Wednesday, January 26, 2011

【Weak Current College】 Interpretation of distributed firewall - skills (2).



5. The basic principle of distributed firewall
A distributed firewall is still defined centrally, but the policy is enforced by each endpoint distributed across the network. It relies on three main components: a policy language that states which kinds of connections are allowed or prohibited, a system management tool, and the IP Security protocol (IPsec).
There are many policy languages; KeyNote, for example, is a common one. In fact, as long as the chosen language can conveniently express the required policy, which language is used is not the main point. The real key is how internal hosts are identified, and obviously they should not be identified the way a traditional firewall does it, by the physical port they are attached to. Using the IP address to identify an internal host is one of the main options, but its security is not high, so I prefer to use IPsec cryptographic credentials to identify each host: these give every host a reliable, unique identity that does not depend on the network's physical topology.
The system management tool of the distributed firewall server distributes the generated policy file to all hosts protected by the firewall. Note that the "firewall" here is not a physical firewall in the traditional sense, but a logically distributed firewall. IPsec is the encryption-based protection mechanism at the network layer of the TCP/IP protocol family. It includes AH and ESP, which perform authentication on the IP header and on the entire IP packet respectively, and it can prevent various host attacks.
Now let us look at how a distributed firewall works.
First, the access control policy set at the firewall center is compiled from its policy language description into an internal format, forming the policy file. Then the center's system management tool distributes the policy file to each "internal" host. An "internal" host then decides in two ways whether an incoming packet can be accepted: on the one hand based on IPsec, on the other hand based on the policy file from the server side.
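As an added illustration (not code from the original post), here is a small Python model of the workflow just described: the center compiles a policy written in a constructed rule language into an internal table, the management tool pushes it to an endpoint, and the endpoint accepts a packet only if it carries a credential (standing in for IPsec authentication) and the policy, keyed on that credential's identity rather than on the source IP, allows the service. The rule language, the host names and the credential-digest identity scheme are all my assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Central policy in a toy language (constructed). Hosts are named by
# credential, not by address, so a host keeps its policy when its IP changes.
POLICY_TEXT = """
allow fileserver-key smb
deny  contractor-key smb
allow contractor-key http
default deny
"""

def credential_id(key_material: str) -> str:
    """Host identity = digest of its credential (stands in for IPsec)."""
    return hashlib.sha256(key_material.encode()).hexdigest()[:16]

def compile_policy(text: str) -> dict:
    """'Compiler' step: policy language -> internal lookup table."""
    rules, default = {}, "deny"
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "default":
            default = parts[1]
        else:
            action, cred, svc = parts
            rules[(credential_id(cred), svc)] = action
    return {"rules": rules, "default": default}

@dataclass
class Packet:
    src_ip: str
    service: str
    credential: Optional[str]  # None = not IPsec-protected (unauthenticated)

class Endpoint:
    """One 'internal' host enforcing its copy of the central policy."""
    def __init__(self) -> None:
        self.policy = None
    def install(self, compiled: dict) -> None:
        self.policy = compiled  # pushed by the management tool
    def accept(self, pkt: Packet) -> bool:
        # Check 1: IPsec credential. No credential, no identity, no access.
        if pkt.credential is None:
            return False
        # Check 2: policy file, keyed on credential identity, never on src_ip.
        key = (credential_id(pkt.credential), pkt.service)
        return self.policy["rules"].get(key, self.policy["default"]) == "allow"
```

Note that a packet from the same source IP as the file server but without a credential is rejected, which is exactly the property the text wants from credential-based identification.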
6. The main features of distributed firewall
The above describes the features and advantages of distributed firewalls, so what can this kind of firewall actually do? Because it takes the form of software (or software plus hardware), its function configuration is more flexible and complete, and its intelligent management capability is generally reflected in the following aspects:
(1) Internet access control
Based on the workstation name and device properties such as fingerprints, "Internet access" rules control which workstations or workstation groups are permitted or prohibited from accessing the Internet within a specified time period, using a template or list of URLs of Internet web servers; a user can access www servers from a given workstation, and when a workstation/user reaches the specified traffic limit it can be decided whether to cut off its network access.
(2) Application access control
Filters packets and monitors intrusions in network traffic at the link layer, network layer, transport layer and application layer, based on source address, destination address, ports and protocol, and controls service requests from the LAN/Internet, such as SQL database access and IPX protocol access.
(3) Network status monitoring
Real-time dynamic reports on all current user logins, Internet access, intranet access, network intrusion events and other information.
(4) Hacker attack defense
Resists almost 100 kinds of attacks originating from inside the network, including Smurf denial of service attacks, ARP spoofing attacks, Ping attacks and Trojan horse attacks, as well as hacker attacks from the Internet.
(5) Log management
Records, queries and analyzes workstation protocol rule logs, login event logs, user Internet access logs, fingerprint verification rule logs and intrusion detection rule logs.
(6) System tools
Including system layer parameter settings, backup and restore of rules and other configuration information, traffic statistics, template configuration, workstation management, etc.
