
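Design and Implementation of a New Type of Software Firewall

【Author】 陈朝阳

【Advisors】 潘雪增; 平玲娣

【Author information】 Zhejiang University, Computer System Architecture, 2002, Master's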

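【Summary】 With the rapid development of computer networks and the growing prevalence of online transactions and online life, network security has become a focal issue. Firewalls, as an important component of network security solutions, are becoming increasingly important. There are already many firewall products on the market, but few are aimed at small and medium-sized users who require simple operation together with powerful functionality; the firewall discussed in this thesis was designed against this background. First, in introducing the firewall's architecture, this thesis focuses on its novelty: it implements a firewall with an enhanced SSN model, which can provide an unlimited number of subnets, lets you define any one or more subnets as secure server networks, and lets you define a security policy between any two subnets. In addition, although it is powerful, it needs only one ordinary PC; of course, for performance reasons and to avoid a single point of failure, you can run the firewall on several computers in parallel. Next, the thesis discusses the firewall's components in turn, the most important being: 1. Integrated packet filtering system. This combines stateless and stateful packet filtering and provides a hierarchical filter rule table structure to meet the requirements of the firewall architecture discussed in this thesis; users can also define their own rule tables, and some commonly used rules are introduced. Driver programming on the Windows platform is also involved here. 2. NAT. This describes where network address translation sits in the system and explains how functions such as load balancing are implemented. 3. Multi-proxy system. This introduces several common proxies, such as HTTP and FTP proxies. For the HTTP proxy, it also discusses new techniques provided to speed up access, such as caching and active proxy techniques, with emphasis on the former. 4. Identity authentication system. There are many identity authentication methods today; to meet different users' requirements, different authentication mechanisms are integrated into the firewall. Two mechanisms with relatively strong authentication are mainly covered: the Kerberos system and the OTP system. Finally, the thesis looks ahead to the new functions to be added to the firewall as network technology develops: anti-virus functionality, active proxy functionality, and fully parallel operation. In short, the aim is to provide users with a new type of firewall that is extensible, adapts to new network security requirements, and is powerful.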

【Abstract】 With the rapid development of computer networks and the prosperity of e-business, network security is becoming more and more important. The firewall, a key component of any network security solution, is receiving growing attention and research. There are now many firewalls: some are powerful but complex, while others are simple but offer few functions. There are so few firewalls suitable for department users, or even single users, that we designed the new firewall this paper describes.

First, this paper introduces the architecture of the new firewall and emphasizes its novelty: a model that goes beyond the framework of the SSN (secure server network). Using the firewall, you can freely define one or more secure server networks and, at the same time, set up a security policy between one subnetwork and any other subnetwork. On the other hand, although it is powerful, its requirements are modest: it can run on a single PC of the kind you use now. Of course, if you want high performance and want to avoid a single point of failure, you can run the firewall on more than one PC in parallel.

Second, the paper describes the components of the firewall one by one. The primary components include:

Packet Filter. It is made up of stateless and stateful packet filters. To meet the requirements of the firewall architecture, the system's filter rule tables are organized in a hierarchical structure. Users can also define their own filter rule tables. Windows driver programming is involved here.

NAT (network address translation). NAT is a component closely related to the packet filter. Load balancing is involved here.

Proxy. The paper introduces some familiar proxies, such as the HTTP proxy and the FTP proxy. In introducing the HTTP proxy, the cache technique and the self-active technique are described, especially the first.

Authentication. There are currently many authentication systems. To satisfy different users, the new firewall integrates several popular authentication techniques. Two techniques offering high security and performance, Kerberos and OTP, are described in detail.

Finally, this paper looks ahead to the future of the firewall, which will grow with the development of network security. Three functions, anti-virus, self-active proxy and parallel running, will be implemented in the next version. To sum up, we provide a new, powerful, extensible, user-definable firewall to satisfy different users.

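  • 【Online publication contributor】 Zhejiang University
  • 【Online publication year/issue】 2002, Issue 02
  • 【Classification number】 TP393.08
  • 【Citation count】 3
  • 【Download count】 197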