分布式防火墙及安全联动技术研究与实现
摘要
网络信息安全的意识已被各方接受和认同,防火墙、入侵检测、防病毒、安全审计等安全技术已经得到了广泛的应用。在此基础上,如何构建一个动态的、全方位的安全防护体系,成为网络安全中研究的热点。
本文把研究重点放在了分布式防火墙和安全联动技术的研究上,研究以分布式防火墙为中心,构建开放式安全联动框架,将防火墙嵌入到已有的网络平台,实施安全联动交换协议,为其他安全产品提供一个开放的、通用的、可扩展的安全框架,实现全方位的网络安全系统。
本文选题来源于国家高技术研究发展计划(国家863计划)资助项目“网络协同安全技术研究”,并作为已完成的国家高技术研究发展计划资助项目“黑客监控技术研究”的进一步深入研究。
首先,本文研究了现有的分布式防火墙关键技术和系统模型,确立了本文分布式防火墙系统的设计目标;其次分析了目前的安全联动技术,提出了本文安全联动的设计目标;然后构建了开放式安全联动框架,主要包括安全联动交换协议和安全联动信息交换格式;最后,本文完成了分布式防火墙的设计,并给出了关键组件策略执行组件和安全联动管理组件的软件实现方案。
The importance of network information security has already been widely recognized. Meanwhile, diverse security technologies such as firewall, intrusion detection, anti-virus and security audit have been widely applied. Based on the facts above, how to constructure a dynamic and comprehensive security protection system, becomes hot in the area of network security.
This paper focuses on the research on distributed firewall technology and security interaction technology. A comprehensive network security system is achieved, which regards distributed firewall (DFW) as the center and constructures an open security interaction framework (OSIF). An open, general and scalable security framework for other security products is provided by OSIF, which fixes the firewall into existing network platform, and sets out Security Interaction Exchange Protocol (SIEP).
This paper is supported by the National "High Technology Research and Development Program of China (863 Program), Network Cooperative Security Technology Research, and is a further research for Hacker Monitoring Technology Research (863 Program).
First, the distributed firewall technologies and system models are introduced, and a plan of the distributed firewall is established. Secondly, the Security Interaction technologies are discussed, and a solution to security interaciton is given. Meanwhile, open security interaciton framework is presented, which includes the design of security interaction exchange protocol and definition of security interaction message exchange format (SIMEF). In the end, this paper gives detailed descriptions of the design of DFW, implemention of policy perform module (PPM) and security interaction manage module (SIMM).
本文把研究重点放在了分布式防火墙和安全联动技术的研究上,研究以分布式防火墙为中心,构建开放式安全联动框架,将防火墙嵌入到已有的网络平台,实施安全联动交换协议,为其他安全产品提供一个开放的、通用的、可扩展的安全框架,实现全方位的网络安全系统。
本文选题来源于国家高技术研究发展计划(国家863计划)资助项目“网络协同安全技术研究”,并作为已完成的国家高技术研究发展计划资助项目“黑客监控技术研究”的进一步深入研究。
首先,本文研究了现有的分布式防火墙关键技术和系统模型,确立了本文分布式防火墙系统的设计目标;其次分析了目前的安全联动技术,提出了本文安全联动的设计目标;然后构建了开放式安全联动框架,主要包括安全联动交换协议和安全联动信息交换格式;最后,本文完成了分布式防火墙的设计,并给出了关键组件策略执行组件和安全联动管理组件的软件实现方案。
The importance of network information security has already been widely recognized. Meanwhile, diverse security technologies such as firewall, intrusion detection, anti-virus and security audit have been widely applied. Based on the facts above, how to constructure a dynamic and comprehensive security protection system, becomes hot in the area of network security.
This paper focuses on the research on distributed firewall technology and security interaction technology. A comprehensive network security system is achieved, which regards distributed firewall (DFW) as the center and constructures an open security interaction framework (OSIF). An open, general and scalable security framework for other security products is provided by OSIF, which fixes the firewall into existing network platform, and sets out Security Interaction Exchange Protocol (SIEP).
This paper is supported by the National "High Technology Research and Development Program of China (863 Program), Network Cooperative Security Technology Research, and is a further research for Hacker Monitoring Technology Research (863 Program).
First, the distributed firewall technologies and system models are introduced, and a plan of the distributed firewall is established. Secondly, the Security Interaction technologies are discussed, and a solution to security interaciton is given. Meanwhile, open security interaciton framework is presented, which includes the design of security interaction exchange protocol and definition of security interaction message exchange format (SIMEF). In the end, this paper gives detailed descriptions of the design of DFW, implemention of policy perform module (PPM) and security interaction manage module (SIMM).
