What Is the Difference Between Firewall and Antivirus Software?

What is sold as a hardware firewall is usually a software firewall embedded in dedicated hardware. A security software vendor has an appliance built to its specification by a server manufacturer and ships it with an embedded Linux system and its own firewall software; Symantec's SGS, for example, is Dell hardware running Symantec's firewall software. The advantage claimed for this arrangement is the operating system: a product such as Microsoft ISA Server must run on Windows Server, a general-purpose system with its own history of vulnerabilities, and a security policy enforced on top of a platform that is itself exposed can be no more trustworthy than that platform. Compatibility is also simpler, because the vendor controls the whole stack. In practice, then, the main difference between a software firewall and a hardware firewall is the hardware it is bundled with.

In computing, a firewall is a device that helps protect information security by allowing or restricting the transmission of data according to specific rules. A firewall may be dedicated hardware or a set of software running on general-purpose hardware.
Chinese name: Hardware firewall
Field: Computing
Function: Protecting the system

Hardware firewall overview

A hardware firewall is one in which the firewall program is implemented in dedicated hardware (a chip or ASIC) so that filtering is performed by the hardware rather than by a general-purpose operating system; this reduces the load on the CPU and makes routing more stable. [1]
A hardware firewall is an important barrier protecting the internal network. Its security and stability bear directly on the security of the entire internal network, so routine daily inspection is essential to keeping the hardware firewall itself secure. [1]

Hardware firewall principle

The higher price of a hardware firewall is explained in part by its functions: a software firewall typically offers only packet filtering, whereas a hardware firewall may add content filtering (CF), intrusion detection (IDS), intrusion prevention (IPS), VPN termination and similar functions.
Because the firewall program is implemented in hardware, filtering does not burden the host CPU and routing is more stable, but the appliance is still a computer whose security and stability determine the security of the whole internal network, and it must be inspected routinely.
Many latent faults in a system show symptoms before or shortly after they break out. The task of routine inspection is to find these hidden dangers early and to localize the problem as precisely as possible so that it can be fixed.
(1) Packet filtering firewall
A packet filtering firewall is usually implemented on a router and filters on user-defined header fields such as IP addresses. It inspects each packet at the network layer, independently of the application layer, which gives good forwarding performance and scalability. Its security is limited for the same reason: because it never sees application-layer information, the firewall does not understand the content of the communication and can be bypassed by an attacker who crafts packets that satisfy the header rules.
Figure 1: Working principle of packet filtering firewall
(2) Application gateway firewall
An application gateway (proxy) firewall inspects the packets of every application-layer protocol it supports and feeds the inspected content into the decision process, which improves security. It does so by breaking the client/server model: each client/server communication requires two connections, one from the client to the firewall and one from the firewall to the server. Each proxied protocol also needs its own proxy process or background service, so for every new application a corresponding service program must be added, otherwise that service cannot pass the firewall. Application gateway firewalls therefore scale poorly. (Figure 2)
Figure 2: Working principle of application gateway firewall
(3) Stateful inspection firewall
A stateful inspection firewall keeps the advantages of a simple packet filter, namely good performance and transparency to applications, and on that basis greatly improves security. It removes the main shortcoming of simple packet filtering, which looks only at individual packets entering and leaving the network and ignores the state of the connection they belong to. The firewall core maintains a state (connection) table, tracks each connection, and treats packets entering and leaving the network as events to be processed against that table. In short, a stateful inspection packet filter regulates behavior at the network and transport layers, while an application proxy firewall regulates behavior within a specific application protocol. (Figure 3)
Figure 3: Working principle of stateful inspection firewall
(4) Composite firewall
A composite firewall is a newer generation that integrates stateful inspection with transparent proxying. It is typically built on an ASIC architecture and folds anti-virus scanning and content filtering into the firewall, together with VPN and IDS functions, combining several units in one device. Conventional firewalls cannot stop attacks hidden inside otherwise permitted traffic; scanning the application layer at the network interface, combining anti-virus, content filtering and firewalling, is the newer approach to network and information security. It performs OSI layer 7 content scanning at the network boundary and applies application-layer measures such as virus protection and content filtering at the network edge in real time. (Figure 4)
Comparison of the four types of firewall
Packet filtering firewall: does not inspect the data area (payload), keeps no connection state table, treats packets as unrelated to one another, and has weak application-layer control.
Application gateway firewall: does not inspect IP and TCP headers, keeps no connection state table, and has relatively weak network-layer protection.
Stateful inspection firewall: does not inspect the data area, keeps a connection state table so that successive packets are related, but has weak application-layer control.
Composite firewall: can inspect the entire packet content, keeps a connection state table as required, has strong network-layer protection and fine application-layer control, but weak session control.
Firewall terminology
Gateway: a system that provides forwarding services between two networks or devices. A firewall commonly acts as the gateway through which traffic between two hosts on different networks must pass. The term is very widely used.
DMZ (demilitarized zone): to simplify configuration and management, servers on the internal network that must provide services to the outside are often placed on a separate network segment; that segment is the demilitarized zone. A firewall is generally equipped with three network interfaces, connected to the internal network, the Internet and the DMZ respectively.
Throughput: network traffic consists of packets, and the firewall spends resources processing each one. Throughput is the amount of traffic that passes through the firewall per unit time without packet loss, and is an important measure of firewall performance.
Maximum number of connections: as with throughput, a larger number is better, but this figure is closer to real network conditions. Most traffic belongs to connections, that is, to established virtual channels, and the firewall spends resources tracking each one, so the maximum number of concurrent connections measures the firewall's capacity in this respect.
Packet forwarding rate: the rate at which the firewall processes traffic when all security rules are configured and in effect.
SSL: the Secure Sockets Layer is a set of Internet data security protocols developed by Netscape; its last version was 3.0, and it has since been superseded by TLS. It was widely used for authentication and encrypted data transmission between web browsers and servers. The protocol sits between TCP/IP and the application-layer protocols, providing security for data communication.
Network address translation (NAT): a technique that maps one IP address domain onto another while providing transparent routing for end hosts. NAT variants include static NAT, dynamic NAT, network address and port translation (NAPT), dynamic NAPT, and port mapping. NAT is commonly used to translate between private and public address ranges, which addresses the shortage of public IP addresses. When NAT is performed on the firewall, the internal topology of the protected network is hidden, which improves security to a degree, although NAT by itself is not an access-control mechanism and does not replace filtering rules. Reverse NAT with dynamic address and port translation can also be used to implement load balancing.
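The following is an added example, not code from the original article, showing why NAT on the firewall hides the internal topology and drops unsolicited inbound packets, and how a static port mapping (reverse NAT) publishes one internal service. The public address, private hosts, ports and the published service are constructed assumptions, and the translator is a simplified symmetric NAPT that allocates one public port per (private host, private port, destination).

```python
"""Simplified NAPT (network address and port translation) on a firewall.

Added example; addresses, ports and the port-forwarding entry are constructed.
"""


class Napt:
    """Symmetric NAPT: each (private host, private port, destination) gets its
    own public port, and inbound packets are accepted only when they match a
    mapping created by outbound traffic or a static port mapping (reverse NAT)."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.static = {}     # public_port -> (priv_ip, priv_port): published services

    def publish(self, public_port, priv_ip, priv_port):
        """Static port mapping ('reverse NAT'): expose one internal service."""
        self.static[public_port] = (priv_ip, priv_port)

    def outbound_packet(self, src, sport, dst, dport):
        """Rewrite an outbound packet's source to the public address.
        Returns the translated (src, sport, dst, dport)."""
        key = (src, sport, dst, dport)
        if key not in self.outbound:
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(public_port, dst, dport)] = (src, sport)
        return (self.public_ip, self.outbound[key], dst, dport)

    def inbound_packet(self, src, sport, dst, dport):
        """Rewrite an inbound packet's destination back to the private host.
        Returns the translated tuple, or None when no mapping exists: the packet
        is unsolicited and is dropped because there is nowhere to send it."""
        if dst != self.public_ip:
            return None
        target = self.inbound.get((dport, src, sport)) or self.static.get(dport)
        if target is None:
            return None
        return (src, sport, target[0], target[1])


def demo():
    """Constructed scenario: two internal hosts, one published DMZ service."""
    nat = Napt("203.0.113.1")               # constructed public address of the firewall
    nat.publish(443, "10.0.0.8", 8443)      # DMZ web server published on public port 443
    out1 = nat.outbound_packet("10.0.0.5", 40000, "198.51.100.20", 80)
    out2 = nat.outbound_packet("10.0.0.6", 40000, "198.51.100.20", 80)  # same private port, other host
    reply1 = nat.inbound_packet("198.51.100.20", 80, "203.0.113.1", out1[1])
    unsolicited = nat.inbound_packet("198.51.100.99", 1337, "203.0.113.1", 40000)
    published = nat.inbound_packet("198.51.100.99", 1337, "203.0.113.1", 443)
    return {"out1": out1, "out2": out2, "reply1": reply1,
            "unsolicited": unsolicited, "published": published}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

Both internal hosts leave the firewall as 203.0.113.1 with different public ports, so an outside observer learns nothing about 10.0.0.5 or 10.0.0.6; the reply to the first host is mapped back to its private address, while a packet that matches neither a dynamic mapping nor a published port is dropped. The published service is the exception, and it is exactly the traffic that still needs a filtering rule in front of it.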
Bastion host: a hardened computer, exposed to the Internet, that serves as the checkpoint into the internal network. Concentrating the network's security problem on one host saves time and effort, since defensive work can be focused there instead of being spread across every other host.

Basic functions of hardware firewall

The first element: the basic functions of the firewall. The firewall can be regarded as the network's first line of defense, so when an enterprise decides to protect its internal network with a firewall it must first understand what a firewall system basically does. This is the basis and prerequisite for choosing a firewall product. [1]
The second element: the enterprise's special requirements. Corporate security policies often contain requirements that not every firewall can meet, and this frequently becomes one of the deciding factors when choosing a firewall. [1]

Inside the hardware firewall

Hardware firewall configuration file

However comprehensive and rigorous the planning when a hardware firewall is installed, the situation changes continually once it is in production: the rules are adjusted and the configuration parameters are frequently modified. A network security manager should therefore write a security policy governing changes to the firewall's configuration and rules and enforce it strictly. The policy should be detailed down to which traffic is allowed and which services must go through a proxy.
The policy should also lay down the procedure for modifying the firewall configuration: which changes require authorization, who may make them, when they may be made, and how they are recorded. It should separate responsibilities, for example one person makes the change, another records it, and a third checks and tests that the modified settings are correct. A detailed policy makes configuration changes procedural and minimizes the errors and security holes that ad-hoc changes introduce.

Hardware firewall disk usage

If logs are kept on the hardware firewall, its disk usage must be checked; if logs are not kept, checking disk usage is more important still. Where logs are kept, an abnormal increase in disk usage most likely indicates a problem with log rotation or cleanup, which is comparatively easy to fix. Where no logs are kept, abnormal growth in disk usage suggests that the firewall may have been compromised and a rootkit or other unauthorized software installed on it.
Network security managers must therefore first learn the firewall's normal disk usage and use it to set a baseline for the check. When disk usage exceeds the baseline, the system has hit a security problem or some other fault and needs further inspection.

Hardware firewall CPU load

Like disk usage, CPU load is an important indicator of whether the firewall is operating normally, and the security manager must know its normal range. An unusually low load does not necessarily mean everything is fine, but an unusually high load almost certainly means the firewall system has a problem.
Excessive CPU load is most likely caused by a denial-of-service attack on the firewall or by a failed external network connection.

Hardware firewall daemon

Under normal operation every firewall runs a set of daemons, such as name service, system logging, network distribution and authentication programs. Routine inspection must verify that these programs are running. If some daemon is not running, find out what caused it to stop, and confirm which daemons are still running.

Hardware firewall system files

Changes to key system files fall into three categories: deliberate, planned changes by the administrators, such as those made during a planned system upgrade; incidental changes by administrators; and modifications made by an attacker.
Checking the system files regularly, together with the record of changes to them, lets you detect attacks on the firewall in time. It bears repeating that the record of changes to system files is best made part of the hardware firewall configuration change policy.
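The following is an added example, not code from the original article, of the check described above: a SHA-256 fingerprint of key files taken at install time is compared with a fresh fingerprint, and every difference is classified as planned (present in the change record kept under the configuration change policy), modified, added or removed. The file paths, contents and change record are constructed; on a real appliance the baseline would be computed from the installed files and stored off the box, since a baseline kept on a compromised firewall can be rewritten by the attacker.

```python
"""Baseline integrity check of a firewall's key system files.

Added example; file contents, paths and the change record are constructed.
"""
import hashlib


def fingerprint(files):
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_to_baseline(baseline, current, change_record=frozenset()):
    """Classify every difference between the baseline and the current fingerprint.

    change_record holds the paths whose modification was authorized and logged
    under the configuration change policy; anything else that differs is
    unexplained and must be investigated."""
    report = {"planned": [], "modified": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        if path in baseline and path in current and baseline[path] == current[path]:
            continue                                   # unchanged
        if path in change_record:
            report["planned"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif path not in baseline:
            report["added"].append(path)
        else:
            report["modified"].append(path)
    return report


def is_clean(report):
    """True only when every difference is accounted for by the change record."""
    return not (report["modified"] or report["added"] or report["removed"])


# Constructed snapshots of a few files at install time and at inspection time.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication yes\n",
    "/bin/ls": b"\x7fELF...original-binary...",
    "/etc/cron.d/logrotate": b"0 3 * * * root /usr/sbin/logrotate\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",  # planned hardening
    "/bin/ls": b"\x7fELF...replaced-binary...",                                  # unexplained
    "/etc/ld.so.preload": b"/lib/libhide.so\n",                                  # new, unexplained
    # /etc/cron.d/logrotate is gone: also unexplained
}
CHANGE_RECORD = frozenset({"/etc/ssh/sshd_config"})  # what the change log says was authorized


def inspect(baseline_files=BASELINE_FILES, current_files=CURRENT_FILES,
            change_record=CHANGE_RECORD):
    """Run the comparison on the constructed snapshots."""
    return compare_to_baseline(fingerprint(baseline_files), fingerprint(current_files),
                               change_record)


if __name__ == "__main__":
    r = inspect()
    for kind, paths in r.items():
        print(f"{kind:9s} {paths}")
    print("clean" if is_clean(r) else "UNEXPLAINED CHANGES: investigate")
```

The planned sshd_config change is reported separately and does not raise an alarm; the replaced binary, the new preload file and the missing cron job are exactly the unexplained differences the inspection exists to surface.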

Hardware firewall exception log

The hardware firewall log records every permitted or denied communication and is the main source of information on the firewall's health. Because the volume of log data is large, checking for exceptions should normally be automated. What counts as an exception must still be defined by the administrator: only once the abnormal events have been defined and recorded will the firewall keep the corresponding log entries for later review.
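The following is an added example, not code from the original article, of an automated exception check of the kind described above. The log line format, the sample lines, the address range and the thresholds are all constructed assumptions; a real appliance has its own format and the parser must be adapted to it. Three administrator-defined exceptions are checked: permitted inbound traffic to a service that is not published, one source denied on many distinct ports (a scan), and lines the parser cannot read at all, which are themselves a sign of a format change or tampering.

```python
"""Automated exception check over hardware firewall log lines.

Added example; log format, sample lines and thresholds are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
INSIDE_PREFIX = "10."             # assumption: the protected network is 10.0.0.0/8
PUBLISHED_INBOUND_PORTS = {443}   # assumption: only the DMZ web service is reachable from outside
DENY_PORT_THRESHOLD = 5           # distinct denied ports from one source before it counts as a scan


def parse(lines):
    """Yield a dict per parsed line, or None for a line the parser cannot read."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            yield None
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        yield e


def find_exceptions(lines):
    """Return (rule, *details) tuples for the events defined as abnormal."""
    findings = []
    denied_ports = defaultdict(set)   # source -> set of destination ports it was denied
    unparsable = 0
    for e in parse(lines):
        if e is None:
            unparsable += 1
            continue
        inbound = not e["src"].startswith(INSIDE_PREFIX) and e["dst"].startswith(INSIDE_PREFIX)
        if e["action"] == "DENY":
            denied_ports[e["src"]].add(e["dport"])
        elif inbound and e["dport"] not in PUBLISHED_INBOUND_PORTS:
            # Permitted inbound traffic to an unpublished service: a rule is wrong or was changed.
            findings.append(("unexpected_inbound_allow", e["src"], e["dst"], e["dport"]))
    for src, ports in sorted(denied_ports.items()):
        if len(ports) >= DENY_PORT_THRESHOLD:
            findings.append(("port_scan", src, len(ports)))
    if unparsable:
        findings.append(("unparsable_lines", unparsable))
    return findings


# Constructed sample log: a scan, normal outbound browsing, one suspicious
# inbound allow, a single stray deny, and a line in a different format.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DENY TCP 198.51.100.7:51234 -> 10.0.0.5:22
2024-03-01T10:00:01 DENY TCP 198.51.100.7:51235 -> 10.0.0.5:23
2024-03-01T10:00:02 DENY TCP 198.51.100.7:51236 -> 10.0.0.5:445
2024-03-01T10:00:02 DENY TCP 198.51.100.7:51237 -> 10.0.0.5:3389
2024-03-01T10:00:02 DENY TCP 198.51.100.7:51238 -> 10.0.0.5:8080
2024-03-01T10:00:03 ALLOW TCP 10.0.0.5:40000 -> 203.0.113.10:443
2024-03-01T10:00:04 ALLOW TCP 10.0.0.9:40100 -> 203.0.113.20:80
2024-03-01T10:00:05 ALLOW TCP 203.0.113.30:4444 -> 10.0.0.5:6667
2024-03-01T10:00:06 DENY UDP 192.0.2.44:9999 -> 10.0.0.12:161
2024-03-01T10:00:06 kernel: nf_conntrack: table full, dropping packet
2024-03-01T10:00:07 ALLOW TCP 10.0.0.12:40200 -> 203.0.113.10:443
"""


def check_sample():
    """Run the exception check over the constructed sample log."""
    return find_exceptions(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

The single denied SNMP probe from 192.0.2.44 stays below the threshold and is not reported, which is the point of defining exceptions in advance: the administrator decides what is abnormal, and the script only applies that definition at a volume no one could read by hand.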
Routine inspection of the six aspects above will not immediately reveal every problem and hidden danger a hardware firewall may face, but it is important that the inspections are performed consistently and reliably. Where necessary, administrators can also use a packet sniffer or port scanner to confirm that the firewall configuration is correct, or go further and use a vulnerability scanner to simulate attacks and assess the firewall's capabilities.

Comparison of hardware firewalls

Hardware firewall costs

A hardware firewall is a combination of software and hardware, and the buyer needs no additional investment after purchase. Typical prices are between 10,000 and 20,000 yuan.
A software firewall has three cost components: the software itself, the machine it is installed on, and that machine's operating system; at the time of writing Windows Server 2003 cost between 4,400 and 6,000 yuan.
Note: on the above basis, a software firewall configured for the minimum network requirements costs about 10,000 yuan.

Hardware firewall stability

Stability is largely determined by the platform the firewall runs on, that is, its operating system.
Hardware firewalls generally run Linux with a custom-compiled kernel, and the reliability and stability of Linux itself underpins the stability of the firewall as a whole. Linux rarely crashes; its stability comes from a kernel that is comparatively small rather than huge and riddled with holes. A system's stability depends mainly on its design. The PC hardware architecture has not changed fundamentally since its 1981 design, and continual backward compatibility has allowed poorly written applications to be carried over to each new version of Windows, which greatly hampers the stability of that software ecosystem. Linux's open-source development model, its most striking feature, means that vulnerabilities can be found and fixed promptly. Linux also incorporates many security measures, including read/write permission control, protected subsystems, audit trails and kernel-level authorization, which provide the necessary safeguards for users in a multi-user network environment.
Software firewalls are generally installed on Windows, which is easy to do, but the security and stability of the software firewall then depend on the vulnerabilities and instability of Windows itself. Microsoft has worked hard on these problems, and Windows Server 2003 has far fewer vulnerabilities than the earlier Windows NT, but compared with Linux it remains more exposed. As for viruses, Linux has historically been affected far less often, while the situation on Windows needs no elaboration for anyone who has used a computer. The ARP spoofing malware that has spread widely on internal networks in recent months, for example, has made intranets unstable, with intermittent interruptions and frequent disconnections that stop normal work and leave many network administrators helpless.

Main indicators of hardware firewall

Throughput and packet forwarding rate are the main indicators relevant to firewall deployment. The hardware of a hardware firewall is designed by a specialist manufacturer with throughput in mind from the outset, and so far outperforms a software firewall, whose hardware is in many cases chosen by the user without regard to throughput. The Windows system also consumes hardware resources itself, so its throughput and ability to handle large traffic volumes fall well short of a hardware firewall. A firewall with too little throughput becomes the network bottleneck, causing slow network speeds and apparently insufficient Internet bandwidth.

How hardware firewalls work

Software firewalls generally use a packet filtering mechanism. Packet filtering rules are simple: only layer 3, the network layer, is checked, and often only the source or destination IP address, so the protection is far weaker than that of a stateful inspection firewall, and because every packet is checked against the rules it is also slower. Hardware firewalls mainly use the fourth-generation stateful inspection mechanism. When a communication initiates a connection, stateful inspection checks whether the rules allow the connection to be established and, if so, adds an entry to a cached state table; subsequent packets need not be checked against the rules, only looked up in the state table, which greatly improves speed. Because it works at a higher level, its resistance to attack is much stronger than packet filtering. A stateful inspection firewall tracks more than the information contained in the packet itself: to track the state of packets it also records information that helps identify them, such as existing network connections and outgoing requests for data.
For example, if an incoming packet belongs to a video stream for which the firewall has already recorded the connection, the packet is matched against that record and allowed through.
The hardware firewall's implementation mechanism is thus very different from that of a software firewall, and this produces a large difference in how well the two resist attack.
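The following is an added example, not code from the original article, that demonstrates the difference described in this section and in the "Stateful inspection firewall" entry under "Hardware firewall principle": the same constructed packet sequence is run through a stateless packet filter and through a stateful inspection firewall whose rules are consulted only when a connection is opened, with later packets matched against the connection table. The internal address range, the rule set and the packet sequence are assumptions made for the demonstration, and the TCP state tracking is simplified to what the comparison needs.

```python
"""Packet-filter versus stateful-inspection decisions on constructed packets.

Added example; addresses, rules and the packet sequence are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # simplified TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "F" FIN, "R" RST


INSIDE_PREFIX = "10."  # assumption: the protected network is 10.0.0.0/8


def inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def packet_filter(p: Packet) -> bool:
    """Stateless packet filter: decides on the header fields of this one packet.

    Rule 1: inside -> outside is allowed.
    Rule 2: outside -> inside is allowed when the destination port is ephemeral
            (>1023), so that replies to outbound connections can come back.
    Rule 2 is the weakness: with no memory of earlier packets the filter cannot
    tell a genuine reply from an unsolicited packet aimed at an ephemeral port."""
    if inside(p.src) and not inside(p.dst):
        return True
    if not inside(p.src) and inside(p.dst) and p.dport > 1023:
        return True
    return False


class StatefulFirewall:
    """Stateful inspection: the rule set is consulted only for the packet that
    opens a connection; every later packet must match the connection table."""

    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) of the initiator -> state

    def decide(self, p: Packet) -> bool:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        entry = forward if forward in self.table else reverse if reverse in self.table else None
        if entry is not None:
            if p.flags == "SA" and entry == reverse:
                self.table[entry] = "ESTABLISHED"   # the server answered the SYN
            if p.flags in ("F", "R"):
                del self.table[entry]               # simplified teardown: first FIN/RST closes
            return True
        # No matching connection: only an inside host may open one, and only with a SYN.
        if p.flags == "S" and inside(p.src) and not inside(p.dst):
            self.table[forward] = "SYN_SENT"
            return True
        return False


# Constructed traffic: one outbound HTTPS session, two unsolicited inbound
# packets, and a packet that arrives after the session has been closed.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "S"),   # client opens the connection
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SA"),  # server reply
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "A"),   # handshake completes
    Packet("198.51.100.7", 53, "10.0.0.5", 40001, "A"),    # unsolicited, aimed at an ephemeral port
    Packet("198.51.100.7", 3389, "10.0.0.5", 445, "S"),    # unsolicited, aimed at a service port
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "F"),   # client closes
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "A"),   # late packet after the close
]


def compare(traffic=TRAFFIC):
    """Return each firewall type's verdict (True = pass) for every packet."""
    fw = StatefulFirewall()
    return {
        "packet_filter": [packet_filter(p) for p in traffic],
        "stateful": [fw.decide(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:14s}", ["pass" if v else "drop" for v in verdicts])
```

Both firewalls pass the legitimate session and drop the probe of port 445, but only the stateful firewall drops the unsolicited packet to port 40001 and the packet that arrives after the connection was torn down: the packet filter's rule 2 admits both because, looking at one packet at a time, they are indistinguishable from a reply.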

Intranet control of hardware firewall

Owing to the way they work, software firewalls offer no specific control and management of the internal network: they cannot restrict BT traffic, block QQ, prevent virus intrusion, or control Internet access by specific IP and MAC address. Their function is mainly outward-facing.
Building on the stateful inspection mechanism of hardware firewalls, security vendors can develop application-layer filtering rules for different market requirements and so control the internal network; they can filter at a high level and do many things software firewalls cannot. For the widespread ARP malware in particular, hardware firewall vendors have devised countermeasures based on how it operates in order to stop the harm it causes.
Network security, and the firewall, is not only about stopping external hacking attacks. Internal corporate networks more often suffer from slow Internet access, intermittent outages and abnormal mail sending and receiving. Analysis shows the main cause is intranet users themselves: many use BT downloads and browse dubious websites during working hours, which brings problems such as viruses onto the intranet, many of them introduced by users' bad habits. Controlling and managing intranet users is therefore essential.
