Research and Implementation of a Distributed Firewall Based on IPSec
Abstract
Network security has been a problem ever since networks first appeared. To protect networks, many security protocols and technologies have been widely adopted, and the most basic and most important of these is the firewall. However, as network connections have become more open and new network technologies such as extranets, telecommuting, end-to-end encryption and complex security protocols have continued to emerge, the inherent shortcomings of the traditional firewall have gradually been exposed. To overcome these shortcomings, the concept of the distributed firewall has been proposed in recent years: security policy is defined centrally and then distributed to the protected hosts, which enforce it. This resolves several of the problems traditional firewalls face and better suits the way networks are developing.
This thesis first introduces network security and traditional firewall technology and points out the problems traditional firewalls face. It then studies in depth the architecture, key technologies and advantages of distributed firewalls, analyses several existing distributed firewall models and, on that basis, designs and implements an IPSec-based distributed firewall system that makes full use of existing technology. The system consists of three parts: a policy executor, a policy control center and IPSec communication. The policy executor runs on each protected host and enforces the security policy issued by the policy control center; the policy control center handles registration of protected hosts and the formulation and distribution of policy; IPSec communication protects traffic between internal hosts and prevents internal attacks. The thesis describes in detail the modules that make up each part and the key technologies they use, and finally implements the whole system on the Red Hat Linux platform. The system effectively solves the single-point-of-failure and internal-attack problems of traditional firewalls.
Network security has been the most important problem since networks appeared. To protect network security, many security protocols and technologies are used, among which the firewall is the most basic and important. But with the development of more distributed networks and the advent of many new network technologies, such as extranets, telecommuting, point-to-point encryption and computation-intensive security protocols, the shortcomings of conventional firewalls are more and more exposed. To eliminate the shortcomings of conventional firewalls, the concept of the distributed firewall has been proposed. In a distributed firewall, security policy is still centrally defined, but enforcement is left to the individual endpoints. Distributed firewalls solve many problems of conventional firewalls and meet the needs of network development.
This thesis first introduces network security and conventional firewall technology and points out the problems that conventional firewalls face. It then studies in depth the structure, key technologies and advantages of distributed firewalls, and designs and implements a distributed firewall system based on IPSec. The system is made up of three parts: a policy executor, a policy control center and IPSec communication. The policy executor runs on the protected host and enforces the security policy received from the policy control center. The policy control center registers the protected host, edits the security policy and distributes it to the protected host. The IPSec communication part is responsible for preventing inner attacks. The thesis introduces the constituents and key technologies of each module of each part and implements the system on the Red Hat Linux operating system. The system solves the single-point-of-failure and inner-attack problems of conventional firewalls.

© 2004-2018 China Geological Library. All rights reserved. Beijing ICP No. 05064691; Beijing Public Security Network Record No. 11010802017129