Design of a Stateful Firewall Based on a Rule-Programmable Mechanism
Abstract
Firewalls are one of the most commonly used technical means of defending against network attacks, and their theory and technology have developed considerably in the contest with those attacks. Among the various types of firewalls, the stateful firewall, compared with the earliest packet-filtering firewalls, offers better flexibility and stronger defense against attacks, and therefore plays a pivotal role in protecting user networks. However, as attack techniques become increasingly diverse and differentiated, firewalls are gradually proving inadequate against the various new kinds of attack. For firewall technology to develop further, the existing theoretical framework must be improved upon and extended, and the result must be validated from the standpoint of technical feasibility.
On the basis of an in-depth analysis of the strengths and weaknesses of traditional firewall theory and technology, this paper focuses on methods of overcoming those weaknesses, and designs and implements a stateful firewall with a rule-programmable mechanism.
First, starting from a summary of the principles and techniques of traditional firewalls, the paper analyzes the strengths and weaknesses of each kind of traditional firewall, with emphasis on the traditional stateful technique, stateful inspection. To address the shortcomings of stateful inspection, namely its single type of state and its insufficiently flexible packet-filtering logic, an improved stateful model is proposed that extends and deepens the two concepts of state and state update logic. On the basis of this model, a rule-programmable stateful firewall is proposed. The paper studies the design of the rule-programmable firewall in detail in terms of its overall architecture, rule library structure, rule interface, rule language and rule compiler. Two aspects receive particular attention: the design of the rule library structure, guided by the principle of efficient rule matching, and the design of the rule language used to describe state and state update logic.
Second, the paper presents a concrete implementation of the scheme on a PC running Windows 7, discusses the difficulties encountered during implementation in detail and gives the corresponding solution for each. Taking a brute-force attack on FTP user passwords as a concrete example, the corresponding defense strategy is deployed in the form of programmable rules. Experiments show that the scheme has good flexibility and extensibility and can meet the need to deploy complex defense strategies.
Finally, the paper analyzes the development and application prospects of stateful firewalls with a rule-programmable mechanism and proposes directions for further research.
Firewalls are common security equipment for defending against network attacks, and their theory and technology have made remarkable progress. Among all types of firewalls, stateful firewalls, compared with early packet-filtering firewalls, have better flexibility and more powerful defense capabilities and thus play an important role in protecting user hosts. However, as network attacks grow more diverse, traditional firewalls are beginning to fail to defend against them. For firewall technology to improve, innovation must build on current theories.
Based on a summary of traditional firewall theories, this paper focuses on ways to overcome their defects, leading to our design and implementation of a rule-programmable methodology.
The paper begins with a summary of traditional firewall theory and technology that analyzes their advantages and shortcomings. The traditional stateful technology, stateful inspection, is discussed with priority, and its defects and possible development are explored. The concepts 'State' and 'State Update Logic' are then extended and a more general stateful firewall model is presented. Based on the model, the rule-programmable stateful firewall is proposed. The design of its structure, rule library, rule interface, rule language and rule compiler is covered in detail, with two parts given priority: the design of the rule library, aimed at a high-performance rule matching process, and the design of the rule language used to describe state and state update logic.
The paper also presents an implementation of the idea under Windows 7. The difficulties encountered are covered in detail, with a solution given for each. A defense strategy against a password-guessing brute-force attack is given and deployed as a test case to validate the implementation. Experimental results indicate that the scheme has good flexibility and meets the need to implement complex defense strategies.
Finally, the paper covers the future development and application prospects of rule-programmable stateful firewalls and proposes possible directions for further research.
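The model summarized in both abstracts treats "state" as arbitrary data kept per host or per flow, and "state update logic" as programmable rules rather than fixed TCP connection tracking. The following example is added here to illustrate that idea; it is not the paper's implementation (which is a Windows 7 kernel-mode design whose rule language and rule library are not reproduced on this page). Rules are plain Python callables sharing one state table, and two of them implement the kind of defense used as the paper's test case: counting FTP "530" login-failure replies per client and dropping that client's FTP control traffic for a period. The packet layout, addresses, threshold and block duration are all constructed assumptions.

```python
"""Toy rule-programmable stateful firewall (added illustration, not the paper's code).

Packets are simplified records. Each rule is a callable that inspects a packet and the
shared state table, may update the table, and returns a verdict or None (no opinion).
This stands in for the paper's rule language and rule compiler.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ALLOW, DROP = "ALLOW", "DROP"


@dataclass
class Packet:
    ts: float            # arrival time in seconds (constructed clock)
    src: str
    dst: str
    sport: int
    dport: int
    payload: str = ""    # decoded FTP control-channel text, for the demo only


@dataclass
class StateTable:
    """Generic key/value state shared by all rules; each rule chooses its own key scheme."""
    entries: Dict[Tuple, dict] = field(default_factory=dict)

    def get(self, key, default=None):
        return self.entries.get(key, default)

    def set(self, key, value):
        self.entries[key] = value

    def delete(self, key):
        self.entries.pop(key, None)

    def expire(self, now: float):
        """Time is part of the state: drop every entry whose 'expires' stamp has passed."""
        stale = [k for k, v in self.entries.items() if v.get("expires", float("inf")) <= now]
        for k in stale:
            del self.entries[k]


Rule = Callable[[Packet, StateTable], Optional[str]]


class StatefulFirewall:
    def __init__(self, rules: List[Rule], default: str = ALLOW):
        self.rules = rules          # evaluated in order; first non-None verdict wins
        self.default = default
        self.state = StateTable()

    def process(self, pkt: Packet) -> str:
        self.state.expire(pkt.ts)
        for rule in self.rules:
            verdict = rule(pkt, self.state)
            if verdict is not None:
                return verdict
        return self.default


# --- Rules: the programmable "state update logic" (constructed policy values) ----------
FTP_PORT = 21
FAIL_THRESHOLD = 3      # failures per client before blocking (assumption)
BLOCK_SECONDS = 60.0    # how long a block, and a failure counter, stay alive (assumption)


def ftp_block_rule(pkt: Packet, state: StateTable) -> Optional[str]:
    """Drop client-to-server FTP traffic while the client carries a block entry."""
    if pkt.dport == FTP_PORT and state.get(("ftp_block", pkt.src)) is not None:
        return DROP
    return None


def ftp_failure_counter(pkt: Packet, state: StateTable) -> Optional[str]:
    """Count '530' replies sent by the FTP server to each client; block after the threshold.

    The counted state is the application-layer login outcome, not TCP connection state,
    which is the kind of extension the stateful model in the abstract describes.
    """
    if pkt.sport != FTP_PORT or not pkt.payload.startswith("530"):
        return None
    client = pkt.dst
    key = ("ftp_fail", client)
    rec = state.get(key) or {"count": 0}
    rec["count"] += 1
    rec["expires"] = pkt.ts + BLOCK_SECONDS   # counter decays if the client goes quiet
    state.set(key, rec)
    if rec["count"] >= FAIL_THRESHOLD:
        state.set(("ftp_block", client), {"expires": pkt.ts + BLOCK_SECONDS})
        state.delete(key)                     # reset the counter once the block is installed
    return None   # the server's reply itself is not blocked; the client's next packets are


def run_demo() -> List[str]:
    """Replay a constructed login-guessing session and return the verdict for each packet."""
    fw = StatefulFirewall([ftp_block_rule, ftp_failure_counter])
    client, server = "10.0.0.5", "192.168.1.10"   # constructed addresses
    verdicts = []
    t = 0.0
    for attempt in range(FAIL_THRESHOLD):          # three wrong passwords, each answered with 530
        t += 1.0
        verdicts.append(fw.process(Packet(t, client, server, 40000 + attempt, FTP_PORT,
                                          "PASS guess%d\r\n" % attempt)))
        t += 0.1
        verdicts.append(fw.process(Packet(t, server, client, FTP_PORT, 40000 + attempt,
                                          "530 Login incorrect.\r\n")))
    t += 1.0   # fourth attempt arrives while the block is active -> dropped
    verdicts.append(fw.process(Packet(t, client, server, 40010, FTP_PORT, "PASS guess3\r\n")))
    t += BLOCK_SECONDS + 5.0   # well after expiry -> block entry aged out, traffic allowed again
    verdicts.append(fw.process(Packet(t, client, server, 40011, FTP_PORT, "USER alice\r\n")))
    return verdicts


if __name__ == "__main__":
    for i, v in enumerate(run_demo(), 1):
        print(i, v)
```

The separation between the engine (`StatefulFirewall`, `StateTable`) and the rules is the point: adding a new defense means writing a new state-update rule, not changing the engine, and the state table can hold whatever a rule needs (counters, timestamps, block marks) rather than only connection tuples.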