⽹络安全与防⽕墙技术外⽂翻译⽂献
⽹络安全与防⽕墙技术外⽂翻译⽂献(⽂档含中英⽂对照即英⽂原⽂和中⽂翻译)
原⽂:
Research of Network Security and Firewalls Techniques
Abstract:
As the key facility that maintains the network security , firewalls take the purpose of establishing an obstacle between trust and trustless network, and put corresponding safety strategy into practice. In this paper , the computer network security and the techniques of firewalls were mainly discussed, the concept and classification of the firewalls were introduced. It also introduced three kind's of basic implement techniques of the firewalls: Packet filtering , Application Proxy and Monitor model in
detail. Finally described the trend of development of the firewalls techniques in Internet briefly.
Key words: network security, firewalls, Packet filtering, monitor
1. Introduction
Now with the computer network and e-commerce used widely, network security has become an important problem that we must consider and resolve. More and more professions. enterprises and individuals surfer from the security problem in different degree. they are looking for the more reliable safety solution . In the defense system adopted by network security at present, the firewalls stand the very important position.
As the key facility that maintains the network security. firewalls take the purpose of establishing an obstacle between trust and trustless network, and put corresponding safety strategy into practice.
All the firewalls have the function to filter the IP address. This task checks the IP packet, makes the decision whether to release or to abandon it according to the source address and destination address of the IP. Shown in Fig.I, there is a firewall between two network sections, an UNIX computer is on one side of the firewall, and the other side is a PC client. While the PC client asks a telnet request for the UNIX computer, the client procedure of telnet in the PC produces a TCP packet and passes the packet to the local protocol stack to prepare to send. The protocol stack fills it in one IP packet. then, sends it to UNIX computer through the path defined by the TCP/IP stack of PC. The IP packet can't reach the UNIX computer until it passes the firewall between the PC and the UNIX computer.
Fig. I Ip Address Filtering
The application firewall is a very efficient means of network security on Internet, it is installed between the trust and trustless network, can isolate the connection between the trust and trustless network, and doesn't hamper people's access to the trustless network at the same time. It can isolate the connection between the risk area (namely there may be a certain risk on Internet) and the safe area (LAN), and doesn't hamper people's access to the risk area at the same time. Firewall can monitor the traffic flowing in and out from the network to finish the task seemingly impossible;it only allows the safe and checked information to enter into, and meanwhile resists on the data that may bring about the threat to enterprise. As the fault and defect of the security problem become more and more general, the invasion to the network not only comes from the super attack means, but also may be from the lower-level mistakes or improper password selections on the configuration. So, the function of the firewalls is preventing the communication that not hoped and authorized passes in and out of the network protected. forcing the companies to strengthen their own network security policy. The general firewalls can achieve the following purposes: First, restraining others from entering the inside network, filtering the unsafe service and illegal user; Second, preventing the invaders from closing to your defense installation; Third,limiting the user to access the special site; Fourth,providing convenience for monitoring the Internet security.
2. The classification and implement technology of firewalls
An integrated firewalls system usually consists of screening router and proxy server. The screening router is a multi-port IP router. it check the each coming IP packet according to the group regular to judge whether to transmit it. The screening router gets information from the packet. fot example the protocol number. the IP address and port number that receiving and sending massages. the flag of link even some other IP selections. filtering IP packet. The proxy server are server process in the firewall. it can replace the network user to finish the specific TCP/IP function. A proxy server is naturally a gateway of application layer. a gateway of two networks joined specific network application. Users contact with proxy server by one of
the TCP/IP application such as Telnet or FTP. the proxy server ask the users for the name of the remote host. which users want to access. After the users have answered and offered the correct users' identities and authentication information, the proxy server communicates the remote host, act as the relay between two communication sites. The whole course can be totally transparent to users.
There are mainly three types in the firewalls: packet filtering. application gateways and state detection.
