Research and Optimization of Firewall-Based Access Control Lists (基于防火墻的訪問控制列表的研究與優化)
[Abstract]: A firewall is a security guard between a private network and an external network, placed at the entry point through which all incoming and outgoing packets must pass, and it is the key system for protecting most networks. An error in a firewall not only leaks confidential information from the network but can also break legitimate communication between the network and other networks. How to design a firewall correctly is therefore an important problem. Most network security policies are implemented by configuring packet classification policies with access control lists (ACLs), and a gateway device needs at least thousands of ACL rules to perform traffic filtering. Because of the many difficulties of the ACL configuration language, large-scale ACL rule sets easily become redundant, inconsistent, hard to optimize and even hard to understand. Firewalls are the core element of network security, yet managing firewall rules has become complex and error-prone. To implement security policies correctly, firewall filtering rules must be written and organized carefully. In addition, inserting or modifying a filtering rule requires a thorough analysis of the relationship between that rule and the other rules, so that the correct position of the rule can be determined before the update is committed. In this paper we propose a set of techniques and algorithms that provide (1) automatic anomaly detection to discover rule conflicts and potential problems in traditional firewalls, (2) anomaly-free policy editing for rule insertion, modification and deletion, and (3) translation of filtering rules into high-level textual descriptions for user visualization and validation. These are implemented in a user-friendly tool called Firewall Policy Advisor, which greatly simplifies the management of any common firewall policy written as filtering rules and minimizes the network vulnerabilities caused by misconfigured firewall rules.
This paper also implements an ACL optimization method for conflicting and redundant rules. Existing construction algorithms for the Firewall Decision Diagram (FDD) ignore the conflict and redundancy problems in ACL rule sets. Building on the FDD, we study an algorithm for detecting conflicts and redundancy among ACL rules, use it to optimize the FDD construction algorithm, and propose a new firewall decision diagram algorithm. By eliminating redundancy and avoiding conflicts, the number of rules in the access control list is greatly reduced and query performance is greatly improved. Experimental results show that the improved firewall decision diagram algorithm is feasible and efficient.
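The shadowing and redundancy anomalies that the abstract's anomaly detection targets can be checked mechanically on an ordered, first-hit rule list: a rule entirely covered by an earlier rule can never fire, which is a conflict if the actions differ and redundancy if they agree. The following Python is an added example, not code from the thesis or from Firewall Policy Advisor; the rule layout, the function names and the constructed sample ACL are assumptions made for this illustration.

```python
from dataclasses import dataclass

ANY_IP = (0, 2**32 - 1)   # wildcard range for IPv4 address fields
ANY_PORT = (0, 65535)     # wildcard range for the destination port field

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str      # "tcp", "udp" or "*" (assumed field encoding)
    src: tuple      # inclusive (low, high) source IPv4 range as integers
    dst: tuple      # inclusive (low, high) destination IPv4 range
    dport: tuple    # inclusive (low, high) destination port range
    action: str     # "accept" or "deny"

def cidr(prefix):
    """'10.1.0.0/16' -> inclusive (low, high) range of 32-bit integer addresses."""
    base, bits = prefix.split("/")
    addr = int.from_bytes(bytes(int(x) for x in base.split(".")), "big")
    size = 1 << (32 - int(bits))
    low = addr & ~(size - 1)
    return (low, low + size - 1)

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (a.proto in ("*", b.proto)
            and a.src[0] <= b.src[0] and b.src[1] <= a.src[1]
            and a.dst[0] <= b.dst[0] and b.dst[1] <= a.dst[1]
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])

def find_anomalies(rules):
    """First-hit semantics: a rule fully covered by an earlier rule never fires.
    Returns (kind, later_rule, earlier_rule); kind is 'shadowed' when the
    actions differ (likely policy error) or 'redundant' when they agree."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                found.append((kind, later.name, earlier.name))
                break   # the first covering rule is the one that actually fires
    return found

# Constructed sample ACL in first-hit order (illustrative, not from the thesis).
SAMPLE_ACL = [
    Rule("r1", "tcp", cidr("10.1.0.0/16"), cidr("192.168.1.0/24"), (80, 80), "accept"),
    Rule("r2", "tcp", cidr("10.1.0.0/16"), cidr("192.168.1.0/24"), ANY_PORT, "deny"),
    Rule("r3", "tcp", cidr("10.1.2.0/24"), cidr("192.168.1.0/24"), (443, 443), "accept"),
    Rule("r4", "tcp", cidr("10.1.2.0/24"), cidr("192.168.1.0/24"), (80, 80), "accept"),
    Rule("r5", "*", ANY_IP, ANY_IP, ANY_PORT, "deny"),
]
```

Running `find_anomalies(SAMPLE_ACL)` reports r3 as shadowed by r2 (the HTTPS accept can never take effect) and r4 as redundant to r1; a full tool would additionally report partial overlaps with differing actions, which this example omits.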
【Degree-granting institution】: 華中師范大學 (Central China Normal University)
【Degree level】: Master's
【Year degree conferred】: 2017
【Classification number (CLC)】: TP393.08
Article ID: 2455226
Source: http://sikaile.net/guanlilunwen/ydhl/2455226.html