Firewall Technology Based on the Intel IXA Architecture
Abstract
Firewall technology is an applied security technology built on modern communication network technology and information security technology, and it is deployed more and more widely where private networks connect to public networks. As an indispensable security measure, however, a firewall's performance directly determines network speed. A traditional proxy firewall, for example, provides a high level of protection but also becomes the bottleneck that limits network bandwidth, which greatly restricts its practical use. A new generation of firewall should not only better protect the internal network behind it but also deliver better overall performance.
    This thesis summarizes the key technologies involved in developing a high-performance firewall on Intel's IXA (Intel Internet Exchange Architecture). The firewall provides packet filtering, NAT, VPN and application proxy functions. The most basic of these is packet filtering: every packet is examined against predefined filter rules, and the rule it matches determines what is done with it. Dynamic packet filtering differs from plain packet filtering in that it checks a packet against the session state established by the packets that preceded it, and filters on that basis. Network Address Translation (NAT) was devised to relieve the shortage of addresses in traditional IP networks; it translates the address of each LAN node into an IP address, and vice versa, and thereby hides the internal network's addresses. A VPN (virtual private network) forms links dedicated to an enterprise over the public network. An application proxy, also called an application-layer gateway, takes part in the whole of a TCP connection by means of a proxy and thereby hides the structure of the internal network. The firewall also provides comprehensive logging and auditing. The system uses a modular, layered design and is characterized by high performance, robustness and reliability.
    This thesis describes in detail the design and implementation of the firewall based on Intel's IXA architecture, in five chapters:
    Chapter 1 introduces the design background: the development and current state of firewall technology, the Intel IXA architecture, and the author's own contribution.
    Chapter 2 is the requirements analysis for the firewall, stating its design goals and security properties.
    Chapter 3 describes the overall design, including the hardware and software design and the interface descriptions.
    Chapter 4 is the detailed design, explaining how each firewall function is implemented, with particular detail on packet filtering and NAT.
    Chapter 5 summarizes the state of the system, its distinguishing features and innovations, the questions that remain open, and directions for further development.
As an applied security technology built on modern communication and information security, the firewall is used more and more widely on the Internet. Although traditional firewalls provide high-level security protection, their performance can become a bottleneck that limits the bandwidth of the network, and this restricts their practical application. A new generation of firewall should not only better protect the network behind it but also deliver better performance.
    The basic function of a firewall is packet filtering, which checks every packet against specified filter rules to determine what to do with it. The filter rules are expressed in terms of packet header information such as the IP source address, IP destination address, transport protocol, TCP/UDP port and ICMP message type. Dynamic filtering checks packets according to session state, meaning that the action taken on a packet depends on the packets that preceded it. NAT relieves the heavy demand for Internet IP addresses and can hide LAN addresses; it has two types, static translation and dynamic translation. Proxying is a more sophisticated firewall function that performs security checks at the application layer. Moreover, a sound firewall needs complete logging and auditing functions.
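The static and dynamic filtering described above, as an added example that is not code from the thesis: a first-match rule table over the header fields the abstract lists (source and destination address, protocol, port), and a session table that lets a reply packet through only when the rules already accepted the session it belongs to. The packet and rule layouts, the rule set and the addresses are constructed for the example; the lookups are linear scans for clarity.

```c
/* Added example, not the thesis's code: a static packet filter with
 * first-match rules over header fields, plus a dynamic (stateful) filter
 * that admits packets belonging to a session the rules already accepted.
 * Addresses are IPv4 in host byte order; all sample data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };
enum { ACT_DROP = 0, ACT_ACCEPT = 1 };

/* Header fields the filter examines (an assumed layout, not the IXP1200's).
 * For ICMP, sport carries the message type and dport is 0. */
typedef struct {
    uint32_t src, dst;
    uint8_t  proto;
    uint16_t sport, dport;
    int      syn, ack;     /* TCP flags; ignored for other protocols */
} pkt_t;

/* A filter rule: mask 0 matches any address; proto 0 / dport 0 match any. */
typedef struct {
    uint32_t src, smask, dst, dmask;
    uint8_t  proto;
    uint16_t dport;
    int      action;
} rule_t;

static int rule_match(const rule_t *r, const pkt_t *p)
{
    if ((p->src & r->smask) != (r->src & r->smask)) return 0;
    if ((p->dst & r->dmask) != (r->dst & r->dmask)) return 0;
    if (r->proto && r->proto != p->proto) return 0;
    if (r->dport && r->dport != p->dport) return 0;
    return 1;
}

/* Static filter: the first matching rule decides; no match means drop. */
int filter_static(const rule_t *rules, int n, const pkt_t *p)
{
    for (int i = 0; i < n; i++)
        if (rule_match(&rules[i], p)) return rules[i].action;
    return ACT_DROP;
}

/* Session table for the dynamic filter, keyed by the 5-tuple as seen from
 * the initiator; lookups match either direction (linear scan for clarity). */
#define MAX_SESS 64
typedef struct { uint32_t a, b; uint16_t pa, pb; uint8_t proto; int used; } sess_t;
static sess_t sessions[MAX_SESS];

void sessions_reset(void) { memset(sessions, 0, sizeof sessions); }

static int sess_find(const pkt_t *p)
{
    for (int i = 0; i < MAX_SESS; i++) {
        const sess_t *s = &sessions[i];
        if (!s->used || s->proto != p->proto) continue;
        if (s->a == p->src && s->pa == p->sport && s->b == p->dst && s->pb == p->dport) return i;
        if (s->b == p->src && s->pb == p->sport && s->a == p->dst && s->pa == p->dport) return i;
    }
    return -1;
}

static int sess_add(const pkt_t *p)
{
    for (int i = 0; i < MAX_SESS; i++)
        if (!sessions[i].used) {
            sessions[i] = (sess_t){ p->src, p->dst, p->sport, p->dport, p->proto, 1 };
            return i;
        }
    return -1;  /* table full: the caller drops the packet */
}

/* Dynamic filter. A packet of a known session is accepted even if no static
 * rule allows it (this is how replies get back in). A packet that would
 * start a session must pass the static rules and, for TCP, must be a SYN
 * without ACK, so a bare ACK from outside cannot open a session. */
int filter_dynamic(const rule_t *rules, int n, const pkt_t *p)
{
    if (sess_find(p) >= 0) return ACT_ACCEPT;
    if (p->proto == PROTO_TCP && !(p->syn && !p->ack)) return ACT_DROP;
    if (filter_static(rules, n, p) != ACT_ACCEPT) return ACT_DROP;
    return sess_add(p) >= 0 ? ACT_ACCEPT : ACT_DROP;
}

/* Constructed rule set: 192.168.1.0/24 may open TCP port 80 anywhere. */
const rule_t demo_rules[] = { { 0xC0A80100u, 0xFFFFFF00u, 0, 0, PROTO_TCP, 80, ACT_ACCEPT } };

int main(void)
{
    pkt_t syn   = { 0xC0A8010Au, 0xCB007105u, PROTO_TCP, 40000, 80, 1, 0 };  /* 192.168.1.10 -> 203.0.113.5 */
    pkt_t reply = { 0xCB007105u, 0xC0A8010Au, PROTO_TCP, 80, 40000, 1, 1 };
    printf("reply before SYN: %d\n", filter_dynamic(demo_rules, 1, &reply));
    printf("SYN: %d\n", filter_dynamic(demo_rules, 1, &syn));
    printf("reply after SYN: %d\n", filter_dynamic(demo_rules, 1, &reply));
    return 0;
}
```

The static filter alone has to choose between rejecting the server's reply (no rule admits inbound traffic) and opening port 80 replies to everyone; the session table resolves this by remembering the accepted outbound SYN and admitting only the packets that belong to that exact 5-tuple.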
    This thesis introduces a high-performance firewall developed on Intel IXA. Intel IXA is a packet processing architecture that provides a foundation for software portability across multiple generations of network processors. It is centred on Intel network processors and is based on microengine technology, the Intel XScale microarchitecture and the Intel IXA Hardware Abstraction Layer. Intel IXA is an end-to-end family of high-performance, flexible and scalable hardware and software building blocks designed to meet the growing performance requirements of today's networks. Based on programmable silicon and software building blocks, Intel IXA solutions enable faster development, more cost-effective deployment and future upgradability of network and communications systems.
    The thesis first introduces the technology and background relevant to security and firewalls, and presents Intel IXA, in particular the structure and functions of the IXP1200 network processor. It then presents the complete hardware and software system of the firewall designed on Intel IXA, with emphasis on dynamic filtering and NAT. The thesis closes with its conclusions and with suggested improvements and solutions for the open problems.
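The two NAT types the abstract names, static translation and dynamic translation, as an added example that is not the thesis's own code. Static NAT rewrites one inside address to one outside address 1:1; dynamic NAT shares a single outside address among many inside hosts by allocating an outside port per outbound flow, and an inbound packet that matches no mapping is dropped, which is what hides the LAN addresses. The packet layout, the outside address 203.0.113.1, the static mapping 192.168.1.100 to 203.0.113.100 and the port range are constructed for the example.

```c
/* Added example, not the thesis's code: NAT on the firewall's outside
 * interface. Static NAT maps one inside address to one outside address 1:1;
 * dynamic NAT (port translation) shares a single outside address among many
 * inside hosts, creating a mapping per outbound flow. Addresses are IPv4 in
 * host byte order; the outside address, the static mapping and the port
 * range are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t src, dst; uint8_t proto; uint16_t sport, dport; } pkt_t;

#define NAT_PUBLIC_IP 0xCB007101u   /* 203.0.113.1, the shared outside address */
#define NAT_PORT_LO   40000
#define NAT_PORT_HI   49999
#define MAX_MAP       64

/* Static 1:1 mappings (inside address <-> outside address). */
typedef struct { uint32_t inside, outside; } static_map_t;
static const static_map_t static_maps[] = {
    { 0xC0A80164u, 0xCB007164u },   /* 192.168.1.100 <-> 203.0.113.100 */
};
#define N_STATIC (sizeof static_maps / sizeof static_maps[0])

/* Dynamic mappings: (inside address, inside port, protocol) -> outside port. */
typedef struct { uint32_t in_ip; uint16_t in_port, out_port; uint8_t proto; int used; } dyn_map_t;
static dyn_map_t dyn[MAX_MAP];
static uint16_t next_port = NAT_PORT_LO;

void nat_reset(void) { memset(dyn, 0, sizeof dyn); next_port = NAT_PORT_LO; }

/* Outbound (inside -> outside): rewrite the source. Returns 1 on success, 0
 * when no outside port or table slot is free (the packet should be dropped). */
int nat_outbound(pkt_t *p)
{
    for (size_t i = 0; i < N_STATIC; i++)
        if (static_maps[i].inside == p->src) { p->src = static_maps[i].outside; return 1; }
    for (int i = 0; i < MAX_MAP; i++) {
        const dyn_map_t *m = &dyn[i];
        if (m->used && m->in_ip == p->src && m->in_port == p->sport && m->proto == p->proto) {
            p->src = NAT_PUBLIC_IP; p->sport = m->out_port; return 1;   /* existing flow */
        }
    }
    if (next_port > NAT_PORT_HI) return 0;   /* outside port range exhausted */
    for (int i = 0; i < MAX_MAP; i++)
        if (!dyn[i].used) {
            dyn[i] = (dyn_map_t){ p->src, p->sport, next_port++, p->proto, 1 };
            p->src = NAT_PUBLIC_IP; p->sport = dyn[i].out_port; return 1;
        }
    return 0;
}

/* Inbound (outside -> inside): rewrite the destination. A packet for the
 * shared address that matches no mapping is dropped: a dynamically translated
 * host is unreachable from outside until it has sent something first. */
int nat_inbound(pkt_t *p)
{
    for (size_t i = 0; i < N_STATIC; i++)
        if (static_maps[i].outside == p->dst) { p->dst = static_maps[i].inside; return 1; }
    if (p->dst != NAT_PUBLIC_IP) return 0;
    for (int i = 0; i < MAX_MAP; i++) {
        const dyn_map_t *m = &dyn[i];
        if (m->used && m->out_port == p->dport && m->proto == p->proto) {
            p->dst = m->in_ip; p->dport = m->in_port; return 1;
        }
    }
    return 0;
}

int main(void)
{
    pkt_t out = { 0xC0A8010Au, 0xCB007105u, 6, 51000, 80 };   /* 192.168.1.10:51000 -> 203.0.113.5:80 */
    nat_outbound(&out);
    printf("outbound now from %08x:%u\n", out.src, out.sport);
    pkt_t back = { 0xCB007105u, NAT_PUBLIC_IP, 6, 80, out.sport };
    int delivered = nat_inbound(&back);
    printf("reply delivered: %d, to %08x:%u\n", delivered, back.dst, back.dport);
    return 0;
}
```

The mapping table is the same kind of per-flow state the dynamic filter keeps, which is why the thesis treats the two functions together; in practice the NAT entry and the session entry would be expired on the same timer, which this example omits.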