A Packet-Filtering Firewall Based on SPI and NDIS Hooks
Abstract
With the rapid development of network technology, network security has become an increasingly prominent concern. Hackers and viruses inflict enormous losses on Internet users every year, so personal firewalls have great application prospects. Personal firewalls are generally implemented by packet filtering. A packet-filtering firewall is a general-purpose, inexpensive and effective security measure that does not require special handling for each individual network service.

There are many kinds of packet-filtering firewalls. Some filter packets at the application layer, which shortens the development cycle, simplifies implementation, uses little CPU and gives access to detailed process information; but the drawbacks of this approach are equally clear: such a firewall cannot capture every packet, its security is comparatively low, and network efficiency also suffers. Others work at the NDIS layer, where every packet can be filtered and security is better, but working at such a low level lengthens the development cycle.

Drawing on this analysis, the system hooks at both the SPI layer and the NDIS layer, combining the security of the NDIS layer with the design simplicity of the SPI layer. The NDIS layer captures and parses every packet and filters those that do not pass through the SPI layer; the SPI layer filters the packets of applications that communicate through sockets. The system therefore spans four network layers (application, network, transport and link), and the hook mechanism is one of the aspects on which the design must concentrate. By restricting web site access, applications, ICMP and Network Neighborhood access, it protects the data on the user's computer to the greatest possible extent.

Firewalls currently popular on the market tend to emphasize security while falling short in packet-processing speed and system resource usage. For most personal computer users, system response time is, to some degree, more important than data security. This system is highly extensible and fast, and is a firewall that can be relied on.
With the rapid development of network technology, network security has become an increasingly prominent issue. Hackers and viruses cause huge losses to Internet users every year, and personal firewalls have great application prospects. Personal firewalls are generally implemented with packet filtering, a cheap and effective general-purpose technique that needs no special treatment for each individual network service.

Packet-filtering firewalls come in many kinds. Some filter packets at the application layer, which shortens the development cycle and makes implementation easier; such firewalls also use less CPU and can obtain detailed process information. Their weakness is equally obvious: they cannot capture all packets, their security is lower, and they make network usage very inefficient. Others work at the NDIS layer, so they can filter all packets and their security is better, but because they work at a comparatively low layer their development period is longer.

Combining the above analysis, and building on the security of the NDIS layer and the simple design of the SPI layer, this system hooks both layers to implement a firewall. It captures and parses all packets at the NDIS layer, in particular filtering packets that do not pass through the SPI layer, and it filters the packets of socket-based communication at the SPI layer. The system therefore spans four network layers: the application, network, transport and link layers. Sharing memory between them is one of the difficult points that the design must emphasize. By restricting web site visits, applications, ICMP and Network Neighborhood access, it protects the safety of the user's computer data to the greatest degree.

Firewalls currently on the market usually emphasize security but have limitations in packet-processing speed and system resource usage. For the great majority of personal computer users, system response time is, to a certain degree, more important than security. This system has good extensibility and relatively high speed, and it is a firewall that deserves trust.
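As an added illustration (not code from the thesis), the following C program models the per-packet decision the abstract assigns to the NDIS layer: parse the IPv4 header of a raw packet and apply the ICMP and Network Neighborhood restrictions, dropping anything too short to classify. It runs in user space on constructed packets rather than inside an NDIS driver, and the mapping of Network Neighborhood to NetBIOS/SMB ports 137-139 and 445 is an assumption; the SPI-layer (socket) side is not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum verdict { PASS = 0, DROP = 1 };

/* Policy modelled on the abstract's restriction categories; "Network
 * Neighborhood" is assumed here to mean NetBIOS/SMB ports 137-139 and 445. */
struct policy { int block_icmp; int block_netbios; };

/* Verdict for one IPv4 packet (Ethernet header already stripped). Malformed
 * or truncated packets are dropped so nothing bypasses the filter that way. */
enum verdict filter_ipv4(const uint8_t *pkt, size_t len, const struct policy *p)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;          /* IP header length */
    if (ihl < 20 || len < ihl) return DROP;
    uint8_t proto = pkt[9];
    if (proto == 1)                                     /* ICMP */
        return p->block_icmp ? DROP : PASS;
    if (proto == 6 || proto == 17) {                    /* TCP or UDP */
        if (len < ihl + 4) return DROP;                 /* need both ports */
        uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
        if (p->block_netbios && (dport == 445 || (dport >= 137 && dport <= 139)))
            return DROP;
    }
    return PASS;
}

/* Constructed sample: 20-byte IPv4 header plus a 4-byte L4 port stub. */
size_t make_pkt(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 24);
    buf[0] = 0x45;                                      /* version 4, IHL 5 */
    buf[9] = proto;
    buf[22] = (uint8_t)(dport >> 8);
    buf[23] = (uint8_t)dport;
    return 24;
}

/* Verdict for a constructed packet under a block-everything policy;
 * truncate_to > 0 hands the filter only that many leading bytes. */
enum verdict sample_verdict(uint8_t proto, uint16_t dport, size_t truncate_to)
{
    uint8_t buf[24];
    struct policy p = { 1, 1 };
    size_t n = make_pkt(buf, proto, dport);
    return filter_ipv4(buf, (truncate_to && truncate_to < n) ? truncate_to : n, &p);
}
```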
