基于嵌入式Linux防火墙的研究与实现
摘要
防火墙技术是网络安全的基石,本文介绍了防火墙的相关内容,包括防火墙的基本概念、分类、主要技术和体系结构。在此基础上,研究了Linux操作系统下TCP/IP协议的实现,并对Linux防火墙的Netfilter/Iptables进行了研究。最后,本文开发了一个适合中小型用户的具有基本包过滤、动态包过滤、内容过滤,规则设置等功能的防火墙产品。该防火墙以Linux的Netfilter架构为基础,用Netfilter来实现基本包过滤功能。本文在Netfilter的基础上添加了三个功能模块,分别是:
动态包过滤模块:Netfilter自带的动态包过滤机制比较简单,只是将源、目的地址和源、目的端口保存在一张连接表中。其检查的连接信息较少,安全性不高。因此,本文重新开发了一个动态包过滤模块,其在连接状态表中增加了连接序号,应答号,窗口大小等表项,不但检测包是否属于合法连接,判断其TCP状态转换是否正确,而且还对包进行序号检查,判断包在这条连接上的合法性,即保证收到的包不是伪造的包,从而增强了防火墙的安全性。
内容过滤模块:采用基于协议分析的内容过滤算法对数据包进行内容过滤,解决了包过滤和动态包过滤不能防止基于内容级的攻击问题。该算法在协议分析的基础上检测数据包是否包含危险字符串,其性能优于一般的模式匹配算法,具有检测快,时延较小等特点。
Web设置系统:用户可以使用iptables命令来建立防火墙规则,但是iptables的配置所需要的参数很多,使用iptables命令建立防火墙规则相当烦琐。因此,本文开发了Linux防火墙规则的Web设置系统,利用浏览器对防火墙进行可视化配置,同时提出了一些防火墙规则语义完整性检测的方法,以辅助用户输入。
最后,本文对论文所作的工作进行了总结并指出了进一步的研究工作。
The firewall technology is the footstone of the network security. This paper introduces the relevant contents of the firewall, including the basic conception, classes, technology and system structure. On this basis, the author researches the implementation of TCP/IP in the Linux operating system, and netfilter/iptables of the Linux firewall. Finally, This paper developed a firewall product with composed capabilities of basic packet filter, dynamic packet filter, content filter and web configuration system, which applies to medium-sized and small-sized users. This firewall based on the netfilter structure of Linux, it implemented the basic packet filter function using the netfilter of Linux, based on which three basic modules are added.
Dynamic packet filter module: The dynamic packet filter comed with netfilter is relatively easy, which only save the source address and port, object address and port in a connection state table with little connection message and low security. Therefore, a new dynamic packet filter model was developed, in which some table items are added, such as sequence number, answer number and the size of the window. It not only can check whether the packet is a legal connection and determine whether the TCP state transformation is right, but also can the check the sequence of the packet and assure that the packet on this connection is the right one. That is to say the packet is not a forgery one. So this model can improve the security of the firewall.
Content filter module: This module uses the content filter algorithm based on protocol analysis to filter the packet, which can solve the problem that the packet filter and dynamic packet filter can't resist the attacks based on the content. This algorithm can detect whether the packets contain some dangerous strings on the basis of protocol analysis. It is fast in detection and has little time delay, which is better than common patern matching algorithm.
Web configuration system: The users may create the rules of firewall by iptables, but much more parameters are needed. So the author developed web configuration system of linux firewall. This system implements the visual configuration by browser. At the same time, the author introduces some methods of check semantic integrality of firewall rules, in order to assist users to input the rules.
Finally, this author sums up the research works and points out the further research work.
