VPN, Proxy

When VPNs come up, the first thing many of us think of is circumventing the wall, and that is indeed what VPNs are famous for. **A VPN does assign you a new IP address, but that address is only meaningful inside the private network at the other end of the tunnel.** The real advantage and purpose of a VPN is not circumvention but encrypted access to a private network, and because its traffic has obvious characteristics it does not perform well when used to circumvent the wall. A proxy such as SS, on the other hand, simply forwards your requests, **provided that you can find a server that is reachable from inside the wall** and that is willing to forward traffic for you. Let's start by talking about what a VPN is and how it differs from a proxy.

What is a “wall”

What we usually call the wall is actually a firewall: a collection of hardware and software running on the gateways between the domestic network and foreign networks, which uses DNS hijacking, IP address filtering and similar methods to stop our requests from passing through.

A firewall is a combination of components placed between networks of different trust levels (such as a trusted corporate intranet and the untrusted public Internet) or between security domains. It is the only path information can take between those networks. By monitoring, restricting and altering the data flow that crosses it, the firewall shields the information, structure and operating state of the internal network from the outside as much as possible, and selectively admits external access. It strengthens supervision of internal equipment, controls access between servers and external networks, and erects a barrier between the protected network and the outside to stop unpredictable, potentially destructive intrusions.

There are two kinds of firewalls, hardware firewalls and software firewalls; both provide protection and filter out attackers on the network.

Firewall technology has gone through three stages: packet filtering, application proxy gateways, and then stateful inspection (often translated literally as "state detection").

Packet filtering is a simple and effective access-control technique. Rules that allow or deny specific source addresses, destination addresses and TCP port numbers are loaded onto the device that connects the networks, and each packet is checked against them to limit what may enter or leave the internal network. Its biggest advantages are transparency to users and high throughput. However, because the control is applied only at the network and transport layers, its strength is limited to what those headers carry: source address, destination address and port number. It can therefore provide only coarse protection, and it is powerless against higher-level attacks such as flooding, buffer overflows or malware carried in the payload.

Stateful inspection is a more effective access-control method than plain packet filtering. For a newly created connection, the firewall checks the preconfigured security rules, allows the connection through if it matches, and records the connection's details in an in-memory state table. Subsequent packets of that connection are allowed as long as they match the state table. The advantages are two: the rules are no longer evaluated for every packet, since the (usually numerous) follow-up packets of a connection are matched directly against the state table by hashing, which greatly improves performance; and because the state table is dynamic, ports above 1024 can be opened selectively and only for the return traffic of tracked connections instead of being left permanently open, which improves security.

Packet filtering technique

Packet filtering firewalls are generally implemented on routers and filter on administrator-defined fields such as IP addresses. They work by inspecting packets at the network layer without regard to the application layer, which gives good throughput and scalability. Their security, however, has inherent gaps: the system has no knowledge of application-layer information, that is, the firewall does not understand the content of the communication, so it can be bypassed by attackers.

A packet filtering firewall works at the network layer and can identify and control the source and destination IP addresses of packets. At the transport layer it can only tell whether a packet is TCP or UDP and which ports it uses. Routers, layer-3 switches and most operating systems now have packet filtering built in.

Because only the IP addresses, the TCP/UDP protocol and the ports of a packet are examined, packet filtering firewalls are fast and easy to configure.

Packet filtering firewalls have fundamental flaws:

  1. They cannot stop attackers who spoof addresses. A packet filtering firewall rests on the premise that the administrator knows which IP addresses belong to trusted networks and which to untrusted ones. With the rise of remote work and similar applications, the administrator can no longer draw a clean boundary between trusted and untrusted networks. And an attacker only has to set the source address of a packet to a trusted address to pass through the filter into the intranet; forging a source IP address takes no skill at all (with TCP the attacker will not see the replies, but a one-way packet is enough for many attacks).
  2. They do not understand application-layer protocols. Suppose the policy is that intranet employees may browse external web pages (HTTP) but may not download movies from outside (typically FTP). A packet filtering firewall cannot enforce this, because it does not recognise the application-layer protocol inside the packet and its access-control granularity is too coarse.
  3. They cannot handle newer threats. Because they do not track TCP connection state, their control over the TCP layer is leaky. For example, when configured to allow TCP only from the inside out, the filter still has to let inbound packets that look like replies (ACK flag set) through, so an attacker outside can reach the intranet with packets crafted to look like responses to connections that never existed.

It can be seen from the above that the technical basis of the packet filtering firewall is too rudimentary, just like a security guard who can only decide whether to admit a visitor based on which province and city they come from; it is hard for such a guard to do the job of protecting intranet security.

Application Gateway Firewall

An application gateway firewall inspects the packets of all application-layer protocols and feeds what it sees into its decisions, which improves network security. However, it achieves this by breaking the client/server model: each client/server exchange requires two connections, one from the client to the firewall and one from the firewall to the server. In addition, every proxied application needs its own proxy process or background service; for each new application a proxy must be added, otherwise that application cannot be used. Application gateway firewalls therefore scale poorly.

An application proxy gateway completely cuts off direct communication between the intranet and the outside. An intranet user's access to the external network becomes the firewall's access to the external network, with the result forwarded back to the user. All communication is relayed by application-layer proxy software; at no point can a visitor establish a direct TCP connection with the server, and the application-layer protocol session must comply with the proxy's security policy.

The advantage of the application proxy gateway is that it can check protocol characteristics at the application, transport and network layers, so its ability to inspect packets is relatively strong.

The shortcomings are also very prominent, mainly including:

  • Hard to configure. Since each application needs its own proxy process, the administrator must understand the weaknesses of every application protocol and configure the security policy accordingly. The configuration is cumbersome and hard to understand, so configuration errors are likely, which ultimately hurts the security of the intranet.
  • Slow. Terminating every connection and re-establishing it from the firewall can in theory make the application proxy firewall very secure, but in practice it does not hold up: for every web access from the intranet the proxy has to open a separate proxy process, and to protect the intranet's web servers, database servers, file servers, mail servers and business applications a service proxy must be set up for each of them to handle client requests. The processing delay becomes very large, and ordinary web access from intranet users cannot be answered in time.

In short, application proxy firewalls cannot support large numbers of concurrent connections, which is disastrous in speed-sensitive industries. In addition, the firewall core needs pre-built proxies for known applications, so newer applications get blocked by the proxy firewall, which cannot support them well.

In IT, new applications, technologies and protocols appear one after another, and proxy firewalls struggle to keep up. In important fields and core business applications, proxy firewalls have therefore gradually been phased out.

However, the emergence of adaptive proxy technology has given application proxy firewalls a new lease of life. It combines the security of the proxy firewall with the speed of the packet filter, reportedly improving the performance of the proxy firewall by around ten times without losing security.

Stateful inspection firewall

A stateful inspection firewall keeps the advantages of the simple packet filter (good performance and transparency to applications) and greatly improves security on that basis. It drops the simple packet filter's weakness of examining only the packets entering and leaving the network without regard to the connection they belong to. A connection state table is maintained in the core of the firewall, and data entering and leaving the network is treated as events against that table. One could say that the stateful packet filter regulates behaviour at the network and transport layers, while the application proxy firewall regulates the behaviour of specific application protocols.

Data on the Internet follows TCP/IP. In TCP, every reliable connection is established in three steps: the client's synchronisation request (SYN), the server's response (SYN/ACK) and the client's reply (ACK). Web browsing, file downloads, e-mail and so on all go through these three steps. This shows that packets are not independent: there is a tight state relationship between them, and stateful inspection was introduced to track exactly those state changes.

The stateful inspection firewall drops the packet filter's weakness of examining only a few header fields such as the IP address while ignoring changes in connection state. A connection state table is maintained in the core of the firewall, traffic entering and leaving the network is treated as sessions, and the table tracks the state of each session. Each packet is checked not only against the rule table but also against whether it fits the state of its session, which gives complete control at the transport layer.

One challenge for gateway firewalls is the volume of traffic they can handle. Stateful inspection greatly improves security and also improves throughput: it uses a series of optimisations that boost firewall performance, so it can be applied in all kinds of network environments, especially large networks with complex rule sets.

Any high-performance firewall uses stateful inspection.
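To make the difference between the two approaches concrete, here is an added example in Python (written for this editing pass, not code from the original article): a toy packet filter that judges each packet on its own headers, beside a toy stateful filter that keeps a connection table. The intranet prefix 10.0.0.0/8, the addresses and the packet sequence are constructed for the example. The traffic contains a legitimate outbound HTTPS handshake followed by an outside attacker's ACK-flagged probe to an internal SSH port, which is the "response packet" case from flaw 3 in the packet filtering section above.

```python
"""Stateless packet filter vs. stateful inspection on constructed packets.
Added example for this article; the addresses and traffic are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags as strings, e.g. frozenset({"SYN", "ACK"})


SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


def is_inside(ip: str) -> bool:
    """Hypothetical intranet: 10.0.0.0/8."""
    return ip.startswith("10.")


def stateless_filter(pkt: Packet) -> str:
    """Plain packet filter: each packet judged on its own headers.
    Policy: inside may open TCP outward, nothing may be opened inward.
    Without memory of earlier packets, the only way to let replies back in
    is to accept any inbound packet that carries the ACK flag."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "ACCEPT"
    if not is_inside(pkt.src) and is_inside(pkt.dst) and "ACK" in pkt.flags:
        return "ACCEPT"  # assumed to be a reply to something we sent
    return "DROP"


class StatefulFilter:
    """Stateful inspection: the rule table is consulted only for the first
    packet of a flow; every later packet is matched against the state table."""

    def __init__(self):
        # key: (src, sport, dst, dport) as seen from the initiator -> state
        self.table = {}

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:                    # initiator -> responder
            if "RST" in pkt.flags:
                del self.table[fwd]              # connection torn down
            return "ACCEPT"
        if rev in self.table:                    # responder -> initiator
            state = self.table[rev]
            if state == "SYN_SENT" and pkt.flags == SYN_ACK:
                self.table[rev] = "ESTABLISHED"
                return "ACCEPT"
            if state == "ESTABLISHED":
                if "RST" in pkt.flags:
                    del self.table[rev]
                return "ACCEPT"
            return "DROP"                        # packet does not fit the flow's state
        # No entry: consult the rules. Only an outbound SYN may create a flow.
        if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.flags == SYN:
            self.table[fwd] = "SYN_SENT"
            return "ACCEPT"
        return "DROP"


# Constructed traffic (not captured): an outbound HTTPS handshake from an
# intranet host, then an outside attacker probing the host's SSH port with an
# ACK-flagged packet that looks like a reply, then a plain inbound SYN.
TRAFFIC = [
    Packet("10.0.0.5", 51234, "203.0.113.10", 443, SYN),       # client SYN
    Packet("203.0.113.10", 443, "10.0.0.5", 51234, SYN_ACK),   # server SYN/ACK
    Packet("10.0.0.5", 51234, "203.0.113.10", 443, ACK),       # client ACK
    Packet("198.51.100.7", 40000, "10.0.0.5", 22, ACK),        # ACK probe to SSH
    Packet("198.51.100.7", 40001, "10.0.0.5", 22, SYN),        # SYN to SSH
]


def run(decide, packets):
    """Apply a decision function to a packet sequence, in order."""
    return [decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless", run(stateless_filter, TRAFFIC))
    print("stateful ", run(StatefulFilter().decide, TRAFFIC))
```

The stateless filter accepts the probe because "ACK set" is its only way of recognising return traffic; the stateful filter drops it because no tracked flow matches. The SYN/ACK reaching ephemeral port 51234 is accepted only because the outbound SYN created a table entry, which is what "dynamically opening ports above 1024" means in practice. One caveat that applies to real connection tracking too: a packet that spoofs the exact 4-tuple of a tracked flow still passes unless sequence numbers are also validated.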

A composite firewall is a newer generation that integrates stateful inspection with a transparent proxy. It is typically built on an ASIC architecture and folds anti-virus and content filtering into the firewall, along with VPN and IDS functions. This multi-function integration is a new step: conventional firewalls cannot stop attacks hidden inside otherwise permitted traffic, whereas a composite firewall scans the application layer at the network interface and combines anti-virus, content filtering and firewalling. It performs OSI layer-7 content scanning at the network boundary and deploys application-layer protections such as virus protection and content filtering in real time at the network edge.

Comparison of four types of firewalls

  • Packet filtering firewall: does not inspect the data area, keeps no connection state table, treats each packet as unrelated to those before and after it; application-layer control is weak.
  • Application gateway firewall: does not inspect the IP and TCP headers, keeps no connection state table; network-layer protection is relatively weak.
  • Stateful inspection firewall: does not inspect the data area, keeps a connection state table, correlates packets before and after one another; application-layer control is weak.
  • Composite firewall: can inspect the entire packet, keeps a connection state table as needed, strong network-layer protection and fine application-layer control, but weak session control.

What is a proxy

Personally, I think of a proxy as more of a concept: it does extra things for you, things you may not be able to do yourself (such as reaching foreign resources) or things you delegate to it (such as caching recently visited content).

Proxies can also work at different layers of the network. At the application layer, for example, you can direct the HTTP requests of one application to a specified port; lower down, you can direct the IP packets of the whole system to a server.

**So from this perspective, a firewall is also a type of proxy**, at least the application-proxy kind described above, which relays every connection on the client's behalf.

Proxies are also divided into forward proxies and reverse proxies, and they have many other functions, but these functions are not their essence. Their essence is to do something for you; anything that fits that description is a proxy. How it does it, at which layer, and what exactly it does divide proxies into many different types.

Several common functions of proxies

  • Breaking through IP restrictions. This is the function we hear about most. An IP restriction blocks requests to or from certain addresses, the most famous example being our Great Firewall. But we also know it is impossible to run a large intranet with no connection to any foreign network at all, so there must be some server outside that is still reachable from inside the wall. **We only need to find such a server**, call it A, and run a service on it. Locally, we take the request we want to make to a service outside the wall, headers and all, encrypt it, and wrap it as the payload of a new packet addressed to A. The firewall only sees a packet whose header says it is going to A and lets it through; even if it pulls out the payload it cannot analyse the behaviour, because the payload is encrypted. When the packet arrives at A, our service decrypts it, sees that it is really a request for some other service, makes that request on our behalf, encrypts and wraps the result in the same way, and sends it back, where our local service decrypts it.
  • Accessing internal resources of an organisation, such as a university's FTP server (provided the proxy address is within the range the resource allows). Using a free proxy server in the education network's address range, you can download from and upload to the various FTP servers open to the education network, and use its data-query and sharing services.
  • Breaking through China Telecom's IP blocks: China Telecom users find many websites inaccessible. These blocks are artificial, and different providers block different addresses, so if you cannot reach a site, try switching to a foreign proxy server.
  • Improving access speed: proxy servers are usually set up with a large disk cache. External content passing through is saved in the cache, and when another user requests the same content it is served straight from the cache, which improves access speed.
  • Hiding the real IP: users can also hide their own IP address this way so that it is not directly exposed to attack.

Proxies at different layers use different protocols: HTTP proxies handle HTTP specifically, while lower-level proxies such as SOCKS relay arbitrary TCP connections (and, with SOCKS5, UDP) without interpreting the application protocol.

What is VPN?

**Many people think of a VPN as a tool for circumventing the wall, but that is not what it is.** Circumvention is not its main function, although it can be used for that. VPN stands for virtual private network, and **its function is to build a private network on top of a public one for encrypted communication.** It is widely used in corporate and university networks. When you connect to a VPN you are joining a private network, and your traffic leaves through that network's exit. Whether the traffic between you and the VPN is encrypted depends on the protocol used to connect.

In fact, once you have connected to a VPN you are assigned an IP address belonging to the VPN's network. If you find you can reach Google but your machine's own address is unchanged, you are only forwarding traffic through a proxy. If your address has changed, you have joined a virtual private network through the VPN and obtained an internal address of that network; that address is valid only inside it, so all your traffic must first be sent into that network and forwarded from there.

So in theory, if your company intranet cannot reach some website and you route all your traffic through the company VPN, then you cannot reach it either.

**The SS and SSR we hear about are not VPNs. SS and SSR work on the same principle: a SOCKS5 proxy.** A SOCKS proxy relays the bytes of a connection without caring which application protocol they carry, so it is faster and more general than application-layer proxies such as an HTTP proxy. The local client exposes a SOCKS5 port on your machine; your applications hand it their connections, it forwards them over its own encrypted channel to the server, and the server makes the real request to the destination. There is no virtual network interface and no new IP address on your machine: the packets simply go to the proxy server and the replies come back from it. In plain terms, suppose you have a server in Hong Kong. When you want to reach Google, your computer sends the request to the Hong Kong server over the SOCKS5 connection, the Hong Kong server accesses Google, and the result is sent back to your computer. That is the whole of the circumvention.
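The SOCKS5 exchange described above, as an added example written for this page rather than code taken from the shadowsocks project: both halves of the CONNECT handshake from RFC 1928 are built and parsed in memory in Python, with no sockets opened. The target www.google.com:443 and the proxy's bind address are constructed values.

```python
"""SOCKS5 CONNECT handshake (RFC 1928), both sides, in memory.
Added example for this article; no network connections are made."""
import socket
import struct

SOCKS_VER = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
METHOD_NOAUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
REP_SUCCEEDED = 0


def client_greeting(methods=(METHOD_NOAUTH,)) -> bytes:
    """VER | NMETHODS | METHODS..."""
    return bytes([SOCKS_VER, len(methods), *methods])


def server_method_choice(greeting: bytes) -> bytes:
    """VER | METHOD. 0xFF tells the client no offered method is acceptable."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VER:
        raise ValueError("malformed greeting")
    n = greeting[1]
    methods = greeting[2:2 + n]
    if len(methods) != n:
        raise ValueError("malformed greeting")
    chosen = METHOD_NOAUTH if METHOD_NOAUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VER, chosen])


def encode_address(host: str) -> bytes:
    """ATYP + DST.ADDR: IPv4, IPv6, or a length-prefixed domain name."""
    try:
        return bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        pass
    try:
        return bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
    except OSError:
        pass
    raw = host.encode("idna")
    if not 1 <= len(raw) <= 255:
        raise ValueError("domain name length must fit in one byte")
    return bytes([ATYP_DOMAIN, len(raw)]) + raw


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (network byte order)."""
    return bytes([SOCKS_VER, CMD_CONNECT, 0]) + encode_address(host) + struct.pack("!H", port)


def parse_request(data: bytes):
    """Server side: returns (cmd, host, port); raises ValueError if malformed."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0:
        raise ValueError("bad request header")
    cmd, atyp, pos = data[1], data[3], 4
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, data[pos:pos + 4]); pos += 4
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, data[pos:pos + 16]); pos += 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < pos + 1:
            raise ValueError("truncated request")
        n = data[pos]
        host = data[pos + 1:pos + 1 + n].decode("idna"); pos += 1 + n
    else:
        raise ValueError("unknown ATYP")
    if len(data) != pos + 2:
        raise ValueError("length mismatch")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return cmd, host, port


def server_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return bytes([SOCKS_VER, rep, 0]) + encode_address(bind_host) + struct.pack("!H", bind_port)


def simulate_connect(host: str, port: int) -> dict:
    """Run client and proxy in memory and return what the proxy learned.
    After the reply, raw application bytes would simply be relayed both ways."""
    choice = server_method_choice(client_greeting())
    if choice[1] != METHOD_NOAUTH:
        raise RuntimeError("proxy rejected our auth methods")
    req = connect_request(host, port)
    cmd, seen_host, seen_port = parse_request(req)
    if cmd != CMD_CONNECT:
        raise RuntimeError("only CONNECT is handled here")
    return {"request": req, "proxy_sees": (seen_host, seen_port),
            "reply": server_reply(REP_SUCCEEDED)}


if __name__ == "__main__":
    print(simulate_connect("www.google.com", 443))
```

The point worth noticing is that the destination (host name or IP address, plus port) travels in cleartext in the CONNECT request, and nothing in SOCKS5 encrypts the relayed bytes afterwards. That is why ss-local only speaks SOCKS5 to the applications on your own machine and uses its own encrypted protocol towards ss-server; a bare SOCKS5 proxy exposed across the wall would let the firewall read exactly where you are going.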

Differences, advantages and disadvantages of vpn and ss/ssr

From the description above, the difference between a VPN and ss/ssr should already be clear, as should their respective strengths and weaknesses.

**Because a VPN is a dedicated channel built to carry encrypted enterprise data, its traffic characteristics are very obvious.** Taking OpenVPN as an example (without going into detail here), the firewall can analyse the traffic directly and block it as soon as the characteristics match. At present, as far as the wall is concerned, PPTP VPNs are basically dead (PPTP's MS-CHAPv2 authentication is also cryptographically broken, so it should not be relied on for confidentiality in any case), and L2TP suffers heavy interference in most places and is unstable.

**The purpose of ss/ssr is to get through the wall, while the purpose of a VPN is to protect enterprise data. For a VPN, security comes first; for ss/ssr, penetrating the firewall comes first.** ss/ssr is built to resist interference and to obfuscate its traffic, so that when it passes the firewall it is classified as ordinary traffic: you get through the wall without the traffic being recognised as circumvention (detection on the other side keeps improving, so this is a design goal rather than a guarantee). The starting points and priorities of the two are different; ss/ssr puts more emphasis on obfuscating and encrypting its traffic. If you want to browse safely and anonymously, use VPN + Tor or ss/ssr + Tor.

On security, one more point: for domestic VPN providers it is very easy for the government to obtain the server logs, and if that happens, everything you did over the wall is visible at a glance.

What is a gateway?

In computer networking, a gateway is a router between two different networks, that is, the exit of a local area network. For example, each of us has a router at home with many devices connected to it. The router assigns each device an intranet IP address, and every request from those devices has to pass through the router to reach anything outside the intranet, so the router is the gateway of those devices.

The most basic function of a gateway was originally protocol conversion. For example, to request a resource on an FTP server over HTTP, the request is first sent to the gateway in front of the FTP server; the gateway translates the request into FTP, fetches the file, wraps it in an HTTP response body and returns it to the client.

An API gateway should also be regarded as a gateway. Originally an HTTP request just fetched web resources, but with our own API we can route the request to different services or apply different processing.

A gateway should also be considered a proxy, but it is the unified entrance to a service or LAN, and many functions can be integrated into it: rate limiting, load balancing, reverse proxying and so on.

Summary

To sum up, a proxy is something that does work on your behalf: a caching layer, traffic forwarding, or encrypting your data are all forms of proxying. HTTPS is sometimes described as a kind of local proxy: it encrypts your HTTP data with TLS before handing it to the IP layer. Strictly speaking it is not a proxy, since the packets still go straight to the destination, but the effect on a content-filtering firewall is similar: if the firewall only filters by analysing the content of your request, HTTPS hides that content from it. It does not hide the destination IP address or, unless Encrypted Client Hello is in use, the server name in the TLS handshake, so blocking by address or server name still works.
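To show what a firewall can and cannot read once HTTP is wrapped in TLS, here is an added Python example (not from the original article): it constructs a minimal TLS ClientHello carrying a Server Name Indication extension and then parses it the way a content-filtering middlebox would. The server name www.google.com and the single cipher suite are constructed values; the random field is freshly generated on each run.

```python
"""What a firewall sees in HTTPS: the plaintext ClientHello and its SNI.
Added example for this article; the ClientHello is constructed, not captured."""
import os
import struct


def build_client_hello(server_name: str) -> bytes:
    """Minimal ClientHello record with one cipher suite and one SNI extension.
    Real browsers send many more fields, but the layout is the same."""
    name = server_name.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name                 # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = b"\x00\x00" + struct.pack("!H", len(name_list)) + name_list  # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + os.urandom(32)   # legacy_version TLS 1.2, 32-byte random
            + b"\x00"                       # empty session_id
            + b"\x00\x02\x13\x01"           # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                   # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake


def extract_sni(record: bytes):
    """Return the host_name from a plaintext ClientHello, or None if the record
    is not a ClientHello, carries no SNI, or is truncated. Without the session
    keys this server name is all a middlebox can read about the HTTP inside."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                    # not a handshake record
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                    # not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                   # version + random
        pos += 1 + body[pos]                           # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + cs_len
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # no extensions block at all
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if etype == 0:                             # server_name extension
                p = pos + 2                            # skip server_name_list length
                while p + 3 <= pos + elen:
                    ntype = body[p]
                    (nlen,) = struct.unpack("!H", body[p + 1:p + 3])
                    if ntype == 0:
                        return body[p + 3:p + 3 + nlen].decode("idna")
                    p += 3 + nlen
            pos += elen
    except (IndexError, struct.error, UnicodeError):
        return None                                    # truncated or malformed
    return None


def firewall_view(record: bytes) -> str:
    """Classify one TLS record the way a content-filtering firewall could."""
    if record[:1] == b"\x17":
        return "application data (encrypted, content unreadable)"
    name = extract_sni(record)
    return f"ClientHello for {name}" if name else "unrecognised"


if __name__ == "__main__":
    hello = build_client_hello("www.google.com")
    print(firewall_view(hello))
    print(firewall_view(b"\x17\x03\x03\x00\x05" + b"\x00" * 5))
```

The ClientHello is the one handshake message that has to be sent before any keys exist, so a firewall that cannot read your HTTP request can still read the server name from it and block on that. A proxy or VPN changes this picture only because the firewall then sees a handshake with the proxy endpoint instead of with the site you are actually visiting.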

A VPN, a virtual private network, is really a way to join an intranet. Once you connect, your machine is assigned an IP address from that intranet, and that address is valid only inside it. But do not worry: if you choose a global route, all your traffic is encapsulated by the VPN client and forwarded to the VPN server inside that intranet, which unpacks it, sees the real request and forwards it on. So a VPN also goes through a server, acting as a forward proxy for you.

The SS and SSR we usually use are just proxies, not VPNs. Their most basic principle is traffic forwarding: since we cannot be completely cut off from the outside, as long as we find a server that is not blocked we can send all our traffic to it and have it make the requests on our behalf.

From the perspective of circumvention, both VPNs and proxies can get through the wall. The difference is that a VPN uses tunnelling to build a dedicated channel between you and the server and then assigns you an IP address; all your traffic is sent to that server, which uses the assigned address to reach the destination. It feels as if your computer were plugged into the company intranet. A proxy such as SS just forwards on your behalf; your IP address does not change, but you need to find a server that is reachable from inside the country, rent it, and run a service on it that forwards your traffic.

A gateway can be regarded as an enhanced proxy that integrates many functions, such as protocol conversion and load balancing.

The above is the author’s understanding of the relationship between gateways, VPNs, proxies, etc.