网络安全与防火墙 英文文献翻译文档格式.docx
《网络安全与防火墙 英文文献翻译文档格式.docx》由会员分享,可在线阅读,更多相关《网络安全与防火墙 英文文献翻译文档格式.docx(6页珍藏版)》请在冰豆网上搜索。
Asthekeyfacilitythatmaintainsthenetworksecurity,firewallstakethepurposeofestablishinganobstaclebetweentrustandtrustlessnetwork,andputcorrespondingsafetystrategyintopractice.Inthispaper,thecomputernetworksecurityandthetechniquesoffirewallsweremainlydiscussed,theconceptandclassificationofthefirewallswereintroduced.Italsointroducedthreekind'
sofbasicimplementtechniquesofthefirewalls:
Packetfiltering,ApplicationProxyandMonitormodelindetail.FinallydescribedthetrendofdevelopmentofthefirewallstechniquesinInternetbriefly.
Keywords:
networksecurity,firewalls,Packetfiltering,monitor
1.Introduction
Nowwiththecomputernetworkande-commerceusedwidely,networksecurityhasbecomeanimportantproblemthatwemustconsiderandresolve.Moreandmoreprofessions.enterprisesandindividualssurferfromthesecurityproblemindifferentdegree.theyarelookingforthemorereliablesafetysolution.Inthedefensesystemadoptedbynetworksecurityatpresent,thefirewallsstandtheveryimportantposition.
Asthekeyfacilitythatmaintainsthenetworksecurity.firewallstakethepurposeofestablishinganobstaclebetweentrustandtrustlessnetwork,andputcorrespondingsafetystrategyintopractice.
AllthefirewallshavethefunctiontofiltertheIPaddress.ThistaskcheckstheIPpacket,makesthedecisionwhethertoreleaseortoabandonitaccordingtothesourceaddressanddestinationaddressoftheIP.ShowninFig.I,thereisafirewallbetweentwonetworksections,anUNIXcomputerisononesideofthefirewall,andtheothersideisaPCclient.WhilethePCclientasksatelnetrequestfortheUNIXcomputer,theclientprocedureoftelnetinthePCproducesaTCPpacketandpassesthepackettothelocalprotocolstacktopreparetosend.TheprotocolstackfillsitinoneIPpacket.then,sendsittoUNIXcomputerthroughthepathdefinedbytheTCP/IPstackofPC.TheIPpacketcan'
treachtheUNIXcomputeruntilitpassesthefirewallbetweenthePCandtheUNIXcomputer.
Fig.IIpAddressFiltering
TheapplicationfirewallisaveryefficientmeansofnetworksecurityonInternet,itisinstalledbetweenthetrustandtrustlessnetwork,canisolatetheconnectionbetweenthetrustandtrustlessnetwork,anddoesn'
thamperpeople'
saccesstothetrustlessnetworkatthesametime.ItcanisolatetheconnectionbetweentheriskareanamelytheremaybeacertainriskonInternetandthesafeareaLAN,anddoesn'
saccesstotheriskareaatthesametime.Firewallcanmonitorthetrafficflowinginandoutfromthenetworktofinishthetaskseeminglyimpossible;
itonlyallowsthesafeandcheckedinformationtoenterinto,andmeanwhileresistsonthedatathatmaybringaboutthethreattoenterprise.Asthefaultanddefectofthesecurityproblembecomemoreandmoregeneral,theinvasiontothenetworknotonlycomesfromthesuperattackmeans,butalsomaybefromthelower-levelmistakesorimproperpasswordselectionsontheconfiguration.So,thefunctionofthefirewallsispreventingthecommunicationthatnothopedandauthorizedpassesinandoutofthenetworkprotected.forcingthecompaniestostrengthentheirownnetworksecuritypolicy.Thegeneralfirewallscanachievethefollowingpurposes:
First,restrainingothersfromenteringtheinsidenetwork,filteringtheunsafeserviceandillegaluser;
Second,preventingtheinvadersfromclosingtoyourdefenseinstallation;
Third,limitingtheusertoaccessthespecialsite;
Fourth,providingconvenienceformonitoringtheInternetsecurity.
2.Theclassificationandimplementtechnologyoffirewalls
Anintegratedfirewallssystemusuallyconsistsofscreeningrouterandproxyserver.Thescreeningrouterisamulti-portIProuter.itchecktheeachcomingIPpacketaccordingtothegroupregulartojudgewhethertotransmitit.Thescreeningroutergetsinformationfromthepacket.fotexampletheprotocolnumber.theIPaddressandportnumberthatreceivingandsendingmassages.theflagoflinkevensomeotherIPselections.filteringIPpacket.Theproxyserverareserverprocessinthefirewall.itcanreplacethenetworkusertofinishthespecificTCP/IPfunction.Aproxyserverisnaturallyagatewayofapplicationlayer.agatewayoftwonetworksjoinedspecificnetworkapplication.UserscontactwithproxyserverbyoneoftheTCP/IPapplicationsuchasTelnetorFTP.theproxyserverasktheusersforthenameoftheremotehost.whichuserswanttoaccess.Aftertheusershaveansweredandofferedthecorrectusers'
identitiesandauthenticationinformation,theproxyservercommunicatestheremotehost,actastherelaybetweentwocommunicationsites.Thewholecoursecanbetotallytransparenttousers.
