Design and Implementation of a New Software Firewall
Abstract (translated from the Chinese)
With the rapid development of computer networks and the growing popularity of online transactions and online life, network security has become a focal issue. The firewall, an important component of any network security solution, is becoming ever more important. Many firewall products are already on the market, but few are aimed at small and medium-sized users who want a firewall that is simple to operate yet powerful. The firewall discussed in this paper was designed against this background.
    First, in introducing the architecture of the firewall, the paper emphasizes its novelty: it implements a firewall with an enhanced SSN (secure server network) model. It can provide any number of subnets, any one or more of which can be designated as the secure server network, and a security policy can be defined between any two subnets. Moreover, although it is powerful, it needs only an ordinary PC; for performance reasons, or to avoid a single point of failure, several computers can run the firewall in parallel. The paper then discusses the components of the firewall in turn, the main ones being:
    1. Comprehensive packet filtering system. This combines stateless and stateful packet filtering and provides a hierarchical filter rule table structure that meets the requirements of the architecture described in this paper. Users can also define their own rule tables, and some commonly used rules are introduced. Writing drivers for the Windows platform is also involved here.
    2. NAT. This part describes the position of network address translation in the system and explains how load balancing and related functions are implemented.
    3. Multi-proxy system. This part introduces several common proxies, such as the HTTP and FTP proxies. For the HTTP proxy it also discusses new techniques for speeding up access, such as caching and active proxying, with emphasis on the former.
    4. Authentication system. Many authentication methods exist today; to meet the requirements of different users, several authentication mechanisms are integrated into the firewall. Two mechanisms offering strong authentication are described in detail: the Kerberos system and the OTP system.
    Finally, the paper looks ahead to the new functions to be added to the firewall as network technology develops: anti-virus, active proxying, and fully parallel operation. In short, the goal is to provide users with an extensible, powerful new firewall that adapts to new network security requirements.
English abstract (as published)
With the rapid development of computer networks and the prosperity of e-business, network security has become more and more important. The firewall, the key component of a network security solution, is receiving attention and research. Many firewalls exist today: some are powerful but complex, others simple but with few functions. Suitable firewalls for departmental users, and even single users, are so scarce that we designed the new firewall this paper describes.
    First, this paper introduces the architecture of the new firewall and emphasizes its novelty: a model that breaks the frame of the conventional SSN (secure server network). Using the firewall, you can freely define one or more secure server networks and, at the same time, set up a security policy between any sub-network and any other sub-network. On the other hand, although it is powerful, its requirements are modest: it can run on a single PC such as the one you use now. Of course, if you want high performance and want to avoid a single point of failure, you can run the firewall on more than one PC in parallel.
    Second, the paper describes the components of the firewall one by one. The primary components are:
    Packet filter. It is made up of a stateless and a stateful packet filter. To meet the requirements of the firewall architecture, the system filter rule tables are organized in a hierarchical structure. At the same time, users can define their own filter rule tables. Windows driver programming is involved here.
    NAT (network address translation). NAT is a component closely related to the packet filter. Load balancing is involved here.
    Proxy. The paper introduces some familiar proxies such as the HTTP proxy and the FTP proxy. In introducing the HTTP proxy, the cache technique and the self-active (active proxy) technique are described, especially the first.
    Authentication. Many authentication systems exist today. To satisfy different users, the new firewall integrates several popular authentication techniques. Two techniques with high security and performance, Kerberos and OTP, are described in detail.
    In the end, this paper forecasts the future of the firewall, which will grow with the development of network security. Three functions, anti-virus, self-active proxy and parallel running, will be implemented in the next version. To sum up, we provide a new, powerful, extensible, user-definable firewall to satisfy different users.
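As an added illustration, not code from the thesis, the following Python sketch models the packet filter the abstract describes: a stateful connection table placed in front of stateless rule tables keyed by (source subnet, destination subnet), so that policy is defined between any two subnets and the SSN is simply one zone with its own tables. Zone names, addresses, ports and rules below are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # True only for a TCP connection request


class ZoneFirewall:
    """Per-subnet-pair rule tables layered over a stateful connection table."""

    def __init__(self, zones):
        # zone name -> CIDR (constructed sample values); the most specific
        # matching zone wins, so a 0.0.0.0/0 entry is the catch-all external zone
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.tables = {}    # (src_zone, dst_zone) -> [(proto, dport, action)]
        self.flows = set()  # accepted flows: (src, sport, dst, dport, proto)

    def zone_of(self, ip):
        addr = ip_address(ip)
        hits = [(n.prefixlen, z) for z, n in self.zones.items() if addr in n]
        return max(hits)[1] if hits else None

    def add_rule(self, src_zone, dst_zone, proto, dport, action):
        # dport None matches any port; proto "any" matches any protocol
        self.tables.setdefault((src_zone, dst_zone), []).append((proto, dport, action))

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # stateful path: both directions of an accepted flow pass without a rule lookup
        if key in self.flows or reverse in self.flows:
            return "ACCEPT"
        # a TCP segment that is not a connection request and belongs to no
        # known flow never reaches the rule tables
        if pkt.proto == "tcp" and not pkt.syn:
            return "DROP"
        # stateless path: first matching rule in the table for this subnet pair
        pair = (self.zone_of(pkt.src), self.zone_of(pkt.dst))
        for proto, dport, action in self.tables.get(pair, []):
            if proto in ("any", pkt.proto) and dport in (None, pkt.dport):
                if action == "ACCEPT":
                    self.flows.add(key)  # remember the flow so replies can return
                return action
        return "DROP"  # no rule for this pair: default deny
```

Instantiate `ZoneFirewall` with a zone map such as `{"LAN": "10.0.0.0/24", "SSN": "10.0.1.0/24", "WAN": "0.0.0.0/0"}`, add rules per zone pair and call `filter` on `Packet` objects; a subnet pair with no table is denied by default, which is how an SSN that must not initiate outbound connections is expressed.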