Research on Key Techniques for Conflict Detection in Firewall Configuration Rules
Published: 2018-12-19 13:20
Abstract: Network technology has greatly eased people's lives, but network security problems also pose a serious threat. The firewall is one of the most important measures for protecting network security, and its configuration policy is its core function. Whether a firewall's policy is configured correctly and sensibly directly affects its performance. Adding rules to a firewall policy often causes conflicts among the rules, and redundant rules in the firewall increase packet matching time; both severely degrade firewall performance. For these two situations, this thesis studies the following two key techniques.

One of the main causes of firewall policy errors is modification of the configuration policy. Networks are constantly evolving and new security problems keep appearing, so the users behind a firewall frequently need the rule administrator to modify the existing policy in order to allow or protect new services. This thesis first proposes a trie-based firewall rule conflict detection algorithm: it adds a new rule to the existing firewall configuration and presents to the administrator the exact change in effect that the rule causes on the original firewall. The administrator can evaluate the firewall according to that change and then decide where to insert the rule, or even whether it needs to be added at all.

A firewall's configuration policy is ordered by sequence number as priority: the earlier a rule appears, the higher its priority, and packets are matched against the rules sequentially from first to last. Firewall matching efficiency can therefore be improved by shrinking the configuration policy. As enterprises grow, firewall rule sets can reach hundreds or even thousands of rules, and because the same firewall's policy may be configured by different administrators, redundant coverage among rules is unavoidable. Current redundancy detection works only between pairs of rules; redundant coverage among multiple rules can be found only by brute force or exhaustive search. This thesis therefore gives a new definition of redundant rules and, on that basis, proposes a four-tuple decision-tree algorithm based on an improved decision-tree model, which can detect redundant coverage among multiple rules.
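As an added illustration (not code from the thesis) of the two situations the abstract describes, the following Python models an ordered first-match policy over constructed four-field rules: it reports the exact set of packets whose decision changes when a candidate rule is inserted at a given position, and it contrasts the pairwise redundancy check with one that catches a rule covered only by the union of several earlier rules. The rule fields, the tiny value universe and the sample policy are assumptions; the thesis does not give its trie or decision-tree structures, so exhaustive enumeration stands in for them.

```python
from itertools import product

# Constructed rule format (an assumption; the thesis does not spell out its
# four-tuple fields): (src_range, dst_range, port_range, action), inclusive
# ranges over a tiny universe so exhaustive enumeration stays exact.
UNIVERSE = [(0, 3), (0, 3), (0, 3)]   # src, dst, port

def matches(rule, pkt):
    return all(lo <= v <= hi for (lo, hi), v in zip(rule[:3], pkt))

def decide(policy, pkt, default="deny"):
    """Sequential first-match: the earliest matching rule decides the packet."""
    for rule in policy:
        if matches(rule, pkt):
            return rule[3]
    return default

def all_packets():
    return list(product(*(range(lo, hi + 1) for lo, hi in UNIVERSE)))

def insertion_effect(policy, new_rule, position):
    """Exact effect of inserting new_rule at position, as {packet: (old, new)}
    for every packet whose decision changes, for the administrator to review."""
    candidate = policy[:position] + [new_rule] + policy[position:]
    pairs = ((p, decide(policy, p), decide(candidate, p)) for p in all_packets())
    return {p: (old, new) for p, old, new in pairs if old != new}

def pairwise_shadowed(policy):
    """Indices fully covered by one SINGLE earlier rule (the pairwise check)."""
    return [i for i, r in enumerate(policy)
            if any(all(matches(e, p) for p in all_packets() if matches(r, p))
                   for e in policy[:i])]

def redundant_rules(policy):
    """Indices whose removal changes no decision; this also catches a rule
    covered only by the UNION of several earlier rules."""
    return [i for i in range(len(policy))
            if all(decide(policy, p) == decide(policy[:i] + policy[i + 1:], p)
                   for p in all_packets())]

# Constructed policy: R2 is covered by R0 and R1 together but by neither alone.
POLICY = [
    ((0, 0), (0, 3), (0, 3), "allow"),   # R0: src 0
    ((1, 1), (0, 3), (0, 3), "allow"),   # R1: src 1
    ((0, 1), (0, 3), (0, 3), "deny"),    # R2: src 0-1, never reached
    ((2, 3), (0, 3), (0, 0), "allow"),   # R3: src 2-3, port 0
]
NEW_RULE = ((2, 2), (0, 3), (0, 3), "deny")   # constructed candidate rule
```

Inserting NEW_RULE at the head flips the four src-2, port-0 packets from allow to deny, while appending it at the end changes no decision at all, the case in which the administrator may conclude the rule is unnecessary.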
Degree-granting institution: 哈尔滨工程大学 (Harbin Engineering University)
Degree level: Master's
Year awarded: 2014
Classification number: TP393.08
Document ID: 2386975
Cited by
Related master's theses (1 item)
1 陈贵宝; Research and Implementation of High-Performance, Highly Available Data Center Synchronization Software [D]; 西安电子科技大学 (Xidian University); 2017
Link: https://www.wllwen.com/guanlilunwen/ydhl/2386975.html