With the rapid development of network technology, network security has become an increasingly important problem. The traditional perimeter firewall is an effective network security technology for protecting an internal network, but with the growth of the Internet it no longer fits the current application environment. The distributed firewall (DFW) was proposed to overcome the limitations of the perimeter firewall. This paper first analyses those limitations, then describes the basic principles and related concepts of DFW, and closely studies DFW system models and the technology used to implement host firewalls. On the basis of this research and analysis, the tasks and characteristics of the host firewall in a DFW are derived, and a new design and implementation of a host firewall is proposed. In our solution, the policy enforcement mechanism is implemented in kernel mode using TDI-NDIS double-layer filtering, enforcing fine-grained network access control based on the user, the network application program, packet header information and the network interface card; system calls are hooked to protect the host firewall's own resources; node failure in the DFW is handled with a heartbeat mechanism; and BNF is used to formalize the network access control rules.
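The following is an added example, not the paper's code: a small BNF-defined rule language and a first-match policy check keyed on user, application, NIC and packet-header fields, modelled in user-mode Python. The grammar, field names, default-deny semantics and sample policy are all assumptions made here; the paper's enforcement runs in kernel-mode TDI/NDIS filter layers and its actual BNF is not reproduced in the abstract.

```python
"""Added example, not the paper's code: a BNF-defined rule language and a
fine-grained policy check keyed on user, application, NIC and packet header,
modelled in user-mode Python. Grammar, field names and sample rules are
assumptions; the paper's enforcement lives in kernel-mode TDI/NDIS filters."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed BNF, one rule per line; first match wins, unmatched traffic is denied:
#   <rule>   ::= <action> "user=" <name> "app=" <path> "nic=" <name>
#                <proto> <net> "->" <net> [ "port=" <number> ]
#   <action> ::= "allow" | "deny"
#   <proto>  ::= "tcp" | "udp" | "any"
#   <net>    ::= <ipv4> "/" <prefix> | "any"
#   <name>   ::= "*" | <identifier>       <path> ::= "*" | <non-space string>

class RuleSyntaxError(ValueError):
    """A rule line that does not conform to the grammar."""

@dataclass(frozen=True)
class Rule:
    action: str
    user: str    # "*" = any user
    app: str     # "*" = any program image
    nic: str     # "*" = any interface
    proto: str   # "tcp" | "udp" | "any"
    src: Optional[ipaddress.IPv4Network]  # None = any
    dst: Optional[ipaddress.IPv4Network]
    port: Optional[int]                   # None = any destination port

@dataclass(frozen=True)
class Flow:
    """What a TDI hook (user, app) and an NDIS hook (nic, header) would supply."""
    user: str
    app: str
    nic: str
    proto: str
    src: str
    dst: str
    dport: int

_ACTIONS, _PROTOS = {"allow", "deny"}, {"tcp", "udp", "any"}
_KV = re.compile(r"^(user|app|nic|port)=(\S+)$")

def _kv(tok: str, key: str) -> str:
    m = _KV.match(tok)
    if not m or m.group(1) != key:
        raise RuleSyntaxError(f"expected {key}=<value>, got {tok!r}")
    return m.group(2)

def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    if tok == "any":
        return None
    try:
        return ipaddress.IPv4Network(tok, strict=True)  # reject host bits set
    except ValueError as exc:
        raise RuleSyntaxError(f"bad network {tok!r}: {exc}") from None

def parse_rule(line: str) -> Rule:
    """Parse one rule line according to the assumed BNF."""
    toks = line.split()
    if len(toks) not in (8, 9):
        raise RuleSyntaxError(f"wrong number of fields in {line!r}")
    action, user, app, nic, proto, src, arrow, dst = toks[:8]
    if action not in _ACTIONS or proto not in _PROTOS or arrow != "->":
        raise RuleSyntaxError(f"bad action, protocol or arrow in {line!r}")
    port = None
    if len(toks) == 9:
        p = _kv(toks[8], "port")
        if not p.isdigit() or not 0 < int(p) < 65536:
            raise RuleSyntaxError(f"bad port {p!r}")
        port = int(p)
    return Rule(action, _kv(user, "user"), _kv(app, "app"), _kv(nic, "nic"),
                proto, _net(src), _net(dst), port)

def parse_policy(text: str) -> List[Rule]:
    """Parse a whole policy; blank lines and '#' comments are skipped."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def _wild(pat: str, val: str) -> bool:
    return pat == "*" or pat == val

def _within(net: Optional[ipaddress.IPv4Network], addr: str) -> bool:
    return net is None or ipaddress.IPv4Address(addr) in net

def matches(rule: Rule, flow: Flow) -> bool:
    return (_wild(rule.user, flow.user) and _wild(rule.app, flow.app)
            and _wild(rule.nic, flow.nic)
            and (rule.proto == "any" or rule.proto == flow.proto)
            and _within(rule.src, flow.src) and _within(rule.dst, flow.dst)
            and (rule.port is None or rule.port == flow.dport))

def decide(policy: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First-match evaluation; unmatched flows fall through to default deny."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return default

# Constructed sample policy (illustrative only).
SAMPLE_POLICY = """
# alice's browser may reach the intranet over the wired NIC, HTTPS only
allow user=alice app=firefox.exe nic=eth0 tcp any -> 10.0.0.0/8 port=443
# nothing on the wireless NIC may reach the intranet, whatever the program
deny user=* app=* nic=wlan0 any any -> 10.0.0.0/8
# any user and program may query the internal resolver
allow user=* app=* nic=* udp any -> 10.0.0.53/32 port=53
"""
```

Two points the model makes visible: rule order matters (a DNS query over wlan0 is denied by the second rule before the third can allow it), and a strict grammar rejects malformed rules such as a network with host bits set or an out-of-range port at load time rather than silently producing a rule that never matches.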