基于状态检测的个人防火墙系统
摘要
随着Internet的迅速发展,网络安全问题引起了人们的高度关注,防火墙技术成为目前应用最为广泛的一种网络安全技术。传统防火墙对每个流经的数据包进行规则检查,效率较低。基于状态检测技术的防火墙只在建立时进行规则检测,后续的连接只进行状态检测,从而大大提高了防火墙系统的工作效率。
本文介绍了防火墙技术的发展历史及研究现状,阐述了三种典型的防火墙技术,探讨了Windows环境下的数据包截获技术。在此基础上,设计并实现了一个基于状态检测的个人防火墙系统。
该防火墙系统具有如下特点:
1.通过上层协议(TCP、UDP、ICMP)的动态连接,以关联的IP数据流的观点来处理数据包,若IP包属于某个已建立的连接,则直接“越过”协议栈中的规则检测,从而提高了系统效率。
2.采用NDIS (Network Driver Interface Specification)中间层驱动程序技术来截获进出主机的数据包,截获效果好,从而有效的保护了主机系统。
3.实现防御SYN攻击的机制。动态调控TCP的连接时间,当状态表的记录数达到上限时,删除状态表中的半连接记录,从而避免遭受SYN攻击。
4.以源地址、目的地址、源端口、目的端口作为UDP包的状态信息,从而实现了对无连接的UDP包进行状态检测。
最后,对设计的防火墙系统进行了测试,测试内容包括:协议过滤测试、端口扫描测试、功能测试和传输速度测试。测试结果表明,该防火墙系统比传统的包过滤防火墙在安全性和效率上有着明显的优势。
With the development of Internet, information security problem is paid more and more attention,the firewall technology becomes the most popular network security technology at the present time. The traditional firewalls have to implement the rule inspection for every passing packet, which strongly influences their efficiency. While the Stateful Inspection Firewall enjoys high efficiency because the firewall based on the state inspection technology only implements the rule inspection at the beginning of the connection construction, and carries on the state inspection in the following connection.
This thesis introduces the history and the present situation of the firewall technology, expounds three typical firewall technologies, discusses packet capture technology in the Windows environment, and finally designs and implements a PC firewall system based on the state inspection.
This firewall system has the following characters:
1.Process packets according to the dynamic connection of higher layer protocol(TCP、UDP、ICMP) and the viewpoints of the related IP data flow so that to improve the efficiency. If the IP packet belongs to the connection that has been set up, it can directly surmount the rule inspection in the protocol stack.
2.Adopt the technology of NDIS intermediate driver to capture the packets going into and out from the host and the capturing result is so good that the host system is effectively protected.
3.Realize a mechanism to defend the SYN attack. This mechanism can dynamically control the connecting time of TCP. When the items in the state table reach the maximum limit, half-connection items is deleted to avoid the SYN attack.
4.Take source address, destination address, source port, and destination port as the state information of UDP packet so that to realize the state inspection toward the connectionless UDP packet.
Finally, test this PC Stateful Inspection Firewall system,which includes protocol filter testing, port scan testing, function testing, and transmission rate testing, and the results show that this PC Stateful Inspection Firewall enjoys more distinct advantages than the traditional packet filter firewall in efficiency and security.
本文介绍了防火墙技术的发展历史及研究现状,阐述了三种典型的防火墙技术,探讨了Windows环境下的数据包截获技术。在此基础上,设计并实现了一个基于状态检测的个人防火墙系统。
该防火墙系统具有如下特点:
1.通过上层协议(TCP、UDP、ICMP)的动态连接,以关联的IP数据流的观点来处理数据包,若IP包属于某个已建立的连接,则直接“越过”协议栈中的规则检测,从而提高了系统效率。
2.采用NDIS (Network Driver Interface Specification)中间层驱动程序技术来截获进出主机的数据包,截获效果好,从而有效的保护了主机系统。
3.实现防御SYN攻击的机制。动态调控TCP的连接时间,当状态表的记录数达到上限时,删除状态表中的半连接记录,从而避免遭受SYN攻击。
4.以源地址、目的地址、源端口、目的端口作为UDP包的状态信息,从而实现了对无连接的UDP包进行状态检测。
最后,对设计的防火墙系统进行了测试,测试内容包括:协议过滤测试、端口扫描测试、功能测试和传输速度测试。测试结果表明,该防火墙系统比传统的包过滤防火墙在安全性和效率上有着明显的优势。
With the development of Internet, information security problem is paid more and more attention,the firewall technology becomes the most popular network security technology at the present time. The traditional firewalls have to implement the rule inspection for every passing packet, which strongly influences their efficiency. While the Stateful Inspection Firewall enjoys high efficiency because the firewall based on the state inspection technology only implements the rule inspection at the beginning of the connection construction, and carries on the state inspection in the following connection.