Packet filtering firewall works on the network layer.it can filter the source address. destination address.
source port and destination port of TCP/IP data packet. It has advantages such as the higher efficiency.
transparent to user. and users might not feel the existence of the packer filtering firewall, unless he is the illegal user and has been refused. The shortcomings are that it can't ensure the security to most services and protocols, unable to distinguish the
different users of the same IP address effectively,and it is difficult to be configured, monitored and managed. can't offer enough daily records and warning.
The application gateways firewall performs its function on the application layer, it connects with specific middle-joint (firewall) by a client procedure, and then the middle-joint connects with the server actually. Unlike the packet filtering firewall. when using the firewall of this kind. there is no direct connection between the outside networks. so even if the matter has happened in the firewall. the outside networks can't connect with networks protected. The application gateway firewall offers the detailed daily records and auditing function, it improved the security of the network greatly. and provides the possibility to improve the security performance of the existing software too. The application gateways firewall solves the safety problem based on the specific application program. the
products based on Proxy will be improved to configure the service in common use and non-standard port. However. so long as the application program needs upgrading. the users based on Proxy will find that they must buy new Proxy server. As a technique of network safety. Firewall combined with proxy server has simple and practical characteristics, can reach a certain security request in case of not revising the original network application system. However. if the firewall system is broken through. the network protected is in having no state of protecting. And if an enterprise hopes to launch the business activity on Internet and carry on communication with numerous customers. it can't meet the demands. In addition, the firewall based on Proxy Service will often makes the performance of the network obviously drop.
The third generation of firewall takes the detection technique of state as the core,
combines the packet filtering firewall and application gateways firewall. The state detection firewall accesses and analyzes the data achieved from the communication layer through the module of state detection to perform its function. The state monitor act as firewall technique. it is best in security perfonnance, it adopts a software engine.
which executes the tactics of network security on the gateways, called the detection module. On the pr
emise of not influencing the network to work normally, detection module collects the relevant data to monitor each of the network communication layers, collects a part of data, namely status information, and stores the data up dynamically for the reference in making security decision afterward. Detection module
supports many kinds of protocols and application program, and can implement the expansion of application and service very easily. Different from other safety schemes, before the user's access reaches the operating system of network gateways, the state monitor should collect the relevant data to analyze, combine network configuration and safety regulation to make the decisions of acceptance, refutation, appraisal or encrypting to the communication etc Once a certain access violates the security regulation, the safety alarm will refuse it and write down to report the state of the network to the system management device. This technology has defects too, namely the configuration of the state monitor is very complicated, and will decelerate the network.
3. New generation technique of firewalls
According to the present firewalls market, the domestic and international
manufacturers of firewall can all support the basic function of the firewall well,including access control,
the network address transform, proxy, authentication, daily records audit etc. However, as stated before, with the attack to the network increasing, and user's requisition for network security improving day by day, the firewall must get further development. Combine the present experience of research and development and the achievement,some relevant studies point out, according to the development trend of application and technology, how to strengthen the security of firewall, improve the performance of firewall, enrich the function of firewall, will become the problem that the manufacturer of firewalls must face and solve next. The purpose of the new generation firewall is mainly combining the packet filtering and proxy technology, overcoming the defects in the safety respect of two; being able to exert the omnidirectional control from the layer of data chain to the application layer; implementing the micro-kernel of TCP/IP protocol to perform all the security control on the layer of TCP/IP protocol; based on the micro-kernel above, making the speed to exceed the
traditional packet filtering firewall; Offering the transparent mode of proxy. lightening the configuration work on the client; Supporting the data encryption and decryption (DES and RSA ), offering the strong support to the Virtual Private Network VPN; hiding the Inside information totally; producing a new firewall theory.
The new techniqe of firewalls has not only covered all the functions of traditional packet filtering firewal
ls, but also has remarkable advantages in opposing overall the attack means of IP deception, SYN Flood, ICMP. ARP, etc. strengthening proxy service, merging it with packet filtering, then adding the intelligence filtering
technology to make the security of the firewall rising to another height.
transparent中文翻译4. Conclusion
Now the firewall has already been widely used on Internet, and because of its characteristic of not limited to the TCP/IP protocol, it has more vitality outside Internet progressively too. To be subjective, the firewall is not the omnipotent prescription of solving the problem of network security, but only a component of the network security policy and tactics. However, understanding the technology of firewall and learning to use it in actual operation, believing that every net friend may be benefited a lot from the network life in the new century.
