Research and Implementation of an SMTP Transparent Proxy Server for Security Isolation
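Abstract
With the widespread use of e-mail, companies and enterprises increasingly exchange mail with the outside world from their internal networks through SMTP proxy servers. While enjoying the benefits, people must also face the security challenges that e-mail brings. How to effectively prevent virus intrusion and how to effectively prevent the leakage of confidential information are drawing growing attention, and a safe and reliable mechanism is urgently needed to safeguard the secure operation of internal mail systems. Network isolation technology emerged in response: it effectively isolates internal and external networks and ensures the secure transfer of data between them. This thesis studies in depth the technology of an SMTP transparent proxy server for security isolation, and focuses on one of its key technologies, the thread pool.
     The thesis first introduces the technologies related to SMTP transparent proxying for security isolation, analyzes the advantages of transparent proxies, and proposes the overall architecture, components and main functions of a transparent proxy server for security isolation.
     Second, the key technologies in the transparent proxy server, transparent mode and concurrent application service, are studied in depth. Current multithreading techniques are summarized and analyzed, and a new thread pool technique, the expanded thread pool, is proposed. Formal analysis of the expanded thread pool shows that, compared with traditional thread pool techniques, it achieves higher throughput while satisfying concurrent connections, and better meets the performance requirements of a proxy server.
     Then the thesis studies the implementation of the SMTP transparent proxy server for security isolation, focusing on its concrete implementation flow, configuration management module, access control module, protocol parsing module, content filtering module and log audit module, and implements a prototype system on this basis.
     Finally, the function and performance of the system are tested. The test results demonstrate the effectiveness of the SMTP transparent proxy server technology for security isolation, and directions for further research are outlined.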
With the wider use of e-mail, communication between enterprises and the outside world by e-mail exchanged through SMTP proxy servers has become more and more frequent. People face security challenges while they enjoy the benefits. How to effectively prevent virus attacks and how to effectively prevent the leakage of secrets are receiving more and more attention. There is an urgent need to establish a safe and reliable mechanism to protect the safe operation of the internal mail system. Network isolation technology has emerged, which effectively isolates the inside network from the outside network and ensures the security of network data transmission. In this paper, the SMTP transparent proxy server for security isolation is studied in depth, with emphasis on one of its key technologies, the thread pool.
     Firstly, the technologies of the SMTP transparent proxy server for security isolation are introduced. The merits of the transparent proxy are analyzed, and then the architecture, constitution and main functions of the SMTP transparent proxy server for security isolation are proposed.
     Secondly, the paper studies the transparent model and concurrent application server technology in depth, analyzes current multithreading technology, and then proposes a new thread pool technology: the expanded thread pool. Formal analysis of the expanded thread pool indicates that the technology achieves higher throughput while fulfilling the need for concurrent connections, and performs better than traditional thread pool technologies.
     Then, the implementation of the transparent proxy server for security isolation is studied. The paper discusses in particular its concrete realization flow, configuration management module, access control module, protocol processing module, content filtering module and audit log module. A prototype system has been implemented.
     Finally, the function and performance of the prototype system are tested and the results are analyzed. Further research on the existing basis is also discussed.
