基于负载均衡机制的防火墙技术研究与实现
摘要
网络安全始终是计算机科学技术领域引人注目的重大研究课题。防火墙作为互联网络安全必需的基础设备,其技术在过去近十年里经历了不断的完善和更新。在对防火墙一直追求的安全、灵活、可用等性能指标中,高可用性始终是防火墙技术发展的主要方向。
本文作者以国家“十五”科技攻关项目:“银行信息系统安全保密平台”的子课题——“基于负载均衡机制的防火墙技术研究”为背景,开展了大量的研发工作,在理论和实践方面都获得了很大收益。
结合实际课题,论文概要论述了防火墙的基本概念、特点、分类、关键技术及其发展。按照把负载均衡机制用于防火墙的策略,探讨了负载均衡的概念、传输链路聚合、交换技术,并参照防火墙系统的体系结构,详细介绍了LVS集群策略和各种均衡算法。
论文进而从设计目标出发,根据作者在项目研发中所取得的成果,全面阐述了设计思路,系统平台的构建,采用的核心技术,并以此为基础深入讨论了服务负载均衡模块和双机热备份模块的设计和实现方法,其中包括DNAT技术、LC(最少连接)算法、心跳检测技术、同步配置策略。
尽管加入服务负载均衡模块和双击热备份模块大大提高了防火墙系统的性能,但没改变防火墙单点接入的现状。为了更好地改善整个系统性能,在分布式防火墙和防火墙集群的基础上,论文给出了防火墙集群系统的开发原型,指出了可能存在的问题、实现的难点及未来的研究方向。
Network security was an important issue in Computer Science. Firewall, as the basic structure on the network security, have improved and updated in the recent ten years. In the characters of firewall, such as security, flexibility and availability, high availability is a target in the future of firewall.
Research of loading balance on firewall is a sub-project of researching and implementing on the security platform of banking information system, a key state-level technology development project in the Tenth Five Year Plan period. Based on this project, we do lots of research, thus benefit from both theory and practice.
In this paper, we gave the definition, character, class, key technology of firewall and its development. According to loading balance on firewall, we described loading balance's conception, transport link polymerization, exchange technology, especially LVS cluster and balance algorithms.
From the design object of this sub-project, we expound the design thinking, system structure and core technology. And based on this, we address the design and method of Servers Loading Balance module and Hot Standby module, including DNAT, LC algorithms, heartbeat inspection, and synchronization policy.
Although we have improved performance of firewall using modules of Servers Loading Balance and Hot Standby, we can't settle single entry point of firewall. In order to more improve firewall performance, after researching and analyzing distributed firewall and firewall cluster, we present the development prototype of firewall cluster system,
difficulties.
At last, we summarize of our design and purpose the development direction of future
firewall.
本文作者以国家“十五”科技攻关项目:“银行信息系统安全保密平台”的子课题——“基于负载均衡机制的防火墙技术研究”为背景,开展了大量的研发工作,在理论和实践方面都获得了很大收益。
结合实际课题,论文概要论述了防火墙的基本概念、特点、分类、关键技术及其发展。按照把负载均衡机制用于防火墙的策略,探讨了负载均衡的概念、传输链路聚合、交换技术,并参照防火墙系统的体系结构,详细介绍了LVS集群策略和各种均衡算法。
论文进而从设计目标出发,根据作者在项目研发中所取得的成果,全面阐述了设计思路,系统平台的构建,采用的核心技术,并以此为基础深入讨论了服务负载均衡模块和双机热备份模块的设计和实现方法,其中包括DNAT技术、LC(最少连接)算法、心跳检测技术、同步配置策略。
尽管加入服务负载均衡模块和双击热备份模块大大提高了防火墙系统的性能,但没改变防火墙单点接入的现状。为了更好地改善整个系统性能,在分布式防火墙和防火墙集群的基础上,论文给出了防火墙集群系统的开发原型,指出了可能存在的问题、实现的难点及未来的研究方向。
Network security was an important issue in Computer Science. Firewall, as the basic structure on the network security, have improved and updated in the recent ten years. In the characters of firewall, such as security, flexibility and availability, high availability is a target in the future of firewall.
