Research and Implementation of a SOCKS Firewall
Abstract
With the rapid development of the Internet and intranets, the firewall has become an important measure for protecting network security. SOCKS firewall technology is a fairly complete firewall technology, but work on it started late in China, and because the relevant state authorities have indicated that government functional departments must not use foreign security products, the internal implementation details and related techniques of the SOCKS firewall are an important topic in urgent need of research. The thesis first analyzes and compares firewall techniques at each layer, then introduces the principle of the SOCKS firewall and analyzes the SOCKS V5 protocol and the security mechanisms of SOCKS technology. Building on that study of the protocol and security mechanisms, it implements the basic functions of a SOCKS firewall. The thesis focuses on the implementation of the functions new in SOCKS V5: UDP application support and the authentication mechanisms. The authentication mechanisms implemented are username/password authentication and GSS-API authentication. The thesis analyzes in detail the principle, procedure and main interfaces of GSS-API and, on the basis of an analysis of the SOCKS/GSS-API protocol, implements GSS-API authentication in the SOCKS firewall. Finally, it summarizes the overall framework and flow of the implemented system and proposes ideas for its future extension.
