College Finder
By N2H




Firewall

March 31, 2008


Now that an Internet connection is a necessity for business, companies have found that they need to think long and hard about its security implications. A security policy has to cover every machine and system that has an Internet connection. A firewall is a set of tools (hardware and software) designed to prevent unauthorized access to a network. A typical firewall is built from two architectural components: the "choke router" and the "bastion host".

CHOKE ROUTER

This is a router used to limit access, i.e. an access control list decides which IP packets are routed and to where. You can use it to deny access to your network for specific types of traffic, or to make sure that specific packets are delivered only to specific machines.

BASTION HOST

This is a computer used for only one purpose: to pass packets between your network and the Internet. It is a dedicated machine with two separate NICs. It acts as an active router linking the private network to the Internet, monitoring the state of each connection and blocking packets that do not meet the rules defined. This machine should not be used for anything else, e.g. checking e-mail. The bastion host must be configured so that no packet is ever routed directly between its network interfaces.

THE DMZ

The DMZ lies between the choke router and the bastion host. It is a partially protected area where one can install public services. Machines in the DMZ should be used for only one purpose and should not be fully trusted, e.g. a web server or an FTP server. Any extra service should be disabled and user accounts kept to a minimum. Some DMZs are made more secure by putting the public services on a third NIC of the firewall, so that the firewall rather than the choke router protects them.

CHOOSING A FIREWALL

There are two technologies used to build a firewall: packet filters and application gateways.
Packet filtering can allow or deny access to specific services from specific machines. It can be done on the site's access router (at a high level) or in a dedicated firewall. A router alone cannot effectively track all incoming and outgoing IP packets, so protocols like FTP that use more than one data stream present a problem. It gets worse with a connectionless protocol like UDP.
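To make the choke-router and packet-filtering points concrete, here is an added example (not code from the original post, and not any particular product's rule syntax) that simulates a stateless access control list next to a filter that tracks connection state. All addresses, ports and the rule sets are constructed for the scenario; the `expect_ftp_data` helper stands in for the protocol helper a real stateful firewall needs to follow FTP's second data stream. The scenario shows why a router ACL has to open a hole by source port to let DNS replies and active-FTP data back in, and why the stateful filter does not.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed addresses for the scenario (documentation ranges, not real hosts).
INTERNAL = "10.0.0.0/24"      # the private network behind the choke router
CLIENT = "10.0.0.7"           # a workstation on the private network
WEB = "192.0.2.10"            # the web server in the DMZ
RESOLVER = "192.0.2.53"       # the DNS resolver the workstations use
FTP_SERVER = "203.0.113.21"   # an FTP server out on the Internet
OUTSIDE = "198.51.100.5"      # some other Internet host


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP only: set on the packet that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.sport is None or self.sport == p.sport))


def stateless_decide(rules: List[Rule], p: Packet) -> str:
    """Choke-router ACL: first matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# A stateless ACL can only admit replies by their *source* port, which admits
# every other packet that happens to carry that source port as well.
STATELESS_ACL = [
    Rule("allow", "tcp", dst=WEB, dport=80),        # HTTP goes only to the web server
    Rule("allow", src=INTERNAL),                    # anything from inside may go out
    Rule("allow", "udp", dst=INTERNAL, sport=53),   # DNS replies (and any other UDP from port 53)
    Rule("allow", "tcp", dst=INTERNAL, sport=20),   # active-FTP data (and any other TCP from port 20)
]

# The stateful filter needs no reply rules: a reply is admitted because the
# outbound packet that provoked it was recorded.
STATEFUL_RULES = [
    Rule("allow", "tcp", dst=WEB, dport=80),
    Rule("allow", src=INTERNAL),
]

Flow = Tuple[str, str, int, str, int]


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Flow] = set()     # flows already admitted, matched in either direction
        self.expected: Set[Flow] = set()  # related flows announced by a protocol helper

    @staticmethod
    def key(p: Packet) -> Flow:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(p: Packet) -> Flow:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        k = self.key(p)
        if k in self.flows or self.reverse(p) in self.flows:
            return "allow"                  # belongs to a flow we already admitted
        if k in self.expected:
            self.expected.discard(k)
            self.flows.add(k)
            return "allow"                  # the related connection a helper told us to expect
        if p.proto == "tcp" and not p.syn:
            return "deny"                   # a TCP flow may only be opened by a SYN
        action = stateless_decide(self.rules, p)  # UDP has no handshake: any packet may open one
        if action == "allow":
            self.flows.add(k)
        return action

    def expect_ftp_data(self, server: str, client: str, client_port: int) -> None:
        """Active-mode FTP helper (hypothetical): after the client's PORT command the
        server connects back from port 20 to the port the client announced."""
        self.expected.add(("tcp", server, 20, client, client_port))


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Return (stateless, stateful) decisions for a handful of constructed packets."""
    sf = StatefulFilter(STATEFUL_RULES)
    out: Dict[str, Tuple[str, str]] = {}

    def both(name: str, p: Packet) -> None:
        out[name] = (stateless_decide(STATELESS_ACL, p), sf.decide(p))

    both("http_to_web", Packet("tcp", OUTSIDE, 40000, WEB, 80, syn=True))
    both("telnet_to_web", Packet("tcp", OUTSIDE, 40001, WEB, 23, syn=True))
    both("dns_query", Packet("udp", CLIENT, 51000, RESOLVER, 53))
    both("dns_reply", Packet("udp", RESOLVER, 53, CLIENT, 51000))
    both("udp_unsolicited", Packet("udp", RESOLVER, 53, "10.0.0.9", 1434))
    both("ftp_control", Packet("tcp", CLIENT, 51001, FTP_SERVER, 21, syn=True))
    data = Packet("tcp", FTP_SERVER, 20, CLIENT, 40001, syn=True)
    both("ftp_data_no_helper", data)
    sf.expect_ftp_data(FTP_SERVER, CLIENT, 40001)  # helper saw "PORT 10,0,0,7,156,65" on the control channel
    both("ftp_data_with_helper", data)
    both("tcp_from_port_20", Packet("tcp", OUTSIDE, 20, "10.0.0.9", 22, syn=True))
    return out


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:22} stateless={stateless:5} stateful={stateful}")
```

The last two cases are the ones to look at: the ACL admits an unsolicited UDP packet from port 53 and a TCP connection that merely claims source port 20, because those are the only handles a stateless router has for replies. The stateful filter denies both, and admits the FTP data connection only once the helper has seen the PORT command on the control channel. Without such a helper, FTP is exactly the "more than one data stream" problem the text describes.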

Circuit-level and application gateways act as routers that pass only specific packets on to specific machines (e.g. HTTP requests to a web server, SMTP to the mail server). Circuit-level gateways open a virtual circuit once they see a valid handshake, but they do not analyze the packet traffic itself.
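The difference between the two gateway types is easiest to see in code. The following is an added example, not part of the original post and not any real proxy's implementation: a circuit-level gateway that relays whatever arrives once the circuit is open, beside an HTTP application gateway that parses the request, checks it against a policy, and hands the server a freshly built request rather than the client's raw bytes. This is also the kind of single-purpose service a bastion host runs in place of forwarding packets between its interfaces. The server address, the served hostname, the header whitelist and the sample requests are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed values; in a deployment these come from the gateway's configuration.
WEB_SERVER = "192.0.2.10:80"            # the DMZ web server behind the gateway
SERVED_HOSTS = {b"www.example.com"}     # the only Host the gateway will answer for

REQUEST_LINE = re.compile(rb"^(GET|HEAD) (/[^ \r\n]*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*)$")
PASSED_HEADERS = (b"host", b"accept", b"user-agent", b"if-modified-since")


@dataclass
class Decision:
    forward: bool
    target: Optional[str]      # where the gateway sends the traffic, if anywhere
    reason: str
    payload: bytes = b""       # what the server actually receives


class CircuitLevelGateway:
    """Opens a circuit on a valid handshake, then relays bytes without looking at them."""

    def __init__(self, target: str):
        self.target = target

    def handle(self, handshake_ok: bool, payload: bytes) -> Decision:
        if not handshake_ok:
            return Decision(False, None, "handshake failed")
        # The payload is relayed unchanged: SMTP verbs, odd headers, anything at all.
        return Decision(True, self.target, "circuit open, payload relayed unchecked", payload)


class HttpApplicationGateway:
    """Understands HTTP: parses the request, enforces policy, and rebuilds a fresh
    request for the server so that only understood, permitted bytes get through."""

    def __init__(self, target: str, served_hosts, max_head: int = 8192):
        self.target = target
        self.served_hosts = served_hosts
        self.max_head = max_head

    def handle(self, handshake_ok: bool, payload: bytes) -> Decision:
        if not handshake_ok:
            return Decision(False, None, "handshake failed")
        head, sep, _body = payload.partition(b"\r\n\r\n")
        if not sep or len(head) > self.max_head:
            return Decision(False, None, "no complete, reasonably sized header block")
        lines = head.split(b"\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            return Decision(False, None, "not a permitted HTTP request line")
        method, path = m.group(1), m.group(2)
        headers: Dict[bytes, bytes] = {}
        for line in lines[1:]:
            h = HEADER_LINE.match(line)
            if not h:
                return Decision(False, None, "malformed header line")
            headers[h.group(1).lower()] = h.group(2)
        if headers.get(b"host") not in self.served_hosts:
            return Decision(False, None, "Host is not one we serve")
        # Rebuild rather than relay: headers the gateway does not know never reach the server.
        rebuilt = b"%s %s HTTP/1.1\r\n" % (method, path)
        for name in PASSED_HEADERS:
            if name in headers:
                rebuilt += b"%s: %s\r\n" % (name.title(), headers[name])
        rebuilt += b"\r\n"
        return Decision(True, self.target, "%s %s forwarded" % (method.decode(), path.decode()), rebuilt)


# Constructed inputs a web server in the DMZ might see arriving on port 80.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\nX-Debug: 1\r\n\r\n",
    "post": b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 2\r\n\r\nok",
    "wrong_host": b"GET / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    "not_http": b"EHLO mail.example.com\r\n\r\n",
}


def compare(samples=SAMPLES):
    """Run each sample through both gateways; returns {name: (circuit, application)}."""
    circuit = CircuitLevelGateway(WEB_SERVER)
    app = HttpApplicationGateway(WEB_SERVER, SERVED_HOSTS)
    return {name: (circuit.handle(True, raw), app.handle(True, raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (c, a) in compare().items():
        print(f"{name:11} circuit={c.forward!s:5} application={a.forward!s:5} ({a.reason})")
```

The circuit-level gateway forwards all four samples, including the SMTP-style `EHLO` line, because its only check was the handshake. The application gateway forwards only the plain GET, and even then the server receives a rebuilt request without the unknown `X-Debug` header. That is the trade-off the text points at: circuit-level gateways are protocol-agnostic and cheap, application gateways need one per protocol but can actually say no to traffic that is not what it claims to be.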

Once a firewall has been built you can add extra features, such as a virus checker between an e-mail gateway and your SMTP mailer, so that all attached files are virus-checked before they enter the system.

NB: A proxy server is not a firewall; it makes it easy to connect to the Internet but does not protect the network from intrusion.

RUNNING A FIREWALL:

Once a firewall is chosen, define the rules of procedure you will use to defend your system. Test your firewall regularly with scanning tools.


