集群式防火墙系统的研究

发布时间：2018-01-19 22:21

本文关键词： 集群防火墙负载均衡容错　出处：《中南大学》2007年硕士论文　论文类型：学位论文

【摘要】： 进入21世纪以来，Internet得到了前所未有的高速发展，但它也面临着严峻的安全挑战。网络威胁呈现着多样化发展趋势，除传统的病毒、垃圾邮件外，危害更大的间谍软件、广告软件、网络钓鱼等也严重地威胁计算机网络的安全。而随着各种应用网络化程度的不断提高，，更多的关键应用进入网络，企业和用户对网络的安全性要求有了更大的提高。网络资源的安全问题变得越来越重要。防火墙是目前使用最广泛的网络安全设备，在网络安全保护中起着重要的作用。但传统防火墙以单点方式将内网接入外网，因而很容易成为网络的瓶颈，极大地制约了网络中的实际应用同时降低了网络性能和可扩展性。当防火墙出现故障时还会导致防火墙的单点失效，从而降低了网络的可用性。为此，本文通过对防火墙和集群技术的分析与研究，提出了集群式防火墙系统CFS(Cluster Firewall System)的概念。CFS系统由多台普通防火墙组成，以并行方式连接，相互协作共同完成防火墙功能。CFS能有效地防止防火墙的单点失效，提高了网络的可用性。CFS系统是提高防火墙的处理能力、吞吐量的一种全新的解决方案。与传统防火墙相比具有高可用性、高可伸缩性、高性价比以及高性能等特点。在实现过程中按照对数据包的处理方式将CFS系统分为基于流量分发机制的CFS和基于协商处理机制的CFS。本文设计了一种全新的CFS系统模型，将该系统分为三个子系统：负载均衡子系统、容错防火墙子系统以及在线监控子系统。对各个子系统进行了分析与设计，负载均衡子系统实现负载的均衡分配，容错防火墙子系统实现包过滤与容错，在线监控子系统实现对CFS的高效管理。本文重点研究了基于协商处理机制的CFS，并利用Linux内核防火墙对基于协商处理机制的CFS加以实验与测试，取得了较好的结果。
[Abstract]:Since 21th century, Internet has been developing at an unprecedented speed, but it is also facing severe security challenges. Network threats are showing a diversified development trend, except for traditional viruses. In addition to spam, more harmful spyware, advertising software, phishing and other serious threats to the security of computer networks. More and more key applications enter the network, enterprises and users of the network security requirements have been greatly improved. Network resources security issues have become increasingly important. Firewall is the most widely used network security equipment. It plays an important role in network security protection. However, the traditional firewall connects the intranet to the external network in a single point way, so it is easy to become the bottleneck of the network. It greatly restricts the practical application of the network and reduces the network performance and scalability. When the firewall fails, it will also lead to the failure of the firewall, thus reducing the availability of the network. Therefore, this paper through the firewall and cluster technology analysis and research. The concept of cluster firewall system (CFS(Cluster Firewall system) is put forward. The system is composed of several common firewalls and is connected in parallel mode. Working together to complete the firewall function. CFS can effectively prevent the firewall single point failure, improve the availability of the network. CFS system is to improve the processing capacity of the firewall. A new solution for throughput. Compared with traditional firewalls, it has high availability and scalability. In the process of implementation, the CFS system is divided into CFS based on traffic distribution mechanism and CFS based on negotiation processing mechanism. In this paper, a new CFS system model is designed, which is divided into three subsystems: load balancing subsystem. Fault-tolerant firewall subsystem and on-line monitoring subsystem. The analysis and design of each subsystem, load balancing subsystem to achieve load balancing, fault-tolerant firewall subsystem to achieve packet filtering and fault-tolerant. The online monitoring subsystem realizes the efficient management of CFS. This paper focuses on the research of CFS based on negotiation processing mechanism. The Linux kernel firewall is used to test CFS based on negotiation processing mechanism, and good results are obtained.
【学位授予单位】：中南大学
【学位级别】：硕士
【学位授予年份】：2007
【分类号】：TP393.08

【参考文献】