Research and Implementation of a Small Embedded Security Gateway
Abstract
The openness of the Linux source code and its ready availability have greatly advanced research into security technology on embedded Linux platforms and the development of related security products. This thesis studies firewall technology and distributed denial-of-service (DDoS) defense on an embedded Linux platform, and describes the design and implementation of a small embedded security gateway that integrates basic packet filtering, stateful inspection, network address translation (NAT), logging and denial-of-service defense, supports several Internet access modes, and provides a demilitarized zone (DMZ) interface. The thesis first presents embedded technology, focusing on how to customize an embedded Linux operating system. It then examines the Netfilter framework in the Linux kernel in depth, extracting its key data structures and packet-processing flow to understand how the Linux kernel firewall framework is implemented. On that basis, a stateful inspection module is added to the kernel's existing packet filtering mechanism; by making full use of per-connection state information, dynamic packet filtering based on stateful inspection is built, and source NAT and destination NAT are implemented on top of that state tracking. The two techniques used by current mainstream firewalls, basic packet filtering and stateful inspection, are analyzed: the former is fast but leaves security holes, while the latter is more secure but is limited by physical memory and may not cope with a large number of users. The dynamic packet filtering implemented in this work combines the strengths of both: it extracts more information, simplifies the security rules to a degree, closes the security holes, and retains a fast processing speed. The thesis also analyzes the shortcomings of firewalls in resisting denial-of-service attacks and designs a defense system capable of resisting common attacks; the SYN flood defense algorithm is analyzed and improved, strengthening the gateway's resistance to SYN flooding. The efficiency and security of the firewall script are analyzed, and the actual test process and the solutions to the problems encountered are given. Testing shows that the filtering rule set meets the requirements of high security and flexibility and implements the intended security policy.
In this thesis, we study the customization of embedded Linux, a firewall based on embedded Linux, and the defense against Distributed Denial of Service (DDoS) attacks. We present a miniature embedded security gateway that supports several modes of connection to the Internet and integrates several advanced firewall technologies, such as packet filtering, stateful inspection, logging and network address translation. The openness of its source code and the convenient usability of embedded Linux have greatly spurred research into security techniques and the development of security products based on embedded Linux. The development of embedded technology is discussed and the procedure for customizing an embedded Linux system is described. Next, the thesis analyzes how Netfilter, the kernel-level component of the Linux firewall, implements the firewall's functions, and abstracts its important data structures and data flow. Based on this, a stateful-inspection packet filtering system is proposed, in which we add a stateful inspection function to the original packet filtering mechanism of the Linux kernel. Network address translation based on stateful inspection is then implemented. The simple packet filtering mechanism works fast, but it has security problems. Stateful inspection works securely, but it is limited by the size of memory and may not meet the needs of a situation with a large number of visiting clients. Stateful-inspection packet filtering can obtain more security-relevant information, so we can make full use of the advantages of the two firewall technologies and avoid the disadvantages of the original packet filtering system, and the security policy can be simplified. Firewalls have drawbacks in defending against DDoS attacks. Therefore a defense mechanism that meets the requirements and protects against DDoS attacks effectively is designed. In particular, a key detection algorithm for SYN floods is analyzed and improved. Finally, the author tested the firewall script for efficiency and security. The actual test process and the solutions to the problems encountered are presented in detail. The tests prove that this script achieves a high degree of security and flexibility. The expected requirements have been fulfilled.
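The trade-off the abstract describes, in a small simulation: a static rule set has to admit any inbound ACK-flagged packet so that replies get through, while a connection state table closes that hole but is bounded by memory. This is an added example, not code from the thesis; the packet trace, the network prefix and the table size are constructed for illustration.

```python
"""Stateless vs. stateful TCP filtering on a constructed packet trace."""
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."   # protected network (constructed for this example)
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # TCP flags as letters, e.g. "S", "SA", "A"

def stateless_filter(pkt: Packet) -> bool:
    """Static rules: LAN may initiate, and 'replies' are approximated by the ACK
    flag, so any ACK-flagged packet from outside to any LAN port gets in."""
    return pkt.src.startswith(LAN_PREFIX) or "A" in pkt.flags

class StatefulFilter:
    """Dynamic filter: remember outbound flows, admit only their replies."""
    def __init__(self, max_entries: int) -> None:
        self.max_entries = max_entries  # stands in for the state table's RAM bound
        self.table: set[tuple] = set()

    def filter(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.src.startswith(LAN_PREFIX):
            return rev in self.table        # inbound only for a tracked flow
        if fwd in self.table:
            return True                     # more outbound traffic on a flow
        if pkt.flags != "S":
            return False                    # outbound non-SYN with no state
        if len(self.table) >= self.max_entries:
            return False                    # table full: new flow refused
        self.table.add(fwd)
        return True

# Constructed trace: LAN-initiated connection and its reply, an unsolicited
# ACK from outside aimed at an internal SSH port, then a second LAN connection.
TRACE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, "S"),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, "SA"),
    Packet("198.51.100.7", 1234, "192.168.1.10", 22, "A"),
    Packet("192.168.1.11", 40001, "203.0.113.5", 80, "S"),
]

def run_trace(decide) -> list[bool]:
    """Apply a filter to TRACE in order; True means the packet is accepted."""
    return [decide(p) for p in TRACE]
```

Running `run_trace` with `stateless_filter` accepts the unsolicited ACK, while `StatefulFilter(1).filter` drops it but also refuses the second legitimate connection once its one-entry table is full.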