Firewalls

Each kind of firewall offers a different degree of security and flexibility. Whether an enterprise needs to replace an existing firewall or is installing one for the first time, it needs to be up to date on what is available today and on the specific security requirements for the various types of firewalls. Below is an overview of some basic types of firewalls.

Router

A simple router is an inexpensive but less comprehensive form of protection, and lacks the level of flexibility and features that a full-security enterprise firewall provides.

Packet filter

A packet filter is a very simple type of firewall. Most major router vendors supply packet filters as part of the default distribution. The firewall examines each packet based on source and destination IP address as well as source and destination TCP/UDP ports, and accepts or rejects it based on basic user-defined rules.

Dynamic packet systems

Sometimes called smart packet filters, dynamic packet firewalls control network traffic using a similar method to packet filters, but go beyond them to examine the context of data packet streams rather than just filtering them. These firewalls can remember prior connection states and build a context for each data stream in memory. They evaluate each new packet they receive against the current connection record to determine whether it is a new connection or a continuation of an existing session. In the latter case, the amount of processing the firewall performs in checking the packet is substantially less than for a new connection. However, no packet filter firewall, dynamic or otherwise, supports user authentication by default.

Application proxy

An application-level proxy is a software program running on the firewall. When one computer communicates with another, all network traffic is forced through the proxy program, so the data can be examined and connections can be authorized. The proxy program evaluates data sent from the client and decides which to pass on and which to drop.
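The following added example (not part of the original post) contrasts the packet filter and the dynamic packet filter described above: the plain filter judges every packet on its own against the rules, while the dynamic one keeps a connection record and matches later packets to it. The rule, addresses and class names are constructed for illustration, and TCP flags and record timeouts are not modeled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

# Constructed rule: (source net, destination net, protocol, destination port, action).
RULES = [("10.0.0.0/24", "0.0.0.0/0", "tcp", 443, "accept")]

def match_rules(pkt):
    """Plain packet filter: first matching rule wins, default is reject."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, proto, dport, action in RULES:
        if (src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net)
                and pkt.proto == proto and pkt.dport == dport):
            return action
    return "reject"

class DynamicFilter:
    """Dynamic filter: remembers accepted flows and matches later packets to them."""
    def __init__(self):
        self.connections = set()    # connection records kept in memory
        self.rule_evaluations = 0   # how often the full rule set was walked

    def check(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections or reverse in self.connections:
            return "accept"         # existing session: one lookup, no rule walk
        self.rule_evaluations += 1  # new connection: evaluate the rules
        verdict = match_rules(pkt)
        if verdict == "accept":
            self.connections.add(key)
        return verdict

def demo():
    out = Packet("10.0.0.5", 40000, "203.0.113.10", 443)          # client to server
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 40000)        # server's answer
    unsolicited = Packet("203.0.113.10", 443, "10.0.0.9", 40000)  # no prior flow
    fw = DynamicFilter()
    return (match_rules(reply), [fw.check(p) for p in (out, reply, out, unsolicited)],
            fw.rule_evaluations)
```

The plain filter rejects the server's reply because no rule names it, while the dynamic filter accepts it from the connection record and walks the rule set only for the two packets that start a new flow.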