Design and Implementation of a Multi-User Concurrency-Controlled Firewall and IDS Interaction Experiment System
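Abstract
With the rapid development of computer network technology and the growing informatization of society, network security is becoming increasingly important. Equally important is the learning, training and hands-on practice of computer network and information security technology for users.
     Among current network security technologies, firewall technology and intrusion detection technology are both fairly mature, but each has its own strengths and weaknesses. Linking the firewall with the intrusion detection system (IDS) for network protection meets the needs of network security development and makes up for the shortcomings of both. Current firewall and IDS interaction products are developed for commercial needs: they focus on results, offer little interactivity, and are generally suited to configuration by a single administrator only, so they can hardly meet the multi-user and interactivity requirements of laboratory experiments. This thesis therefore designs an experiment system based on firewall and IDS interaction and gives a concrete implementation method.
     The thesis first introduces firewall technology, IDS technology, firewall and IDS interaction technology, and the training significance, current state and open problems of firewall and IDS interaction experiments, and then studies in detail the architecture and key technologies of firewall and IDS interaction and several existing interaction models. Next, on this basis, it studies in depth multi-user concurrency control, firewall and IDS interaction, and centralized management technologies and, taking the tasks and characteristics of the experiments into account, designs a multi-user concurrency-controlled firewall and IDS interaction experiment system that makes full use of existing technology. It then describes, from a functional perspective, the design ideas, architecture and concrete implementation of each of the system's main modules. Finally, it studies rule configuration, which has a major effect on firewall performance, improves the rule anomaly detection algorithm, and uses log information to optimize the firewall rules.
     The system designed in this thesis effectively meets the needs of information security practitioners for firewall and IDS interaction experiments and improves their hands-on and problem-solving abilities, which gives it positive practical significance.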
With the development of computer network and information technology, network security is becoming more and more important. At the same time, we should learn about computer network and information security technology, so more researchers are now working on how to provide a platform for learning, training in and practising these technologies.
     Among all the network security technologies, firewall technology and IDS technology have made great progress, but each has its own advantages and disadvantages. Realizing interaction between the firewall and the IDS therefore meets the needs of network security, and the two can make up for each other's shortfalls. Most current products are designed and developed for commercial requirements: they focus on implementing functions and pay little attention to interactivity, and most of them are operated exclusively. These characteristics make them unsuitable for experiments or demonstrations. Given this situation, this paper analyses the theories and technologies related to firewall and IDS interaction, then designs an experiment system based on firewall and IDS interaction and describes the specific methods.
     This paper first introduces firewall technology, IDS technology, firewall and IDS interaction technology, and the related experiments, then makes an in-depth study of the architecture and key technologies of firewall and IDS interaction and of several existing interaction models. On the basis of this research, the paper discusses several innovative technologies, such as multi-user concurrent control. In keeping with the tasks and features of an experiment system, it designs a firewall and IDS interaction experiment system that supports large-scale, multi-user concurrent control. The system is then divided into several function modules, and the architecture, design and implementation of the important modules are discussed thoroughly. Finally, because the configuration of rules has a major impact on the performance of the firewall system, it studies the use of rule anomaly detection and logs to achieve rule optimization.
     This system meets the requirements of information security engineers for firewall and IDS interaction experiments.
