
Design and Implementation of a Gigabit Firewall Based on Network Processors

Research and Implementation of Giga-bit Firewall Based on Network Processors

【Author】 刘刚

【Supervisor】 孙志仁

【Author information】 Donghua University, Computer Application Technology, 2004, Master's thesis

【Abstract (translated from Chinese)】 The speed of the Internet is currently growing rapidly, and broadband networks are quietly entering millions of households. While people enjoy the convenience the network brings, they also face many security problems such as hacker intrusions and network viruses. Faced with ever-growing network security demands and a worrying security situation, firewall products have become a current research focus. The core of this thesis is the design and implementation of a gigabit hardware firewall based on the IXP1200 network processor (NP). During development, problems in many areas were solved, including the multi-layer architecture, firewall working modes, micro-engine allocation, attack defence policies and the graphical user interface, and original views are put forward on both the future promotion of network processor applications and the development of firewall products. Traditional firewalls generally use either dedicated hardware chips or a purely software-based scheme, and find it hard to satisfy both performance and flexibility requirements. An NP is programmable hardware for communication tasks such as packet processing, protocol analysis, routing, integrated voice and data, and QoS. It combines the advantages of both approaches, discards their shortcomings, and offers a completely new joint hardware/software solution. Designing network devices based on NPs suits China's national conditions. Intel has launched a series of parallel programmable network processors, the IXP425, IXP1200, IXP2400 and IXP2800, of which the IXP1200 is an entry-level NP chip aimed at enterprise network equipment; it has one general-purpose processor and six micro-engines, is well suited to IP broadband access devices, and is an ideal choice for the core processor of a gigabit firewall. Starting from the current state of network security and NP applications, this thesis introduces the Intel network processor hardware and software development platform, designs a multi-layer parallel firewall architecture, analyses the basic firewall working modes, implements key modules including TCP relay, ARP proxy transparent mode and the WebUI firewall control interface, determines the best micro-engine allocation through three comparative performance experiments, and finally completes the development of the NetChannel5000 series firewall and looks ahead to future directions. The innovations of this thesis are reflected in the following three aspects. First, a TCP relay method based on the NP is proposed that protects the internal network from malicious SYN attacks while maintaining throughput. Second, through three micro-engine allocation experiments, a micro-engine allocation scheme superior to the reference design is proposed, contributing to research on NP fast-path performance. Third, a highly user-friendly Web graphical management interface with a configuration wizard is implemented, enabling ordinary network administrators to configure the firewall effectively.

【Abstract】 With the rapid growth of the Internet nowadays, broadband networks have come into people's daily life. Meanwhile, people have to suffer security problems such as hacker intrusion and network viruses as they enjoy the convenience brought by the network. Therefore, firewall products play an important role and are of great interest in meeting the increasing demands of network security. This paper explores the research work on how to design a Giga-bit firewall based on Intel's network processor IXP1200, which presents both high performance and security functionality. During the development period, the author and his friends solved many critical problems, including Multiple Layer Architecture, Working Modes, Allocation of Micro-engine, Attack Defence Policies and Web User Interface. Also, new ideas for improvement on both future network processors and firewall products have been well presented. Compared with the traditional firewall, which cannot make a good tradeoff between performance and flexibility, the NetChannel 5000 Series Firewall uses an NP as its core processor. An NP is programmable hardware optimized for packet processing, protocol analysis, routing, voice integration and QoS. In China, the NP is the best choice for designing network devices. Intel Co., Ltd invented a series of parallel programmable network processors, including the IXP425, IXP1200, IXP2400 and IXP2800. The IXP1200, one of Intel's network processors, is a primary product suitable for enterprise usage. It has a general-purpose processor and six micro-engines. The IXP1200 fits the requirements of broadband access devices and is the best choice for a Giga-bit firewall. This paper begins with an introduction to the current situation of network security and the network processor's applications. The author introduces the hardware and software development platform of the Intel IXP1200. He puts forward the TCP Relay module, the ARP Proxy module, the WebUI module, etc. He also develops the best way of allocating micro-engines through three experiments. In the end, a conclusion is made on the whole project and an expectation is given for the development of network security devices in the future. The main innovative ideas in this paper are presented as follows. First, the TCP Relay method is applied to defend against SYN Flooding attacks and to control the whole process of a TCP connection. Second, this paper provides new micro-engine allocation methods through three experiments, and puts forward a new idea to accelerate the performance of the fast path. Third, a Config Wizard is put forward, which can help users to configure the firewall easily; every common operator can configure the firewall efficiently with the Wizard.

  • 【Online publishing institution】 Donghua University
  • 【Online publication year/issue】 2004, Issue 03
  • 【CLC number】 TP393.08
  • 【Cited by】 4
  • 【Downloads】 232