动态包过滤模块:Netfilter自带的动态包过滤机制比较简单,只是将源、目的地址和源、目的端口保存在一张连接表中。其检查的连接信息较少,安全性不高。因此,本文重新开发了一个动态包过滤模块,其在连接状态表中增加了连接序号,应答号,窗口大小等表项,不但检测包是否属于合法连接,判断其TCP状态转换是否正确,而且还对包进行序号检查,判断包在这条连接上的合法性,即保证收到的包不是伪造的包,从而增强了防火墙的安全性。
内容过滤模块:采用基于协议分析的内容过滤算法对数据包进行内容过滤,解决了包过滤和动态包过滤不能防止基于内容级的攻击问题。该算法在协议分析的基础上检测数据包是否包含危险字符串,其性能优于一般的模式匹配算法,具有检测快,时延较小等特点。
Web设置系统:用户可以使用iptables命令来建立防火墙规则,但是iptables的配置所需要的参数很多,使用iptables命令建立防火墙规则相当烦琐。因此,本文开发了Linux防火墙规则的Web设置系统,利用浏览器对防火墙进行可视化配置,同时提出了一些防火墙规则语义完整性检测的方法,以辅助用户输入。
最后,本文对论文所作的工作进行了总结并指出了进一步的研究工作。
The firewall technology is the footstone of the network security. This paper introduces the relevant contents of the firewall, including the basic conception, classes, technology and system structure. On this basis, the author researches the implementation of TCP/IP in the Linux operating system, and netfilter/iptables of the Linux firewall. Finally, This paper developed a firewall product with composed capabilities of basic packet filter, dynamic packet filter, content filter and web configuration system, which applies to medium-sized and small-sized users. This firewall based on the netfilter structure of Linux, it implemented the basic packet filter function using the netfilter of Linux, based on which three basic modules are added.
Dynamic packet filter module: The dynamic packet filter comed with netfilter is relatively easy, which only save the source address and port, object address and port in a connection state table with little connection message and low security. Therefore, a new dynamic packet filter model was developed, in which some table items are added, such as sequence number, answer number and the size of the window. It not only can check whether the packet is a legal connection and determine whether the TCP state transformation is right, but also can the check the sequence of the packet and assure that the packet on this connection is the right one. That is to say the packet is not a forgery one. So this model can improve the security of the firewall.
Content filter module: This module uses the content filter algorithm based on protocol analysis to filter the packet, which can solve the problem that the packet filter and dynamic packet filter can't resist the attacks based on the content. This algorithm can detect whether the packets contain some dangerous strings on the basis of protocol analysis. It is fast in detection and has little time delay, which is better than common patern matching algorithm.
Web configuration system: The users may create the rules of firewall by iptables, but much more parameters are needed. So the author developed web configuration system of linux firewall. This system implements the visual configuration by browser. At the same time, the author introduces some methods of check semantic integrality of firewall rules, in order to assist users to input the rules.
Finally, this author sums up the research works and points out the further research work.
