Design and Implementation of a Linkage-Based Network Security System
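Abstract
To protect information systems from intrusion or attack, people commonly build defenses from network security systems such as firewalls and intrusion detection systems. With today's technology and practical conditions, however, such defenses still depend on close cooperation from the administrator to block attacks correctly. To make network security systems respond to attacks more sensitively and automatically with the correct defensive action, this paper studies and designs a linkage-based network security system that balances performance and security. The work consists of the following three parts:
     First, design and develop a firewall dispatcher. When network traffic grows to the point that the firewall system can no longer carry it, replacing the firewall with a higher-end model is not only very expensive but also time-consuming and laborious. If, following a cluster-like concept, a group of firewall hosts evenly shares the work handled by a single host, performance can be scaled very flexibly. How to distribute the work evenly across the group of hosts under the concept of load balancing is also a key research topic.
     Second, research and develop a rule adjustment system. Although an intrusion detection system can inform the administrator about an attack, the administrator must still change the rules manually, which loses the chance to defend at the earliest moment. This research enables the intrusion detection system, once it discovers attack information, to dynamically change the rules of the firewall hosts and block the attacker's further actions.
     Third, build a network security experiment platform. Based on the specific requirements of the research scheme, a comprehensive network security experiment platform is designed and built, and used to compare firewall load, interception efficiency and other differences before and after applying the linkage-based network security system.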
For integrated security, we often combine several network security systems, such as a firewall and an intrusion detection system, into a defensive system that prevents our information system from being intruded upon. With current technology and in practice, however, the network administrator and the defensive system still have to work cooperatively to block intruders. To make the defensive system more sensitive and automatic, and to let it respond to intrusions correctly, the major objective of this project is to research and design a secure, efficient and intelligent defensive system.
     The intelligent defensive system is composed of the following parts.
     The first is the firewall dispatcher. As network activity grows, the firewall often becomes a bottleneck of network communication. Some attack techniques, such as DoS, make the problem more serious. When the firewall system cannot handle the increasing network traffic, replacing it takes a great deal of time and money. If we use a concept similar to a cluster, we can replace a single expensive firewall with a group of general firewalls that perform the same function, which makes the firewall very flexible to expand. Our research objective is therefore how to dispatch jobs to the firewall group in a way that approaches load balancing.
     The second is the self-adapting rule system. Although the intrusion detection system can provide information about attacks to the network administrator, the administrator still has to change the firewall rules by hand to block the intruders. This work is detailed and complicated, and the chance to defend just in time is lost. If the intrusion detection system can dynamically and automatically change the firewall rules when it finds attack alerts, so as to block the attacker as quickly as possible, the defensive system will respond to attacks more intelligently.
     The third is the experiment platform. According to the requirements of the project, a comprehensive network security experiment platform is designed and built.