Firewall types by concept (The Official Firewall Concepts)

Firewall types by concept

Each packet contains a header (control information) and a payload (the actual data). The header carries information about the sender and the receiver. Before a packet can enter the internal network through a defined port, it must pass through a firewall, and whether it is let through depends on the information it carries and how that information matches the predefined rules.

For example, a firewall may have a rule that excludes traffic from a specified IP address. If the firewall receives a packet with that IP address in the header, it denies access. Similarly, a firewall can deny access to everyone except defined trusted sources. There are many ways to configure this security device, and how much protection it gives existing systems depends on the type of firewall. Although all of them can prevent unauthorized access, their operating methods and overall structure may be very different.

Software firewall

A software firewall is installed on the host device, so this type is also called a host firewall. Because it is bound to a specific device, it has to use that device's resources to work and inevitably consumes some of the system's RAM and CPU. If there are multiple devices, the software needs to be installed on each of them, and because it must be compatible with its host, it has to be configured individually for each host. The main disadvantage is therefore the time and knowledge required to install and manage the firewall on every device. On the other hand, software firewalls have the advantage that they can distinguish between programs while filtering incoming and outgoing traffic, so they can deny access to one program while allowing it to another.

Hardware firewall

As the name suggests, a hardware firewall is a security device that is a separate piece of hardware placed between the internal network and the external network (the Internet). This type is also called a device firewall. Unlike software firewalls, hardware firewalls have their own resources and do not occupy any CPU or RAM of the host devices. It is a physical device that acts as a gateway for traffic to and from the internal network. Medium and large organizations with many computers on the same network use them, since in that case a hardware firewall is more practical than installing separate software on each device. Configuring and managing hardware firewalls requires knowledge and skills, so make sure a skilled team takes on this responsibility.

Packet filtering firewall

When firewall types are divided by how they operate, the most basic type is the packet filtering firewall. It is used as an inline security checkpoint attached to a router or switch. As the name suggests, it monitors network traffic by filtering it based on the information carried in incoming packets.

As mentioned above, each packet consists of a header and the data it carries. This type of firewall decides whether to allow or deny the packet based on the header information alone: it checks the protocol, source IP address, destination IP address, source port and destination port. Depending on how these values match the access control list (the rules that define the wanted and unwanted traffic), the packet is forwarded or dropped.
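The header-only decision described above, as an added example that is not part of the original article: a minimal stateless packet filter whose rules match the five header fields against an access control list, with first-match semantics and an implicit default deny. The addresses, ports and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed example of a stateless packet filter: each rule is matched
# against the header fields the text names, the first matching rule decides,
# and a packet that matches no rule is dropped (default deny).
@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"        # CIDR prefix; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))

def filter_packet(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or "deny" if none matches."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed ACL: block one untrusted source address, then admit HTTPS to the
# internal web server; everything else falls through to the implicit deny.
ACL = [
    Rule("deny", src="203.0.113.5/32"),
    Rule("allow", proto="tcp", dst="10.0.0.10/32", dport=443),
]

if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.5", "10.0.0.10", 40000, 443),   # blocked source
        Packet("tcp", "198.51.100.7", "10.0.0.10", 40001, 443),  # allowed HTTPS
        Packet("tcp", "198.51.100.7", "10.0.0.10", 40002, 22),   # no rule: denied
    ]
    for p in samples:
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: {filter_packet(ACL, p)}")
```

Rule order matters: if the allow rule came first, the blocked address would still reach the server on port 443.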

Circuit-level gateway

The circuit-level gateway is a firewall that works at the session layer of the OSI model. It monitors TCP (Transmission Control Protocol) connections and sessions, and its main function is to ensure that the established connection is secure. In most cases, circuit-level firewalls are built into some type of software or into an existing firewall. Like packet filtering firewalls, they do not inspect the actual data but the information about the transaction. In addition, the circuit-level gateway is very practical and easy to set up, and does not require a separate proxy server.

Stateful inspection firewall

The stateful inspection firewall tracks the connection state by monitoring the TCP 3-way handshake. In this way it can track the entire connection, from beginning to end, and allow inbound only the return traffic that is expected.

When a connection is started and data is requested, the stateful inspection firewall creates a database (the state table) and stores the connection information in it. For each connection the state table records the source IP, source port, destination IP and destination port. Using stateful inspection, the firewall can dynamically create rules that allow the expected traffic. Such firewalls are used for additional security: compared to stateless filters they perform more checks and are more secure. Moreover, unlike stateless packet filtering, stateful firewalls examine the actual data transmitted across multiple packets, not just the header, so they also need more system resources.
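The state table and handshake tracking described in the two paragraphs above, as an added example that is not from the original article: a simplified stateful engine that lets internal hosts open connections, advances a state-table entry as it sees SYN, SYN-ACK and ACK, and admits inbound packets only when they match an established entry. The internal prefix, addresses and ports are constructed, and the state machine is deliberately reduced (no timeouts, no tracking of both FIN directions).

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed example of stateful inspection (simplified: connections are only
# opened from inside, there are no timeouts, and a single FIN closes the flow).
# Inbound packets are accepted only if they match an entry in the state table.
@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

class StatefulFirewall:
    def __init__(self, internal_prefix: str):
        self.internal = internal_prefix      # constructed: string prefix of internal addresses
        self.table: Dict[Tuple, str] = {}    # (src, sport, dst, dport) -> connection state

    def _key(self, p: Tcp, outbound: bool) -> Tuple:
        # Every entry is stored from the internal host's point of view so that
        # the reply direction maps onto the same key.
        return ((p.src, p.sport, p.dst, p.dport) if outbound
                else (p.dst, p.dport, p.src, p.sport))

    def inspect(self, p: Tcp) -> str:
        outbound = p.src.startswith(self.internal)
        key = self._key(p, outbound)
        state = self.table.get(key)
        if outbound and p.syn and not p.ack and state in (None, "SYN_SENT"):
            self.table[key] = "SYN_SENT"       # internal host opens (or retries) a connection
            return "allow"
        if state is None:
            return "drop"                      # unsolicited inbound packet or unknown flow
        if state == "SYN_SENT" and not outbound and p.syn and p.ack:
            self.table[key] = "SYN_RECEIVED"   # the expected SYN-ACK reply
        elif state == "SYN_RECEIVED" and outbound and p.ack and not p.syn:
            self.table[key] = "ESTABLISHED"    # handshake completed; data may flow both ways
        elif state == "ESTABLISHED" and p.fin:
            del self.table[key]                # connection torn down, entry removed
        elif state != "ESTABLISHED":
            return "drop"                      # packet does not fit the handshake sequence
        return "allow"
```

Compare this with the stateless filter: a packet-filtering ACL that admits "return" traffic has to do so with a static rule, whereas here the inbound SYN-ACK is accepted only because the table already holds the matching outbound SYN.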

Proxy firewall

The proxy firewall acts as an intermediary between internal and external systems that communicate over the Internet. It protects the network by forwarding requests on behalf of the original client and masking them as its own. "Proxy" means acting as a substitute, and that is the role it plays: it stands in for the client that sent the request. When the client sends a request to access a web page, the proxy server intercepts the message and forwards it to the web server, pretending to be the client. Doing so hides the client's identity and geographic location, protecting it from restrictions and potential attacks. The web server then responds and delivers the requested information to the proxy, which passes it on to the client.

Next generation firewall

The next-generation firewall (NGFW) is a security device that combines many other firewall functions. It incorporates packet filtering, stateful inspection and deep packet inspection. In short, an NGFW checks the actual payload of the packet instead of focusing only on the header information.

Unlike traditional firewalls, next-generation firewalls inspect the entire data transaction, including the TCP handshake, surface-level inspection and deep packet inspection. An NGFW can offer full protection against malware attacks, external threats and intrusions. These devices are very flexible and the functions they provide are not clearly defined, so make sure to study what each specific option provides.

Cloud firewall

A cloud firewall, or firewall as a service (FWaaS), is a cloud solution for network protection. Like other cloud solutions, it is maintained by a third-party vendor and runs over the Internet. Clients usually use the cloud firewall as a proxy server, but the configuration can be changed to suit requirements. Its main advantage is scalability: it is not tied to physical resources, so firewall capacity can be expanded according to the traffic load. Enterprises use this solution to protect internal networks or other cloud infrastructure (IaaS/PaaS).

Which firewall architecture is suitable for your business?

When deciding which firewall to choose, there is no need to settle on a single one. Using more than one type of firewall provides multiple layers of protection. In addition, consider the following factors:

  • The size of the organization: How big is the internal network? Can you manage a firewall on each device, or do you need to monitor a firewall for the whole internal network? These questions matter when deciding between software and hardware firewalls. The decision between the two will also depend largely on the ability of the technical team assigned to manage the setup.

  • Available resources: Can you afford to separate the firewall from the internal network by placing it on separate hardware or even in the cloud? The traffic load the firewall needs to filter, and whether that load is consistent, also play an important role.

  • The required level of protection: The number and type of firewalls should reflect the security measures the internal network requires. Companies that handle sensitive client information should strengthen firewall protection to ensure that the data is protected from hackers.

Translated from: https://levelup.gitconnected.com/the-official-firewall-concepts-cc723b311dde