Research and Implementation of a Deep Packet Inspection Firewall Based on NDIS Technology
Abstract
In recent years network attacks have risen sharply, and worms such as Blaster and Sasser have posed a serious challenge to network security. Traditional firewall technologies such as packet-filtering firewalls and stateful-inspection firewalls lack the ability to counter these new attacks. As an important part of the network security architecture, firewall technology must keep developing and adopt new techniques to meet newly emerging threats.
     On this basis, this thesis proposes a new dual-protection firewall architecture that combines a TDI-layer filter driver with NDIS-HOOK-based deep packet inspection, and implements the firewall system in the Windows kernel. The main work of the thesis includes:
     (1) Studied the I/O mechanism of the Windows kernel, and analysed and experimentally verified methods of capturing, filtering and controlling network request packets at the TDI and NDIS layers;
     (2) Designed and implemented TDI-layer network packet filtering and control. At the TDI layer, information such as IP address, port, protocol, user and process can all be obtained, which makes precise control targeted at specific users and specific applications possible;
     (3) Designed and implemented NDIS-layer network packet filtering and control using deep packet inspection. Deep packet inspection is used to analyse the protocol content comprehensively in order to discover suspicious or anomalous behaviour in network communication, and it is combined with stateful inspection to determine the state of the application-layer session and block it promptly;
     (4) Carried out system testing of the system designed in the thesis, including tests of the TDI-layer seven-tuple filtering control based on the application process and of the NDIS-layer HTTP deep packet inspection control. The tests show that the dual-protection firewall architecture proposed and implemented here, based on a TDI-layer filter driver and NDIS-HOOK deep packet inspection, achieves network access control and deep packet inspection at their respective layers and improves host security.
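Item (2) above states that the TDI layer exposes IP address, port, protocol, user and process, and item (4) tests a seven-tuple filter built on that information. The following is an added illustration, not code from the thesis, that models such a rule table in user-mode C; the exact seven fields (source and destination address and port, protocol, user, process), the wildcard encoding and the sample policy are assumptions.

```c
/* Added example, not the thesis's own code: a user-mode model of the TDI-layer
 * seven-tuple filter the abstract describes. The seven fields, the wildcard
 * encoding and the sample policy below are this example's assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ANY_IP 0xFFFFFFFFu   /* wildcards: address (host byte order), ... */
#define ANY_PORT 0xFFFFu
#define ANY_PROTO 0xFFu
#define ANY_STR "*"          /* ... and user or process image name */
enum verdict { DENY = 0, ALLOW = 1 };
typedef struct {
    uint32_t src_ip, dst_ip; uint16_t src_port, dst_port;
    uint8_t proto;               /* IP protocol number: 6 = TCP, 17 = UDP */
    const char *user, *process;  /* account and image name of the requesting process */
} tuple7;
typedef struct { tuple7 match; enum verdict action; } rule;
static int str_match(const char *pat, const char *val) {
    return strcmp(pat, ANY_STR) == 0 || strcmp(pat, val) == 0;
}
/* A rule matches when each of its seven fields is a wildcard or equal. */
static int rule_matches(const tuple7 *r, const tuple7 *c) {
    return (r->src_ip == ANY_IP || r->src_ip == c->src_ip) &&
           (r->dst_ip == ANY_IP || r->dst_ip == c->dst_ip) &&
           (r->src_port == ANY_PORT || r->src_port == c->src_port) &&
           (r->dst_port == ANY_PORT || r->dst_port == c->dst_port) &&
           (r->proto == ANY_PROTO || r->proto == c->proto) &&
           str_match(r->user, c->user) && str_match(r->process, c->process);
}
/* First matching rule decides; a connection no rule covers is denied. */
static enum verdict evaluate(const rule *rules, size_t n, const tuple7 *c) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i].match, c)) return rules[i].action;
    return DENY;
}
/* Constructed sample policy: the browser may open TCP/80 for any user, the
 * Administrator account may open anything, and everything else is blocked. */
static const rule policy[] = {
    { { ANY_IP, ANY_IP, ANY_PORT, 80, 6, ANY_STR, "iexplore.exe" }, ALLOW },
    { { ANY_IP, ANY_IP, ANY_PORT, ANY_PORT, ANY_PROTO, "Administrator", ANY_STR }, ALLOW },
    { { ANY_IP, ANY_IP, ANY_PORT, ANY_PORT, ANY_PROTO, ANY_STR, ANY_STR }, DENY },
};

/* What a TDI-layer hook would call once it has collected the seven fields. */
enum verdict check_conn(uint32_t sip, uint32_t dip, uint16_t sp, uint16_t dp,
                        uint8_t proto, const char *user, const char *process) {
    tuple7 c = { sip, dip, sp, dp, proto, user, process };
    return evaluate(policy, sizeof policy / sizeof policy[0], &c);
}
```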
In recent years, attacks from the network have been growing greatly year by year. These attacks, which aim at loopholes in the application layer, such as worms and Trojan horses, have brought a great challenge to network security, but traditional firewall technologies, such as packet-filter firewalls and stateful-inspection firewalls, cannot defend against them efficiently. As an important part of a network security system, firewalls must improve their abilities, and new technologies and methods must be developed in order to defend against these attacks which aim at the application layer.
     Based on the circumstances discussed above, this paper puts forward a new-style, double-defence firewall framework based on a TDI filter driver and NDIS-HOOK deep packet inspection technology, and implements it in the Windows kernel. The main work of this paper is as follows:
     (1) Researched the I/O mechanism of the Windows kernel. Analysed and tested how to capture, analyse, filter and control IRP packets in the TDI layer and the NDIS layer of the Windows network protocol stack by means of attaching drivers.
     (2) Designed and implemented the filtering and control of network IRPs in the TDI layer. Many kinds of information, such as IP address, port, protocol, user and process, can easily be obtained in the TDI layer, so the TDI filter driver module can implement network access control that targets specific processes and users.
     (3) Designed and implemented the filtering and control of network packets by deep packet inspection in the NDIS layer. Implemented the capture and protocol analysis of these packets based on NDIS-HOOK technology. The module analyses the principles and characteristics of application-layer protocols, uses stateful inspection technology to maintain the state of packets, checks for illegal network requests and network attacks, and finally denies them in time.
     (4) Tested the firewall designed and implemented in this paper systematically, including the test of the filtering and control of network IRPs based on application and user information in the TDI layer, and the deep packet inspection and control of the HTTP protocol in the NDIS layer. Test results show that this new-style, double-defence firewall framework based on a TDI filter driver and NDIS-HOOK deep packet inspection technology can implement network access control and deep packet inspection in their different layers, and finally improves the security of the computer.
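Items (3) and (4) above describe HTTP deep packet inspection at the NDIS layer combined with stateful tracking of the application-layer session. The following is an added illustration, not code from the thesis, that models that check in user-mode C on constructed segment payloads; the request-line limits, the permitted method set and the two-state session model are assumptions.

```c
/* Added example, not the thesis's own code: a user-mode model of the NDIS-layer
 * HTTP deep packet inspection with stateful session tracking that the abstract
 * describes. The limits and permitted method set are this example's assumptions. */
#include <string.h>
#include <stddef.h>
#define MAX_REQ_LINE 2048   /* assumed cap on the "METHOD URI HTTP/1.x" line */
enum dir   { CLIENT, SERVER };
enum state { EXPECT_REQUEST, REQUEST_SENT };
enum dpi   { PASS = 0, DROP = 1 };
typedef struct { enum state st; } http_session;   /* one entry per tracked TCP flow */
static const char *const methods[] = { "GET ", "HEAD ", "POST ", "OPTIONS " };
#define N_METHODS (sizeof methods / sizeof methods[0])
/* Validate the request line in the first client segment: known method, bounded
 * length, HTTP/1.0 or HTTP/1.1 before CRLF. (Simplification: whole line in one segment.) */
static int request_line_ok(const char *p, size_t len) {
    const char *eol = memchr(p, '\n', len);
    if (!eol || eol == p || eol[-1] != '\r') return 0;   /* no CRLF-terminated line */
    size_t line = (size_t)(eol - p) - 1;                 /* bytes before the CR */
    if (line > MAX_REQ_LINE) return 0;                   /* over-long request line */
    size_t i;
    for (i = 0; i < N_METHODS; i++)
        if (line > strlen(methods[i]) && memcmp(p, methods[i], strlen(methods[i])) == 0) break;
    if (i == N_METHODS) return 0;                        /* unknown method or non-HTTP data */
    return line >= 9 && (memcmp(p + line - 8, "HTTP/1.0", 8) == 0 ||
                         memcmp(p + line - 8, "HTTP/1.1", 8) == 0);
}

/* Per-segment verdict: the session state decides which side may speak and what
 * its first bytes must look like; a violation is dropped immediately. */
enum dpi http_inspect(http_session *s, enum dir d, const char *p, size_t len) {
    if (len == 0) return PASS;
    if (s->st == EXPECT_REQUEST) {
        if (d == SERVER) return DROP;                    /* response with no request */
        if (!request_line_ok(p, len)) return DROP;       /* malformed or non-HTTP on port 80 */
        s->st = REQUEST_SENT;
    } else if (d == SERVER) {
        if (len < 5 || memcmp(p, "HTTP/", 5) != 0) return DROP;  /* not a status line */
        s->st = EXPECT_REQUEST;                          /* keep-alive: await the next request */
    }                                                    /* client data after the request: body */
    return PASS;
}
/* Drive a fresh session through one client and one server segment; returns 0 when
 * both pass, 1 if the request was dropped, 2 if the response was. */
int check_exchange(const char *req, const char *resp) {
    http_session s = { EXPECT_REQUEST };
    if (http_inspect(&s, CLIENT, req, strlen(req)) == DROP) return 1;
    if (http_inspect(&s, SERVER, resp, strlen(resp)) == DROP) return 2;
    return 0;
}
```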