Most fire prevention picks focus on the prevention of external data packets, while ignoring the internal security risks. For example, we discussed that including Bekazaki, a roll over strategy is often used to allow incoming response packets from outside, while rejecting incoming connection requests or service requests. If an internal host first sends a request packet to an external attacker and introduces a response packet with some attack behavior, the attack packet will pass through the firewall smoothly. A server or Network construction The attack behavior of the device. At the same time, the data packets sent from the inside to the outside sometimes also have an internal sensitive information. Because the fire prevention team usually does not make too many restrictions on the sent data packets, this common information is easily obtained from the outside and becomes the key information for launching attacks on the internal network.
The fireproof plug itself is implemented on the basis of TCP/IP protocol. Therefore, it is difficult to completely eliminate the security threat caused by this residual protocol. For example, a SYN attack launched against the server by using the protocol Handong of TCP will eventually cause the attacked server to stop "refusing" to accept all service requests. Also known as the denial of service attack DoS (Denial-o (- Service), the implementation is very simple. The attacker keeps sending the largest TCP connection request SYN message to the server, which provides some service. After sending the SY and connection request, the attacker will not continue to complete the next handshake signal exchange with the server, making the server in a state of waiting for the requester to send the third handshake signal. The connection state in this waiting period is also called the semi connected state of the server. The server will save all the resources to be allocated for this connection until the timing shift timeout. If the server opens a large segment of semi connected TCP connections, the server will eventually run out of resources and cannot accept new TCP connection requests, even if it is a normal request SYN attacks are usually launched against servers in the intranet that provide public services to the outside. A single TCP request to connect SYN packets sent from an attacker cannot be distinguished from a normal connection request. It is also a SYN attack. Some fireproof J Check whether the change of the header status information (such as the SYN bit and ACK bit of TCP) of the side data packet conforms to the corresponding protocol rules by tracking the connection status change of the input and output data packets. The formed rules are not only more than the first field of the data packet, but also the status change and other parameters of the data packet, so as to improve the security defense capability of the internal network system. However, the problem faced by this kind of fire protection device with the state detection function is that, first of all, the state detection side of all data streams has high requirements on the processing and computing capacity of the fire protection device, and the state gun side will directly affect the processing speed of the fire protection device for each data packet; Secondly, for the above SYN attack packets, even the firearm with the status gun test function can hardly accurately determine whether a SYN attack packet is an attack packet. In particular, some attack villages that carry out SYN attacks will use addresses to coax them to use different sending addresses.
Finally, the strong security defense capability of fire prevention is inversely proportional to its processing speed. The more complex the firewall's a-pass rules are and the more detailed the packet inspection is, the higher the security of the internal network will be. But correspondingly, the faster a packet is processed, the lower the performance of the town network will be.
The above limitations of the firewall indicate that fire prevention. Well can not be bent to provide absolute security protection for the network, In the actual two network system, other safety control side finger devices are usually used as a necessary supplement to the fire plug, such as the human site IDS (Intrusion Detection System) can be used as the second way to find after the fire prevention. Under the premise of not affecting the network operation and performance, collect the corresponding information from the fire prevention station or other shutdown nodes in the network. And analyze these information to see whether there is an attempt to attack in the network. When you find the At behavior, you can report it to the network and the administrator in a timely manner. As a compensation technology for the fire prevention station The human spirit of the side claw of the spear can not only send out attacks from the outside, but also send out evil behaviors from the inside. It is of great significance for Lazhicheng to reduce various safety reductions suffered by the two collateral systems.
