
Design and Implementation of a Network-Processor-Based Firewall Rule-Matching Module and Intrusion Detection System Preprocessing Module

The Design and Implement of Rule Matching Core Component of Firewall and the Preprocessors Module of IDS

【Author】 王钰

【Advisor】 武穆清

【Author information】 Beijing University of Posts and Telecommunications, Communication and Information Systems, 2007, Master's degree

【Abstract (Chinese, translated)】 With the growing demand for multimedia services such as voice and video, networks have developed rapidly. Schools, enterprises, banks, government agencies and other organizations all have their own local area networks. These LANs are ultimately interconnected through the Internet and use it to transmit commercial information and other important data. But while the Internet has grown at high speed, network crime has risen sharply; network security now confronts people as a very serious problem and receives more and more attention. Protecting the security of the LAN has therefore become an important subject. The firewall is one of the most important network security devices today. It is deployed between a trusted network and an untrusted network and inspects the traffic passing through it. It is the single entry and exit point for information between different networks or network security domains, can control the information flow into and out of the network according to the enterprise's security policy, and is itself strongly resistant to attack. The firewall thus occupies a unique position between the trusted and the untrusted network. The intrusion detection system (IDS) is a powerful complement to the firewall. It can detect attacks on the network and, if anomaly detection techniques are used, can also discover new kinds of attack. Because the IDS works in parallel with the other hosts, its application-layer inspection has no impact on network performance. Intrusion detection is therefore a strong complement to the firewall, and the two are ultimately made to work in coordination. Unlike routers and switches, however, firewalls and intrusion detection systems must perform complex processing on the packets passing through them, so they have very high performance requirements and must process fast enough. To meet the security needs of gigabit networks, many solutions have been proposed, mainly of three kinds: implementation on a general-purpose CPU, on an application-specific integrated circuit (ASIC), and on a network processor. Each has advantages and disadvantages: the general-purpose CPU approach is the simplest to implement, but processing speed is a major bottleneck; the ASIC approach is fast, but inflexible and has a long development cycle; the network-processor approach combines high-speed processing with good programmability. The firewall and IDS researched and developed in our laboratory are based on the Intel IXP2400 network processor, so Chapter 1 introduces network processors in general and describes the Intel IXP2400 in detail. Within the firewall and IDS research and development project, the author specifically designed the rule-matching module of the firewall and the decoding/preprocessing module of the IDS. Accordingly, after Chapter 2 introduces firewall and intrusion detection technology and Chapter 3 introduces the overall design of the developed system, Chapter 4 focuses on the functional design and implementation flow of each sub-module of the firewall rule-matching module, and Chapter 5 on the functional design and implementation flow of the IDS decoding/preprocessing module. In addition, the second part of the thesis (Chapter 6) presents the author's work on another laboratory project, "Research and Development of a Hybrid Positioning System Based on GSM/GPRS Networks". Chapter 6 first introduces the development of location services, then the overall design of the hybrid positioning terminal, and finally describes the design and implementation of the central processing module in detail.

【Abstract】 With the rapid growth of demand for multimedia services such as voice and video, networks have developed swiftly. Organizations such as schools, enterprises and banks all have LANs. These LANs are ultimately interconnected through the Internet and transmit commercial information and other important data through it. While the Internet develops at full speed, network crime is rising rapidly; network security has been placed before people as a very severe problem and has received more and more concern and attention. Protecting the security of the LAN has therefore become a very important subject. Nowadays the firewall is the most important network security device. A firewall is located between the internal network and the Internet and performs complex handling of the packets that pass through it in order to protect the internal network effectively. The Intrusion Detection System (IDS) is an effective supplement to the firewall. It can detect network attacks and, using anomaly detection technology, can also discover new network attacks. Because the IDS works in parallel with the other hosts, its inspection of the application layer does not affect network performance. The IDS is therefore an effective supplement to the firewall and is eventually linked with it. Unlike a router or switch, however, a firewall must carry out complex handling of the packets that pass through it in order to protect the internal network effectively; for example, stateful inspection needs to analyse the transport layer of the packet. The performance of the firewall is therefore required to be excellent. Especially in a gigabit network, the firewall is expected to be fast enough to forward packets at wire speed, which is a great challenge. To meet the security requirements of gigabit networks, several solutions have been proposed: implementation based on a general-purpose CPU, implementation based on an ASIC, and implementation based on a network processor. Each has its own advantages and disadvantages. A firewall based on a general-purpose CPU can be implemented very easily, but speed is a great bottleneck; one based on an ASIC can reach high speed, but with poor flexibility and a long development cycle; a firewall based on a network processor is a trade-off between the other two. Chapter one introduces the characteristics and functions of network processors, mainly describing the architecture and IXA software framework of the Intel IXP2400 network processor. This dissertation presents what the author did on implementing a firewall based on a network processor during graduate study. Chapter two briefly introduces firewall technologies and intrusion detection technologies. Chapter three introduces the functional design of the gigabit packet-filter firewall. As the author was responsible for the design of the rule-matching core component of the firewall and the preprocessor module of the IDS, chapter four describes the design, coding and testing of the rule-matching subsystem in detail; chapter five introduces the functional design of the IDS, then describes the design, coding and testing of the preprocessor subsystem in detail. The other part of the dissertation (chapter six) first introduces the functional design of an A-GPS/Cell-ID hybrid location system based on the GSM/GPRS network, then describes the design, coding and testing of its core function module in detail.

  • 【Classification number】TP393.08
  • 【Citation count】6
  • 【Download count】200