Abstract
With the rapid development of the Internet, network security has attracted growing attention, and the firewall has become a key network security product. The border (perimeter) firewall, an effective network security technology, protects an enterprise's internal network, but as networks grow in scale and network technologies become more diverse, its shortcomings become increasingly apparent: it struggles to balance network security against network performance.
To overcome the defects of the traditional firewall while retaining its advantages, the concept of the distributed firewall was proposed. Its essential characteristics can be summarized as "policy defined centrally and enforced in a distributed manner; logs generated in a distributed manner and stored centrally": security policy must be defined uniformly by the administrator, pushed to the network edge, that is, to the hosts, for enforcement, and logs must be collected and managed centrally.
This thesis first analyzes the role of today's traditional firewall and the problems with it, then studies in depth the architecture, key technologies and advantages of the distributed firewall, and compares and summarizes the related technologies and several representative models from the research field.
Secondly, through a study of how firewall policy is defined, enforced and distributed, it discusses policy management in the distributed firewall and systematically analyzes the functions, characteristics and related technologies of the policy enforcer.
Thirdly, by comparing implementation schemes for the policy enforcer, analyzing its structure, processing flow and stability, and taking into account the current state of networks in China, a distributed firewall system is implemented, and the software implementation of its packet filtering module is presented.
Finally, the thesis is summarized and some problems worth further research are raised.
Keywords: distributed firewall, packet filtering, policy enforcer, NDIS
The Design and Research of the Distributed Firewall
Abstract
With the rapid development of the Internet, network security issues have drawn more and more attention, and the firewall has become a major network security product. The border firewall, as an effective network security technology, provides protection for an internal network, but in the face of expanding network size and increasing diversity of network technology, its shortcomings have become increasingly prominent: it is difficult for it to achieve a balance between network security and network performance.
In order to overcome the shortcomings of the traditional firewall while retaining its advantages, the concept of the distributed firewall was put forward. The essential feature of the distributed firewall can be summarized as "policy is made centrally and enforced in a decentralized way; logs are generated in a decentralized way and preserved centrally": the security policy must be defined uniformly by the administrator, pushed to the edge of the network, that is, to the hosts, for enforcement, and the logs must be collected and managed centrally.
This paper first analyzes the role of the current traditional firewall and its existing problems, then carries out in-depth research on the architecture, key technologies and advantages of the distributed firewall, and compares and summarizes distributed firewall technologies and several representative models from the research field.
Secondly, through research on the definition, enforcement and distribution mechanism of firewall policy, policy management in the distributed firewall is discussed, and the functions, features and related technologies of the policy enforcer are systematically analyzed.
Thirdly, by comparing implementation schemes for the policy enforcer, analyzing its structure, processing flow and stability, and taking into account the actual situation of networks in China, a distributed firewall system is realized, and the software implementation of its packet filtering module is given.
Finally, the paper is summarized and a number of issues worthy of further study are raised.
Key Words: Distributed Firewall, Packet Filtering, Policy Enforcer, NDIS
1 Introduction
1.1 Research Background
1.2 State of Research at Home and Abroad
2 Technical Foundations of the Distributed Firewall
2.1 Overview of Firewalls
2.2 Architecture and Implementation Techniques of Traditional Firewalls
2.2.1 Firewall Architecture
2.2.2 Firewall Implementation Techniques
2.2.3 The Role of the Firewall
2.2.4 Limitations of the Border Firewall
2.3 The Proposal of the Distributed Firewall
2.4 Performance Analysis of the Distributed Firewall
2.5 Basic Principles of the Distributed Firewall
2.6 Architecture and Basic Functions of the Distributed Firewall
2.6.1 Architecture of the Distributed Firewall
2.6.2 Functions of the Distributed Firewall
2.7 Key Technologies for Implementing the Distributed Firewall
3 Overall Design of the Distributed Firewall
3.1 Design Goals
3.1.1 Overview
3.1.2 Requirements of the Design Goals and Security Situation
3.2 System Architecture
3.3 Management and Control Center
3.4 Policy File
3.5 IP Filtering Policy Enforcer
3.5.1 Packet Filtering
3.5.2 Logging
4 Implementation of the Distributed Firewall
4.1 Development Platform and Development Tools
4.2 Implementation of the Packet Filtering Module
4.2.1 Design Principles of the Intermediate Layer
4.2.2 Writing the Intermediate-Layer Driver
4.2.3 Analysis of the Passthru Processing Flow
4.2.4 Implementing the Filtering Function in Passthru
4.3 Implementation of the Log Upload Function
4.3.1 Client Program
4.3.2 Server Program
5 Conclusions and Outlook
5.1 Conclusions
5.2 Outlook
References
Acknowledgements