多用户并发控制DFW教学实验系统的设计和实现
|
摘要
随着计算机网络技术的飞速发展,社会生活信息化的程度不断提高。人们通过互联网越来越容易获取需要的信息,但同时也带来了信息丢失、泄漏等安全问题。提高信息传递的安全等级是解决问题的途径之一,同样不可忽略的是针对用户的计算机网络与信息安全技术的学习、培训和实践。
在此背景下,国家科技部先后设立的两个863计划信息安全重大项目《信息安全工程实践综合实验平台研究与集成》和《信息安全增值服务平台(东部)》,就是为了实现服务国家信息安全保障体系建设,推进全民信息安全意识的普及与提高的目标,旨在解决信息安全领域实践教育与培训相关的实用化关键技术难点。
目前网络保护技术中的传统防火墙技术已经发展得比较成熟,分布式防火墙(Distributed Firewall, DFW)在安全性、系统性能和扩展性等方面相对于传统防火墙具有更安全、更高效和更易扩展性等优点,但是DFW仍处于发展阶段,当前的DFW产品都是基于商业需求研制的,注重结果,交互性不强,而且只适于一个管理员配置,相对于教学实验中多用户,交互性等要求,DFW产品难以满足教学实验需求。因此,本文设计并实现了一个基于DFW的教学实验系统。
With the development of computer network and information technology, it is more convenient to get access to Internet so as the data transmission. The fact also should not be ignored is that people are facing the dangers of their privacy leaking, virus threating and hacker’s attacking when they connect to Internet. On one hand, the information security level has to be improved; on the other hand, we should learn something about computer network and information security technology. So, today, more researchers are working on how to providing a platform for these technologies’learning, training and practising.
In order to serve for the construction of national information security safeguard system and fasten the popularization and enhancement of all people’s information security consciousness, the National Science and Technology Department activated two information security projects of National 863 Plans successively. One is the project of Research and Integration of Compsitive Experiment Platform of Information Security Engineering Practising, and the other project is the Increment Service Platform of Information Security (East), which are for the purpose of
在此背景下,国家科技部先后设立的两个863计划信息安全重大项目《信息安全工程实践综合实验平台研究与集成》和《信息安全增值服务平台(东部)》,就是为了实现服务国家信息安全保障体系建设,推进全民信息安全意识的普及与提高的目标,旨在解决信息安全领域实践教育与培训相关的实用化关键技术难点。
目前网络保护技术中的传统防火墙技术已经发展得比较成熟,分布式防火墙(Distributed Firewall, DFW)在安全性、系统性能和扩展性等方面相对于传统防火墙具有更安全、更高效和更易扩展性等优点,但是DFW仍处于发展阶段,当前的DFW产品都是基于商业需求研制的,注重结果,交互性不强,而且只适于一个管理员配置,相对于教学实验中多用户,交互性等要求,DFW产品难以满足教学实验需求。因此,本文设计并实现了一个基于DFW的教学实验系统。
With the development of computer network and information technology, it is more convenient to get access to Internet so as the data transmission. The fact also should not be ignored is that people are facing the dangers of their privacy leaking, virus threating and hacker’s attacking when they connect to Internet. On one hand, the information security level has to be improved; on the other hand, we should learn something about computer network and information security technology. So, today, more researchers are working on how to providing a platform for these technologies’learning, training and practising.
