

Published: 2008-2-18 14:05 | Author: 希赛网 | Source: 希赛网


   The purpose of a network firewall is to provide a shell around the network which will protect the systems connected to the network from various threats. The types of threats a firewall can protect against include:
    Unauthorized access to network resources—an intruder may break into a host on the network and gain unauthorized access to files.
    Denial of service—an individual from outside of the network could, for example, send thousands of mail messages to a host on the net in an attempt to fill available disk space or load the network links[1].
    Masquerading—electronic mail appearing to have originated from one individual could have been forged by another with the intent to embarrass or cause harm[2].
   A firewall can reduce risks to network systems by filtering out inherently insecure network services. Network File System (NFS) services, for example, could be prevented from being used from outside of a network by blocking all NFS traffic to or from the network. This protects the individual hosts while still allowing the service, which is useful in a LAN environment, on the internal network. One way to avoid the problems associated with network computing would be to completely disconnect an organization's internal network from any other external system. This, of course, is not the preferred method. Instead what is needed is a way to filter access to the network while still allowing users access to the "outside world".
   In this configuration, the internal network is separated from external networks by a firewall gateway. A gateway is normally used to perform relay services between two networks. In the case of a firewall gateway, it also provides a filtering service which limits the types of information that can be passed to or from hosts located on the internal network. There are three basic techniques used for firewalls: packet filtering, circuit gateway, and application gateways. Often, more than one of these is used to provide the complete firewall service.
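The NFS case described above, as an added example that is not part of the original text: a first-match, default-deny packet filter of the kind a screening router applies at the network boundary. The internal range 10.0.0.0/8, the rule layout and the sample packets in the usage note are assumptions; ports 111 (rpcbind) and 2049 (nfsd) are the usual NFS ports.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
ANY = ipaddress.ip_network("0.0.0.0/0")
NFS_PORTS = frozenset({111, 2049})              # rpcbind/portmapper and nfsd

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    ack: bool = False   # TCP ACK set: belongs to an already opened connection

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset = frozenset()  # empty set means any destination port
    need_ack: bool = False           # match only TCP packets with ACK set

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (not self.dports or p.dport in self.dports)
                and (not self.need_ack or (p.proto == "tcp" and p.ack)))

# Order matters: the first matching rule decides.
RULES = [
    Rule("deny", ANY, ANY, NFS_PORTS),           # no NFS to or from the network
    Rule("allow", INTERNAL, ANY),                # users may reach the outside world
    Rule("allow", ANY, INTERNAL, need_ack=True), # replies to connections opened inside
]

def inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL

def screen(p: Packet, rules=RULES) -> str:
    """Return the screening router's verdict for one packet."""
    if inside(p.src) == inside(p.dst):
        return "not-routed"   # stays on one side; the boundary router never sees it
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"             # default deny: anything not explicitly allowed is dropped
```

`screen(Packet("203.0.113.9", "10.1.1.5", "tcp", 2049))` returns `"deny"`, while the same request between two internal hosts returns `"not-routed"`, which is why NFS keeps working on the LAN.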
   There are several firewall configuration schemes in the practical application of inter-network security. They usually use the following terminology:
    Screening router—it can be a commercial router or a host-based router with some kind of packet filtering capability.
    Bastion host—it is a system identified by the firewall administrator as a critical strong point in the network security.
    Dual-homed gateway—some firewalls are implemented without a screening router, by placing a system on both the private network and the Internet, and disabling TCP/IP forwarding.
    Screened-host gateway—it is possibly the most common firewall configuration. This is implemented using a screening router and a bastion host.
    Screened subnet—an isolated subnet is situated between the Internet and the private network. Typically, this network is isolated using screening routers, which may implement varying levels of filtering.
    Application-level gateway—it is also called a proxy gateway and usually operates at a user level rather than the lower protocol level common to the other firewall techniques.


  gateway    网关
  circuit gateway   电路网关
  packet filtering   包过滤
  screening router   屏蔽路由器
  application-level gateway  应用级网关
  bastion host    堡垒主机
  screened subnet   屏蔽子网
  dual-homed gateway   双宿主网关
  screened-host gateway   屏蔽主机网关
  proxy gateway    代理网关

Fill in the blanks with appropriate terms or phrases.
(1) The purpose of a network firewall is to protect the systems connected to the network from ______.
(2) An intruder may break into a host on the network; this action is called ______.
(3) An attempt to fill available disk space or load the network links can cause ______.
(4) A firewall can ______ out inherently insecure network services.
(5) A firewall gateway is used to separate the internal network from ______.
(6) There are three basic techniques used for firewalls: ______.
(7) A system that is identified by the firewall administrator as a critical strong point in the network security is ______.
(8) A firewall implemented by a screening router and a bastion host is called ______.
(9) A system that is placed on both the private network and the Internet and blocks TCP/IP forwarding is ______.
(10) An isolated subnet that is situated between the Internet and the private network is ______.
  b. dual-homed gateway
  c. packet filtering, circuit gateway and application gateway
  d. various threats
  e. bastion host
  f. unauthorized access
  g. screened subnet
  h. external networks
  i. screened-host gateway
  j. denial of service

(1)d  (2)f   (3)j   (4)a
(5)h  (6)c   (7)e   (8)i
(9)b  (10)g


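 Unauthorized access to network resources—an intruder penetrates a host on the network and accesses files without authorization;
 Denial of service—someone outside the network may send thousands of mail messages to a host on the network in an attempt to fill the available disk space or saturate the network links;
 Masquerading—electronic mail sent by one person may be tampered with by someone with ulterior motives, embarrassing or harming the original sender.
 Screening router—it can be a commercial router, or a host-based router with some kind of packet filtering capability.
 Bastion host—a system identified by the firewall administrator as the most critical point of network security.
 Dual-homed gateway—some firewalls do not use a screening router; instead a system is placed between the private network and the Internet, and forwarding of TCP/IP packets is not allowed.
 Screened-host gateway—possibly the most common firewall configuration; it consists of a screening router and a bastion host.
 Screened subnet—an isolated subnet located between the Internet and the private network. Generally, this network is isolated with a screening router, which can implement different levels of filtering.
 Application-level gateway—also called a proxy gateway; unlike ordinary firewalls, which work at the lower protocol levels, it usually works at the user level.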


Article source: 领测软件测试网 https://www.ltesting.net/
