The Role of Firewalls

A firewall is a program or hardware device that filters the information coming into your private network or computer system through an Internet connection. If an incoming packet is flagged by the filters, it is not allowed through. If you have read How Web Servers Work, you already have a good understanding of how data moves across the Internet, and you can easily see how a firewall helps protect the computers inside a large company. Suppose you work for a company with 500 employees. The company therefore has hundreds of computers, all connected to each other through network cards. In addition, the company has one or more Internet connections over lines such as T1 or T3. Without a firewall, anyone on the Internet can reach these hundreds of computers directly. Someone who knows what they are doing could probe those machines, try to open FTP connections to them, try to open Telnet connections to them, and so on. If an employee makes a mistake that leaves a security hole, a hacker can get into that computer and exploit it.

With a firewall installed, the picture is very different. The company places a firewall at every Internet connection (for example, on every T1 line entering the company), and the firewall enforces security rules. For example, one rule inside the company might be: of the 500 computers in the company, only one is allowed to receive public FTP traffic. FTP connections are allowed only to that computer and blocked to every other one. The company can set similar rules for FTP servers, web servers, Telnet servers and so on. It can also control how employees connect to websites, whether files are allowed to leave the company over the network, and so on. With a firewall, a company has a great deal of control over how people use its network.
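The policy in the paragraph above (public FTP to a single host, per-server rules, everything else blocked) and the stateful inspection method the article goes on to describe, worked through as an added Python example. This is not code from the original page; the company network, server addresses, rule list and sample packets are all constructed for illustration, and the flow tracking is a deliberately simplified model of what a real firewall keeps in its connection table.

```python
"""Stateful packet filter for the example policy: public FTP to one host only,
web traffic to the web server, everything else denied by default.

Added example, not from the original page. Addresses, rules and sample
packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed company LAN
FTP_SERVER = "10.0.0.21"   # the single host allowed to receive public FTP
WEB_SERVER = "10.0.0.80"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

    def is_new_connection(self) -> bool:
        # A SYN without ACK is the only TCP packet that may open a connection.
        return self.proto == "tcp" and self.syn and not self.ack


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None means "any"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(want is None or getattr(p, field) == want
                   for field, want in (("proto", self.proto), ("src", self.src),
                                       ("dst", self.dst), ("dport", self.dport)))


# Static rules for new inbound connections; first match wins.
INBOUND_RULES = [
    Rule("deny", src="203.0.113.9"),                        # an abusive address (constructed)
    Rule("allow", proto="tcp", dst=FTP_SERVER, dport=21),   # public FTP: this host only
    Rule("allow", proto="tcp", dst=WEB_SERVER, dport=80),
    Rule("allow", proto="tcp", dst=WEB_SERVER, dport=443),
]


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


class StatefulFirewall:
    """Lets replies to known connections through, and applies the static rules
    only to packets that try to open a new connection (stateful inspection)."""

    def __init__(self, rules):
        self.rules = rules
        # Flows keyed as (inside_host, inside_port, outside_host, outside_port, proto)
        self.flows = set()

    def process(self, p: Packet) -> str:
        if is_internal(p.src) and not is_internal(p.dst):
            # Outbound: remember the flow so the reply can come back in.
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "allow"
        # Inbound and part of a flow we have already seen?
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "allow"
        # Unknown flow: only a connection attempt is eligible for the rules.
        if p.proto == "tcp" and not p.is_new_connection():
            return "deny"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.flows.add((p.dst, p.dport, p.src, p.sport, p.proto))
                return rule.action
        return "deny"   # default deny: block everything, then allow selectively


def run(packets):
    """Process a packet sequence through one firewall; return the decisions."""
    fw = StatefulFirewall(INBOUND_RULES)
    return [fw.process(p) for p in packets]


# Constructed sample traffic, in order.
SAMPLE = [
    Packet("10.0.0.5", "198.51.100.7", "tcp", 40000, 80, syn=True),            # employee browses out
    Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 40000, syn=True, ack=True),  # reply to that flow
    Packet("198.51.100.8", FTP_SERVER, "tcp", 5000, 21, syn=True),             # FTP to the allowed host
    Packet("198.51.100.8", "10.0.0.5", "tcp", 5001, 21, syn=True),             # FTP to any other host
    Packet("203.0.113.9", WEB_SERVER, "tcp", 6000, 80, syn=True),              # blocked address
    Packet("198.51.100.9", WEB_SERVER, "tcp", 7000, 80, ack=True),             # stray ACK, no known flow
    Packet("198.51.100.10", WEB_SERVER, "tcp", 8000, 23, syn=True),            # Telnet: no rule, denied
]

if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE, run(SAMPLE)):
        print(f"{decision:5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The second sample packet is only allowed because the firewall saw the employee's outbound request first; the sixth, an ACK for a connection the firewall never saw, is dropped even though it is addressed to the web server on an allowed port. That is the difference between a stateless rule list and stateful inspection.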

Firewalls use one or more of three methods to control traffic flowing into and out of the network:

• Packet filtering. Packets (small chunks of data) are analyzed against a set of filters. Packets that pass the filters are sent on to the system that requested them; packets that do not pass are discarded.
• Proxy service. The firewall retrieves information from the Internet and then passes it on to the requesting system, and vice versa.
• Stateful inspection. This is a newer method that does not examine the contents of every packet; instead it compares certain key parts of the packet against a database of trusted information. Information travelling from inside the firewall to the outside is monitored for specific defining characteristics, and incoming information is then compared against those characteristics. If the comparison yields a reasonable match, the information is allowed through; otherwise it is discarded.

Customizing a firewall

Firewalls can be customized. This means you can add or remove filters based on several conditions, some of which are:

• IP address. Every computer on the Internet is assigned a unique address, called an IP address. An IP address is a 32-bit number, usually expressed as four "octets" written in "dotted decimal" notation. A typical IP address looks like this: 37. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to and from that IP address.
• Domain name. Because the string of numbers that makes up an IP address is hard to remember, and because IP addresses sometimes need to change, every server on the Internet also has a human-readable name, called a domain name. For most people, for example, a name is easier to remember than a number like 37. A company can block all access to particular domain names, or allow access only to specific domain names.
• Protocol. A protocol is a predefined way for a party that wants to use a service to talk to that service. The "party" may be a person, but more often it is a computer program such as a web browser. Protocols are usually text and simply describe how the client and the server will hold their conversation. HTTP is the web protocol. A company may set up only one or two computers to handle a specific protocol and disable that protocol on all the other computers. Some common protocols you can set firewall filters for:
  IP (Internet Protocol): the main delivery system for information on the Internet
  TCP (Transmission Control Protocol): used to break apart and rebuild information that travels over the Internet
  HTTP (Hyper Text Transfer Protocol): used for web pages
  FTP (File Transfer Protocol): used to download and upload files
  UDP (User Datagram Protocol): used for information that requires no response, such as streaming audio and video
  ICMP (Internet Control Message Protocol): used by routers to exchange information with other routers
  SMTP (Simple Mail Transport Protocol): used to send text-based information (e-mail)
  SNMP (Simple Network Management Protocol): used to collect system information from a remote computer
  Telnet: used to execute commands on a remote computer
• Ports. Any server machine makes its services available to the Internet using numbered ports, one for each service available on that server (see How Web Servers Work for details). For example, if a server machine is running a web (HTTP) server and an FTP server, the web server is typically reachable on port 80 and the FTP server on port 21. A company might block access to port 21 on all of its machines except one.
• Specific words and phrases. This can be anything. The firewall sniffs (searches through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet containing the word "X-rated". The key here is that the match has to be exact: the "X-rated" filter would not catch "X rated" (without the hyphen). But you can include as many words, phrases and variations of them as you need.

Some operating systems come with a firewall built in. Otherwise, a software firewall can be installed on the computer in your home that has the Internet connection. That computer is called a gateway because it provides the only point of access between your home network and the Internet. With a hardware firewall, the firewall unit itself is normally the gateway. A good example is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in your home network connect to the router, and the router in turn connects to either a cable or DSL modem.

You configure the router through a web-based interface that you reach with the browser on your computer, and you can then set any filters or other information. Hardware firewalls are extremely secure and not very expensive. Home versions that include a router, firewall and Ethernet hub for use with a broadband connection can be found for well under $100.

What does a firewall protect against?

There are many creative ways that unscrupulous people use to access or abuse unprotected computers:

• Remote login. Someone is able to connect to your computer and control it in some form. This can range from viewing or accessing your files to actually running programs on your computer.
• Application backdoors. Some programs have special features that allow remote access. Others contain bugs that provide a backdoor, or hidden entrance, giving some level of control over the program.
• SMTP session hijacking. SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail to thousands of users. This is commonly done by redirecting the e-mail through the SMTP server of an unsuspecting host, which hides the tracks of the actual sender of the spam.
• Operating system bugs. Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls, or have bugs that an experienced hacker can take advantage of.
• Denial of service. You have probably heard this phrase in news reports on attacks against major websites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By flooding a server with these unanswerable session requests, the hacker causes the server to slow to a crawl or eventually crash.
• E-mail bombs. An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.
• Macros. To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.
• Viruses. Probably the most well-known threat is the computer virus. A virus is a small program that can copy itself to other computers, and by copying itself it can spread quickly from one system to the next. Viruses range from harmless messages to ones that erase all of your data.
• Spam. The word "spam" is borrowed from everyday life into the electronic world; spam is typically harmless but always annoying. It can be dangerous, though, because it often contains links to websites. Be careful about clicking these links, as you may accidentally accept a cookie that provides a backdoor to your computer.
• Redirect bombs. Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways a denial of service attack is set up.
• Source routing. In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route the packet should take. Hackers sometimes take advantage of this to make information appear to come from a trusted source, or even from inside the network! Most firewall products disable source routing by default.

Some of the items in the list above are hard, if not impossible, to filter with a firewall. While some firewalls offer virus protection, it is worth installing anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail.

The level of security you establish determines how many of these threats your firewall can stop. The highest level of security would simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow. You can also restrict the traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses with an experienced network administrator who understands the business's needs and knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change them.

From a security standpoint, one of the best things about a firewall is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.
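The denial-of-service pattern described above (connection requests that the server acknowledges but can never complete) is visible from the defender's side as a build-up of half-open connections. The following added Python example, which is not part of the original page, shows the detection logic a monitor at the server could apply; the event format, client addresses, timings and the threshold are all constructed for illustration.

```python
"""Half-open connection monitor for the denial-of-service pattern above.

Added example, not from the original page. The event format, addresses,
timings and threshold are constructed for illustration."""
from collections import defaultdict


def constructed_events():
    """Handshake events seen at the protected server, in time order:
    (time_seconds, client_ip, client_port, flag), where "S" is the client's
    SYN (connection request) and "A" the client's final ACK (handshake done)."""
    events = [
        (0.00, "198.51.100.7", 40000, "S"),   # a normal client ...
        (0.05, "198.51.100.7", 40000, "A"),   # ... completes its handshake
    ]
    # A flooding source: six requests, none of which is ever acknowledged.
    events += [(1.0 + 0.01 * i, "203.0.113.50", 50000 + i, "S") for i in range(6)]
    # A slow but legitimate client whose handshake is still within the timeout.
    events.append((9.5, "198.51.100.8", 41000, "S"))
    return events


def half_open_connections(events, now, timeout=3.0):
    """Return {client_ip: number of SYNs that are older than `timeout` seconds
    at time `now` and were never followed by the client's ACK}."""
    pending = {}   # (ip, port) -> time of the unanswered SYN
    for t, ip, port, flag in events:
        if flag == "S":
            pending[(ip, port)] = t            # new (or retransmitted) request
        elif flag == "A":
            pending.pop((ip, port), None)      # handshake completed
    counts = defaultdict(int)
    for (ip, _), t in pending.items():
        if now - t > timeout:                  # had time to complete, did not
            counts[ip] += 1
    return dict(counts)


def flooding_sources(events, now, timeout=3.0, threshold=5):
    """Client addresses with at least `threshold` stale half-open connections."""
    counts = half_open_connections(events, now, timeout)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    ev = constructed_events()
    print(half_open_connections(ev, now=10.0))   # per-source stale half-open count
    print(flooding_sources(ev, now=10.0))        # sources over the threshold
```

Because the requests in a real flood usually carry forged source addresses that never answer, the per-source count alone can stay below any threshold; a monitor should also watch the total number of stale half-open connections (the sum of the returned counts), which rises regardless of how the addresses are spread.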