This thesis introduces the history and the present situation of the firewall technology, expounds three typical firewall technologies, discusses packet capture technology in the Windows environment, and finally designs and implements a PC firewall system based on the state inspection.
This firewall system has the following characters:
1.Process packets according to the dynamic connection of higher layer protocol(TCP、UDP、ICMP) and the viewpoints of the related IP data flow so that to improve the efficiency. If the IP packet belongs to the connection that has been set up, it can directly surmount the rule inspection in the protocol stack.
2.Adopt the technology of NDIS intermediate driver to capture the packets going into and out from the host and the capturing result is so good that the host system is effectively protected.
3.Realize a mechanism to defend the SYN attack. This mechanism can dynamically control the connecting time of TCP. When the items in the state table reach the maximum limit, half-connection items is deleted to avoid the SYN attack.
4.Take source address, destination address, source port, and destination port as the state information of UDP packet so that to realize the state inspection toward the connectionless UDP packet.
Finally, test this PC Stateful Inspection Firewall system,which includes protocol filter testing, port scan testing, function testing, and transmission rate testing, and the results show that this PC Stateful Inspection Firewall enjoys more distinct advantages than the traditional packet filter firewall in efficiency and security.
引文
[1]王胜文.防火墙技术的研究与探讨[J].哈尔滨理工大学学报,1998.3:78-81
[2]王文蔚.协议分析及其在网络管理中的应用[J].信息技术与信息化,2009.02:31-32
[3](美)HareC, SiyanK著,Internet防火墙与网络安全[M].北京机械工业出版社,1998.5
[4]冯运波.防火墙技术的演变[J].计算机安安全,2005.5:13-15
[5]张熹.计算机网络病毒[J].网络与信息,2008.05:27
[6]陈君霖.新技术下的网络安全[J].应用与安全,2009.06:46-47
[7]周祥.浅析防火墙技术及应用[J].广西农业机械化,2005.06:34-37
[8]周曦.浅析校网网安全问题及对策[J].电脑知识与技术,2008.8:1941-1942
[9]李兵.计算机局域网的安全性研究[J].计算机安全,2007.11:53-58
[10]汪贵生,夏阳.计算机安全漏洞分类研究[J].计算机安全,2008.11:68-72
[11]原符,卿斯汉.在IP包过滤中状TCP包的过滤研究与设计[J].计算机工程与应用,2002.07:162-164
[12]马新,黄羿,李丹宁.可信计算发展研究[J].计算机应用,2009.04:920-923
[13]谢希仁.计算机网络(第二版)[M].电子工业出版社
[14]杨富国,吕志军.网络设备安全与防火墙[M].清华大学出版社,2005:82-86
[15]李月欠.漫谈防火墙的选择[J].中国数字电视,2008.09:68-69
[16]王家业,荆继武,朱森存.包过滤防火墙的安全研究[J].计算机科学,1999
[17]王家玲,基于HTTP的网络数据包还原技术研究[J].计算机技术与发展,2007.06:176-178
[18]陈家庆,刘俊,张大方.网络安全管理系统的生存性建模与分析方法[J].计算机应用,2007.12:2947-2950
[19]刘云峰.三种常见防火墙实现技术之对比与研究[J].山西科技,2007.06:43-44
[20]阎慧,王伟,宁宇鹏.防火墙原理与技术[M].机械工业出版社,2004:45-52
[21]秦勇.一种基于QoS度量的Pareto并行路由寻优方法[J].计算机学报,2009.3:463-472
