[译]理解为什么防火墙聊胜于无

See why even a simple firewall is better than nothing
理解为什么防火墙聊胜于无

《endurer注：1。better than nothing聊胜于无》

by Jonathan Yarden
作者：Jonathan Yarden
翻译：endurer

Keywords: Firewalls | Security applications/tools | Internet | Security management

关键字：防火墙 | 安全应用程序／工具 | Internet | 安全管理
英文来源：http://techrepublic.com.com/5100-1009-6036812.html?tag=nl.e044

Takeaway:
Deciding which type of firewall to use depends on what you're trying to protect. In this edition of Internet Security Focus, Jonathan Yarden breaks down the differences between software and hardware firewalls, and he discusses situations in which advanced firewall features are necessary.
概述：
决定使用哪种防火墙取决于你要保护的是什么。在这期Internet安全焦点中，Jonathan　Yarden分解了软件防火墙和硬件防火墙的不同，并讨论了哪些高级防火墙特性是必要的。

《endurer注：1。break down 毁掉, 制服, 压倒, 停顿, 倒塌, 中止, 垮掉, 分解；打破(减轻,坍塌,彻底失败,精神不支,中止,把分解)
2。discuss a situation讨论局势》

As a systems administrator for an ISP, my primary function is to support several thousand customers by ensuring that equipment and services are operating correctly. Depending on the customer, this job can include maintaining on-site routing and firewall equipment, which can vary depending on the specific needs of the customer.

作为一名ISP（Internet服务提供者）的系统管理员，我的主要职责是确保设备和服务正常运行，为数千客户提供支持。这些工作取决于用户，可能包括维护所在地的路由和防火墙设备，它们可能因客户的特别需要而不同。
《endurer注：1。primary function主要职责；基函数, 原函数
2。on-site现场；所在地的》

When it comes to supplying Internet access, ISPs provision a single IP address or a subnet for their customers. Either way, I always suggest that anyone accessing the Internet protect systems with either a hardware or software firewall.

ISP提供Internet访问时，为客户提供一个单一IP地址或子网。总之，我一直建议任何人在硬件或软件防火墙下访问Internet保护系统。
《endurer注：1。either way 总之,两种情况都》

Of course, IT pros know that a firewall is anything that protects a computer or network from the ravages of the Internet. But when talking to end users, I try to describe the level of questionable activity on the Internet in terms of worldwide accessibility.

当然，IT专家们知道防火墙是保护计算机或网络免于Internet破坏的东东。但对最终用户而言，我尽力用全世界可接受的术语描述Internet上的可疑行为。
《endurer注：1。talk to 对某人说话；责备》

Because public Internet addresses are readily accessible from anywhere in the world, even a simple dial-up Internet connection with a public IP address exposes your computer to the rest of the world while you're connected. This means anyone on the Internet can identify your computer梐nd perhaps scan it to see whether it's running vulnerable software or services. That's why you need to implement a firewall to try to protect it.

因为公共Internet地址可以很容易地从世界上任何一个地方访问，即使是一个使用公共IP地址的简单的拨号连接，在连上网时，使计算机暴露于世界上的其他人。这意味着Internet上的任何一个人都能确定该计算机——并可能扫描它，看看它是否正在运行有缺陷的软件或服务。这就是为什么你需要执行一个防火墙尽力保护它。

Hardware vs. software firewalls

As I tell my customers, deciding which type of firewall to use depends on what you're trying to protect. If you're just worried about a single computer system with Internet access, ZoneAlarm software works well enough for most people.

我告诉客户，决定使用哪种防火墙取决于你要保护的是什么。如果你只是担心可以访问Internet的单一计算机系统，那么软件ZoneAlarm可以为大多数人很好的工作。
《endurer注：1。worry about 担心》

ZoneAlarm not only alerts you when someone tries to access your computer, but it alerts you when a program on your computer attempts unauthorized access to the Internet. If the access is valid, you can instruct ZoneAlarm to remember the program and allow access in the future without alerts. Although it's not an antivirus program, ZoneAlarm can also detect Trojan horse and spyware programs.