In order to serve for the construction of national information security safeguard system and fasten the popularization and enhancement of all people’s information security consciousness, the National Science and Technology Department activated two information security projects of National 863 Plans successively. One is the project of Research and Integration of Compsitive Experiment Platform of Information Security Engineering Practising, and the other project is the Increment Service Platform of Information Security (East), which are for the purpose of
引文
[1] Bartal Y, Mayer A, Nissim K, et al. A Novel Firewall ManagementToolkit. In Proceedings of the IEEE Computer Society Symposium on Security and Privacy, 1999:17-31
[2] Bellovin S M. Distributed Firewalls.login: Magazine, Special Issue on Security, 1999-11:37-39
[3] Ioannidis S, Keromytis A D, Bellovin S M, et al. Implementing a Distributed Firewall.In: 7th ACM Conference on Computer and Communications Security, Athens, Greece, 2000-11: 190-199
[4] Crosbie M, Spoard E. Defending A Computer System Using Autonomous Agents. In: Processing of 18th National Information System Security Conference, 1995: 549-558
[5] Grosof C B, Harrison C, Levine D, et al. Itinerant Agents for Mobile Computing. IEEE Personal Communications Magazine, 1995, 2(5):34-49
[6] Keith E.Strassberg, et al. Firewalls:The Complete Reference,机械工业出版社 2003. 3
[7] http://duba.xaonline.com/c/2002/0725/13973.htm
[8] The CERT Coordination Center, Overview of Attack Trends, USA:Carnegie MellonUniversity, 2002, 1-7
[9] Ming-Yuh Huang, Thomas M.Wicks.A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis. Technical Report,Boeing Company, Seattle, WA. U.S.A,250-158
[10] (美) Hare C, Siyan K. Internet 防火墙与网络安全. 北京: 机械工业出版社,1998
[11] Jerry Ford 著,段云所,王昭,唐礼勇,陈钟译个人防火墙人民邮电出版社,2002年 8 月
[12] (美) Ziegler R L . Linux 防火墙. 北京:人民邮电出版社,2000
[13] Sandeep Kumar. Computer Intrusions Classification and Detection. PhD dissertation. PurdueUniversity, 1995: 115-119
[14] 商桑,顾德均,姜茂仁,虚拟现实技术在网络教育中的应用,中国远程教育研究,7/2000
[15] S.M Bellovin Distributed Firewall login:magazine,special issueon security,November 1999.
[16] M.Blaze, J.Feigenbaum, J.Ioannidis, A.Keromyltis.The KeyNote Trust-Management System Version 2, RFC2704, 1999
[17] Charles Payne, Tom Markham. Architecture and Applications for a Distributed Embeded Firewall [J), Secure Computing Corporation, 2001
[18] Smith R.N, Yu Chen, Bhattacharya S. Cascade of distributed and cooperating firewalls in a secure data network. Knowledge and Data Engineering, IEEE Transactionson, Issue: 5, Sept.-Oct. 2003.Volume: 15. Pages:1307 - 1315
[19] Meredith L.M. A summary of the Autonomic Distributed Firewalls (ADF) project. DARPA Information Survivability Conference and Exposition. Proceedings. 22-24, April 2003. Volume: 2Pages:260 - 265
[20] Payne C, Markham T. Architecture and applications for a distributed embedded firewall. Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual,10-14 Dec. 2001. Pages:329 - 336
[21] Tom.Markham, Charlie Payne. Security at the Network Edge: A Distributed Firewall Architecture DARPA Information Survivability Conference June 12-14 2001
[22] BELLOVINSM.DistributedFirewalls[EB/OL].http://www.research.att.com/~smb/pap ers/distfw.html.1999.39~47.
[23] BLAZEM, FEIGENBAUMJ,LOANNIDISJ.TheKeyNoteTrust-ManagementSystemV ersion2[S].September1999.RFC27041
[24] 陈春玲,雷世荣,陈丹伟.分布式防火墙的原理,实现及应用.南京邮电学院学报(自然科学版),2002,(4):5~10.
[25] BLAZE M, IOANNIDIS J, KEROMYTIS A.Trust Management for IPSec[A]. In:Proceedi ngs of the Internet Society Symposium on Net-work and Distributed Systems Security (SNDSS2001) [C].SanDeigo, CA, Feb2001.139~151.
[26] Elizabeth D.Zwicky, Simon Cooper & D.Brent chapman building internet firewalls,2nd Edition〔M〕.O’Reilly & Associates,Inc, USA June 2000
[27] Kidd E. XML-RPC HOWTO. http://www.xml-rpc.org
[28] MARKHAM T ,PAYNE C.Security at the Network Edge:A Distributed Firewall Architecture[EB/OL].http://www.mnlab.cs.depaul.edu/seminar/fall2001/distributed2firealls.pdf
[29] PAYNE C,MARKHAM T.Architecture and Applications for a Distributed Embedded Firewall [EB/OL].http://www.acsac.org/2001/papers/73.pdf
[30] IOANNIDIS S, KEROM YTIS A D, BELLOVINSM. Implementing a Distributed Firewall[EB/OL]. http://www.securecom-puting.com/pdf/dist_firewall_arch.pdf
[31] BLAZEM , FEIGENBAUM J, IOANNIDIS J. The KeyNote Trust-Management System Version2[S] . RFC2704 ,IETF , September 1999.
