Design and Implementation of a Network Application Identification and Control System Based on Next-Generation Firewall Technology
Published: 2018-10-25 06:10
[Abstract]: With the development of information technology, the spread of enterprise informatization and the improvement of e-government, enterprises and public institutions have boarded the express train of Internet technology, making full use of information, computer and network technology to raise their production and work efficiency. This has also brought problems: degraded network performance, poor network utilization and the spread of network viruses. For such organizations, identifying and controlling network applications is essential both to raise the level of management and to keep their information systems running normally and efficiently. The application identification and control systems represented by the traditional firewall perform security checks on the packet five-tuple (source and destination IP address, source and destination port, and transport protocol). A method that relies only on IP addresses and ports has long been unable to identify the specific application type, let alone recognize and control individual functions within the same application, and it no longer meets current network management and security protection needs. This thesis studies the key technologies of the next-generation firewall, concentrating on two core technologies that play an important role in it: deep packet inspection (DPI) and network application identification and control. The network application identification and control system serves as the implementation platform for DPI-based application identification: it can accurately identify the various application protocols in the network and apply fine-grained control to them, and it can be extended with modules.
This work aims to give enterprise users an effective technical means of controlling employees' Internet use so as to keep the network secure, and explores the balance between system security and convenience of use. It surveys the state and trends of firewall technology and network access control, compares common firewall products on the market, proposes the design goals and functional requirements of a "network application identification and control system based on next-generation firewall technology", designs the overall architecture and workflow of the system, and briefly describes the key technologies of its development and the conditions for implementing the scheme. Specifically, the main work of this thesis is as follows:
1. Analyze and compare the key technologies of traditional firewalls and the challenges they face, and identify the new features and key technologies a next-generation firewall must have.
2. Based on the characteristics of the next-generation firewall, propose a scheme that uses DPI to identify network applications and control them at fine granularity.
3. Study and design the system architecture for application identification and control. The system can accurately identify network applications and formulate control policies for different applications.
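The contrast the abstract draws, between five-tuple matching that only infers the application from the port and DPI that reads the payload and can also distinguish functions within one application, is shown below in an added Python example. It is not code from the thesis, whose signature library and policy language are not reproduced on this page; the packet payloads, IP addresses, host names, signatures and policy rules are all constructed for the illustration.

```python
"""Five-tuple (port-based) classification versus payload-signature DPI.

Added illustration, not code from the thesis. Flows, signatures and
policy rules below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # leading bytes of the first client-to-server segment


# --- Traditional five-tuple view: the destination port *implies* the application.
PORT_TABLE = {("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 22): "ssh"}


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get((flow.proto, flow.dst_port), "unknown")


# --- DPI view: signatures on the payload, independent of the port.
# Constructed signature set (the thesis does not publish its own).
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS handshake record header
]


def _http_detail(payload: bytes) -> Dict[str, str]:
    """Function-level attributes of an HTTP request: method and Host header."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return {"method": method, "host": host}


def classify_by_dpi(flow: Flow) -> Tuple[str, Dict[str, str]]:
    for app, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return app, (_http_detail(flow.payload) if app == "http" else {})
    return "unknown", {}


@dataclass(frozen=True)
class Rule:
    app: str
    action: str  # "allow" or "deny"
    when: Optional[Callable[[Flow, Dict[str, str]], bool]] = None


# Constructed policy: first matching rule wins, otherwise DEFAULT_ACTION.
POLICY = [
    Rule("bittorrent", "deny"),
    # SSH is tolerated only on its own port; an SSH banner on 80/443 is a tunnel.
    Rule("ssh", "deny", when=lambda f, d: f.dst_port != 22),
    # Same application, different function: browsing allowed, uploads blocked.
    Rule("http", "deny", when=lambda f, d: d.get("method") in ("POST", "PUT")),
]
DEFAULT_ACTION = "allow"


def apply_policy(flow: Flow, policy: List[Rule] = POLICY) -> Dict[str, object]:
    app, detail = classify_by_dpi(flow)
    action = DEFAULT_ACTION
    for rule in policy:
        if rule.app == app and (rule.when is None or rule.when(flow, detail)):
            action = rule.action
            break
    return {"port_guess": classify_by_port(flow), "app": app,
            "detail": detail, "action": action}


# Constructed sample flows: three of them sit on port 80/443 but are not web traffic
# or are a web function the policy forbids; the port-based view cannot tell.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 51000, 80, "tcp",
         b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.10", 51001, 80, "tcp",
         b"POST /upload HTTP/1.1\r\nHost: files.example\r\nContent-Length: 12\r\n\r\nhello world!"),
    Flow("10.0.0.7", "198.51.100.4", 51002, 80, "tcp", b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.8", "198.51.100.9", 51003, 443, "tcp",
         b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 20),
    Flow("10.0.0.9", "198.51.100.2", 51004, 443, "tcp",
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]


def run_demo(flows: List[Flow] = SAMPLE_FLOWS) -> List[Dict[str, object]]:
    return [apply_policy(f) for f in flows]


if __name__ == "__main__":
    for f, r in zip(SAMPLE_FLOWS, run_demo()):
        print(f"{f.proto}/{f.dst_port:<4} port-based={r['port_guess']:<8} "
              f"dpi={r['app']:<10} {r['detail']} -> {r['action']}")
```

Running the script shows the five-tuple classifier labelling the SSH tunnel and the BitTorrent handshake as "http"/"https" while the DPI path identifies them and the policy denies them; the two HTTP flows get the same application label but different actions because the rule keys on the request method. In a real system the signature set is far larger, signatures must be matched across reassembled streams rather than a single segment, and TLS traffic needs SNI or certificate-based identification since the payload is encrypted.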
[Degree-granting institution]: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology)
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Paper ID: 2292839
Link to this paper: https://www.wllwen.com/guanlilunwen/ydhl/2292839.html