12.3. Common Network Devices

12.3.1. Firewall

12.3.1.1. Introduction

A firewall is a protective barrier, made up of a combination of software and hardware, built at the boundary between an internal network and an external network, or between a private network and a public network. It protects the network by monitoring, restricting and, where necessary, altering the data flow that crosses it, and by hiding the network's internal information, structure and operating state from the outside as far as possible.

Firewalls can be divided into network layer firewalls and application layer firewalls. A network layer firewall makes a pass or drop decision for each IP packet based on its source and destination addresses, application, protocol and ports. An application layer firewall targets specific application-service protocols and filters the data they carry; it can analyse packet contents and produce reports.
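The pass-or-drop decision of a network layer firewall, as an added example that is not part of the original text: an ordered rule set is evaluated first-match-wins with a default deny, and every packet produces one log record. The rule set, the address ranges and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from the original text: a minimal stateless network-layer
# packet filter that decides pass/drop from addresses, protocol and port.
# The rule set, address ranges and sample packets are constructed.


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # "tcp", "udp", "icmp", or None for any
    src: Optional[str] = None     # source network in CIDR form, or None for any
    dst: Optional[str] = None     # destination network in CIDR form, or None for any
    dport: Optional[int] = None   # destination port, or None for any

    def matches(self, pkt):
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


# Ordered rule set: the first matching rule wins; anything unmatched is denied.
RULES = [
    Rule("deny", proto="tcp", dport=23),                                      # insecure service (telnet), from anywhere
    Rule("allow", proto="tcp", dst="10.0.0.0/8", dport=443),                  # HTTPS into the internal network
    Rule("allow", proto="udp", src="10.0.0.0/8", dst="10.0.0.53", dport=53),  # internal hosts to the internal resolver
    Rule("allow", proto="icmp", src="10.0.0.0/8"),                            # ping only from inside
]


def decide(rules, pkt):
    """Pass/fail judgment for one packet: first match wins, default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_and_log(rules, packets):
    """Apply the rule set to a batch of packets and return one log record per
    packet, in the way a firewall records the traffic it has seen."""
    log = []
    for pkt in packets:
        verdict = decide(rules, pkt)
        log.append("%s %s %s -> %s:%s" % (verdict.upper(), pkt["proto"],
                                          pkt["src"], pkt["dst"], pkt.get("dport", "-")))
    return log


# Constructed sample traffic.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.0.10", "dport": 443},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.10", "dport": 23},
    {"proto": "udp", "src": "10.1.2.3", "dst": "10.0.0.53", "dport": 53},
    {"proto": "udp", "src": "203.0.113.5", "dst": "10.0.0.53", "dport": 53},
    {"proto": "icmp", "src": "203.0.113.5", "dst": "10.0.0.10"},
]

if __name__ == "__main__":
    for line in filter_and_log(RULES, PACKETS):
        print(line)
```

The explicit deny for port 23 comes before the allow rules so that an insecure service is blocked regardless of later, broader permissions; the DNS packet from 203.0.113.5 matches no rule and is dropped by the default-deny fallthrough rather than by any rule written for it.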

12.3.1.2. Main functions

  • Filter data in and out of the network

  • Protection against insecure protocols and services

  • Manage access behavior in and out of the network

  • Log the content of information passing through the firewall

  • Detect and warn of cyber attacks

  • Prevent external access to internal network information

  • Provide centralized management of external connections

12.3.1.3. Next-Generation Firewalls

A next-generation firewall is essentially a high-performance firewall that responds comprehensively to application-layer threats. It can provide intelligent active defence, application-layer data leakage prevention, application-layer visibility and control, threat protection and other features.

The next-generation firewall integrates a traditional firewall, IPS, application identification, content filtering and other functions in one device, which not only reduces the procurement cost of the overall network security system but also reduces the deployment cost of connecting multiple devices to the network. Maintenance and management costs for administrators are reduced through technologies such as application identification and user management.

12.3.2. IDS

12.3.2.1. Introduction

Intrusion detection means collecting and analysing information from several key nodes in a network system in order to monitor whether behaviour that violates the security policy, or intrusion behaviour, is present in the network. Intrusion detection systems usually contain three necessary functional components: information sources, an analysis engine and a response component.

Information collection covers the status and behaviour of systems, networks, data and user activities. The information used by intrusion detection generally comes from three sources: system and network log files, abnormal changes to directories and files, and abnormal program execution.

The analysis engine analyses the collected information about the state and behaviour of the system, network, data and user activities through pattern matching, statistical analysis and integrity analysis. The first two are used for real-time intrusion detection, while integrity analysis is used for post-mortem analysis.

Alarm and response: according to the nature and type of the intrusion, the response component raises the corresponding alarm and takes the corresponding action.

12.3.2.2. Main types

IDS can be divided into host-based intrusion detection system (HIDS) and network-based intrusion detection system (NIDS).

A host-based intrusion detection system is an early IDS architecture, usually implemented as software installed directly on the host to be protected. Its detection targets are mainly the host system and the system's local users. It works by finding suspicious events in the host's audit data and system logs.

The main advantages of this approach are more detailed information, a lower false positive rate and flexible deployment. Its main disadvantages are that it reduces the performance of the application system, depends on the server's own logging and monitoring capabilities, is costly, cannot monitor the network, and requires separate detection systems for different operating systems.

Network-based intrusion detection is currently the more mainstream monitoring approach, and this type of system needs a dedicated detection device. The device is placed on a relatively important network segment and continuously monitors all packets on that segment rather than a single host. It analyses the characteristics of every packet, or of suspicious packets, on the monitored network. If a packet matches one of the rules built into the product, the IDS raises an alarm or even cuts off the network connection directly. Most intrusion detection products today are network-based.

The main advantages of this technique are that it can detect attacks and unauthorized access coming from the network; it needs no changes to the configuration of servers and other hosts and does not affect their performance; it carries low risk; and it is simple to configure. The main disadvantages are high cost and a limited detection range; heavy computation and a large volume of traffic to analyse, both of which affect system performance; difficulty handling encrypted sessions; packet loss at high network speeds, which intruders can take advantage of; inability to inspect encrypted packets; and inability to detect intrusions made directly on the host.

12.3.3. IPS (Intrusion Prevention System)

12.3.3.1. Introduction

An intrusion prevention system is a computer network security device that monitors the data transmission behaviour of a network or of network equipment and can immediately interrupt, adjust or isolate abnormal or harmful transmissions.

A firewall deployed inline can block low-level attacks but is powerless against deep attacks at the application layer. An IDS deployed out of band can promptly detect the deep attacks that penetrate the firewall and is a useful supplement to it, but it cannot block them in real time.

Hence the IPS based on linkage between IDS and firewall appeared: the IDS discovers the attack and the firewall blocks it. However, since there is still no unified interface specification, and since “instantaneous attacks” (in which a single session achieves the attack effect, such as SQL injection or overflow attacks) are increasingly common, the effect of IDS/firewall linkage in practice is not obvious.

12.3.3.2. Main types

IPS can be divided into signature-based, anomaly-based, policy-based and protocol-analysis-based IPS.

Signature-based IPS is the most common approach among IPS solutions: signatures that identify the most common current attacks are loaded onto the device. It is also known as pattern-matching IPS. Signature libraries can be added to, adjusted and updated to address new attacks.

Anomaly-based IPS is also known as profile-based IPS. Anomaly-based methods can use statistical or non-statistical anomaly detection.

Policy-based IPS is more concerned with enforcing the organization’s security policy. Alerts are triggered if detected activity violates the organization’s security policy. With this kind of IPS, the security policy must be written into the device.

Protocol-analysis-based IPS is similar to the signature-based method. In most cases it checks for common signatures, but protocol analysis allows deeper packet inspection and more flexibility in spotting certain types of attack.
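A toy analysis engine, added here as an example that is not part of the original text, serves both 12.3.2 (the three IDS analysis methods: pattern matching, statistical analysis and integrity analysis) and 12.3.3 (signature-, anomaly- and policy-based decisions, and the difference between an IDS that only alerts and an inline IPS that blocks). All signatures, policy values, sample events and file contents below are constructed; the request lines are hand-written and the file baseline is a made-up snapshot.

```python
import hashlib
import re
from collections import Counter

# Added example, not from the original text: a toy analysis engine showing the
# three IDS analysis methods (pattern matching, statistical analysis, integrity
# analysis) and signature-, anomaly- and policy-based IPS decisions.
# All signatures, policy values, sample events and file contents are constructed.

# Pattern matching / signature-based: regular expressions over the request line.
SIGNATURES = {
    "sqli_union_select": re.compile(r"union\s+select", re.IGNORECASE),
    "path_traversal": re.compile(r"(^|/)\.\.(/|$)"),
}

# Policy-based: the organisation's rules written into the device.
POLICY = {"allowed_methods": {"GET", "POST"}, "allowed_dports": {80, 443}}


def signature_hits(event):
    """Names of the signatures that match this event's request line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event["request"])]


def policy_hits(event):
    """Policy violations: anything the organisation has not explicitly permitted."""
    hits = []
    if event["method"] not in POLICY["allowed_methods"]:
        hits.append("method_not_allowed")
    if event["dport"] not in POLICY["allowed_dports"]:
        hits.append("port_not_allowed")
    return hits


def analyse(event, mode="ids"):
    """Real-time decision for one event. An IDS only alerts; an IPS sitting
    inline blocks on signature or policy hits. Returns (verdict, reasons)."""
    reasons = signature_hits(event) + policy_hits(event)
    if not reasons:
        return "pass", []
    return ("block" if mode == "ips" else "alert"), reasons


def anomalous_sources(events, baseline_per_source, factor=5):
    """Statistical anomaly detection over a window of events: a source that
    sends more than `factor` times the baseline request count is flagged."""
    counts = Counter(e["src"] for e in events)
    return sorted(src for src, n in counts.items() if n > factor * baseline_per_source)


def integrity_violations(baseline_hashes, current_files):
    """Integrity analysis (post-mortem): files whose SHA-256 no longer matches
    the trusted baseline, or which are missing."""
    changed = []
    for path, expected in baseline_hashes.items():
        data = current_files.get(path)
        actual = hashlib.sha256(data).hexdigest() if data is not None else None
        if actual != expected:
            changed.append(path)
    return changed


# Constructed sample input: four hand-written web requests plus one chatty
# source, and a file baseline with one tampered file.
EVENTS = [
    {"src": "198.51.100.7", "method": "GET", "dport": 443, "request": "/products?id=1"},
    {"src": "198.51.100.7", "method": "GET", "dport": 443,
     "request": "/products?id=1 UNION SELECT password FROM users"},
    {"src": "203.0.113.9", "method": "DELETE", "dport": 443, "request": "/admin"},
    {"src": "203.0.113.9", "method": "GET", "dport": 23, "request": "/"},
] + [{"src": "192.0.2.44", "method": "GET", "dport": 80, "request": "/page/%d" % i}
     for i in range(30)]

BASELINE_HASHES = {
    "/etc/passwd": hashlib.sha256(b"root:x:0:0:root:/root:/bin/sh\n").hexdigest(),
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n",
}

if __name__ == "__main__":
    for ev in EVENTS[:4]:
        print(ev["src"], analyse(ev, mode="ips"))
    print("anomalous sources:", anomalous_sources(EVENTS, baseline_per_source=4))
    print("integrity violations:", integrity_violations(BASELINE_HASHES, CURRENT_FILES))
```

The signature and policy checks are the per-event, real-time path; the rate check needs a whole window of events and a baseline, which is why it is a separate function; and the hash comparison is the post-mortem integrity step, which cannot prevent anything but shows what was changed.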

12.3.4. Secure Isolation Gatekeeper

12.3.4.1. Introduction

A security isolation gatekeeper is an information security device that uses a solid-state switched read/write medium with multiple control functions to connect two independent network systems. Because the two networks connected by the gatekeeper are physically isolated, there is no physical connection, no logical connection, no information transmission command, no communication protocol and no protocol-based packet forwarding between them; there is only a non-protocol “ferry” of data files, and the solid-state storage medium accepts only two commands, “read” and “write”. The physical isolation gatekeeper therefore physically isolates and blocks every connection that could carry an attack, making it impossible for attackers to intrude, attack and destroy, and achieving real security.

12.3.4.2. Main functions

Block the direct physical connection of the network: At any moment the physical isolation gatekeeper is connected to only one of the untrusted network and the trusted network, never to both at the same time.

Block the logical connection of the network: The physical isolation gatekeeper does not depend on an operating system and does not support the TCP/IP protocol. Information exchanged between the two networks must be stripped of TCP/IP, and the raw data is forwarded through the “write” and “read” operations of the storage medium over a point-to-point, non-TCP/IP connection.

Security review: The physical isolation gatekeeper has a security review function, that is, before a network “writes” raw data to the gatekeeper, the raw data is checked for safety as required and possible virus code and malicious attack code are filtered out.

The raw data is harmless: The raw data forwarded by the physical isolation gatekeeper has no characteristics that could attack or harm network security.

Management and control functions: establish a complete log system.

Establish a data feature library as needed: In the application initialization stage, the features of the application data are extracted according to the application's requirements to form a user-specific data feature library, which serves as the basis for data verification during operation. When a user makes a request, the user's application data is extracted, its features are extracted and compared with the original feature library; requests whose data conforms to the library enter the request queue, and those that do not are returned to the user, thereby filtering the data.

Provide customizable security and transmission policies as needed: Users can set data transmission policies, such as the transmission unit (data-based or task-based), transmission interval, transmission direction, transmission time, start time, etc.

Support timing/real-time file exchange; support one-way/two-way file exchange; support digital signature, content filtering, virus checking and other functions.
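A toy gatekeeper, added as an example that is not part of the original text and not the code of any real product, puts the functions above together: a data feature library is derived from known-good records at initialisation, every file is reviewed before it is “written” to the medium, accepted files go to the request queue while rejected ones are returned with a reason, the medium offers only “write” and “read”, and attaching one side detaches the other. The record format (comma-separated text), the field types, the size limit and the sample files are all constructed.

```python
import re

# Added example, not from the original text: a toy "ferry" gatekeeper that
# (1) derives a data feature library from known-good records at initialisation,
# (2) reviews every file before it is written to the storage medium, and
# (3) exposes only "write" and "read", attached to one side at a time.
# Record format, field types, size limit and sample files are all constructed.

FIELD_TYPES = {                      # most restrictive type listed first
    "int": re.compile(r"[0-9]+"),
    "word": re.compile(r"[A-Za-z0-9_-]+"),
}
MAX_FILE_BYTES = 64 * 1024           # assumed limit on one transfer unit


def infer_type(values):
    """Most restrictive field type that every sample value satisfies."""
    for name, rx in FIELD_TYPES.items():
        if all(rx.fullmatch(v) for v in values):
            return name
    raise ValueError("sample field fits no known type: %r" % (values,))


def build_feature_library(samples):
    """Initialisation stage: extract per-column types from known-good records;
    the resulting list is the basis for verification during operation."""
    rows = [line.split(",") for s in samples for line in s.splitlines() if line]
    widths = {len(r) for r in rows}
    if len(widths) != 1:
        raise ValueError("samples disagree on field count")
    ncols = widths.pop()
    return [infer_type([r[i] for r in rows]) for i in range(ncols)]


def review(library, payload):
    """Security review before data is 'written' to the medium.
    Returns (accepted, reason); only structure matching the library passes."""
    if len(payload) > MAX_FILE_BYTES:
        return False, "file too large"
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-text content"
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        fields = line.split(",")
        if len(fields) != len(library):
            return False, "line %d: expected %d fields" % (lineno, len(library))
        for col, (value, ftype) in enumerate(zip(fields, library), 1):
            if not FIELD_TYPES[ftype].fullmatch(value):
                return False, "line %d: field %d is not %s" % (lineno, col, ftype)
    return True, "ok"


class Gatekeeper:
    def __init__(self, library):
        self.library = library
        self.attached = None     # side currently connected to the medium
        self.queue = []          # request queue of accepted files
        self.returned = []       # (payload, reason) handed back to the sender
        self.log = []            # complete log of every operation

    def attach(self, side):
        """Attaching one side detaches the other: never both at once."""
        self.attached = side

    def write(self, side, payload):
        self.attach(side)
        ok, reason = review(self.library, payload)
        self.log.append((side, "write", len(payload), ok, reason))
        if ok:
            self.queue.append(payload)
        else:
            self.returned.append((payload, reason))
        return ok

    def read(self, side):
        self.attach(side)
        item = self.queue.pop(0) if self.queue else None
        self.log.append((side, "read", len(item) if item else 0, item is not None, ""))
        return item


if __name__ == "__main__":
    lib = build_feature_library(["1,widget,10\n2,gadget,5\n", "3,bolt,100\n"])
    gk = Gatekeeper(lib)
    for f in [b"4,nut,7\n", b"4,<script>alert(1)</script>,7\n", b"\xff\xfe\x00", b"5,washer\n"]:
        print(gk.write("untrusted", f), gk.log[-1][-1])
    print(gk.read("trusted"))
```

The review is an allow-list check against what the application data is known to look like, so anything that is not plain text with the expected field layout is returned to the sender, whatever it contains; a denylist of known-bad patterns could be added on top, but the structural check is what makes the forwarded data “harmless” in the sense used above.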

12.3.5. VPN Devices

12.3.5.1. Introduction

A virtual private network refers to the technology of establishing a private network on top of a public network. It is called a virtual network mainly because the connection between any two nodes of the VPN does not use the end-to-end physical link that a traditional private network requires; instead it is built on the logical network provided by a public network service provider, over which user data travels on logical links.

12.3.5.2. Common techniques

MPLS VPN: An IP VPN based on MPLS technology. It applies MPLS (Multi-Protocol Label Switching) on network routing and switching equipment to simplify route selection on core routers and to build IP virtual private networks (IP VPNs). The advantage of MPLS lies in combining Layer 2 switching with Layer 3 routing, and it performs well on major IP-network problems such as VPNs, service classification and traffic engineering. MPLS VPN is therefore increasingly favoured by operators for enterprise interconnection and for offering new services, and has become an important means for IP network operators to provide value-added services. MPLS VPNs can be further classified into Layer 2 MPLS VPNs (MPLS L2 VPNs) and Layer 3 MPLS VPNs (MPLS L3 VPNs).

SSL VPN: A VPN technology based on HTTPS (secure HTTP, that is, the HTTP protocol with SSL support), working between the transport layer and the application layer. SSL VPN makes full use of the certificate-based authentication, data encryption and message integrity verification mechanisms provided by the SSL protocol and can establish secure connections between application-layer endpoints. SSL VPN is widely used for web-based remote secure access, providing security guarantees for users who remotely access a company’s internal network.

IPsec VPN: A VPN technology based on the IPsec protocol suite, which provides tunnel security. IPsec is an end-to-end mechanism designed by the IETF to ensure the security of IP-based communications, providing high-quality, interoperable, cryptography-based security guarantees for data transmitted over the Internet.

12.3.6. Security Audit System

12.3.6.1. Introduction

The network security audit system provides effective behaviour auditing, content auditing, behaviour alarms, behaviour control and related audit functions for Internet activity. It supervises Internet use from the management level to prevent and stop data leakage, meets users’ requirements for Internet behaviour audit records and security protection measures, and provides complete online records to facilitate information tracking, system security management and risk prevention.