Design and Implementation of a Gigabit Firewall Based on a Network Processor (基于网络处理器的千兆防火墙设计与实现)
Abstract
Internet speeds are growing rapidly and broadband networks are quietly entering ordinary households. While people enjoy the convenience the network brings, they also face many security problems such as hacker intrusion and network viruses. Faced with growing demand for network security and a worrying security situation, firewall products have become a current research focus.
     The core of this thesis is the design and implementation of a gigabit hardware firewall based on the IXP1200 network processor (Network Processor, NP). During development we solved problems in several areas: the multi-layer architecture, firewall working modes, microengine allocation, attack-defence policies and the graphical user interface. We also offer our own views on the future adoption of network processors and on the development of firewall products.
     Traditional firewalls are built either on dedicated hardware chips (ASICs) or on purely software solutions, and find it hard to satisfy performance and flexibility at the same time. An NP is programmable hardware for communication tasks such as packet processing, protocol analysis, routing, voice/data integration and QoS. It combines the strengths of both approaches while avoiding their weaknesses, giving a new joint hardware/software solution. Designing network devices around an NP also suits China's circumstances.
     Intel has released a series of parallel programmable network processors: the IXP425, IXP1200, IXP2400 and IXP2800. The IXP1200 is the entry-level NP aimed at enterprise network equipment; it has one general-purpose processor (a StrongARM core) and six microengines, is well suited to IP broadband access devices, and is therefore an ideal core processor for a gigabit firewall.
     Starting from the state of network security and the application of NPs, this thesis introduces the Intel network processor hardware and software development platform, designs the firewall's multi-layer parallel structure, analyses the basic firewall working modes, implements the key modules (TCP relay, ARP-proxy transparent mode and the WebUI firewall control interface), determines the best microengine allocation through three comparative performance experiments, and finally completes the development of the NetChannel 5000 series firewall and discusses future directions.
     The innovations of this thesis lie in three areas:
     · An NP-based TCP relay method that protects the internal network from malicious SYN attacks without sacrificing throughput.
     · A microengine allocation scheme, derived from three allocation experiments, that outperforms the reference design and contributes to the study of NP fast-path performance.
     · A highly user-friendly Web graphical management interface with a configuration wizard, so that ordinary network administrators can configure the firewall effectively.
With the rapid growth of the Internet, broadband networks have entered people's daily lives. At the same time, alongside the convenience the network brings, people suffer security problems such as hacker intrusion and network viruses. Firewall products therefore play an important role and attract great interest in meeting the growing demand for network security.
    This paper describes the design of a gigabit firewall based on Intel's IXP1200 network processor that offers both high performance and security functionality. During development the author and his colleagues solved several critical problems, including the multiple-layer architecture, working modes, microengine allocation, attack-defence policies and the Web user interface. New ideas for improving both future network processors and firewall products are also presented.
    Unlike traditional firewalls, which cannot make a good trade-off between performance and flexibility, the NetChannel 5000 Series Firewall uses an NP as its core processor. An NP is programmable hardware optimised for packet processing, protocol analysis, routing, voice integration and QoS. In China, the NP is a good fit for the design of network devices.
    Intel has produced a series of parallel programmable network processors: the IXP425, IXP1200, IXP2400 and IXP2800. The IXP1200 is an entry-level member of the family aimed at enterprise equipment. It has one general-purpose processor and six microengines, meets the requirements of broadband access devices, and is a good choice as the core of a gigabit firewall.
    The paper begins with an introduction to the current state of network security and to network processor applications. The author introduces the hardware and software development platform of the Intel IXP1200, presents the TCP relay module, the ARP proxy module and the WebUI module, and determines the best microengine allocation through three experiments. Finally, conclusions are drawn for the whole project and the future development of network security devices is discussed.
    The main innovative ideas in this paper are as follows:
    First, a TCP relay method is applied to defend against SYN flooding attacks and to control the whole TCP connection process.
    Second, new microengine allocation methods are derived from three experiments, giving a new way to accelerate fast-path performance.
    Third, a configuration wizard is proposed that lets users configure the firewall easily; any ordinary operator can configure the firewall efficiently with it.
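As an added illustration of the SYN-protection idea behind a TCP relay (this is example code written for this page, not the thesis's microengine implementation, which the abstract does not reproduce), the following Python simulates a relay that completes the outside handshake itself and only opens the connection towards the protected server once the client has proved it really received the SYN/ACK. The use of a keyed SYN cookie as the relay's ISN, the 64-second cookie window, the Pkt model and the sample traffic are all constructed for the example.

```python
"""Simulated TCP relay (SYN proxy) that shields an internal server from SYN floods.

The relay answers each inbound SYN on the server's behalf. Its SYN/ACK
sequence number is a keyed hash (SYN cookie) of the connection, so no
per-SYN state is stored. Only an ACK that echoes a valid cookie causes the
relay to open the inner connection; spoofed SYNs therefore cost the server
nothing. Example code for this page, not the thesis's implementation.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass

COOKIE_WINDOW = 64  # seconds per cookie epoch (assumed value for the example)


@dataclass(frozen=True)
class Pkt:
    """Minimal TCP header model: addresses, flags and sequence numbers."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    seq: int
    ack: int = 0


class TcpRelay:
    """SYN-proxy front end: terminates the outside handshake, then relays inward."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.server_syns = []      # SYNs the relay has sent to the protected host
        self.established = set()   # outside 4-tuples that proved liveness

    def _cookie(self, p: Pkt, epoch: int) -> int:
        # Keyed hash of the 4-tuple, the client's ISN and a coarse timestamp,
        # used as our ISN so that no per-SYN state has to be stored.
        msg = f"{p.src}:{p.sport}>{p.dst}:{p.dport}:{p.seq}:{epoch}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def handle(self, p: Pkt) -> list:
        """Process one packet from the outside; return the packets the relay emits."""
        epoch = int(self.clock()) // COOKIE_WINDOW
        if p.flags == "S":
            # Answer on the server's behalf; the server never sees this SYN.
            return [Pkt(p.dst, p.dport, p.src, p.sport, "SA",
                        seq=self._cookie(p, epoch), ack=(p.seq + 1) & 0xFFFFFFFF)]
        if p.flags == "A":
            # Rebuild the SYN this ACK claims to complete and check that the
            # acknowledged number matches a cookie we could have issued in the
            # current or previous epoch.
            client_isn = (p.seq - 1) & 0xFFFFFFFF
            claimed = Pkt(p.src, p.sport, p.dst, p.dport, "S", seq=client_isn)
            for e in (epoch, epoch - 1):
                if ((self._cookie(claimed, e) + 1) & 0xFFFFFFFF) == p.ack:
                    key = (p.src, p.sport, p.dst, p.dport)
                    if key in self.established:
                        return []  # duplicate ACK, inner leg already opened
                    self.established.add(key)
                    # Only now open the inner leg towards the protected server,
                    # keeping the client's address (transparent relay). Sequence
                    # translation between the two legs is omitted here.
                    inner = Pkt(p.src, p.sport, p.dst, p.dport, "S", seq=client_isn)
                    self.server_syns.append(inner)
                    return [inner]
        return []  # unknown flags, bad cookie or stray ACK: dropped, no state kept


def simulate(secret: bytes = b"constructed-demo-key") -> dict:
    """Constructed traffic: a spoofed SYN flood, one real client, one forged ACK."""
    relay = TcpRelay(secret, clock=lambda: 1_700_000_000.0)  # fixed clock
    srv = ("10.0.0.5", 80)
    # Flood from 1000 spoofed sources that never answer the SYN/ACK.
    for i in range(1000):
        relay.handle(Pkt(f"198.51.100.{i % 254 + 1}", 1024 + i, *srv, "S", seq=i))
    after_flood = len(relay.server_syns)
    # A legitimate client completes the handshake with the relay's cookie.
    syn = Pkt("203.0.113.7", 40000, *srv, "S", seq=123456)
    synack = relay.handle(syn)[0]
    relay.handle(Pkt("203.0.113.7", 40000, *srv, "A",
                     seq=syn.seq + 1, ack=(synack.seq + 1) & 0xFFFFFFFF))
    # An ACK carrying a guessed cookie is rejected.
    relay.handle(Pkt("203.0.113.9", 40001, *srv, "A", seq=1, ack=0xDEADBEEF))
    return {"server_syns_after_flood": after_flood,
            "server_syns_total": len(relay.server_syns),
            "established": len(relay.established)}


if __name__ == "__main__":
    print(simulate())
```

The stateless cookie is one way to honour the abstract's goal of protecting the internal network without losing throughput: the flood path allocates no memory and does one hash per SYN, which matters on a processor with limited on-chip SRAM. The thesis's own relay may well keep a bounded half-open table instead; the page does not say.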