Brief Introduction to Firewall Technology of iMAX Wireless System

Guoxin Longxin's iMAX Wireless System is built around Wireless Metropolitan Area Network (WMAN) technology. Some of its product series already offer expansion into Wireless Local Area Network (WLAN) and Wireless Wide Area Network (WWAN), and IoT data collection and control functions are planned. Compared with wireless bridge products and other WiFi-based devices from competitors, the iMAX Wireless System offers ultra-long-distance communication, high capacity, high quality and high reliability, together with a number of technical advantages such as support for a wide range of routing technologies and a built-in firewall. These strengths place the iMAX Wireless System among the leading solutions in the field of "wireless private networks" (a term the industry sometimes uses interchangeably with "wireless ad hoc networks", although a private network need not be an ad hoc network).
This article introduces the firewall technology of the iMAX 5G Wireless System so that Guoxin Longxin's industry partners can make better use of it to improve network security and reliability, prevent cyber attacks, and manage and control their networks.

I. What is a Firewall

A firewall is a system of hardware and software deployed at a network boundary, where it is the controlled connection point between an internal network and an external one. It inspects the traffic crossing that boundary and, according to a policy, blocks unwanted connections and the spread of malicious code, so that the data inside the protected network stays secure. Simply put, a firewall is a policy-enforcement point that keeps unauthorized traffic away from your hosts; it is one component of network security, not a guarantee of it.
It isolates the internal network from the external network and restricts access between them. A firewall can be implemented on a router, on a single host, or as a dedicated screening subnet. The purpose of a firewall is to give the internal and external networks a single, controlled channel between them (a choke point), which makes security management easier to reason about and to audit.
A firewall monitors the traffic entering and leaving the network, allowing only what the policy authorizes and blocking what it does not. The analogy is a city guard: when the city is on alert, known citizens are let in, and everyone else is screened at the gate so that nobody slips through unchecked.
The role of a firewall is to prevent unwanted, unauthorized communication from entering or leaving the protected network and, because it can only enforce a policy that has been written down, to force organizations to define and strengthen their network security policies.

II. Functions of a Firewall

Firewalls are used above all where a large network connects to an external network, especially the Internet. A LAN with no external connection needs a perimeter firewall less urgently, although internal access control still matters (see the end of this section). Firewalls are necessary for remote access and cross-regional interconnection, and for the private networks of government agencies and enterprises with specific security level requirements. The protection works because every access must first pass the firewall's verification and filtering before it reaches the target computers and servers, which stops intruders at the boundary.
Firewalls have five basic functions:
  1. Filter traffic entering and leaving the network, so that intruders cannot reach protected hosts or key data devices.
  2. Control access to and from the network, keeping outsiders off the internal network and filtering out unsafe services and unauthorized users.
  3. Block prohibited services and restrict users from reaching specific sites.
  4. Log the traffic that passes through the firewall, so that intrusions leave a visible trail.
  5. Detect and alert on network attacks, which supports the monitoring of network security, especially at the Internet boundary.
In summary, firewalls exist to improve the security of users' networks, data and applications. When Guoxin Longxin designs firewall policies for users, it often finds that government and enterprise clients have weak security awareness; some even use "whether a product is domestically made" as their sole criterion for judging its security. Yet fortresses are most easily breached from the inside. Even an internal office network should have user groups and policies customized to actual business needs, unauthorized access blocked, abnormal behaviour logged, and the damage an insider can do minimized.

III. Brief Introduction to Firewall Technology of iMAX Wireless Systems

One of the most important functions of a firewall is filtering. Filters allow or block specific packets in one of three positions: packets forwarded through the device to the local network, packets originating from the device itself, and packets addressed to the device itself (conventionally the forward, output and input chains). The filtering functions of the iMAX Wireless System are divided into Layer 2 filtering (bridge filters) and Layer 3 and above filtering (IP firewall filters), with support for Layer 7 protocol filtering.
It is important to emphasize that ACL (Access Control List) technology, built into many switches and routers, is often confused with firewall technology. As the name suggests, an ACL controls packets by matching them against a list, typically per packet and without connection state; a firewall adds higher-level policy control such as connection tracking (stateful inspection), NAT and application-layer matching. From a deployment perspective, firewall functionality usually requires a dedicated firewall software package, whereas ACLs are part of the core system software of switches and routers. In practice, ACLs are often regarded as a subset of firewall functionality.

1. Typical Applications of the Filter Function in iMAX Wireless Systems

The typical applications of the filter function in iMAX Wireless Systems include, but are not limited to, the following examples:
  1. Device Management Restrictions: In one project, Hsinchu Technology's iMAX Wireless Metropolitan Area Network (WMAN) system carries video backhaul. To keep the network secure and prevent unauthorized intrusion, firewall filtering is configured on the iMAX WMAN system so that the Customer Premises Equipment (CPE) cannot be remotely managed from the Base Station (BS) side.
  2. Network "Isolation" for Different Services: In one project, both video data and PLC data must communicate with the control center. To prevent the two from interfering with each other, a firewall is configured on the CPE side to isolate the two types of traffic: video and PLC hosts cannot reach each other, while both keep their communication with the command center.
  3. "One-Way" and Omni-Directional Allocation for Remote Access: A chain restaurant has many branches. The network video surveillance, integrated chain management system and employee attendance management system of each branch must send data back to headquarters. Building a virtual private network (VPN) over the Internet with Hsinchu Technology's "cloud exchange + hardware VPN" approach is the most cost-effective solution. A VPN built over the Internet still needs protection, in particular against unauthorized intrusion, malware, DoS attacks and attacks on databases, and that protection comes from the firewall. It is configured to allow only the ports used by video surveillance, the integrated management system and the attendance management system, and to block all other traffic (a default-deny policy).
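The three applications above, as an added example in Python that is not iMAX code and does not use the iMAX CLI: a small chain-based packet filter with connection tracking. The subnets, ports and rule sets are assumed for illustration. It shows why an "established" rule comes first (replies to accepted flows pass, unsolicited packets in the reverse direction do not) and why the default policy is drop.

```python
"""Chain-based packet filter with connection tracking.

Added example (not iMAX code). It models the three places a filter acts
(input: traffic to the device itself, forward: traffic through the device,
output: traffic from the device), first-match rule evaluation with a
default drop, and a connection table so replies to accepted flows are let
back in. All addresses, ports and rule sets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Packet:
    chain: str          # "input", "forward" or "output"
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                           # "accept" or "drop"
    src: Optional[str] = None             # CIDR, None = any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dports: FrozenSet[int] = frozenset()  # empty = any port
    state: Optional[str] = None           # "new", "established" or None = any

    def matches(self, p: Packet, state: str) -> bool:
        if self.chain != p.chain:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.state and self.state != state:
            return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = set()   # originator 5-tuples of accepted flows

    def state_of(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)   # reply direction
        return "established" if fwd in self.conns or rev in self.conns else "new"

    def decide(self, p: Packet) -> str:
        state = self.state_of(p)
        verdict = "drop"                  # default policy: deny what no rule accepts
        for r in self.rules:              # first matching rule wins
            if r.matches(p, state):
                verdict = r.action
                break
        if verdict == "accept" and state == "new":
            self.conns.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


# Application 1: the CPE accepts management sessions only from its local LAN
# (192.168.10.0/24, assumed); nothing from the BS/wireless side reaches the
# management ports. The established rule comes first so replies pass.
def cpe_management_rules():
    return [
        Rule("input", "accept", state="established"),
        Rule("input", "accept", src="192.168.10.0/24", proto="tcp",
             dports=frozenset({22, 443})),
        Rule("input", "drop"),
    ]


# Application 2: video (192.168.20.0/24) and PLC (192.168.30.0/24) segments,
# both assumed, reach the control centre (10.10.0.0/24) but never each other.
def service_isolation_rules():
    return [
        Rule("forward", "accept", state="established"),
        Rule("forward", "drop", src="192.168.20.0/24", dst="192.168.30.0/24"),
        Rule("forward", "drop", src="192.168.30.0/24", dst="192.168.20.0/24"),
        Rule("forward", "accept", src="192.168.20.0/24", dst="10.10.0.0/24"),
        Rule("forward", "accept", src="192.168.30.0/24", dst="10.10.0.0/24"),
        Rule("forward", "accept", src="10.10.0.0/24"),
    ]


# Application 3: HQ accepts from the branch VPN range (10.200.0.0/16) only the
# assumed service ports 554 (RTSP video), 8443 (management) and 9000
# (attendance). Everything else, including SSH to HQ servers, hits the
# default drop.
def hq_ingress_rules():
    return [
        Rule("forward", "accept", state="established"),
        Rule("forward", "accept", src="10.200.0.0/16", dst="10.1.0.0/24",
             proto="tcp", dports=frozenset({554, 8443, 9000})),
    ]
```

The rule sets are evaluated top to bottom and the first match decides, so ordering is part of the policy: in the isolation set the two drop rules must sit above the accept rules, and in every set the established rule sits at the top so that a reply is never evaluated against rules written for new connections.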
The filtering function of the iMAX Wireless System is powerful and flexible. For example:
  • Layer 7 protocol matching can block hosts in the 192.168.10.0/24 segment from using MSN and QQ.
  • Downloads of files with extensions such as .mp3, .mp4 and .avi from the 192.168.1.0/24 segment can be blocked during working hours, by adding a time condition to the rule. Layer 7 matching works on packet payload, so it cannot classify traffic that is encrypted end to end; such traffic has to be controlled by address, port or connection rules instead.
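The two bullets above, as an added example in Python that is not iMAX code: a Layer 7 rule runs a regular expression over the first bytes of a flow's payload, and an optional working-hours window decides whether the rule is active. The payload signatures, the second subnet's hours and the sample payloads are constructed; the signatures real products use for MSN and QQ are not reproduced, a hypothetical messenger host name stands in for them.

```python
"""Layer 7 signature matching with a time window.

Added example (not iMAX code). Signatures, hours and sample payloads are
constructed for illustration.
"""
import re
from datetime import time
from ipaddress import ip_address, ip_network

INSPECT_BYTES = 2048   # L7 matchers look only at the start of a flow

# Constructed signature: an HTTP request for a media file.
MEDIA_DOWNLOAD = re.compile(
    rb"^(GET|HEAD) [^ \r\n]*\.(mp3|mp4|avi)(\?[^ \r\n]*)? HTTP/1\.[01]\r\n",
    re.IGNORECASE)
# Constructed stand-in for an instant-messaging signature: the HTTP Host
# header of a hypothetical messenger service.
MESSENGER = re.compile(rb"\r\nHost: [a-z0-9.-]*messenger\.example\r\n",
                       re.IGNORECASE)


def clock(hour: int, minute: int = 0) -> time:
    """Convenience for building a time of day."""
    return time(hour, minute)


class L7Rule:
    def __init__(self, src_net, pattern, action="drop", start=None, end=None):
        self.net = ip_network(src_net)
        self.pattern = pattern
        self.action = action
        self.start, self.end = start, end   # datetime.time bounds, or None

    def active_at(self, now: time) -> bool:
        if self.start is None:
            return True
        return self.start <= now < self.end  # same-day window

    def matches(self, src: str, payload: bytes, now: time) -> bool:
        if ip_address(src) not in self.net:
            return False
        if not self.active_at(now):
            return False
        return self.pattern.search(payload[:INSPECT_BYTES]) is not None


def decide(rules, src: str, payload: bytes, now: time) -> str:
    """First matching rule wins; traffic no rule matches is accepted."""
    for r in rules:
        if r.matches(src, payload, now):
            return r.action
    return "accept"


# The two bullets as rules: subnets as given, working hours assumed 09:00-18:00.
RULES = [
    L7Rule("192.168.10.0/24", MESSENGER),
    L7Rule("192.168.1.0/24", MEDIA_DOWNLOAD, start=clock(9), end=clock(18)),
]

# Constructed sample payloads.
HTTP_MP3 = b"GET /music/track01.mp3 HTTP/1.1\r\nHost: files.example\r\n\r\n"
HTTP_PAGE = b"GET /index.html HTTP/1.1\r\nHost: files.example\r\n\r\n"
HTTP_IM = b"POST /login HTTP/1.1\r\nHost: login.messenger.example\r\n\r\n"
# A TLS ClientHello: the request line and Host header are inside the
# encrypted record, so a payload signature cannot see them.
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
```

The last sample is the caveat in practice: the same download over HTTPS produces the `TLS_HELLO` bytes instead of a readable request line, and the media rule never fires, which is why a Layer 7 policy needs address and port rules behind it.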

2. Other Firewall Functions of iMAX Wireless Systems

In addition to filtering functions (filtering by source MAC, IP address, port, IP protocol, and interface; P2P protocol filtering; source and destination NAT, etc.), the iMAX Wireless System can also mark internal data packets and connections, perform ToS byte analysis, content filtering, and priority setting. It can further implement functions such as traffic frequency and time control, and packet length control.

1) IP Address Masquerading

IP masquerade is another important function of the iMAX Wireless System's firewall. Masquerade ("address masquerading") is a form of source NAT. When a host with the masquerade function is connected to an external network, the computers behind it can also reach that network even though they have no public IP address of their own: their packets leave with the gateway's address, so from outside it appears that only the gateway is using the Internet. The protection this gives comes from the translation table: an inbound packet that matches no existing mapping has no private host to go to and is dropped, so the hosts behind the gateway cannot be addressed directly from outside. Masquerade complements packet filtering rather than replacing it; it hides addresses, but by itself it neither inspects nor restricts what the internal hosts initiate.
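The translation behaviour described above, as an added example in Python that is not iMAX code: a masquerade table that rewrites outbound packets to the gateway's public address and a fresh source port, maps returning packets back to the originating private host, and drops inbound packets that match no mapping. The addresses and ports are constructed.

```python
"""Masquerade (source NAT) with a translation table.

Added example (not iMAX code). Addresses and ports are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Masquerade:
    def __init__(self, public_ip: str, first_port: int = 10000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (proto, src, sport, dst, dport) -> public port
        self.back = {}   # (proto, public port, dst, dport) -> (src, sport)

    def outbound(self, p: Pkt) -> Pkt:
        """Private -> external: allocate (or reuse) a public port."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.out.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(p.proto, port, p.dst, p.dport)] = (p.src, p.sport)
        return Pkt(self.public_ip, port, p.dst, p.dport, p.proto)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """External -> gateway: undo the translation, or None if dropped."""
        if p.dst != self.public_ip:
            return None
        origin = self.back.get((p.proto, p.dport, p.src, p.sport))
        if origin is None:
            return None     # unsolicited: no private host is addressable
        src, sport = origin
        return Pkt(p.src, p.sport, src, sport, p.proto)
```

Two hosts using the same source port get distinct public ports, a reply is mapped back only because the matching outbound packet was seen first, and a packet aimed at the public address on a port nobody opened has no entry and is discarded.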

2) Data Packet Marking and Analysis

Mangle is a packet-analysis function, commonly referred to as "marking", although marking is only part of what it does. The literal meaning of "mangle" is to crush or tear; in the iMAX Wireless System it means opening a packet up, examining it and, where required, rewriting fields before sending it on. Through mangle rules, key information in a packet is read and the packet is then reclassified, marked, or has some of its parameters modified. The common classifications of the mangle function and their corresponding actions are as follows:
  • Analysis monitoring: Monitor data packets that match the rules without performing other operations on them.
  • Analysis marking: Mark data packets that match the rules by adding a tag.
  • Analysis adjustment: Unpack and modify data packets that match the rules, then repackage them.
It should be noted that the Quality of Service (QoS) and Type of Service (ToS, today usually carried as the DSCP field) functions are used together with this technology: a mark set in mangle is what a queue or traffic shaper later uses to decide how to treat the packet.
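The marking and QoS linkage described above, as an added example in Python that is not iMAX code: a classification rule runs only on the first packet of a connection and records a connection mark; every later packet of that connection, in either direction, inherits the mark without being re-matched, and the mark is turned into a DSCP value and a queue priority. The subnets, the PLC port and the class table are assumptions; the DSCP code points EF (46), AF41 (34) and default (0) are the standard values.

```python
"""Mangle-style marking: connection mark once, packet mark inherited.

Added example (not iMAX code). Subnets, ports and the class table are
constructed; the DSCP code points are the standard ones.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VIDEO_NET = ip_network("192.168.20.0/24")   # assumed video camera segment
PLC_PORTS = {502}                           # assumed PLC protocol (Modbus/TCP)

# class -> (DSCP, queue priority; lower number is served first)
CLASSES = {"plc": (46, 1), "video": (34, 2), "bulk": (0, 8)}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def classify_new_connection(p: Pkt) -> str:
    """Runs once per connection, on its first packet."""
    if p.dport in PLC_PORTS:
        return "plc"
    if ip_address(p.src) in VIDEO_NET and p.proto == "udp":
        return "video"
    return "bulk"


class Mangle:
    def __init__(self):
        self.conn_marks = {}   # direction-independent flow key -> class

    @staticmethod
    def flow_key(p: Pkt):
        # The same key for both directions of a connection.
        ends = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        return (p.proto, ends)

    def handle(self, p: Pkt) -> dict:
        key = self.flow_key(p)
        mark = self.conn_marks.get(key)
        if mark is None:                    # first packet: set connection mark
            mark = classify_new_connection(p)
            self.conn_marks[key] = mark
        dscp, prio = CLASSES[mark]         # packet mark derived from connection mark
        return {"conn_mark": mark, "dscp": dscp, "priority": prio}


def dequeue_order(marked):
    """Order packets for transmission by the priority their mark gives them."""
    return sorted(marked, key=lambda m: m["priority"])
```

The reply from the PLC server is the point of connection marking: its destination port is the client's ephemeral port, so a per-packet rule keyed on port 502 would not recognise it, but it carries the connection's mark and is queued with the same priority as the request.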
In addition, the iMAX Wireless System supports IPv6 and therefore also provides an IPv6 firewall. IPv6 support is an important criterion when evaluating how current a network device is. Note that IPv6 rules must be written separately: an IPv4 policy gives no protection to IPv6 traffic.
A common Internet attack today is denial of service (DoS). One widespread form, the SYN flood, sends a continuous stream of TCP SYN requests that never complete the handshake, overloading the router or server: CPU usage reaches 100% and the router becomes slow to respond or unresponsive. Because the attacker sends large numbers of small SYN packets, every one of them is processed by the firewall (filter, NAT, mangle), and it is this per-packet work that overloads the router's CPU. Attackers may also use distributed infected hosts to launch DDoS (Distributed Denial of Service) attacks. There is no perfect defense that avoids DoS entirely, but its impact can be bounded; the usual measures are to rate-limit new connections per source address, to drop packets in an invalid connection state early in the rule set, and to cap the number of concurrent connections a single source may hold. The iMAX Wireless System implements DoS attack prevention through its firewall.
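Per-source rate limiting of SYN packets, the first of the measures above, as an added example in Python that is not iMAX code: each source address gets a token bucket that refills at a fixed rate up to a burst size, and a SYN is accepted only when a token is available. A client at a normal connection rate is never throttled, while a flooding source is dropped once its burst is spent, which bounds the per-packet work the rest of the firewall does on its traffic. The rate, burst and traffic sample are constructed.

```python
"""Per-source SYN rate limiting with a token bucket.

Added example (not iMAX code). Rate, burst and the traffic sample are
constructed.
"""
from collections import Counter


class SynLimiter:
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets = {}   # src -> (tokens, last_seen_ts)

    def allow(self, src: str, ts: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), ts))
        tokens = min(float(self.burst), tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            tokens -= 1.0
            ok = True
        else:
            ok = False                  # burst spent: this SYN is dropped
        self.buckets[src] = (tokens, ts)
        return ok


def run(limiter: SynLimiter, syns):
    """syns: iterable of (timestamp, source) for TCP SYN packets, in time
    order. Returns per-source Counters of accepted and dropped SYNs."""
    accepted, dropped = Counter(), Counter()
    for ts, src in syns:
        (accepted if limiter.allow(src, ts) else dropped)[src] += 1
    return accepted, dropped


def sample_traffic():
    """Constructed: one client opening a connection every 0.5 s for 10 s,
    and one source sending 1000 SYNs within one second."""
    legit = [(i * 0.5, "192.168.10.5") for i in range(20)]
    flood = [(i / 1000.0, "203.0.113.77") for i in range(1000)]
    return sorted(legit + flood)
```

With a rate of 10 SYNs per second and a burst of 20, the flooding source gets its first 20 packets through and then only about ten more over the second, while every one of the legitimate client's connections is accepted. The limiter is keyed on the source address, so it is only a partial answer to a distributed flood, where each bot stays under the limit; that case needs the connection-count and global limits mentioned above.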

IV. Final Remarks

Firewall technology is just one of the many security technologies of the iMAX Wireless System. Together with other security technologies—such as private communication protocols, wireless packetization, data encryption, VLAN (Virtual Local Area Network), and VPN (Virtual Private Network)—it forms the cornerstone of the iMAX Wireless System’s network security. For in-depth documentation on the security system of Guoxin Longxin’s wireless systems, please contact our technical staff; further details will not be covered here.
No matter how advanced device technology is, it requires support from the supplier’s technical capabilities. There is a well-known saying in the firewall industry: “A firewall without a ‘security policy’ is a ‘leaky wall’.” In other words, no matter how strong a firewall’s security capabilities are, the key lies in the customization of firewall security policies by the supplier’s technical staff based on specific scenarios. Although Guoxin Longxin is not a professional hardware firewall manufacturer, it has accumulated years of experience serving government and enterprise clients and has a deep understanding of users’ private network security needs. This enables it to customize the most suitable security policies for users to meet the network security requirements of different clients and scenarios.
This article does not elaborate on the data encryption, VLAN, and VPN technologies of the iMAX Wireless System, as these topics are covered in separate dedicated documents.
It can be said that when the iMAX Wireless Metropolitan Area Network System, with the security technologies above, is configured with security policies by Guoxin Longxin's professional technical staff, the remaining risk shifts largely to internal personnel. That risk too can be contained with comprehensive defensive measures: dividing workgroups through VLANs and giving each different network access permissions, blocking abnormal access through the firewall functions of routers and gateways, and managing network usage behaviour. With these in place it is very hard for an insider to cause significant damage.
From a security standpoint, a private network is easier to protect than a public one: a wireless private network exposes a smaller attack surface than services reached across the public Internet over 4G/5G, provided it is actually isolated and managed. Network security is not only a technical issue but also a management issue. In other words, if personnel cannot be properly managed and their network security awareness cannot be raised, even the best products and technologies will not help.
Enhancing users’ security awareness and building a comprehensive in-house security technology system are essential to ensuring network security, reliability, and stability. This has always been the goal and direction of Guoxin Longxin’s efforts.