
Study On Dynamic Access Control In Hierarchical Firewall System

Posted on: 2005-01-13  Degree: Doctor  Type: Dissertation
Country: China  Candidate: C Y Li  Full Text: PDF
GTID: 1118360125470670  Subject: Computer application technology
Abstract/Summary:
With the rapid development of computer networks, network security has become increasingly important. The firewall is an effective defensive measure for network security and is deployed in many kinds of networks. Firewall technology has passed through several phases; both the traditional boundary (perimeter) firewall and the present distributed firewall have their own shortcomings and limitations, which restrict their practical use. This thesis studies a new firewall scheme, the hierarchical firewall, and in particular its core technology, dynamic access control. Dynamic access control is the main part of the hierarchical firewall system, and its efficiency directly affects the performance of the whole system. Access control in the new scheme has two parts: dynamic access control within a single module, and hierarchical access control between modules.

The thesis presents the topology and the management model of the hierarchical firewall system and partitions the system into modules by function. The new scheme is a trade-off between the boundary firewall and the distributed firewall and combines the advantages of both: it overcomes the shortcomings of the boundary firewall, namely the single point of failure and the unprotected internal network, while avoiding the weakness of centralized management in the distributed firewall.

The thesis then investigates a packet-filtering algorithm based on a decision-tree classifier. The main idea is to exploit the redundancy in the firewall rule set to build a decision tree and then classify packets against it. The algorithm handles multi-dimensional, multi-type data and meets the requirement of dynamically updated rules.
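The decision-tree classifier and the dynamic rule updates described above, as an added example that is not the dissertation's code: a small Python classifier over a constructed rule set. The field set (protocol, source and destination prefix, destination-port range), the rule format, the split heuristic (the field with the most distinct literals, so that rules sharing a literal collapse into one subtree), and the leaf-size and rebuild thresholds are assumptions chosen for illustration; the thesis's own algorithms are not reproduced. `brute_force` is a plain first-match scan used only to cross-check the tree.

```python
"""Decision-tree packet classifier with limited direct rule insertion. Added example,
not the dissertation's code: fields, rule format, split heuristic and thresholds are assumed."""
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

FIELDS = ("proto", "src", "dst", "dport")
Packet = namedtuple("Packet", FIELDS)        # proto number, IPv4Address, IPv4Address, port

@dataclass(frozen=True)
class Rule:
    prio: int                                # lower value wins (first-match semantics)
    action: str
    proto: Optional[int] = None              # None on any field means wildcard
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    dport: Optional[Tuple[int, int]] = None  # inclusive destination-port range

def field_hits(literal, value) -> bool:
    """Does one rule literal (prefix, port range or exact value) cover the packet value?"""
    if isinstance(literal, IPv4Network):
        return value in literal
    return literal[0] <= value <= literal[1] if isinstance(literal, tuple) else literal == value

def matches(rule: Rule, pkt: Packet) -> bool:
    return all(getattr(rule, f) is None or field_hits(getattr(rule, f), getattr(pkt, f))
               for f in FIELDS)

class Node:
    """Leaf: short priority-sorted rule list. Internal node: one child per distinct literal of
    the split field plus a wildcard child; rules that are wildcard on that field are replicated
    into every literal child, so one root-to-leaf walk still sees every candidate rule."""

    def __init__(self, rules: List[Rule], avail=FIELDS, leaf_size=2, rebuild_at=4):
        self.rules = sorted(rules, key=lambda r: r.prio)   # every rule in this subtree
        self.avail, self.leaf_size, self.rebuild_at = avail, leaf_size, rebuild_at
        self.field, self.rest, self.children, self.wild = None, (), {}, None
        if len(self.rules) > leaf_size and avail:
            self._split()

    def _literals(self, f):
        return {getattr(r, f) for r in self.rules if getattr(r, f) is not None}

    def _split(self):
        # Redundancy heuristic: the field with the most distinct literals leaves each child
        # with the fewest rules. If only wildcards remain on every field, stay a leaf.
        f = max(self.avail, key=lambda g: len(self._literals(g)))
        if not self._literals(f):
            return
        self.field, self.rest = f, tuple(a for a in self.avail if a != f)
        wild = [r for r in self.rules if getattr(r, f) is None]
        self.wild = Node(wild, self.rest, self.leaf_size, self.rebuild_at)
        for lit in self._literals(f):
            same = [r for r in self.rules if getattr(r, f) == lit]
            self.children[lit] = Node(same + wild, self.rest, self.leaf_size, self.rebuild_at)

    def best_match(self, pkt: Packet) -> Optional[Rule]:
        if self.field is None:               # leaf: linear scan of the residual rules
            return next((r for r in self.rules if matches(r, pkt)), None)
        value = getattr(pkt, self.field)
        # Literals may overlap (nested prefixes), so every covering child is visited.
        hits = [c.best_match(pkt) for lit, c in self.children.items() if field_hits(lit, value)]
        hits = [r for r in hits if r is not None]
        return min(hits, key=lambda r: r.prio) if hits else self.wild.best_match(pkt)

    def insert(self, rule: Rule) -> None:
        """Limited direct insertion: push the rule down the existing branches and rebuild
        only a leaf that has outgrown rebuild_at, never the whole tree."""
        self.rules = sorted(self.rules + [rule], key=lambda r: r.prio)
        if self.field is None:
            if len(self.rules) > self.rebuild_at and self.avail:
                self._split()                # local rebuild of this one leaf
            return
        lit = getattr(rule, self.field)
        if lit is None:                      # wildcard here: belongs in every branch
            self.wild.insert(rule)
            for child in self.children.values():
                child.insert(rule)
        elif lit in self.children:
            self.children[lit].insert(rule)
        else:                                # unseen literal: new child seeded with the wildcards
            self.children[lit] = Node([rule] + self.wild.rules, self.rest, self.leaf_size, self.rebuild_at)

def classify(tree: Node, proto: int, src: str, dst: str, dport: int) -> str:
    rule = tree.best_match(Packet(proto, ip_address(src), ip_address(dst), dport))
    return rule.action if rule else "deny"   # nothing matched at all: default deny

def brute_force(rules: List[Rule], proto: int, src: str, dst: str, dport: int) -> str:
    """Reference linear first-match scan, used to cross-check the tree."""
    pkt = Packet(proto, ip_address(src), ip_address(dst), dport)
    return next((r.action for r in sorted(rules, key=lambda r: r.prio) if matches(r, pkt)), "deny")

def demo_ruleset() -> List[Rule]:            # constructed sample rules, not from the thesis
    N = ip_network
    return [Rule(10, "allow", proto=6, dst=N("10.0.1.0/24"), dport=(443, 443)),
            Rule(20, "allow", proto=6, dst=N("10.0.1.0/24"), dport=(80, 80)),
            Rule(30, "allow", proto=17, dst=N("10.0.2.53/32"), dport=(53, 53)),
            Rule(40, "deny", src=N("192.168.0.0/16"), dst=N("10.0.1.0/24")),
            Rule(50, "allow", proto=6, src=N("10.0.0.0/8"), dport=(22, 22)),
            Rule(99, "deny")]                # catch-all default deny
```

Two points a practitioner should check in any such classifier: first-match semantics must survive the tree, which is why every leaf scan and every merge across overlapping children goes by `prio` rather than by tree position; and replication of wildcard rules into each literal child is what makes a single walk correct, at the price of memory that grows with the number of literals a wildcard-heavy rule set is split on. `insert` shows the cheap update path: a new rule is routed down existing branches, and only a leaf that exceeds `rebuild_at` is re-split locally.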
In addition, it presents an inexact packet classification algorithm that uses a weight-threshold measure to bound the depth of the search, which gives the classifier a degree of predictive ability. The thesis also studies a limited direct insertion method for the problem of gradually growing tree nodes; the method reduces the number of rebuilds and thereby lowers the update complexity.

Following the architecture of the hierarchical firewall system, the thesis proposes a hierarchical access control scheme based on an indexed tree and presents a new method for constructing the indexed tree. First, the system topology is converted into a tree structure and each node is assigned an index. Then a key is generated for each node from its index value using a private-key (symmetric) cryptosystem, and hierarchical access control is implemented on these keys. The scheme is simple and effective and suits networks with a clear hierarchy.

A protocol for the generation and distribution of dormant public keys is proposed and verified in the thesis, and a hierarchical access control scheme based on this dormant public key cryptosystem is studied. The scheme feeds the dormant information into the improved Chang scheme to implement hierarchical access control. It has several advantages: sound digital signatures, resistance to ciphertext-tampering attacks, and mutual (two-sided) authentication, and it addresses a general hidden security weakness of public key cryptosystems.

Finally, the access control module was simulated under the Linux operating system; the results are satisfactory and support the work of the thesis.
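The indexed-tree access control described above, as an added example that is not the thesis's scheme: the topology is converted to a tree, each node gets an index spelling out its path, and each node's key is derived from that index. The Dewey-style index ("1.2.1"), the choice of HMAC-SHA256 as the one-way derivation step, the tag format and the constructed topology and master secret are all assumptions made for illustration; the abstract only says that a private-key cryptosystem is used.

```python
"""Indexed-tree hierarchical key scheme for the modules of a hierarchical firewall.
Added example, not the thesis's scheme: the Dewey-style index, the HMAC-SHA256
key-derivation step and the tag format are assumptions made for illustration."""
import hashlib
import hmac
from typing import Dict, List, Optional

def index_tree(topology: Dict[str, List[str]], root: str) -> Dict[str, str]:
    """Convert the module topology (parent -> children) into tree indices: the root is
    '1', its children '1.1', '1.2', ... so every index spells out the path from the root."""
    indices, stack = {root: "1"}, [root]
    while stack:
        parent = stack.pop()
        for n, child in enumerate(sorted(topology.get(parent, ())), start=1):
            indices[child] = f"{indices[parent]}.{n}"
            stack.append(child)
    return indices

def child_key(parent_key: bytes, step: str) -> bytes:
    """One derivation step. HMAC is one-way, so a child key reveals nothing about its parent."""
    return hmac.new(parent_key, step.encode(), hashlib.sha256).digest()

def key_from_master(master: bytes, index: str) -> bytes:
    """Key of any node, computed by the key server from the master secret and the index."""
    key = master
    for step in index.split("."):
        key = child_key(key, step)
    return key

class Module:
    """A firewall module holding only its own index and key. It can derive the key of every
    module below it by walking the remaining index components, and nothing else."""
    def __init__(self, index: str, key: bytes):
        self.index, self.key = index, key

    def key_for(self, target: str) -> Optional[bytes]:
        if target == self.index:
            return self.key
        if not target.startswith(self.index + "."):   # the '.' stops '1.1' matching '1.10'
            return None                                 # not a descendant: no authority
        key = self.key
        for step in target[len(self.index) + 1:].split("."):
            key = child_key(key, step)
        return key

    def tag_for(self, target: str, message: bytes) -> Optional[bytes]:
        """Authenticate a policy message under the key of a module at or below this one."""
        key = self.key_for(target)
        return None if key is None else hmac.new(key, message, hashlib.sha256).digest()

    def verify(self, index: str, message: bytes, tag: bytes) -> bool:
        """Check a message bound to `index`; succeeds only if this module can derive that key."""
        expected = self.tag_for(index, message)
        return expected is not None and hmac.compare_digest(expected, tag)

# Constructed topology: a gateway above a DMZ module and a LAN module with two sub-modules.
TOPOLOGY = {"gateway": ["dmz", "lan"], "lan": ["lan-a", "lan-b"]}
MASTER = b"constructed master secret for the example"   # in practice: random, held by the root

def build_modules() -> Dict[str, Module]:
    idx = index_tree(TOPOLOGY, "gateway")
    return {name: Module(i, key_from_master(MASTER, i)) for name, i in idx.items()}
```

The hierarchy property comes from the one-way step: the gateway or the LAN module can recompute `lan-a`'s key and so issue or check messages bound to it, while `dmz` and `lan-a` cannot derive the LAN or gateway keys. The caveat is that this is a shared-key construction: a message tagged under a subtree key proves only that someone holding that key or an ancestor key produced it, so parent-to-child commands and child-to-parent reports cannot be told apart by the tag alone. That is the kind of gap that digital signatures and the two-sided authentication the abstract claims for the dormant public key scheme address.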
Keywords/Search Tags: Hierarchical firewall, Access control, Decision tree classifier, Indexed tree, Dormant public key