Excerpt from the paper
Analysis of traditional firewalls

A packet-filtering firewall sits at the network layer of the protocol stack. It selects IP packets according to the network security policy, permitting or refusing specific packets to pass. Filtering is generally based on the relevant fields of an IP datagram: the IP source address, the IP destination address, the TCP/UDP source port (or service type), and the TCP/UDP destination port (or service type). Filtering on the IP source/destination address means discarding packets that carry particular IP addresses, in line with the security policy of a given organization, and thereby protecting the internal network. Filtering on the TCP/UDP source/destination port gives packet filtering greater flexibility, because port numbers distinguish different service or connection types (for example, SMTP uses port 25 and Telnet uses port 23). Because it operates at the network layer, this kind of firewall is also quite efficient; however, the only security parameters it relies on are the address and port information in the packet headers, so if security is to be increased
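The filtering logic described above, as an added example (not code from the paper): a stateless packet filter that evaluates an ordered rule list against the header fields the passage names (source/destination IP, protocol, source/destination port), with first-match semantics and a default deny. The `Packet`, `Rule` and `filter_packet` names, the sample policy, and the addresses (RFC 5737 documentation ranges) are all assumptions constructed for this illustration. The `payload` field exists only to make the passage's last point concrete: two packets that differ solely in payload receive the same verdict, because this class of firewall never examines anything beyond the headers.

```python
"""Stateless packet filter modelled on the header-field rules described in the excerpt."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter examines, plus a payload it does NOT examine."""
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""    # carried along only to show the filter never inspects it


@dataclass(frozen=True)
class Rule:
    """One policy line; a field left as None matches anything.

    Rules are evaluated in order and the first match decides the verdict,
    so more specific rules must precede broader ones.
    """
    action: str                 # "allow" or "deny"
    src: Optional[str] = None   # CIDR, e.g. "192.0.2.0/24"
    dst: Optional[str] = None   # CIDR
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Return 'allow' or 'deny': the first matching rule decides, otherwise the default applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed sample policy. 192.0.2.0/24 plays the internal network and
# 192.0.2.25 the organisation's mail server; neither is a real host.
INTERNAL = "192.0.2.0/24"
MAIL_SERVER = "192.0.2.25/32"

POLICY = [
    # Inbound SMTP is accepted only when addressed to the mail server.
    Rule("allow", dst=MAIL_SERVER, proto="tcp", dport=25),
    # Telnet towards any internal host is refused; placed before the
    # broad internal "allow" so that it also covers internal-to-internal Telnet.
    Rule("deny", dst=INTERNAL, proto="tcp", dport=23),
    # Internal hosts may send anything outward.
    Rule("allow", src=INTERNAL),
    # Anything not matched above falls through to the default deny.
]


def decide(pkt: Packet) -> str:
    """Apply the sample policy to one packet."""
    return filter_packet(POLICY, pkt)


def header_only_verdicts(base: Packet) -> tuple:
    """Show the header-only blind spot: the same headers with two different
    payloads yield identical verdicts, because nothing past the header is inspected."""
    benign = Packet(base.src, base.dst, base.proto, base.sport, base.dport, b"EHLO example")
    other = Packet(base.src, base.dst, base.proto, base.sport, base.dport, b"\x00" * 64)
    return decide(benign), decide(other)


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.25", "tcp", 40001, 25),    # external SMTP to mail server
        Packet("203.0.113.5", "192.0.2.10", "tcp", 40002, 23),    # external Telnet attempt
        Packet("192.0.2.10", "198.51.100.7", "tcp", 50000, 443),  # internal host going out
        Packet("203.0.113.5", "192.0.2.10", "udp", 5353, 53),     # unsolicited external UDP
    ]
    for p in samples:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}: {decide(p)}")
    print("payload ignored, verdicts:", header_only_verdicts(samples[0]))
```

Because every decision depends only on the five header fields, a rule set like this one can express "SMTP to the mail server, no Telnet, internal hosts out" but cannot tell a legitimate SMTP session from any other traffic that happens to carry the same addresses and ports; that is exactly the limitation the excerpt ends on.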