Research on Techniques for Discovering Anomalies in Distributed Firewall Policies
Abstract
A distributed firewall adopts an architecture in which a control center formulates the security policy and multiple node firewalls enforce it. This structure effectively addresses the ever-growing bloat of perimeter firewall security policies as well as the security problems of the internal network. Policy management for distributed firewalls is relatively complex: in large enterprise networks a multi-level, hierarchical management scheme is usually adopted, in which firewall administrators at every level may add filtering rules to the policy repository. These policies are then distributed to the individual nodes for enforcement, which easily leads to rule conflicts within a single firewall and between firewalls, that is, to policy anomalies. This thesis analyses the causes of anomalies in distributed firewalls and designs a PN-based policy model. Then, for each possible kind of anomaly within a distributed firewall's policy, it uses the PN-based policy model to design a PN-based irreversibility discovery algorithm, a PN-based unreachability discovery algorithm and a PN-based unboundedness discovery algorithm. Whenever the policy repository changes, the algorithm starts automatically and determines whether the repository contains anomalies; if so, it identifies the type of anomaly and invokes maintenance procedures that modify or delete rules in the repository, eliminating the anomaly. Finally, the algorithm is implemented in simulation and its overall performance is analysed.
A distributed firewall uses an architecture in which a control center establishes the security policy and many node firewalls carry it out. This better resolves the problem of ever-inflating perimeter firewall security policies as well as intranet security problems. Policy management for distributed firewalls is quite complex. In large-scale enterprise networks, multi-level, hierarchical administration methods are usually chosen, so firewall managers at every level can add filter rules to the firewall policy store. The rules are then issued to all nodes and implemented, which easily causes rule conflicts within a single firewall as well as among firewalls, in other words, policy anomalies. In this paper, the causes of policy anomalies in distributed firewalls are analysed, and normative definitions are provided for all kinds of policy anomalies in distributed firewalls. A PN-based policy model is designed. For each kind of policy anomaly in distributed firewalls, we present a set of PN-based algorithms to find irreversibility, unboundedness and unreachability. As soon as there is any change in the policy store, our algorithms start automatically, search for policy anomalies and distinguish their type. If there is an anomaly in the policy store, they call maintenance methods such as modifying or deleting rules from the policy store so that all kinds of policy anomalies are eliminated. Finally, we simulated our algorithms and analysed their general properties.
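The two kinds of conflict the abstract describes, rules colliding within one node and rules colliding between nodes that share a traffic path, as an added example that is not the thesis's PN-based model: a first-match checker over a constructed two-node policy store that reports shadowed and redundant rules within a node, and shadowed or spurious rules between an upstream and a downstream node. `Rule`, `EDGE` and `HOST` are constructed here for illustration.

```python
from collections import namedtuple
from ipaddress import ip_network

# proto: "tcp", "udp" or "*"; src/dst: CIDR or "*"; dport: "80", "1024-65535" or "*"; action: "accept"/"deny"
Rule = namedtuple("Rule", "name proto src dst dport action")
def _ports(p):
    lo, _, hi = ("0-65535" if p == "*" else p).partition("-")
    return int(lo), int(hi or lo)
def _net_rel(a, b):  # "sub" if a lies inside b, "overlap" if they share addresses, else None
    if b == "*" or (a != "*" and ip_network(a).subnet_of(ip_network(b))):
        return "sub"
    return "overlap" if a == "*" or ip_network(a).overlaps(ip_network(b)) else None
def relation(r, s):
    """"sub" if every packet r matches is also matched by s, "overlap" if only some are, else None."""
    (rlo, rhi), (slo, shi) = _ports(r.dport), _ports(s.dport)
    rels = [_net_rel(r.src, s.src), _net_rel(r.dst, s.dst),
            "sub" if s.proto in ("*", r.proto) else "overlap" if r.proto == "*" else None,
            "sub" if slo <= rlo and rhi <= shi else "overlap" if rlo <= shi and slo <= rhi else None]
    if None in rels:
        return None
    return "sub" if all(x == "sub" for x in rels) else "overlap"
def _decider(rule, candidates):
    """First-match semantics: the first candidate overlapping `rule` decides its fate; return it when
    it fully covers `rule`, else None (a partial overlap, i.e. correlation, is not classified here)."""
    for c in candidates:
        rel = relation(rule, c)
        if rel:
            return c if rel == "sub" else None
def intra_anomalies(rules):
    """Within one node: a later rule fully covered by the first earlier rule overlapping it never fires."""
    out = []
    for i, r in enumerate(rules):
        c = _decider(r, rules[:i])
        if c:
            out.append(("shadowed" if r.action != c.action else "redundant", r.name, c.name))
    return out
def inter_anomalies(upstream, downstream):
    """Across nodes on one path: an upstream deny covering a downstream accept shadows it; an upstream
    accept covering a downstream deny forwards traffic the downstream node drops anyway (spurious)."""
    out = []
    for d in downstream:
        u = _decider(d, upstream)
        if u and u.action != d.action:
            out.append(("shadowed" if d.action == "accept" else "spurious", d.name, u.name))
    return out

# Constructed policy-store entries: a perimeter node (EDGE) in front of a host node (HOST).
EDGE = [Rule("E1", "tcp", "*", "10.1.0.0/16", "23", "deny"),
        Rule("E2", "tcp", "*", "10.1.0.0/16", "80", "accept")]
HOST = [Rule("H1", "tcp", "*", "10.1.2.0/24", "80", "deny"),
        Rule("H2", "tcp", "192.168.0.0/16", "10.1.2.0/24", "80", "accept"),  # never fires: H1 shadows it
        Rule("H3", "tcp", "*", "10.1.2.5/32", "23", "accept")]               # never sees traffic: E1 denies it
```

Run `intra_anomalies(HOST)` and `inter_anomalies(EDGE, HOST)` after every change to the store; a hit names the rule that can never have effect and the rule that makes it so.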
