Design and Implementation of a Dedicated Isolation System
[Abstract]: With the rapid development of computer network technology, informatization in government, the military, finance, and enterprises is accelerating, and computer networks are widely used in all of them. Information technology makes the work of these organizations more efficient, but it also brings great information security risk, so strengthening the security of private networks is urgent. To meet the private network's requirements for high security and efficient communication, this paper presents the design and implementation of a dedicated isolation system based on Linux. The dedicated isolation system provides an isolation service between the private network and the civilian network and acts as a barrier for secure communication between them. Using packet filtering and protocol analysis, the system identifies and monitors the data flowing into the private network and passes the detection results to the system maintenance module for analysis and decision-making, in order to improve the quality and health of network communication. The system routes data and voice media packets that have passed inspection to the corresponding host or server in the private network with minimal delay, completing the communication between the private network and the civilian network. Common firewall systems today rely on a single technology, have difficulty resisting varied and complex attacks, and lack flexibility and ease of use in configuration and operation. To address these problems, the dedicated isolation system combines several protection technologies, applies security processing at each layer of the network architecture, and inspects and monitors the packets of each layer. It also provides a friendly and flexible control interface.
The system is divided into the following five subsystems for design and code implementation: (1) data interaction, responsible for transparent data forwarding; (2) network layer / transport layer data protection, which performs congestion management and flow control; (3) application layer data protection, responsible for inspecting and protecting application layer data; (4) system monitoring, responsible for recording, monitoring, and analyzing system operation data; (5) system interaction, which implements user interaction. The application layer data protection subsystem provides a user-space firewall implementation based on DPI (Deep Packet Inspection) that can analyze, inspect, and filter application layer protocol messages; the system implements this function using security protection for the SIP protocol as its example. The dedicated isolation system offers original designs and solutions for some of these technologies, meets users' needs, and has practical application value.
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08