Research on Log Management and Rule Optimization in a Firewall Experiment System
Abstract
With the rapid development of computer network technology, society is becoming ever more information-driven. It is increasingly easy for people to obtain the information they need over the Internet, but this also brings security problems such as information loss and leakage. Raising the security level of information transmission is one way to address these problems; equally important is that users learn, train in and practise computer network and information security technology.
Although traditional firewall technology, among the network protection technologies, is by now fairly mature, firewall systems intended for teaching experiments are still largely in their infancy. A recent research result funded by the national 863 Program, a firewall teaching experiment system that supports multi-user concurrent control, fills this gap, but defects in its own log management subsystem and in its rule-matching speed still cause certain performance problems for the system. This thesis aims to improve that firewall teaching experiment system by studying and improving its weak technical links, with the emphasis on log management technology and rule optimization.
The thesis first analyzes the characteristics of teaching experiments and of firewall functionality, and combines them to analyze the characteristics of a firewall teaching experiment system; on that basis it designs an implementation framework for the experiment system and discusses the key implementation technologies. It then introduces the large-scale concurrent control technology in the firewall teaching experiment system and examines the fundamental differences in rules between a firewall teaching system and an ordinary firewall. Next, based on the characteristics of the teaching system, it designs and implements the log management module of the firewall teaching system, solving the original system's problems of log access that could not be managed in a unified way and of low access efficiency. Finally, building on the log management system, the thesis studies the problem of firewall rule optimization and demonstrates the optimization of the firewall rules through experimental results.
The algorithms and techniques studied in the thesis effectively solve many problems of log management and operating efficiency in the firewall experiment teaching system and raise the operating efficiency of the whole system, thereby clearing many obstacles on the way to a complete implementation of a firewall teaching experiment system supporting multi-user concurrent control.
With the development of computer network and information technology, it is more convenient to get access to the Internet and to transmit data. The fact that should not be ignored is that people face the dangers of privacy leaking, virus threats and hacker attacks when they connect to the Internet. On one hand, the information security level has to be improved; on the other hand, we should learn something about computer network and information security technology. So, today, more researchers are working on how to provide a platform for learning, training and practising these technologies.
Though, among the current network protection technologies, traditional firewall technology is relatively developed, the experiment firewall system intended for educational experiments is still in the developing phase. The new research achievement, a multi-user concurrent control supported experiment firewall system sponsored by the national 863 project, fills this gap. This paper is aimed at researching and improving the weaknesses of the experiment firewall system in order to perfect it. The improvement focuses on log management technology and firewall rule optimization.
At the beginning, this paper analyzes the features of educational experiments and of firewall functions. Based on these features, we analyze the traits of the experiment firewall system, design the framework of the system, and discuss the key technologies for the implementation. After that, this paper introduces the multi-user concurrent technology in the experiment firewall system to discuss the basic differences between a traditional firewall and the experiment firewall system. Furthermore, this paper designs and implements the universal log management module of the experiment system, thus solving the problems of difficult universal management and low efficiency in the original log management. At last, based on the use of the universal log management system, this paper researches firewall rule optimization to improve the experiment firewall system's performance. The positive result of the performance improvement by this technique is proved by experiments.
The algorithms and technologies in this paper effectively improve the experiment firewall system's log management and rule matching performance, thus improving the overall performance of the system and helping to perfect the multi-user concurrent control supported experiment firewall system.