摘要
随着Internet的飞速发展,越来越多的个人计算机接入到互联网中。但是,人们在充分享受网络所带来方便的同时,网络安全事件也在不断增加。在当前个人网络安全产品中,个人防火墙是一个非常重要的网络安全产品。本文在比较了当前几种流行的个人防火墙技术后,提出了一种新的实现方法,即NDIS-HOOK与SPI相结合,并利用该技术在Windows下设计了一个基于NDIS-HOOK与SPI的个人防火墙。
Windows使用NDIS函数库实现NDIS接口,所有的网络通信最终必须通过NDIS完成。NDIS-HOOK的工作原理是直接替换NDIS函数库中的函数地址,这样,向NDIS的请求就会先经过自定义函数处理,处理完后再转发给系统函数,因此,利用NDIS-HOOK可以实现底层的数据包捕获。SPI是利用Winsock 2服务提供者接口实现个人防火墙,SPI是新的Windows套接字所引入的一种新的编程接口,利用这种技术可以方便地捕获应用层的数据包。本文利用NDIS-HOOK与SPI相结合,在应用层利用SPI进行封包来过滤各种应用程序,而在核心层利用NDIS-HOOK来过滤各种非Socket通信的数据包。
本文首先讲述了网络安全和个人防火墙知识,并讨论了个人防火墙技术及发展;继而比较了几种现实个人防火墙的技术,并提出了自己的技术选择;接着阐述了本防火墙的总体结构及功能。另外,本文还对核心公用模块、控管规则文件、日志文件进行了设计,对今后的工作做出了进一步的展望。
With the rapid development of Internet, more and more personal computers have been connected to Internet. But while people enjoy the convenience brought by Internet, problems of network security are increasing. In the current personal network security products, personal firewall is a very important network security one. Compared with the popular personal firewall technologies, a new method which is based on NDIS-HOOK and SPI is suggested. Using this method, the author has designed a personal firewall based on NDIS-HOOK and SPI on Windows platform.
Windows uses NDIS function library to realize the NDIS interface, thus, all network communication must use NDIS. The work principle of NDIS-HOOK is that by means of replacing directly the address of function in NDIS database, the request for NDIS would be first passed to the user-defined function, then transmitted to the system function. Using NDIS-HOOK, the lower-layer data packets can be captured. SPI uses Winsock Service Provider Interface to realize the personal firewall, which is a new programming interface offered by the Windows Socket 2.0. Using this method, the data packets of application layer can be captured. This thesis combines the NDIS-HOOK with SPI. In application layer, the system uses SPI to filter all kinds of application program. In kernel layer, the system uses NDIS-HOOK to filter all kinds of non-socket data packets.
First, the knowledge of network security and personal firewall are introduced in the thesis, and development of personal firewall technologies is discussed. Then the technologies of personal firewall are compared, and the method used in this thesis is chosen. Thirdly, the whole structure and function are expatiated. At last, the kernel common module, file of control rule and log file are designed, and the next-step work of system is viewed.
引文
[1] 刘东华等著.网络与通信安全.第一版,北京:人民邮电出版社,2002.11
[2] 卢昱,林琪著.网络安全技术.第一版,北京:中国物资出版社,2001.2
[3] 龚俭,陆晟,王倩著.计算机网络安全导论.第一版,南京:东南大学出版社,2000.8
[4] 楚狂等著.网络安全与防火墙技术.第一版,北京:人民邮电出版社,2000.4
[5] Chris Brenton Cameron Hunt著.网络安全积极防御从入门到精通.马树奇,金燕译.电子工业出版社,2001
[6] http://tech.sina.com.cn/c/2003-11-25/24821.html
[7] qie si wei ke W. R, CheswickWilliam R等著.防火墙与因特网安全.戴宗坤,罗万伯译.机械工业出版社,2000
[8] Gang Ka Wei SiM, GoncalvesMarcus著.防火墙技术指南.宋民书译.机械工业出版社,2000.11
[9] OgletreeTerry William著.防火墙原理与实施.李之棠译.电子工业出版社,2001.2
[10] 北京启明星辰信息技术限公司著.防火墙原理与实用技术.电子工业出版社,2002
[11] 朱雁辉著.Windows防火墙与网络封包截获技术.电子工业出版社,2002
[12]fu deJ. L.; FordJerry Lee著.个人防火墙.段云所译.人民邮电出版社,2002
[13] BrentonChris著.网络安全从入门到精通.马树奇,金燕译.电子工业出版社,1999.5
[14] 宁章著.计算机及网络安全与防护基础.北京航空航天大学出版社,1999.10
[15] McClureStuart著.网络安全从入门到精通.杨继张译.清华大学出版社,2000.9
[16] KaeoMerike著.网络安全性设计.潇湘工作室译.人民邮电出版社,2000.10
[17] Comer, Douglas E.著. Internetworking with TCP/IP Principles,Protocols,and Architectures.
[18] Comer, Douglas E. and Stevens,Davide L.著. Internetworking with TCP/IP Vol. Ⅲ: Client-Server Programming And Applications.
