If you use a high-speed connection such as DSL or cable, consider downloading Zone-Alarm, CNET’s favorite free personal firewall. Firewalls not only keep hostile apps from entering your PC from the outside, they also block hidden or unknown software on your PC (the sort a virus could install) from connecting to the Internet without your knowledge and giving away your valuable information.
To find out how secure your connection is, go to Steve Gibson’s Shields Up site and get a free test of your security. Shields Up performs many of the same tests hackers use to probe your computer for vulnerabilities and provides you with a summary assessment of your PC’s security and what you need to do (if anything) to make yourself less vulnerable. Gibson’s scan can tell you if the back door program is running but not if it has been (or is being) used. But a little information goes a long way. If you know the Trojan is there, you can work to get rid of it.
【New Words】
preference
偏爱,优先选择
iota
极微小,希腊字母第9位
duration
持续时间,为期
erosion
侵蚀,腐蚀
antivirusprogram
防病毒程序
linger
逗留,闲逛,拖延
hostile
敌对的,敌方的
vulnerability
弱点,攻击
9.3 Network Firewall
The purpose of a network firewall is to provide a shell around the network which will protect the systems connected to the network from various threats. The types of threats a firewall can protect against include:
Unauthorized access to network resources an intruder may break into a host on the network and gain unauthorized access to files.
Denial of service an individual from outside of the network could, for example, send thousands of mail messages to a host on the net in an attempt to fill available disk space or load the network links.d
Masquerading electronic mail appearing to have originated from one individual could have been forged by another with the intent to embarrass or cause harm.
A firewall can reduce risks to network systems by filtering out inherently insecure network services. Network File System (NFS) services; for example, could be prevented from being used from outside of a network by blocking all NFS traffic to or from the network. This protects the individual hosts while still allowing the service, which is useful in a LAN environment, on the internal network. One way to avoid the problems associated with network computing would be to completely disconnect an organization’s internal network from any other external system. This, of course, is not the preferred method. Instead what is needed is a way to filter access to the network while still allowing users access to the “outside world”.
In this configuration, the internal network is separated from external networks by a firewall gateway. A gateway is normally used to perform relay services between two networks. In the case of a firewall gateway, it also provides a filtering service which limits the types of information that can be passed to or from hosts located on the internal network. There are three basic techniques used for firewalls: packet filtering, circuit gateway, and application gateways. Often, more than one of these is used to provide the complete firewall service.
There are several configuration schemes of firewall in the practical application of inter-network security. They usually use the following terminologies:
Screening router it can be a commercial router or a host based router with some kind of packet filtering capability.r
Bastion host it is a system identified by the firewall administrator as a critical strong point in the network security.
Dual homed gateway some firewalls are implemented without a screening router, by placing a system on both the private network and the Internet, and disabling TCP/IP forwarding.a
Screened host gateway it is possibly the most common firewall configuration. This is implemented using a screening router and a bastion host.
Screened subnet an isolated subnet is situated between tile Internet and the private network. Typically, this network is isolated using screening routers, which may implement varying levels of filtering.b
Application level gateway-- it is also called a proxy gateway and usually operates at a user level rather than the lower protocol level common to the other firewall techniques.l
【Vocabulary】
shell
n. 贝壳,壳,外形,炮弹
intruder
n. 入侵者
denial
n. 否定,否认,谢绝,拒绝
masquerade
n. 化妆舞会
v. 化妆
embarrass
vt. 使困窘,使不安;阻碍,麻烦
filter
vt. 过滤,渗透
inherently
adv. 天性地,故有地
gateway
n. 网关,通路,门
normally
adv. 正常地,通常地
configuration
n. 构造,结构,配置,外形
scheme
n. 安排,配置,计划
terminology
n. 术语学
screening
n. 放映
dual
adj. 双重的,双的
implement
n. 工具,器具 v. 贯彻,实现
router
n. 路由器
bastion
n. 堡垒,阵地工程
subnet
n. 子(分支)网络
proxy
n. 代理人
protocol
n. 草案,协议
【参考译文】
网络防火墙
网络防火墙的目的是在网络周围设置一层外壳,用于防止连入网络的系统受到各种威胁。防火墙可以防止的威胁类型包括:
非授权的对网络资源的访问-——入侵者渗入网上的主机,并对文件进行非授权访问;入
拒绝服务——网络以外的某个人可能向该网上的主机发送成千上万个邮件消息,企图填满可能的磁盘空间,或者使网络连路满负荷;网
假冒——某个人发出的电子邮件可能被别有用心的人篡改,结果使原发件人感到难堪,或受到伤害。某
防火墙可以通过滤掉某些原有的不安全的网络业务而降低网络系统的风险。例如,网络文件系统(NFS)服务,通过封锁它们进出网络,能防止从一个网络的外部被应用。这保护了个别宿主同时也允许该服务应用于内部网,这在局域网环境中很有用。一种避免与网络计算问题有关的方法是把单位的内部网与其它外部系统完全断开。当然这不是一个好办法,其实需要的是对访问网络进行过滤,同时仍允许用户访问“外部世界”。
在这种配置中,用一个防火墙网关把内部和处部网分开。网关一般用于实现两个网络之间的中继业务。防火墙网关还提供过滤业务,它可以限制进出内部网络主机的信息类型。有3种基本防火墙技术:包过滤、电路网和应用网关。通常可以采用上述一种以上的技术以提供完整的防火墙业务。
在互联网络安全的实际应用中,有好几种防火墙配置方案。它们通常采用以下术语:
屏蔽路由器——可以是一种商用路由器,或是带有某种包过滤功能的基于主机的路由器。可
堡垒主机——它是由防火墙管理人员认定作为网络安全最关键处的一个系统。它
双宿主网关——某些防火墙不使用屏蔽路由器,但在专用网和因特网之间放一个系统,不允许传送TCP/IP包。包
主机屏蔽网关——可能是最常用的防火墙配置,它由屏蔽路由器和堡垒主机构成。可
子网屏蔽——位于因特网和专用网之间的一个隔离子网。一般来说,这种网络用一台屏蔽路由器来隔离,它可以实现不同级别的过滤功能。网
应用级网关——又叫代理网关,它不像普通防火墙在低层协议上工作,而通常在用户级上工作。又
【Reading Material】
The Attacker