Research and Design of a Stateful Inspection Firewall
Abstract

Network information security is receiving ever more attention from the individuals and companies that live and work in the networked information society, and it now touches every aspect of social life. Building secure and reliable information networks makes research into security technology, and its application in design, both necessary and urgent. The openness of the embedded Linux source code and its convenient availability have greatly advanced research into embedded-Linux-based security technology and the development of related security products. This thesis studies the stateful inspection (connection tracking) mechanism of the embedded Linux platform and how that mechanism can be used to implement a dynamic NAT firewall.

Traditional firewalls such as packet-filtering firewalls and application-gateway firewalls are gradually failing to meet new network security requirements, so firewalls based on stateful inspection have become a research focus in network security. For a given connection, its communication state (information from the earlier packets of that connection) and application state (information from other applications) are the key factors in deciding how to control the connection. To secure the upper layers, a firewall must therefore be able to access, analyse and use four kinds of information: the complete packet contents at the application layer; the previous communication state of the connection; the state of other applications; and flexible, expression-based evaluation derived from the first three. The thesis first analyses, against the Linux source code, the basic principles of stateful inspection and the functions it implements. It discusses in detail the connection states that Linux defines between IPv4 packets, how those states are obtained, how they influence one another and transition from one to another, and how the state of each connection is recorded in the corresponding table structure. It then uses the connection-tracking mechanism implemented in Linux to build firewall functions including source NAT, destination NAT and packet-rate limiting. The project is researched and designed for IPv4. When analysing the connection-tracking mechanism and designing NAT, the discussion is divided by protocol into TCP, UDP and ICMP, and the analysis and design make full use of the Linux module mechanism, so the resulting software is highly modular and readily extensible.
References
[1] Craig Rodrigues. Netfilter paper, February 2000.
[2] Song Jiang. TCP in the Linux kernel, 2000.
[3] Song Jiang. UDP/IP network protocol in the Linux kernel, 2000.
[4] Michael Hasenstein. IP Address Translation, 1997.
[5] Harald Welte. The journey of a packet through the Linux 2.4 network stack, October 2000.
[6] Harald Welte. Netfilter connection tracking and NAT helper modules, October 2000.
[7] 韩德志, 谢长生. Design and implementation of a high-performance firewall system. Computer Applications (《计算机应用》), July 2000.
[8] 金西, 黄汪. Embedded Linux technology and its applications. Computer Applications (《计算机应用》), July 2000.
[9] 刘永军, 王彦芳, 高占凤. IPv6-based security technology and its applications. Aeronautical Computing Technique (《航空计算技术》), October 2001.
[10] 任守奎 et al. (trans.). TCP/IP Illustrated, Volume 1: The Protocols (Chinese edition). Peking University Press, 1999.
[11] 周巍松 et al. Linux System Analysis and Advanced Programming Techniques. China Machine Press, 1999.
[12] 尤晋元 et al. (trans.). Advanced Programming in the UNIX Environment (Chinese edition). China Machine Press, 2000.
[13] John Lions (Australia). Lions' UNIX Source Code Analysis (Chinese edition). China Machine Press, 2000.
[14] 戴宗坤 et al. (trans.). Firewalls and Internet Security (Chinese edition). China Machine Press, 2000.
[15] Scott Maxwell. Linux Kernel Source Code Analysis (Chinese edition). China Machine Press, 2000.
[16] Robert L. Ziegler. Linux Firewalls (Chinese edition). Posts & Telecom Press, 2000.
[17] 陈莉君. Analysis of the Linux Operating System Kernel. Posts & Telecom Press, 2000.