引文
[1] 张小斌. 黑客分析与防范技术(第一版). 清华大学出版社, 1999.1
[2] Terry William Ogletree 著. 防火墙原理与实施. 电子工业出版社, 2001.3
[3] 袁军鹏. 浅谈防火墙技术与网络安全,安全技术防范,2002. 4. pp32-34.
[4] 杨辉军. 防火墙的基本知识及应用. 电脑知识与技术, 2002. 4. pp61-64
[5] 赵炯. Linux 内核完全注释. 机械工业出版社, 2004.2
[6] W. Richard Stevens. TCP/IP Illustrated, Volume2:The Implementation. 机械工业出版社, 2000.6
[7] 王鹏, 尤晋元. 操作系统:设计与实现. 电子工业出版社, 1998.6
[8] 毛德操, 胡希明. Linux 内核源代码情景分析. 浙江大学出版社, 2003.8
[9] W. Richard Stevens. TCP/IP Illustrated, Volume 1:The Protocols. 机械工业出版社, 2000.6
[10] Richard Petersen 著, 陶华敏等译. Linux 技术大全. 机械工业出版社, 2002.4
[11] 王莉, 黄光明, 刘志愚. 基于 Linux 的具有 DMZ 防火墙的实现. 微机发展, 2004, 14(4). pp 71-74
[12] 崔钰, 武舒凡. 防火墙包过滤技术研究. 计算机应用研究. 2004. 9. pp144-146
[13] 楚狂. 网络安全和防火墙技术. 人民邮电出版社, 2000.5
[14] 刘占全. 网络管理与防火墙技术. 人民邮电出版社, 1999.6
[15] 王睿, 林海波等. 网络安全与防火墙技术. 清华大学出版社, 2000.1
[16] 朱刚. Linux 网络编程. 科学出版社, 2000.6
[17] 刘渊等著. 因特网防火墙技术. 机械工业出版社. 1998.7
[18] 张兴虎. 黑客攻防技术内幕. 清华大学出版社, 2002.6
[19] 叶丹. 网络安全实用技术. 清华大学出版社, 2002.3
[20] 博嘉科技 主编. Linux 防火墙技术探秘. 国防工业出版社, 2002.2
[21] 陈朝阳, 潘雪增, 平铃娣. 新型防火墙的设计和实现. 计算机工程, 2002. 11. pp142-144
[22] 陈幼雷, 王张宜, 张焕国. 个人防火墙技术的研究与探讨. 计算机工程与应用, 2002. 8. pp136-139
[23] Linux 2. 4 Packet Filtering HOWTO. http://www. netfilter. org/documentation/HOWTO//packet-filtering-HOWTO. html
[24] Linux 2. 4 NAT HOWTO. http://www. netfilter. org/documentation/HOWTO//NAT-HOWTO. html
[25] Linux Networking-concepts HOWTO. http://www. netfilter. org/documentation/HOWTO//networking-concepts-HOWTO. html
[26] Linux netfilter Hacking HOWTO. http://www. netfilter. org/documentation/HOWTO//netfilter-hacking-HOWTO. html
[27] 胡安磊, 周大水, 李大兴. Linux 中 Netfilter/Iptables 的应用研究. 计算机应用与软件, 2004, 21(10). pp56-57
[28] 周明天, 汪文勇. TCP/IP 网络原理与技术. 清华大学出版社, 1997.1
[29] 张永辉, 吴小红, 李俊. Linux 下防火墙透明模式的原理及实现. 微电子学与计算机, 2004, 21(10). pp100-104
[30] 何海宾. 基于 Linux 包过滤的防火墙技术及应用. 电子科技大学学报, 2004, 33(1). pp75-78
[31] Hancock B. Security views. Computer & Security, 1999, 18. pp646-654
[32] Kent S. IP Authentication Header. RFC2402, 1998
[33] Kent S. IP Encapsulating Security Payload(ESP). RFC2406, 1998
[34] Randal E. Bryant. Computer System A Programmer's Perspective. 中国电力出版社. 2004.6
[35] David A Rusling. Linux Programming White Papers, 1998. 9
[36] Kent S. Security Architecture for the Internet Protocol. RFC2401, 1998
[37] V.V.Preetham. Internet 安全与防火墙. 清华大学出版社, 2004.6
[38] P.Mckeown. Algorithms for packet classification , IEEE Volume 15, Issue 2, March-April 2001 Page(s): 24-32
[39] Sartej Sahni. 数据结构算法与应用. 机械工业出版社, 2001.6
[40] Cherie Amon. The Best Daman Firewall Book Period, Syngress Publishing 2003
[41] Keith E.Strassberg. 防火墙技术大全. 机械工业出版社, 2003.6
[42] Greg Holden. 防火墙与网络安全. 清华大学出版社, 2004.6
[43] 宋舜宏. 基于 netfilter 的灵巧网关的设计与实现.计算机科学, 2004, 11(10). pp25-28
[44] Terry William Ogletree. 防火墙原理与实施. 电子工业出版社, 2001.2
[45] Bruce Schneier.网络信息安全的真相. 机械工业出版社, 2001.9
[46] Peter Norton. 网络安全指南. 人民邮电出版社, 2000.11
[2] Terry William Ogletree 著. 防火墙原理与实施. 电子工业出版社, 2001.3
[3] 袁军鹏. 浅谈防火墙技术与网络安全,安全技术防范,2002. 4. pp32-34.
