Research on Key Technologies for Firewall Configuration Rule Conflict Detection
Published: 2018-12-19 13:20
[Abstract]: Network technology has greatly improved people's lives, but network security problems also pose a serious threat. A firewall is one of the key measures for protecting network security, and its configuration policy is its core function. Whether a firewall's policy is configured correctly and sensibly directly affects the firewall's performance. Adding rules to a firewall policy often causes conflicts among rules, and redundant rules in the firewall increase packet-matching time; both seriously degrade firewall performance. This thesis therefore focuses on two key technologies addressing these two situations. One main cause of firewall policy errors is change to the configuration policy itself. Networks constantly evolve and new security problems keep emerging, so users behind the firewall frequently need the rule administrator to modify the existing policy in order to allow or protect new services. This thesis first proposes a trie-based firewall rule conflict detection algorithm: it inserts a new rule into the existing firewall configuration and reports to the administrator the precise change in effect that the rule causes. The administrator can evaluate the firewall according to that change and then decide where the rule should be placed, or even whether it needs to be added at all. A firewall policy is ordered by sequence number as priority: the earlier a rule's sequence number, the higher its priority, and packets are matched against the rules in order from first to last. Matching efficiency can therefore be improved by shrinking the policy. As enterprises grow, firewall policies can reach hundreds or even thousands of rules, and because the same firewall's policy may be configured by different administrators, redundant overlap between rules is unavoidable. Current redundancy conflict detection works only between pairs of rules; redundant coverage across multiple rules can only be found by brute-force or exhaustive search. On this basis, the thesis gives a new definition of redundant rules and proposes a four-tuple decision tree algorithm based on an improved decision tree model, which can detect redundant coverage among multiple rules.
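As an added illustration (not code from the thesis), the following Python models the first-match policy semantics the abstract describes, computes the exact effect change of inserting a candidate rule at a given position, and contrasts a pairwise redundancy check with one that catches a rule shadowed only by the union of several earlier rules. The packet space, the sample policy and the candidate rule are constructed toy values.

```python
from itertools import product

# Constructed toy packet space (tiny so the policy's effect can be enumerated exactly)
SRC, DST, PROTO, PORT = range(16), range(16), ("tcp", "udp"), range(8)

def packets():
    return product(SRC, DST, PROTO, PORT)

def match(rule, pkt):
    # rule = ((src_lo, src_hi), (dst_lo, dst_hi), proto or None, (port_lo, port_hi), action)
    (s_lo, s_hi), (d_lo, d_hi), proto, (p_lo, p_hi), _ = rule
    src, dst, pr, port = pkt
    return (s_lo <= src <= s_hi and d_lo <= dst <= d_hi
            and (proto is None or proto == pr) and p_lo <= port <= p_hi)

def decide(policy, pkt, default="deny"):
    # First-match semantics: the rule with the lowest sequence number wins
    for rule in policy:
        if match(rule, pkt):
            return rule[4]
    return default

def effect_change(policy, new_rule, position):
    # Packets whose decision flips when new_rule is inserted at `position`:
    # the precise effect change an administrator should review before committing
    new_policy = policy[:position] + [new_rule] + policy[position:]
    return [(p, decide(policy, p), decide(new_policy, p))
            for p in packets() if decide(policy, p) != decide(new_policy, p)]

def pairwise_redundant(policy):
    # Classic check: rule i is redundant only if ONE earlier rule j with the same
    # action matches every packet that i matches
    return [i for i, ri in enumerate(policy)
            if any(rj[4] == ri[4] and all(match(rj, p) for p in packets() if match(ri, p))
                   for rj in policy[:i])]

def redundant_rules(policy):
    # Multi-rule check: rule i is redundant if removing it changes no packet's decision,
    # which also catches rules shadowed only by the union of several earlier rules
    return [i for i in range(len(policy))
            if all(decide(policy, p) == decide(policy[:i] + policy[i + 1:], p)
                   for p in packets())]

# Constructed sample policy (assumed, not taken from the thesis)
POLICY = [
    ((0, 7), (0, 15), "tcp", (0, 7), "allow"),   # r0: TCP from the lower half of the source space
    ((8, 15), (0, 15), "tcp", (0, 7), "allow"),  # r1: TCP from the upper half
    ((0, 15), (0, 15), "tcp", (2, 5), "allow"),  # r2: shadowed by r0 and r1 together, by neither alone
    ((0, 15), (0, 15), "udp", (0, 0), "allow"),  # r3: not redundant
]
NEW_RULE = ((4, 4), (0, 15), "tcp", (3, 3), "deny")  # constructed candidate rule
```

Inserting NEW_RULE at position 0 flips 16 packets from allow to deny, while appending it at the end changes nothing, which is exactly the case where the administrator would question adding it; r2 is missed by the pairwise check but found by the multi-rule one.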
[Degree-granting institution]: Harbin Engineering University
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08
Article number: 2386975
[Cited by]
Related master's theses (1 item)
1 陳貴寶; Research and Implementation of High-Performance, High-Availability Data Center Synchronization Software [D]; Xidian University; 2017
Article link: http://sikaile.net/guanlilunwen/ydhl/2386975.html