Research and Implementation of a Deep Packet Inspection Firewall Based on NDIS Technology

Research and Implement of Deep Packet Inspection Firewall Based on NDIS Technology

[Author] 熊仲健

[Supervisor] 胡越明

[Author information] Shanghai Jiao Tong University, Computer Architecture, 2008, Master's thesis

[Abstract (translated from Chinese)] In recent years network attacks have risen sharply, and worms such as Blaster and Sasser have posed serious challenges to network security. Traditional firewall technologies such as packet-filtering firewalls and stateful-inspection firewalls lack the ability to counter these new attacks. As an important part of the network security system, firewall technology must keep evolving and add new technical means to deal with emerging threats. On this basis, this thesis proposes a new dual-protection firewall architecture that combines a TDI-layer filter driver with deep packet inspection based on NDIS-HOOK technology, and implements the firewall system in the Windows kernel. The main work of the thesis includes: (1) studying the I/O mechanism of the Windows kernel, and analysing and experimentally verifying methods for capturing, filtering and controlling network request packets at the TDI and NDIS layers; (2) designing and implementing network packet filtering and control at the TDI layer, where the IP address, port, protocol, user, process and other information are available, so that precise control over specific users and specific applications can be enforced; (3) designing and implementing network packet filtering and control at the NDIS layer using deep packet inspection, which analyses protocol content comprehensively to detect suspicious or abnormal behaviour in network communication and, combined with stateful inspection to determine the application-layer session state, blocks it promptly; (4) system testing of the designed system, including tests of the TDI-layer seven-tuple filtering control based on application processes and tests of the NDIS-layer HTTP deep packet inspection control. The tests show that the proposed and implemented dual-protection firewall architecture, based on a TDI-layer filter driver and NDIS-HOOK deep packet inspection, achieves network access control and deep packet inspection at their respective layers and improves host security.

[Abstract] In recent years, attacks from the network have been growing greatly year by year. These attacks, which aim at loopholes in the application layer, such as worms and trojan horses, have brought a great challenge to network security, but traditional firewall technologies, such as packet-filter firewalls and stateful-inspection firewalls, cannot defend against them efficiently. As an important part of a network security system, firewalls must improve their abilities, and new technologies and methods must be developed in order to defend against these attacks aimed at the application layer. Based on the circumstances discussed above, this paper puts forward a new-style, double-defence firewall framework based on a TDI filter driver and NDIS-HOOK deep packet inspection technology, and implements it in the Windows kernel. The main work of this paper is as follows: (1) Researched the I/O mechanism of the Windows kernel. Analysed and tested how to capture, analyze, filter and control IRP packets in the TDI layer and NDIS layer of the Windows network protocol stack by means of attaching drivers. (2) Designed and implemented the filtering and control of network IRPs in the TDI layer. Many kinds of information, such as IP address, port, protocol, user and process, can easily be obtained in the TDI layer, so the TDI filter driver module can implement network access control aimed at specific processes and users. (3) Designed and implemented the filtering and control of network packets by deep packet inspection in the NDIS layer. Implemented the capture and protocol analysis of these packets based on NDIS-HOOK technology. The module analyzes the principles and characteristics of application-layer protocols, uses stateful inspection technology to maintain the state of packets, checks for illegal network requests and network attacks, and finally denies them in time. (4) Tested the firewall designed and implemented in this paper systematically, including the test of the filtering and control of network IRPs based on application and user information in the TDI layer, and the deep packet inspection and control of the HTTP protocol in the NDIS layer. Test results show that this new-style, double-defence firewall framework based on a TDI filter driver and NDIS-HOOK deep packet inspection technology can implement network access control and deep packet inspection in their respective layers, and finally improves the security of the computer.

  • [Classification number] TP393.08
  • [Citation count] 6
  • [Download count] 519