IPSec and Its Policy in a Firewall Architecture

【Author】 Yuan Xun

【Supervisor】 Ni Xizhen

【Author information】 Institute of Software, Chinese Academy of Sciences, Computer Application Technology, 2001, Master's thesis

【Abstract (translated from the Chinese)】 Adopting a chain structure, this thesis describes an overall network security architecture with a firewall as its principal component, focuses on the combined use of network-layer security (IPSec) with the new stateful inspection firewall, and further explores the management of its policies.

First, starting from the deficiencies of traditional firewall solutions, we introduce two advanced technologies: network tracking (connection tracking) and stateful inspection. Network tracking is implemented at the network layer: it creates a connection tracking entry for every network connection and collects security-related information; thereafter all packets on that connection are tracked. Each security mechanism, such as packet filtering, authentication and address translation, has a corresponding interface in the connection tracking entry, so packets that pass through the connection tracking module can enter the policy checking modules of each layer directly. Stateful inspection distinguishes application types by service and extracts state information about the communication and the application program. Following the state transitions of the network communication, it continuously and dynamically updates the state information in the connection tracking table and, combined with predefined rules, enforces the security policy.

Second, the thesis introduces the stateful inspection firewall that applies these two technologies and sketches a security architecture built around it. This leads to another important part of the architecture: network-layer security, IPSec. For a complete security solution, providing end-to-end security is indispensable. However, when IPSec is implemented in a stateful inspection firewall and combined with connection tracking, new situations arise.

The third part explains how IPSec fits into the stateful inspection firewall. Using a security association chain in the connection tracking entry keeps the handling of IPSec consistent with the other security mechanisms and makes the modules clearer. However, to take full advantage of IPSec, standardizing its policy management will necessarily be the direction of further development.

The fourth part concerns IPSec policy management. The thesis introduces the concept of "trust management", a policy management model of general applicability. It uses a unified "security policy specification language" to describe an application's security policy. The trust management engine receives an action request written in that language together with the application's own policy, performs a compliance check, and determines whether the action is permitted and under what conditions. The thesis then analyses KeyNote, a trust management system that has already been implemented. Studying its design and implementation lays the groundwork for implementing this more complete policy model in our firewall architecture in the future.

【Abstract】 This chain-structured thesis describes a total network security framework whose principal part is a firewall. It also specifically discusses the combination of Internet Protocol Security (IPSec) with the newly developing stateful inspection firewall. Further, it probes into the field of policy management.

The thesis begins with the deficiencies of traditional firewalls and leads to a discussion of two advanced technologies: network tracking and stateful inspection. Network tracking is implemented at the network layer. It builds a connection tracking control block and a direction control block for every connection and collects security-related information. Then all subsequent packets are tracked. Each security mechanism, such as packet filtering, authentication and network address translation, has its interface in the connection tracking control block, through which a passing network packet can enter the policy checking modules directly. Stateful inspection distinguishes application types by their services and extracts status information about the communication and the application program. Based on the status transitions of the network communication, the stateful inspection module dynamically modifies the status information in the connection tracking control block and brings security policies into effect using predetermined rules.

Next, the thesis describes a stateful inspection firewall using the above two technologies and extends it to a security framework. This brings in another important part of this framework, IPSec. For an integrated network security solution, end-to-end security is absolutely necessary. But when IPSec is implemented in a stateful inspection firewall and combined with connection tracking, things are different.

The third part answers how IPSec fits into our firewall. The use of a security association chain in connection tracking unifies the management of IPSec and the other security mechanisms, thus making the modular structure clearer. However, to fully exploit the advantages of IPSec, the standardization of its policy management will by all means be the developing trend.

The final part is IPSec policy management. It presents the notion of Trust Management, a meaningful management mode worth generalizing. Trust Management uses a uniform "Security Policy Specification Language" to describe security policy. Its engine accepts a query along with policies, both written in that language and submitted by the application, performs compliance checking and determines whether the action should be allowed. Finally, an implemented trust-management system, KeyNote, is analyzed. Through this, we prepare for further putting it into our firewall system.

  • 【Classification number】TP393.08
  • 【Cited by】1
  • 【Downloads】118