Wednesday, January 5, 2011
【Weak Current College】 How to resolve the contradiction between firewall efficiency and security
In network security defense, firewalls are winning more and more customers. As an information security service and a piece of network and information security infrastructure, a firewall separates the intranet from public networks such as the Internet, treats them as different networks or security domains, and controls the flow of information into and out of the network according to the corporate security policy. Combined with the firewall's own strong resistance to attack, this effectively monitors activity between the intranet and the Internet and provides a strong guarantee for internal network security.
However, while the firewall secures the internal network, it also has a side effect: it reduces network operating efficiency. In the design of a traditional firewall, packet filtering (the main application of firewall security technology) simply matches each packet against a rule table: packets that comply with a rule are processed, and packets that do not are discarded. Because the inspection is rule-based, different packets belonging to the same connection have no relationship to each other, and every packet must be filtered against the rules in order. Since network security involves many complex technical areas, the number of security rules often reaches hundreds or even thousands. As the number of security rules grows, many firewall products show significantly reduced performance and exhausted network resources, resulting in network congestion. The dilemma between security and efficiency has therefore become the biggest problem of the traditional firewall. In addition, under this design, hackers can use IP spoofing to disguise their own illegal packets as part of a legitimate connection in order to invade the user's internal network. Traditional packet filtering technology is therefore inefficient and prone to security vulnerabilities.
Today, technology has gradually integrated the network into people's lives. People who enjoy the convenience of the Internet demand not only a high level of safety but also a higher data transfer rate. To meet this need, a firewall product must improve its security performance and resolve the transfer-rate bottleneck, achieving both safety and efficiency. Connection-based packet filtering technology was developed to achieve this goal. The company Legendmaker recently launched new firewall products with this independently developed core technology: the data flow of all packets belonging to the same connection is treated as a whole and passed through a rule table together with a connection state table, greatly improving the efficiency and security of transport and thus better addressing the firewall's inherent contradiction between security and efficiency.
Unlike traditional connectionless packet filtering technology, connection-state-based packet filtering does not treat a packet only as an independent unit; it also takes the packet's historical relationship into account. For example, in a connection based on the TCP protocol, each transferred packet includes the IP source address, the IP destination address, the protocol, the source and destination ports and other information, and also information such as the TCP handshake messages permitted within the allowed time interval. This information is related across packets. In other words, packets belonging to the same connection are not isolated; associated information exists between them. Because connectionless packet filtering rules ignore this inherent associated information and inspect each packet in isolation, such rules significantly reduce transmission efficiency.
Because its packet filtering is connection-based, the Legendmaker firewall can record the connection status of a packet when it passes the rule check; subsequent packets of that connection are no longer checked against the rules but are simply checked against the status record of the connection to which the packet belongs. If the packet carries the appropriate state identity, it belongs to a legitimate connection that has already been established and can be accepted. After the check, the connection status record is refreshed. This lets packets of the same connection avoid duplicate checks. At the same time, since the order of the rule table is fixed and it can only be searched linearly, whereas the records of the connection state table can be arranged freely, the state table can use fast search algorithms such as binary trees or hashing, which improves the efficiency of the transmission system. In addition, real-time connection status monitoring can use factors in the state table, such as ACK (acknowledgment response) and the absence of a matching connection status, to identify packets that should not be allowed through, enhancing system security.
In addition, for applications based on the UDP protocol, which itself does no reordering or retransmission for out-of-order or missing packets, it is difficult to process traffic with simple packet filtering technology. For connections based on the UDP protocol, the Legendmaker firewall establishes a virtual UDP connection, handled similarly to a connection state process; through the combination of rule-based monitoring and connection status, it achieves both packet filtering efficiency and security.
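As an added illustration (constructed for this page, not Legendmaker's code), the following Python model shows the mechanism described in the two paragraphs above: a new TCP connection must begin with a SYN that passes a linear scan of the rule table, later packets are matched by a hashed 5-tuple lookup in a connection state table that follows the handshake, a packet with no matching state (such as a bare ACK from a spoofed source) is dropped before the rules are consulted, and UDP traffic gets a virtual connection with an assumed 30-second timeout.

```python
import time
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN"}

class StatefulFilter:
    UDP_TIMEOUT = 30.0  # assumed lifetime of a virtual UDP connection (seconds)

    def __init__(self, rules):
        self.rules = rules   # ordered (proto, dport, action); scanned linearly, new connections only
        self.table = {}      # 5-tuple -> [state, last_seen]; hashed, O(1) lookup per packet

    def _rule_allows(self, pkt):
        for proto, dport, action in self.rules:
            if pkt.proto == proto and dport in (None, pkt.dport):
                return action == "accept"
        return False  # no matching rule: default deny

    def process(self, pkt, now=None):
        now = time.monotonic() if now is None else now
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        key = fwd if fwd in self.table else rev if rev in self.table else None
        if key is not None:
            entry = self.table[key]
            if pkt.proto == "udp" and now - entry[1] > self.UDP_TIMEOUT:
                del self.table[key]   # stale virtual connection: fall through to a fresh rule check
            else:
                # Known connection: advance the handshake state, refresh the record, skip the rules.
                if pkt.proto == "tcp":
                    if entry[0] == "SYN_SENT" and key == rev and {"SYN", "ACK"} <= pkt.flags:
                        entry[0] = "SYN_RECV"
                    elif entry[0] == "SYN_RECV" and key == fwd and "ACK" in pkt.flags:
                        entry[0] = "ESTABLISHED"
                entry[1] = now
                return "accept"
        # Unknown connection: only a TCP SYN or a UDP datagram may open one, via the rule table.
        if pkt.proto == "tcp" and pkt.flags != frozenset({"SYN"}):
            return "drop"  # e.g. a bare ACK with no state: stray or spoofed, never reaches the rules
        if not self._rule_allows(pkt):
            return "drop"
        self.table[fwd] = ["SYN_SENT" if pkt.proto == "tcp" else "UDP", now]
        return "accept"
```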