1 Traditional Firewalls and Their Defects
A firewall is a combination of components placed between different networks or network security domains that enforces access control over the communication between those networks according to a security policy.
The firewall in the traditional sense is the border firewall, which divides the network into two parts: the internal network and the Internet. It is the only point through which information passes between the two; it controls the flow of information entering and leaving the network according to the security policy (allow, deny, monitor), and it must itself be strongly resistant to attack. It is an important and basic security device for providing information security services to networks and information systems. Logically, a firewall is a separator, a limiter and an analyzer that effectively monitors all activity between the internal network and the Internet in order to keep the internal network secure.
The protection a traditional firewall provides depends on the topology of the network: it assumes that every host on the internal network is trusted and every host on the external network is untrusted. This model worked well while network topologies were restricted in this way; but as Internet access has expanded and new network applications have appeared, the model has exposed more and more defects and faces serious challenges. The main ones are:
(1) It is powerless against attacks that bypass the firewall, and if the firewall rules are set up incorrectly, every host on the internal network is exposed to direct attack from outside.
(2) Since all hosts on the internal network are trusted, it turns a blind eye to malicious attacks, unauthorized access and inadvertent misuse that originate inside the network.
(3) It is a potential communication bottleneck and a single point of failure.
(4) It conflicts with end-to-end encryption (such as VPN), because it cannot inspect traffic it cannot decrypt.
(5) Because it depends on the network topology, it cannot support mobile computing.
To overcome these drawbacks, the concept of the distributed firewall (Distributed Firewall) was proposed.
2 Distributed Firewalls
A distributed firewall is composed of multiple host-based firewalls under centralized management and configuration. In a distributed firewall, security policy is still defined centrally, but it is enforced at each individual network endpoint (such as a host or router).
A distributed firewall contains three essential components:
(1) a security policy description language;
(2) a secure policy distribution mechanism;
(3) a policy enforcement mechanism at the endpoints.
The security policy language defines which communication is permitted and which is prohibited. It should support multiple types of applications, and it should also support delegation of authority and identification of the parties involved. Once a policy has been formulated, it is distributed to the network endpoints.
The policy distribution mechanism must guarantee the integrity and authenticity of the policy while it is in transit. Policy can be distributed in several ways: the system can "push" it to the endpoints, the endpoints can fetch it on request, or it can be supplied to users in the form of certificates.
The policy enforcement mechanism is located on the host being protected. Before processing incoming or outgoing communication, it queries the local policy and then decides whether to allow or deny the communication.
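The following is an added example, not code from the original article, that models the three components just described in miniature: a small rule language (a constructed, illustrative grammar, not any real product's syntax), a distribution step that protects the policy's integrity and authenticity, and host-side enforcement that consults the local policy before accepting a connection. It also shows the section 1 defect that motivates the design: a border firewall never sees a flow between two internal hosts, whereas the host-resident policy does. Assumptions: the protected host is 10.0.1.5, the internal network is 10.0.0.0/8, and an HMAC with a pre-shared key stands in for the public-key signatures or certificates a real deployment would use (Python's standard library has no asymmetric signing). All addresses, rules and the key are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import json

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the internal network

# --- Component 1: policy description language (constructed sample grammar) ---
# One rule per line: action proto src dst dport; "any" is a wildcard.
# Rules are evaluated in order, first match wins, and the default is deny.
POLICY_TEXT = """
# Protected host 10.0.1.5: HTTPS from anywhere, SSH only from the internal network
allow tcp any        10.0.1.5/32 443
allow tcp 10.0.0.0/8 10.0.1.5/32 22
"""


def parse_policy(text):
    """Parse the rule language into a list of rule dicts; reject malformed lines."""
    rules = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        action, proto, src, dst, dport = parts
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        for net in (src, dst):
            if net != "any":
                ipaddress.ip_network(net)  # raises on bad CIDR
        if dport != "any":
            int(dport)
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return rules


# --- Component 2: policy distribution with integrity and authenticity ---
def publish_policy(rules, key):
    """Serialize the policy canonically and attach an authentication tag."""
    payload = json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def receive_policy(bundle, key):
    """Endpoint side: accept the policy only if the tag verifies (constant-time compare)."""
    expected = hmac.new(key, bundle["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["tag"]):
        raise ValueError("policy rejected: authentication tag does not verify")
    return json.loads(bundle["payload"])


# --- Component 3: enforcement on the protected host ---
def _net_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def decide(rules, proto, src, dst, dport):
    """Consult the local policy for one flow; first matching rule wins, default deny."""
    for r in rules:
        if (r["proto"] in ("any", proto) and _net_match(r["src"], src)
                and _net_match(r["dst"], dst) and r["dport"] in ("any", str(dport))):
            return r["action"]
    return "deny"


def border_firewall_sees(src, dst):
    """A border firewall only inspects flows that cross the perimeter (section 1, defect 2)."""
    return (ipaddress.ip_address(src) in INTERNAL) != (ipaddress.ip_address(dst) in INTERNAL)


def demo():
    key = b"constructed-shared-key"  # assumption: pre-shared key in place of real signatures
    bundle = publish_policy(parse_policy(POLICY_TEXT), key)
    rules = receive_policy(bundle, key)  # verified before being installed locally

    # A copy altered in transit: widen the SSH rule from the internal network to "any".
    tampered = dict(bundle)
    tampered["payload"] = bundle["payload"].replace(b'"10.0.0.0/8"', b'"any"')
    try:
        receive_policy(tampered, key)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    return {
        "external_https": decide(rules, "tcp", "203.0.113.9", "10.0.1.5", 443),
        "external_ssh": decide(rules, "tcp", "203.0.113.9", "10.0.1.5", 22),
        "internal_ssh": decide(rules, "tcp", "10.0.2.7", "10.0.1.5", 22),
        "internal_rdp": decide(rules, "tcp", "10.0.2.7", "10.0.1.5", 3389),
        "border_sees_internal_rdp": border_firewall_sees("10.0.2.7", "10.0.1.5"),
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The internal RDP probe against 10.0.1.5 is the case that matters: the border firewall never evaluates it because both endpoints are inside the perimeter, while the host-resident policy denies it by default. The tampered bundle is refused before any rule from it is installed, which is the integrity and authenticity guarantee the distribution mechanism is required to provide.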