[32] RFC1510. The Kerberos network authentication service(V5)S〕.1993.5
[33] Deperous 著 王锐 等译. 网络最高安全技术指南〔M〕.北京:机械工业出版社,1998.5
[34] William R.Cheswick, StevenM.Bellovin. Firewalls and inter-net security〔M〕.1997.11
[35] Derek A tkins.Internet 网络安全专业参考手册〔M〕.北京:机械工业出版社 1999.3
[36] David M. Martin, Sivaramarkrishnan proceedings of the sympo-sium on network and distributed system security〔DE/OL〕.http//:csis.pace.edu/csis
[37] Comer D E. Internetworking with TCP/IP, Volume I: Principle,Protocols. and Architecture. NJ: Prentice-Hall International Inc..1998
[38] Dcrek ALkins.InLcrneL 网络安全专业参考工册 M}.北京:机械工业出版社 1999.3
[39] Kent SA tkinson R. Security architecture for the internet protocols, Novemberl998 IETF RFC 2401.
[40] Kent S,A tkinson R. IP authentication headers. Novembe r 1998 IETF RFC 2402.
[41] KentS,A thinson R.IP encapsulating security payload (ESP) Novemberl998 IETF RFC 2406
[42] HarkinsD,CarrID. Intenetkey exchangeS Novemberl998, IFTF RFC 2409.
[43] 周巍松.Linux 系统分析与高级编程技术[M].第一版,机械工业出版社,1999
[44]NaganadDoraswamy,DanHarkins.IPSec:新一代因特网安全标准,京京工作室译,机械工业出版社,2000.1
[45]RustyRussell . Linux netfilter Hacking HOW TO .www.netfilter.org,2002.2
[46] 关振胜.公钥基础设施 PKI 与认证机构 CA[M].北京:电子工业出版社.2002.
[47]Zuccherato R. Using A PKI Based Upon Elliptic Curve Cryptography [Z]. http://www.entrust.com, 2003.
[48] Korver B. The Internet IP Security PKI Profile of IKE/ISAKMP and PKIX[Z]. draft-ietf-IPsec-pki-profile-04.txt, IETF Internet Draft:pki4 IPsec, 2004.
[49] The Internet Key Exchange (IKE)[S]. RFC 2409, 1999.
[50] A Traffic-based Method of Detecting Dead Internet Key Exchange (IKE)Peers[S]. RFC 3706, 2004.
[51] Karnik Neeran. Security in Mobile Agent Systems. PhD dissertation. University of Minnesota,1998: 89-90
[52] 周艳,虚拟现实与教育,开放教育研究,2000 年第 3 期
[53] 董剑安,王永刚,吴秋峰.iptables 防火墙的研究与实现[J],计算机工程与应用,2003, 39(17): 161 一 164
[54] 刘华,颜国正,丁国清.在 linux 下用 iptables 建立防火墙的方法[J],计算机工程,2003,29 (10): 129-131
[55] 张惠卿,严峰,沈金龙.在 linux 下用 iptables 构建防火墙[J],中国数据通信,2002,4(8): 55-58
[56] 唐宁,金连莆,陈平.基于 Linux 的最新防火墙技术的研究[J],计算机应用研究,2002 ,12: 76-78
[57] 陈五友,刘万里,尹治本.利用 Netfilter 构建防火墙[J],通信技术,2003,1:113-115
[58] 姚晓宇,赵晨,Linux 内核防火墙 Netfilter 实现与应用研究,计算机工程,2003年 5 月,第 29 卷第 8 期,112-113 页
[2] Bellovin S M. Distributed Firewalls.login: Magazine, Special Issue on Security, 1999-11:37-39
[3] Ioannidis S, Keromytis A D, Bellovin S M, et al. Implementing a Distributed Firewall.In: 7th ACM Conference on Computer and Communications Security, Athens, Greece, 2000-11: 190-199
