Research on Protocol-Controlled Security Switch Technology
Abstract
Security switch technology aims to solve the increasingly complex security problems of internal networks. A notable problem of the internal network in which a security switch sits is that the link-layer protocol is not controllable, so that any network access that follows the standard protocol is legitimate at the level of the underlying mechanism. This thesis first surveys security switch architectures and the security strategies they adopt, then proposes a new architecture for a protocol-controlled security switch system and, on that basis, the security strategies it adopts: protocol control with dynamic switching, autonomous hardware encryption of all data fields in transit, and hardware data filtering based on packet headers and user-defined fields. Together these greatly improve the security of the internal network.
As the key technology supporting this architecture, we propose the secret LAN protocol SLAN, based on transformation of the framing format and of the CRC check method. We build an FSM model of SLAN, describe the protocol both in natural language and formally, and simulate it in hardware. The simulation results show that SLAN supports both dynamic switching and static configuration, and that its flexible framing and secure protocol update strategy substantially strengthen data link layer security in the internal network. We also analyse protocol performance metrics such as the frame processing delay in each protocol state and the effect of unsynchronised protocol switching on the packet loss rate.
The security switch firewall is another security enhancement point of this architecture. Building on a study of packet filtering and stateful inspection firewall techniques, we address the limitation that traditional packet filters inspect only packet header fields by proposing a hardware packet filtering strategy based on both packet headers and user-defined data fields; and we address the weakness that some stateful inspection firewalls cannot change the Timeout value of state table entries dynamically by proposing an improved stateful inspection firewall model with a priority-based "aging" algorithm that controls how fast state entries age, in order to contain denial of service attacks such as UDP floods. Using this algorithm together with the parameters of the NetScreen25 firewall, we simulated a denial of service scenario in which, every 100 seconds, the number of packets per unit time increases by 100, for a total simulation time of 300 seconds. The results show that the algorithm effectively bounds the number of state table entries and achieves dynamic control of denial of service attacks.
Finally, we design and implement the core components of the protocol-controlled security switch system: the security control chip and the security network adapter chip. We integrate the chip modules as a SOPC, simulate the chip functions and evaluate their performance.
Security switch technology aims to tackle the ever more complex security problems within the intra-network. A notable problem is that the data link cannot be controlled; therefore any access that follows the standard Ethernet data link layer protocol is recognised as legitimate. The thesis first summarises the architecture and security strategies of security switches, then proposes a new architecture, the Protocol Controlled Security-switch System (PCSS), together with the strategies it adopts: protocol control and dynamic conversion, hardware-based full-field secure transfer, and hardware data filtering based on the packet header and self-defined data fields.
As the key technology of the PCSS architecture, a data link layer protocol, SLAN, is proposed, based on the transformation of frame fields and on different CRC checking methods. We establish the FSM model of SLAN and describe it in both natural and formal language. Simulation of SLAN shows that it can realise dynamic conversion and static configuration; the flexible SLAN states and the security updating strategy greatly improve the security level of the intra-network. We also analyse the delay in every SLAN state and the packet loss rate caused by asynchronous state conversion.
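The SLAN mechanism described above, modelled in Python as an added example (not the thesis's code): each link-layer state selects a header-field arrangement and a CRC variant, so a receiver in a different state fails the FCS check and drops the frame, which is also the loss caused by unsynchronised state conversion. The two SLAN states, their field orders and their CRC parameters are assumptions; the thesis's actual transforms are not given on this page.

```python
import struct

def crc32(data: bytes, poly: int, init: int, xorout: int) -> int:
    """Reflected CRC-32 with configurable polynomial, initial value and final XOR."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (poly if crc & 1 else 0)
    return (crc ^ xorout) & 0xFFFFFFFF

# Link-layer states: standard Ethernet plus two assumed SLAN states. Each state
# fixes the order of the (dst, src, type) header fields and the CRC parameters.
STATES = {
    "ETH":   dict(order=(0, 1, 2), poly=0xEDB88320, init=0xFFFFFFFF, xorout=0xFFFFFFFF),
    "SLAN1": dict(order=(1, 2, 0), poly=0xEDB88320, init=0x5A5A5A5A, xorout=0x00000000),
    "SLAN2": dict(order=(2, 0, 1), poly=0x82F63B78, init=0xFFFFFFFF, xorout=0xFFFFFFFF),
}
FIELD_LEN = (6, 6, 2)  # byte lengths of dst, src, type

def build_frame(state, dst, src, etype, payload):
    """Sender in `state`: apply that state's field order, then its CRC variant as FCS."""
    cfg = STATES[state]
    fields = (dst, src, struct.pack(">H", etype))
    body = b"".join(fields[i] for i in cfg["order"]) + payload
    fcs = crc32(body, cfg["poly"], cfg["init"], cfg["xorout"])
    return body + struct.pack(">I", fcs)

def parse_frame(state, frame):
    """Receiver in `state`: check FCS with its CRC variant, undo the field order; None = dropped."""
    cfg = STATES[state]
    body, fcs = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    if crc32(body, cfg["poly"], cfg["init"], cfg["xorout"]) != fcs:
        return None
    fields, pos = [b""] * 3, 0
    for i in cfg["order"]:
        fields[i] = body[pos:pos + FIELD_LEN[i]]
        pos += FIELD_LEN[i]
    return fields[0], fields[1], struct.unpack(">H", fields[2])[0], body[pos:]

def switch_loss(n_frames, sender_switch_at, receiver_switch_at):
    """Frames dropped when sender and receiver switch SLAN1 -> SLAN2 at different indices."""
    dst, src, dropped = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02", 0
    for i in range(n_frames):
        tx = "SLAN2" if i >= sender_switch_at else "SLAN1"
        rx = "SLAN2" if i >= receiver_switch_at else "SLAN1"
        if parse_frame(rx, build_frame(tx, dst, src, 0x0800, b"pkt%d" % i)) is None:
            dropped += 1
    return dropped
```

A frame built in the standard Ethernet state is rejected by a port in either SLAN state, which is the sense in which standard-conforming access stops being legitimate "at the underlying mechanism"; the switch_loss function reproduces the loss window of an unsynchronised state change.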
The firewall of the security switch is the intensifier of PCSS. We studied packet filtering and stateful inspection firewalls. To address the limitation of traditional packet filtering firewalls, which filter packets only on their headers, a new hardware-based self-defined data field filtering strategy is proposed; to address the weakness of some stateful inspection firewalls whose timeout parameter cannot be changed, a Priority Aging algorithm is put forward to counter Denial of Service attacks such as UDP-Flood. Referring to the parameters of the NetScreen25 firewall, we simulated a DoS attack scenario in which the attack rate increased by 100 packets every 100 seconds, with a total simulation time of 300 seconds. The result shows that the algorithm effectively controls the number of entries and handles the DoS attack.
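The priority-aging idea in the paragraph above, as an added Python simulation (not the thesis's algorithm, which this page does not detail): the effective timeout of a state entry shrinks with table load, fastest for unanswered UDP entries and not at all for established ones, and the constructed scenario follows the text's ramp of 100 packets per 100 seconds over 300 seconds. The table size, base timeout, priority classes, scaling rule and legitimate traffic rate are assumptions, not NetScreen25 parameters.

```python
class StateTable:
    """Firewall state table. priority: 0 = unanswered UDP (attack-like),
    1 = outbound, awaiting reply, 2 = established (reply seen). With
    priority_aging, low-priority entries age faster as the table fills."""
    def __init__(self, capacity, base_timeout, priority_aging):
        self.capacity, self.base_timeout = capacity, base_timeout
        self.priority_aging = priority_aging
        self.entries = {}  # key -> (priority, last_seen)

    def timeout_for(self, priority):
        if not self.priority_aging:
            return self.base_timeout  # classic fixed Timeout value
        load = len(self.entries) / self.capacity
        # Assumed rule: timeout shrinks linearly with load, steepest for priority 0
        # and unchanged for priority 2; never below 1 second.
        return max(1, int(self.base_timeout * (1 - load * (2 - priority) / 2)))

    def age(self, now):
        """Expire entries idle longer than their priority-dependent timeout."""
        tmo = {p: self.timeout_for(p) for p in range(3)}
        for key in [k for k, (p, seen) in self.entries.items() if now - seen > tmo[p]]:
            del self.entries[key]

    def insert(self, now, key, priority):
        """Refresh an existing entry (promoting its priority) or add a new one;
        returns False when the table is full and the flow is refused."""
        if key in self.entries:
            self.entries[key] = (max(priority, self.entries[key][0]), now)
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[key] = (priority, now)
        return True

def simulate(priority_aging, capacity=8000, base_timeout=60, seconds=300):
    """Constructed scenario: spoofed UDP flows start at 100/s and rise by 100/s
    every 100 s; 20 legitimate established flows/s run alongside.
    Returns (peak table size, number of legitimate flows refused)."""
    table = StateTable(capacity, base_timeout, priority_aging)
    peak = refused = 0
    for t in range(seconds):
        table.age(t)
        for i in range(100 * (1 + t // 100)):      # 100/s, then 200/s, then 300/s
            table.insert(t, ("udp", t, i), 0)      # unique spoofed source each time
        for i in range(20):
            if not table.insert(t, ("legit", t, i), 2):
                refused += 1
        peak = max(peak, len(table.entries))
    return peak, refused
```

With the fixed timeout the table saturates at capacity and legitimate flows are refused; with priority aging the unanswered UDP entries expire faster as load rises, the table stays below capacity and no legitimate flow is refused.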
Finally, we designed and realised the core of PCSS: the Security Control Chip for the security switch and the Security Adapter Chip for the security adapter. Using SOPC technology we integrated the chip modules, then simulated and evaluated the chips.