Design and Implementation of a Campus Network Firewall Based on Dual-Stack Technology
Published: 2018-05-09 12:41
Topic: firewall + IPv6; Source: master's thesis, University of Electronic Science and Technology of China (电子科技大学), 2014
[Abstract]: As the exhaustion of the IPv4 address space and its drawbacks become evident, IPv6 is being adopted ever more quickly. Our university's relocation to a new campus coincided with an opportunity to expand the campus network, and a network upgrade project was carried out to provide IPv4 access to the public Internet and IPv6 access to the education network (CERNET). Designing a firewall that protects the network under both IPv4 and IPv6 was therefore put on the agenda. This thesis takes a firewall that supports the IPv4/IPv6 dual-stack protocols simultaneously as its research topic, focusing on mixed routing under dual stack, iptables under IPv4 and ip6tables under IPv6, and firewall performance tuning. The work is divided into five parts.

First, after a brief introduction to IPv6, the common IPv4-to-IPv6 transition technologies (dual stack, tunnelling and translation mechanisms) are discussed, and the choice of a dual-stack-capable firewall in the campus network upgrade plan is justified. Second, the mixed-routing problem under dual stack is solved: the mixed-routing function on the firewall is analysed and designed using policy routing, which lays the technical foundation for load balancing later and leaves room for upgrades. The open-source Quagga routing suite is also installed on the firewall to provide IPv6 routing as the network grows and its topology becomes more complex, again leaving headroom for future upgrades. Third, starting from the network and transport layers and based on protocol principles, attack methods are analysed from four aspects: packet header structure, the protocol itself, authentication, and traffic. Although IPv6 solves the IPv4 address-space problem and its protocol improvements remove some attacks on authentication and traffic, the layered network model is the same, so attacks can to a large extent reuse and extend the IPv4 approaches; the IPv6 security situation is therefore not optimistic either. Fourth, iptables and ip6tables rule scripts are designed and written for the firewall under IPv4 and IPv6 respectively, and the resulting policies are tested with TCP and UDP traffic. After each firewall module passes its functional tests, the whole machine is tested in the campus network. Fifth, the firewall is optimised, and IPsec is added using OpenSWAN as the platform. The tuning work implements stateful inspection of UDP, TCP, ICMP and FTP sessions; stateful inspection of packets translated between IPv4 and IPv6; handling of extension headers (EH), namely the routing, hop-by-hop, options and fragment headers; and port-to-application mapping (PAM), which lets network administrators customise the TCP and UDP ports in use, so that content-based access control can be applied even across a wider range of ports.
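The thesis itself does not reproduce its iptables/ip6tables scripts on this page. The following script is an added example, not the thesis author's code, showing the shape such a dual-stack ruleset takes: a parallel IPv4 and IPv6 policy with default-deny, conntrack-based stateful inspection of TCP/UDP/ICMP, the FTP helper attached explicitly, and IPv6 extension-header handling (dropping the deprecated Type 0 routing header and hop-by-hop options from the uplink) while still admitting the ICMPv6 types that Neighbor Discovery and path-MTU discovery need. Interface names, the management prefixes and the documentation-range IPv6 address are assumptions. PAM and IPsec are not iptables features and are not shown; PAM in particular has no direct equivalent in netfilter.

```shell
#!/bin/sh
# Added example (not from the thesis): dual-stack iptables/ip6tables ruleset.
# Interface names and management prefixes below are assumptions.
# DRY_RUN=1 prints the commands instead of applying them, which is how the
# rule list is reviewed before a real TCP/UDP test on the wire.
# "sh dualstack-fw.sh apply" as root installs the rules.

WAN_IF=${WAN_IF:-eth0}              # assumed uplink (public IPv4 / CERNET IPv6)
LAN_IF=${LAN_IF:-eth1}              # assumed campus LAN side
MGMT_V4=${MGMT_V4:-10.0.0.0/24}     # assumed IPv4 management network
MGMT_V6=${MGMT_V6:-2001:db8::/64}   # assumed IPv6 management prefix (doc range)
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or print it verbatim when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv6.conf.all.forwarding=1
    # FTP helper: passive-mode data connections then show up as RELATED
    run modprobe nf_conntrack_ftp
}

ipv4_rules() {
    run iptables -F
    run iptables -t raw -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    # Stateful inspection: conntrack tracks TCP, UDP and ICMP flows
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -s "$MGMT_V4" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    # Attach the FTP helper explicitly; modern kernels do not auto-assign it
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

ipv6_rules() {
    run ip6tables -F
    run ip6tables -t raw -F
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
    run ip6tables -P OUTPUT ACCEPT
    run ip6tables -A INPUT -i lo -j ACCEPT
    # Extension headers: drop the deprecated Type 0 routing header (RFC 5095)
    # everywhere, and hop-by-hop options arriving on the uplink (this also
    # drops MLD from the uplink; relax it if IPv6 multicast is needed there).
    # Fragments are reassembled by nf_defrag_ipv6 before conntrack sees them.
    for chain in INPUT FORWARD; do
        run ip6tables -A "$chain" -m rt --rt-type 0 -j DROP
        run ip6tables -A "$chain" -i "$WAN_IF" -m ipv6header --header hop-by-hop --soft -j DROP
    done
    run ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
    # ICMPv6 cannot be blocked wholesale: these types carry PMTUD errors and
    # Neighbor Discovery (RFC 4890). NDP messages must arrive with hop limit 255.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        run ip6tables -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    for t in neighbor-solicitation neighbor-advertisement; do
        run ip6tables -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    run ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
    run ip6tables -A INPUT -p tcp --dport 22 -s "$MGMT_V6" -m conntrack --ctstate NEW -j ACCEPT
    run ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Transit packet-too-big must pass or PMTUD breaks for hosts behind the firewall
    run ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
    run ip6tables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    run ip6tables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

case "${1:-}" in
    apply) enable_forwarding; ipv4_rules; ipv6_rules ;;
esac
```

Review the generated rule list with `DRY_RUN=1 sh dualstack-fw.sh apply` before applying it; the two rulesets deliberately mirror each other so that a policy change made on one stack is not forgotten on the other, which is the usual failure of dual-stack firewalls built as two unrelated scripts.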
Degree-granting institution: University of Electronic Science and Technology of China
Degree level: Master's
Year awarded: 2014
Classification (CLC): TP393.18; TP393.08
Article ID: 1866049
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1866049.html