Research and Optimization of Firewall-Based Access Control Lists
Published: 2019-04-09 13:37
[Abstract]: A firewall is the security guard positioned between a private network and the entry point of an external network; every incoming and outgoing packet must pass through it, and it is the key system protecting the security of most networks. An error in a firewall can not only leak secret information from the network but also break legitimate communication between the network and the rest of the Internet, so designing firewalls correctly is an important problem. Most security policies in a network are implemented with Access Control Lists (ACLs), which configure packet classification policies. Performing traffic filtering on a gateway device requires an ACL deployment of at least thousands of rules. Because of the many difficulties of the ACL configuration language, large ACL rule sets easily become redundant, inconsistent, hard to optimize and even hard to understand. Firewalls are the core element of network security, but managing firewall rules has become complex and error-prone. To enforce a security policy correctly, firewall filtering rules must be written and organized carefully. Moreover, inserting or modifying a filtering rule requires a thorough analysis of its relationship to the other rules in order to determine its correct position before committing the update. In this paper we propose a set of techniques and algorithms that provide (1) automatic anomaly detection to discover rule conflicts and potential problems in conventional firewalls, (2) anomaly-free policy editing for rule insertion, modification and deletion, and (3) concise translation of filtering rules into high-level textual descriptions for user visualization and verification. These are implemented in a user-friendly tool called Firewall Policy Advisor, which greatly simplifies the management of any general firewall policy written as filtering rules while minimizing the network vulnerabilities caused by misconfigured firewall rules.
This paper also implements an optimization method for ACLs with conflicting and redundant rules. Existing construction algorithms for the Firewall Decision Diagram (FDD) ignore the conflict and redundancy problems in ACL rules. Building on the FDD, we study algorithms for detecting conflicts and redundancy in ACL rules, optimize the original FDD construction algorithm on that basis, and propose a new firewall decision diagram algorithm that reduces isomorphic nodes by removing redundancy and eliminating conflicts, so that the number of ACL rules is greatly reduced and query performance is greatly improved. Concrete experiments verify that our improved firewall decision diagram algorithm is practical and considerably more efficient.
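As an added illustration of the rule conflicts and redundancy the abstract refers to (example code written for this page, not the thesis's own algorithm or the Firewall Policy Advisor tool), the following checks an ordered first-match ACL for two classic anomalies: a rule that is fully covered by an earlier rule with a different action (shadowed, so it can never fire) and one fully covered by an earlier rule with the same action (redundant). The rule format and the sample policy are constructed for the example.

```python
# Added example (not from the thesis): shadowing and redundancy detection on an
# ordered, first-match ACL. A later rule that an earlier rule fully covers is
# "shadowed" if the actions differ and "redundant" if they are the same.
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str          # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: tuple        # inclusive (low, high); (0, 65535) means any port
    action: str         # "accept" or "deny"

def rule(name, proto, src, dst, dport, action):
    return Rule(name, proto, ip_network(src), ip_network(dst), dport, action)

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by inner is also matched by outer."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    port_ok = outer.dport[0] <= inner.dport[0] and inner.dport[1] <= outer.dport[1]
    return (proto_ok and port_ok
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst))

def find_anomalies(rules):
    """Return (kind, later_rule, earlier_rule); first covering earlier rule wins."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.name, earlier.name))
                break
    return findings

# Constructed sample policy (not from the thesis); first match wins.
POLICY = [
    rule("r1", "tcp", "10.0.0.0/8", "192.168.1.10/32", (80, 80), "accept"),
    rule("r2", "tcp", "10.1.0.0/16", "192.168.1.10/32", (80, 80), "deny"),    # shadowed by r1
    rule("r3", "any", "0.0.0.0/0", "192.168.1.0/24", (0, 65535), "deny"),
    rule("r4", "udp", "172.16.0.0/12", "192.168.1.53/32", (53, 53), "deny"),  # redundant with r3
    rule("r5", "tcp", "10.2.0.0/16", "192.168.2.0/24", (22, 22), "accept"),   # no anomaly
]

if __name__ == "__main__":
    for kind, later, earlier in find_anomalies(POLICY):
        print(f"{later} is {kind} by {earlier}")
```

Removing a redundant rule leaves the policy's behaviour unchanged, whereas a shadowed rule signals a conflict that needs a human decision on the intended order.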
[Degree-granting institution]: Central China Normal University (华中师范大学)
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08
Article number: 2455226
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2455226.html