Design and Implementation of a Network Application Identification and Control System Based on Next-Generation Firewall Technology
[Abstract]: With the development of information technology, the spread of enterprise informatization and the optimization of e-government, enterprises and institutions have entered the era of Internet technology, making full use of information technology, computer technology and network technology to improve their production and working efficiency. But this has also brought problems, such as declining network performance, low network utilization and the prevalence of network viruses. For enterprises and institutions, identifying and controlling network applications is very important, not only to raise the organization's management level but also to ensure the normal and efficient operation of its information systems. Application identification and control systems represented by the traditional firewall perform security checks on the packet five-tuple. Judging by IP address and port has long been unable to identify the specific application type, and it is even harder to identify and control individual functions of the same application software at fine granularity, so this approach cannot meet current network management and security requirements. This paper focuses on the key technologies of the next-generation firewall, including DPI and network application identification and control, which play an important role in the next-generation firewall. The network application identification and control system serves as the implementation platform for DPI application identification technology. It can accurately identify the various application protocols in the network and exercise fine-grained control over the corresponding protocols. The system can also be extended with modules.
The purpose of this paper is to give enterprise users an effective technical means of controlling employees' Internet access so as to ensure network security, and to actively explore the connection between system security and convenient use of the system. The paper studies the current state and development trends of firewall technology and network access control, and compares the common firewall products on the market. It puts forward the design goals and functional requirements of a network application identification and control system based on next-generation firewall technology, and designs the overall structure and workflow of the system. The key technologies used in developing the system and the conditions for implementing the scheme are briefly introduced. Specifically, the main work of this paper is as follows:
1. It analyzes the key technologies of the traditional firewall and the challenges it faces, and points out the new features and key technologies of the next-generation firewall.
2. Based on the characteristics of the next-generation firewall, it presents a scheme for identifying and controlling network applications using DPI technology.
3. It studies and designs the system architecture for application identification and control. The system can accurately identify network applications and formulate control strategies for different applications.
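[Degree-granting institution]: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology)
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08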
Article ID: 2292839
Article link: http://sikaile.net/guanlilunwen/ydhl/2292839.html