
Research On Architecture And Key Techniques Of High Performance And Trusted Secure Area Boundary

Posted on: 2012-12-22
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Q Yao
Full Text: PDF
GTID: 1118330371959341
Subject: Computer application technology

Abstract/Summary:
The secure area boundary is an important component of the information assurance technical framework. Traditional secure area boundary mechanisms have two major problems: their structural design is inadequate, and their performance cannot keep up with the rapid development of network technology and applications. In response to these problems, the architecture of the secure area boundary is studied first. The technical features of existing secure area boundary mechanisms are summarized and their limitations pointed out. Building on research results from trusted computing, we propose an architecture for a trusted secure area boundary. In this architecture the area boundary security gateways, the security mechanism of the terminal computing environments and the security management centers are integrated. By classifying network information flows, a leveled and structured protection system for the secure area boundary is achieved. By triple-element peer authentication, the integrity of the protection system itself is measured and attested. By designing a mandatory access control model for the secure area boundary, fine-grained access control is achieved.

Since the boundary security gateway is an important component of the boundary security policy in this architecture, and its performance will become the bottleneck for the availability of the area boundary, its functional design and a parallel processing optimization model based on multi-core processors are given. Three key technologies of the performance optimization model were studied.

1) Through a model of network packet forwarding in the security gateway, the performance bottlenecks were analyzed. We then give a packet buffer recycling mechanism based on multiple recycling queues, and a processor affinity mechanism based on packet queues. These two optimization mechanisms greatly improve the forwarding performance of the data plane in the boundary security gateway. Experiments show that the forwarding capacity for small packets (64 bytes) increases by 67%.

2) Analysis indicated that a parallel processing model based on decomposition and scheduling of data flows satisfies the needs of current security engines. We then present a load-balanced flow scheduling mechanism (named MFD) based on instant load-balance measurement and big flow detection. Using a simulator driven by real data traces, several typical flow scheduling algorithms were compared. The experimental results show that MFD ensures load balancing of the parallel security engine while achieving the minimum degree of flow damage, so it satisfies the needs of the security engine.

3) Using the producer/consumer model to describe the structure of the shared message queues in the boundary security gateway pipeline, we give a lock-free queue operation algorithm based on a linked-list storage structure. The algorithm satisfies the linearizability and non-blocking properties of concurrent objects. Several well-known producer/consumer queue algorithms were tested in a lab environment; the experimental results show that our algorithm performs well in a variety of application environments.
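The trade-off behind the MFD mechanism in point 2), load balance across the parallel security engine versus flow damage (packets of one flow landing on different engines, which breaks per-flow inspection state), can be made concrete with a small trace-driven simulator. This is an added example, not code from the dissertation: the three policies, the thresholds, the integer-key stand-in for a 5-tuple hash and the flow-damage count are assumptions made for illustration, not the MFD algorithm itself.

```python
# Trace-driven comparison of scheduling policies for a parallel security engine.
# Constructed illustration; the policies, thresholds and flow-damage metric are
# this example's assumptions, not the dissertation's MFD algorithm.
from collections import defaultdict
ENGINES = 4  # parallel security engines behind the dispatcher

def flow_hash(key):
    return key % ENGINES  # stand-in for a 5-tuple hash; int keys make collisions easy

def run(trace, policy):
    """Replay (flow_key, bytes) packets; return (imbalance, flow_damage): hottest
    engine's bytes / mean bytes (1.0 is perfect), and packets that reached a different
    engine than the flow's previous packet (splits per-flow state across engines)."""
    load, last, damage = [0] * ENGINES, {}, 0
    for key, size in trace:
        eng = policy(key, size, load, last)
        damage += key in last and last[key] != eng
        last[key] = eng
        load[eng] += size
    return max(load) / (sum(load) / ENGINES), damage

def least_loaded(key, size, load, last):  # packet-level: perfect balance, high damage
    return load.index(min(load))

def static_hash(key, size, load, last):  # zero damage, but colliding flows pile up
    return flow_hash(key)

def make_flow_pinned(big_bytes=30_000, hot_ratio=1.5):
    """Flow-level policy: known flows stay pinned; new flows go to the coldest
    engine while the instant load measurement shows imbalance; a detected big
    flow sitting on the hottest engine is migrated once (one damage event)."""
    flow_bytes, migrated = defaultdict(int), set()
    def policy(key, size, load, last):
        flow_bytes[key] += size
        hot = max(load) > hot_ratio * (sum(load) / ENGINES)
        coldest = load.index(min(load))
        if key not in last:
            return coldest if hot else flow_hash(key)
        eng = last[key]
        if hot and flow_bytes[key] > big_bytes and load[eng] == max(load) \
                and key not in migrated:
            migrated.add(key)
            return coldest
        return eng
    return policy

# Constructed trace: eight equal flows (keys 0, 4, 8, 12 collide on engine 0),
# then flow 0 turns into a big flow.
KEYS = [0, 4, 8, 12, 1, 5, 2, 3]
TRACE = [(k, 1000) for _ in range(20) for k in KEYS] + [(0, 1500)] * 40
```

On this trace pure hashing leaves the hottest engine at about 2.5 times the mean load with no damage, packet-level balancing is perfect but splits the big flow 39 times, and the flow-pinned policy reaches roughly 1.3 times the mean with a single migration.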
Keywords/Search Tags: Area boundary security, trusted network connection, tri-element peer authentication, mandatory access control, high speed packet forwarding, IP flow scheduling, lock-free queue algorithm