
Design and Implementation of an NG Firewall System Based on Traffic Detection Technology

Design and Implementation of Ng Firewall System Based on Flow Identification Technology

【Author】 李家春

【Advisor】 郭世泽

【Author Information】 Beijing University of Posts and Telecommunications, Information Security, 2013, Master's thesis

【Abstract (translated from the Chinese)】 A firewall sits between a trusted network and an untrusted network and plays the role of guarding security. Its performance directly affects the efficiency of data transmission and resource sharing between the internal and external networks, which is one of the key research issues in today's NG Firewall (short for next-generation firewall) market. The speed at which today's Internet is developing and the number of new services and new protocols are astonishing, and this brings unprecedented pressure and challenges to today's firewalls; traditional firewalls are increasingly unable to meet current security needs. Current research on next-generation firewalls is aimed at application identification, which is not hard to understand: fundamentally, any threat on the network is a kind of network application, and it can be distinguished from other traffic by data analysis. Monitoring of all kinds of network threats is therefore unified under application identification, which is also the foundation on which next-generation firewalls stand. A next-generation firewall must be able to meet the need for application-based identification. Traffic detection technology is an important technical means for network monitoring, protection and management in information security, and in network security in particular. To address the drawbacks of traditional firewalls, this thesis introduces several currently popular traffic detection technologies into a new firewall system, carefully analyzes the advantages and disadvantages of the various traffic detection and control technologies, and applies them in a system of its own design. The thesis focuses on AC-based multi-pattern string matching algorithms, improves the currently popular AC-BM algorithm, and verifies the performance of the improved algorithm through example matching. On this basis, the thesis designs a network firewall system and carefully designs the functions, implementation mechanisms and methods of each sub-module. Overall, detection experiments on many different kinds of protocols show that the system achieves its original design intent; although there are quite a few flaws in some aspects, the overall result is satisfactory. Specifically, the thesis completes the following work:
1. Analyzes the shortcomings of traditional firewalls and compares the differences and research focus of traditional and next-generation firewalls.
2. Analyzes existing network traffic identification and control technologies, and summarizes the implementation approach, advantages and disadvantages of each.
3. Focuses on the performance of various string matching algorithms, makes appropriate improvements to the AC-BM algorithm, and finally verifies through example matching and experiments that the improved algorithm performs better.
4. Analyzes and studies several typical application services popular on the Internet, and, in combination with specific application software, analyzes and summarizes the communication principles, traffic characteristics and main analysis methods of each protocol.
5. Designs a next-generation firewall system that implements identification and control of network traffic. The system combines multiple detection technologies to improve the accuracy of protocol identification, designs a traffic control scheme on the Netfilter framework of the Linux system, proposes a rate-limiting algorithm for traffic control, and implements control of specific traffic.
6. Analyzes the traffic characteristics of many software applications of different service types, extracts their features and writes them into a feature rule base, tests the system's traffic identification and control functions, and analyzes the test results. The analysis shows that the system can accurately identify and effectively control all kinds of traffic with high detection efficiency, basically meeting the basic functional requirements of a next-generation firewall.

【Abstract】 A firewall acts as the guardian of security between the trusted network and the untrusted network. Its performance directly affects the efficiency of data transfer and resource sharing between the internal and external networks, which is one of the key issues in today's NG Firewall (next-generation firewall) market research. The speed at which today's Internet grows and the sheer number of new services and protocols bring unprecedented pressures and challenges, and traditional firewalls have become increasingly unable to meet current security requirements. Research on the next-generation firewall now targets application identification, which is not difficult to understand: fundamentally, any threat on the network is a network application, and it can be distinguished from other traffic through data analysis. Monitoring of the various network threats is therefore unified under application identification, which is the essence of the next-generation firewall's survival. Next-generation firewalls must be able to meet the demand for application identification. Traffic detection technology is one of the important technical means in the field of information security, and network security in particular, for network monitoring, protection and management. In view of the drawbacks of traditional firewalls, the paper introduces several of today's popular traffic detection technologies into a new firewall system, carefully studies the advantages and disadvantages of the various detection and control techniques, and applies them in my system. This paper focuses on multi-pattern string matching algorithms based on AC and on improving today's popular AC-BM algorithm, then verifies the improved performance of the algorithm through example matching. The paper designs a network firewall system, and carefully designs the functions and mechanisms of the various sub-modules.
Overall, detection test results on a variety of different protocols show that the system achieves the original intention of the design; although there are a number of flaws in some aspects, the overall result is satisfactory. The main work of the paper consists of the following:
1. The paper analyzes the shortcomings of the traditional firewall and compares the differences and research focus between the traditional firewall and the next-generation firewall.
2. The paper analyzes the existing network traffic identification and control technologies, and summarizes the implementation of the various technologies and their advantages and disadvantages.
3. The paper studies the performance of the various string matching algorithms and makes a few appropriate improvements to the AC-BM algorithm, then verifies the improved performance of the algorithm through example matching and experiment.
4. The paper studies several typical application services popular on the Internet, and analyzes and summarizes the communication principles, flow characteristics and analysis methods of each protocol, combined with specific instances.
5. The paper designs a next-generation firewall system and implements identification and control of network traffic. A combination of several detection technologies is used to improve the protocol recognition accuracy. The paper gives a flow control algorithm based on a traffic control scheme built on the Netfilter framework of the Linux system, and implements traffic control of specific traffic.
6. The paper analyzes the flow characteristics of a variety of different types of application software, extracts their features and writes them to a feature rule database.
Then the paper tests the traffic identification and control functions of the system and analyzes the test results. The analysis shows that the system can accurately identify and effectively control a variety of flows and has good detection efficiency, basically meeting the basic functional requirements of a next-generation firewall.
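The AC-based multi-pattern matching on which the thesis builds its traffic identification, shown as an added example that is not the thesis's code or its improved AC-BM variant: a plain Aho-Corasick automaton is loaded with a constructed signature rule base and run over constructed payload bytes to label each flow (the signatures, labels and payloads are assumptions for illustration).

```python
# Added example (not the thesis's code or its AC-BM variant): Aho-Corasick
# multi-pattern matching as a traffic classifier over constructed samples.
from collections import deque

class SignatureMatcher:
    def __init__(self, rules):          # rules: {signature bytes: app label}
        self.goto = [{}]                # goto[state] = {byte: next state}
        self.fail = [0]                 # failure link per state
        self.out = [set()]              # labels emitted on reaching a state
        for pat, label in rules.items():
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(label)
        q = deque(self.goto[0].values())  # depth-1 states keep fail = root
        while q:                          # BFS: failure links, merged outputs
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]

    def scan(self, payload):
        """Return the set of app labels whose signature occurs in payload."""
        hits, s = set(), 0
        for b in payload:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits |= self.out[s]
        return hits

def classify(matcher, flows):
    """Label each flow by matched signatures, or 'unknown' if none matched."""
    return {name: sorted(matcher.scan(data)) or ["unknown"]
            for name, data in flows.items()}

# Constructed signature rule base and sample flow payloads (not from the thesis)
RULES = {b"GET /": "http", b"HTTP/1.1": "http", b"SSH-2.0": "ssh",
         b"BitTorrent protocol": "bittorrent", b"\x16\x03\x01": "tls"}
FLOWS = {"f1": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
         "f2": b"SSH-2.0-OpenSSH_8.9\r\n", "f3": b"\x13BitTorrent protocol\x00",
         "f4": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4", "f5": b"\x00\x01 none"}
```

`classify(SignatureMatcher(RULES), FLOWS)` labels f1 through f4 as http, ssh, bittorrent and tls, and f5 as unknown; every payload byte is consumed once regardless of how many signatures are loaded.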