Research of loading balance on firewall is a sub-project of researching and implementing on the security platform of banking information system, a key state-level technology development project in the Tenth Five Year Plan period. Based on this project, we do lots of research, thus benefit from both theory and practice.
In this paper, we gave the definition, character, class, key technology of firewall and its development. According to loading balance on firewall, we described loading balance's conception, transport link polymerization, exchange technology, especially LVS cluster and balance algorithms.
From the design object of this sub-project, we expound the design thinking, system structure and core technology. And based on this, we address the design and method of Servers Loading Balance module and Hot Standby module, including DNAT, LC algorithms, heartbeat inspection, and synchronization policy.
Although we have improved performance of firewall using modules of Servers Loading Balance and Hot Standby, we can't settle single entry point of firewall. In order to more improve firewall performance, after researching and analyzing distributed firewall and firewall cluster, we present the development prototype of firewall cluster system,
difficulties.
At last, we summarize of our design and purpose the development direction of future
firewall.
引文
[1] 楚狂:网络安全与防火墙技术,人民邮电出版社,P1-4,P190-225,2000 年4月
[2] 博嘉科技:《Linux防火墙技术探秘》,国防工业出版社,P301-307,2002年10月
[3] Terry William Ogletree著,李之棠等译:防火墙原理与实施,电子工业出版社,2001.2
[4] 杨辉,吴昊:《防火墙-网络安全解决方案》,国防工业出版社,P33-36,2001年9月
[5] NAT 原理及其注意事项,http://www.net130.com/netbass/Route/r120602.htm
[6] Bradner,S.: The Internet Standards Process-Revision 3, BCP 9, RFC2026, October 1996
[7] Egevang, K. and P. Francis: The IP Network Address Translator, RFC1631, May 1994
[8] 黄登玺:基于负载均衡地防病毒防火墙地设计和实现,P1-4,2002年5月
[9] Jie Wu(美).高传善等译:分布式系统设计[M],机械工业出版社,2001.
[10] 刘皓:负载均衡技术概览,http://www.ccidnet.com/tech/network/2001/04/30/network/2001/04/30/58_2105.html,2001.
[11] 谢军安:Quidway S8016的内容交换技术,华为技术报,第148期,2002.07.10
[12] LinuxAid: 多层负载平衡之四,2002.08.23 http://www.neweasier.com/article/2002-08-23/1030092170.html
[13] Rajkumar B: High Performance Cluster Computing. Architectures and Systems, Vol1, Prentice Hall PTR, 2000
[14] 章文嵩:Linux服务器集群系统(一), http://www-900.ibm.com/developerWorks/cn/linux/cluster/lvs/part1/index.htm
[15] J.H. Howard. An Overview of the Andrew File System. In Proceedings of the USENIX Winter Technical Conference, Dallas, TX, USA, February 1998.
[16] Kenneth W. Preslan, Andrew P. Barry, Jonathan E. Brassow, Grant M. Erickson, Erling Nygaard, Christopher J. Sabol, Steven R. Soltis, David C. Teigland, and Matthew T. O'Keefe: A 64-bit, Shared Disk File System for
Linux. In Proceeding of 16th IEEE Mass Storage Systems Symposium, San Diego, CA, USA. March 15-18,, 1999.
[17] Global File System Website, http://www.globalfilesystem.org.
[18] Coda File System Website, http://www.coda.cs.cmu.edu.
