Institute of Software, Chinese Academy of Sciences: Institutional Repository (ISCAS OpenIR)
Title: Research, Design and Implementation of Core Technologies for a High-Security-Level Firewall (高安全等级防火墙核心技术研究、设计与实现)
Author: 蒙杨
Defense date: 2001
Major: Computer Application Technology
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Place of award: Institute of Software, Chinese Academy of Sciences
Degree: Doctor (PhD)
Keywords: firewall; network security; operating system; key management; software engineering
Abstract (translated from Chinese): This dissertation studies and implements frontier core technologies of firewalls and, at the same time, studies an overall network security solution based on the firewall, aiming to maximise support for electronic commerce. The following technologies were adopted in the design and implementation of the system. Secure firewall operating system: the operating system has passed national evaluation, is independently copyrighted, reaches security level B1, and loses almost nothing in operational performance. Stateful inspection: every protocol layer of each passing IP packet is analysed; a state machine is established and monitored for TCP packets; virtual connections are established for UDP packets, together with a notion of direction; ICMP packets are analysed to determine their relationship to existing TCP or UDP connections; at the application layer, the semantics are analysed. Packet classification: the system uses a two-dimensional PATRIE algorithm, an extension of the one-dimensional PATRIE classification algorithm in NET/3 to two dimensions; the algorithm may not be the best in theory, but in our measurements its performance is good. Efficient key management: the key management protocol SIKE is used, a further development of IKE that retains all of IKE's advantages while adopting only IKE's pre-shared-key authentication scheme, which improves system efficiency. Flexible authentication: the scheme is separated from the protocol and the authentication module from the other modules; authentication results are communicated to the rest of the firewall through the relevant protocols, so any authentication technique can be integrated easily. The protocols currently used are S/key and FWN1. Fine-grained access control: access control lists and mandatory access control are used. Mandatory access control defines a finer-grained access relationship, between a user, the operation performed and the object accessed; for example, a user can be restricted to read-only access to the resource named by a URI. Dynamic management of supported protocols and services: supported protocols and services are managed dynamically according to the needs of the application environment. Network address translation, load balancing and transparent proxying: these are the key technologies for moving the firewall towards the high end. The software-engineering design process was followed during system design; each module was integrated after strict testing, giving high reliability. Performance testing of the firewall showed that the system is a reasonable trade-off between performance and functionality.
English abstract: The critical technologies of firewalls are studied and implemented in this dissertation. At the same time, a total solution for network security is studied, and the system does its best to support EC. Several new technologies are used in the design. Secure firewall OS: the OS has been certified by the national authority, is independently copyrighted, reaches security level B1, and loses little performance. Stateful inspection: all protocol layers of IP packets passing through the firewall are parsed. State machines are established and monitored for TCP packets. Virtual connections are created for UDP packets. ICMP packets are parsed to decide which connections they relate to. The semantics of the application layer are also parsed. Packet classification: a 2-dimensional PATRIE algorithm is adopted, extended from the 1-dimensional algorithm in NET/3 to 2 dimensions. The algorithm is not the best in theory, but its performance is good in our tests. Efficient key management: SIKE is adopted, which is developed from IKE and has all the advantages of IKE. Only pre-shared authentication is used, and efficiency is improved. Authentication: the protocol is isolated from the scheme, and the authentication module is isolated from the other modules. The result of authentication is communicated to the other parts of the firewall by related protocols, so it is easy to integrate other authentication modules. At present only S/KEY and FWN1 are used as authentication methods. Fine-granularity access control: ACL and MAC are implemented in the system. MAC defines fine-granularity access control: the access control policies for a user, the operation and the object. For example, we can define that a user can only read a URI resource. Dynamic management of supported protocols and services: according to the needs of the application, new modules for supported protocols and services can be added easily. Network address translation, load balancing and transparent proxy: these technologies are critical for high-performance firewalls. In the process of system design, the software engineering flow is adopted. All modules are integrated after strict testing, and the system is stable. At the same time, we find that our firewall is a compromise between functions and performance.
Language: Chinese
Content type: Dissertation
URI: http://ir.iscas.ac.cn/handle/311060/6190
Appears in Collections: Institute of Software, CAS (中科院软件所)

Files in This Item:
File name: LW004422.pdf (2204 KB); access: restricted; contact the repository to obtain the full text.

Recommended Citation:
蒙杨. 高安全等级防火墙核心技术研究、设计与实现[D]. 中国科学院软件研究所. 中国科学院软件研究所. 2001-01-01.