基于嵌入式系统的安全网关的设计
|
摘要
随着Internet的发展,Internet已经成为人们获取信息的重要手段之一。Internet正不断增强着人类社会的生产力,改变着人类社会的生产方式,也因此Internet成为上个世纪最伟大的人类发明之一。
然而,由于Internet最初的设计初衷并未全面考虑到今天Internet发展的现状,因此在最初设计时,设计人员并没有清楚地意识到网络安全对于今天人们进行网络通信的重要性。目前,随着电子商务和电子政务的提出,网络安全问题已经成为Internet发展的巨大障碍,各国政府、公司和科研机构都加大了对网络安全技术的研究和对网络安全产品的开发。与安全网关相关的技术研究成为各公司和科研单位所热衷的课题之一。国外安全网关的相关技术和产品市场已经相当成熟,而国内在这方面还处在起步阶段,虽然有一些公司提出了一些解决方案,但总体上还处在技术探索阶段,没有成熟的产品。自从国家颁布了一系列有关安全的法律法规以来,网络安全逐渐受到人们的重视,其相关市场也逐渐发展起来。
本文在研究嵌入式系统及安全网关理论与技术的基础上,结合多种网络安全技术,提出了一种嵌入式安全网关的解决方案。该方案不仅具备通常安全网关所使用的防火墙技术、虚拟专用网技术等技术的特点外,还突出体现了结构紧凑、性能稳定、配置方便等嵌入式体系结构的特点。硬件上,本文充分考虑了嵌入式安全网关的应用特点,采用POWERPC同DSP协同工作的双CPU的结构,形成了安全网关的一个特色。我们提出的这种双CPU的结构,很好地解决了网络交换和加解密运算的矛盾,从而大大提高了网关性能。
It's well known that with the rapid development of Internet, internet is turning to be one of the most important instruments of getting information. More and more official network, personal computer and portable equipment have become the knots of the network; therefore it has turned into one of the greatest inventions in the last century.
However, the original design of Internet hasn't considered the importance of the net security. At present with the appearance of the E-commerce and E-government, the security of Internet has become a great barrier in the development of Internet. Governments, companies and research institutions in various countries have strengthened the research and the development of the Internet security products. The research connected with gateway technology is popular nowadays. The correlative technology of security and product market overseas is mature, but in domestic market, we are just in the fundamental phase. Most companies have not developed mature products. Since the legislature has been enacted, the circumstance changed. People pay much more attention to the net security and the home security market gradually developed.
This paper successfully presents a design plan of the embedded security gateway based on the research of the embedded system, concerning the theory and the technology, which not only entails the firewall, the technology of VPN, but also manifests the structure specialties, including the compacted-structure, stable-capability and convenient-configuring. To the hardware, the paper adopts the co-work structure of POWERPC and DSP, forming a conspicuous trait of this security gateway, which has considered the application characteristic of the embedded security gateway.
然而,由于Internet最初的设计初衷并未全面考虑到今天Internet发展的现状,因此在最初设计时,设计人员并没有清楚地意识到网络安全对于今天人们进行网络通信的重要性。目前,随着电子商务和电子政务的提出,网络安全问题已经成为Internet发展的巨大障碍,各国政府、公司和科研机构都加大了对网络安全技术的研究和对网络安全产品的开发。与安全网关相关的技术研究成为各公司和科研单位所热衷的课题之一。国外安全网关的相关技术和产品市场已经相当成熟,而国内在这方面还处在起步阶段,虽然有一些公司提出了一些解决方案,但总体上还处在技术探索阶段,没有成熟的产品。自从国家颁布了一系列有关安全的法律法规以来,网络安全逐渐受到人们的重视,其相关市场也逐渐发展起来。
本文在研究嵌入式系统及安全网关理论与技术的基础上,结合多种网络安全技术,提出了一种嵌入式安全网关的解决方案。该方案不仅具备通常安全网关所使用的防火墙技术、虚拟专用网技术等技术的特点外,还突出体现了结构紧凑、性能稳定、配置方便等嵌入式体系结构的特点。硬件上,本文充分考虑了嵌入式安全网关的应用特点,采用POWERPC同DSP协同工作的双CPU的结构,形成了安全网关的一个特色。我们提出的这种双CPU的结构,很好地解决了网络交换和加解密运算的矛盾,从而大大提高了网关性能。
It's well known that with the rapid development of Internet, internet is turning to be one of the most important instruments of getting information. More and more official network, personal computer and portable equipment have become the knots of the network; therefore it has turned into one of the greatest inventions in the last century.
