Research on Firewall Technology: Implementation of a Transparent Proxy Server
Abstract
The goal of this project is to build a transparent-proxy firewall package on the Linux operating system that protects hosts on an internal network. A transparent proxy is one in which a protected internal host needs no configuration at all to reach the external network; it communicates with the outside entirely unaware that the firewall exists. Introducing such a proxy allows application-layer data passing in and out of the firewall to be filtered compulsorily, and the process is transparent to the user. Transparent proxies offer strong application-layer security while substantially reducing the complexity of use and the difficulty of deployment, which makes them an excellent form in which to implement a network security product.
     First, the thesis presents the technical foundations of firewalls, analyses the principles of transparent proxying as an advanced and easy-to-use firewall technique, and describes the packet interception mechanisms of the Linux operating system together with the specifications and concrete workflows of the application-layer protocols HTTP, FTP, TELNET, NNTP, POP3 and SMTP.
     It then describes the overall system design of this transparent proxy server, dividing the system into the following parts: transparent channel establishment, proxy service implementation, a GUI configuration and management program, and filtering functions (such as URL filtering, command filtering and log auditing). The thesis then presents the key implementation points of each part, explains the interfaces between them, and lists the main data structures and implementation flows.
     Finally, the thesis details the design, implementation and test results of the core modules and, building on the existing work, looks ahead to further extension and development.
The purpose of this thesis is to implement a transparent proxy server based on the Linux OS that provides network security for intranet hosts. Transparent proxying is a technology that lets inner hosts visit the Internet without any user intervention or awareness of the firewall's operation. While the transparent proxy is working, all application-layer data is forced through the proxy's filters, and the process appears transparent to users. The transparent proxy provides powerful application-layer security; it also efficiently reduces the complexity of use and deployment. It is one of the best implementation forms for network security products.
    At the very beginning, this paper introduces the firewall technology relating to the topic and analyses the transparent proxy as a convenient firewall technology with many advantages. This paper then addresses the network packet interception technology of the Linux OS and gives a thorough overview of network hacking methods and of the application protocol specifications, including HTTP, FTP, TELNET, NNTP, POP3, SMTP etc.
    Then the system design scheme of the transparent proxy is discussed; the system can be divided into the 4 modules below: establishment of the transparent channel, implementation of the proxy service, the GUI configuration and management application, and accessory filter functions (such as the URL filter, command filter and logger). We explain the key techniques in all 4 main parts of the system, define the interfaces of each module, and, what is more, illustrate the main data structures and software implementation code.
    In succession, all the implementation details of the core modules are illustrated, and the testing results of this software are also discussed. At the end of the paper, a brief prospect for future extended development on the basis of the existing system is given.

© 2004-2018 China Geological Library. All rights reserved. 京ICP备05064691号 京公网安备11010802017129号
