How a firewall works

"Will a hacker come after me?" Indeed he will: a hacker is happy to slip through any crack in the eggshell, and the faintest glimmer of light from a vulnerability in your system is a temptation. So how do you protect your network? The computer experts will probably suggest installing a firewall on the network, which raises the first question: what is a firewall?

What is a firewall?
A firewall is a kind of filter plug (don't take that the wrong way for now): you let the things you like pass through the plug, and everything else is filtered out. In the networked world, what the firewall filters are the packets that carry communication data.

Every firewall in the world says at least two words: yes or no; put bluntly, accept or reject. The simplest firewall is an Ethernet bridge, though almost nobody considers how useful this primitive firewall can be. The technologies and standards adopted by most firewalls vary widely, and the firewalls themselves come in many forms: some replace the TCP/IP protocol stack already present on the system; some build their own software modules on top of the existing stack; some are simply independent operating systems. There are also application firewalls that protect only certain kinds of network connections (such as SMTP or HTTP), and some hardware-based firewall products really ought to be classified as security routers. All of these products can be called firewalls because they work the same way: they analyze the packets entering and leaving the firewall and decide whether to let them through or throw them away.

All firewalls perform IP address filtering. The job is to inspect the IP header and make a forward/discard decision based on its source and destination IP addresses. In the picture below, a firewall sits between two network segments: a UNIX computer on one side of the firewall, and a PC client on the other segment.

When the PC client initiates a telnet request to the UNIX computer, the PC's telnet client program generates a TCP packet and hands it to the local protocol stack for sending. The stack then "wraps" the TCP packet in an IP packet and sends it toward the UNIX computer along the path defined by the PC's TCP/IP stack. In this example, the IP packet must pass through the firewall that sits between the PC and the UNIX computer before it can reach the UNIX computer.

Now we "order" the firewall (in professional terms, configure it) to reject all packets sent to the UNIX computer. Once this is done, a more considerate firewall will even notify the client program. Since IP packets addressed to the target can no longer be forwarded, only users on the same network segment as the UNIX computer can reach it.

Alternatively, you can order the firewall to pick on that poor PC alone: other people's packets pass, but the PC's do not. This is the most basic function of a firewall: forwarding decisions based on IP address. But this trick does not hold up on the big stage, because hackers can use IP address spoofing: a computer disguised with a legitimate address can traverse a firewall that trusts that address. Even so, address-based forwarding decisions remain the most basic and necessary mechanism. One more point: never build filter tables from DNS host names, because forging DNS is far easier than spoofing IP addresses.

Server TCP/UDP port filtering
Filtering by address alone is not feasible in practice. A further reason is that a target host usually runs a variety of communication services at once. For example, we may not want users to telnet to a system, but that does not mean we must also bar them from its SMTP/POP mail servers, does it? So, besides the address, we also need to filter on the server's TCP/UDP port.

For example, the default port for the telnet service is 23. If we don't want the PC client to establish telnet connections to the UNIX computer (which we treat as a server in this case), we simply instruct the firewall to inspect the packets sent to the UNIX server and filter out those with destination port 23. So, can we combine the IP address and the server's destination TCP/UDP port as filtering criteria and get a fairly reliable firewall? No, it's not that simple.
Clients also have TCP/UDP ports
TCP/IP is an end-to-end protocol in which every network node has a unique address. The same holds at the application layer of a node: every application and service has its own corresponding "address", the port number. Both the address and the port are needed to establish effective communication between client and server applications. The telnet server, for example, listens for inbound connections on port 23; at the same time the telnet client also has a port number, otherwise how would the client's IP stack know which application a given packet belongs to?

For historical reasons, almost all TCP/IP client programs use random port numbers above 1023. On a UNIX computer only the root user can use ports below 1024, and those ports are reserved for services on the server. Therefore, unless we let all packets with port numbers above 1023 into the network, the various network connections will not work properly.

This is a headache for the firewall. If you block all inbound ports, no client can use network resources, because the server's responses to outgoing connection requests are inbound (that is, they enter through the firewall) and cannot get past the firewall's inbound filtering. Conversely, is it feasible to open all ports above 1023? Not really, because many services use ports above 1023: X clients, RPC-based NFS services, and numerous non-UNIX IP products (NetWare/IP). So is it safe to let every packet that meets the "above 1023" criterion into the network? Not even those client programs would dare claim to be safe enough.

Two-way filtering
OK, let's change our thinking. We give the firewall an order like this: packets for known services may come in, and everything else is blocked outside the firewall. For example, if you know that users want to access a Web server, then only let packets whose source port is 80 into the network.

But new problems arise. First, how do you know which port numbers the server you want to reach is running on? A server like HTTP can be configured arbitrarily, and so can the ports it uses. If you set up the firewall this way, you will be unable to reach any site that does not use the standard port numbers! Conversely, you cannot guarantee that packets entering the network with source port 80 really come from a Web server; some hackers exploit this by running their own intrusion tools on port 80 of their machine.
Checking the ACK bit
We can't trust the source address, and we can't trust the source port either. What else can we trust in this crazy world where we must dance with hackers? Fortunately, things have not reached a dead end. There is still a countermeasure, though it works only for the TCP protocol.

TCP is a reliable communication protocol. "Reliable" means the protocol has certain special properties, including error-correction mechanisms. To achieve reliability, every TCP connection first goes through a "handshake" to exchange connection parameters, and each packet sent must be acknowledged before further packets are sent. But it is not necessary to answer every TCP packet with a dedicated ACK packet; this can be done simply by setting a special bit in the TCP header. So whenever a response packet is generated, the ACK bit is set. The first packet of a connection session is not an acknowledgment, so it does not have the ACK bit set, while the TCP packets exchanged for the rest of the session do.

For example, a PC initiates a connection to a remote Web server by generating a connection-request packet without the ACK bit set. When the server responds, it sends back a packet with the ACK bit set and records in it the number of bytes received from the client. The client then answers with its own packet, which also sets the ACK bit and records the number of bytes received from the server. By monitoring the ACK bit, we can limit the data entering the network to response packets. A remote system can then respond to packets it receives but cannot itself initiate a TCP connection.

This mechanism cannot be considered flawless. For a simple example, suppose we have an internal Web server; then port 80 must be opened so that external requests can enter the network. Also, UDP packets cannot be screened on the ACK bit, because UDP has no ACK bit at all. And there are TCP applications, such as FTP, in which the server program must initiate a connection.

Difficulties caused by FTP
Ordinary Internet services use only one pair of port numbers for all their communication, whereas an FTP program uses two pairs during a connection. The first pair, the FTP "command channel", provides the communication link for logging in and executing commands; the other pair, the FTP "data channel", carries file transfers between client and server.

In a normal FTP session, the client first sends a TCP connection request to port 21 on the server (the command channel) and then issues various commands such as LOGIN and DIR. Once the user asks the server to send data, the FTP server uses its port 20 (the data channel) to initiate a connection to the client's data port. The problem is that when the server initiates a connection to transfer data to the client, it sends a packet without the ACK bit set, and by the rule just described the firewall rejects that packet. Usually only an advanced, sufficiently intelligent firewall can see the port the client just told the server to use and then allow an inbound connection to that port.
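As an added Python example (not code from the original article), the address, port and ACK-bit rules described above combined into one small inbound filter, then run against the active-mode FTP exchange just discussed; the internal segment, the internal web server, the external addresses and the client's data port are all assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example, not code from the original article: a stateless
# inbound filter combining the address, port and ACK-bit rules above,
# then run against the active-mode FTP transfer described in the text.

INTERNAL_NET = "10.0.0."            # hypothetical internal segment prefix
WEB_SERVER = ("10.0.0.80", 80)      # hypothetical internal web server

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ack: bool = False   # TCP ACK flag; UDP has no such bit

def inbound_allowed(pkt: Packet) -> bool:
    """Decide whether a packet arriving on the external interface may pass."""
    # Address rule: nothing arriving from outside may claim an inside source.
    if pkt.src_ip.startswith(INTERNAL_NET):
        return False
    # UDP cannot be judged by the ACK bit; it needs the separate treatment
    # the text gives it later, so this filter simply refuses it.
    if pkt.proto != "tcp":
        return False
    # Port rule: the one service we deliberately expose to new connections.
    if (pkt.dst_ip, pkt.dst_port) == WEB_SERVER:
        return True
    # ACK-bit rule: otherwise admit only replies to connections opened inside.
    return pkt.ack

def ftp_active_transfer(client_ip: str, data_port: int) -> list[bool]:
    """Decisions for the two inbound packets of an active-mode FTP session."""
    server = "203.0.113.5"          # hypothetical external FTP server
    return [
        # Reply on the command channel (port 21): ACK set, so it passes.
        inbound_allowed(Packet("tcp", server, 21, client_ip, 40000, ack=True)),
        # Server opens the data channel from port 20: no ACK, so it is blocked.
        inbound_allowed(Packet("tcp", server, 20, client_ip, data_port)),
    ]

if __name__ == "__main__":
    print(ftp_active_transfer("10.0.0.7", 40001))   # [True, False]
```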

UDP port filtering
Now let's go back and see how to solve the UDP problem. As I said above, UDP packets have no ACK bit, so ACK-bit filtering is impossible. UDP is "unreliable" communication: datagrams are simply sent out, with no regard for the type of service. This kind of service is typically used for tasks such as broadcast, routing and multimedia. NFS, DNS, WINS, NetBIOS-over-TCP/IP and NetWare/IP all use UDP.

The simplest approach seems to be not allowing inbound UDP connections at all: set the firewall to forward only UDP packets from the internal interface and never those from the external interface. The problem is that DNS name resolution requests, for example, use UDP; if you provide DNS services, at least some internal requests must be allowed to cross the firewall. Client programs like IRC also use UDP, and if you want your users to use it, you must let their UDP packets into the network too. All we can do is restrict connections from local hosts to trusted sites. But what counts as trustworthy? If hackers resort to address spoofing, aren't we back on the old road?

Some newer routers can solve this by "remembering" outbound UDP packets: if an inbound UDP packet matches the destination address and port number of a recent outbound UDP packet, it is let in; if no matching UDP packet is found in memory, it is rejected. But how can we be sure that the external host that generated the packet is the server the internal client wanted to talk to? If a hacker spoofs the address of the DNS server, then in theory he can of course launch an attack from the UDP port used by DNS. As long as DNS queries and their replies are allowed into the network, this problem is bound to exist. The solution is to use a proxy server.
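The "remember outbound UDP" rule as an added Python example (not code from the article or from any router vendor): a state table that admits an inbound datagram only if it mirrors a recent outbound one, walked through a DNS lookup; the client and resolver addresses, ports and the 30-second timeout are assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example, not code from the original article: the router rule
# "remember outbound UDP and admit only matching replies" as a state table.

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class UdpStateTable:
    """Admit an inbound UDP packet only if it answers a recent outbound one."""
    def __init__(self, timeout: float = 30.0) -> None:
        self.timeout = timeout
        # (inside_ip, inside_port, outside_ip, outside_port) -> time sent
        self._pending: dict[tuple[str, int, str, int], float] = {}
    def outbound(self, pkt: UdpPacket, now: float) -> None:
        # Remember a datagram that left through the internal interface.
        self._pending[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
    def inbound_allowed(self, pkt: UdpPacket, now: float) -> bool:
        # Forget requests the client has given up waiting for.
        self._pending = {k: t for k, t in self._pending.items()
                         if now - t <= self.timeout}
        # A reply carries the request's endpoints swapped. Only addresses and ports
        # are compared, so a forged source address is indistinguishable (hence the proxy).
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self._pending:
            del self._pending[key]  # one question, one answer
            return True
        return False

def dns_scenario() -> list[bool]:
    """Inbound decisions around two DNS lookups (hypothetical addresses)."""
    table, decisions = UdpStateTable(), []
    client, resolver = ("10.0.0.7", 51000), ("198.51.100.53", 53)
    table.outbound(UdpPacket(*client, *resolver), now=0.0)  # query goes out
    # Unsolicited datagram to a NetBIOS port: nothing pending, dropped.
    decisions.append(table.inbound_allowed(UdpPacket("203.0.113.9", 137, "10.0.0.7", 137), 0.1))
    # The resolver's answer mirrors the query's endpoints: admitted.
    decisions.append(table.inbound_allowed(UdpPacket(*resolver, *client), 0.2))
    # The same answer a second time: the entry was consumed, dropped.
    decisions.append(table.inbound_allowed(UdpPacket(*resolver, *client), 0.3))
    # A second query whose answer arrives 39 s later: entry expired, dropped.
    table.outbound(UdpPacket("10.0.0.7", 51001, *resolver), now=1.0)
    decisions.append(table.inbound_allowed(UdpPacket(*resolver, "10.0.0.7", 51001), 40.0))
    return decisions
```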

A proxy server, as the name suggests, is the server that deals with the outside world on behalf of your network. The proxy server permits no direct connections between the inside and the outside of the network; it provides multiple functions itself, such as public and private DNS, a mail server and so on. The proxy server rewrites packets rather than simply forwarding them. It looks as though the hosts inside the network are all standing at the network's edge, but in fact they are hiding behind the proxy, and what shows is only the proxy's mask.

IP addresses may also be forged, thanks to the IP protocol's source routing mechanism. This mechanism tells routers not to use the normal path for a packet but to forward it along the path given in the header. A hacker can then use a system's IP address and still obtain the returned packets. Some advanced firewalls let users disable source routing. Usually our network connects to the ISP over one path and from there reaches the Internet; disabling source routing forces packets to return along the normal path.

We also need to understand what else the firewall does when it rejects a packet. For example, does the firewall send an ICMP "host unreachable" message back to the system that initiated the connection? Or does it do nothing else at all? These questions carry potential security hazards. An ICMP "host unreachable" message tells the hacker that "the firewall has blocked certain ports", and the hacker can immediately smell something from it. When "host unreachable" is a genuine error during communication, an honest system may in fact send nothing at all. Conversely, if there is no response, the initiating system keeps trying to establish the connection until the application or protocol stack times out, and the end user ultimately gets only an error message. Of course, this approach makes it impossible for hackers to judge whether a port is closed or simply unused.
