

The Design of an Embedded Firewall Based on the IXP425 Network Processor

[Author] Zhong Xia (钟夏)

[Advisor] Chen Jianxun (陈建勋)

[Author information] Wuhan University of Science and Technology (武汉科技大学), Computer Application Technology, 2008, Master's thesis

[Abstract (translated from the Chinese original)] The Internet has entered a new era and is increasingly becoming part of our daily lives, but at the same time the security problems it brings are ever more prominent and can no longer be ignored. Embedded platforms, being secure, efficient and low-cost, have been widely applied in many fields, and network security is naturally among them. Traditional antivirus software relies on a huge virus signature database to defend and protect the computer, but with the sharp rise in the number and variety of viruses in recent years the signature database has swollen enormously, and its updates can never keep pace with the spread of viruses, so this mode of network defence shows serious shortcomings. Domestic hardware firewalls are mostly products based on the Intel x86 architecture, and because of the limitations inherent in x86 their performance cannot break through. Firewalls that use ASIC hardware acceleration can clearly raise throughput, but they lack flexibility and extensibility for upgrades and maintenance, and their development cost is high and the development cycle long. A network processor combines the programmability of a general-purpose processor with the advantages of an ASIC. It is a processor designed specifically for network devices to handle network traffic; its architecture and instruction set are optimised for the packet-filtering, forwarding and similar algorithms and operations that firewalls commonly use, so it can perform the common operations of the TCP/IP stack efficiently and process network traffic quickly and concurrently. This thesis proposes a firewall that combines a network processor with embedded Linux, adopting a default packet policy of denying everything and explicitly allowing only selected packets to pass, and designs a packet-filtering firewall that can protect the inner network to a large degree. On the basis of a thorough analysis of the IXP425 hardware development platform, the design customises Redboot as the boot loader and uses a trimmed-down Linux 2.4 as the operating system platform, providing stable and reliable support for the upper-layer software. The Linux firewall kernel was studied in depth and the implementation mechanism of its framework mastered; on the hardware platform integrating the IXP425 network processor, an embedded firewall with basic packet-filtering functionality was implemented, together with a user-friendly graphical configuration interface that lets users configure the firewall conveniently in real time and add their own custom rules.

[Abstract (English)] The Internet has entered a new era and is becoming part of our daily lives; at the same time, however, the security problems it brings have become increasingly unavoidable and demand attention. Embedded systems, as a safe, low-cost and efficient platform, have been widely used in many fields, and network security is one of them. Traditional antivirus software protects the computer by depending on a huge virus signature library, but as viruses multiply the library keeps growing, and its updates cannot keep up with the spread of viruses; this style of network protection has serious limitations. Most domestic firewall products are based on the Intel x86 architecture, and because of the limitations of x86 their performance cannot be pushed further. Although a firewall accelerated by ASIC hardware can improve throughput, its flexibility and extensibility for upgrades are inadequate, its development cost is high and its development cycle is long. A network processor combines the programmability of a general-purpose processor with the advantages of an ASIC. It is designed specifically for network devices to handle network traffic; its architecture and instruction set are optimised for the algorithms and operations of packet filtering, forwarding and the like, so it can carry out the common operations of the TCP/IP protocol stack efficiently and process network traffic at high speed. This thesis presents a firewall that combines a network processor with an embedded Linux operating system. It uses a policy that forbids all packets by default, letting users add rules that allow the packets they choose, and implements firewall functionality that protects the inner network to a high degree. The design is based on a full analysis of the IXP425 hardware development platform: the Redboot bootloader and the Linux kernel were customised as the operating system to give stable support. We studied the theory and mastered the architecture of the Linux firewall. The project implements an embedded firewall with packet-filtering functionality on a platform integrating the IXP425 network processor, and develops a management interface through which users can customise the firewall and add rules.
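The "deny everything by default, explicitly allow selected packets" policy that the abstract describes, written out as an iptables rule set for a Linux 2.4 gateway. This is an added example, not code from the thesis; the interface names, the inner subnet and the allowed services are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the thesis's own code): default-deny packet filtering with
# explicit allow rules, for iptables on a Linux 2.4 gateway. Interface names, the
# inner subnet and the allowed services below are assumptions for illustration.
LAN_IF="${LAN_IF:-eth0}"                # assumed: interface facing the inner network
WAN_IF="${WAN_IF:-eth1}"                # assumed: interface facing the Internet
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed: inner network address range

# Emit the rule set as text instead of running it, so it can be reviewed first.
gen_rules() {
  cat <<EOF
iptables -F
iptables -X
# default policy: drop on every built-in chain; only explicit ACCEPT rules pass traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# local loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections that were already allowed (2.4 connection tracking)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# explicitly allowed: inner hosts may open HTTP, HTTPS and DNS to the outside
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport 53 -m state --state NEW -j ACCEPT
# the firewall's own CGI configuration page is reachable only from the inner network
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -m state --state NEW -j ACCEPT
# record (rate-limited) what the default policy is about to drop
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
EOF
}

# A user-defined allow rule of the kind the configuration interface would add:
# user_allow <tcp|udp> <port>   (inserted at the top of FORWARD, ahead of the LOG rule)
user_allow() {
  echo "iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -s $LAN_NET -p $1 --dport $2 -m state --state NEW -j ACCEPT"
}

# Apply on the gateway itself (needs root): apply_rules ; user_allow tcp 22 | sh
apply_rules() { gen_rules | sh; }
```

Because the default policy is DROP on all three chains, any traffic not matched by an ACCEPT rule (including the allowed services in the reverse direction without a tracked connection) is silently discarded, which is exactly the failure mode to check for when a user-added rule does not behave as expected.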

[Key words] Network processor; IXP425; Linux firewall; CGI