However, the original design of Internet hasn't considered the importance of the net security. At present with the appearance of the E-commerce and E-government, the security of Internet has become a great barrier in the development of Internet. Governments, companies and research institutions in various countries have strengthened the research and the development of the Internet security products. The research connected with gateway technology is popular nowadays. The correlative technology of security and product market overseas is mature, but in domestic market, we are just in the fundamental phase. Most companies have not developed mature products. Since the legislature has been enacted, the circumstance changed. People pay much more attention to the net security and the home security market gradually developed.
This paper successfully presents a design plan of the embedded security gateway based on the research of the embedded system, concerning the theory and the technology, which not only entails the firewall, the technology of VPN, but also manifests the structure specialties, including the compacted-structure, stable-capability and convenient-configuring. To the hardware, the paper adopts the co-work structure of POWERPC and DSP, forming a conspicuous trait of this security gateway, which has considered the application characteristic of the embedded security gateway.
引文
[1] 中国互联网络发展状况统计报告CNNICh http://www.cnnic.net.cn
[2] 我国网络安全现状及解决途径调查 赛迪顾问 http://it.rising.com.cn
[3] 国家信息安全报告 倪健民主编 http://www.edu.cn/20011011
[4] 我国计算机违法犯罪案件统计 王远 北京晚报 2003年03月06日
[5] 关于维护互联网络安全的决定 全国人大常委会 第九届全国人民代表大会常务委员会第十九次会议
[6] 张耀疆,聚焦黑客 -攻击手段与防护策略,人民邮电出版社,2002年9月
[7] 周学广 刘艺 编著,信息安全学,机械工业出版社,2003年3月
[8] Bruse Schneier,吴世忠 译,应用密码学(协议算法与C源程序),械工业出版社,2000年1月
[9] Andrew.Nash,William Duane,et al.,张玉清 陈建奇 等译,公钥基础设施(PKI)实现和管理电子安全,清华大学出版社,2002年12月
[10] 董玉格 金海 赵振 著,攻击与防护网络安全与实用防护技术,人民邮电出版社,2002年8月
[11] J.Hennessy, "The Future of Systems Research. Computer,", 1999.8,27-33
[12] R.Gupta. "Co-synthesis of Hardware and Software for Digital Embedded systems,",Kluwer Academic Publishers 1995
[13] 王航,嵌入式通信平台的硬件设计与实现,国防科学技术大学研究生院,2002年1月,1-5
[14] http://www.cs.berkeley.edu/pervasive Computing
[15] http://www.ccident.com/~tech
[16] Sorin cotofana, Stephan wang. Embedded processors: Characteristics and Trends
[17] 沈绪榜,计算机的发展与技术,全国第11次微机学术交流会,1998年11月
[18] Embedded Systems Development Trends: Asia Vivek Nanda, Executive Editor Electronic Engineering Times -Asia
[19] 孙正兴 戚鲁 编著,电子政务原理与技术,人民邮电出版社,2003年4月
[20] TeleChoice, "TeleChoice VPN Market Report,", TeleChoice, Inc. http://www.teleChoice.com
[21] 谢华刚,Linux IP防火墙及其原理,国家智能机研发中心,1999.8.30
[22] Sophia.Scoggins,戴浩诈 译,开放式网络和开放系统互联,电子工业出版社,1994年
[23] 李玮,防DoS攻击新技术,微电脑世界,2003年第01期
[24] 常新 编译,使用RADIUS的VPN客户认证,微电脑世界,2001年52期
[25] Rebecca.Gurley.Bace,陈明奇 吴秋新 张振清 杨晓兵译,入侵检测,人民邮电出版社,2001年6月
[26] 海天,防火墙综述,http://www.haitian.com.cn/safety/wall.htm,2002年9月7日
[27] VPN与网络安全 戴宗坤 唐三平 编著 电子工业出版社 2002年9月 10-39,58-64
[28] K.Hamzeh, G.S.Pall, W. Verthein, J. Taarud, and W.A.Little, "Point-to-Point Tunneling Protocol," Internet Draft, IETF, Jul 1997.
