IPSec and Its Policies in a Firewall Architecture
Abstract
This thesis adopts a chained structure to describe an overall network security architecture whose principal part is the firewall. It concentrates on combining the network-layer security protocol IPSec with the new stateful inspection firewall and then explores the management of IPSec policies.
First, starting from the shortcomings of traditional firewall solutions, we introduce a discussion of two advanced technologies: network tracking (connection tracking) and stateful inspection.
Network tracking is implemented at the network layer. It creates a connection tracking entry for every network connection and collects security-related information in it; all subsequent packets on that connection are then tracked. Each security mechanism, such as packet filtering, authentication and address translation, has a corresponding interface in the connection tracking entry, so a packet that has passed through the connection tracking module can go directly into the policy checking modules of the individual layers.
Stateful inspection distinguishes application types by service and extracts state information about the communication and the application program. Following the state transitions of the network communication, it continually and dynamically updates the state information in the connection tracking table and, together with predefined rules, enforces the security policy.
Second, the thesis introduces the stateful inspection firewall that uses these two technologies and extends it into a security architecture with that firewall at its core. This leads to another important part of the architecture: network-layer security, IPSec. A complete security solution must provide end-to-end security. However, when IPSec is implemented inside a stateful inspection firewall and combined with connection tracking, some new situations arise.
The third part explains how IPSec fits properly into the stateful inspection firewall. Using a security association chain within the connection tracking entry keeps the handling of IPSec uniform with the other security mechanisms and makes the modules clearer. But to take full advantage of IPSec, standardizing its policy management will necessarily be the direction of further development.
The fourth part covers IPSec policy management. The thesis introduces the concept of "trust management", a policy management model that can be applied generally. It uses a uniform "security policy specification language" to describe an application's security policy. A trust management authority receives an action request written in that language by the application, together with the application's own policy, and performs a compliance check to decide whether the action is allowed and under what conditions. The thesis then analyzes KeyNote, a trust management system that has already been implemented. Studying its design and implementation prepares the ground for adopting this more complete policy model in our firewall architecture in the future.
This chain-structured thesis describes a total network security framework whose principal part is the firewall. It specifically discusses the combination of Internet Protocol Security (IPSec) with the newly developing stateful inspection firewall. Further, it probes into the field of policy management.
The thesis begins with the deficiencies of traditional firewalls and leads to a discussion of two advanced technologies: network tracking and stateful inspection.
Network tracking is implemented at the network layer. It builds a connection tracking control block and a direction control block for every connection and collects security-related information. All subsequent packets are then tracked. Each security mechanism, such as packet filtering, authentication and network address translation, has its interface in the connection tracking control block, through which a passing network packet can enter the policy checking modules directly.
Stateful inspection distinguishes the application type by service and extracts status information about the communication and the application program. Based on the state transitions of the network communication, the stateful inspection module dynamically updates the status information in the connection tracking control block and brings security policies into effect using predetermined rules.
Next, the thesis describes a stateful inspection firewall that uses the above two technologies and extends it into a security framework. This brings in another important part of the framework, IPSec. For an integrated network security solution, end-to-end security is absolutely necessary. But when IPSec is implemented in a stateful inspection firewall and combined with connection tracking, things are different.
The third part answers how IPSec fits into our firewall. The use of a security association chain in connection tracking unifies the management of IPSec with that of the other security mechanisms and thus makes the modular structure clearer. However, to bring the advantages of IPSec fully into play, standardization of its policy management will by all means be the developing trend.
The final part is IPSec policy management. It presents the notion of Trust Management, a meaningful management model worth generalizing. Trust Management uses a uniform "Security Policy Specification Language" to describe security policy. Its organization accepts a query along with policies, both written in that language and submitted by the application, performs compliance checking, and determines whether the action should be allowed. Finally, an implemented trust-management system, KeyNote, is analyzed. Through this we prepare for putting it into our firewall system.
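As an added example that is not part of the thesis or its abstract, the following Python sketch shows the two mechanisms the abstract describes working together: a connection tracking entry created per connection, its state updated from the TCP flags observed on later packets, and a policy evaluated against that state rather than against each packet in isolation. The internal network range, the packet model, the simplified NEW/ESTABLISHED/CLOSED state machine and the `sa_chain`/`nat` slots standing in for the per-mechanism interfaces are all constructed assumptions for illustration, not the thesis's design.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed internal network (constructed for this example).
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model: 4-tuple plus a set of TCP flags."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


@dataclass
class ConnTrack:
    """Connection tracking entry: one per connection, keyed by the original direction."""
    key: tuple
    state: str = "NEW"          # simplified: NEW -> ESTABLISHED -> CLOSED
    packets: int = 0
    # Interface slots other mechanisms attach to (hypothetical stand-ins for
    # the per-mechanism interfaces the abstract mentions: IPSec SA chain, NAT).
    sa_chain: list = field(default_factory=list)
    nat: dict = field(default_factory=dict)


class StatefulFirewall:
    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> ConnTrack

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def _lookup(self, p):
        """Find the entry for this packet and report which direction it travels."""
        k = self._key(p)
        if k in self.table:
            return self.table[k], "original"
        rk = (p.dst, p.dport, p.src, p.sport)
        if rk in self.table:
            return self.table[rk], "reply"
        return None, None

    def process(self, p):
        """Return the verdict for one packet and update the tracking table."""
        entry, direction = self._lookup(p)
        if entry is None:
            # Rule 1: only internal hosts may open a connection, and only with a bare SYN.
            # Anything else without a tracked connection (including an ACK-only probe
            # that a stateless "established" flag check would pass) is dropped.
            if p.flags == frozenset({"SYN"}) and ip_address(p.src) in INTERNAL_NET:
                self.table[self._key(p)] = ConnTrack(key=self._key(p), packets=1)
                return "ACCEPT"
            return "DROP"
        if entry.state == "CLOSED":
            return "DROP"  # Rule 2: nothing rides on a torn-down connection
        # State transitions driven by the observed TCP flags.
        if "RST" in p.flags or "FIN" in p.flags:
            entry.state = "CLOSED"       # the teardown packet itself is allowed through
        elif entry.state == "NEW":
            if direction == "reply" and {"SYN", "ACK"} <= p.flags:
                entry.state = "ESTABLISHED"
            elif direction == "reply" or "SYN" not in p.flags:
                return "DROP"            # Rule 3: in NEW only a SYN-ACK reply or a SYN retransmit fits
        entry.packets += 1
        return "ACCEPT"


def run(fw, packets):
    return [fw.process(p) for p in packets]


def demo():
    """Constructed traffic: one legitimate session plus two unsolicited inbound probes."""
    fw = StatefulFirewall()
    ext, local = "203.0.113.9", "10.1.1.5"
    pkts = [
        Packet(local, 40000, ext, 443, frozenset({"SYN"})),         # outbound SYN -> new entry
        Packet(ext, 443, local, 40000, frozenset({"SYN", "ACK"})),  # handshake reply -> ESTABLISHED
        Packet(local, 40000, ext, 443, frozenset({"ACK"})),         # final ACK
        Packet(ext, 443, local, 40000, frozenset({"ACK"})),         # server data
        Packet(ext, 8080, local, 40001, frozenset({"SYN"})),        # unsolicited inbound SYN
        Packet(ext, 443, local, 40002, frozenset({"ACK"})),         # unsolicited ACK-only probe
        Packet(ext, 443, local, 40000, frozenset({"FIN", "ACK"})),  # teardown -> CLOSED
        Packet(ext, 443, local, 40000, frozenset({"ACK"})),         # packet after close
    ]
    return run(fw, pkts), fw


if __name__ == "__main__":
    verdicts, fw = demo()
    for v in verdicts:
        print(v)
```

The point the example makes is the one the abstract draws: the verdict for a packet depends on the tracked state of its connection, so an inbound packet with plausible-looking flags is dropped unless an internal host opened the connection first, and the same entry is the natural place to hang per-connection data for other mechanisms.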