A Linux-Based Distributed Internet Monitor System
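Abstract
Internet applications are growing at an unprecedented rate, yet computer management, network communication, and resource-sharing technologies have not improved at the same pace. Effective means of network security protection are therefore an important topic in information and network security research. Although many kinds of security products exist, they still cannot meet the needs of Internet development.
     The Internet monitor is a new type of network security product. To meet the monitor's real-time and high-efficiency requirements, this paper proposes a design for an Internet network monitor based on the Linux system. The design uses the Linux operating system's multi-process and multi-thread support, together with static and dynamic thread priorities, to improve the real-time performance of the monitoring host, and uses distributed data processing across multiple monitoring hosts to raise system throughput. Experiments show that the monitor is efficient, secure, and highly extensible.
     The whole system uses a layered design with three layers: at the bottom layer, the packet capture and assembly module intercepts Internet packets and assembles them by connection; at the middle layer, the decoding, decompression, and full-text retrieval modules decompress the raw files, restore their encoding, and perform full-text retrieval; at the top layer, the user interface is implemented as a system with a J2EE-based three-tier structure. In addition, authentication and authorization mechanisms are added on the client side, and an SSL-based encryption mechanism is provided.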
Although Internet applications have grown greatly, the technologies for computer management, network communication, and resource sharing have not improved accordingly. Thus, effective methods of protecting network security are an important research task in the network security field. There are several kinds of security products, but they cannot meet the needs of Internet evolution.
    The Internet Monitor System is a new kind of network security product. This paper puts forward a design for an Internet Monitor System based on Linux to meet the demands of real-time operation and high efficiency. The real-time performance of the monitor host is enhanced using the multi-process, multithread, and priority mechanisms provided by Linux. Meanwhile, the performance of the system is improved by distributed data processing based on multiple monitor hosts. Its advantages in efficiency, security, and scalability are verified by experiments.
    The system as a whole adopts a layered design. The main idea is to divide the system into three layers and to set up databases or local files between layers as interfaces. The first layer implements Internet packet interception and assembly by TCP connection; the middle layer decompresses and decodes the raw files and performs full-text retrieval; the upper layer provides the user interface based on a three-tier structure. In addition, authentication and authorization mechanisms are provided on the client side of the system, as well as an encryption mechanism based on SSL.
