Design of a Stateful Firewall Based on a Rule-Programmable Mechanism

A Design of Stateful Firewall Based on Programmable-rule Methodology

【Author】 张开宇 (Zhang Kaiyu)

【Supervisor】 陆松年 (Lu Songnian)

【Author information】 Shanghai Jiao Tong University, Communication and Information Systems, 2009, Master's

【Abstract (translated from the Chinese)】 Firewalls are among the most commonly used technical means of defending against network attacks, and their theory and technology have advanced considerably through the contest with such attacks. Among the various types of firewall, stateful firewalls offer better flexibility and stronger defense against attacks than the earliest packet-filtering firewalls, and therefore play a decisive role in protecting user networks. However, as attack techniques grow ever more diverse and differentiated, firewalls are increasingly stretched thin in the face of new kinds of attack. For firewall technology to advance further, the existing theoretical framework must be improved and extended with new ideas, and these must be validated from the standpoint of technical feasibility. Building on an in-depth analysis of the strengths and weaknesses of traditional firewall theory and technology, this thesis focuses on ways to overcome those weaknesses and designs and implements a stateful firewall with a rule-programmable mechanism. First, starting from a summary of traditional firewall principles and techniques, it analyzes the advantages and disadvantages of each type of traditional firewall, with particular attention to the traditional stateful technique, stateful inspection. To address two shortcomings of stateful inspection, its single kind of state and its insufficiently flexible packet-filtering logic, an improved stateful model is proposed that extends and deepens the two concepts of state and state-update logic. On the basis of this model, a rule-programmable stateful firewall is proposed. The design of the rule-programmable firewall is studied in detail with respect to its overall architecture, rule-library structure, rule interface, rule language, and rule compiler. Two aspects receive particular attention: the design of the rule-library structure, guided by the principle of efficient rule matching, and the design of the rule language used to describe state and state-update logic. Second, the thesis presents a concrete implementation of the scheme on a PC running the Windows 7 operating system, discusses the difficulties encountered during implementation in detail, and gives a corresponding solution for each. Taking a specific attack, brute-force guessing of FTP user passwords, as an example, the corresponding defense strategy is deployed in the form of programmable rules. Experiments show that the scheme offers good flexibility and extensibility and can meet the need to deploy complex defense strategies. Finally, the thesis analyzes the development and application prospects of stateful firewalls that adopt a rule-programmable mechanism, and proposes directions for further research.

【Abstract】 Firewalls are common security equipment for defending against network attacks, and their theory and technology have made remarkable progress. Among all types of firewall, stateful firewalls, compared with early packet-filtering firewalls, have better flexibility and more powerful defense capabilities and thus play an important role in protecting user hosts. However, as network attacks present themselves with more diversity, traditional firewalls are beginning to fail to defend against them. For firewall technology to improve, innovation must be built on current theories. Based on a summary of traditional firewall theories, the article focuses on looking for ways to overcome their defects, leading to our design and implementation of the rule-programmable methodology. The paper begins with a summary of traditional firewall theories and technology, analyzing their advantages and shortcomings. The traditional stateful technology, state inspection, is discussed with priority. Based on that, we explore its defects and its possible development. After that, the concepts 'State' and 'State Update Logics' are extended and a more general stateful firewall model is presented. Based on the model, the rule-programmable stateful firewall is proposed. The design of its structure, rule factory, rule interface, rule language and rule compiler is covered in detail, among which two parts are given priority. One is the design of the rule factory, aimed at a high-performance rule-matching process. The other is the design of the rule language used to describe state and state update logics. The article also presents an implementation of the idea under a Windows 7 environment. The difficulties encountered are covered in detail, and a solution is given for each. A defense strategy against a password-guessing brute-force attack is given and deployed as a test case to prove the validity of our implementation. Experimental results indicate that the scheme has better flexibility and meets the need to implement complex defense strategies. Finally, the article covers the future development and application prospects of rule-programmable stateful firewalls. Possible further research ideas are also proposed.
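The abstract describes two ideas without showing them: a stateful model in which each rule carries its own state and state-update logic, and a defense against FTP password brute-forcing deployed as such a rule. The following is an added illustration, not code from the thesis (whose rule language, rule library and compiler are not reproduced on this page); it models a rule as a match predicate, a state-update step and a verdict, keeps per-client state across both directions of the FTP control connection, and blocks a client after repeated `530` login failures. The addresses, ports, the three-failure threshold (`MAX_FAILURES`) and the FTP exchange are constructed for the demo.

```python
"""Toy rule-programmable stateful firewall (added example, not the thesis's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FTP_PORT = 21
MAX_FAILURES = 3  # assumed threshold for the brute-force defense rule


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str  # first line of the FTP control message, constructed for the demo


@dataclass
class Rule:
    """A programmable rule: a match predicate, a state-update step and a verdict."""
    name: str
    match: Callable[[Packet, dict], bool]
    update: Callable[[Packet, dict], None]
    verdict: str


def client_of(pkt: Packet) -> str:
    """Connection state is keyed by the client address regardless of direction."""
    return pkt.dst if pkt.sport == FTP_PORT else pkt.src


def note_failure(pkt: Packet, st: dict) -> None:
    """State-update logic: count a failed login, block once the threshold is hit."""
    st["ftp_failures"] += 1
    if st["ftp_failures"] >= MAX_FAILURES:
        st["blocked"] = True


def reset_failures(pkt: Packet, st: dict) -> None:
    """A successful login clears the failure counter."""
    st["ftp_failures"] = 0


def no_update(pkt: Packet, st: dict) -> None:
    return None


# Rules are evaluated in order; the first match decides the verdict.
RULES: List[Rule] = [
    Rule("drop-blocked-client",
         lambda p, s: p.dport == FTP_PORT and s["blocked"], no_update, "DROP"),
    Rule("ftp-login-failed",
         lambda p, s: p.sport == FTP_PORT and p.payload.startswith("530"), note_failure, "ACCEPT"),
    Rule("ftp-login-ok",
         lambda p, s: p.sport == FTP_PORT and p.payload.startswith("230"), reset_failures, "ACCEPT"),
    Rule("default", lambda p, s: True, no_update, "ACCEPT"),
]


class StatefulFirewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Dict[str, dict] = {}  # per-client state table

    def process(self, pkt: Packet) -> Tuple[str, str]:
        st = self.state.setdefault(client_of(pkt), {"ftp_failures": 0, "blocked": False})
        for rule in self.rules:
            if rule.match(pkt, st):
                rule.update(pkt, st)  # state update runs only for the matching rule
                return rule.name, rule.verdict
        raise AssertionError("unreachable: the default rule matches everything")


SERVER = "192.0.2.10"  # constructed FTP server address


def c2s(client: str, line: str) -> Packet:
    return Packet(client, 40000, SERVER, FTP_PORT, line)


def s2c(client: str, line: str) -> Packet:
    return Packet(SERVER, FTP_PORT, client, 40000, line)


def ftp_bruteforce_demo() -> Tuple[StatefulFirewall, List[Tuple[str, str]]]:
    """Replay a constructed guessing session; the fourth guess is dropped."""
    attacker, other = "10.0.0.5", "10.0.0.9"
    packets = [
        c2s(attacker, "USER alice"), s2c(attacker, "331 Password required"),
        c2s(attacker, "PASS guess1"), s2c(attacker, "530 Login incorrect"),
        c2s(attacker, "PASS guess2"), s2c(attacker, "530 Login incorrect"),
        c2s(attacker, "PASS guess3"), s2c(attacker, "530 Login incorrect"),
        c2s(attacker, "PASS guess4"),  # client is now blocked
        c2s(other, "USER bob"),        # unrelated client is unaffected
    ]
    fw = StatefulFirewall(RULES)
    return fw, [fw.process(p) for p in packets]


if __name__ == "__main__":
    _, verdicts = ftp_bruteforce_demo()
    for name, verdict in verdicts:
        print(f"{verdict:6} {name}")
```

The separation matters for the thesis's point: the packet-filtering logic (the `match` predicates) and the state-update logic (`note_failure`, `reset_failures`) are both supplied by the rule author rather than fixed in the engine, so a new defense strategy is a new rule, not a new firewall.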