[19] InterMezzo File System Website, http://www.inter-mezzo.org
[20] 胡季敏,雷乃旺:使用动态负载均衡技术的LINUX高性能集群服务器研究,微电脑应用,Vol.17,No.4,2001
[21] 肖钧,庞丽萍:LINUX虚拟服务器WRR调度算法的优化,华中科技大学学报,第二卷 第2期 2001年2月
[22] Zhiruo Cao, Zheng Wang: Performance of Hashing-Based Schemes for Internet Load Balancing, INFOCOM 2000, Volume 1
[23] 吴昕,李之棠:并行防火墙研究,计算机工程与科学,2000年第22卷,第2期
[24] 赵征,马光思:负载均衡在防火墙的应用,西安建筑科技大学学报,2002年第4期
[25] Rusty Russell: Linux 2.4 Packet Filtering HOWTO, Mailing list netfilter@lists.samba.org, vision: 1.22, Date: 2001/11/20
[26] Rusty Russell: Linux netfilter Hacking HOWTO, Mailing list netfilter@lists.samba.org, vision: 1.11, Date:2001/10/31
[27] Paul "Rusty" Russel: a Module for netfilter in Linux Magazine, June 2000 http://www.linux-mag.com/2000-06/gear_01.html
[28] Iptables Tutorial 1.1.16, http://iptables-tutotial.frozentux.net/chunkyhtml/userlandstats.html
[29] Connection tracking, http://www.xinux.de/docs/sicherheit/firewall/iptables/connect-track
[30] hi xueyong: 项目开发计划,2000年3月15日
[31] 用iptables实现NAT,http://LinuxAid.com.cn
[32] 蒙杨:高安全等级防火墙核心技术研究、设计与实现,2001年6月
[33] Bellovin S M.: Distributed Firewalls, login: magazine, special issue on security. November 1999
[34] Wei Li: Distributed Firewall, http://www.cs.helsinki.fi/u/asokan/distsec/documents/li.ps.gz,2000
[35] 赵征:分布式防火墙技术与实现,2002年全国开放式分布与并行计算学术会议论文集,华中科技大学出版社,2002
[36] S.Loannidis and A.D.Keromytis.: Implementing a Distributed Firewall, http://www.cis.upenn.edu/, 2000
[37] Daniel Wan: Distributed Firewall, http://www.sans.org/rr/firewall/dist.php May 28, 2001
①生成树协议——STP STP(SpanningT reep Protocol)能够提供路径冗余,使用STP可以使两个终端中只有一条有效路径。STP在大的网络中定义了一个树,并且迫使一定的备份路径处于备用状态。如果生成树中的网络一部分不可达,或者STP值变化了,生成树算法会重新计算生成树拓扑,并且通过启动备份路径来重新建立连接。STP操作对于终端来说是透明的,而不管终端连在LAN的某一部分或者多个部分。当创建网络时,网络中所有节点存在多条路径。生成树中的算法计算出最佳路径。因为每个VLAN是一个逻辑LAN部分,所以网管员能使STP—次工作在最多64个VLAN中。如果要配置超过64个VLAN,网管员需要将其他VLAN的STP禁止,因为默认的STP可以支持1-64个VLAN。
[2] 博嘉科技:《Linux防火墙技术探秘》,国防工业出版社,P301-307,2002年10月
[3] Terry William Ogletree著,李之棠等译:防火墙原理与实施,电子工业出版社,2001.2
[4] 杨辉,吴昊:《防火墙-网络安全解决方案》,国防工业出版社,P33-36,2001年9月
[5] NAT 原理及其注意事项,http://www.net130.com/netbass/Route/r120602.htm
[6] Bradner,S.: The Internet Standards Process-Revision 3, BCP 9, RFC2026, October 1996
[7] Egevang, K. and P. Francis: The IP Network Address Translator, RFC1631, May 1994
[8] 黄登玺:基于负载均衡地防病毒防火墙地设计和实现,P1-4,2002年5月
[9] Jie Wu(美).高传善等译:分布式系统设计[M],机械工业出版社,2001.
[10] 刘皓:负载均衡技术概览,http://www.ccidnet.com/tech/network/2001/04/30/network/2001/04/30/58_2105.html,2001.
[11] 谢军安:Quidway S8016的内容交换技术,华为技术报,第148期,2002.07.10
[12] LinuxAid: 多层负载平衡之四,2002.08.23 http://www.neweasier.com/article/2002-08-23/1030092170.html
[13] Rajkumar B: High Performance Cluster Computing. Architectures and Systems, Vol1, Prentice Hall PTR, 2000
[14] 章文嵩:Linux服务器集群系统(一), http://www-900.ibm.com/developerWorks/cn/linux/cluster/lvs/part1/index.htm
[15] J.H. Howard. An Overview of the Andrew File System. In Proceedings of the USENIX Winter Technical Conference, Dallas, TX, USA, February 1998.
