How much does maintaining China's Great Firewall cost each year?

A Complete Guide to Firewalls - OSChina Community
A Complete Guide to Firewalls
English original:
Stateless and Stateful Firewalls
The concierge and the security person filter incoming and outgoing mail. If they are new on the job, they are like stateless firewalls, i.e. packet filters. They treat all mail equally. When you send a letter to apartment 80, apartment 80 will send a letter back. That reply is checked against their lists. The reply only gets through if mail from apartment 80 is allowed out.
After a while, they move up the pay scale and become stateful firewalls. They are trained to differentiate the outgoing mail between brand new outgoing letters and replies to previous letters. Consequently, their lists of rules can be a lot shorter. They can be told to deliver all letters that are part of an established correspondence, and throw away almost all new outgoing mail. So when you send a letter to apartment 80, the reply from apartment 80 is automatically allowed back through. But if on some lonely winter’s evening, apartment 80 suddenly decides to start up its own letter writing campaign, it won’t get through.
The next section looks at how the piece of paper with all the rules is formatted.
Stateless and Stateful Firewalls
The concierge and the security officer filter incoming and outgoing mail. If they are new on the job, they are a bit like stateless firewalls, that is, packet filters. A stateless firewall treats all mail equally. When you send a letter to apartment 80, apartment 80 sends you a letter back. That reply has to pass the check against the list, and the letter to you passes only if apartment 80 is allowed to send mail out.
After a while they get a pay rise and become stateful firewalls. Having been trained, they treat outgoing mail differently, telling which letters are replies and which are brand new. Consequently their rule lists are much more concise than before. Replies within an already established correspondence are let through as instructed, while newly initiated outgoing mail is thrown away. So when you send a letter to apartment 80, the reply to you is automatically allowed through the check. But if on some lonely winter's evening apartment 80 suddenly decides on its own to start sending letters out, those letters will not pass the check.
The next subsection describes the format of the rule list used for filtering.
Firewall Rules
Whether you use a software or hardware firewall, you will hopefully get some sort of visual management tool. There are many firewalls available, each with its own way of doing things, but they generally stick to the same concepts. They mainly vary in their complexity. Some give you complete control but also require a lot of knowledge and effort. Others are simple but far less flexible.
This section introduces the terminology and shows two examples of firewall configuration interfaces.
Firewall Rules
Whether it is a software or a hardware firewall, there will be a similar visual management tool. There are all kinds of firewalls on the market, each with its own way of doing things, but they generally share some common concepts; they differ mainly in complexity. Some firewalls give you complete control, but getting there requires a great deal of knowledge and a fair amount of time and effort; others are simple to use but considerably less flexible.
This subsection introduces the relevant terminology and gives two examples of firewall configuration interfaces.
Firewall Terminology
This is what the piece of paper on the concierge’s desk might look like:
Letters from any sender in any apartment to the TCP building, apartment 80 – deliver; replies to those letters from apartment 80 – deliver
Letters from the address 99.99.99.99, any apartment number, to the TCP building, apartment 22 – deliver; replies to those letters from apartment 22 – deliver
Any other letters to or from the TCP building – throw away
Any other letters to or from the UDP building – throw away
Whenever the concierge receives a new letter, he compares the sender’s and recipient’s addresses to each of these rules in order. When he finds a matching rule, he follows the instruction, which is to either deliver the letter or throw it away.
Firewall Terminology
Here is roughly what the piece of paper on the concierge's desk looks like:
Letters from any sender in any apartment to the TCP building, apartment 80 – deliver; replies to those letters from apartment 80 – deliver
Letters from the address 99.99.99.99, any apartment number, to the TCP building, apartment 22 – deliver; replies to those letters from apartment 22 – deliver
Any other letters to or from the TCP building – throw away
Any other letters to or from the UDP building – throw away
Whenever the concierge receives a new letter, he compares the sender's and recipient's addresses against each of the rules above, in the order listed. When one matches, he follows that rule's instruction and either delivers the letter or throws it away.
The overall effect is that anybody in the world can correspond with the Web server in apartment 80, but only the trustworthy people living at 99.99.99.99 can write to the SSH server in apartment 22. All other attempted communication is thrown away. This is how that would translate to a real software firewall like IPTables:
Rule | Direction | Action | Protocol | Remote IP | Remote port | Server port
1 | in | allow | TCP | any | any | 80
2 | out | allow | TCP | any | established | 80
3 | in | allow | TCP | 99.99.99.99 | any | 22
4 | out | allow | TCP | 99.99.99.99 | established | 22
5 | both | deny | TCP | any | any | any
6 | both | deny | UDP | any | any | any
Most firewalls, however, will hide the gory details of new and established connections. They will assume that all replies to established connections are allowed through and only deal with the new connections. The table can then be much shorter:
Rule | Direction | Action | Protocol | Remote IP | Remote port | Server port
1 | in | allow | TCP | any | any | 80
2 | in | allow | TCP | 99.99.99.99 | any | 22
3 | both | deny | TCP | any | any | any
4 | both | deny | UDP | any | any | any
If these rules were applied to a hardware firewall, there would also be a server IP address, as hardware firewalls usually work on behalf of more than one server. In that case, the table could just have source and destination and no direction, like this:
Rule | Action | Protocol | Source IP | Source port | Destination IP | Destination port
1 | allow | TCP | any | any | 80.72.139.101 | 80
2 | allow | TCP | 99.99.99.99 | any | 80.72.139.101 | 22
3 | deny | TCP | any | any | any | any
4 | deny | UDP | any | any | any | any
To allow outgoing requests, the source and destination would be switched, with the server’s IP address 80.72.139.101 appearing in the source IP address column. Also note that the remote and server protocol are always the same.
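The four-rule short table above, evaluated the way the concierge does it: first matching rule wins, replies on a correspondence the firewall has already seen are let through automatically, and a brand-new outgoing letter from apartment 80 is refused. This is an added example, not code from the article or from IPTables; the `Packet`, `Rule` and `StatefulFirewall` names and the "deny if nothing matches" default are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in": remote -> server, "out": server -> remote
    proto: str        # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    server_port: int


@dataclass(frozen=True)
class Rule:
    direction: str    # "in", "out" or "both"
    action: str       # "allow" or "deny"
    proto: str
    remote_ip: str = "any"
    server_port: object = "any"   # an int or "any"


# The article's four-rule table: only new connections are listed; replies on
# established connections are handled by the state table in the class below.
RULES = [
    Rule("in", "allow", "tcp", server_port=80),                           # web for anyone
    Rule("in", "allow", "tcp", remote_ip="99.99.99.99", server_port=22),  # SSH for one address
    Rule("both", "deny", "tcp"),
    Rule("both", "deny", "udp"),
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # (proto, remote_ip, remote_port, server_port)

    def _matches(self, rule, pkt):
        return (rule.direction in ("both", pkt.direction)
                and rule.proto == pkt.proto
                and rule.remote_ip in ("any", pkt.remote_ip)
                and rule.server_port in ("any", pkt.server_port))

    def check(self, pkt):
        """Return "allow" or "deny" for one packet; the first matching rule wins."""
        key = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.server_port)
        if key in self.established:      # a reply within an existing correspondence
            return "allow"
        for rule in self.rules:          # rules are checked strictly in order
            if self._matches(rule, pkt):
                if rule.action == "allow":
                    self.established.add(key)
                return rule.action
        return "deny"   # assumption: anything not listed is denied
```

Because matching stops at the first hit, moving the catch-all deny rule to the top silently blocks the web and SSH rules beneath it, which is why the rule number matters.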
The overall effect is that anyone in the world can communicate with the web server in apartment 80, but only the person living at 99.99.99.99 is trusted, and only they can communicate with the SSH server in apartment 22. All other attempted communication is thrown away. Translated, the rules above can be used by a real software firewall called IPTables:
Rule | Direction | Action | Protocol | Remote IP | Remote port | Server port
1 | in | allow | TCP | any | any | 80
2 | out | allow | TCP | any | established | 80
3 | in | allow | TCP | 99.99.99.99 | any | 22
4 | out | allow | TCP | 99.99.99.99 | established | 22
5 | both | deny | TCP | any | any | any
6 | both | deny | UDP | any | any | any
However, most firewalls hide the fiddly details of new versus established connections: they assume that all replies on established connections are allowed through, and deal only with new connections. The table above can therefore be much shorter:
Rule | Direction | Action | Protocol | Remote IP | Remote port | Server port
1 | in | allow | TCP | any | any | 80
2 | in | allow | TCP | 99.99.99.99 | any | 22
3 | both | deny | TCP | any | any | any
4 | both | deny | UDP | any | any | any
If these rules are to be applied to a hardware firewall, the server's IP address is also needed, because a hardware firewall usually works on behalf of several servers. In that case the table needs source and destination columns and no direction, like this:
Rule | Action | Protocol | Source IP | Source port | Destination IP | Destination port
1 | allow | TCP | any | any | 80.72.139.101 | 80
2 | allow | TCP | 99.99.99.99 | any | 80.72.139.101 | 22
3 | deny | TCP | any | any | any | any
4 | deny | UDP | any | any | any | any
To allow outgoing requests, swap the source and destination contents, putting the server's IP address 80.72.139.101 in the source IP column. Note also that the remote and server protocols are always the same.
Firewall Example
Some firewall configurations provide tables and forms similar to the one above and you just have to fill in the blanks. The example below is the software firewall tool provided by Plesk 9.5.4.
Plesk is a common server management application. To see the screen below, click “Modules” on the left, then “Firewall,” “Edit Firewall Configuration” and “Add Custom Rule.”
Adding a new rule to the firewall in Plesk 9.5.4.
This has most of the fields shown in the table above: direction, action of allow or deny, server port, protocol and remote/source IP address. The mini-table above blocks both directions within the same rule (rules 3 and 4). In many configurations, these have to be done separately by setting up the rule and choosing a direction of incoming or outgoing.
Firewall Example
Some firewalls present tables and forms like those above for configuration, and all you have to do is fill in the blanks. The example below is the software firewall tool provided by Plesk 9.5.4. Plesk is a common server management application. To reach the screen below, click “Modules” on the left, then “Firewall”, “Edit Firewall Configuration” and “Add Custom Rule” in turn.
Adding a new rule to the firewall in Plesk 9.5.4
This screen has most of the fields from the table above: direction, an allow-or-deny action, server port, protocol and remote/source IP address. The small table above denies traffic in both directions within a single rule (rules 3 and 4). In most cases this has to be done with two separate rules, choosing incoming or outgoing for each.
In this interface, there is another choice for direction — forwarding. Port forwarding allows letters to be forwarded from one port to another. It is commonly used in household broadband routers, which allow several computers to share a single IP address by mapping ports.
For example, your laptop might have a local IP address of 192.168.1.10. When you request a Web page (with your sender’s address like 192.168.1.10, TCP, 60000), your letter first goes to your broadband router, which puts your letter in a brand new envelope with a new sender’s address (such as 78.78.78.78, TCP, 12013) and forwards it to its destination (such as 80.72.139.101, TCP, 80). When the router gets the reply, it remembers that apartment 12013 is just a forwarding address, so it puts it in a new envelope and forwards it to you (at 192.168.1.10, TCP, 60000). A typical Web server would not need to do port forwarding and so the firewall would block all forwarding.
The Plesk firewall is just a friendly interface for the UNIX firewall IPTables. The command iptables -L shows the current rules as above.
This interface offers another option for direction: forwarding. With port forwarding, mail can be forwarded from one port to another. This is commonly used in home broadband routers, which let several computers share a single IP address by mapping ports.
For example, your laptop's local IP address might be 192.168.1.10. When you request a web page (sending the request from an address like 192.168.1.10, TCP, 60000), your mail first goes to your home broadband router, which puts it in a brand new envelope with a new sender's address (such as 78.78.78.78, TCP, 12013) and forwards your request to its destination (such as 80.72.139.101, TCP, 80). When the router gets the reply, it remembers that apartment 12013 is only a forwarding address, so it puts the mail in a new envelope and forwards it to you (at 192.168.1.10, TCP, 60000). A typical web server does not need port forwarding, so the firewall blocks all forwarding.
The Plesk firewall is just a friendly interface on top of the UNIX firewall IPTables. The figure above shows the current rules as displayed by the command iptables -L.
Another Firewall Example
The screenshot below is from the shared hardware firewall configuration tool provided by the host UK Fast. You have to pay extra for this service. In exchange, you can log into the UK Fast website and add, modify and remove rules:
A hardware firewall configuration interface for allowing incoming and outgoing traffic to TCP ports.
This interface is very simple. It already knows your server IP address and it assumes that everything not listed is denied. The only thing you can do is add allowed ports.
The ports relate to the server port for incoming connections and the remote port for outgoing connections. As above, this only deals with new connections. Established requests are allowed through automatically. So the first incoming rule on the left states that anybody in the world can access port 80 on the server (the web-crazy family).
Another Firewall Example
The screenshot below is from the shared hardware firewall configuration tool provided by the hosting provider UK Fast. You have to pay extra for this service. In return, you can log in to the UK Fast website and add, modify and delete rules:
A hardware firewall configuration interface for allowing incoming and outgoing traffic
This interface is very simple. The firewall already knows your server's IP address, and it assumes that any traffic not listed is denied. All you can do is add allowed ports.
The ports listed refer to the server port for incoming connections and the remote port for outgoing connections. As described above, these rules deal only with new connections; established connections pass the check automatically. The first incoming rule on the left states that anyone in the world can access port 80 on the server (the web-crazy residents).
The first outgoing rule on the right allows the server to request port 80 on other servers. You may wonder why your Web server would ever need to do this. Surely it is not spending its free time browsing the Internet. But it is necessary for things like PayPal Instant Payment Notification, where your server sends a request to PayPal to double check that a payment has been received. Similarly, most of the other outgoing rules allow your server to send emails, check email accounts and do FTP.
There is no mention of the remote IP address on this screen. That is configured separately by clicking on “Admin Config” and is shown in the next subsection.
The first outgoing rule on the right states that this server may send requests to any other web server. You may wonder why your web server would ever need to do this. It certainly isn't browsing the Internet in its spare time. But for things like PayPal Instant Payment Notification it is necessary, because your server has to send a request to PayPal's server to confirm that PayPal really did receive the payment. Likewise, the other outgoing rules let your server send email, collect email from accounts and do FTP.
The remote IP address does not appear on the screen above. As the next subsection explains, it is configured separately by clicking “Admin Config”.
The UK Fast hardware firewall has a separate screen for entering remote IP addresses. They have a preset list of restricted ports (such as 22 for SSH and 8443 for Plesk), and only the IP addresses shown are allowed to communicate with those ports. All other ports (like 80 for Web serving) are allowed to correspond with anybody. You lose some flexibility this way, but it makes it very easy to configure.
Entering a list of source IP addresses which are allowed to connect to restricted ports.
This screen also introduces subnets. Up till now, all the rules have dealt with single IP addresses like 99.99.99.99, but you can also enter IP addresses in ranges.
IP addresses consist of four numbers between 0 and 255. (There are newer ones with six numbers but they are still relatively uncommon.) It would be nice to be able to enter ranges by putting things like 99.99.0-255.0-255. Unfortunately you can’t. Instead you enter a starting address like 99.99.0.0 and a mask like 255.255.0.0. Similarly the range 77.77.77.0-255 is entered as the address 77.77.77.0 and the subnet mask 255.255.255.0.
You can enter smaller ranges such as 77.77.77.8-15, which would be 77.77.77.8 with subnet mask 255.255.255.248. It’s confusing because it invokes binary, but there are lots of available.
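The binary behind the three ranges above, as an added example that is not part of the article: a range is expressible as address plus mask only when its size is a power of two and it starts on a multiple of that size, which is why 77.77.77.8-15 works but a range like 77.77.77.10-17 cannot be entered on such a screen. The function names are assumptions; only the standard `ipaddress` module is used.

```python
import ipaddress


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def range_to_subnet(first, last):
    """Express an inclusive address range as (starting address, subnet mask).

    Only blocks whose size is a power of two and that start on a multiple of
    that size can be written this way; anything else raises ValueError.
    """
    lo, hi = ip_to_int(first), ip_to_int(last)
    size = hi - lo + 1
    if size <= 0 or size & (size - 1):
        raise ValueError(f"{first}-{last}: {size} addresses is not a power of two")
    if lo % size:
        raise ValueError(f"{first}-{last}: block does not start on a multiple of {size}")
    host_bits = size.bit_length() - 1               # 8 addresses -> 3 host bits
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF   # 29 ones followed by 3 zeros
    return int_to_ip(lo), int_to_ip(mask)


def is_subnet_expressible(first, last):
    """True when the range can be entered as one address/mask pair."""
    try:
        range_to_subnet(first, last)
        return True
    except ValueError:
        return False


def in_subnet(ip, start, mask):
    """True when ip falls inside start/mask: the bits the mask keeps must agree."""
    m = ip_to_int(mask)
    return ip_to_int(ip) & m == ip_to_int(start) & m


def mask_bits(mask):
    """Show a dotted mask in binary, e.g. 255.255.255.248 -> 11111111.11111111.11111111.11111000."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))
```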
The UK Fast hardware firewall has a separate screen for entering remote IP addresses. It comes with a preset list of restricted ports (such as 22 for SSH and 8443 for Plesk), and only the IP addresses given below may communicate with those ports. Other ports (such as 80 for web serving) may communicate with anyone. This loses some flexibility, but it simplifies configuration considerably.
Entering the list of source IP addresses that are allowed to connect to the restricted ports.
The screen above also introduces the concept of subnets. Until now, every rule has dealt with a single IP address such as 99.99.99.99, but you can also enter a range of IP addresses.
An IP address consists of four numbers between 0 and 255. (There is now a newer kind of address made up of six numbers, but it is still relatively uncommon.) It would be nice to be able to enter a range like 99.99.0-255.0-255, but unfortunately you cannot. Instead, you achieve the same thing by entering a starting address, 99.99.0.0, and a subnet mask, 255.255.0.0. Similarly, the range 77.77.77.0-255 is entered as 77.77.77.0 with the subnet mask 255.255.255.0.
You can also enter a smaller range such as 77.77.77.8-15: starting address 77.77.77.8 with subnet mask 255.255.255.248. This looks a little confusing because working it out requires binary arithmetic, but there are already plenty available.
All the Fields
Here is a summary of the different fields discussed in this section:
Rule number: remember that rules are checked and applied in order
Protocol: either TCP or UDP
Direction: incoming, outgoing or forwarding
Remote IP address: such as 77.77.77.0
Remote subnet mask: such as 255.255.255.0
Remote port or port range
Server IP address
Server subnet mask
Server port or port range
Action: allow or deny
Sometimes the interface will have source and destination instead of direction, remote and server. In this case, they are the same for incoming mail, but reversed for outgoing. In other words, remote equals source for incoming but remote equals destination for outgoing.
The next section discusses the ports in more detail. The concierge’s piece of paper is very limiting. A real Web server will look more like the hardware firewall example above.
Here is a summary of the different fields discussed in this subsection:
Rule number: remember that rules are checked and applied in order
Protocol: either TCP or UDP
Direction: incoming, outgoing or forwarding
Remote IP address: such as 77.77.77.0
Remote subnet mask: such as 255.255.255.0
Remote port or port range
Server IP address
Server subnet mask
Action: allow or deny
Sometimes the interface will have source and destination instead of direction, remote and server. In that case they are the same for incoming mail but reversed for outgoing mail. In other words, remote equals source for incoming but remote equals destination for outgoing.
The next section discusses ports in more detail. The concierge's piece of paper is very limited. A real web server looks more like the hardware firewall example above.
Editor in charge: 白宁
As network security threats keep evolving, the great majority of enterprises have not truly grasped the threats this brings. As security technology has advanced, traditional enterprise customers have relied on traditional firewalls, dividing the network into security zones for access control. In recent years the proliferation of botnets, worms, trojans and APT attacks has sounded the alarm for enterprise customers, who have deployed IPS and content-level security appliances to strengthen the protection and control of the whole network. However, upgrading from traditional firewalls to dedicated IPS appliances changes the cost picture; enterprises need more cost-effective security appliances to resolve the tension between budget and security requirements. Enterprises have now begun to rebuild their network defences and to weigh new product choices for their security architecture, and the next-generation firewall has become the focus of discussion.
1. Brand structure of the firewall market
1.1 Well-known brands keep attracting high attention
Looking at brand attention in the domestic firewall market, the mainstream major brands Cisco (思科) and Huawei (华为) attract the most attention, at 27% and 24.6% respectively, followed by Juniper and H3C at 10.7% and 10.2%. The other six brands attract somewhat less attention, 22.4% in total.
Figure: Distribution of brand attention in the Chinese firewall market, 2014
1.2 Well-known brands are the market's first choice
Comparing the brand attention survey results, it is easy to see that the brand rankings from Q1 to Q4 of 2014 follow the user attention values: Cisco, Huawei, Juniper and H3C occupy the top three places, with Juniper and H3C tied for third. Well-known brands thus hold a relatively stable position in the market.
At the same time, security vendors represented by Sangfor (深信服) and NetentSec (网康), and also including Check Point, Hillstone Networks (山石网科), Fortinet (飞塔) and WatchGuard, have made the list on the strength of excellent next-generation firewall products. As the new generation of network threats facing enterprises drives the evolution of next-generation firewalls, the attention they attract and the brand recognition they bring will trigger a replacement of old security appliances with new ones.
Table: Comparison of brand rankings in the Chinese firewall market, Q1-Q4 2014
Rank | Q1 | Q2 | Q3 | Q4
1 | Cisco | Cisco | Cisco | Cisco
2 | Huawei | Huawei | Huawei | Huawei
3 | Juniper | Juniper | H3C | H3C
4 | H3C | H3C | Juniper | Juniper
5 | Check Point | Check Point | Check Point | Check Point
6 | Hillstone Networks | NetentSec | NetentSec | Sangfor
7 | Sangfor | Hillstone Networks | Sangfor | NetentSec
8 | Fortinet | Sangfor | Hillstone Networks | Hillstone Networks
9 | NetentSec | Fortinet | Fortinet | Fortinet
10 | WatchGuard | WatchGuard | WatchGuard | Venustech (启明星辰)
1.3 The four benchmark brands of the firewall segment
Among the four mainstream brands in the firewall segment, Cisco and Huawei are far above Juniper and H3C in attention; in Q4 Huawei came close to Cisco and the two shared the year-end crown. H3C also overtook Juniper's attention value in Q4, but compared with the first tier of Cisco and Huawei, H3C and Juniper still have 10 to 15 percentage points of headroom.
Figure: Attention trends of the mainstream brands in the Chinese firewall market, Q1-Q4 2014
Copyright notice: this article is copyright of the ZOL ZDC Research Center (中关村在线ZDC调研中心); it may not be reproduced or excerpted without written authorization.
How does China's firewall do this? [Graphics Card Bar] - Baidu Tieba
How does China's firewall do this?
Link paused...
Google is getting more and more humane.
I saw a Google announcement saying they can't find the cause of this phenomenon.
Look up *** yourself and you'll understand.
Why is mine fine?
Mighty is our great Celestial Empire.
Rather than admiring the Kung Fu Net (GFW), you'd do better to admire Google. The Kung Fu Net, to put it plainly, is just a giant firewall that filters certain websites and certain keywords.
A super-intelligent firewall.
It's just direct DNS interception; the HTTP protocol isn't secure anyway. Mighty is our great LAN. By the way, once you put https in front, Google lets you search whatever you like without any trouble.
Break through ***, conquer the whole world!
Which Liu did something bad and got harmonised?
With 自由间 on my side, who do I fear?
Nonsense, you clearly can search; our TC network is the freest in the world.
Hold it!!! The water meter is being checked!!!!
The Great Firewall, TC's mightiest thing, 50 years ahead of American technology.
They've blocked every route you have to pass through; no matter how skilled you are, you're helpless.
@ the disappearance of google
The Kung Fu Net also has a “domain name pollution” feature, dear.
What's the big deal? Any high-end firewall can do application-layer filtering.
Research Report on the Competitive Status of China's Firewall Market (Table of Contents) - Baidu Wenku
China Industry Information Network (中国产业信息网) is operated by 北京智研科信咨询有限...
The “Research Report on the Competitive Status and Market Outlook of China's Firewall Market” has nine chapters, covering analysis of investment opportunities and risks in China's firewall industry, forecasts of development trends in China's firewall industry, and analysis of the competitive financial data of leading firewall companies.