Design and Implementation of a Network-Processor-Based Firewall Rule-Matching Module and an Intrusion Detection System Preprocessing Module
Abstract
As demand for multimedia services such as voice and video keeps growing, networks have developed rapidly. Schools, enterprises, banks, government agencies and other organizations all have their own local area networks. These LANs are ultimately interconnected through the Internet and use it to carry business information and other important data. While the Internet has grown so rapidly, network crime has risen sharply; network security has become a very serious problem and receives more and more attention. Protecting the security of LANs has therefore become a very important subject.
     The firewall is one of the most important network security devices today. It is deployed between a trusted network and an untrusted network and inspects the traffic that passes through it. It is the only entry and exit point for information between different networks or security domains; it can control the flow of information into and out of the network according to the organization's security policy, and it is itself strongly resistant to attack. The firewall thus occupies a unique position between the trusted and untrusted networks.
     An intrusion detection system is a powerful complement to the firewall. It can detect attacks on the network and, if anomaly detection techniques are used, can also discover new attack behaviour. Because the intrusion detection system works in parallel with the other hosts, its application-layer inspection has no impact on network performance. Intrusion detection is therefore a powerful complement to the firewall, and the ultimate goal is coordinated operation (linkage) with the firewall.
     However, unlike routers and switches, firewalls and intrusion detection systems must perform complex processing on the packets that pass through them, so they have high performance requirements and must process packets fast enough. To meet the security requirements of gigabit networks, a number of solutions have been proposed, mainly of three kinds: implementation on a general-purpose central processing unit (CPU), implementation on an application-specific integrated circuit (ASIC), and implementation on a network processor. Each has its advantages and disadvantages: implementation on a general-purpose CPU is the simplest, but processing speed becomes a serious bottleneck; an ASIC implementation is fast, but inflexible and has a long development cycle; while an implementation on a network processor offers both high-speed processing and good programmability. The firewall and intrusion detection system researched and developed in our laboratory are implemented on the Intel IXP2400 network processor; Chapter 1 of this thesis therefore introduces network processors and describes the Intel IXP2400 network processor in detail.
     In the firewall and intrusion detection system research and development project, the author was specifically responsible for designing the rule-matching module of the firewall and the decoding/preprocessing module of the intrusion detection system. Accordingly, after Chapter 2 introduces firewall and intrusion detection technology and Chapter 3 introduces the overall design of the developed system, Chapter 4 focuses on the functional design and implementation flow of each sub-module of the firewall rule-matching module, and Chapter 5 presents the functional design and implementation flow of the decoding/preprocessing module of the intrusion detection system.
     In addition, the second part of the thesis (Chapter 6) presents the author's work on another laboratory project, "Research and Development of a Hybrid Positioning System Based on GSM/GPRS Networks". Chapter 6 first reviews the development of location services, then introduces the overall design of the hybrid positioning terminal, and finally describes the design and implementation of the central processing module in detail.
With the rapid increase in demand for multimedia services such as voice and video, networks have developed rapidly. Many organizations, such as schools, enterprises and banks, have their own LANs. These LANs are ultimately interconnected through the Internet and transmit commercial information and other important data over it. While the Internet develops at full speed, network crime is rising rapidly; network security confronts people as a very severe problem and receives more and more concern and attention. Protecting the security of the LAN has therefore become a very important subject.
     Nowadays the firewall is the most important network security device. A firewall is located between the internal network and the Internet and performs complex handling of the packets that pass through it in order to protect the internal network effectively.
     An intrusion detection system is an effective supplement to the firewall. It can detect network attacks and, using anomaly detection technology, can also discover new network attacks. Because the intrusion detection system works in parallel with the other hosts, its inspection of the application layer does not affect network performance. The IDS is therefore an effective supplement to the firewall, and eventually operates in linkage with the firewall.
     However, unlike a router or switch, a firewall must perform complex handling of the packets that pass through it in order to protect the internal network effectively; for example, stateful inspection needs to analyse the transport layer of each packet. The performance of the firewall must therefore be excellent. Especially in a gigabit network, we want the firewall to be fast enough to forward packets at wire speed, which is a great challenge for the firewall.
     To meet the security requirements of gigabit networks, several solutions have been proposed, including implementation on a general-purpose CPU, implementation on an ASIC, and implementation on a network processor. Each of these solutions has its own advantages and disadvantages. A firewall based on a general-purpose CPU can be implemented very easily, but speed is a great bottleneck. One based on an ASIC can reach high speed, but has poor flexibility and a long development cycle. A firewall based on a network processor is a trade-off between the other two approaches. Chapter 1 introduces the characteristics and functions of network processors, and mainly describes the architecture and IXA software framework of the Intel IXP2400 network processor.
     This thesis presents the author's work on implementing a network-processor-based firewall during the author's graduate studies. Chapter 2 briefly introduces firewall technologies and intrusion detection technologies. Chapter 3 introduces the functional design of the gigabit packet-filtering firewall. As the author was responsible for the design of the rule-matching core component and the preprocessor module of the intrusion detection system, Chapter 4 describes the design, coding and testing of the rule-matching subsystem in detail, and Chapter 5 introduces the functional design of the intrusion detection system and then describes the design, coding and testing of the preprocessor subsystem in detail.
     The other part of the dissertation (Chapter 6) first introduces the functional design of an A-GPS/Cell-ID hybrid location system based on the GSM/GPRS network, then describes the design, coding and testing of its core function module in detail.