[19] Douglas E. Comer & David I. Intermetworking with TCP/IP Vol. Ⅱ :design,implementation,and internals.
[20] Microsoft 著. Microsoft windows 2000 server TCP/IP core networking.
[21] Uyless Black 著. TCP/IP and related protools. BeijingWOrld Bublishing Corporation 1999.3
[22] L.Stevens, Douglas E.Comer & D;Series.;Falk, Walther 著. Internetworking with TCP-IP.Vol.Ⅱdesign, implementation, and internals. Englewood CliffPrentice Hall 1991
[23] E.Comer, Douglas;Series.;Falk, .Walther 著. Internetworking with TCP/IP.Vol. Ⅰ Principles, protocols, and architecture. Englewood CliffPrentice Hall 1991
[24] 钟向群,杨继张著.网络安全机密与解决方案.清华大学出版社,2002
[25] 中国人民公安大学著.网络安全技术与应用.网络安全技术与应用杂志社,2001
[26] 钟向群,杨继张著.:网络安全机密与解决方案.清华大学出版社,2002
[27] 常建平著.网络安全与计算机犯罪.中国人民公安大学出版社,2002
[28] 北京启明星辰信息技术限公司著.防火墙原理与实用技术.电子工业出版社,2002
[29] 常建平著.网络安全与计算机犯罪.中国人民公安大学出版社,2002
[30] 张曜著.加密解密与网络安全技术.冶金工业出版社,2002
[31] 董玉格著.攻击与防护.网络安全与实用防护技术.人民邮电出版社,2002
[32] tallings,William著.Network security essentials: applications and standards.清华大学出版社,2002
[33] 张千里,陈光英著.网络安全新技术.人民邮电出版社,2003
[34] 姚顾波,刘焕金著.黑客终结网络安全完全解决方案.电子工业出版
社,2003
[35] Andrew S. Tanenbau著.Computer Networks, Fourth Edition.清华大学出版社,2003
[36] W. Richard Stevens著.TCP/IP Illustrated, Volum 1
[37] Gray R. Wright著.TCP/IP Illustrated,Volum2
[38] http://www.ntndis.com
[39] http://msdn.microsoft.com
[40] Win2000 DDK Document. Microsoft Corporation
[41] RFC 791. Internet Protocol. 1981
[42] RFC 792. Internet Control Message Protocol
[43] RFC 2616. Hypertext Transfer Protocol—HTTP/1.1.1999
[44] RFC 768. User Datagram Protocol. 1980
[45] Douglas E.Comer著.用TCP/IP进行网际互联第一卷:原理、协议与结构(第四版).林瑶,将慧、杜蔚轩译.电子工业出版社,2001
[46] 飞思科技产品研发中心著.Delphi下深入Windows核心编程.电子工业出版社,2003
[47] 朱友芹等编.新编Windows API参考大全.电子工业出版社,2000
[48] 卢昌龙著.网络安全与防火墙体系.天津通信技术,2003,03期,14-17
[49] 卿斯汉著.防火墙的现状与发展趋势.信息化建设,2003,09期,11-13
[50] Douglas E.Comer著.用TCP/IP进行网际互联第二卷:原理、协议与结构(第四版).林瑶,将慧、杜蔚轩译.电子工业出版社,2001
[51] 李广儒,邹云松著.防火墙技术的几个发展趋势.河南师范大学学报(自然科学版),2003,01期,36-39
[52] 李永进著.浅谈防火墙.中国金融电脑,2003,02期,34-35页
[53] 彭倩岚,李之棠著.分布式防火墙系统的安全机制设计.计算机工程与科学,2003,02期,11-15
[54] 韩德志著.防火墙模型及系统设计.计算机工程与应用,2001,06期,71-73
[55] 郭伟著.数据包过滤技术与防火墙的设计.江汉大学学报,2001,03期,56-59
[56] 王岩梅,顾训穰著.单机版防火墙系统中数据包过滤技术的研究.计算机工程,2001,11期,191-193
[57] 徐济仁,陈家松著.防火墙的原理与设计技术.中国数据通信,2001,05期,9-11
[58] 徐济仁,陈家松著.个人计算机防火墙的原理与运用实例.中国数据通信,2001,11期,45-47
[59] Anthony Jones, Jim Ohlund著.Windows网络编程技术.京京工作室译.机械工业出版社,2000
[60] Microsoft公司著.Microsoft Windows驱动程序模型设计.北京大学出版社,2000
[61] Baker,A., Lozano,J.著.Windows 2000设备驱动程序设计指南.机械工业出版社,2001
[62] 张惠娟等著.Windows环境下的设备驱动程序设计.西安电子科技大学出版社,2002
[63] 谢希仁著.计算机网络(第二版).电子工业出版社,1999
[64] Jon Bates, Tim Tompkins著.实用Visual C++6.0教程.何健辉,董方鹏等译.清华大学出版社,2000
[65] Marshal Brain等著.深入学习:Win32系统服务开发与实例.张锦,张俊等译.电子工业出版社,2001
[66] Jon C. Snader著.高级TCPHP编程.刘江林译.中国电力出版社,2001