ZoneAlarm不仅在某人试图访问你的计算机时向你报警，而且当你的计算机中的程序未经验证地企图访问Internet时，它也会向你报警。如果该访问是正当的，你可以指示ZoneAlarm记住这个程序，并允许以后访问时不再报警。尽管ZoneAlarm不是反病毒程序，但它也可以检测特洛伊木马和间谍程序。

However, sometimes a software firewall just won't cut it. I suggest using a hardware firewall in these situations:

然而，有时一个软件防火墙应付不了。我建议在这些情形中使用硬件防火墙：

• A customer needs Internet access on more than one computer.
  客户不止一台计算机需要Internet访问
• A customer needs a secure connection to a main office.
  客户需要到总公司的安全连接
  《endurer注：1。main office 总公司(社、行、局、店等)大会办公处》
• The client is a branch office.
  客户端是分部。
  《endurer注：1。branch office n.分局；分社；分行》
• A company needs to host e-mail and Web servers.
  公司需要e-mail和Web服务器主机

Even though it's possible to share an Internet connection and firewall software using one computer as the router, I think it's a bad idea to use a workstation in this manner. Everyone on the network becomes dependent on the reliability of someone else's computer.

即使在一台计算机上共享Internet连接和防火墙软件作为路由器是可行的，我想照这样使用工作站是个坏主意。网络上的计算机变得相互依赖。
《endurer注：1。even though 即使
2。in this manner 如此, 照这样》

If a computer locks up or reboots, it cuts off Internet access. Then people call the ISP to complain, even when it's not the source of the problem.

如果一台计算机锁定或重启，就切断了Internet访问，接着人们叫ISP来解释，甚至是在这不是问题的根源时。
《endurer注：1。lock up上锁,封锁,监禁,禁闭
2。cut off切断》

Hardware firewalls don't have to be expensive. For instance, NETGEAR and Linksys models sport sufficient features for a reasonable cost.

硬件防火墙并不昂贵。例如，NETGEAR和linksys模块就物有所值。
《endurer注：1。Netgear（美国网件）和linksys（思科系统子公司）都是两个在中小企业及产品中比较出众的牌子
2。sports model运动车型》

Do you need advanced firewall features?

<!-- MAC ad -->

If clients telecommute or are setting up a branch office of a larger corporation, they probably need to use virtual private networking (VPN) features. Clients may also need Network Address Translation (NAT) when there are multiple internal computers and only one public IP address.

如果客户远距离工作或设立一个大公司的分部，他们可能需要使用虚拟专用网（VPN）特性。当有多台内部计算机和一个公共IP地址时，客户端可能也需要网络地址转换（NAT）。
《endurer注：1。telecommute(在家里通过使用与工作单位连接的计算机终端)远距离工作
2。set up 设立, 竖立, 架起, 升起, 装配, 创(纪录), 提出, 开业》

If customers need a subnet to support public Internet servers, I recommend using port forwarding and "hiding" the real service behind the firewall. No matter which advanced features your clients need, they should choose a hardware firewall that supports these advanced features.

如果客户需要子网来提供公共Internet服务器，我推荐使用端口映射（port forwarding），并把真正的服务藏在防火墙后面。不论你的客户端需要哪个高级特性，他们需要选择支持这些高级特性的硬件防火墙。
《endurer注：1。no matter 不论...》

Another thing to keep in mind when dealing with telecommuters or branch offices is to always check with the company's IT department before buying anything. I can't tell you how many times I've needed to replace equipment and fix VPN settings because branch offices and telecommuters didn't check with their IT department before buying equipment.

在处理远距离工作者或分部时，另一件需要记住的事情是，在购买东西前与公司的IT部门协商。我无法告诉你，因为分部和远距离工作者没有和他们的IT部门协商就购买设备，我需要替换设备和修复VPN设置的次数。
《endurer注：1。deal with研究(讨论,处理,涉及)
2。check with与...相符合；与...协商》

Regardless of your clients' specific needs, using a firewall does improve security. Anything they can do to "hide" their computer systems and services from the public Internet reduces risk.

不论客户端的特别需要，使用防火墙增强安全。他们能对Internet隐藏计算机系统和服务，降低危险。

《endurer注：1。Regardless of不顾,不惜》
My personal preference is to always use hardware firewalls, but software programs such as ZoneAlarm are better than nothing at all. However, firewalls can't prevent a virus or worm from taking over your computer—that's typically the job of antivirus software.

我个人偏爱是一直使用硬件防火墙，但软件程序，如ZoneAlarm，也总比根本没有好。然而，防火墙不能防止病毒或蠕虫接管你的计算机——这是反病毒软件的典型工作。

《endurer注：1。take over接管,接任》

That's why it's important to remember that effective Internet security involves several layers. Consider a firewall system to be the first layer of your clients' security needs.

这就是为什么记住有效的Internet安全包含若干层是很重要的。考虑防火墙系统成为你的客户安全需要的第一层罢。