[16] Kenneth W. Preslan, Andrew P. Barry, Jonathan E. Brassow, Grant M. Erickson, Erling Nygaard, Christopher J. Sabol, Steven R. Soltis, David C. Teigland, and Matthew T. O'Keefe: A 64-bit, Shared Disk File System for
Linux. In Proceeding of 16th IEEE Mass Storage Systems Symposium, San Diego, CA, USA. March 15-18,, 1999.
[17] Global File System Website, http://www.globalfilesystem.org.
[18] Coda File System Website, http://www.coda.cs.cmu.edu.
[19] InterMezzo File System Website, http://www.inter-mezzo.org
[20] 胡季敏,雷乃旺:使用动态负载均衡技术的LINUX高性能集群服务器研究,微电脑应用,Vol.17,No.4,2001
[21] 肖钧,庞丽萍:LINUX虚拟服务器WRR调度算法的优化,华中科技大学学报,第二卷 第2期 2001年2月
[22] Zhiruo Cao, Zheng Wang: Performance of Hashing-Based Schemes for Internet Load Balancing, INFOCOM 2000, Volume 1
[23] 吴昕,李之棠:并行防火墙研究,计算机工程与科学,2000年第22卷,第2期
[24] 赵征,马光思:负载均衡在防火墙的应用,西安建筑科技大学学报,2002年第4期
[25] Rusty Russell: Linux 2.4 Packet Filtering HOWTO, Mailing list netfilter@lists.samba.org, vision: 1.22, Date: 2001/11/20
[26] Rusty Russell: Linux netfilter Hacking HOWTO, Mailing list netfilter@lists.samba.org, vision: 1.11, Date:2001/10/31
[27] Paul "Rusty" Russel: a Module for netfilter in Linux Magazine, June 2000 http://www.linux-mag.com/2000-06/gear_01.html
[28] Iptables Tutorial 1.1.16, http://iptables-tutotial.frozentux.net/chunkyhtml/userlandstats.html
[29] Connection tracking, http://www.xinux.de/docs/sicherheit/firewall/iptables/connect-track
[30] hi xueyong: 项目开发计划,2000年3月15日
[31] 用iptables实现NAT,http://LinuxAid.com.cn
[32] 蒙杨:高安全等级防火墙核心技术研究、设计与实现,2001年6月
[33] Bellovin S M.: Distributed Firewalls, login: magazine, special issue on security. November 1999
[34] Wei Li: Distributed Firewall, http://www.cs.helsinki.fi/u/asokan/distsec/documents/li.ps.gz,2000
[35] 赵征:分布式防火墙技术与实现,2002年全国开放式分布与并行计算学术会议论文集,华中科技大学出版社,2002
[36] S.Loannidis and A.D.Keromytis.: Implementing a Distributed Firewall, http://www.cis.upenn.edu/, 2000
[37] Daniel Wan: Distributed Firewall, http://www.sans.org/rr/firewall/dist.php May 28, 2001
①生成树协议——STP STP(SpanningT reep Protocol)能够提供路径冗余,使用STP可以使两个终端中只有一条有效路径。STP在大的网络中定义了一个树,并且迫使一定的备份路径处于备用状态。如果生成树中的网络一部分不可达,或者STP值变化了,生成树算法会重新计算生成树拓扑,并且通过启动备份路径来重新建立连接。STP操作对于终端来说是透明的,而不管终端连在LAN的某一部分或者多个部分。当创建网络时,网络中所有节点存在多条路径。生成树中的算法计算出最佳路径。因为每个VLAN是一个逻辑LAN部分,所以网管员能使STP—次工作在最多64个VLAN中。如果要配置超过64个VLAN,网管员需要将其他VLAN的STP禁止,因为默认的STP可以支持1-64个VLAN。