MENU service case
Website construction website design Beijing website construction high-end website production company Shangpin China
We create by embracing change
360 ° brand value__
simplified Chinese character
Simplified Chinese English

Shangpin China Joins Hands with Beisheng Internet to Create a New Chapter in Website Construction

Type: Shangpin Dynamic Learn more

Limitations of firewall

Source: Shangpin China | Type: website encyclopedia | Time: 2015-06-17
Most fire prevention picks focus on the prevention of external data packets, while ignoring the internal security risks. For example, we discussed that including Bekazaki, a roll over strategy is often used to allow incoming response packets from outside, while rejecting incoming connection requests or service requests. If an internal host first sends a request packet to an external attacker and introduces a response packet with some attack behavior, the attack packet will pass through the firewall smoothly. A server or Network construction The attack behavior of the device. At the same time, the data packets sent from the inside to the outside sometimes also have an internal sensitive information. Because the fire prevention team usually does not make too many restrictions on the sent data packets, this common information is easily obtained from the outside and becomes the key information for launching attacks on the internal network.
 
 
firewall
   
The fireproof plug itself is implemented on the basis of TCP/IP protocol. Therefore, it is difficult to completely eliminate the security threat caused by this residual protocol. For example, a SYN attack launched against the server by using the protocol Handong of TCP will eventually cause the attacked server to stop "refusing" to accept all service requests. Also known as the denial of service attack DoS (Denial-o (- Service), the implementation is very simple. The attacker keeps sending the largest TCP connection request SYN message to the server, which provides some service. After sending the SY and connection request, the attacker will not continue to complete the next handshake signal exchange with the server, making the server in a state of waiting for the requester to send the third handshake signal. The connection state in this waiting period is also called the semi connected state of the server. The server will save all the resources to be allocated for the connection until the timing shift timeout. If the server opens a large segment of semi connected TCP connections, the server will eventually run out of resources and cannot accept new TCP connection requests, even if it is a normal request SYN attacks are usually launched against servers in the intranet that provide public services to the outside. A single TCP request to connect SYN packets sent from an attacker cannot be distinguished from a normal connection request. It is also a SYN attack. Some fireproof J Check whether the change of the header status information (such as the SYN bit and ACK bit of TCP) of the side data packet conforms to the corresponding protocol rules by tracking the connection status change of the input and output data packets. The formed rules are not only more than the first field of the data packet, but also the status change and other parameters of the data packet, so as to improve the security defense capability of the internal network system. However, the problem faced by this kind of fire protection device with the state detection function is that, first of all, the state detection side of all data streams has high requirements on the processing and computing capacity of the fire protection device, and the state gun side will directly affect the processing speed of the fire protection device for each data packet; Secondly, for the above SYN attack packets, even the firearm with the status gun test function can hardly accurately determine whether a SYN attack packet is an attack packet. In particular, some attack villages that carry out SYN attacks will use addresses to coax them to use different sending addresses.

Finally, the strong security defense capability of fire prevention is inversely proportional to its processing speed. The more complex the firewall's a-pass rules are and the more detailed the packet inspection is, the higher the security of the internal network will be. But correspondingly, the faster a packet is processed, the lower the performance of the town network will be.

The above limitations of the firewall indicate that fire prevention. Well can not be bent to provide absolute security protection for the network, In the actual two network system, other safety control side finger devices are usually used as a necessary supplement to the fire plug, such as the human site IDS (Intrusion Detection System) can be used as the second way to find after the fire prevention. Under the premise of not affecting the network operation and performance, collect the corresponding information from the fire prevention station or other shutdown nodes in the network. And analyze these information to see whether there is an attempt to attack in the network. When you find the At behavior, you can report it to the network and the administrator in a timely manner. As a compensation technology for the fire prevention station The human spirit of the side claw of the spear can not only send out attacks from the outside, but also send out evil behaviors from the inside. It is of great significance for Lazhicheng to reduce various safety reductions suffered by the two collateral systems.
Source Statement: This article is original or edited by Shangpin China's editors. If it needs to be reproduced, please indicate that it is from Shangpin China. The above contents (including pictures and words) are from the Internet. If there is any infringement, please contact us in time (010-60259772).
TAG label:

What if your website can increase the number of conversions and improve customer satisfaction?

Make an appointment with a professional consultant to communicate!

* Shangpin professional consultant will contact you as soon as possible

Disclaimer

Thank you very much for visiting our website. Please read all the terms of this statement carefully before you use this website.

1. Part of the content of this site comes from the network, and the copyright of some articles and pictures involved belongs to the original author. The reprint of this site is for everyone to learn and exchange, and should not be used for any commercial activities.

2. This website does not assume any form of loss or injury caused by users to themselves and others due to the use of these resources.

3. For issues not covered in this statement, please refer to relevant national laws and regulations. In case of conflict between this statement and national laws and regulations, the national laws and regulations shall prevail.

4. If it infringes your legitimate rights and interests, please contact us in time, and we will delete the relevant content at the first time!

Contact: 010-60259772
E-mail: [email protected]

Communicate with professional consultants now!

  • National Service Hotline

    400-700-4979

  • Beijing Service Hotline

    010-60259772

Please be assured to fill in the information protection
Online consultation

Disclaimer

Thank you very much for visiting our website. Please read all the terms of this statement carefully before you use this website.

1. Part of the content of this site comes from the network, and the copyright of some articles and pictures involved belongs to the original author. The reprint of this site is for everyone to learn and exchange, and should not be used for any commercial activities.

2. This website does not assume any form of loss or injury caused by users to themselves and others due to the use of these resources.

3. For issues not covered in this statement, please refer to relevant national laws and regulations. In case of conflict between this statement and national laws and regulations, the national laws and regulations shall prevail.

4. If it infringes your legitimate rights and interests, please contact us in time, and we will delete the relevant content at the first time!

Contact: 010-60259772
E-mail: [email protected]