[22]施伟,陈国辉.Windows个人防火墙的设计和实现[J].辽宁工程技术大学学报,2004.2:65-67
[23]金敏.基于NDIS的Windows主机防火墙的构建研究[J].科技信息,2008.08:193-195
[24]张政.Windows NT环境下网卡冗余热备的研究与设计[J].兰州交通大学学报,2009.01:75-78
[25]朱雁辉,朱雁冰.防火墙与网络封包截获技术[M].电子工业出版社,2002
[26]高志伟,毛晚堆,贾玉锋.基于的多级过滤防火墙系统设计与实现[J].计算机系统应用,2004.8:23-26
[27]严鹏,曾文方,于小红.个人防火墙系统的设计与实现[J].应用技术,2001.5:33-35
[28]武安河.windows设备驱动程序(Vxd与wDM)开发实务[M].电子工业出版社,2001:95-103
[29](美)Chris Cant, windows WDM设备驱动程序开发指南[M].机械工业出版社,2001:361-364
[30]王树华,周利华.基于Windows 2000平台的防火墙技术研究与实现[J].微机发展,2004.5:78-80
[31]郭兴阳,高蜂,唐朝京.一种NDIS中间层数据包过滤方法[J].计算机工程,2004.9:102-104
[32]孙少波,许元飞.Windows下个人防火墙设计与实现[J].西安联合大学学报,2003.10:81-83
[33]徐格,吴建平,徐明伟.高等计算机网络一体系结构、协议机制、算法设计与路由器技术[M].机械工业出版社,2003:235-241
[34]Walter Oney. Programming the Windows Driver Model[S]. Microsoft Press,1999
[35]陈幼雷,王张宜.个人防火墙技术的研究与探讨[J].计算机工程与应用,2002.08:136-139
[2]王文蔚.协议分析及其在网络管理中的应用[J].信息技术与信息化,2009.02:31-32
[3](美)HareC, SiyanK著,Internet防火墙与网络安全[M].北京机械工业出版社,1998.5
[4]冯运波.防火墙技术的演变[J].计算机安安全,2005.5:13-15
[5]张熹.计算机网络病毒[J].网络与信息,2008.05:27
[6]陈君霖.新技术下的网络安全[J].应用与安全,2009.06:46-47
[7]周祥.浅析防火墙技术及应用[J].广西农业机械化,2005.06:34-37
[8]周曦.浅析校网网安全问题及对策[J].电脑知识与技术,2008.8:1941-1942
[9]李兵.计算机局域网的安全性研究[J].计算机安全,2007.11:53-58
[10]汪贵生,夏阳.计算机安全漏洞分类研究[J].计算机安全,2008.11:68-72
[11]原符,卿斯汉.在IP包过滤中状TCP包的过滤研究与设计[J].计算机工程与应用,2002.07:162-164
[12]马新,黄羿,李丹宁.可信计算发展研究[J].计算机应用,2009.04:920-923
[13]谢希仁.计算机网络(第二版)[M].电子工业出版社
[14]杨富国,吕志军.网络设备安全与防火墙[M].清华大学出版社,2005:82-86
[15]李月欠.漫谈防火墙的选择[J].中国数字电视,2008.09:68-69
[16]王家业,荆继武,朱森存.包过滤防火墙的安全研究[J].计算机科学,1999
[17]王家玲,基于HTTP的网络数据包还原技术研究[J].计算机技术与发展,2007.06:176-178
[18]陈家庆,刘俊,张大方.网络安全管理系统的生存性建模与分析方法[J].计算机应用,2007.12:2947-2950
[19]刘云峰.三种常见防火墙实现技术之对比与研究[J].山西科技,2007.06:43-44
[20]阎慧,王伟,宁宇鹏.防火墙原理与技术[M].机械工业出版社,2004:45-52
[21]秦勇.一种基于QoS度量的Pareto并行路由寻优方法[J].计算机学报,2009.3:463-472
[22]施伟,陈国辉.Windows个人防火墙的设计和实现[J].辽宁工程技术大学学报,2004.2:65-67
[23]金敏.基于NDIS的Windows主机防火墙的构建研究[J].科技信息,2008.08:193-195
[24]张政.Windows NT环境下网卡冗余热备的研究与设计[J].兰州交通大学学报,2009.01:75-78
[25]朱雁辉,朱雁冰.防火墙与网络封包截获技术[M].电子工业出版社,2002
[26]高志伟,毛晚堆,贾玉锋.基于的多级过滤防火墙系统设计与实现[J].计算机系统应用,2004.8:23-26
[27]严鹏,曾文方,于小红.个人防火墙系统的设计与实现[J].应用技术,2001.5:33-35
[28]武安河.windows设备驱动程序(Vxd与wDM)开发实务[M].电子工业出版社,2001:95-103
[29](美)Chris Cant, windows WDM设备驱动程序开发指南[M].机械工业出版社,2001:361-364
[30]王树华,周利华.基于Windows 2000平台的防火墙技术研究与实现[J].微机发展,2004.5:78-80
[31]郭兴阳,高蜂,唐朝京.一种NDIS中间层数据包过滤方法[J].计算机工程,2004.9:102-104
[32]孙少波,许元飞.Windows下个人防火墙设计与实现[J].西安联合大学学报,2003.10:81-83
[33]徐格,吴建平,徐明伟.高等计算机网络一体系结构、协议机制、算法设计与路由器技术[M].机械工业出版社,2003:235-241
[34]Walter Oney. Programming the Windows Driver Model[S]. Microsoft Press,1999
[35]陈幼雷,王张宜.个人防火墙技术的研究与探讨[J].计算机工程与应用,2002.08:136-139