A firewall is the first barrier of network security, and it is the security technology with the largest market share and the greatest maturity. By architecture, hardware firewall products fall into three main categories: the X86 architecture, built on a general-purpose processor; the ASIC architecture; and the more recent NP (network processor) architecture.
In terms of function, a firewall mainly covers the following: access control (for example ACLs and NAT), VPN, routing, authentication and encryption, logging, management, and attack defense.
To meet diverse networking requirements and reduce the need for other dedicated equipment, thereby lowering network construction costs, firewalls often also incorporate other network technologies: DHCP server and DHCP relay, dynamic routing, dial-up and PPPoE support; WAN ports; transparent (bridge) mode; and content filtering (such as URL filtering), anti-virus and IDS functions.
Stateful inspection technology
Stateful inspection monitors each connection through its whole lifetime, from initiation to close. For stateful protocols such as FTP and H.323, the firewall must parse the protocol in order to know at what time, from which direction, and which specific connections to allow, and when they close.
Because a stateful firewall can decode specific protocols, its security is better. Some firewalls can detect and filter malicious FTP and SMTP commands, but since this requires application-layer decoding and analysis, processing is slow; some firewalls offer an adaptive mode in which processing is fast.
Another feature of a stateful firewall is that when it detects a SYN flood attack, it starts a proxy. If the sessions come from forged source IPs, they cannot complete the three-way handshake, so the attack packets never reach the server, while packets from normal access are still forwarded.
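To make the SYN-proxy behaviour described above concrete, here is an added toy model (not code from the original article or from any firewall vendor). The firewall answers every SYN itself with a cookie-derived sequence number and contacts the server only after the client's ACK completes the handshake; forged-source SYNs never ACK, so they age out of the half-open table without the server ever seeing them. All addresses, ports, the `SECRET` value and the tick-based timeout are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field
SYN, SYNACK, ACK = "SYN", "SYN-ACK", "ACK"
SECRET = b"constructed-demo-secret"   # placeholder, not a real device key
HALF_OPEN_TTL = 3                     # ticks a half-open entry may live

def cookie(src: str, sport: int) -> int:
    # SYN-cookie-style initial sequence number derived from the client tuple.
    digest = hashlib.sha256(f"{src}:{sport}".encode() + SECRET).digest()
    return int.from_bytes(digest[:4], "big")

@dataclass
class SynProxy:
    tick: int = 0
    half_open: dict = field(default_factory=dict)   # (src, sport) -> expiry tick
    established: set = field(default_factory=set)
    reached_server: list = field(default_factory=list)  # what the server ever sees
    sent: list = field(default_factory=list)        # SYN-ACKs the proxy answered with

    def advance(self, ticks: int = 1) -> None:
        """Age the half-open table; stale spoofed entries drop without touching the server."""
        self.tick += ticks
        self.half_open = {k: e for k, e in self.half_open.items() if e > self.tick}

    def handle(self, src: str, sport: int, flag: str, ack_num: int = 0) -> str:
        key = (src, sport)
        if flag == SYN:
            # Answer the SYN locally; the server is not contacted yet.
            self.half_open[key] = self.tick + HALF_OPEN_TTL
            self.sent.append((src, sport, SYNACK, cookie(src, sport)))
            return "proxied"
        if key in self.established:
            self.reached_server.append((src, sport, flag))
            return "forwarded"
        if flag == ACK and key in self.half_open and ack_num == cookie(src, sport) + 1:
            # Third handshake packet arrived: only now open the server-side session.
            del self.half_open[key]
            self.established.add(key)
            self.reached_server.append((src, sport, "open"))
            return "established"
        return "dropped"   # unexpected packet or wrong ACK number

def demo() -> SynProxy:
    """Constructed traffic: a burst of spoofed-source SYNs plus one real client."""
    p = SynProxy()
    for i in range(5):                          # forged sources never return the ACK
        p.handle(f"203.0.113.{i}", 40000 + i, SYN)
    p.handle("192.0.2.10", 51515, SYN)
    isn = p.sent[-1][3]                          # client reads the ISN from the SYN-ACK
    p.handle("192.0.2.10", 51515, ACK, isn + 1)
    p.handle("192.0.2.10", 51515, "DATA")
    p.advance(HALF_OPEN_TTL)                     # spoofed half-open entries time out
    return p
```

After `demo()` runs, `reached_server` holds only the legitimate client's session while the five spoofed entries have expired from `half_open`.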
The future development of firewalls is toward higher speed, more functions, and greater security.
Results of previous tests at home and abroad show that a major limitation of many current firewalls is insufficient speed. Applying ASICs, FPGAs and network processors is the main way to build a high-speed firewall. Among these, the network processor is the best choice: because it is programmed in microcode, it can be upgraded at any time as needed and can even support IPv6, whereas the other methods are not so flexible.
For a high-speed firewall the algorithm is also key. Because a network processor integrates a number of hardware co-processing units, high speed is easier to achieve. For a pure-CPU firewall there must be algorithmic support, such as an ACL matching algorithm. Some current application environments frequently have hundreds or even tens of thousands of rules; without algorithmic support, a stateful firewall's session-establishment rate will be very slow.
Limited by current technology, there is no effective method for high-speed application-layer detection, and no chip that can do it. Therefore firewalls are not well suited to integrating content filtering, anti-virus and IDS functions (transport-layer IDS detection is the exception, since its CPU consumption is small). For IDS, the most common approach is to mirror the traffic to a dedicated IDS processing device, which avoids network congestion caused by heavy traffic. In addition, there are many application-layer vulnerabilities and the attack signature database needs frequent upgrades; since the firewall sits at the key network exit position, upgrading it that frequently is unrealistic.
Multi-function is another development direction. Given that firewalls and routers are currently expensive and network environments are becoming increasingly complex, users generally want the firewall to support more features, so as to meet networking needs and save on investment. For example, WAN port support on a firewall does not affect security but can save the user a router in some cases; support for router functions such as routing protocols and dial-up better meets networking needs; and IPsec VPN support allows a dedicated secure channel to be set up over the Internet, which is both safe and economical.
Future firewall operating systems will be more secure. With the development of algorithms and chip technology, firewalls will be more involved in application-layer analysis, providing more secure protection for applications.