翻译:
⽹络安全与防⽕墙技术研究
摘要:
作为关键设施,维护⽹络的安全性,防⽕墙采取建⽴信任与不可靠的⽹络障碍的⽬的,并落实相应的安全策略。在这个⽂件中,计算机⽹络安全与防⽕墙的技术,主要讨论的概念和分类,介绍了防⽕墙。它还介绍了三种基本的防⽕墙实现技术:分组过滤,代理服务器和应⽤详细监测模型的。最后描述对互联⽹的简单防⽕墙技术的发展趋势。
关键词:⽹络安全,防⽕墙,包过滤,监控
1 介绍
现在,随着计算机⽹络和电⼦商务的⼴泛应⽤,⽹络安全已成为⼀个我们必须考虑和解决的重要问题。越来越多的专业,企业和个⼈上⽹的不同程度的安全问题。他们正在寻更可靠的安全解决⽅案。在防御系统所采⽤的⽹络安全的现状,防⽕墙占据了⾮常重要的地位。
作为维护⽹络安全的关键设施,防⽕墙采取建⽴⼀个障碍在信任和不信任的⽹络之间,并实施相应的安全策略。
所有的防⽕墙具有过滤IP地址的功能。这项任务是检查IP数据包,根据源地址和⽬的IP地址决定是否释放或放弃这个数据包。在图1所⽰,在两个⽹段中间有⼀个防⽕墙,⼀侧是UNIX计算机,另⼀侧是PC客户端。当PC客户端向UNIX 计算机发送远程登陆请求时,PC⾥的远程登陆客户端程序产⽣⼀个TCP 数
据包并把此包传递给本地协议栈准备发送。协议栈把它填充在⼀个IP数据包内,然后通过PC的TCP/IP协议栈中定义的路径发送到UNIX计算机。在它通过
PC和UNIX计算机之间的防⽕墙之前,这个IP包不能送达UNIX计算机。
图1 IP地址过滤
在互联⽹上防⽕墙是⽹络安全的⾮常有效的⼿段,它安装在信任和不可靠的⽹络之间,可以隔离安全区域和风险区域的连接,在同⼀时间并不妨碍⼈们进⼊风险区域。它可以隔离风险区域之间的连接(即有可能是在互联⽹上⼀定的风险)和安全区(局域⽹)上,也不妨碍⼈们在同⼀时间进⼊危险领域。防⽕墙可以监控进出⽹络的通信量,从⽹络来完成这项任务看似不可能的,它只允许安全和通过检查的信息进⼊,同时阻⽌那些可能给企业带来威胁的数据信息。由于故障和安全问题的缺陷变得越来越普遍,⼊侵⽹络不仅来⾃⾼超的攻击⼿段,也可能是来⾃配置上的低级错误或不合适的密码选择。因此,这个防⽕墙的功能是防⽌不被希望和未经许可的通讯进出⽹络保护。。迫使公司加强⾃⼰的⽹络安全策略。⼀般防⽕墙可以达到以下⽬的:第⼀,制⽌他⼈进⼊内部⽹络,过滤不安全服务和⾮法⽤户;第⼆,防⽌关闭安装到你的防御侵略者;第三,限制⽤户访问特殊站点;第四,提供便利的⽹络安全监控。
2防⽕墙技术的分类和实施
⼀个集成的防⽕墙系统通常包括筛选路由器和代理服务器。该筛选路由器是⼀个多端⼝的IP路由器,它根据定期的⼩组来检查每个IP数据包,以判断是否将其发送。筛选路由器得到分组信息,例如协议号、IP地址、端⼝号、甚⾄IP选择中的标志和联系。代理服务器是防⽕墙的过程服务器。它可以代替⽹

版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系QQ:729038198,我们将在24小时内删除。