Design of an Embedded Firewall Based on the IXP425 Network Processor
Abstract
The Internet has entered a new era and is becoming part of everyday life, but the security problems it brings are growing just as fast and can no longer be ignored. Embedded platforms, being secure, efficient and low-cost, are now widely used in many fields, and network security is one of them.
     Traditional antivirus software relies on a huge signature database to defend and protect the computer. With the sharp rise in the number and variety of viruses in recent years that database has swollen enormously, and its updates never keep pace with the spread of the viruses themselves, so this style of network defence shows serious shortcomings.
     Most domestic hardware firewalls are built on the Intel x86 architecture, whose own limitations prevent any breakthrough in performance. Firewalls accelerated by dedicated ASIC hardware clearly raise throughput, but they are inflexible to upgrade, maintain and extend, and their development is costly and slow.
     A network processor combines the programmability of a general-purpose processor with the advantages of an ASIC. It is a processor designed specifically for handling network traffic in network equipment: its architecture and instruction set are optimised for the packet-filtering, forwarding and related algorithms and operations that a firewall performs, so it can execute the common operations of the TCP/IP stack efficiently and process network traffic quickly and concurrently.
     This thesis presents a firewall that combines a network processor with embedded Linux. It adopts a default packet policy of denying everything and explicitly allowing only selected packets through, which yields a packet-filtering firewall that protects the internal network to a large degree. After a thorough analysis of the IXP425 hardware development platform, Redboot was customised as the boot loader and a trimmed Linux 2.4 kernel was adopted as the operating system, giving the upper-layer software a stable and reliable base. The Linux kernel's firewall framework was studied in depth to master how it is implemented, and on a hardware platform integrating the IXP425 network processor an embedded firewall with basic packet-filtering functions was implemented, together with a user-friendly graphical configuration interface through which users can configure the firewall in real time and add their own rules.
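The default-deny policy described above, written out as an iptables script of the kind that runs on a Linux 2.4 netfilter kernel. This is an added example, not the thesis's own ruleset. It assumes a two-interface gateway with the LAN on eth0 (192.168.1.0/24) and the WAN on eth1, that the firewall itself offers the LAN only SSH (TCP 22) and the web configuration interface (TCP 80), and that the state, limit and LOG netfilter modules are available; the interface names, addresses, ports, chain name and function names are all assumptions. Setting IPT=echo prints the rules instead of applying them, which is how a configuration front end can dry-run a user's rule before committing it.

```shell
#!/bin/sh
# Added example: default-deny packet filter for a two-interface embedded gateway.
# Assumptions (not from the thesis): LAN on eth0 (192.168.1.0/24), WAN on eth1,
# management services SSH (22) and the web configuration UI (80) reachable from
# the LAN only. Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_firewall() {
    # Start from a clean slate so the script can be re-run safely.
    $IPT -F
    $IPT -X
    $IPT -N USER_IN     # chain that holds the user's own allow rules

    # Default policy: anything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback is needed by local daemons (web UI, DNS client, ...).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Anti-spoofing: a packet with a LAN source address must never arrive on the WAN side.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Stateful rules: replies to connections that were allowed out are let back in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # Management of the firewall itself, from the LAN only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # LAN hosts may open new connections to the outside; nothing new is forwarded inbound.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # User-defined inbound allows are consulted here, i.e. after the spoof and state checks.
    $IPT -A INPUT -i "$WAN_IF" -j USER_IN

    # Log (rate-limited) what is about to fall through to the DROP policy.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-FWD: "
}

# Add one user-defined rule: allow a service on the WAN side. Arguments: proto port.
# Input is validated so that a value taken from a web form cannot smuggle extra
# iptables arguments into the command line.
allow_wan_service() {
    proto="$1"
    port="$2"
    case "$proto" in
        tcp|udp) ;;
        *) echo "allow_wan_service: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "allow_wan_service: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "allow_wan_service: port out of range" >&2
        return 1
    fi
    $IPT -A USER_IN -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
}

# Command-line entry points: "apply" loads the base ruleset, "allow PROTO PORT" adds a rule.
case "${1:-}" in
    apply) apply_firewall ;;
    allow) allow_wan_service "$2" "$3" ;;
esac
```

User-added rules live in their own chain (USER_IN) that the base ruleset jumps to just before the logging rule, so a rule added later still sits after the anti-spoofing and state checks and before the drop. The validation in allow_wan_service is what stands between a web form field and the iptables command line; without it a port value such as "443 -j ACCEPT" would widen the rule.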