[4] 杨辉军. 防火墙的基本知识及应用. 电脑知识与技术, 2002. 4. pp61-64
[5] 赵炯. Linux 内核完全注释. 机械工业出版社, 2004.2
[6] W. Richard Stevens. TCP/IP Illustrated, Volume2:The Implementation. 机械工业出版社, 2000.6
[7] 王鹏, 尤晋元. 操作系统:设计与实现. 电子工业出版社, 1998.6
[8] 毛德操, 胡希明. Linux 内核源代码情景分析. 浙江大学出版社, 2003.8
[9] W. Richard Stevens. TCP/IP Illustrated, Volume 1:The Protocols. 机械工业出版社, 2000.6
[10] Richard Petersen 著, 陶华敏等译. Linux 技术大全. 机械工业出版社, 2002.4
[11] 王莉, 黄光明, 刘志愚. 基于 Linux 的具有 DMZ 防火墙的实现. 微机发展, 2004, 14(4). pp 71-74
[12] 崔钰, 武舒凡. 防火墙包过滤技术研究. 计算机应用研究. 2004. 9. pp144-146
[13] 楚狂. 网络安全和防火墙技术. 人民邮电出版社, 2000.5
[14] 刘占全. 网络管理与防火墙技术. 人民邮电出版社, 1999.6
[15] 王睿, 林海波等. 网络安全与防火墙技术. 清华大学出版社, 2000.1
[16] 朱刚. Linux 网络编程. 科学出版社, 2000.6
[17] 刘渊等著. 因特网防火墙技术. 机械工业出版社. 1998.7
[18] 张兴虎. 黑客攻防技术内幕. 清华大学出版社, 2002.6
[19] 叶丹. 网络安全实用技术. 清华大学出版社, 2002.3
[20] 博嘉科技 主编. Linux 防火墙技术探秘. 国防工业出版社, 2002.2
[21] 陈朝阳, 潘雪增, 平铃娣. 新型防火墙的设计和实现. 计算机工程, 2002. 11. pp142-144
[22] 陈幼雷, 王张宜, 张焕国. 个人防火墙技术的研究与探讨. 计算机工程与应用, 2002. 8. pp136-139
[23] Linux 2. 4 Packet Filtering HOWTO. http://www. netfilter. org/documentation/HOWTO//packet-filtering-HOWTO. html
[24] Linux 2. 4 NAT HOWTO. http://www. netfilter. org/documentation/HOWTO//NAT-HOWTO. html
[25] Linux Networking-concepts HOWTO. http://www. netfilter. org/documentation/HOWTO//networking-concepts-HOWTO. html
[26] Linux netfilter Hacking HOWTO. http://www. netfilter. org/documentation/HOWTO//netfilter-hacking-HOWTO. html
[27] 胡安磊, 周大水, 李大兴. Linux 中 Netfilter/Iptables 的应用研究. 计算机应用与软件, 2004, 21(10). pp56-57
[28] 周明天, 汪文勇. TCP/IP 网络原理与技术. 清华大学出版社, 1997.1
[29] 张永辉, 吴小红, 李俊. Linux 下防火墙透明模式的原理及实现. 微电子学与计算机, 2004, 21(10). pp100-104
[30] 何海宾. 基于 Linux 包过滤的防火墙技术及应用. 电子科技大学学报, 2004, 33(1). pp75-78
[31] Hancock B. Security views. Computer & Security, 1999, 18. pp646-654
[32] Kent S. IP Authentication Header. RFC2402, 1998
[33] Kent S. IP Encapsulating Security Payload(ESP). RFC2406, 1998
[34] Randal E. Bryant. Computer System A Programmer's Perspective. 中国电力出版社. 2004.6
[35] David A Rusling. Linux Programming White Papers, 1998. 9
[36] Kent S. Security Architecture for the Internet Protocol. RFC2401, 1998
[37] V.V.Preetham. Internet 安全与防火墙. 清华大学出版社, 2004.6
[38] P.Mckeown. Algorithms for packet classification , IEEE Volume 15, Issue 2, March-April 2001 Page(s): 24-32
[39] Sartej Sahni. 数据结构算法与应用. 机械工业出版社, 2001.6
[40] Cherie Amon. The Best Daman Firewall Book Period, Syngress Publishing 2003
[41] Keith E.Strassberg. 防火墙技术大全. 机械工业出版社, 2003.6
[42] Greg Holden. 防火墙与网络安全. 清华大学出版社, 2004.6
[43] 宋舜宏. 基于 netfilter 的灵巧网关的设计与实现.计算机科学, 2004, 11(10). pp25-28
[44] Terry William Ogletree. 防火墙原理与实施. 电子工业出版社, 2001.2
[45] Bruce Schneier.网络信息安全的真相. 机械工业出版社, 2001.9
[46] Peter Norton. 网络安全指南. 人民邮电出版社, 2000.11