[29] J.Lau, M.Townsley, I.Goyret, "Layer Two Tunneling Protocol (Version 3),", Internet Draft, IETF, February 2003
[30] IPSec VPN的安全实施Carlton R.Davis 周永彬等译 清华大学出版社
[31] M.Leech, M.ganis, Y. Lee, R.Kuris,et al., "SOCKS Protocol Version 5,", Internet Draft, IETF, March 1996
[32] Cheswich, William and Steven Bellovin, "Firewalls & Internet Security, Repelling the Wily Hacker," Addison Wesley Professional Computing Series, 1994.
[33] Ioannidis S., A.D.keromytis, S.M.Bellovin and J.M. Smith, "Implementing a Distributed FireWall," Proceedings of Computer and Communications Security (CCS) 2000, pp. 190-199
[34] 郑炜民 汤志忠 编著,计算机系统结构,清华大学出版社,1998年9月,102-124
[35] 马忠梅,马广云,等编著,ARM嵌入式处理器结构与应用基础,北京航空航天大学出版社,2002年1月,1-51
[36] Motorola, "MPC8260 PowerQUICC II~(TM) User's Manual,", Motorola, Inc. http://mot.com/PowerPC
[37] 张雄伟 曹铁勇 编著,DSP芯片的原理与开发应用(第2版),电子工业出版社,2000年9月
[38] M.wahl, T. Howes, S.Kille, "Lightweight Directory Access Protocol(v3),", Internet Draft, IETF, December 1997
[39] Scott, Charlie, Paul Wolfe and Mike Erwin, "Virtual Private Networks," O'Relly & Associates, Inc. 1998.
[40] Prevelakis, Vassilis "A Secure Station for Network Monitoring and Control," The 8th USENIX Security Symposium, Washington, D.C.,USA, August 1999.
[41] 李善平 刘文峰 王焕龙,Linux与嵌入式操作系统,清华大学出版社,2003年1月
[42] damogyz,实时系统的设计,http://www.china-pub.com/computers/emook/wzq/077/info.htm,2003年3月12日
[43] Jean.J.L.Labrosse,邵贝贝译,uC/OS-Ⅱ-源码公开的实时嵌入式操作系统,中国电力出版社2001年8月
[44] Victor Yodaiken, Michael. Barabanov, "A Real-Time Linux,",New Mexico Institute of Technology, http://www.rtlinux.org
[45] QNX, "QNX RTOS v4,",QNX Software Systems, 1td.,www.qnx.com
[46] 灰狐,微内核Microkernel,灰狐动力,http://www.huihoo.com/os/kernel/
[47] Jean J.Labrosse,袁勤勇 黄绍金 唐菁等译,嵌入式系统构件,机械工业出版社
[48] W.Richard Stevens,范建华译,TCP/IP详解 卷1:协议,机械工业出版社,2000年4月
[49] Gary R.Wright,W.Richard Stevens,陆雪莹 蒋 慧 等译,TCP/IP详解 卷2:实现,机械工业出版社,2000年7月
[50] Stubblefield, Adam, John Ioannidis and Aviel D.Rubin, "Using the Fluhrer, Man- itin, and Shamir Attack to Break WEP," Proceedings of the 2002 Network and Distributed System Security Symposium San Diego, California February 2002.
[51] Boscia, Nichole K. and Derek G. Shaw, "Wireless Firewall Gateway White Pa- per," NASA Advanced Supercomputing Division, Moffett Field, CA 94035.
[52] K.Egevang, P. Fancis, "The IP Network Address Translator(NAT),", Internet Draft, IETF, May 1994
[53] Motorola,"MPC8250 PowerQUICC Ⅱ Techical Summary,",Motorola http://motorola.com 2001年11月
[54] Texas Instruments, "TMS320C6202 Fixed-point Digital signal Processor,"Texas Instruments, Inc., SPRS072A, JANUARY 1999
[55] Wind River Systems, Tornado~(TM) BSP Training Workshop, Wind RiverSystems, Inc. 1010 Atlantic Avenue Alameda, CA 94501 http://www.wrs.com/training
[56] 孔祥营 柏桂枝 编著,嵌入式实时操作系统及其开发环境Tornado,中国电力出版社 2002年1月
[57] Wind River Systems, "Network Protocol Toolkit User's Guide 5.4,", Wind River Systems
[58] Carlton R.Davis,周永彬 冯登国 徐震 李德全 等译,IPSec VPN的安全实施,清华大学出版社,2002年1月
[59] 共创软件联盟 基于Linux和IPSec的VPN网关 共创软件联盟http://linuxipsecvpn.cosoft.org.cn
[60] Wind River Systems, "VxWorks Network Programmer's Guide 5.4 ,", Wind River Systems.
