基于NDIS防火墙系统的设计与实现

发布时间：2018-06-15 21:11

本文选题：网络安全 + 防火墙　；参考：《电子科技大学》2014年硕士论文

【摘要】：当前的互联网协议仍然是基于TCP/IP协议族,在几十年的应用和发展当中,TCP/IP协议暴露出来的缺陷和漏洞也越来越多,这使基于TCP/IP协议的计算机网络也极易受到来自网络上的攻击和入侵。TCP/IP协议自身的基本安全机制已经无法保证网络中计算机的信息安全,因此,必须在防火墙这种专门的入侵拦截工具(软件或硬件)的帮助下来解决网络安全上的问题。当前的个人防火墙软件主要是基于LSP和TID这两种包过滤机制来开发的,因此其功能相对受限,而且安全性也不高。本文是通过在防火墙核心层进行数据封包过滤原理来进行研究,具体采用了NDIS中间层驱动过滤与SPI应用层过滤两种方案相结合的方式来进行。通过在操作系统内核工作模式下,利用NDIS中间层过滤数据包实现对网卡原始数据包进行拦截和过滤的办法,过滤功能可以通过访问控制与管理规则的制定来进行控制,从而极大提高了防火墙系统的截包及数据过滤能力,是个人防火墙开发技术的一种新的有益尝试。论文在首先进行了基于NDIS的防火墙系统的分析和设计工作。在系统实现部分,介绍了NDIS驱动拦截功能、管制规则管理功能、日志管理功能、通信模块接口和中间层过滤等核心功能及模块的实现工作。同时,还完成了系统的用户管理和界面设计与实现工作。系统的实现部分还对防火墙驱动的安装与调试工作进行了介绍。本课题所研究防火墙采用visual studio 2008,DDK开发工具进行开发,利用DebugView进行调试,开发使用的操作系统平台为Windows7。经过系统设计、实现和后续的测试工作表明,该防火墙可以在Windows桌面操作系统平台下运行,同时系统提供了良好的用户管理接口,具有设置控管规则和过滤IP包的基本功能。
[Abstract]:The current Internet protocols are still based on the TCP / IP protocol family. In the decades of application and development, the TCP / IP protocol has exposed more and more defects and vulnerabilities. This makes the computer network based on TCP / IP protocol vulnerable to attack and intrusion from the network. The basic security mechanism of the TCP / IP protocol itself can no longer guarantee the information security of the computer in the network. Network security problems must be solved with the help of a dedicated intrusion interceptor (software or hardware) such as a firewall. The current personal firewall software is mainly based on the LSP and tsd packet filtering mechanism, so its function is relatively limited, and the security is not high. In this paper, the principle of data packet filtering in the core layer of firewall is studied, which combines NDIS intermediate layer driver filtering and SPI application layer filtering. In the operating system kernel mode, the filtering function can be controlled by making access control and management rules by using NDIS intermediate layer filter data packet to intercept and filter the original data packet of the network card. It greatly improves the ability of packet cutting and data filtering of firewall system. It is a new and beneficial attempt of personal firewall development technology. Firstly, the thesis analyzes and designs the firewall system based on NDIS. In the part of the system implementation, the core functions such as NDIS driver interception function, regulation rule management function, log management function, communication module interface and middle layer filtering are introduced. At the same time, the user management and interface design and implementation of the system are completed. The implementation of the system also introduces the installation and debugging of firewall driver. The firewall studied in this paper is developed with visual studio 2008 DDK development tool and debugged by DebugView. The operating system platform is Windows 7. The system design, implementation and subsequent testing work show that the firewall can be run on Windows desktop operating system platform, at the same time, the system provides a good user management interface, with the basic function of setting control rules and filtering IP packets.
【学位授予单位】：电子科技大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TP393.08

【共引文献】