Firewalls are the most commonly used means of network isolation. They work mainly through route control of the network, that is, access control list (ACL) technology. A network is a packet-switching system: packets reach their destination by being routed, so whoever controls the routes controls the communication path and the direction in which packets flow. In the early days, network security control consisted almost entirely of firewalls. Influential domestic manufacturers include Tianrongxin, Venus Star, Lenovo Net Royal, etc.
However, the firewall has an obvious disadvantage: it can only control layers four and below, and has no way to deal with viruses and worms at the application layer. It is adequate where only basic isolation is required, but it is not enough for deep network isolation.
The NAT technology in firewalls deserves a mention. Address translation hides the IP addresses of the intranet, and many people regard it as a kind of security protection, believing that a network without a route to it is safe enough. Address translation is actually a form of proxy server technology. It is a step forward in security because business access no longer passes through directly, but techniques for traversing NAT at the application layer are now very common, so hiding addresses is only relative. Many current attack techniques target the firewall, and in particular the firewall's lack of application-layer control makes it easy for trojans to get in. A trojan that enters the intranet sees the intranet addresses and reports them directly to the attacker on the external network, so the security value of NAT is not great.
2. Multiple security gateways (also known as new generation firewalls)
A firewall is a checkpoint erected on a "bridge", which can only perform a "passport" inspection. The approach of multiple security gateways is to erect several checkpoints, one for baggage inspection and another for checking the traveller. Multiple security gateways also have a unified name: UTM (Unified Threat Management). Whether it is built as one device or several is only a difference in the processing capacity of the devices themselves; what matters is that inspection covers everything from the network layer to the application layer. There are many UTM manufacturers in China, such as Tianrongxin and Venus Star.
The inspection performed by multiple security gateways is divided into several levels:
FW: ACL at the network layer
IPS: intrusion prevention
AV: anti-virus
Extensible functions: DoS defence, content filtering, traffic shaping ...
Firewalls and multiple security gateways are both "bridging" strategies, relying mainly on security inspection.
3. Gateway
The design of the gateway is "proxy + ferry". Instead of bridging the river, you set up a ferry boat. The ferry boat does not directly connect the two banks, so its safety is naturally better than that of a bridge: even if it is attacked, the attacker cannot get across at once, and the crossing is always under the managers' control. In addition, the gateway acts as a proxy. This is not merely a protocol proxy but a "disassembly" of the data: the data is restored to its original form and the "headers and tails" added by the various communication protocols are removed. Many attacks hide themselves inside this protocol packaging; without these "communication coats", it is difficult for an attacker to hide.
The security concept of the gateway is:
network isolation: "crossing the river by boat, with no bridge"; the network is isolated by ferrying
protocol isolation: "container transport is prohibited"; the communication protocol is terminated, the protocol connection is broken by a private protocol or by storage, and the upper-layer business is carried by a proxy
as required by national security regulations for classified networks and services.
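The contrast between the firewall's "passport" check and the gateway's "disassembly" can be shown in code. The following added example (not from the original article) models a constructed packet, a hypothetical layer-3/4 ACL, and a ferry that strips the protocol envelope and lets only a record matching an assumed business schema cross; the schema and the HTTP-style framing are assumptions for illustration.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified packet: the layer-3/4 fields a firewall sees
# plus the raw application bytes it never looks into.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes

# Hypothetical ACL entries: (source network, destination host, protocol, port).
ACL_ALLOW = [("10.1.0.0/16", "10.2.0.5", "tcp", 80)]

def acl_allows(pkt: Packet) -> bool:
    """Firewall decision: only the 5-tuple is consulted, never the payload."""
    src = ipaddress.ip_address(pkt.src)
    return any(
        src in ipaddress.ip_network(net) and pkt.dst == dst
        and pkt.proto == proto and pkt.dport == port
        for net, dst, proto, port in ACL_ALLOW
    )

# Assumed business schema the ferry is configured for: field -> allowed types.
BUSINESS_SCHEMA = {"order_id": int, "amount": (int, float)}

def ferry(pkt: Packet) -> Optional[dict]:
    """Gateway decision: strip the protocol 'coat' and pass only bare business data."""
    # 1. Everything before the blank line is protocol framing: discarded, not forwarded.
    head, sep, body = pkt.payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    # 2. Restore the data to its original form (here: a JSON record).
    try:
        record = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    # 3. Only a record matching the business schema exactly is carried across;
    #    anything extra or missing is refused, however the packet was framed.
    if not isinstance(record, dict) or set(record) != set(BUSINESS_SCHEMA):
        return None
    if not all(isinstance(record[k], t) for k, t in BUSINESS_SCHEMA.items()):
        return None
    return record
```

The inner side receives only the returned dict and re-frames it itself, so no outer-network protocol state ever crosses the ferry.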
4. Exchange network
The model of the exchange network comes from the Clark-Wilson model used in banking systems, which protects data integrity mainly through the ideas of business proxies and double auditing. An exchange network establishes a data exchange zone between two isolated networks, responsible for exchanging business data (one-way or two-way). Both ends of the exchange network can use multiple security gateways or gateways. Security technologies such as monitoring and auditing are deployed within the exchange zone, so that the whole forms a layered exchange network protection system.
The core of the exchange network is again the business proxy: a customer's business can only enter the production network through the application proxy in the access buffer zone and the business proxy in the service buffer zone.
Both the gateway and the exchange network adopt the ferry strategy, extending the "mileage" of data communication and adding security measures along the way.
III. Comparison of data exchange technologies
Different business networks choose different data exchange technologies according to their own security requirements, depending mainly on the volume of data exchanged, real-time requirements and the required service mode.