A Network Security Audit System Based on a Gigabit Network
Abstract
To guarantee the content security of network information and internal information, corresponding security technology must be developed. A content-based security audit system can process and analyze the content of network traffic in real time without the monitored parties being aware of it, and record all kinds of information. This information allows system administrators and other responsible staff to audit and analyze events after the fact, so that problems in the system are found promptly and appropriate security management measures are taken; it also makes it possible to anticipate security vulnerabilities or defects that the system itself may have.
     This thesis studies the technologies related to network security auditing and, for medium-to-large enterprise network environments, designs and implements a network security audit system based on network sniffer technology. The thesis covers the following aspects.
     First, it introduces the research background and significance of network security audit systems and states the research objectives of the thesis. It studies the technologies involved in network security audit systems from the perspectives of system architecture, data sources and network service control, and analyzes network security audit systems in detail.
     Second, it describes in detail the functional requirements that small-to-medium enterprise network environments place on a network security audit system and the design of the system architecture. Organized by function, it presents the design of each subsystem: data collection, data parsing and processing, network service control and the user interface, together with the research results on key technologies such as the data collection and storage strategy and data parsing and processing. For each practical requirement of a deployed network security audit system, a corresponding solution is given.
     Third, it analyzes the implementation process of the system in detail and, on that basis, designs and implements a layered protocol analysis module. Within this module the parsing procedures of common protocols are analyzed and compared. Standardized interfaces and internal layering give the module good reusability and extensibility.
     Finally, it presents the overall implementation model of the network security audit system together with the functional structure and implementation mechanism of each subsystem. A network security audit system is implemented that provides enterprise network administrators with a sound platform for network security auditing. By configuring system parameters, the system can be applied flexibly and conveniently to a variety of real environments to meet the specific needs of different users.
In order to ensure the security of data on the network, the corresponding security technology must be developed. A content-based security audit system can process and analyze data without the monitored clients being aware of it. The recorded information is then used by the system manager for auditing and analysis, so that malfunctions can be found as soon as possible and action taken to fix them. Sometimes the information gathered from the network can also help predict malfunctions and bugs.
     This paper designs a framework for network security auditing based on a network sniffer that is suited to medium and large enterprise network environments, and then applies the framework in a real project. The paper consists of the following parts:
     Firstly, it introduces the research background and significance and then states the objective of the research. It studies the system structure, data sources and network service control relevant to a network audit system, and analyzes the audit system in detail.
     Secondly, it introduces the requirements of a small-to-medium enterprise network environment and then gives the structure of the security audit system. By function, the system is divided into data collection, data analysis and processing, network service control and the user interface. The paper focuses on several crucial technologies used in data collection and storage and in data analysis and processing; after studying the existing crucial technologies, it gives a solution to the practical requirements of a network security audit system.
     Then the paper gives the details of the implementation of the audit system and presents a layered protocol analysis model in which common protocols are compared and analyzed. Standardized interfaces and internal layering give the model good reusability and extensibility.
     Finally, the paper introduces the general implementation model of the security audit system and the functions and implementation of its sub-units. The system provides a good platform for network managers to perform audits, and it can fit different environments and serve different users through different parameter settings.
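The layered protocol analysis module described above (a uniform per-layer interface, each layer validating what the outer layer announced, with a layer table as the extension point) is illustrated here by an added C example; it is not the thesis's own code, and the record fields, the `layer_fn` interface and the sample frame are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Per-frame audit record; depth = number of layers successfully parsed. */
typedef struct {
    uint16_t ethertype, src_port, dst_port; uint8_t ip_proto;
    uint32_t src_ip, dst_ip; size_t payload_len; int depth;
} audit_record;
/* Uniform layer interface: parse this layer's header, return bytes consumed (0 = reject). */
typedef size_t (*layer_fn)(const uint8_t *p, size_t len, audit_record *r);
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }
static size_t parse_ethernet(const uint8_t *p, size_t len, audit_record *r) {
    if (len < 14) return 0;                            /* truncated capture */
    r->ethertype = be16(p + 12);
    return 14;
}
static size_t parse_ipv4(const uint8_t *p, size_t len, audit_record *r) {
    /* Each layer checks what the outer layer announced before trusting the bytes. */
    if (r->ethertype != 0x0800 || len < 20 || (p[0] >> 4) != 4) return 0;
    size_t hlen = (size_t)(p[0] & 0x0f) * 4, total = be16(p + 2);
    if (hlen < 20 || total < hlen || total > len) return 0;   /* malformed or truncated */
    r->ip_proto = p[9]; r->src_ip = be32(p + 12); r->dst_ip = be32(p + 16);
    return hlen;
}
static size_t parse_tcp(const uint8_t *p, size_t len, audit_record *r) {
    if (r->ip_proto != 6 || len < 20) return 0;
    size_t hlen = (size_t)(p[12] >> 4) * 4;             /* data offset in 32-bit words */
    if (hlen < 20 || hlen > len) return 0;
    r->src_port = be16(p); r->dst_port = be16(p + 2);
    return hlen;
}
/* The layer table is the extension point: a UDP or ARP parser is one more entry. */
static const layer_fn layers[] = { parse_ethernet, parse_ipv4, parse_tcp };
static audit_record analyse_frame(const uint8_t *p, size_t len) {
    audit_record r; memset(&r, 0, sizeof r);
    for (size_t i = 0; i < sizeof layers / sizeof layers[0]; i++) {
        size_t used = layers[i](p, len, &r);
        if (used == 0) break;          /* layer rejected its input: keep what was parsed so far */
        r.depth++; p += used; len -= used;
    }
    r.payload_len = len;               /* bytes after the last parsed header; Ethernet padding is not trimmed */
    return r;
}
/* Constructed sample frame: Ethernet / IPv4 192.168.1.10 -> 192.168.1.20 / TCP 50000 -> 80 / 16-byte payload. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x38, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,
    0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00, 0x50,0x18,0x20,0x00, 0x00,0x00,0x00,0x00,
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n' };
```

A truncated capture or an unexpected EtherType stops the walk at the last layer that accepted its input, so the record still carries whatever the audit system could establish.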