The Role of a Firewall

A firewall is a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.

If you have read How Web Servers Work, you already have a good idea of how data moves across the Internet, and you can easily see how a firewall helps protect the computers inside a large company. Suppose you work for a company with 500 employees. The company therefore has hundreds of computers that are connected to each other through network cards. In addition, the company has one or more connections to the Internet through something like T1 or T3 lines. Without a firewall in place, anyone on the Internet could directly access all of those hundreds of computers. Someone who knows what they are doing could probe those computers, try to make FTP connections to them, try to make telnet connections to them, and so on. If one employee makes a mistake and leaves a security hole, a hacker can get into that machine and exploit the hole.

With a firewall in place, the picture changes drastically. The company places a firewall at every connection to the Internet (for example, on every T1 line coming into the company), and the firewall can enforce security rules. For example, one of the security rules inside the company might be: of the 500 computers inside this company, only one is permitted to receive public FTP traffic; allow FTP connections only to that one computer and block them to all others. The company can set up rules like this for its FTP servers, Web servers, Telnet servers and so on. In addition, the company can control how employees connect to websites, whether files are allowed to leave the company over the network, and so on. A firewall gives a company tremendous control over how people use the network.

Firewalls use one or more of three methods to control traffic flowing into and out of the network:

• Packet filtering: packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent on to the requesting system; all others are discarded.
• Proxy service: the firewall retrieves information from the Internet and then sends it to the requesting system, and vice versa.
• Stateful inspection: a newer method that does not examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, and incoming information is then compared to those characteristics. If the comparison yields a reasonable match, the information is allowed through; otherwise it is discarded.

Customizing a firewall

Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these conditions are:
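The following is an added illustration, not code from the original article, of how packet filtering and stateful inspection decide what passes. It evaluates a default-deny rule list first-match-wins (the "only one machine receives public FTP" rule from above) and keeps a connection table so that replies to sessions opened from inside are let back in while unsolicited inbound packets are dropped. The network prefix 10.0.0., the FTP server address 10.0.0.5, the Packet and Rule classes, and the sample traffic in demo() are all constructed for this example.

```python
"""Toy packet filter: a default-deny rule list (packet filtering) plus a
connection-tracking table (stateful inspection). Added example; every
address, rule and packet below is constructed for the demo."""
from dataclasses import dataclass
from typing import Optional

FTP_SERVER = "10.0.0.5"    # constructed: the one host allowed public FTP
INTERNAL_NET = "10.0.0."   # constructed: hypothetical company network prefix


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any value
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


# First match wins. Anything that matches no rule is denied.
RULES = [
    Rule("allow", proto="tcp", dst=FTP_SERVER, dport=21),  # public FTP to one host
    Rule("deny", proto="tcp", dport=21),                   # FTP to anyone else
    Rule("allow", proto="tcp", dport=80),                  # web servers
]


class StatefulFirewall:
    """Inbound packets pass if a rule allows them, or if they are replies to
    a session that an inside host opened earlier (stateful inspection)."""

    def __init__(self, rules):
        self.rules = rules
        # (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.sessions = set()

    @staticmethod
    def _is_inside(ip: str) -> bool:
        return ip.startswith(INTERNAL_NET)

    def filter(self, pkt: Packet) -> str:
        outbound_key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: remember the session so the reply can come back.
            self.sessions.add(outbound_key)
            return "allow"
        if reply_key in self.sessions:
            return "allow"  # matches a session we opened from inside
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"       # default deny


def demo() -> list:
    """Run constructed sample traffic through the firewall; returns decisions."""
    fw = StatefulFirewall(RULES)
    traffic = [
        Packet("203.0.113.7", FTP_SERVER, "tcp", 40000, 21),    # allowed FTP host
        Packet("203.0.113.7", "10.0.0.9", "tcp", 40001, 21),    # FTP elsewhere
        Packet("10.0.0.9", "198.51.100.20", "tcp", 51000, 443), # outbound HTTPS
        Packet("198.51.100.20", "10.0.0.9", "tcp", 443, 51000), # its reply
        Packet("198.51.100.20", "10.0.0.9", "tcp", 443, 51001), # unsolicited
        Packet("203.0.113.7", "10.0.0.9", "tcp", 40002, 80),    # web, allowed
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    print(demo())
```

The unsolicited packet on port 51001 is the case stateful inspection exists for: no static rule mentions that port, and no inside host opened that session, so it falls through to the default deny even though a reply on the neighbouring port 51000 was allowed a moment earlier.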

• IP addresses: each machine on the Internet is assigned a unique address called an IP address. IP addresses are 32-bit numbers, normally expressed as four "octets" in a "dotted decimal number". A typical IP address looks like this: 37. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address.
• Domain names: because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, most people find a name easier to remember than 37. A company might block all access to certain domain names, or allow access only to specific domain names.
• Protocols: a protocol is a predefined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program such as a Web browser. Protocols are often text and simply describe how the client and server will have their conversation. HTTP is the protocol of the Web. A company might set up only one or two machines to handle a specific protocol and ban that protocol on all other machines. Some common protocols that you can set firewall filters for include:
  - IP (Internet Protocol): the main delivery system for information over the Internet
  - TCP (Transmission Control Protocol): used to break apart and rebuild information that travels over the Internet
  - HTTP (Hyper Text Transfer Protocol): used for Web pages
  - FTP (File Transfer Protocol): used to download and upload files
  - UDP (User Datagram Protocol): used for information that requires no response, such as streaming audio and video
  - ICMP (Internet Control Message Protocol): used by routers to exchange information with other routers
  - SMTP (Simple Mail Transport Protocol): used to send text-based information (e-mail)
  - SNMP (Simple Network Management Protocol): used to collect system information from a remote computer
  - Telnet: used to execute commands on a remote computer
• Ports: any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server (see How Web Servers Work for details). For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80 and the FTP server on port 21. A company might block port 21 access on all machines but one inside the company.
• Specific words and phrases: this can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The key here is that it has to be an exact match: the "X-rated" filter would not catch "X rated" (no hyphen). But you can include as many words, phrases and variations of them as you need.
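As an added example that is not part of the original article, the next block works three of these filter conditions in code: it converts between dotted-decimal notation and the 32-bit number an IP address really is (and tests membership in a network prefix), it turns "an outside address has read too many files from the server" into an automatic block on that address, and it shows why the word filter's exact-match behaviour needs spelling variants listed explicitly. The names ip_to_int, int_to_ip, in_network, IpReadLimiter, exact_word_filter and with_variants are chosen here; the read limit and the sample addresses are constructed.

```python
"""Filter conditions worked as code: IP addresses as 32-bit numbers, an
automatic per-address block after too many file reads, and an exact-match
word filter with its variants. Added example; values are constructed."""


def ip_to_int(dotted: str) -> int:
    """Dotted-decimal text -> the 32-bit number the address really is."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n   # each octet occupies 8 of the 32 bits
    return value


def int_to_ip(value: int) -> str:
    """32-bit number -> dotted-decimal text."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def in_network(ip: str, network: str, prefix_len: int) -> bool:
    """True if ip lies inside network/prefix_len (e.g. 10.0.0.0/24)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask) == (ip_to_int(network) & mask)


class IpReadLimiter:
    """Block an address once it has read more than `limit` files."""

    def __init__(self, limit: int):
        self.limit = limit      # constructed threshold for the demo
        self.reads = {}
        self.blocked = set()

    def record_read(self, src_ip: str) -> str:
        if src_ip in self.blocked:
            return "deny"
        self.reads[src_ip] = self.reads.get(src_ip, 0) + 1
        if self.reads[src_ip] > self.limit:
            self.blocked.add(src_ip)   # all further traffic from it is denied
            return "deny"
        return "allow"


def exact_word_filter(payload: str, banned: list) -> bool:
    """True if the payload contains any banned phrase, matched literally.
    'X-rated' therefore does not catch 'X rated' unless that variant is listed."""
    return any(phrase in payload for phrase in banned)


def with_variants(phrase: str) -> list:
    """Expand one phrase into the spellings a filter author would list."""
    variants = {
        phrase,
        phrase.replace("-", " "),
        phrase.replace("-", ""),
        phrase.lower(),
        phrase.upper(),
    }
    return sorted(variants)


def demo_read_limit() -> list:
    """Constructed: one outside address reads five files; the limit is three."""
    limiter = IpReadLimiter(limit=3)
    return [limiter.record_read("203.0.113.7") for _ in range(5)]


if __name__ == "__main__":
    print(ip_to_int("192.168.1.10"), int_to_ip(3232235786))
    print(demo_read_limit())
    print(exact_word_filter("This is X rated", ["X-rated"]),
          exact_word_filter("This is X rated", with_variants("X-rated")))
```

The variant expansion is deliberately simple; it illustrates the article's point that a literal filter only ever matches what it is told to match, so the filter list, not the matching engine, has to carry the spellings you care about.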

Some operating systems come with a firewall built in. Otherwise, a software firewall can be installed on the computer in your home that has an Internet connection. This computer is considered a gateway because it provides the only point of access between your home network and the Internet.

With a hardware firewall, the firewall unit itself is normally the gateway. A good example is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in your home network connect to the router, which in turn is connected to either a cable or DSL modem.

You configure the router via a Web-based interface that you reach through the browser on your computer. You can then set any filters or additional information.

Hardware firewalls are very secure and not very expensive. Home versions that include a router, firewall and Ethernet hub for broadband connections can be found for under $100.

What protection does a firewall provide?

Unscrupulous people have come up with many creative ways to access or abuse unprotected computers:

• Remote login: someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.
• Application backdoors: some programs have special features that allow for remote access. Others contain bugs that provide a backdoor (a hidden entrance) giving some level of control of the program.
• SMTP session hijacking: SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail to thousands of users. This is commonly done by redirecting the e-mail through the SMTP server of an unsuspecting host, which hides the trail of the actual sender of the spam.
• Operating system bugs: like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls, or have bugs that an experienced hacker can take advantage of.
• Denial of service: you have probably heard this phrase used in news reports on attacks against major websites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, the hacker causes the server to slow to a crawl or eventually crash.
• E-mail bombs: an e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.
• Macros: to simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros which, depending on the application, can destroy your data or crash your computer.
• Viruses: probably the most well-known threat is the computer virus. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to dangerous ones that can erase all of your data.
• Spam: the real-world term "junk mail" borrowed into the electronic realm. Spam is typically harmless but always annoying, and it can be dangerous. Quite often it contains links to websites. Be careful of clicking on these, because you may accidentally accept a cookie that provides a backdoor to your computer.
• Redirect bombs: hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways a denial of service attack is set up.
• Source routing: in most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.

Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail.

The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would simply be to block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow. You can also restrict the traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses that have an experienced network administrator who understands the company's needs and knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change them.
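The redirect-bomb and source-routing items in the list above can both be checked directly in the IPv4 header, which is what a firewall that "disables source routing by default" is doing. The following added example, not code from the original article, parses the header's option list and flags loose or strict source-route options (option types 131 and 137) as well as inbound ICMP redirect messages (ICMP type 5), returning a drop verdict for each; build_packet is a constructed helper for making test packets, with the header checksum left at zero and not verified.

```python
"""Header inspection for two threats from the list above: source-routed
packets (LSRR/SSRR IP options) and ICMP redirects. Added example, not from
the article; the packets below are constructed by hand."""
import struct

LSRR, SSRR = 0x83, 0x89   # loose / strict source route option types (131, 137)
IPPROTO_ICMP = 1
ICMP_REDIRECT = 5


def parse_ipv4(raw: bytes) -> dict:
    """Return protocol, option list and payload of an IPv4 packet.
    Raises ValueError on anything malformed (which a firewall also drops)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version = raw[0] >> 4
    ihl = (raw[0] & 0x0F) * 4           # header length in bytes
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("bad version or header length")
    options = []
    i = 20                               # options start after the fixed header
    while i < ihl:
        opt_type = raw[i]
        if opt_type == 0:                # End of Option List
            break
        if opt_type == 1:                # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option length byte missing")
        opt_len = raw[i + 1]
        if opt_len < 2 or i + opt_len > ihl:
            raise ValueError("option overruns header")
        options.append((opt_type, raw[i + 2:i + opt_len]))
        i += opt_len
    return {"proto": raw[9], "options": options, "payload": raw[ihl:]}


def verdict(raw: bytes) -> str:
    """Perimeter policy: drop source-routed packets and ICMP redirects."""
    try:
        pkt = parse_ipv4(raw)
    except ValueError:
        return "drop: malformed"
    for opt_type, _ in pkt["options"]:
        if opt_type in (LSRR, SSRR):
            return "drop: source-routed"
    if (pkt["proto"] == IPPROTO_ICMP and pkt["payload"]
            and pkt["payload"][0] == ICMP_REDIRECT):
        return "drop: icmp-redirect"
    return "pass"


def build_packet(proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed test-packet builder. Source/destination addresses are
    documentation ranges; the checksum field is left zero."""
    options += b"\x00" * ((-len(options)) % 4)   # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                         bytes([203, 0, 113, 7]), bytes([10, 0, 0, 9]))
    return header + options + payload


def demo() -> list:
    """Constructed packets: plain TCP, TCP with an LSRR option carrying one
    hop, an ICMP redirect, an ICMP echo request, and a truncated header."""
    lsrr = bytes([LSRR, 7, 4]) + bytes([198, 51, 100, 1])
    redirect = bytes([ICMP_REDIRECT, 1, 0, 0]) + bytes([10, 0, 0, 1])
    echo = bytes([8, 0, 0, 0, 0, 1, 0, 1])
    return [
        verdict(build_packet(6)),
        verdict(build_packet(6, options=lsrr)),
        verdict(build_packet(IPPROTO_ICMP, payload=redirect)),
        verdict(build_packet(IPPROTO_ICMP, payload=echo)),
        verdict(b"\x45\x00"),
    ]


if __name__ == "__main__":
    print(demo())
```

Parsing failures are treated as drops rather than passes: a header whose option lengths do not add up is either corrupt or crafted, and neither deserves the benefit of the doubt at the perimeter.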

From a security standpoint, one of the biggest benefits of a firewall is that it stops anyone on the outside from logging onto a computer in your private network. This is very important for businesses; most home networks will probably not be threatened in this way. Still, putting a firewall in place provides some peace of mind.
