Unit 7: Detection and Prevention
7.1 Detection and Prevention: Firewall Techniques

mac, 2022-06-30

ABOUT THIS VIDEO

Firewalls use different techniques based on the type of firewall they are. The three types of firewalls are stateless packet filter, stateful packet filter, and ALG (Application Layer Gateway).

Firewalls can use different techniques to filter traffic regardless of whether they are hardware network-based firewalls or software host-based firewalls.

Packet filtering looks at each packet that enters or leaves a network.

The firewall will permit or deny the packet based on user-defined rules like source IP address, destination IP address, protocol, and port.

Packet filtering can be further broken down into two subcategories.

The first is stateless packet filtering, which is sessionless.

Each packet is treated by itself as an isolated piece of communication.

This requires less memory and time.

There's low overhead and high throughput.

However, this type of firewall technique cannot make complex decisions based on the stage of a communication, only on access control lists referencing IP addresses, protocols, and ports.

If an attacker spoofs an IP address, a stateless packet filter can be fooled.

Stateful packet filtering, on the other hand, uses sessions, can understand the stages of a TCP connection, and can be aware of a hacker who tries to spoof an IP address.

For TCP-based traffic, after a connection has been established, packets can flow between the hosts without further checking.
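
The contrast between the two packet-filtering techniques, as an added example that is not code from the video or the course: a toy stateless ACL and a toy stateful filter see the same TCP handshake, then an ACK-only packet with a spoofed trusted source address and no prior handshake. The web server, trusted prefix, hosts and ports are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # TCP flags set, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

WEB_SERVER, TRUSTED_NET = "10.0.0.5", "10.0.0."   # constructed addresses

def stateless_filter(p: Packet) -> bool:
    """ACL style: every packet is judged alone on addresses, port and flags."""
    if p.dst == WEB_SERVER and p.dport == 80:            # new web connections
        return True
    if p.src.startswith(TRUSTED_NET) and "ACK" in p.flags:
        return True     # 'established' heuristic: ACK set, so assumed to be a reply
    return False

class StatefulFilter:
    """Follows the TCP handshake; only packets of a tracked session get through."""
    def __init__(self):
        self.state = {}   # session key -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def filter(self, p: Packet) -> bool:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})  # same for both directions
        st = self.state.get(key)
        if st == "ESTABLISHED":      # session set up: no further checking
            return True
        if st is None:               # only a SYN to the web server opens a session
            if p.flags == {"SYN"} and p.dst == WEB_SERVER and p.dport == 80:
                self.state[key] = "SYN_SENT"
                return True
            return False             # ACK without a handshake: unsolicited or spoofed
        if st == "SYN_SENT" and p.flags == {"SYN", "ACK"} and p.src == WEB_SERVER:
            self.state[key] = "SYN_RECV"
            return True
        if st == "SYN_RECV" and p.flags == {"ACK"} and p.dst == WEB_SERVER:
            self.state[key] = "ESTABLISHED"
            return True
        return False                 # out-of-sequence packet for this session

def demo() -> tuple:
    """Returns (handshake verdicts as (stateless, stateful) pairs, stateless and stateful verdicts for the spoofed ACK)."""
    sf = StatefulFilter()
    client = "203.0.113.7"
    legit = [Packet(client, 40000, WEB_SERVER, 80, frozenset({"SYN"})),
             Packet(WEB_SERVER, 80, client, 40000, frozenset({"SYN", "ACK"})),
             Packet(client, 40000, WEB_SERVER, 80, frozenset({"ACK"})),
             Packet(client, 40000, WEB_SERVER, 80, frozenset({"ACK", "PSH"}))]
    legit_verdicts = [(stateless_filter(p), sf.filter(p)) for p in legit]
    # ACK-only packet with a spoofed trusted source address and no prior handshake
    spoofed = Packet("10.0.0.9", 4444, "10.0.0.20", 22, frozenset({"ACK"}))
    return legit_verdicts, stateless_filter(spoofed), sf.filter(spoofed)
```

Both filters pass the four legitimate packets; only the stateful filter drops the spoofed one, because it has no session in which that ACK belongs.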

An ALG, application layer gateway, applies security mechanisms based on a certain application, like HTTP, SSL/TLS, FTP, DNS, and VoIP.

So instead of just looking at IP addresses, protocols, and ports, ALGs look deeper into the protocols to see if they're being used properly.

ALGs understand how specific protocols should work and look at layer seven.

They can filter offensive or disallowed commands in the data stream.

They are stateful.

DPI, deep packet inspection, is done by an ALG (application layer gateway) to examine in great detail the contents of the data being sent.
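
What "looking deeper into the protocol" and "filtering disallowed commands in the data stream" amount to, as an added example that is not code from the video or the course: a toy FTP application layer gateway reads the control channel at layer seven, checks that each line is a well-formed FTP command, drops commands a policy disallows, and rejects a PORT command that names an address other than the client's own. The client address, the policy set and the captured stream are constructed for the demo.

```python
import re

CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: ([\x20-\x7e]+))?$")  # "CMD [printable args]"
DISALLOWED = {b"DELE", b"RMD", b"SITE"}      # constructed policy: commands never passed

def parse_port(args: bytes):
    """Decode 'h1,h2,h3,h4,p1,p2' from a PORT command into (ip, port), or None."""
    parts = args.split(b",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) < 256 for p in parts):
        return None
    ip = ".".join(p.decode() for p in parts[:4])
    return ip, int(parts[4]) * 256 + int(parts[5])

def inspect_command(line: bytes, client_ip: str) -> tuple:
    """Return ('pass' | 'drop', reason) for one control-channel line."""
    m = CMD_RE.match(line)
    if not m:
        return "drop", "not a well-formed FTP command"        # format check
    cmd, args = m.group(1).upper(), m.group(2) or b""
    if cmd in DISALLOWED:
        return "drop", "disallowed command " + cmd.decode()
    if cmd == b"PORT":                                        # protocol semantics
        parsed = parse_port(args)
        if parsed is None:
            return "drop", "malformed PORT argument"
        if parsed[0] != client_ip:                            # classic FTP bounce check
            return "drop", "PORT names third-party host " + parsed[0]
    return "pass", ""

def alg_filter(stream: bytes, client_ip: str) -> list:
    """Split the control channel on CRLF and inspect every command line."""
    return [(line, *inspect_command(line, client_ip))
            for line in stream.split(b"\r\n") if line]

# Constructed capture of a control channel from client 203.0.113.7
SAMPLE = (b"USER alice\r\nPASS s3cret\r\n"
          b"PORT 203,0,113,7,19,136\r\n"    # client's own address: allowed
          b"PORT 10,0,0,20,0,22\r\n"        # points at an internal host: dropped
          b"RETR report.pdf\r\n"
          b"DELE report.pdf\r\n"            # disallowed by policy
          b"\x00\x01junk\r\n")              # not FTP at all
```

A port-only filter would pass every one of these lines, since they all travel on the same control connection; the ALG drops three of them on layer-seven grounds.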

Some examples include making sure that data is sent in the right format and that there is no malware attached.

Other uses include snooping and censoring.

In fact, some ISPs have been known to use DPI (deep packet inspection) to scan the contents of a packet and reroute or drop packets meeting certain criteria.

High-bandwidth communications like those involving Skype or YouTube can be prioritized over somebody going to the RIT.edu website.

In fact, ISPs in certain countries use DPI to look for keywords and web addresses for censorship purposes.

DPI has actually evolved into DCI, deep content inspection, which examines an entire file or email attachment, looking for new generations of malware, for spam, for data exfiltration, for keywords, and other content.

In other words, DPI (deep packet inspection) just looks into the actual protocols and their behavior instead of relying on just headers from the lower layers.

That's great.

But DCI (deep content inspection) puts together parts of actual objects that are transmitted in parts of different packets, like PDFs and images.

DCI even decodes and decompresses files.

This is a much greater form of intelligence than the partial layer-seven data that DPI deals with.
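
The DPI-versus-DCI difference above, as an added example that is not code from the video or the course: a constructed marker string stands in for a malware signature, and the same content is sent once in the clear with the marker straddling a segment boundary and once gzip-compressed and out of order. Per-segment DPI misses it both times; the DCI path reassembles the object by sequence number, decompresses it when needed, and scans the whole decoded content. Everything here is constructed for the demo.

```python
import gzip

MARKER = b"CONSTRUCTED-BAD-CONTENT-MARKER"   # constructed stand-in for a malware signature

def build_segments(payload: bytes, size: int) -> list:
    """Split payload into (seq, chunk) pairs of at most size bytes each."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]

def dpi_scan(segments: list, pattern: bytes) -> bool:
    """Per-packet inspection: each segment is searched on its own, as received."""
    return any(pattern in chunk for _, chunk in segments)

def dci_scan(segments: list, pattern: bytes) -> bool:
    """Reassemble the object by sequence number, decode it, scan the whole content."""
    stream = b"".join(chunk for _, chunk in sorted(segments))
    if stream[:2] == b"\x1f\x8b":            # gzip magic number: decompress first
        stream = gzip.decompress(stream)
    return pattern in stream

def demo() -> dict:
    """Per-packet DPI vs DCI verdicts, as (dpi_found, dci_found), for two transfers."""
    plain = b"A" * 50 + MARKER + b" trailing bytes"
    segs = build_segments(plain, 64)          # marker straddles the 64-byte boundary
    zipped = gzip.compress(b"%PDF-1.4 report text " * 20 + MARKER + b" end")
    zsegs = build_segments(zipped, 64)        # compressed bytes never show the marker
    zsegs.reverse()                           # segments arrive out of order
    return {
        "plain": (dpi_scan(segs, MARKER), dci_scan(segs, MARKER)),
        "gzip": (dpi_scan(zsegs, MARKER), dci_scan(zsegs, MARKER)),
    }
```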

MORE ABOUT FIREWALL TECHNIQUES

In addition to firewalls, organizations can deploy a DMZ (demilitarized zone) to physically separate servers that the public should access from the servers that the public should not access.

Network Security First-Step: Firewalls, Donald Stoddard, Thomas M. Thomas, Cisco Press

DMZ (computing), Wikipedia

Virtual DMZs in the Cloud, Dejan Lukan, InfoSec Institute

Firewall DMZ Zone, Firewall.cx

Reposted from: https://www.cnblogs.com/sec875/articles/10420193.html
