The Study of Security Based on IPSec VPN

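【Author】 Lu Guodong (陆国栋)

【Advisor】 Huang Guoxing (黄国兴)

【Author information】 East China Normal University (华东师范大学), Software Engineering, 2006, Master's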

【Abstract】 The rapid development of Internet technologies and services has made exchanging and sharing information convenient, but it has also brought unprecedented security risks. The ease of operation and standardization of IP (Internet Protocol) have made it the standard protocol for data exchange on the Internet, but because it inherently lacks security guarantees, network attacks that exploit its weaknesses keep emerging. This dissertation discusses IP security in terms of five basic security properties (confidentiality, integrity, availability, controllability, non-repudiation). It proposes countermeasures for several common attack methods and, in particular for ordinary DoS attacks, a method that freezes illegal IP addresses for an exponentially increasing period of time. The IPSec protocol effectively secures IP communications, and a VPN system built with IPSec provides mature services for data encryption, data-integrity verification, and non-repudiation of communicating entities. This dissertation analyzes and compares several mainstream VPN tunneling protocols and discusses in detail the importance of IPSec for security assurance. Its main contribution is to introduce the idea of classified protection on top of IPSec VPN: data is classified by security level and access-control permissions are set accordingly; each firewall uses a history-based credit (reputation) policy to provide access control; the firewalls in the system are configured with a strength-classification and logical-call policy, which provides flexible and efficient controllability protection; and a tag-header method is used to resolve the conflict between firewalls and IPSec. This approach also follows the PDRR model.

  • 【Classification No.】TP393.1
  • 【Times cited】1
  • 【Downloads】198