Research of Network Security and Firewalls Techniques

Abstract: As the key facility for maintaining network security, a firewall establishes a barrier between the trusted and the untrusted network and puts the corresponding security policy into practice. This paper discusses computer network security and firewall techniques and introduces the concept and classification of firewalls. It also introduces in detail three basic implementation techniques of firewalls: packet filtering, application proxy and the monitor model. Finally, it briefly describes the development trend of firewall techniques on the Internet.

Key words: network security, firewalls, packet filtering, monitor

1. Introduction

With computer networks and e-commerce now widely used, network security has become an important problem that we must consider and resolve. More and more professions, enterprises and individuals suffer from security problems to different degrees, and they are looking for more reliable security solutions. In the defense systems currently adopted for network security, firewalls hold a very important position.

As the key facility for maintaining network security, a firewall establishes a barrier between the trusted and the untrusted network and puts the corresponding security policy into practice. All firewalls have the function of filtering IP addresses. This task checks each IP packet and decides whether to release or discard it according to its source and destination IP addresses. As shown in Fig. 1, there is a firewall between two network segments, with a UNIX computer on one side of the firewall and a PC client on the other. When the PC client sends a telnet request to the UNIX computer, the telnet client program on the PC produces a TCP packet and passes it to the local protocol stack to prepare it for sending. The protocol stack wraps it in an IP packet and then sends it to the UNIX computer along the path defined by the PC's TCP/IP stack. The IP packet cannot reach the UNIX computer until it has passed the firewall between the PC and the UNIX computer.

Fig. 1 IP address filtering

The application firewall is a very efficient means of network security on the Internet. It is installed between the trusted and the untrusted network and can isolate the connection between them without hampering people's access to the untrusted network. In other words, it can isolate the connection between the risk area (the Internet, where a certain risk may exist) and the safe area (the LAN) without hampering people's access to the risk area. A firewall can monitor the traffic flowing into and out of the network to accomplish this seemingly impossible task: it allows only safe, checked information to enter, and meanwhile blocks data that may pose a threat to the enterprise. As faults and defects that cause security problems become more and more common, intrusions into the network come not only from sophisticated attack techniques but also from low-level configuration mistakes or poor password choices. The function of the firewall is therefore to prevent unwanted and unauthorized communication from passing into or out of the protected network, forcing companies to strengthen their own network security policy. A general firewall can achieve the following purposes: first, keeping others out of the internal network and filtering out unsafe services and illegal users; second, preventing intruders from getting close to your defensive installations; third, limiting users' access to special sites; fourth, providing convenience for monitoring Internet security.

2. The classification and implementation technology of firewalls

An integrated firewall system usually consists of a screening router and a proxy server. The screening router is a multi-port IP router. It checks each incoming IP packet against a set of rules to judge whether to forward it. The screening router takes information from the packet, for example the protocol number, the IP addresses and port numbers of the sender and receiver, the connection flags and even other IP options, and filters IP packets on that basis. The proxy server is a server process in the firewall that can carry out a specific TCP/IP function on behalf of the network user. A proxy server is by nature an application-layer gateway: a gateway that joins two networks for a specific network application. Users contact the proxy server through one of the TCP/IP applications such as Telnet or FTP, and the proxy server asks the user for the name of the remote host the user wants to access. After the user has answered and supplied a correct user identity and authentication information, the proxy server communicates with the remote host and acts as the relay between the two communicating sites. The whole process can be completely transparent to users.

There are mainly three types of firewall: packet filtering, application gateways and state detection.

The packet filtering firewall works on the network layer. It can filter on the source address, destination address, source port and destination port of a TCP/IP data packet. Its advantages are high efficiency and transparency to the user: users may not notice the existence of the packet filtering firewall unless they are illegal users and have been refused. Its shortcomings are that it cannot ensure security for most services and protocols, cannot effectively distinguish different users of the same IP address, is difficult to configure, monitor and manage, and cannot offer sufficient logs and warnings.

The application gateway firewall performs its function on the application layer. A client program connects to a specific intermediate node (the firewall), and the intermediate node then makes the actual connection to the server. Unlike with the packet filtering firewall, when a firewall of this kind is used there is no direct connection between the outside networks and the protected network, so even if something goes wrong in the firewall, the outside networks cannot connect to the protected networks. The application gateway firewall offers detailed logging and auditing functions, which greatly improves the security of the network and also makes it possible to improve the security of existing software. The application gateway firewall solves the security problem for a specific application program, and proxy-based products will be improved so that commonly used services and non-standard ports can be configured. However, whenever the application program needs upgrading, users of proxy-based products will find that they must buy a new proxy server. As a network security technique, a firewall combined with a proxy server is simple and practical and can meet a certain security requirement without revising the original network application system. However, if the firewall system is broken through, the protected network is left with no protection. And if an enterprise hopes to do business on the Internet and communicate with numerous customers, it cannot meet the demand. In addition, a firewall based on proxy service will often cause an obvious drop in network performance.

The third generation of firewall takes state detection as its core and combines the packet filtering firewall and the application gateway firewall. The state detection firewall performs its function by accessing and analyzing, through the state detection module, the data obtained from the communication layers. As a firewall technique, the state monitor has the best security performance. It adopts a software engine, called the detection module, which executes the network security policy on the gateway.
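
As an added example (not part of the original paper), the Python sketch below contrasts the packet filter described above with a state-tracking check for the telnet exchange of Fig. 1. The addresses, the rule tuples, the names Packet, packet_filter and StateMonitor, and the choice of the PC side as the protected network are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False   # True for the first packet of a TCP connection

# Constructed addresses (documentation ranges); the PC side is assumed protected.
PC, UNIX_HOST = "192.0.2.10", "198.51.100.5"
HIGH, TELNET = (1024, 65535), (23, 23)
OUTBOUND = ("192.0.2.0/24", HIGH, "198.51.100.5/32", TELNET)   # telnet requests
REPLIES = ("198.51.100.5/32", TELNET, "192.0.2.0/24", HIGH)    # anything from port 23

def matches(p, rule):
    src_net, (s_lo, s_hi), dst_net, (d_lo, d_hi) = rule
    return (ip_address(p.src) in ip_network(src_net)
            and ip_address(p.dst) in ip_network(dst_net)
            and s_lo <= p.sport <= s_hi and d_lo <= p.dport <= d_hi)

def packet_filter(p, rules=(OUTBOUND, REPLIES)):
    """Stateless: compares only addresses and ports; default is to drop."""
    return "accept" if any(matches(p, r) for r in rules) else "drop"

class StateMonitor:
    """Stores status information about accepted connections for later decisions."""
    def __init__(self):
        self.connections = set()

    def inspect(self, p):
        flow = tuple(p[:4])                       # (src, sport, dst, dport)
        if flow in self.connections or flow[2:] + flow[:2] in self.connections:
            return "accept"                       # belongs to a tracked connection
        if p.syn_only and matches(p, OUTBOUND):
            self.connections.add(flow)            # new connection allowed by policy
            return "accept"
        return "drop"                             # no REPLIES rule is needed at all

def demo():
    monitor = StateMonitor()
    syn = Packet(PC, 40000, UNIX_HOST, 23, syn_only=True)
    reply = Packet(UNIX_HOST, 23, PC, 40000)
    stray = Packet(UNIX_HOST, 23, PC, 50000)      # no connection was ever opened
    return [(packet_filter(p), monitor.inspect(p)) for p in (syn, reply, stray)]

if __name__ == "__main__":
    print(demo())
```

The third packet passes the packet filter because only addresses and ports are compared, while the state monitor drops it because no connection with that port pair was recorded.
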
Without affecting the normal operation of the network, the detection module monitors each of the network communication layers, extracts part of the data, namely the status information, and stores it dynamically for reference in later security decisions. The detection module supports many kinds of protocols and application programs, and applications and services can be extended very easily. Unlike other security schemes, before a user's access reaches the operating system of the network gateway, the state monitor collects the relevant data for analysis and combines it with the network configuration and security rules to decide whether to accept, reject, authenticate or encrypt the communication. Once an access violates the security rules, the security alarm refuses it, records it and reports the state of the network to the system management device. This technology has defects too: the configuration of the state monitor is very complicated, and it slows the network down.

3. New generation technique of firewalls

In the present firewall market, domestic and international firewall manufacturers all support the basic functions of the firewall well, including access control, network address translation, proxy, authentication and log auditing. However, as stated before, with attacks on the network increasing and users' requirements for network security rising day by day, the firewall must develop further. Drawing on present research and development experience and achievements, some relevant studies point out that, given the development trend of applications and technology, how to strengthen the security of the firewall, improve its performance and enrich its functions will become the problems that firewall manufacturers must face and solve next.

The purpose of the new generation firewall is mainly: combining packet filtering and proxy technology and overcoming the security defects of both; being able to exert all-round control from the data link layer to the application layer; implementing a micro-kernel of the TCP/IP protocol to perform all security control at the TCP/IP protocol layer; on the basis of this micro-kernel, exceeding the speed of the traditional packet filtering firewall; offering a transparent proxy mode and lightening the configuration work on the client; supporting data encryption and decryption (DES and RSA) and offering strong support for the Virtual Private Network (VPN); hiding inside information completely; and producing a new firewall theory.

The new firewall technique not only covers all the functions of traditional packet filtering firewalls, but also has remarkable advantages in comprehensively resisting attack means such as IP spoofing, SYN Flood, ICMP and ARP. It strengthens the proxy service, merges it with packet filtering, and then adds intelligent filtering technology to raise the security of the firewall to another level.

4. Conclusion

The firewall is already widely used on the Internet, and because it is not limited to the TCP/IP protocol, it is gradually gaining vitality outside the Internet as well. Admittedly, the firewall is not a cure-all for the problem of network security, but only one component of the network security policy and tactics.
However, we believe that by understanding firewall technology and learning to use it in actual operation, every net user may benefit a great deal in the network life of the new century.