[4] Crosbie M, Spoard E. Defending A Computer System Using Autonomous Agents. In: Processing of 18th National Information System Security Conference, 1995: 549-558
[5] Grosof C B, Harrison C, Levine D, et al. Itinerant Agents for Mobile Computing. IEEE Personal Communications Magazine, 1995, 2(5):34-49
[6] Keith E.Strassberg, et al. Firewalls:The Complete Reference,机械工业出版社 2003. 3
[7] http://duba.xaonline.com/c/2002/0725/13973.htm
[8] The CERT Coordination Center, Overview of Attack Trends, USA:Carnegie MellonUniversity, 2002, 1-7
[9] Ming-Yuh Huang, Thomas M.Wicks.A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis. Technical Report,Boeing Company, Seattle, WA. U.S.A,250-158
[10] (美) Hare C, Siyan K. Internet 防火墙与网络安全. 北京: 机械工业出版社,1998
[11] Jerry Ford 著,段云所,王昭,唐礼勇,陈钟译个人防火墙人民邮电出版社,2002年 8 月
[12] (美) Ziegler R L . Linux 防火墙. 北京:人民邮电出版社,2000
[13] Sandeep Kumar. Computer Intrusions Classification and Detection. PhD dissertation. PurdueUniversity, 1995: 115-119
[14] 商桑,顾德均,姜茂仁,虚拟现实技术在网络教育中的应用,中国远程教育研究,7/2000
[15] S.M Bellovin Distributed Firewall login:magazine,special issueon security,November 1999.
[16] M.Blaze, J.Feigenbaum, J.Ioannidis, A.Keromyltis.The KeyNote Trust-Management System Version 2, RFC2704, 1999
[17] Charles Payne, Tom Markham. Architecture and Applications for a Distributed Embeded Firewall [J), Secure Computing Corporation, 2001
[18] Smith R.N, Yu Chen, Bhattacharya S. Cascade of distributed and cooperating firewalls in a secure data network. Knowledge and Data Engineering, IEEE Transactionson, Issue: 5, Sept.-Oct. 2003.Volume: 15. Pages:1307 - 1315
[19] Meredith L.M. A summary of the Autonomic Distributed Firewalls (ADF) project. DARPA Information Survivability Conference and Exposition. Proceedings. 22-24, April 2003. Volume: 2Pages:260 - 265
[20] Payne C, Markham T. Architecture and applications for a distributed embedded firewall. Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual,10-14 Dec. 2001. Pages:329 - 336
[21] Tom.Markham, Charlie Payne. Security at the Network Edge: A Distributed Firewall Architecture DARPA Information Survivability Conference June 12-14 2001
[22] BELLOVINSM.DistributedFirewalls[EB/OL].http://www.research.att.com/~smb/pap ers/distfw.html.1999.39~47.
[23] BLAZEM, FEIGENBAUMJ,LOANNIDISJ.TheKeyNoteTrust-ManagementSystemV ersion2[S].September1999.RFC27041
[24] 陈春玲,雷世荣,陈丹伟.分布式防火墙的原理,实现及应用.南京邮电学院学报(自然科学版),2002,(4):5~10.
[25] BLAZE M, IOANNIDIS J, KEROMYTIS A.Trust Management for IPSec[A]. In:Proceedi ngs of the Internet Society Symposium on Net-work and Distributed Systems Security (SNDSS2001) [C].SanDeigo, CA, Feb2001.139~151.
