The Research In Distributed Firewall

Posted on: 2006-09-05
Degree: Master
Type: Thesis
Country: China
Candidate: Z Yao
Full Text: PDF
GTID: 2178360182969778
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of the Internet, the firewall has become the most important security product. The traditional firewall, which is devoted to perimeter defense of the intranet, has difficulty balancing security against network performance. The distributed firewall can largely solve these problems at the source and provide security across all aspects. Building on the concept of the distributed firewall and on current developments in network security technology, this thesis refines that concept and puts forward a practical scheme for it. The new scheme consists of a central policy management server, a Gateway Enforcer server, a LAN Enforcer server, and an endpoint firewall installed on the personal computer. After examining the key technologies of the distributed firewall, the thesis describes the new system and its infrastructure, starting from the data flow and covering the relationships and communication among the components. The center of the system is the policy management server, which has five different communication modules to connect to the background database system, the Gateway Enforcer, the LAN Enforcer and the endpoint firewall. For policy enforcement, which is one of the difficult technical problems, the thesis introduces the concept of the Enforcer, which is divided into two types: the Gateway Enforcer and the LAN Enforcer. The Gateway Enforcer is deployed between the network's ingress and egress points, where it acts as a network bridge and checks all users, especially users connecting over VPN and wireless users. The LAN Enforcer, by contrast, is deployed inside the enterprise network. It authenticates all users before they obtain network access through network equipment such as a switch. The authentication protocol is standard 802.1X. In this arrangement, the LAN Enforcer acts as a standard RADIUS server and combines with a switch, which must support 802.1X authentication, and the agent firewall, which acts as the supplicant, to build a complete authentication system. The thesis then designs the communication protocol and the process among these three parts. Test results are one of the most important parts of the process. Finally, the thesis presents the test results of this scheme in detail and discusses future directions for the development of and research on the distributed firewall.
Keywords/Search Tags: Network Security, Distributed Firewall, Endpoint Protection, Enforcer, 802.1X