[61] Jeff Prosise,北京博彦科技发展有限责任公司译,MFC Windows程序设计第2版,清华大学出版社,2001年9月
[62] 关振胜 编著,公钥基础设施PKI与认证机构CA,电子工业出版社,2002年1月
[2] 我国网络安全现状及解决途径调查 赛迪顾问 http://it.rising.com.cn
[3] 国家信息安全报告 倪健民主编 http://www.edu.cn/20011011
[4] 我国计算机违法犯罪案件统计 王远 北京晚报 2003年03月06日
[5] 关于维护互联网络安全的决定 全国人大常委会 第九届全国人民代表大会常务委员会第十九次会议
[6] 张耀疆,聚焦黑客 -攻击手段与防护策略,人民邮电出版社,2002年9月
[7] 周学广 刘艺 编著,信息安全学,机械工业出版社,2003年3月
[8] Bruse Schneier,吴世忠 译,应用密码学(协议算法与C源程序),械工业出版社,2000年1月
[9] Andrew.Nash,William Duane,et al.,张玉清 陈建奇 等译,公钥基础设施(PKI)实现和管理电子安全,清华大学出版社,2002年12月
[10] 董玉格 金海 赵振 著,攻击与防护网络安全与实用防护技术,人民邮电出版社,2002年8月
[11] J.Hennessy, "The Future of Systems Research. Computer,", 1999.8,27-33
[12] R.Gupta. "Co-synthesis of Hardware and Software for Digital Embedded systems,",Kluwer Academic Publishers 1995
[13] 王航,嵌入式通信平台的硬件设计与实现,国防科学技术大学研究生院,2002年1月,1-5
[14] http://www.cs.berkeley.edu/pervasive Computing
[15] http://www.ccident.com/~tech
[16] Sorin cotofana, Stephan wang. Embedded processors: Characteristics and Trends
[17] 沈绪榜,计算机的发展与技术,全国第11次微机学术交流会,1998年11月
[18] Embedded Systems Development Trends: Asia Vivek Nanda, Executive Editor Electronic Engineering Times -Asia
[19] 孙正兴 戚鲁 编著,电子政务原理与技术,人民邮电出版社,2003年4月
[20] TeleChoice, "TeleChoice VPN Market Report,", TeleChoice, Inc. http://www.teleChoice.com
[21] 谢华刚,Linux IP防火墙及其原理,国家智能机研发中心,1999.8.30
[22] Sophia.Scoggins,戴浩诈 译,开放式网络和开放系统互联,电子工业出版社,1994年
[23] 李玮,防DoS攻击新技术,微电脑世界,2003年第01期
[24] 常新 编译,使用RADIUS的VPN客户认证,微电脑世界,2001年52期
[25] Rebecca.Gurley.Bace,陈明奇 吴秋新 张振清 杨晓兵译,入侵检测,人民邮电出版社,2001年6月
[26] 海天,防火墙综述,http://www.haitian.com.cn/safety/wall.htm,2002年9月7日
[27] VPN与网络安全 戴宗坤 唐三平 编著 电子工业出版社 2002年9月 10-39,58-64
[28] K.Hamzeh, G.S.Pall, W. Verthein, J. Taarud, and W.A.Little, "Point-to-Point Tunneling Protocol," Internet Draft, IETF, Jul 1997.
[29] J.Lau, M.Townsley, I.Goyret, "Layer Two Tunneling Protocol (Version 3),", Internet Draft, IETF, February 2003
[30] IPSec VPN的安全实施Carlton R.Davis 周永彬等译 清华大学出版社
[31] M.Leech, M.ganis, Y. Lee, R.Kuris,et al., "SOCKS Protocol Version 5,", Internet Draft, IETF, March 1996
[32] Cheswich, William and Steven Bellovin, "Firewalls & Internet Security, Repelling the Wily Hacker," Addison Wesley Professional Computing Series, 1994.
