Institutional Repository of the Institute of Software, Chinese Academy of Sciences (ISCAS OpenIR)
Title: 防火墙体系下的IPSEC及其策略 (IPSec and Its Policy in a Firewall Architecture)
Author: 袁勋
Defense date: 2001
Major: Computer Application Technology
Degree-granting institution: Institute of Software, Chinese Academy of Sciences
Place conferred: Institute of Software, Chinese Academy of Sciences
Degree: Doctor
Keywords: firewall; connection tracking; stateful inspection; stateful inspection firewall; Authentication Header; Encapsulating Security Payload; security association; trust management
Abstract: Adopting a chain-like structure, this thesis describes an overall network security architecture whose principal component is the firewall, focuses on the combined action of network-layer security (IPSec) and the new stateful inspection firewall within that security framework, and further carries out an exploratory study of its policy management. First, starting from the shortcomings of traditional firewall solutions, we introduce a discussion of two advanced technologies: network tracking (connection tracking) and stateful inspection. Network tracking is implemented at the network layer; it creates a connection tracking entry for every network connection and collects security-related information. Thereafter, all packets passing over that connection are tracked. Each security mechanism, such as packet filtering, authentication and address translation, has a corresponding interface in the connection tracking entry, so packets that pass through the connection tracking module can enter the policy checking modules of each layer directly. Stateful inspection, in turn, distinguishes application types by service and extracts state information about the relevant communication and application programs. Following the state transitions of network communication, it continually and dynamically updates the state information in the connection tracking table and, combined with predefined rules, enforces the security policy. Second, the thesis introduces a stateful inspection firewall employing these two technologies and extends it into a security architecture with that firewall as its core. This leads to another important part of the architecture: network-layer security, IPSec. For a complete security solution, providing end-to-end security is indispensable. However, when IPSec is implemented inside a stateful inspection firewall and combined with connection tracking, some new situations arise. The third part explains how IPSec fits properly into the stateful inspection firewall. The use of a security association chain in the connection tracking entry keeps the handling of IPSec uniform with the other security mechanisms and makes the modules clearer. However, to exploit the strengths of IPSec fully, standardizing its policy management is bound to be the direction of further development. The fourth part concerns IPSec policy management. The thesis introduces the concept of "trust management", a policy management model of general applicability. It uses a uniform "security policy specification language" to describe an application's security policy. The trust management engine receives the action request, written in the security policy specification language, submitted by the application together with its own policy, performs compliance checking, and determines whether the action is allowed and under what restrictions. The thesis further analyzes an already implemented trust management system, KeyNote. The study of its design and implementation lays the groundwork for deploying this more complete policy model in our firewall architecture in the future.
English abstract: This chain-structured thesis describes an overall network security framework whose principal part is the firewall. It also specifically discusses the combination of Internet Protocol Security (IPSec) with the newly developing stateful inspection firewall. Further, it probes into the field of policy management. The thesis begins with the deficiencies of traditional firewalls and leads into a discussion of two advanced technologies: network tracking and stateful inspection. Network tracking is implemented at the network layer. It builds a connection tracking control block and a direction control block for every connection and collects security-related information. Then all subsequent packets on that connection are tracked. Each security mechanism, such as packet filtering, authentication and network address translation, has its interface in the connection tracking control block, through which a passing packet can enter the policy checking modules directly. Stateful inspection distinguishes application type by service and extracts status information about the communication and the application program. Based on the status transitions of network communication, the stateful inspection module dynamically modifies the status information in the connection tracking control block and brings security policies into effect according to predetermined rules. Next, the thesis describes a stateful inspection firewall using the above two technologies and extends it into a security framework. This brings in another important part of the framework, IPSec. For an integrated network security solution, end-to-end security is absolutely necessary. But when IPSec is implemented in a stateful inspection firewall and combined with connection tracking, things are different. The third part gives the answer to how IPSec fits with our firewall.
The use of a security association chain in connection tracking unifies the management of IPSec with the other security mechanisms, thus making the modular structure clearer. However, to bring the advantages of IPSec fully into play, the standardization of its policy management will by all means be the developing trend. The final part is IPSec policy management. It presents the notion of trust management, a meaningful management mode worth generalizing. Trust management uses a uniform "Security Policy Specification Language" to describe security policy. Its trust-management engine accepts the query, along with policies, both written in that language and submitted by the application, performs compliance checking and determines whether the action should be allowed. Finally, an implemented trust-management system, KeyNote, is analyzed. Through this, we prepare for putting it into our firewall system in the future.
Language: Chinese
Content type: Thesis
URI: http://ir.iscas.ac.cn/handle/311060/7504
Appears in Collections: Institute of Software, Chinese Academy of Sciences

Files in This Item:
File Name | File Size | Access
LW004431.pdf | 2132 KB | restricted access (contact the repository for the full text)

Recommended Citation:
袁勋. 防火墙体系下的IPSEC及其策略[D]. 中国科学院软件研究所. 中国科学院软件研究所. 2001-01-01.
Items in IR are protected by copyright, with all rights reserved, unless otherwise indicated.
Copyright © 2007-2017 Institute of Software, Chinese Academy of Sciences