A few things routinely confuse buyers: vendors describe their products' features in almost the same words, and a crowd of "rising stars" read very much like the well-known brands. How do you tell them apart in that situation?
Products described in near-identical terms, even ones that really do implement the same function, differ considerably in how the function is implemented and in how available and easy to use it is. Those differences are where to look.
First, network-layer access control
Every firewall must have this capability; without it the device cannot be called a firewall. Of course, most routers can implement the same thing with their own ACLs.
1. The rule editor
Network-layer access control is exercised mainly by editing the firewall's rules, so examine: is network-layer access control really expressed through the rules? Is the granularity of control fine enough? Can one and the same rule be applied differently in different time periods? Does rule configuration come with a usable interface? Can it express the administrator's security intent without contortions?
2. IP/MAC address binding
IP/MAC binding looks the same everywhere on paper, but a few details deserve inspection. Can the firewall collect IP and MAC addresses automatically? When traffic violates an IP/MAC binding rule, does the firewall raise an alarm? These details matter: if the firewall cannot collect the addresses itself, the administrator is forced to gather the IP and MAC of every user under their management by other means, which is tedious work.
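The two details above, automatic collection and an alarm on violation, as an added example that is not part of the original article. It learns bindings from constructed `arp -n` style output (a real deployment would read the ARP cache or DHCP leases) and then checks later (IP, MAC) observations against them, recording an alarm for either direction of spoofing. The sample addresses are invented.

```python
"""Added example (not from the original article): a small IP/MAC binding checker.

Demonstrates the two details the text says to look for: automatically
collecting IP/MAC pairs (here from constructed `arp -n` output) and raising
an alarm when a later observation violates a binding.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the format `arp -n` prints on Linux. Not real data.
ARP_OUTPUT = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:11:22:33:44:55   C                     eth0
192.168.1.11             ether   00:11:22:33:44:66   C                     eth0
192.168.1.12             ether   00:11:22:33:44:77   C                     eth0
"""

ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-fA-F:]{17})\s")


def collect_bindings(arp_text):
    """Automatic collection: learn ip -> mac from ARP cache output."""
    bindings = {}
    for line in arp_text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2).lower()
    return bindings


@dataclass
class BindingEnforcer:
    bindings: dict
    alarms: list = field(default_factory=list)

    def check(self, ip, mac):
        """Return True if the (ip, mac) pair is allowed; otherwise record an alarm.

        Policy: a bound IP must come from its bound MAC, and a bound MAC must
        not claim a different IP. Pairs with neither side bound are allowed;
        a stricter deployment would deny those as well.
        """
        mac = mac.lower()
        expected = self.bindings.get(ip)
        if expected is not None and expected != mac:
            self.alarms.append(f"ALARM: {ip} seen from {mac}, bound to {expected}")
            return False
        for bound_ip, bound_mac in self.bindings.items():
            if bound_mac == mac and bound_ip != ip:
                self.alarms.append(f"ALARM: {mac} (bound to {bound_ip}) claims {ip}")
                return False
        return True


if __name__ == "__main__":
    enforcer = BindingEnforcer(collect_bindings(ARP_OUTPUT))
    # Constructed observations: one legitimate, one spoofed MAC, one spoofed IP.
    for ip, mac in [("192.168.1.10", "00:11:22:33:44:55"),
                    ("192.168.1.10", "00:11:22:33:44:99"),
                    ("192.168.1.50", "00:11:22:33:44:55")]:
        print(ip, mac, "allowed" if enforcer.check(ip, mac) else "blocked")
    for alarm in enforcer.alarms:
        print(alarm)
```

Learning the table once from the ARP cache is only a starting point; in practice the learned bindings should be reviewed before they are enforced, since a spoofed entry present at collection time would otherwise be accepted as the truth.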
3. NAT (network address translation)
Originally a router function, NAT has gradually become a standard firewall feature. But vendor implementations differ enormously, and many share one big problem: NAT is hard to configure and use, which causes endless trouble for the administrator. Learn how NAT works, raise your own networking knowledge, then analyze and compare, so that you can pick the firewall whose NAT configuration is simple and straightforward to handle.
Second, application-layer access control
This is where firewall vendors compete on strength, and where they differ most. Many firewalls built on free operating systems get stateful inspection almost for free (the Linux and FreeBSD kernels already support connection tracking), but application-layer control does not come "off the shelf"; it takes real programming.
When evaluating application-layer control, look at the following points.
1. Does it provide content filtering for HTTP?
In today's enterprise networks the two main applications are web access and e-mail. Whether web access can be controlled at fine granularity reflects a firewall's technical strength.
2. Does it provide content filtering for SMTP?
E-mail attacks are multiplying: mail bombs, mail-borne viruses, leakage of confidential information, and so on. Whether the firewall can filter SMTP by content, and how fine or coarse that filtering is, has become a focus for users.
3. Does it provide content filtering for FTP?
Examine this function very carefully. Many vendors advertise FTP content filtering, but on close comparison the vast majority only control two FTP commands, PUT and GET (STOR and RETR on the wire). A good firewall should control all of the other commands as well, including CD (CWD) and LS (LIST): control at the command level, access control on directories and files, and wildcard support in every filter.
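Command-level FTP control with wildcards on directories and files, as an added example that is not code from the original article. It parses the client's control-channel commands in their wire form (STOR, RETR, CWD, LIST), keeps track of the current directory so relative paths can be judged, and applies a first-match rule list with `fnmatch` wildcards to the resolved path; anything not explicitly allowed, including commands such as DELE that most products never look at, is denied. The rule set and the session transcript are constructed for illustration.

```python
"""Added example, not code from the original article: a command-level FTP
control-channel filter of the kind the text says a good firewall should have.
Rules and transcript below are constructed.
"""
from fnmatch import fnmatchcase
import posixpath

# Session-management commands that carry no path and are always let through.
SESSION_COMMANDS = {"USER", "PASS", "SYST", "TYPE", "PWD", "PASV", "PORT", "NOOP", "QUIT"}

# Policy as (command, path pattern, verdict); first match wins, default deny.
# fnmatch's '*' also crosses '/', so "/pub/*" covers the whole subtree.
# Anything not listed (DELE, MKD, RNFR, ...) is therefore denied as well.
RULES = [
    ("CWD",  "/pub",                "allow"),
    ("CWD",  "/pub/*",              "allow"),
    ("LIST", "/pub",                "allow"),
    ("LIST", "/pub/*",              "allow"),
    ("RETR", "/pub/*.txt",          "allow"),
    ("STOR", "/pub/incoming/*.exe", "deny"),   # listed before the broader allow
    ("STOR", "/pub/incoming/*",     "allow"),
]


class FtpCommandFilter:
    def __init__(self, rules, cwd="/"):
        self.rules = rules
        self.cwd = cwd          # follows the server's directory for allowed CWDs only

    def resolve(self, arg):
        """Absolute, normalized path; normpath folds '..' so 'incoming/../../etc' is '/etc'."""
        path = arg if arg.startswith("/") else posixpath.join(self.cwd, arg)
        return posixpath.normpath(path)

    def decide(self, line):
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if cmd in SESSION_COMMANDS:
            return "allow"
        path = self.resolve(arg) if arg else self.cwd   # bare LIST means the cwd
        verdict = "deny"
        for rule_cmd, pattern, rule_verdict in self.rules:
            if rule_cmd == cmd and fnmatchcase(path, pattern):
                verdict = rule_verdict
                break
        if cmd == "CWD" and verdict == "allow":
            self.cwd = path     # a blocked CWD never reaches the server, so cwd stays put
        return verdict


def run_transcript(lines, rules=RULES):
    """Run one client session through a fresh filter; returns (line, verdict) pairs."""
    f = FtpCommandFilter(rules)
    return [(line, f.decide(line)) for line in lines]


# Constructed client command transcript for one FTP session.
TRANSCRIPT = [
    "USER anonymous", "PASS guest@example", "CWD /pub", "LIST", "RETR readme.txt",
    "RETR secrets.zip", "CWD incoming", "STOR report.txt", "STOR tool.exe",
    "CWD ../../etc", "RETR passwd", "DELE report.txt", "QUIT",
]

if __name__ == "__main__":
    for line, verdict in run_transcript(TRANSCRIPT):
        print(f"{verdict:5}  {line}")
```

The path normalization is the part to test when comparing products: a filter that matches the raw argument rather than the resolved path lets `CWD ../../etc` slip past a rule written for `/pub/*`.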
Third, management and authentication
This is a very important firewall function. Today firewalls are managed in three ways: a web-based management interface (WUI), a graphical management client (GUI), and a command line (CLI).
Of these, pure command-line management is unsuitable for most firewall users.
Web and GUI management each have advantages and drawbacks.
Web management is simple: no special management software is needed, only a browser. It is also well suited to remote management; as long as the firewall has a reachable IP address, a firewall located in China can be administered from an office in the United States.
Web management also has drawbacks. First, a web interface does not suit complex, dynamic displays; an ordinary web page struggles to present rich statistical tables, so users with demanding audit and statistics requirements should avoid web-only management. Second, it enlarges the exposure of firewall management: if an administrator at home manages the company firewall through a browser, the trust relationship rests on nothing more than a username and password, and an attacker who guesses the password controls the firewall. At a minimum, check that the management interface can be restricted to a small set of source addresses rather than being reachable from anywhere.
GUI management is currently the most widely used. It is professional, offers rich management features and makes configuration easy for the administrator. Its disadvantage is the need for dedicated client software, and it lacks the flexibility of web management for remote and centralized administration.
Fourth, auditing, logging and log storage
Most firewalls today provide auditing and logging; the differences lie in the granularity of the audit trail and in how and where the logs are stored.
Many firewalls are weak at auditing and logging. This is especially evident in firewalls whose storage medium is a DOM, DOC or similar electronic (flash) disk with no support for a network database; some do not even distinguish event logs from access logs. If you need rich audit and logging functions, check how the firewall stores its logs: a flash-based electronic disk such as a DOM or DOC will limit what the audit and logging features can do.
Most firewalls now store audit logs on a hard disk. The advantage is capacity (tens of gigabytes), but in extreme cases such as an abnormal power loss a hard disk is far more likely to be damaged than an electronic disk.
A good firewall should offer several storage methods so that users can choose and use them flexibly.
Fifth, how to distinguish packet filtering from stateful inspection
Some small companies promoting their firewall claim it uses stateful inspection technology, and on the surface the claim is hard to check. Here are two tips for telling the two techniques apart.
1. Does it provide a real-time view of connection state?
A stateful inspection firewall can show the current connections through a dedicated function and interface and can terminate a connection in real time; the view should carry rich information, including both endpoints' IP addresses and ports, the connection state and the connection time. A simple packet filter has no such capability.
2. Does it have a dynamic rule base?
Some applications use more than one connection and port; typically an application-layer operation is completed over a series of linked connections. In FTP, for example, the user's commands travel over the connection to port 21, while data is transferred over a separate temporary connection (by default from source port 20; in PASSIVE mode to a port the server assigns temporarily). For such applications a packet filter cannot express a simple, safe rule and is often forced to permit everything coming from source port 20.
A stateful inspection firewall supports dynamic rules: by tracking the application-layer session it automatically admits the legitimate connections and refuses connection requests that do not match the session state. For FTP, the firewall needs only one pair of rules for port 21 to let transfers work normally, including PASSIVE-mode data transfers. This makes the rules simpler and removes the risk of opening everything from port 20.
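Both tips in this section, the real-time connection table and dynamic rules learned from the FTP control channel, as one added example that is not code from the original article. The engine admits new connections only through a static rule or a one-shot pinhole, admits later packets by looking them up in its state table, and learns pinholes by parsing the FTP `227` (passive) and `PORT` (active) messages whose syntax comes from RFC 959. Packet fields, the static rule, addresses and the traffic sequence are all constructed.

```python
"""Added example (not the article's code): a toy stateful inspection engine
with a connection table and FTP-derived dynamic rules. All traffic is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for the first packet of a TCP connection
    payload: str = ""        # control-channel text, if any
    time: float = 0.0        # constructed timestamp


# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and "PORT h1,h2,h3,h4,p1,p2"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)


def _hostport(m):
    a, b, c, d, p1, p2 = m.groups()
    return f"{a}.{b}.{c}.{d}", int(p1) * 256 + int(p2)


class StatefulFirewall:
    """Static rules admit new connections, the state table admits the rest,
    and pinholes are one-shot dynamic rules learned from application traffic."""

    def __init__(self, static_rules):
        self.static_rules = set(static_rules)   # {(dst, dport)} for new connections
        self.table = {}                          # (src, sport, dst, dport) -> entry
        self.pinholes = set()                    # (src, dst, dport) awaiting one SYN

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def accept(self, p):
        key, rkey = self._key(p), self._reverse(p)
        # 1. Part of a tracked connection (either direction)? Admit and inspect.
        entry = self.table.get(key) or self.table.get(rkey)
        if entry is not None:
            entry["state"] = "ESTABLISHED"
            self._learn_ftp(p, entry)
            return True
        if not p.syn:
            return False                          # no state for it: drop
        # 2. New connection matching a dynamic pinhole? Consume the pinhole.
        if (p.src, p.dst, p.dport) in self.pinholes:
            self.pinholes.discard((p.src, p.dst, p.dport))
            self.table[key] = {"state": "NEW", "since": p.time, "app": "ftp-data"}
            return True
        # 3. New connection matching a static rule?
        if (p.dst, p.dport) in self.static_rules:
            self.table[key] = {"state": "NEW", "since": p.time,
                               "app": "ftp" if p.dport == 21 else ""}
            return True
        return False

    def _learn_ftp(self, p, entry):
        """Open a pinhole for the data connection announced on the control channel.
        For 227 the sender is the server, so the other end (p.dst, the client) may
        connect to host:port; for PORT the sender is the client, so the other end
        (p.dst, the server) may connect to host:port. Same shape in both cases."""
        if entry.get("app") != "ftp":
            return
        m = PASV_RE.search(p.payload) or PORT_RE.match(p.payload)
        if m:
            host, port = _hostport(m)
            self.pinholes.add((p.dst, host, port))

    def connections(self, now):
        """The real-time connection view a stateful firewall should offer."""
        return [{"src": k[0], "sport": k[1], "dst": k[2], "dport": k[3],
                 "state": v["state"], "age": now - v["since"]}
                for k, v in self.table.items()]

    def kill(self, src, sport, dst, dport):
        """Break a connection in real time: drop its state so later packets are refused."""
        return self.table.pop((src, sport, dst, dport), None) is not None


def demo():
    """Constructed passive-mode session; returns the verdict for each packet."""
    fw = StatefulFirewall({("10.0.0.5", 21)})
    c, s = "192.168.1.20", "10.0.0.5"
    return [
        fw.accept(Packet(c, 40001, s, 21, syn=True, time=1.0)),                 # control SYN
        fw.accept(Packet(s, 21, c, 40001, payload="220 ready\r\n", time=1.1)),
        fw.accept(Packet(c, 40001, s, 21, payload="PASV\r\n", time=1.2)),
        fw.accept(Packet(s, 21, c, 40001, time=1.3,
                         payload="227 Entering Passive Mode (10,0,0,5,200,40)\r\n")),
        fw.accept(Packet(c, 40002, s, 51240, syn=True, time=1.4)),              # data: pinhole
        fw.accept(Packet(c, 40003, s, 51241, syn=True, time=1.5)),              # other port: no
        fw.accept(Packet(s, 20, c, 40004, syn=True, time=1.6)),                 # port 20, no PORT: no
        fw.accept(Packet(c, 40005, s, 51240, syn=True, time=1.7)),              # pinhole used up: no
    ]


if __name__ == "__main__":
    print(demo())
```

The packet from source port 20 is the case that separates the two designs: a packet filter has to allow it unconditionally to make active-mode FTP work, whereas the engine above refuses it because no PORT command on a tracked control channel announced that data connection.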