Research on an Information Security Firewall for PDA Smart Terminals
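Abstract
With the growing popularity of PDAs and other smart terminals and the rapid development of the Internet, browsing the web and shopping online from a mobile phone, PDA or other smart terminal has increasingly become a trend in modern life. While people enjoy the convenience and efficiency the Internet brings, PDA network security problems are becoming increasingly prominent, and installing an information security firewall on PDAs and other smart terminals is the general trend. However, no mature smart-terminal firewall has appeared on the market. The reasons are, on the one hand, that 3G networks have not yet begun operating and, on the other, that embedded development for smart terminals has a certain technical difficulty and is constrained by the available development tools. In view of this, this thesis proposes and designs a PDA firewall for the Windows Mobile operating system. The firewall uses an application-layer packet interception method, that is, it implements the firewall with a Winsock 2 Service Provider Interface (SPI)[1] program. SPI is a new programming interface introduced by the new Windows Sockets (Windows Sockets 2.0). With this technique a layer can be inserted in Socket, making it possible to implement functions such as packet interception, transmission quality control, extension of the TCP/IP protocol stack, URL filtering and network security control.
This thesis first discusses the operating systems of PDA smart terminals and firewall technology, covering the significance of the research and the state of research at home and abroad, and then introduces the security problems PDAs face and suitable solutions. It then introduces the technologies and platform relevant to the information security firewall, focusing on three firewall packet interception techniques; after a detailed analysis and comparison of SPI, TDI and NDIS, SPI is chosen for intercepting packets in view of the PDA's own characteristics. On this basis, the thesis describes in detail the overall framework of the firewall software, and subsequent chapters set out the design and implementation of each functional module. Finally, improvements to the system are proposed on the basis of system testing and analysis.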
Thanks to the rapid innovation in intelligent handheld communication technologies for PDAs and in the World Wide Web, cutting-edge applications such as handheld web browsing and online shopping are leading people towards a much more flexible and interesting future and let them enjoy the fast and convenient services the World Wide Web brings. At the same time, because of the emerging network security risks, it is a clear industry trend for protection such as an information security firewall to be installed on handheld terminals. Unfortunately, mature network information firewalls for intelligent handheld terminals are not yet seen on the market, for the reasons below:
1. The 3G network has not yet been commercially launched;
2. Developing embedded applications for intelligent handheld terminals is still a difficult task, limited by the related development tools.
For these reasons, this dissertation proposes a firewall solution for Windows Mobile based PDAs. The firewall application adopts packet capture at the application layer, using the Winsock 2 SPI[1] (Service Provider Interface) to implement the network firewall. SPI is a new programming interface introduced by Windows Sockets 2.0; with it, programmers can insert a new layer in Socket, which enables functions such as packet capture, transmission quality control, extension of the TCP/IP protocol stack, URL filtering and network security control.
This dissertation ranges from the significance of the research to the current state of research worldwide. It starts from intelligent handheld terminal operating systems and firewall technology, and introduces the network information security issues of PDAs and the corresponding solution. The platform and technology of the information security firewall design are also introduced and, as this is a dedicated application for PDAs, SPI-based packet capture is adopted after in-depth analysis and comparison of SPI, TDI and NDIS, considering the unique features of PDAs. On this basis, the dissertation discusses the infrastructure and general architecture of the firewall application, and the design and implementation of each functional module are set out in separate chapters. Finally, an optimized solution for the application is given on the basis of careful system testing and analysis.
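References
[1] 蒋东兴, 林鄂华. Windows Sockets Network Programming Guide [M]. Tsinghua University Press, 1995.
[2] 田东风. Windows CE Application Programming [M]. Beijing: China Machine Press, 2003.10.
[3] 何宗键. Windows CE Embedded Systems [M]. Beijing: Beihang University Press, 2006.9.
[4] 楚狂 et al. Network Security and Firewalls [M]. Posts & Telecom Press, 2000.
[5] 朱雁辉. Windows Firewalls and Network Packet Interception Techniques [M]. Beijing: Publishing House of Electronics Industry, 2002.7.
[6] William Stallings. Operating Systems: Internals and Design Principles. Translated by 魏迎梅, 王涌 et al. 4th ed. Publishing House of Electronics Industry, 2001.
[7] Rolf Oppliger. Internet security: Firewalls and beyond. Communications of the ACM, 1997, 40(5): 92-102.
[8] Joel Scambray, Stuart McClure, George Kurtz. Hacking Exposed: Network Security Secrets and Solutions [M]. Translated by 钟向群, 杨继张 et al. 2nd ed. Tsinghua University Press, 2002.
[9] Fratto Mike. APPLICATION-LEVEL FIREWALLS: Smaller Net, Tighter Filter. Network Computing, 2003, 14(5): 57-64.
[10] 王岩梅, 顾训镶. Research on Network Packet Filtering Techniques in Standalone Firewall Systems [J]. Computer Engineering, 2001, 27(11).
[11] Carlton R. Davis. IPSec: Secure Implementation of VPNs. Translated by 周永彬, 冯登国 et al. Tsinghua University Press, 2002.
[12] 朱琳杰, 刘东红, 王海涛. Windows 9X/NT/2000 Registry Usage and Programming Guide [M]. Publishing House of Electronics Industry, 2000.
[13] Douglas E. Comer. Internetworking with TCP/IP [M]. Translated by 林瑶, 蒋慧 et al. Publishing House of Electronics Industry, 1999.
[14] Microsoft Corporation. Windows 2000 Server Resource Kit [M], Vol. 3, TCP/IP Core Networking. Translated by 前导工作室. China Machine Press, 2001.
[15] Smith Robert N, Yu Chen, Bhattacharya Sourav. Cascade of Distributed and Cooperating Firewalls in a Secure Data Network. IEEE Transactions on Knowledge & Data Engineering, 2003, 15(5): 1307-1316.
[16] 施炜 et al. Windows Sockets Specification and Applications [M]. Publishing House of Electronics Industry, 1997.
[17] 昌明, 欧阳昆 et al. Inside Windows 98/2000 Registry Technology [M]. Posts & Telecom Press, 2001.
[18] Monitoring Ethernet Network Activity With NDIS Drivers - Whitepaper. http://www.cswl.com/whiteppr/white/ethernet.htm
[19] Relatori, Candidato, Ing. Mario Baldi Loris, Degioanni. Development of an Architecture for Packet Capture and Network Traffic Analysis. 2000.
[20] Berman, Stuart. The Death of a Firewall. Network Magazine, 2005, 20(6): 88-89.
[21] Frolick, Mark N. A NEW WEBMASTER'S GUIDE TO FIREWALLS AND SECURITY. 2003, 20(1): 29-35.
[22] Venezia Paul. Building a Better Firewall. InfoWorld, 2003, 25(31): 40-42.
[23] Miastkowski Stan. Bulletproof Your PC With a Software Firewall. PC World, 2003, 21(8): 158-159.
[24] Bruce Eckel. Thinking in C++ [M]. Translated by 刘宗 et al. China Machine Press, 2000.
[25] 张力. Advanced Visual C++ Programming [M]. Posts & Telecom Press, 2002.
[26] 蔡宝忠, 彭吉敏. Visual C++ Programming in Depth [M]. China Electric Power Press, 2001.
[27] David J. Kruglinski, Scot Wingo et al. Inside Visual C++ 6.0 [M]. Translated by 希望图书创作室. Beijing Hope Electronic Press, 1999.
[28] Anthony Jones, Jim Ohlund. Windows Network Programming Techniques [M]. China Machine Press, 2000.
[29] Petzold Charles. Programming Windows [M]. Translated by 北京博彦科技发展有限公司. 5th ed. Peking University Press, 1999.
[30] Prosise Jeff. Programming Windows with MFC [M]. Translated by 北京博彦科技发展有限公司. 2nd ed. Tsinghua University Press, 2001.
[31] Windows Network Data and Packet Filtering. http://www.ndis.com
[32] Gilmer, Brad. Firewalls and security. Broadcast Engineering, 2001, 43(8): 36-38.
[33] 贾晶. Security and Confidentiality of Information Systems [M]. Tsinghua University Press, 1999.
[34] H Debar, M Dacier, A Wespi. Towards a taxonomy of Intrusion-detection System. Computer Networks, 1999, 31(8): 805-822.
[35] William R. Cheswick. Firewalls and Internet Security [M]. Translated by 戴宇坤. China Machine Press, 2000.
[36] Munro Jay. COMMUNICATION PROTECTOR: FIREWALLS. PC Magazine, 2003, 22(17): 87-89.
[37] Terry William Ogletree. Firewall Principles and Implementation [M]. Translated by 李之棠, 李伟明, 陈琳 et al. Publishing House of Electronics Industry, 2001.
[38] 杨义先 et al. Network Information Security and Confidentiality [M]. Beijing University of Posts and Telecommunications Press, 2001.
[39] Shipley, Greg. FIREWALL BLOWOUT. Network Computing, 2005, 16(8): 39-53.
[40] 顾巧论, 蔡振山, 贾春福. Computer Network Security [M]. Science Press, 2003.
[41] 王睿, 林海波 et al. Network Security and Firewall Technology [M]. Tsinghua University Press, 2000.
[42] 戴英侠, 连一峰, 王航. System Security and Intrusion Detection [M]. Tsinghua University Press, 2002.
[43] 唐正军 et al. Design and Implementation of Network Intrusion Detection Systems [M]. Publishing House of Electronics Industry, 2002.
[44] Dacier M, Jackson K. Intrusion detection. Computer Networks, 1999, 31(23): 2433-2434.
[45] Verwoerd Theuns, Hunt Ray. Security architecture testing using IDS - a case study. Computer Communications, 2002, 25(15): 1402-1413.
[46] 聂元铭, 丘平. Network Information Security Technology [M]. Science Press, 2001.
[47] Douglas E. Comer. Computer networks and internets [M]. Beijing: Tsinghua University Press, 1998.
[48] 习杨波. Network Security Theory and Applications [M]. Publishing House of Electronics Industry, 2002.
[49] Marcus Goncalves. Firewall Technology Guide [M]. Translated by 宋书民, 朱智强, 徐开勇 et al. China Machine Press, 2000.
[50] 颜友宁. .NET Compact Framework Mobile Development Guide [M]. Beijing: Tsinghua University Press, 2006.11.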