Host Firewalls and Antivirus Software (9)

Firewall technology is a specific security technology. The term “firewall” originally described a wall built between buildings to prevent fire from spreading.

Firewall = Hardware + Software + Control policies

Control policies:
  • Permit unless otherwise specified
  • Deny unless otherwise specified

Hardware firewall: runs on an embedded system, which is generally open-source. A hardware firewall isolates internal and external networks through a combination of hardware and software.

Software firewall: is generally installed on an OS platform. A software firewall isolates internal and external networks by means of software.

Standalone firewall: serves only the current host.

Network firewall: serves a specific network.

Options in the Windows Firewall window:
  • Allow an app or feature through Windows Firewall: specifies a data pass-through rule.
  • Change notification settings: specifies a notification rule.
  • Turn Windows Firewall on or off: enables or disables the Windows firewall.
  • Advanced settings: specifies detailed inbound and outbound rules and connection security rules.
  • Restore defaults: restores the Windows firewall to its default settings.
  • Troubleshoot my network: detects network issues.

Options in the Allowed apps window:
  • Change settings: adds, changes, or removes allowed apps and ports.
  • Details: displays the details of allowed apps and features.
  • Remove: removes apps or features from Allowed apps and features.
  • Allow another app: adds an app or feature to Allowed apps and features.
  • You can select apps and features from Allowed apps and features and apply them to a home/work (private) network or a public network.

When a Windows firewall is enabled, you can determine whether to send a notification when the firewall blocks new apps.

Enable the firewall for a type of network for security protection, or disable the firewall so that all apps can pass through.

The window for enabling or disabling change notifications is the same as the window for enabling or disabling the Windows firewall.

If firewall rules are not set properly, malicious network attacks may not be blocked, and users may fail to access the Internet. If such a situation occurs, click Restore defaults to restore the Windows firewall to the default settings.

If the settings under Allow an app or feature through Windows Firewall do not meet your requirements, you can open the Windows Firewall with Advanced Security window to set more detailed rules.

Settings in this window allow you to customize inbound rules, outbound rules, and connection security rules, and to monitor the firewall.

When you create a new inbound or outbound rule, you choose one of four rule types:
  • Program: specifies a rule that controls connections for specific local programs or all programs when they use public (or home) networks.
  • Port: specifies a rule that controls connections for specific local ports or all ports when they use public (or home) networks.
  • Predefined: specifies a predefined rule that controls connections.
  • Custom: specifies a rule that controls connections for specific local programs when they use public (or home) networks, using specified source and destination ports and IP addresses.
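As an added example (not code from the page or from Windows Firewall itself), the following Python model shows how the Program, Port and Custom rule types above combine with the two control policies listed at the top of the page: inbound connections are denied unless a rule permits them, outbound connections are permitted unless a rule denies them, and an explicit block rule wins over an allow rule, as it does in Windows Firewall. The rules, program paths and addresses are constructed sample values.

```python
"""Constructed model of host-firewall rule evaluation.

Added example: not code from the page and not Windows Firewall's own logic.
It models the Program, Port and Custom rule types, the two control policies
("permit unless otherwise specified" / "deny unless otherwise specified") as
per-profile defaults, and applies block rules before allow rules.
Program paths and addresses are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Connection:
    direction: str        # "in" or "out"
    profile: str          # "private" (home/work) or "public"
    program: str          # local program path
    local_port: int
    proto: str = "tcp"
    remote_ip: str = "0.0.0.0"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "block"
    direction: str        # "in" or "out"
    profiles: frozenset   # profiles the rule applies to
    program: Optional[str] = None      # set by Program and Custom rules
    local_port: Optional[int] = None   # set by Port and Custom rules
    proto: Optional[str] = None
    remote_ip: Optional[str] = None    # Custom rules may restrict the peer address

    def matches(self, c: Connection) -> bool:
        if self.direction != c.direction or c.profile not in self.profiles:
            return False
        # A criterion left as None means "any" (a Port rule names no program, etc.).
        criteria = [(self.program, c.program), (self.local_port, c.local_port),
                    (self.proto, c.proto), (self.remote_ip, c.remote_ip)]
        return all(want is None or want == have for want, have in criteria)


# Control policy per direction and profile: inbound connections are denied unless
# a rule permits them; outbound connections are permitted unless a rule denies them.
DEFAULTS = {("in", "private"): "block", ("in", "public"): "block",
            ("out", "private"): "allow", ("out", "public"): "allow"}

ALL = frozenset({"private", "public"})
PRIVATE = frozenset({"private"})

# Constructed sample ruleset (paths and addresses are hypothetical).
RULES = [
    Rule("Allow sshd program (private)", "allow", "in", PRIVATE,
         program=r"C:\Tools\sshd.exe"),                                  # Program rule
    Rule("Allow RDP port (private)", "allow", "in", PRIVATE,
         local_port=3389, proto="tcp"),                                  # Port rule
    Rule("Block RDP from 203.0.113.7", "block", "in", ALL,
         local_port=3389, proto="tcp", remote_ip="203.0.113.7"),         # Custom rule
    Rule("Block telemetry client (public)", "block", "out", frozenset({"public"}),
         program=r"C:\Tools\telemetry.exe"),                             # outbound Program rule
]


def evaluate(rules, conn: Connection):
    """Return (verdict, reason): an explicit block rule wins over an explicit allow
    rule, and when no rule matches the profile default applies."""
    hits = [r for r in rules if r.matches(conn)]
    for r in hits:
        if r.action == "block":
            return "block", r.name
    for r in hits:
        if r.action == "allow":
            return "allow", r.name
    return DEFAULTS[(conn.direction, conn.profile)], "profile default"


def decide(conn: Connection):
    """Evaluate a connection against the constructed sample ruleset."""
    return evaluate(RULES, conn)


if __name__ == "__main__":
    samples = [
        Connection("in", "private", r"C:\Tools\sshd.exe", 22, remote_ip="192.168.1.20"),
        Connection("in", "public", r"C:\Windows\System32\svchost.exe", 3389, remote_ip="198.51.100.4"),
        Connection("in", "private", r"C:\Windows\System32\svchost.exe", 3389, remote_ip="203.0.113.7"),
        Connection("out", "public", r"C:\Tools\telemetry.exe", 443, remote_ip="198.51.100.4"),
        Connection("out", "public", r"C:\Program Files\browser.exe", 443, remote_ip="198.51.100.4"),
    ]
    for c in samples:
        print(f"{c.direction:>3} {c.profile:<7} {c.program:<36} :{c.local_port:<5}", *decide(c))
```

The third sample shows why the ordering matters: the Port rule would allow the RDP connection on the private profile, but the Custom rule that names the peer address blocks it, and the block wins. The second sample is blocked with no rule involved at all, because the Port rule is scoped to the private profile and the inbound default for the public profile is deny.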

  • A Linux firewall consists of two components: netfilter and iptables. iptables is the interface between the firewall and its users, while netfilter provides the firewall functions.
  • netfilter is a framework in the Linux kernel. It provides a series of tables; each table consists of several chains, and each chain consists of several rules.
  • iptables is a user-space tool that can add, delete, and insert rules. These rules tell the netfilter component how to process data packets.

Iptables contains five rule chains:
  • PREROUTING
  • INPUT
  • FORWARD
  • OUTPUT
  • POSTROUTING
These are the five rule chains defined by netfilter. Any data packet passing through will reach one of these chains.

Generally, the filter table contains three chains: INPUT, FORWARD, and OUTPUT.

Generally, the nat table contains three chains: PREROUTING, OUTPUT, and POSTROUTING.

The mangle table contains all five chains: PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING.

When a data packet arrives on a network adapter, it is first matched against the PREROUTING chain. The system then decides how to process the packet according to its destination address. The possible paths are as follows:
  • If the destination address of the packet is the local host, the system sends the packet to the INPUT chain to match the packet with rules in this chain. If the packet matches a rule, the system sends the packet to the corresponding local process. If no match is found, the system discards the packet.
  • If the destination address of the packet is not the local host, the packet will be forwarded. The system directly sends the packet to the FORWARD chain to match the packet with rules in this chain. If the packet matches a rule, the system sends the packet to the corresponding local process. If no match is found, the system discards the packet.
  • If the packet is locally generated, the system directly sends the packet to the OUTPUT chain to match the packet with rules in this chain. If the packet matches a rule, the system sends the packet to the corresponding local process. If no match is found, the system discards the packet.
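The traversal described above, as an added example in Python (not code from the page, from iptables or from the kernel): a filter table with INPUT, FORWARD and OUTPUT chains, first-match rule evaluation, and a default policy per chain. Two points the model makes explicit: a packet that matches no rule is handled by the chain's default policy (what `iptables -P` sets), which is DROP or ACCEPT depending on how the administrator configured it, and accepted FORWARD and OUTPUT traffic leaves the host through POSTROUTING. The ruleset and addresses are constructed; `to_iptables()` renders the same rules as the commands that would install them on a real host.

```python
"""Constructed simulation of iptables/netfilter chain traversal.

Added example: not code from the page, from iptables or from the kernel.
It models the filter table's INPUT, FORWARD and OUTPUT chains with a default
policy per chain and records the PREROUTING and POSTROUTING hooks a packet
passes, so the three paths in the text can be traced. Addresses and rules are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOCAL_ADDRS = {"192.0.2.10", "127.0.0.1"}   # constructed: addresses owned by this host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    locally_generated: bool = False


@dataclass(frozen=True)
class Rule:
    proto: Optional[str] = None   # -p
    src: Optional[str] = None     # -s, single address or CIDR prefix
    dport: Optional[int] = None   # --dport (requires -p tcp/udp)
    target: str = "ACCEPT"        # -j

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src is not None:
            if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
                return False
        return True

    def to_iptables(self, chain: str) -> str:
        parts = [f"iptables -t filter -A {chain}"]
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.src:
            parts.append(f"-s {self.src}")
        if self.dport:
            parts.append(f"--dport {self.dport}")
        parts.append(f"-j {self.target}")
        return " ".join(parts)


class Chain:
    def __init__(self, name: str, policy: str = "ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def verdict(self, p: Packet) -> str:
        for r in self.rules:          # the first matching rule decides
            if r.matches(p):
                return r.target
        return self.policy            # no match: the chain's default policy applies


class FilterTable:
    def __init__(self):
        self.chains = {n: Chain(n) for n in ("INPUT", "FORWARD", "OUTPUT")}

    def traverse(self, p: Packet):
        """Return (verdict, path) following netfilter's hook order."""
        path = []
        if p.locally_generated:
            chain = "OUTPUT"
        else:
            path.append("PREROUTING")
            # Routing decision: is the destination one of this host's addresses?
            chain = "INPUT" if p.dst in LOCAL_ADDRS else "FORWARD"
        path.append(chain)
        verdict = self.chains[chain].verdict(p)
        if verdict == "ACCEPT":
            # Accepted INPUT traffic reaches a local process; forwarded and
            # locally generated packets leave the host through POSTROUTING.
            path.append("local process" if chain == "INPUT" else "POSTROUTING")
        return verdict, path

    def to_iptables(self):
        lines = []
        for c in self.chains.values():
            lines.append(f"iptables -t filter -P {c.name} {c.policy}")
            lines += [r.to_iptables(c.name) for r in c.rules]
        return lines


def build_ruleset() -> FilterTable:
    """Constructed ruleset: deny inbound and forwarded traffic unless permitted,
    permit outbound traffic unless denied."""
    fw = FilterTable()
    fw.chains["INPUT"].policy = "DROP"
    fw.chains["FORWARD"].policy = "DROP"
    fw.chains["INPUT"].rules += [Rule(proto="tcp", src="192.0.2.0/24", dport=22),
                                 Rule(proto="tcp", dport=80)]
    fw.chains["FORWARD"].rules += [Rule(proto="tcp", dport=443)]
    fw.chains["OUTPUT"].rules += [Rule(proto="tcp", dport=25, target="DROP")]
    return fw


if __name__ == "__main__":
    fw = build_ruleset()
    print("\n".join(fw.to_iptables()))
    for pkt in [Packet("192.0.2.55", "192.0.2.10", "tcp", 22),
                Packet("198.51.100.9", "192.0.2.10", "tcp", 22),
                Packet("198.51.100.9", "203.0.113.5", "tcp", 443),
                Packet("192.0.2.10", "203.0.113.25", "tcp", 25, locally_generated=True)]:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, *fw.traverse(pkt))
```

The second sample packet is the case worth checking on a real host: it is SSH to the local address, but from outside the permitted source prefix, so no INPUT rule matches and the INPUT policy (DROP here) decides. With a policy of ACCEPT the same packet would reach sshd.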

Scanners are the main component of antivirus software and are used to scan for viruses. How effective antivirus software is depends on how advanced the technology and algorithms used to build the scanner are. Therefore, most antivirus software has more than one scanner.

The virus signature database stores virus signatures, which are classified into memory signatures and file signatures. File signatures are generally found in files that are not running, while memory signatures are generally found in a running application program.

A virtual machine (VM) lets antivirus software run a virus in a virtual environment that the antivirus software builds.

If antivirus software does not have a strong unpacking capability, two different signature records must be added to defend against packed (shelled) viruses. This is because if a hacker packs the virus with another tool, the antivirus software no longer recognizes it, and a new signature record must be added before the virus can be removed.

If antivirus software has a strong unpacking capability, it unpacks the virus file and then scans for and removes the virus. In this way, a single signature record is enough, which reduces the system resources the antivirus software occupies and greatly improves its ability to detect and remove viruses.

Currently, more advanced cloud antivirus technology can access the virus signature database in the cloud in real time, so users do not need to update their local virus signature database frequently.
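As an added example (not code from the page or from any real antivirus engine), the Python below models the scanner, the signature database and the unpacking step discussed above. The toy packed format (a marker, a one-byte key and an XOR-encoded payload) is invented here so that the scanner has something to unpack, and the sample body and signatures are constructed test strings, not real malware. `signatures_needed()` reproduces the effect the text describes: an engine that cannot unpack needs one record per packed variant, while an engine that unpacks first needs a single record for all of them.

```python
"""Constructed signature-scanner model showing why unpacking capability matters.

Added example: not the page's code and not a real antivirus engine. The
"packer" is a toy format invented here (a 6-byte marker, a 1-byte key and the
XOR-encoded payload) so the scanner has something to unpack; the sample body and
signatures are constructed test strings, not real malware.
"""

PACK_MARKER = b"TOYPK1"   # constructed marker for the toy packed format

# Constructed sample file body and the file signature extracted from it.
SAMPLE_BODY = b"CONSTRUCTED-SAMPLE-BODY: a harmless test string standing in for a virus"
SAMPLE_SIG = b"CONSTRUCTED-SAMPLE-BODY"


def toy_pack(payload: bytes, key: int) -> bytes:
    """Toy packer: same payload, different key -> different bytes on disk."""
    return PACK_MARKER + bytes([key]) + bytes(b ^ key for b in payload)


def toy_unpack(data: bytes):
    """Return the original payload if data is in the toy packed format, else None.
    This stands in for the 'strong unpacking capability' of the text: a real
    engine unpacks statically or runs the file in its VM and reads the unpacked
    image from memory."""
    if not data.startswith(PACK_MARKER) or len(data) <= len(PACK_MARKER):
        return None
    key = data[len(PACK_MARKER)]
    return bytes(b ^ key for b in data[len(PACK_MARKER) + 1:])


class SignatureDB:
    """Virus signature database: record name -> byte pattern."""
    def __init__(self):
        self.signatures = {}

    def add(self, name: str, pattern: bytes):
        self.signatures[name] = pattern

    def match(self, data: bytes):
        return [n for n, pat in self.signatures.items() if pat in data]

    def __len__(self):
        return len(self.signatures)


def scan(data: bytes, db: SignatureDB, can_unpack: bool):
    """Scanner: match file signatures against the raw bytes and, if the engine can
    unpack, against the unpacked image (the view a memory signature would see)."""
    hits = db.match(data)
    if can_unpack:
        inner = toy_unpack(data)
        if inner is not None:
            hits += [h for h in db.match(inner) if h not in hits]
    return hits


def default_db() -> SignatureDB:
    """A database holding the single record for the unpacked sample body."""
    db = SignatureDB()
    db.add("sample.body", SAMPLE_SIG)
    return db


def signatures_needed(variants, can_unpack: bool) -> int:
    """Add a record whenever a variant is missed and return the final database size:
    a weak unpacker needs one record per packing, a strong one needs one record."""
    db = default_db()
    for i, variant in enumerate(variants):
        if not scan(variant, db, can_unpack):
            # Missed: an engine without unpacking must sign the packed bytes instead.
            body = variant[len(PACK_MARKER) + 1:]
            db.add(f"sample.packed.{i}", body[:16])
    return len(db)


# Constructed variants: the plain body and the same body packed with two keys.
VARIANTS = [SAMPLE_BODY, toy_pack(SAMPLE_BODY, 0x5A), toy_pack(SAMPLE_BODY, 0x77)]

if __name__ == "__main__":
    for v in VARIANTS:
        print(v[:12], "weak:", scan(v, default_db(), False),
              "strong:", scan(v, default_db(), True))
    print("records needed without unpacking:", signatures_needed(VARIANTS, False))
    print("records needed with unpacking:   ", signatures_needed(VARIANTS, True))
```

The point for a defender is the database growth, not the toy packer: every additional packing of an already-known sample costs the weak engine another record, while the engine that unpacks first keeps matching the one record taken from the unpacked body, which is also why the text ties unpacking to lower resource usage.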

Actions that antivirus software can take on a detected file:
  • Clear: Remove the virus code from infected files to restore them.
  • Delete: Delete virus files. These files are not infected files but consist of virus code, so they cannot be cleaned.
  • Forbid access: Do not access virus files. If you choose not to process a detected virus file, the antivirus software may deny access to it; when you attempt to open such a file, the error message "not a valid win32 application" is displayed.
  • Isolate: After a virus file is deleted, it is moved to the isolation area. You can retrieve deleted files from the isolation area, but files there cannot run.
  • No process: If you are not sure whether a file contains a virus, leave it unprocessed for the time being.

Most antivirus software lags behind computer viruses. In addition to updating your antivirus software in a timely manner and periodically scanning your computer, keep your computer and network security knowledge up to date, do not open unknown files or insecure web pages, change your password as required, and use the security assistant and personal firewall. These measures will better protect your computer and network security.

Ref: [1]