency, high security and sustainable development. Today is indeed the world of the stateful inspection firewall, but that does not mean the packet filtering firewall is no good; it still has its "uses", which we will elaborate on later.

In today's social life we, like the firewall, should pursue cooperation as appropriate and not blindly pursue independence, which leads to being closed off. So is it better to pursue independence, or to pursue cooperation? This question is like asking: ability or connections? Are ideals important, or is wealth important? Our lives have the concept of time, and we only need to put the two into the appropriate periods: for example, put independence in the relatively early period and cooperation after the period of independence, or pursue independence and cooperation in parallel, which is not bad either; a dedicated person can balance them very well. At the end of the article, moderation comes up again. I think it is appropriate to end with moderation, because there is no absolute answer, life is not black or white, and the test of a first-rate intelligence is the ability to hold two opposed ideas in the mind at the same time and still retain the ability to function. If this is not moderation, what is it?

In the logo, one eye represents ideals, the other represents wealth, and between ideals and wealth is a smile.