[33] Ioannidis S., A.D.keromytis, S.M.Bellovin and J.M. Smith, "Implementing a Distributed FireWall," Proceedings of Computer and Communications Security (CCS) 2000, pp. 190-199
[34] 郑炜民 汤志忠 编著,计算机系统结构,清华大学出版社,1998年9月,102-124
[35] 马忠梅,马广云,等编著,ARM嵌入式处理器结构与应用基础,北京航空航天大学出版社,2002年1月,1-51
[36] Motorola, "MPC8260 PowerQUICC II~(TM) User's Manual,", Motorola, Inc. http://mot.com/PowerPC
[37] 张雄伟 曹铁勇 编著,DSP芯片的原理与开发应用(第2版),电子工业出版社,2000年9月
[38] M.wahl, T. Howes, S.Kille, "Lightweight Directory Access Protocol(v3),", Internet Draft, IETF, December 1997
[39] Scott, Charlie, Paul Wolfe and Mike Erwin, "Virtual Private Networks," O'Relly & Associates, Inc. 1998.
[40] Prevelakis, Vassilis "A Secure Station for Network Monitoring and Control," The 8th USENIX Security Symposium, Washington, D.C.,USA, August 1999.
[41] 李善平 刘文峰 王焕龙,Linux与嵌入式操作系统,清华大学出版社,2003年1月
[42] damogyz,实时系统的设计,http://www.china-pub.com/computers/emook/wzq/077/info.htm,2003年3月12日
[43] Jean.J.L.Labrosse,邵贝贝译,uC/OS-Ⅱ-源码公开的实时嵌入式操作系统,中国电力出版社2001年8月
[44] Victor Yodaiken, Michael. Barabanov, "A Real-Time Linux,",New Mexico Institute of Technology, http://www.rtlinux.org
[45] QNX, "QNX RTOS v4,",QNX Software Systems, 1td.,www.qnx.com
[46] 灰狐,微内核Microkernel,灰狐动力,http://www.huihoo.com/os/kernel/
[47] Jean J.Labrosse,袁勤勇 黄绍金 唐菁等译,嵌入式系统构件,机械工业出版社
[48] W.Richard Stevens,范建华译,TCP/IP详解 卷1:协议,机械工业出版社,2000年4月
[49] Gary R.Wright,W.Richard Stevens,陆雪莹 蒋 慧 等译,TCP/IP详解 卷2:实现,机械工业出版社,2000年7月
[50] Stubblefield, Adam, John Ioannidis and Aviel D.Rubin, "Using the Fluhrer, Man- itin, and Shamir Attack to Break WEP," Proceedings of the 2002 Network and Distributed System Security Symposium San Diego, California February 2002.
[51] Boscia, Nichole K. and Derek G. Shaw, "Wireless Firewall Gateway White Pa- per," NASA Advanced Supercomputing Division, Moffett Field, CA 94035.
[52] K.Egevang, P. Fancis, "The IP Network Address Translator(NAT),", Internet Draft, IETF, May 1994
[53] Motorola,"MPC8250 PowerQUICC Ⅱ Techical Summary,",Motorola http://motorola.com 2001年11月
[54] Texas Instruments, "TMS320C6202 Fixed-point Digital signal Processor,"Texas Instruments, Inc., SPRS072A, JANUARY 1999
[55] Wind River Systems, Tornado~(TM) BSP Training Workshop, Wind RiverSystems, Inc. 1010 Atlantic Avenue Alameda, CA 94501 http://www.wrs.com/training
[56] 孔祥营 柏桂枝 编著,嵌入式实时操作系统及其开发环境Tornado,中国电力出版社 2002年1月
[57] Wind River Systems, "Network Protocol Toolkit User's Guide 5.4,", Wind River Systems
[58] Carlton R.Davis,周永彬 冯登国 徐震 李德全 等译,IPSec VPN的安全实施,清华大学出版社,2002年1月
[59] 共创软件联盟 基于Linux和IPSec的VPN网关 共创软件联盟http://linuxipsecvpn.cosoft.org.cn
[60] Wind River Systems, "VxWorks Network Programmer's Guide 5.4 ,", Wind River Systems.
[61] Jeff Prosise,北京博彦科技发展有限责任公司译,MFC Windows程序设计第2版,清华大学出版社,2001年9月
[62] 关振胜 编著,公钥基础设施PKI与认证机构CA,电子工业出版社,2002年1月