[Repost] Sharing a translation ~ Firewall Debate: Hardware vs. Software

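  1. #1
    Member
    Join date
    2001-07-27
    Forum posts
    135

    [Repost] Sharing a translation ~ Firewall Debate: Hardware vs. Software

    Original article:
    http://www.smallbusinesscomputing.co...le.php/3103431

    A friend translated it for me and I am sharing it with everyone; I hope you will all give your views.

    Firewall Debate: Hardware vs. Software (Chinese title: Firewall Debate: Hardware - Software)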

    I'm about to get my first broadband connection, and I know I need to get a firewall. However, I've been getting some conflicting advice as to what type of firewall I need. Some people tell me I should get a hardware firewall, while others tell me a software firewall is preferred. What's the difference, and more importantly, which is better?
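    [Chinese translation] I am about to set up my first broadband network, and I know I need to set up a firewall. However, some of the advice I have received about the firewall I need is contradictory. Some people tell me I should set up a hardware firewall, while others tell me I would do better with a software firewall. What exactly is the difference between them and, most importantly, which one is better?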


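    Good question. The truth is that in a typical home office environment, one type of firewall isn't necessarily better than the other. There are some differences, though, and they can be used together to give you an even greater degree of protection.
    [Chinese translation] Good question. This is a typical question for a home-office network environment. One type of firewall is not necessarily better than the other. They have some differences, so they can be used together to obtain a fairly high level of protection.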

    Hardware firewalls are important because they provide a strong degree of protection from most forms of attack coming from the outside world. Additionally, in most cases, they can be effective with little or no configuration, and they can protect every machine on a local network.
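    [Chinese translation] Hardware firewalls are important because they provide strong protection against most types of attack from the outside. In addition, in most cases they work with very little configuration (or even none), and they can protect every machine on the local area network (LAN).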

    A hardware firewall in a typical broadband router employs a technique called packet filtering, which examines the header of a packet to determine its source and destination addresses. This information is compared to a set of predefined and/or user-created rules that determine whether the packet is to be forwarded or dropped. A more advanced technique called Stateful Packet Inspection (SPI <http://sbc.webopedia.com/TERM/s/stat...nspection.html>), looks at additional characteristics such as a packet's actual origin (i.e. did it come from the Internet or from the local network) and whether incoming traffic is a response to existing outgoing connections, like a request for a Web page.
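    [Chinese translation] In a typical broadband router, the hardware firewall uses a technique called packet filtering (examining the packet's head to determine the packet's source and destination addresses). This information is then checked against preset or user-defined rules to decide whether to forward the packet or drop it. A more advanced technique is called designated packet inspection (SPI), which pays attention to additional characteristics, such as the packet's actual origin, that is, determining whether it came from the Internet or the LAN, and whether incoming traffic is a response to a current outbound connection, just like making a request for a web page.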

    But most hardware residential firewalls have an Achilles' heel in that they typically treat any kind of traffic traveling from the local network out to the Internet as safe, which can sometimes be a problem.
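    [Chinese translation] But most residential hardware firewalls have an "Achilles tilt effect": their typical way of handling all kinds of traffic from the LAN to the Internet for the sake of safety can sometimes be a problem.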

    Consider this scenario: What would happen if you received an e-mail message or visited a website that contained a concealed program? Let's say this program was designed to install itself on your machine and then surreptitiously communicate with someone via the Internet - a distributed denial of service (DDoS <http://sbc.webopedia.com/TERM/D/DoS_attack.html>) attack zombie or a keystroke logger, for example? And trust me, this is by no means an unlikely scenario.
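    [Chinese translation] Consider the following situation: when you receive an e-mail message or a website with a hidden program embedded in it, this program has been designed to install itself on your machine and then secretly connect to some host over the Internet, for example a distributed denial of service (DDoS) attack trojan or a keyboard input program. This is by no means an impossible situation.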

    To most broadband hardware firewalls, the traffic generated by such programs would appear legitimate since it originated inside your network and would most likely be let through. This malevolent traffic might be blocked if the hardware firewall was configured to block outgoing traffic on the specific Transmission Control Protocol/Internet Protocol (TCP/IP <http://sbc.webopedia.com/TERM/T/TCP_IP.html>) port(s) the program was using, but given that there are over 65,000 possible ports and there's no way to know which ports a program of this nature might use, the odds of the right ones being blocked are slim.
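    [Chinese translation] To most broadband hardware firewalls, the traffic generated by such a program will be regarded as legitimate; because it comes from your internal network, most of it can pass. If your hardware firewall has its TCP/IP port configuration set, this malicious traffic might be stopped, but with as many as 65000 possible ports there is no way to know which programs use which ports, so the chance of blocking the right ports is very slim.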

    Moreover, blocking too many ports would almost certainly adversely affect your ability to use some programs (many games, for instance). Also, some broadband router firewalls don't even provide the ability to restrict outgoing traffic, only incoming traffic.
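    [Chinese translation] Furthermore, blocking too many ports will leave you unable to use certain software (many games, for example). Some broadband router firewalls cannot even provide the ability to restrict outgoing traffic, only to restrict incoming traffic.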

    Advantages of Software Firewalls (Chinese heading: The Benefits of Software Firewalls)
    Now consider what a software firewall might do in the aforementioned scenario. When you first set up a software firewall, you can specify which applications are allowed to communicate over the Internet from that PC. Programs that aren't explicitly allowed to do so are either blocked or else the user is prompted for confirmation before the traffic is allowed to pass. Therefore, it would likely intercept this kind of traffic before it left your computer.
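    [Chinese translation] Now consider how a software firewall would respond to the situation mentioned above. When you first set up the software firewall, you can specify which software may communicate over the Internet from this PC. Programs that have not been allowed are either stopped or must be confirmed by the user before their messages are allowed to pass. Therefore, this kind of traffic would probably be intercepted before it leaves your computer.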

    Another potential scenario where a software firewall would be useful is in the case of an e-mail worm with its own e-mail server, like the recent "SoBig" worm. Its built-in mail server could attempt to send mail on the valid Simple Mail Transfer Protocol (SMTP <http://sbc.webopedia.com/TERM/S/SMTP.html>) port (25), which would probably pass through the router because of its trusted origin.
    [Chinese translation] Another potential situation: a software firewall is useful against an e-mail worm that carries its own e-mail server, like the recent SoBig worm. It uses its built-in e-mail server to send e-mail through the valid SMTP port (25), and it would probably pass through the router normally, because it goes through a mechanism that is already trusted.

    On the other hand, a software firewall could be configured to only allow Microsoft Outlook to use port 25 (assuming Outlook is your e-mail client). Any attempt by another application to use the port would be dropped, or blocked pending user confirmation. For that matter, the application's attempt to use any port would be blocked if the firewall was configured that way.
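    [Chinese translation] In other words, a software firewall can be configured so that it allows only MS Outlook to use port 25 (assuming Outlook is your default e-mail sending software). For any software that attempts to use this port to send mail, what it sends during this period will be dropped or blocked. For this kind of event, an application's attempt to use any port will be blocked, if the firewall has been configured properly.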

    By comparison, a hardware firewall that had the ability to filter outgoing traffic might allow you to block most kinds of traffic from a particular PC, but it wouldn't be able to flag you and alert you to repeated attempts to infiltrate your computer.
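    [Chinese translation] By comparison, a hardware firewall that is able to filter outgoing traffic can let you block different kinds of traffic sent from a particular PC, but it cannot identify and warn you of the attempts of a program lurking in your computer.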

    One obvious downside to software firewalls is that they can only protect the machine they're installed on, so if you have multiple computers (which many small offices do), you need to buy, install, and configure a software firewall separately on each machine. This can get expensive and can be difficult to manage if you have a lot of computers.
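    [Chinese translation] One obvious disadvantage is that software firewalls can protect only the machine the software is installed on, so when you have several computers (as in a small office), you need to buy, install and configure the firewall separately for each computer. If you have many computers, this gets expensive and is hard to manage.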

    But the fact of the matter is that software firewalls generally offer the best measure of protection against certain types of situations like Trojan programs or e-mail worms. Speaking of which, a firewall isn't the only protection method available to you. Whether you end up using a software firewall or a hardware firewall, you should always supplement it with anti-virus software.

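    [Chinese translation] But in fact software firewalls can generally provide the best protection monitoring for certain situations, such as Trojan horses and e-mail worms. Having explained this far, a firewall is actually not the only means of protection available to you. Once you have installed a software firewall or a hardware firewall, you should also install anti-virus software.

    A good anti-virus package is just as important as a firewall, and I would seriously suggest that you invest in a good one (I'm partial to both Norton and McAfee myself). However, keeping your virus definitions updated is far more important than which program you use. I cannot stress the importance of this enough. Making sure your definitions are current is absolutely critical to maintaining your protection. Many anti-virus programs today can be configured to automatically update themselves, so you have no excuse for not maintaining them.
    [Chinese translation] A good anti-virus package is just as important as a firewall, and I seriously recommend that you buy one. Furthermore, keep your virus definitions updated at all times; I want to stress the importance of this point. Many anti-virus programs already update themselves automatically, so you will not spend time maintaining them.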

    The bottom line is that with any home-office broadband connection, a hardware firewall should be considered a bare minimum, and supplementing it with a software firewall on one or more computers (and don't forget anti-virus software) is almost always a good idea.
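    [Chinese translation] The firewall strategy for a home office is as follows:
    A hardware firewall is the basic requirement, supplemented by a software firewall on every computer, and don't forget to install anti-virus software.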
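
The outbound scenario the article describes (a mail worm sending on port 25 from inside the LAN), modelled as an added example that is not part of the original post or article: a router doing stateful inspection and a per-application host firewall judge the same constructed packets. The addresses, program names and class names are assumptions made for the illustration.

```python
from collections import namedtuple

LAN = "192.168.1."  # constructed LAN prefix for this example
# "program" is known only to a firewall running on the sending PC.
Packet = namedtuple("Packet", "src sport dst dport program", defaults=[""])

class RouterFirewall:
    """Stateful inspection: LAN-originated traffic is trusted as safe."""
    def __init__(self):
        self.flows = set()  # outbound connections seen so far

    def check(self, p):
        if p.src.startswith(LAN):
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "forward"
        # Inbound passes only as the mirror image of a tracked outbound flow.
        reply_to = (p.dst, p.dport, p.src, p.sport)
        return "forward" if reply_to in self.flows else "drop"

class HostFirewall:
    """Software firewall on one PC: outbound allowlist of (program, port)."""
    def __init__(self, allowed):
        self.allowed, self.alerts = set(allowed), []

    def check(self, p):
        if (p.program, p.dport) in self.allowed:
            return "forward"
        self.alerts.append(f"{p.program} -> {p.dst}:{p.dport}")  # user prompt
        return "block"

def compare(packets, allowed):
    """Return ({label: (router verdict, host verdict or None)}, alerts)."""
    router, host = RouterFirewall(), HostFirewall(allowed)
    verdicts = {}
    for label, p in packets:
        # The host firewall only sees traffic leaving its own PC.
        host_verdict = host.check(p) if p.src.startswith(LAN) else None
        verdicts[label] = (router.check(p), host_verdict)
    return verdicts, host.alerts

# Constructed traffic: documentation addresses, hypothetical program names.
SAMPLE = [
    ("mail client SMTP", Packet("192.168.1.10", 40001, "203.0.113.5", 25, "outlook.exe")),
    ("SMTP reply", Packet("203.0.113.5", 25, "192.168.1.10", 40001)),
    ("worm SMTP", Packet("192.168.1.10", 40002, "198.51.100.9", 25, "worm.exe")),
    ("keylogger upload", Packet("192.168.1.10", 40003, "198.51.100.9", 31337, "logger.exe")),
    ("unsolicited inbound", Packet("198.51.100.9", 5555, "192.168.1.10", 445)),
]
print(compare(SAMPLE, {("outlook.exe", 25)}))
```

The router forwards the worm's port-25 traffic because it originates inside the LAN, while the host firewall blocks it and records an alert; only the unsolicited inbound packet is dropped at the router.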



  2. #2
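    TAIWAN (user title: "You've wasted your youth if you were never obnoxious")
    Join date
    2003-06-26
    Location
    Satellite Internet
    Forum posts
    1,161
    This article looks a bit outdated

    Ideas from about a year ago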

  3. #3
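    Member
    Join date
    2001-07-27
    Forum posts
    135
    Could you point out which ideas are outdated???

    Originally posted by TAIWAN
    This article looks a bit outdated

    Ideas from about a year ago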

  4. #4
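    dou0228 (user title: "Commander Laden")
    Join date
    2002-08-26
    Location
    2M/256K
    Forum posts
    1,073
    Originally posted by jeffking
    Could you point out which ideas are outdated???
    I didn't read it all in detail, but quite a few places are mistranslated..
    For example: But most hardware residential firewalls have an Achilles' heel

    You should first go and look up how Achilles died in Western mythology; then you'll know what Achilles' heel means..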

  5. #5
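    Member
    Join date
    2001-07-27
    Forum posts
    135
    sorry~~ I looked it up in the dictionary and it seems~~ it translates as "the one (fatal) weakness"
    Originally posted by dou0228
    I didn't read it all in detail, but quite a few places are mistranslated..
    For example: But most hardware residential firewalls have an Achilles' heel

    You should first go and look up how Achilles died in Western mythology; then you'll know what Achilles' heel means..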



  6. #6
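    TAIWAN (user title: "You've wasted your youth if you were never obnoxious")
    Join date
    2003-06-26
    Location
    Satellite Internet
    Forum posts
    1,161
    Originally posted by jeffking
    Could you point out which ideas are outdated???
    This Chinese passage

    To most broadband hardware firewalls, the traffic generated by such a program will be regarded as legitimate; because it comes from your internal network, most of it can pass. If your hardware firewall has its TCP/IP port configuration set, this malicious traffic might be stopped, but with as many as 65000 possible ports there is no way to know which programs use which ports, so the chance of blocking the right ports is very slim.


    Early Apples had a chip that let you go straight into BASIC --- ROM
    Now some people call that chip embedded ***
    Hardware comes from software
    Software comes from programs
    Programs are for communicating with the computer and giving it commands
    And in the end it is all operated by people
    Can software possibly run faster than hardware?
    And modifying hardware relies on software, otherwise how would it be manufactured?

    This interdependent relationship all comes down to zeros and ones

    So where would a hardware versus software debate even come from?

    There are only bad operators, no bad machines or software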
