Firewall security and performance analysis

Network firewalls have long been the main mechanism ordinary enterprises use to protect their networks. The overall security of a corporate network, however, depends on a wide range of factors: a firewall cannot solve every security problem, and the control technology it uses, its own resistance to attack, the network structure and the security policy all affect how secure the network is.
Among the many factors that affect a firewall's security and performance, some are under the administrator's control, while others are fixed characteristics that cannot be changed once the firewall has been selected. One of the most critical is the access control technology the firewall uses. Current firewall control technologies fall roughly into three classes: packet filtering (Packet Filter), stateful packet inspection (Stateful Inspection Packet Filter) and application layer gateway (Application Gateway). Each has its own characteristics in terms of security and efficiency, but people often pay attention only to the efficiency of a firewall and ignore the trade-off between security and efficiency. This article explains the three technologies and compares the characteristics of each method and the security risks or performance losses it may bring.

Packet filtering type: A packet filtering firewall checks the header of every packet entering or leaving the firewall, controlling traffic by source and destination IP address, protocol, TCP or UDP port and similar information. Today's routers, switch routers and some operating systems already provide packet filter control. The biggest advantage of packet filtering is high efficiency, but it has several serious disadvantages: management is complex, it cannot fully control a connection (it judges individual packets, not sessions), the order of the rules seriously affects the result, it is not easy to maintain, and its logging capability is limited.
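To make the two weaknesses of packet filtering concrete, here is a small stateless filter model in Python. It is an added example written for this article, not code from the original text or from any firewall product; the addresses, rules and packets are constructed. The first rule set shows that swapping two rules changes the verdict for the same packet; the second shows that a filter which has to let web replies back in (a rule keyed on source port 80) cannot distinguish a genuine reply from any other packet that carries source port 80, because it keeps no record of the connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of a stateless packet filter: rules are matched in order,
# the first match decides, and nothing about earlier packets is remembered.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set on the rule must match the packet header."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation with a default-deny policy for unmatched packets."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# --- Rule order decides the outcome (constructed addresses) ----------------
SERVER = "192.168.1.10/32"
DENY_BRANCH_SSH = Rule("deny", src="10.0.0.0/8", dst=SERVER, proto="tcp", dport=22)
ALLOW_ANY_SSH = Rule("allow", dst=SERVER, proto="tcp", dport=22)

DENY_FIRST = [DENY_BRANCH_SSH, ALLOW_ANY_SSH]   # specific before general: branch blocked
ALLOW_FIRST = [ALLOW_ANY_SSH, DENY_BRANCH_SSH]  # general first: the deny is never reached

SSH_FROM_BRANCH = Packet("10.1.2.3", "192.168.1.10", "tcp", sport=51000, dport=22)

# --- No notion of a connection (constructed addresses) ----------------------
# To let replies to outbound web traffic back in, a stateless filter needs a
# rule keyed on source port 80. That rule matches a real reply and an
# unrelated packet with source port 80 equally well.
OUTBOUND_WEB = [
    Rule("allow", src="192.168.1.0/24", proto="tcp", dport=80),
    Rule("allow", dst="192.168.1.0/24", proto="tcp", sport=80),
]
GENUINE_REPLY = Packet("203.0.113.9", "192.168.1.5", "tcp", sport=80, dport=40000)
UNSOLICITED = Packet("198.51.100.7", "192.168.1.5", "tcp", sport=80, dport=40001)
UNMATCHED = Packet("198.51.100.7", "192.168.1.5", "udp", sport=53, dport=5353)


def demo() -> dict:
    """Verdicts for the constructed packets under each rule set."""
    return {
        "deny_first": evaluate(DENY_FIRST, SSH_FROM_BRANCH),
        "allow_first": evaluate(ALLOW_FIRST, SSH_FROM_BRANCH),
        "genuine_reply": evaluate(OUTBOUND_WEB, GENUINE_REPLY),
        "unsolicited": evaluate(OUTBOUND_WEB, UNSOLICITED),
        "unmatched": evaluate(OUTBOUND_WEB, UNMATCHED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The `unsolicited` verdict is the point of the second rule set: the only way to tighten it in a stateless filter is more rules, which is exactly the management and ordering burden the paragraph describes.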

Packet inspection type: A packet inspection firewall examines each layer of a packet through an inspection module. It can be described as an enhanced version of packet filtering: its purpose is to raise the security of packet filtering and add the ability to control the "connection". However, since the main object of inspection is still the individual packet, different inspection methods can give very different results. The more layers are inspected, the safer the firewall is, but the lower its relative efficiency.
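The "connection" control that stateful inspection adds is a connection table. The following Python model, added here as an illustration and not taken from the article or from any product, tracks TCP sessions opened from an inside network and allows an inbound packet only when it fits a tracked session. The addresses and packet sequence are constructed. It deliberately simplifies the close sequence (the entry is dropped on the first FIN or RST; a real tracker follows both FINs and applies timeouts), which is the kind of shortcut the next paragraph warns about.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

# Constructed model of a stateful inspection filter for TCP. A connection
# table remembers which sessions were opened from the inside network; a packet
# is allowed only when it legitimately starts a session or fits a tracked one.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]        # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}


ConnKey = Tuple[str, int, str, int]  # (inside ip, inside port, outside ip, outside port)


class StatefulTcpFilter:
    def __init__(self, inside_net: str):
        self.inside = ip_network(inside_net)
        self.table: Dict[ConnKey, str] = {}

    def _key(self, pkt: Packet) -> Tuple[ConnKey, str]:
        """Canonical key so both directions of a session map to one entry."""
        if ip_address(pkt.src) in self.inside:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "out"
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "in"

    def process(self, pkt: Packet) -> str:
        key, direction = self._key(pkt)
        state = self.table.get(key)
        f = pkt.flags

        if state is None:
            # Only an inside host may open a session, and only with a bare SYN.
            if direction == "out" and f == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return "allow"
            return "deny"                      # unsolicited inbound traffic

        if "RST" in f:                         # abort: forget the session
            del self.table[key]
            return "allow"

        if state == "SYN_SENT":
            if direction == "out" and f == {"SYN"}:
                return "allow"                 # retransmitted SYN
            if direction == "in" and f == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return "allow"
            return "deny"                      # does not fit the handshake

        # ESTABLISHED: data flows both ways until a FIN closes the session.
        # Simplification: a real tracker waits for both FINs plus a timeout.
        if "FIN" in f:
            del self.table[key]
        return "allow"


def demo_session() -> List[str]:
    """Verdicts for a constructed outbound web session plus intruding packets."""
    fw = StatefulTcpFilter("192.168.1.0/24")
    steps = [
        Packet("192.168.1.5", "203.0.113.9", 40000, 80, frozenset({"SYN"})),         # inside opens
        Packet("203.0.113.9", "192.168.1.5", 80, 40000, frozenset({"SYN", "ACK"})),  # server answers
        Packet("192.168.1.5", "203.0.113.9", 40000, 80, frozenset({"ACK"})),         # handshake done
        Packet("203.0.113.9", "192.168.1.5", 80, 40000, frozenset({"ACK", "PSH"})),  # reply data
        Packet("198.51.100.7", "192.168.1.5", 80, 40001, frozenset({"ACK", "PSH"})), # sport 80, no session
        Packet("198.51.100.7", "192.168.1.5", 51515, 22, frozenset({"SYN"})),        # inbound open attempt
        Packet("203.0.113.9", "192.168.1.5", 80, 40000, frozenset({"FIN", "ACK"})),  # server closes
        Packet("203.0.113.9", "192.168.1.5", 80, 40000, frozenset({"ACK"})),         # session already gone
    ]
    return [fw.process(p) for p in steps]


if __name__ == "__main__":
    print(demo_session())
```

Compare the fifth packet with the stateless case: the same source-port-80 packet that a packet filter had to allow is denied here, because no inside host opened that session.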

A packet inspection firewall can cause problems when its inspection is incomplete. One example is the Fast Mode TCP fragment security weakness in FireWall-1 announced last year: a design intended to increase efficiency became a security weakness.

Application layer gateway type: An application layer gateway firewall intercepts the connection, and a dedicated proxy program handles the connection between the two ends and analyzes whether its content conforms to the application protocol. This control mechanism can effectively control the entire connection from beginning to end without being spoofed by either the client or the server, and is not as complicated to manage as packet filtering. However, a dedicated proxy must be written for each application, or a general-purpose proxy used to handle most connections. This mode of operation is the safest, but it is also the least efficient.
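What "analyzes whether the content conforms to the application protocol" means in practice is shown by the request check an HTTP proxy performs before relaying anything. The Python function below is an added example for this article, not code from the text or from any gateway product; the request samples are constructed, and the policy choices (which methods are permitted, origin-form targets only) are assumptions of the example. Traffic on port 80 that is not HTTP at all, or that bends the protocol, is rejected before it reaches the server, which a port-based packet filter cannot do.

```python
import re
from typing import Optional, Tuple

# Constructed model of the request validation an HTTP application gateway
# performs before relaying a client's request to the server.

ALLOWED_METHODS = {"GET", "HEAD", "POST"}        # assumed gateway policy
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token chars


def inspect_http_request(raw: bytes) -> Tuple[str, Optional[str]]:
    """Return ("forward", None) for a well-formed HTTP/1.x request,
    otherwise ("reject", reason)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "reject", "no end of headers"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "reject", "non-ASCII bytes in header block"

    parts = lines[0].split(" ")
    if len(parts) != 3:
        return "reject", "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return "reject", f"method not permitted: {method}"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "reject", f"unsupported version: {version}"
    if not target.startswith("/"):
        return "reject", "request target must be origin-form"

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN_RE.match(name):
            return "reject", f"malformed header line: {line!r}"
        headers[name.lower()] = value.strip()

    if version == "HTTP/1.1" and "host" not in headers:
        return "reject", "HTTP/1.1 request without Host header"
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            return "reject", "non-numeric Content-Length"
        if int(headers["content-length"]) != len(body):
            return "reject", "Content-Length does not match body"
    elif body:
        return "reject", "body present without Content-Length"
    return "forward", None


# Constructed samples of traffic arriving on the web port.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: demo\r\n\r\n",
    "post_ok": b"POST /form HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 5\r\n\r\nhello",
    "post_short_body": b"POST /form HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 9\r\n\r\nhello",
    "not_http": b"SSH-2.0-OpenSSH_9.6\r\n",                 # another protocol on port 80
    "tunnel_request": b"CONNECT mail.example:25 HTTP/1.1\r\nHost: mail.example\r\n\r\n",
    "bad_header": b"GET / HTTP/1.1\r\nHost: intranet.example\r\nX Bad: v\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\nUser-Agent: demo\r\n\r\n",
}


def demo() -> dict:
    """Gateway decision for each constructed sample."""
    return {name: inspect_http_request(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16s} {inspect_http_request(raw)}")
```

Every byte of every request passes through this parse before being relayed, which is where the security of the gateway model comes from and also where its efficiency cost is paid.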

A firewall is designed to protect security, and security should be its main consideration. Instead of asking only for performance, it is better to think about how to provide maximum security without affecting performance.

Although the three modes of operation differ in efficiency, when evaluating efficiency we must consider whether the difference affects actual operation. In fact, for most "broadband" networks that still run at a few Mbps, such as links below T1 or the coming xDSL services, even an Application Gateway will not noticeably affect network performance, and in such an environment the firewall's efficiency should not be the focus of consideration. However, when a firewall is placed between different departments of the enterprise network, the enterprise must consider whether this sacrifice of efficiency is acceptable.
