
Research On Embedded Firewall And Its Key Technologies

Posted on: 2009-08-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: B Chen
Full Text: PDF
GTID: 1118360302489944
Subject: Computer application technology
Abstract/Summary:
With the growing popularity of the Internet, networks have become more and more important. At the same time, network and information security is receiving more and more attention, because the open and interconnected nature of networks makes them easy to attack. In a network and information security protection system, the traditional centralized firewall is located at the edge of the network, separating the trusted area from the untrusted one, blocking unauthorized traffic entering or leaving the protected network and keeping the network away from attacks. As the first gate of security, the traditional centralized firewall has done its job in its own way. However, it still has limitations: it depends too much on the network topology; it cannot protect against attacks initiated from inside; and traffic is so centralized that the firewall becomes a bottleneck. Distributed firewalls can solve these problems and have attracted the attention of many researchers.

Distributed firewalls push protection to the desktop. A policy server generates and dispatches the policies; the firewalls at the endpoints execute them and monitor inbound and outbound packets. There are two ways to build a distributed firewall: one is implemented in software, the other in hardware. The software approach has a functional weakness, while the hardware-based distributed firewall, once combined with embedded technology, is called an embedded firewall. This dissertation focuses on the key technologies of the embedded firewall, mainly packet classification, policy generation, policy distribution, service performance measurement and firewall construction. The main contributions of this dissertation are summarized as follows:

(1) A novel regional partition algorithm for packet classification is proposed. Through a heuristic lookup that combines a heuristic algorithm with a space geometry algorithm,
it dynamically calculates the partition of the policy database and distributes it proportionally according to an adjustable factor. The resulting decision tree is shallower, the time and space needed for lookup are smaller, and the time complexity is O(D + dM), where D is the depth of the decision tree, d is the number of dimensions and M is the maximum number of rules at one point.

(2) A policy generation algorithm based on restricted roles is proposed. Because the embedded firewall is power-limited, numerous at the endpoints and dispersed over many points, this algorithm was developed from research on RBAC. The policy server establishes the policy for the whole region and the policy for the restricted role, generates the policy for each partition by set calculation, and then derives the policies for all clients. The algorithm ensures integrity, security and consistency.

(3) A policy distribution algorithm built on an enhanced push and pull mechanism is proposed, and the performance of the policy server is measured. After a detailed analysis of the push and pull mechanisms of traditional policy distribution, this dissertation focuses mainly on policy distribution during initialization and during policy update, aiming to reduce the traffic and load caused by policy distribution. To measure the service performance of the embedded policy server, an M/M/1 queue model is used; the instruction cycle of the embedded firewall and the instruction count of the processing program are introduced as parameters, and the relationship between the service rate and the settings of the embedded device is calculated. These results serve as a reference for further work on embedded firewalls.

(4) A novel construction mechanism for an embedded firewall built on an ARM processor is proposed. ARM is powerful, programmable and cheap. The framework of the ARM-based embedded firewall is introduced, together with the modular design of its hardware and software.
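The regional partition algorithm in contribution (1) is described only through its decision tree and its O(D + dM) lookup bound. As an added illustration (not the dissertation's algorithm or code), the Python below builds a HiCuts-style decision tree over a constructed four-dimensional rule set: each node cuts one dimension of its region into equal slices, the slice count is raised while a space budget governed by an adjustable factor `spfac` allows it, and a lookup walks the tree (the D term) and then scans only the rules left in the leaf (the M term). The sample policy, the heuristic for choosing the cut dimension, and the names `spfac`, `leaf_max`, `build` and `classify` are all assumptions made here.

```python
# HiCuts-style decision-tree packet classifier (added illustration; not the dissertation's own algorithm).
from dataclasses import dataclass, field
from typing import List, Tuple

Range = Tuple[int, int]                      # inclusive [lo, hi]
ANY_IP, ANY_PROTO, ANY_PORT, TCP, UDP = (0, 2**32 - 1), (0, 255), (0, 65535), 6, 17

def ip2int(s: str) -> int:
    return int.from_bytes(bytes(int(x) for x in s.split(".")), "big")

def cidr(s: str) -> Range:
    addr, bits = s.split("/")
    host = (1 << (32 - int(bits))) - 1        # mask of the host part
    return (ip2int(addr) & ~host, ip2int(addr) | host)

@dataclass
class Rule:
    name: str
    ranges: List[Range]                      # one inclusive range per dimension
    action: str
    def matches(self, pkt) -> bool:
        return all(lo <= v <= hi for (lo, hi), v in zip(self.ranges, pkt))
    def overlaps(self, region: List[Range]) -> bool:
        return all(rlo <= ghi and rhi >= glo for (rlo, rhi), (glo, ghi) in zip(self.ranges, region))

@dataclass
class Node:
    region: List[Range]
    rules: List[Rule]                        # every rule overlapping `region`, priority order
    dim: int = -1                            # dimension cut at this node; -1 marks a leaf
    step: int = 0                            # width of each slice along `dim`
    children: List["Node"] = field(default_factory=list)

def choose_dim(rules, region) -> int:
    # Dimension with the most distinct rule boundaries strictly inside the region (-1 if none).
    best, best_spread = -1, 0
    for d, (glo, ghi) in enumerate(region):
        spread = len({x for r in rules for x in r.ranges[d] if glo < x < ghi})
        if spread > best_spread:
            best, best_spread = d, spread
    return best

def slice_region(rules, region, dim, k):
    # Cut region[dim] into k equal slices; return (slice width, [(sub-region, its rules)]).
    glo, ghi = region[dim]
    step = -(-(ghi - glo + 1) // k)          # ceiling division
    pieces = []
    for i in range(k):
        lo, hi = glo + i * step, min(glo + (i + 1) * step - 1, ghi)
        if lo > hi: break                    # ceiling rounding can leave trailing empty slices
        sub = region[:dim] + [(lo, hi)] + region[dim + 1:]
        pieces.append((sub, [r for r in rules if r.overlaps(sub)]))
    return step, pieces

def build(rules, region, leaf_max=3, spfac=4, depth=0, max_depth=32) -> Node:
    node = Node(region=list(region), rules=list(rules))
    dim = choose_dim(rules, region)
    if len(rules) <= leaf_max or depth >= max_depth or dim < 0:
        return node                          # leaf: few rules, or nothing left to separate
    # Adjustable factor: double the slice count while rule copies plus child slots stay within spfac * |rules|.
    budget, k = spfac * len(rules), 2
    step, pieces = slice_region(rules, region, dim, k)
    while 2 * k <= region[dim][1] - region[dim][0] + 1:
        s, p = slice_region(rules, region, dim, 2 * k)
        if sum(len(rs) for _, rs in p) + 2 * k > budget:
            break
        k, step, pieces = 2 * k, s, p
    node.dim, node.step = dim, step
    node.children = [build(rs, sub, leaf_max, spfac, depth + 1, max_depth) for sub, rs in pieces]
    return node

def classify(root: Node, pkt) -> Tuple[str, int, int]:
    # Return (action, tree depth walked, rules scanned in the leaf).
    node, depth = root, 0
    while node.dim >= 0:
        glo = node.region[node.dim][0]
        node = node.children[(pkt[node.dim] - glo) // node.step]
        depth += 1
    for scanned, r in enumerate(node.rules, 1):   # leaf keeps priority order
        if r.matches(pkt):
            return r.action, depth, scanned
    return "deny", depth, len(node.rules)         # nothing matched: default deny

def pkt(src: str, dst: str, proto: int, dport: int):
    return (ip2int(src), ip2int(dst), proto, dport)

# Constructed sample policy (not from the dissertation); first match wins.
RULES = [
    Rule("ssh-admin", [cidr("192.168.1.0/24"), cidr("10.0.0.5/32"), (TCP, TCP), (22, 22)], "allow"),
    Rule("web",       [ANY_IP, cidr("10.0.0.0/8"), (TCP, TCP), (80, 80)], "allow"),
    Rule("no-udp",    [ANY_IP, ANY_IP, (UDP, UDP), ANY_PORT], "deny"),
    Rule("lan-out",   [cidr("192.168.0.0/16"), ANY_IP, ANY_PROTO, ANY_PORT], "allow"),
    Rule("default",   [ANY_IP, ANY_IP, ANY_PROTO, ANY_PORT], "deny"),
]
TREE = build(RULES, [ANY_IP, ANY_IP, ANY_PROTO, ANY_PORT])
SAMPLE_PACKETS = [pkt("192.168.1.10", "10.0.0.5", TCP, 22), pkt("172.16.0.1", "10.9.9.9", TCP, 80),
                  pkt("192.168.5.5", "8.8.8.8", UDP, 53), pkt("192.168.5.5", "8.8.8.8", TCP, 443),
                  pkt("1.2.3.4", "5.6.7.8", TCP, 443), pkt("192.168.1.10", "10.0.0.5", UDP, 22)]

def linear_classify(p) -> str:
    # Reference answer: scan every rule in order; the tree must always agree with it.
    return next((r.action for r in RULES if r.matches(p)), "deny")
```

The linear scan over the whole rule list is kept as the reference answer: because every leaf holds all rules overlapping its region in priority order, the tree must return the same first match, and that equivalence is the property to re-check whenever the cut heuristic or the space factor is changed. Raising `spfac` buys a shallower tree at the cost of more rule copies, which is the memory-versus-lookup-time trade the abstract's adjustable factor controls.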
The S3C2410X chipset with the ARM920T core was selected to build the hardware, which offers high performance and high flexibility; the hardware of the EFW is divided into a core board and an expansion board, giving high stability, reliability and expandability. The software design work mainly includes customizing and porting the bootloader and the Linux operating system, building the file system, writing the network card driver and developing the security application. More security applications could be developed on this platform, which carries independent copyright and intellectual property. The embedded firewall developed here has been patented by the government (it obtained two national patents: invention patent 200810018852.8 and utility model patent 200820031113.8), which moves the embedded firewall from the laboratory into practical application and forms a national information security product with independent copyright and its own core know-how.
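Contribution (3) measures the policy server with an M/M/1 queue whose service rate is tied to the instruction cycle and instruction count of the embedded device. The Python below is an added worked example of that model, not the dissertation's own calculation: the clock frequency, cycles per instruction and instructions per request are constructed figures, and the functions `service_rate`, `mm1` and `max_clients` are names chosen here.

```python
# M/M/1 service model for an embedded policy server (added illustration, not the
# dissertation's calculation).  Requests arrive at rate lam and are served one at a
# time at rate mu; mu follows from the device settings.
from dataclasses import dataclass

@dataclass
class Metrics:
    rho: float      # server utilisation (fraction of time busy)
    L: float        # mean number of requests in the system
    W: float        # mean time a request spends in the system, seconds
    Wq: float       # mean time a request waits before service, seconds

def service_rate(clock_hz: float, cycles_per_instr: float, instr_per_request: float) -> float:
    # Requests per second the server completes: the inverse of the per-request service time.
    service_time = instr_per_request * cycles_per_instr / clock_hz
    return 1.0 / service_time

def is_stable(lam: float, mu: float) -> bool:
    # An M/M/1 queue only has a steady state when arrivals are slower than service.
    return lam < mu

def mm1(lam: float, mu: float) -> Metrics:
    if not is_stable(lam, mu):
        raise ValueError(f"unstable: lam={lam} >= mu={mu}, the backlog grows without bound")
    rho = lam / mu
    W = 1.0 / (mu - lam)
    return Metrics(rho=rho, L=rho / (1 - rho), W=W, Wq=W - 1.0 / mu)

def max_clients(per_client_rate: float, mu: float, target_rho: float = 0.7) -> int:
    # Largest client population the server carries while utilisation stays at or below target.
    return int(target_rho * mu / per_client_rate)

# Constructed device settings (assumed for illustration; not figures from the dissertation).
CLOCK_HZ = 200e6            # core clock
CPI = 1.5                   # average cycles per instruction
INSTR_PER_REQUEST = 40_000  # instructions executed per policy request
MU = service_rate(CLOCK_HZ, CPI, INSTR_PER_REQUEST)   # about 3333 requests/s

if __name__ == "__main__":
    for lam in (500.0, 2000.0, 3200.0, 4000.0):
        try:
            m = mm1(lam, MU)
            print(f"lam={lam:6.0f}  rho={m.rho:.2f}  L={m.L:6.2f}  W={m.W * 1e3:.2f} ms")
        except ValueError as err:
            print(f"lam={lam:6.0f}  {err}")
    print("clients at rho<=0.7 with one request/s each:", max_clients(1.0, MU))
```

The stability check is the caveat that matters in practice: an initialization storm, in which many endpoint firewalls pull their policy at the same time, pushes the arrival rate towards the service rate, and as the utilisation approaches 1 the mean response time 1/(mu - lam) grows without bound. The device settings therefore have to be chosen for the burst rate during initialization and policy update, not for the average load.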
Keywords/Search Tags: embedded firewall, policy generation, policy distribution, packet classification, role, ARM processor