Design and Implementation of a Firewall Vulnerability Testing and Assessment System
Published: 2018-05-18 14:05
Topic: firewall + testing; Source: Beijing University of Posts and Telecommunications, 2017 master's thesis
[Abstract]: With the development of computer and network technology, the security risks present in public networks have become increasingly diverse and pose a serious threat to information security. How to reach external networks while keeping internal network resources secure is the primary problem facing security engineers. Among the many network security products, the firewall, as the first checkpoint between the internal and external networks, has therefore become one of the most closely watched. Although a firewall can effectively protect the internal network, its concrete implementation carries security weaknesses of its own, so the protection it offers is limited and it cannot be treated as an absolute safeguard. Raising the level of assurance requires analysing firewall vulnerabilities and understanding the firewall's weak points more comprehensively. It is therefore necessary to run vulnerability tests against firewall devices, analyse the results, and produce an assessment of the firewall's vulnerability.

This thesis first analyses the vulnerabilities that may exist in firewall management configuration and in filtering rules, and studies the national standards for firewall testing together with traditional network testing techniques. Based on fuzz testing, it constructs malformed IP, ICMP, TCP and UDP packets in a targeted way, including zeroing flag bits, inserting special characters, randomising flag bits and building oversized packets, in order to test the vulnerability of the firewall's filtering rules. Because most hardware firewalls are now managed through a Web interface, tests of the Web management interface are added so that the test coverage is complete.

The thesis focuses on firewall vulnerability assessment. Drawing on traditional network assessment techniques and the national firewall testing standards, it proposes a firewall vulnerability assessment model based on an indicator system. First, building on the vulnerability analysis, a hierarchical indicator system with a goal layer, an attribute layer and an indicator layer is proposed, and the indicators are quantified from the firewall vulnerability test results. Second, the relative importance of the indicators is compared and computed using expert judgement and the analytic hierarchy process (AHP), which assigns the indicator weights. Finally, grey clustering is used to derive the grey classes and whitenization functions, yielding a qualitative assessment of the firewall's vulnerability.

Finally, the thesis designs and implements a firewall vulnerability testing and assessment system, describes its overall architecture, and explains in detail the design and implementation of its key modules: the control module, the test module, the assessment module and the database module. Analysis of the experimental results confirms the soundness of the indicator selection and the effectiveness of the testing and assessment system.
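The abstract names four mutation classes for filter-rule fuzzing (zeroed flag bits, random flag bits, inserted special characters, oversized packets) but does not show how such packets are built. The following is an added example, not code from the thesis or its system: it constructs IPv4/TCP packets in memory and applies those mutations, keeping IP and TCP checksums valid so that a dropped packet can be attributed to a filter rule rather than to the device discarding a corrupt frame before rule evaluation. Addresses, ports, payload bytes and the MTU value are constructed assumptions; nothing is transmitted (a raw socket or scapy would be the transport in a real rig).

```python
"""Malformed-packet generator for firewall filter-rule fuzzing (added example,
not code from the thesis). Builds IPv4/TCP packets in memory and applies the
mutation classes the abstract lists. Addresses, ports and payloads are
constructed sample values; nothing is sent on the wire."""
import random
import struct
from typing import Dict

MTU = 1500  # assumed link MTU; anything longer counts as "oversized"
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, payload_len: int, flags_frag: int = 0x4000) -> bytes:
    """20-byte IPv4 header carrying TCP, DF set by default, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_frag, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src: bytes, dst: bytes, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """TCP header without options plus payload, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | (flags & 0x1FF), 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_checksum_ok(pkt: bytes) -> bool:
    return checksum(pkt[:20]) == 0


def tcp_checksum_ok(pkt: bytes) -> bool:
    seg = pkt[20:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pseudo + seg) == 0


def tcp_flags(pkt: bytes) -> int:
    """The nine TCP control bits of a packet with a 20-byte IPv4 header."""
    return struct.unpack("!H", pkt[32:34])[0] & 0x1FF


def mutations(seed: int = 1) -> Dict[str, bytes]:
    """Named test cases; only 'tcp_bad_checksum' intentionally carries an invalid checksum."""
    rng = random.Random(seed)
    src, dst = bytes([10, 0, 0, 2]), bytes([192, 168, 1, 10])  # constructed addresses

    def pkt(flags: int, payload: bytes = b"", ip_flags_frag: int = 0x4000) -> bytes:
        seg = tcp_segment(src, dst, 40000, 80, flags, payload)
        return ipv4_header(src, dst, len(seg), ip_flags_frag) + seg

    cases = {
        "baseline_syn": pkt(TCP_SYN),
        "tcp_flags_zero": pkt(0),                          # no control bit set at all
        "tcp_flags_random": pkt(rng.randrange(0, 0x200)),  # nine random control bits
        "tcp_syn_fin": pkt(TCP_SYN | TCP_FIN),             # contradictory combination
        "payload_special_chars": pkt(TCP_SYN | TCP_PSH, b"\x00\xff%n\r\n'\"" * 8),
        "oversized": pkt(TCP_SYN, b"A" * (MTU + 100)),
        "ip_nonfirst_fragment": pkt(TCP_SYN, b"", 0x2001),  # MF set, offset 1: TCP header not in first fragment
    }
    bad = bytearray(cases["baseline_syn"])
    bad[36] ^= 0xFF  # corrupt the high byte of the TCP checksum on purpose
    cases["tcp_bad_checksum"] = bytes(bad)
    return cases


if __name__ == "__main__":
    for name, p in mutations().items():
        print(f"{name:24s} len={len(p):5d} flags=0x{tcp_flags(p):03x} "
              f"ipcsum={'ok' if ip_checksum_ok(p) else 'BAD'} tcpcsum={'ok' if tcp_checksum_ok(p) else 'BAD'}")
```

In a test run each case would be injected on the outside interface and the result recorded as passed, dropped or altered on the inside interface; the `tcp_bad_checksum` case is the control that tells the two drop causes apart.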
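The assessment model in the abstract chains three steps: indicator scores quantified from test results, AHP weights from expert pairwise comparisons, and grey clustering with whitenization functions to reach a qualitative grade. The block below is an added example of that chain, not the thesis's own code or its indicator system: the indicator names, the pairwise matrix, the 0-10 score scale and the grey-class boundaries are constructed assumptions. It also includes the two checks a practitioner would want before trusting the grade: rejecting a non-reciprocal comparison matrix and computing the AHP consistency ratio.

```python
"""AHP weights followed by grey clustering for a firewall vulnerability grade
(added example, not code from the thesis). Indicators, pairwise judgements,
the 0-10 score scale and the grey classes are constructed assumptions."""
from typing import Dict, List, Sequence, Tuple

# Saaty random consistency index by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# Hypothetical indicator layer; each indicator is scored 0-10 from test
# results, higher meaning more vulnerable.
INDICATORS = ["management_config", "ip_icmp_filtering", "tcp_udp_filtering", "web_management"]

# Hypothetical expert judgements: PAIRWISE[i][j] = importance of indicator i over j.
PAIRWISE = [
    [1.0, 2.0, 2.0, 3.0],
    [0.5, 1.0, 1.0, 2.0],
    [0.5, 1.0, 1.0, 2.0],
    [1 / 3, 0.5, 0.5, 1.0],
]

# Grey classes as (a, b, c, d) corners of a trapezoidal whitenization function:
# 0 outside [a, d], rising on [a, b], 1 on [b, c], falling on [c, d].
GREY_CLASSES = {
    "low": (0.0, 0.0, 3.0, 5.0),
    "medium": (3.0, 5.0, 5.0, 7.0),
    "high": (5.0, 7.0, 10.0, 10.0),
}


def validate_pairwise(matrix: Sequence[Sequence[float]], tol: float = 1e-9) -> None:
    """Reject non-square or non-reciprocal input before it silently skews the weights."""
    n = len(matrix)
    if any(len(row) != n for row in matrix):
        raise ValueError("pairwise matrix must be square")
    for i in range(n):
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > tol:
                raise ValueError(f"A[{i}][{j}] and A[{j}][{i}] are not reciprocal")


def ahp_weights(matrix: Sequence[Sequence[float]]) -> List[float]:
    """Column-normalise and average each row (arithmetic-mean estimate of the principal eigenvector)."""
    validate_pairwise(matrix)
    n = len(matrix)
    col_sums = [sum(matrix[i][j] for i in range(n)) for j in range(n)]
    return [sum(matrix[i][j] / col_sums[j] for j in range(n)) / n for i in range(n)]


def consistency_ratio(matrix: Sequence[Sequence[float]], weights: Sequence[float]) -> float:
    """CR = CI / RI; judgements with CR >= 0.1 are conventionally returned to the experts."""
    n = len(matrix)
    if n <= 2:
        return 0.0
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lam_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def whiten(x: float, a: float, b: float, c: float, d: float) -> float:
    """Trapezoidal whitenization; a == b or c == d gives the one-sided lower/upper-measure form."""
    if x < a or x > d:
        return 0.0
    if x < b:
        return (x - a) / (b - a)
    if x <= c:
        return 1.0
    return (d - x) / (d - c)


def grey_cluster(scores: Sequence[float], weights: Sequence[float]) -> Tuple[Dict[str, float], str]:
    """sigma_k = sum_j w_j * f_k(x_j); the object belongs to the grey class with the largest sigma."""
    coefficients = {
        name: sum(w * whiten(x, *corners) for x, w in zip(scores, weights))
        for name, corners in GREY_CLASSES.items()
    }
    return coefficients, max(coefficients, key=coefficients.get)


def assess(scores: Sequence[float], matrix: Sequence[Sequence[float]] = PAIRWISE):
    weights = ahp_weights(matrix)
    cr = consistency_ratio(matrix, weights)
    coefficients, grade = grey_cluster(scores, weights)
    return weights, cr, coefficients, grade


if __name__ == "__main__":
    sample_scores = [8.0, 3.0, 4.0, 7.0]  # constructed scores for the four indicators
    weights, cr, coefficients, grade = assess(sample_scores)
    for name, w in zip(INDICATORS, weights):
        print(f"{name:20s} weight={w:.3f}")
    print(f"consistency ratio={cr:.4f} ({'ok' if cr < 0.1 else 'inconsistent'})")
    print({k: round(v, 3) for k, v in coefficients.items()}, "->", grade)
```

With the sample scores, two filtering indicators score low but the heavily weighted management indicators score high, and the weighted clustering coefficient lands the device in the "high" class; the same scores averaged without weights would sit near the middle, which is the point of carrying the AHP weights into the clustering step.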
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year awarded]: 2017
[Classification number]: TP393.08
Article ID: 1906116
Link: https://www.wllwen.com/guanlilunwen/ydhl/1906116.html