Introduction to Firewalls: Protecting Perimeter Security 1

Uploaded by: kms****20 Document ID: 40626961 Upload date: 2018-05-26 Format: DOC Pages: 3 Size: 41KB

As enterprises grow, corporate networks will most likely grow to support this expansion. As growth occurs, so do security risks. Expansion of your enterprise's Internet and mobile computing infrastructure will result in an increased number of access points to privileged corporate data. Every access point represents a possible vulnerability that may be exploited to gain unauthorized entry into the newly expanded network. Knowledge of the access points, and how these must be configured to protect the enterprise's intellectual, commercial and proprietary assets from hackers, competitors, and electronic vandals, is an essential prerequisite to enabling the enterprise to continue to operate in a safe and productive manner.

Typically, the first line of technical defense within the enterprise is to protect access to and from the Internet with a firewall. This will place a barrier between the corporate network and the outside, thus securing the perimeter and repelling hackers. Each firewall acts as a single point of entry, where all traffic coming into the network can be audited, authorized and authenticated. Based on the rules used to configure it, the firewall will alert you of any suspicious activity.

Common Types of Firewalls

Firewall technology has changed over the past few years, so whether an enterprise needs to replace an existing firewall, or is installing one for the first time, the enterprise needs to be up-to-date on what's available today and what the specific security requirements are for the various types of firewalls. Each kind of firewall offers a different degree of security and flexibility based on how each firewall type deals with network traffic. Below you will find an overview of some basic types of firewalls. Discover what each type has to offer:

1. Router. A simple router is an inexpensive form of protection. However, a router is not a very comprehensive form of protection, and lacks the level of flexibility and features that a full-security enterprise firewall provides. A simple router is the "traditional" network layer firewall, and it is not able to make particularly sophisticated decisions about who a packet is actually talking to or where it actually comes from.

2. Packet filter. A packet filter is a very simple type of firewall. Often, packet filters are located on routers, and most major router vendors supply packet filters as part of the default distribution. The firewall examines each packet based on source and destination IP addresses as well as source and destination TCP/UDP ports, and accepts or rejects it based on basic user-defined rules.

3. Stateful packet systems. Stateful packet firewalls (sometimes called smart packet filters) control network traffic using a similar method to packet filters, but go beyond them to examine the context of data packet streams rather than just filtering them. Stateful packet firewalls make access decisions based on the source and destination IP addresses and ports and the service requested by the packet. These firewalls are called "stateful" because they can remember prior connection states and, as a result, build a context for each data stream in memory.

The firewall evaluates each new packet it receives against the current connection context to determine if this is a new connection or a continuance of an existing session. In the latter case, the amount of processing the firewall performs in checking the packet is substantially less than for a new connection.

These firewalls at the network layer tend to be fast, and the users will probably not even realize that the checks are taking place, but this simplicity leads to the filter's biggest drawback: one user on a machine cannot be securely distinguished from another on the same machine, since no packet filter firewalls (stateful or otherwise) support user authentication by default. User authentication requires t
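The difference between the packet filter (type 2) and the stateful packet firewall (type 3) described above can be seen by running both over the same traffic. This is an added example, not part of the original document; the rule set, the internal prefix 10.0.0.x and the sample packets are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model: addresses, ports and a simplified TCP flag string.
Packet = namedtuple("Packet", "src sport dst dport flags")

INSIDE = "10.0.0."  # hypothetical internal address prefix

def is_inside(ip):
    return ip.startswith(INSIDE)

def stateless_filter(pkt):
    """Packet filter: decides on addresses and ports only, one packet at a time."""
    if is_inside(pkt.src) and pkt.dport == 80:
        return "accept"  # outbound web request
    if is_inside(pkt.dst) and pkt.sport == 80 and pkt.dport >= 1024:
        return "accept"  # assumed to be a web reply; nothing confirms it
    return "reject"

class StatefulFilter:
    """Stateful packet filter: remembers connections it has already allowed."""
    def __init__(self):
        self.connections = set()

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections or reverse in self.connections:
            return "accept"  # continuation of a known session: table lookup only
        # New connection: full rule check; only an outbound SYN to port 80 qualifies.
        if is_inside(pkt.src) and pkt.dport == 80 and pkt.flags == "SYN":
            self.connections.add(key)
            return "accept"
        return "reject"

def run(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_filter(p), fw.check(p)) for p in packets]

SAMPLE = [  # constructed traffic
    Packet("10.0.0.5", 40000, "203.0.113.10", 80, "SYN"),      # client opens a session
    Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SYN-ACK"),  # reply within that session
    Packet("198.51.100.7", 80, "10.0.0.9", 5000, "ACK"),       # no matching session
]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, run(SAMPLE)):
        print(pkt, "stateless=%s stateful=%s" % verdicts)
```

The third packet matches the stateless "reply" rule on ports alone, while the stateful filter rejects it because no connection context exists for it.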
