Design and Implementation of a Firewall Packet Filtering Rule Framework (防火墙包过滤规则框架的设计与实现)
Abstract

With continued economic and social development and the wider spread of network applications, enterprises, public institutions and industry users need more network security protection, and their requirements for the protective capability and performance of security devices keep rising. The traditional firewall can no longer meet the needs of complex applications; its functions keep expanding, and it is gradually transitioning into the Unified Threat Management (UTM) system. As device functions grow, so do the categories of security rules on which those functions rest. If a separate rule-management and rule-matching implementation were developed for every new rule type, the development and maintenance cost would be considerable and rapid product development would suffer. Developing an easily extensible security rule framework that makes the integration of new rules modular and lowers their development and maintenance cost has therefore become a pressing problem.

Based on an analysis of the firewall forwarding flow and the characteristics of the individual security rules, this thesis proposes the concept of an abstract rule and designs and implements a generic framework for firewall packet-filtering rule management and matching, which gives every firewall security rule module reusable rule-matching and rule-management interfaces. The thesis describes the design and implementation of the whole rule framework in detail, illustrates the process and method of implementing an IP packet-filtering rule module on top of it, and finally verifies the framework's functionality and performance by testing. The framework provides generic operation interfaces for adding, deleting and matching rules of all kinds, so that newly integrated rule modules reuse functionality developed earlier; it also provides an interface for extended rule-matching algorithms and organises and manages those algorithms uniformly, solving the problem of sharing matching algorithms across rule modules. This makes the product's rule system more extensible and new rules easier to integrate, raises the degree of modularity and the code reuse rate, and saves development cost. The IP packet-filtering rule module built on the framework has been successfully integrated into the latest version of Neusoft's UTM product, and the new rule-matching algorithm has greatly improved rule-matching performance.

The thesis closes by summarising the results achieved with the rule framework and the problems that remain, and proposes directions for further improvement.
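The abstract describes three separable pieces: an abstract-rule layer with generic add, delete and match operations; rule modules (such as the IP packet filter) that plug in behind it; and a matching algorithm that is itself pluggable and shared by all rule modules. The C program below is an added illustration written for this page, not code from the thesis or from Neusoft's product. The struct names (rule, rule_type, match_algo, rule_table, ipf_rule), the linear first-match algorithm, the default-drop policy, and the sample rules and packets are all assumptions constructed for the example; it runs in user space over a simplified IPv4 5-tuple rather than real kernel packet buffers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Host-order IPv4 address from dotted-quad components (example helper). */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Simplified packet view handed to rule modules: an IPv4 5-tuple (assumed layout). */
struct pkt {
    uint32_t saddr, daddr;   /* host byte order */
    uint16_t sport, dport;
    uint8_t  proto;          /* 6 = TCP, 17 = UDP */
};

enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

struct rule;

/* A rule module registers its type: the framework only ever calls match(). */
struct rule_type {
    const char *name;
    bool (*match)(const struct rule *r, const struct pkt *p);
};

/* Abstract rule: generic header plus opaque module-specific criteria in priv. */
struct rule {
    unsigned id;
    enum verdict verdict;
    const struct rule_type *type;
    const void *priv;
    struct rule *next;
};

/* Pluggable matching algorithm: walks the rule list, returns first hit or NULL. */
struct match_algo {
    const char *name;
    const struct rule *(*run)(const struct rule *head, const struct pkt *p);
};

struct rule_table {
    struct rule *head;
    const struct match_algo *algo;
    enum verdict policy;     /* verdict when no rule matches */
};

/* ---- Generic rule-management interface (module-independent) ---- */

/* Append so that insertion order equals evaluation order (first match wins). */
void rule_table_add(struct rule_table *t, struct rule *r)
{
    struct rule **pp = &t->head;
    while (*pp)
        pp = &(*pp)->next;
    r->next = NULL;
    *pp = r;
}

/* Unlink the rule with the given id; returns false if it is not present. */
bool rule_table_del(struct rule_table *t, unsigned id)
{
    for (struct rule **pp = &t->head; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            *pp = (*pp)->next;
            return true;
        }
    }
    return false;
}

/* Generic match: delegate to the configured algorithm, fall back to the policy. */
enum verdict rule_table_match(const struct rule_table *t, const struct pkt *p)
{
    const struct rule *hit = t->algo->run(t->head, p);
    return hit ? hit->verdict : t->policy;
}

/* ---- One matching algorithm: linear first-match (assumed, not the thesis's) ---- */
static const struct rule *linear_first_match(const struct rule *head, const struct pkt *p)
{
    for (const struct rule *r = head; r; r = r->next)
        if (r->type->match(r, p))
            return r;
    return NULL;
}
static const struct match_algo algo_linear = { "linear", linear_first_match };

/* ---- One rule module: IP packet filter (assumed criteria layout) ---- */
struct ipf_rule {
    uint32_t saddr, smask, daddr, dmask;  /* address/mask pairs; mask 0 = any */
    uint8_t  proto;                       /* 0 = any */
    uint16_t dport;                       /* 0 = any */
};

static bool ipf_match(const struct rule *r, const struct pkt *p)
{
    const struct ipf_rule *c = r->priv;
    if ((p->saddr & c->smask) != (c->saddr & c->smask)) return false;
    if ((p->daddr & c->dmask) != (c->daddr & c->dmask)) return false;
    if (c->proto && p->proto != c->proto) return false;
    if (c->dport && p->dport != c->dport) return false;
    return true;
}
static const struct rule_type ipf_type = { "ipfilter", ipf_match };

/* ---- Constructed sample rule set (not from the thesis) ---- */
static const struct ipf_rule ssh_from_lan = { IP4(192,168,1,0), 0xFFFFFF00u, IP4(10,0,0,5),  0xFFFFFFFFu, 6, 22 };
static const struct ipf_rule dns_from_any = { 0,                0,           IP4(10,0,0,53), 0xFFFFFFFFu, 17, 53 };
static struct rule rules[] = {
    { 1, VERDICT_ACCEPT, &ipf_type, &ssh_from_lan, NULL },
    { 2, VERDICT_ACCEPT, &ipf_type, &dns_from_any, NULL },
};
static struct rule_table demo_tbl;

/* Build (or rebuild) the sample table: default policy DROP, linear matcher. */
struct rule_table *demo_table(void)
{
    demo_tbl.head = NULL;
    demo_tbl.algo = &algo_linear;
    demo_tbl.policy = VERDICT_DROP;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        rule_table_add(&demo_tbl, &rules[i]);
    return &demo_tbl;
}

int main(void)
{
    struct rule_table *t = demo_table();
    struct pkt ssh    = { IP4(192,168,1,10), IP4(10,0,0,5), 40000, 22, 6 };
    struct pkt telnet = { IP4(192,168,1,10), IP4(10,0,0,5), 40001, 23, 6 };
    printf("ssh from LAN   : %s\n", rule_table_match(t, &ssh) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    printf("telnet from LAN: %s\n", rule_table_match(t, &telnet) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    rule_table_del(t, 1);
    printf("ssh after del 1: %s\n", rule_table_match(t, &ssh) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    return 0;
}
```

The split is what buys the reuse the abstract claims: the framework never looks inside a rule's criteria, so a new rule module supplies only a rule_type with its match callback and inherits add, delete and match unchanged; a faster classifier replaces algo_linear through rule_table.algo without touching any module. Two practitioner caveats follow from the same design: with first-match semantics the evaluation order is security-relevant (an ACCEPT appended ahead of a DROP shadows it), and the no-match policy must be an explicit DROP rather than a missing case.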