Therearemainlythreetypesinthefirewalls:
packetfiltering.applicationgatewaysandstatedetection.
Packetfilteringfirewallworksonthenetworklayer.itcanfilterthesourceaddress.destinationaddress.sourceportanddestinationportofTCP/IPdatapacket.Ithasadvantagessuchasthehigherefficiency.
transparenttouser.andusersmightnotfeeltheexistenceofthepackerfilteringfirewall,unlessheistheillegaluserandhasbeenrefused.Theshortcomingsarethatitcan'
tensurethesecuritytomostservicesandprotocols,unabletodistinguishthedifferentusersofthesameIPaddresseffectively,anditisdifficulttobeconfigured,monitoredandmanaged.can'
tofferenoughdailyrecordsandwarning.
Theapplicationgatewaysfirewallperformsitsfunctionontheapplicationlayer,itconnectswithspecificmiddle-jointfirewallbyaclientprocedure,andthenthemiddle-jointconnectswiththeserveractually.Unlikethepacketfilteringfirewall.whenusingthefirewallofthiskind.thereisnodirectconnectionbetweentheoutsidenetworks.soevenifthematterhashappenedinthefirewall.theoutsidenetworkscan'
tconnectwithnetworksprotected.Theapplicationgatewayfirewalloffersthedetaileddailyrecordsandauditingfunction,itimprovedthesecurityofthenetworkgreatly.andprovidesthepossibilitytoimprovethesecurityperformanceoftheexistingsoftwaretoo.Theapplicationgatewaysfirewallsolvesthesafetyproblembasedonthespecificapplicationprogram.theproductsbasedonProxywillbeimprovedtoconfiguretheserviceincommonuseandnon-standardport.However.solongastheapplicationprogramneedsupgrading.theusersbasedonProxywillfindthattheymustbuynewProxyserver.Asatechniqueofnetworksafety.Firewallcombinedwithproxyserverhassimpleandpracticalcharacteristics,canreachacertainsecurityrequestincaseofnotrevisingtheoriginalnetworkapplicationsystem.However.ifthefirewallsystemisbrokenthrough.thenetworkprotectedisinhavingnostateofprotecting.AndifanenterprisehopestolaunchthebusinessactivityonInternetandcarryoncommunicationwithnumerouscustomers.itcan'
tmeetthedemands.Inaddition,thefirewallbasedonProxyServicewilloftenmakestheperformanceofthenetworkobviouslydrop.
Thethirdgenerationoffirewalltakesthedetectiontechniqueofstateasthecore,combinesthepacketfilteringfirewallandapplicationgatewaysfirewall.Thestatedetectionfirewallaccessesandanalyzesthedataachievedfromthecommunicationlayerthroughthemoduleofstatedetectiontoperformitsfunction.Thestatemonitoractasfirewalltechnique.itisbestinsecurityperfonnance,itadoptsasoftwareengine.
whichexecutesthetacticsofnetworksecurityonthegateways,calledthedetectionmodule.Onthepremiseofnotinfluencingthenetworktoworknormally,detectionmodulecollectstherelevantdatatomonitoreachofthenetworkcommunicationlayers,collectsapartofdata,namelystatusinformation,andstoresthedataupdynamicallyforthereferenceinmakingsecuritydecisionafterward.Detectionmodule
supportsmanykindsofprotocolsandapplicationprogram,andcanimplementtheexpansionofapplicationandserviceveryeasily.Differentfromothersafetyschemes,beforetheuser'
saccessreachestheoperatingsystemofnetworkgateways,thestatemonitorshouldcollecttherelevantdatatoanalyze,combinenetworkconfigurationandsafetyregulationtomakethedecisionsofacceptance,refutation,appraisalorencryptingtothecommunicationetcOnceacertainaccessviolatesthesecurityregulation,thesafetyalarmwillrefuseitandwritedowntoreportthestateofthenetworktothesystemmanagementdevice.Thistechnologyhasdefectstoo,namelytheconfigurationofthestatemonitorisverycomplicated,andwilldeceleratethenetwork.
3.Newgenerationtechniqueoffirewalls
Accordingtothepresentfirewallsmarket,thedomesticandinternationalmanufacturersoffirewallcanallsupportthebasicfunctionofthefirewallwell,includingaccesscontrol,thenetworkaddresstransform,proxy,authentication,dailyrecordsauditetc.However,asstatedbefore,withtheattacktothenetworkincreasing,anduser'
srequisitionfornetworksecurityimprovingdaybyday,thefirewallmustgetfurtherdevelopment.Combinethepresentexperienceofresearchanddevelopmentandtheachievement,somerelevantstudiespointout,accordingtothedevelopmenttrendofapplicationandtechnology,howtostrengthenthesecurityoffirewall,improvetheperformanceoffirewall,enrichthefunctionoffirewall,willbecometheproblemthatthemanufactureroffirewallsmustfaceandsolvenext.
Thepurposeofthenewgenerationfirewallismainlycombiningthepacketfilteringandproxytechnology,overcomingthedefectsinthesafetyresp
升级会员 