Research and Application of the Combined Deployment of a Firewall and an IDS in a Campus Network
Abstract
With the rapid development of the Internet, security problems such as attacks and intrusions grow by the day and place enormous pressure on many campus network administrators. Given the great value of campus network data, security has remained a primary concern for universities, companies and research institutions.

Strengthening network security assurance must be driven by our own efforts and must give equal weight to management and technology. This requires that, through appropriate technologies and measures, we keep the whole network system running normally; ensure the availability, integrity and confidentiality of network data; secure the network environment on which information networks depend by means of network security technology; and, through the deployment and implementation of these technologies, ensure that data transmitted and exchanged over the network is not added to, modified, lost or leaked.

Based on the relevant theory of network security, this thesis analyses in depth the advantages and disadvantages of firewalls and IDS (intrusion detection systems) and proposes a method for running a firewall and an IDS together in a campus network: the firewall serves as the network's barrier against the outside world, and the IDS serves as a useful complement to it, so that attacks falling outside the firewall's policy are discovered promptly through the IDS, and attacks from external networks are blocked by the firewall. The thesis analyses and studies in some depth the deployment of the firewall and the configuration of the IDS in a campus network. Its main work includes:

1. Survey and study of attack techniques against campus networks. A comparison of network attack incidents at several schools shows that the degree of automation and the speed of attacks on campus networks keep rising, that security vulnerabilities are exploited ever faster, and that firewalls are penetrated by attackers more and more often. Defence systems are moving from a simple firewall towards an integrated combination of VPN (virtual private network), e-mail gateway, anti-denial-of-service defence system and IDS.

2. Study of firewall security protection technology. The three firewall technologies, packet filtering, proxying and stateful inspection, are analysed in depth and their respective advantages and disadvantages compared. The packet-filtering firewall, dual-homed host firewall, screened host gateway firewall and screened subnet firewall found in current firewall architectures are analysed and compared. Analysis of the main functions and the limitations of current mainstream firewalls shows that a firewall is only one component of an overall security strategy. In a firewall environment, a defence-in-depth strategy should be embodied in a multi-level firewall deployment, namely a multi-level defence system that integrates an Internet border firewall, departmental border firewalls and host firewalls, and in a multi-level security system that combines intrusion detection, network encryption, virus scanning and other security measures.

3. Study of IDS technology. The system composition, application basis, rule syntax and data analysis of the IDS are analysed in depth. Deploying the firewall and the IDS together improves the security of the campus network. Case analysis of intrusion detection and experimental test data verify that the firewall and the IDS are both indispensable to the overall security of the network. An intrusion detection system allows the system to respond in real time to external intrusion events and processes; it is a reasonable complement to the firewall and strengthens defensive measures by collecting information on intrusion techniques. At the same time, an intrusion detection system must also face the problems of false-positive and false-negative rates: if intrusion signatures are written imperfectly, "false positives" gain an opening, and legitimate communication in the network may be blocked unexpectedly. This calls for dedicated hardware acceleration to raise the operating efficiency of the intrusion detection system, and for the combined use of multiple detection techniques.
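To make the firewall/IDS feedback loop from the proposal and the false-positive caveat in point 3 concrete, the following small model is added here by the editor; it is not code from the thesis. The rule names, regular-expression signatures, addresses and packets are all constructed for illustration, and the `re` patterns stand in for a real IDS rule syntax.

```python
"""Editor's example (not from the thesis): firewall as static barrier, IDS as
its complement. When the IDS flags traffic the firewall's policy allowed, the
firewall learns a block for that source. A deliberately over-broad signature
shows how an imperfect rule blocks legitimate traffic (a false positive)."""
from dataclasses import dataclass, field
import re


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


@dataclass
class Firewall:
    allowed_ports: set                      # static policy (the barrier)
    blocked_sources: set = field(default_factory=set)  # learned from IDS

    def permits(self, pkt: Packet) -> bool:
        if pkt.src in self.blocked_sources:
            return False
        return pkt.dst_port in self.allowed_ports


# Constructed signatures: the first is a narrow path-traversal pattern, the
# second is over-broad and matches ordinary requests that contain "admin".
RULES = [
    ("traversal", re.compile(rb"\.\./\.\./")),
    ("broad-rule", re.compile(rb"admin")),
]


def ids_match(pkt: Packet, rules=RULES):
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, pat in rules if pat.search(pkt.payload)]


def process(fw: Firewall, packets, rules=RULES):
    """Firewall first, then IDS on what it let through; an IDS hit adds the
    source to the firewall's block set. Returns (src, decision, hits)."""
    log = []
    for pkt in packets:
        if not fw.permits(pkt):
            log.append((pkt.src, "dropped-by-policy", []))
            continue
        hits = ids_match(pkt, rules)
        if hits:
            fw.blocked_sources.add(pkt.src)   # IDS feeds the firewall
            log.append((pkt.src, "alert-then-block", hits))
        else:
            log.append((pkt.src, "allowed", []))
    return log
```

Running `process` with only `RULES[:1]` shows the difference a tightened signature set makes: the legitimate `/admin/login` request is no longer blocked, while the traversal attempt still is.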