[26] Elizabeth D.Zwicky, Simon Cooper & D.Brent chapman building internet firewalls,2nd Edition〔M〕.O’Reilly & Associates,Inc, USA June 2000
[27] Kidd E. XML-RPC HOWTO. http://www.xml-rpc.org
[28] MARKHAM T ,PAYNE C.Security at the Network Edge:A Distributed Firewall Architecture[EB/OL].http://www.mnlab.cs.depaul.edu/seminar/fall2001/distributed2firealls.pdf
[29] PAYNE C,MARKHAM T.Architecture and Applications for a Distributed Embedded Firewall [EB/OL].http://www.acsac.org/2001/papers/73.pdf
[30] IOANNIDIS S, KEROM YTIS A D, BELLOVINSM. Implementing a Distributed Firewall[EB/OL]. http://www.securecom-puting.com/pdf/dist_firewall_arch.pdf
[31] BLAZEM , FEIGENBAUM J, IOANNIDIS J. The KeyNote Trust-Management System Version2[S] . RFC2704 ,IETF , September 1999.
[32] RFC1510. The Kerberos network authentication service(V5)S〕.1993.5
[33] Deperous 著 王锐 等译. 网络最高安全技术指南〔M〕.北京:机械工业出版社,1998.5
[34] William R.Cheswick, StevenM.Bellovin. Firewalls and inter-net security〔M〕.1997.11
[35] Derek A tkins.Internet 网络安全专业参考手册〔M〕.北京:机械工业出版社 1999.3
[36] David M. Martin, Sivaramarkrishnan proceedings of the sympo-sium on network and distributed system security〔DE/OL〕.http//:csis.pace.edu/csis
[37] Comer D E. Internetworking with TCP/IP, Volume I: Principle,Protocols. and Architecture. NJ: Prentice-Hall International Inc..1998
[38] Dcrek ALkins.InLcrneL 网络安全专业参考工册 M}.北京:机械工业出版社 1999.3
[39] Kent SA tkinson R. Security architecture for the internet protocols, Novemberl998 IETF RFC 2401.
[40] Kent S,A tkinson R. IP authentication headers. Novembe r 1998 IETF RFC 2402.
[41] KentS,A thinson R.IP encapsulating security payload (ESP) Novemberl998 IETF RFC 2406
[42] HarkinsD,CarrID. Intenetkey exchangeS Novemberl998, IFTF RFC 2409.
[43] 周巍松.Linux 系统分析与高级编程技术[M].第一版,机械工业出版社,1999
[44]NaganadDoraswamy,DanHarkins.IPSec:新一代因特网安全标准,京京工作室译,机械工业出版社,2000.1
[45]RustyRussell . Linux netfilter Hacking HOW TO .www.netfilter.org,2002.2
[46] 关振胜.公钥基础设施 PKI 与认证机构 CA[M].北京:电子工业出版社.2002.
[47]Zuccherato R. Using A PKI Based Upon Elliptic Curve Cryptography [Z]. http://www.entrust.com, 2003.
[48] Korver B. The Internet IP Security PKI Profile of IKE/ISAKMP and PKIX[Z]. draft-ietf-IPsec-pki-profile-04.txt, IETF Internet Draft:pki4 IPsec, 2004.
[49] The Internet Key Exchange (IKE)[S]. RFC 2409, 1999.
[50] A Traffic-based Method of Detecting Dead Internet Key Exchange (IKE)Peers[S]. RFC 3706, 2004.
[51] Karnik Neeran. Security in Mobile Agent Systems. PhD dissertation. University of Minnesota,1998: 89-90
[52] 周艳,虚拟现实与教育,开放教育研究,2000 年第 3 期
[53] 董剑安,王永刚,吴秋峰.iptables 防火墙的研究与实现[J],计算机工程与应用,2003, 39(17): 161 一 164
[54] 刘华,颜国正,丁国清.在 linux 下用 iptables 建立防火墙的方法[J],计算机工程,2003,29 (10): 129-131
[55] 张惠卿,严峰,沈金龙.在 linux 下用 iptables 构建防火墙[J],中国数据通信,2002,4(8): 55-58
[56] 唐宁,金连莆,陈平.基于 Linux 的最新防火墙技术的研究[J],计算机应用研究,2002 ,12: 76-78
[57] 陈五友,刘万里,尹治本.利用 Netfilter 构建防火墙[J],通信技术,2003,1:113-115
[58] 姚晓宇,赵晨,Linux 内核防火墙 Netfilter 实现与应用研究,计算机工程,2003年 5 月,第 29 卷第 8 期,112-113 页