引文
[1] Valerie heveille, Sarvang Shah, CCSE NG:Check Point Certified Security Expert Study Guide. Sybex, January, 2003
[2] Justin Menga, CCSA NG: Check Point Certified Security Administrator Study Guide. Sybex, February, 2003
[3] Marshall T. Rose, BEEP: The Definitive Guide. O'Reilly, April 2002
[4] The Blocks Extensible Exchange Protocol Core. RFC 3080
[5] draft-ietf-idwg-iap-O5, txt, Internet draft
[6] B.S. Feinstein, G.A. Matthews, J.C.C. White, The Intrusion Detection Exchange Protocol (IDXP). October, 2002.
[7] draft-ietf-idwg-beep-idxp-07, txt, Internet draft
[8] draft-ietf-idwg-idmef-xml-10, txt,Internet draft
[9] Steve M. Bellovin, Distributed Firewalls. http://www.research.att.com/smb/papers/distfw.html
[10] Sotiris loannidis, Angelos D. Keromytis, Steve M. Bellovin,Imple-menting a Distributed Firewall. http://www.securecomputing.com/pdf/dist-firewall-arch.pdf
[11] http://neteye.neusoft.com/Docs/News/html/20011019171037426/html file/20011019171037426.html
[12] http://www. yesky.com/Serverfndex/77131870331994112/20030331/1660268. shtml
[13] http://shanghai.ccw. com. cn/application/2OOlO9/OgO3_01.asp
[14] http://www.ccw. com. cn/htm/net/seminar/O1 12 252. asp
[15] http://www.checkpoint.com. cn/c-o.htm
[16] 阙喜戎,孙锐等,信息安全原理及应用.清华大学出版社,2003.07
[17] 陈春玲等,分布式防火墙的原理、实现及应用.南京邮电学院学报,2002.04
[18] 怀文杰,分布式防火墙的研究、设计和实现.合肥工业大学硕士论文,2002.6
[19] 廉育功,联动防火墙——立体防护体系的新手段.中国信息导报,2002.07
[20] 郑利平,开放式通用网络安全防护联动模型的研究.,2003.05
[21] 史以兵,Windows NT环境下NAT的设计与实现.计算机应用研究,2002.02
[22] 杨毅坚、肖德尘,基于Keberos认证的分布式防火墙.小型微型计算机系统,2001.06
[23] 齐忠厚,Kerberos协议原理及应用.计算机工程与科学,2002.05
[24] 杨毅坚、肖德宝,基于Agent的分布式防火墙.数据通信,2001.02
[25] 李卫等,联动网络安全系统的实现.信息安全与通信保密,2002.02
[2] Justin Menga, CCSA NG: Check Point Certified Security Administrator Study Guide. Sybex, February, 2003
[3] Marshall T. Rose, BEEP: The Definitive Guide. O'Reilly, April 2002
[4] The Blocks Extensible Exchange Protocol Core. RFC 3080
[5] draft-ietf-idwg-iap-O5, txt, Internet draft
[6] B.S. Feinstein, G.A. Matthews, J.C.C. White, The Intrusion Detection Exchange Protocol (IDXP). October, 2002.
[7] draft-ietf-idwg-beep-idxp-07, txt, Internet draft
[8] draft-ietf-idwg-idmef-xml-10, txt,Internet draft
[9] Steve M. Bellovin, Distributed Firewalls. http://www.research.att.com/smb/papers/distfw.html
[10] Sotiris loannidis, Angelos D. Keromytis, Steve M. Bellovin,Imple-menting a Distributed Firewall. http://www.securecomputing.com/pdf/dist-firewall-arch.pdf
[11] http://neteye.neusoft.com/Docs/News/html/20011019171037426/html file/20011019171037426.html
[12] http://www. yesky.com/Serverfndex/77131870331994112/20030331/1660268. shtml
[13] http://shanghai.ccw. com. cn/application/2OOlO9/OgO3_01.asp
[14] http://www.ccw. com. cn/htm/net/seminar/O1 12 252. asp
[15] http://www.checkpoint.com. cn/c-o.htm
[16] 阙喜戎,孙锐等,信息安全原理及应用.清华大学出版社,2003.07
[17] 陈春玲等,分布式防火墙的原理、实现及应用.南京邮电学院学报,2002.04
[18] 怀文杰,分布式防火墙的研究、设计和实现.合肥工业大学硕士论文,2002.6
[19] 廉育功,联动防火墙——立体防护体系的新手段.中国信息导报,2002.07
[20] 郑利平,开放式通用网络安全防护联动模型的研究.,2003.05
[21] 史以兵,Windows NT环境下NAT的设计与实现.计算机应用研究,2002.02
[22] 杨毅坚、肖德尘,基于Keberos认证的分布式防火墙.小型微型计算机系统,2001.06
[23] 齐忠厚,Kerberos协议原理及应用.计算机工程与科学,2002.05
[24] 杨毅坚、肖德宝,基于Agent的分布式防火墙.数据通信,2001.02
[25] 李卫等,联动网络安全系统的实现.信息安全与通信保密,2002.02