
The Realization Of HA Stateful Firewall Based On Linux

Posted on: 2005-04-06
Degree: Master
Type: Thesis
Country: China
Candidate: Z G Xie
Full Text: PDF
GTID: 2168360125450652
Subject: Computer software and theory

Abstract/Summary:
1. INTRODUCTION

With more and more hosts being connected to the Internet, the importance of securing connected networks has increased too. One mechanism to provide enhanced security for a network is to filter out potentially malicious network packets. Firewalls are designed to provide "policy-based" network filtering and to block communications forbidden by the network policy.

A firewall may consist of several components; its key component is usually a packet filter. Packet filters are of two types: stateless packet filters and stateful packet filters. A packet filter may be stateful in order to reach more informed decisions: the state allows it to keep track of established connections so that arriving packets can be associated with them. A stateless packet filter, on the other hand, bases its decisions solely on individual packets.

Stateful packet filtering implies that the firewall inspects not only single packets but also knows about established connections. Any rule that passes a packet may create an entry in the state table. Before the rule set is evaluated for a packet, the state table is searched for a matching entry; if the packet is part of a tracked connection, it is passed unconditionally, without rule set evaluation. Stateless packet filters are simpler to implement, but more complicated to configure, and ultimately much less secure than packet filters that keep state. From the perspective of a stateless packet filter, every arriving packet is a new packet, with no relationship to any packet that came before or after. Since most useful network conversations have two sides, stateless packet filters need two rules for each kind of network traffic they allow: one for the request and another for the reply. Because a stateful firewall reaches its decisions from the state table, the state table is critical, especially in network systems that must provide uninterrupted service 24 hours a day, 7 days a week.

On most networks, however, the firewall is a single point of failure: when the firewall goes down, inside users are unable to surf the web. This problem can be solved by placing two (or more) firewalls in parallel. All traffic passes through the primary firewall; when it fails, the backup firewall assumes the identity of the primary firewall and continues where it left off. Existing connections are preserved, and network traffic continues as if nothing had happened.

2. MAIN RESEARCH AND WORK

This paper has two parts. The first part analyzes the principle of the stateful firewall, the realization of the Linux firewall, and an improvement of its stateful packet filter; two methods are then implemented to synchronize the firewall state table, so that when the backup firewall takes over from the main firewall it can continue working. The second part is network take-over, which is implemented according to VRRP. The vrrpd currently provided for Linux monitors only one network interface and cannot monitor multiple interfaces; this paper implements monitoring of multiple network interfaces. The paper's work and conclusions are as follows:

(1) The Linux firewall supports stateful packet filtering: state inspection is realized by the connection tracking mechanism, but the connection state is not itself used to filter packets and serves only as a match option in the rule set. This paper realizes a stateful packet filter on top of it. Once a connection is established, all packets after that (for that session) are processed rapidly, because it is simple and fast to determine whether a packet belongs to an existing, pre-screened session. Once the session has ended, its entry in the state table is discarded.

(2) Two ways to synchronize the state table:

1. The firewalls are connected by shared media. In this case all the firewalls receive packets at the same time and keep the same state table, but the backup firewall does not forward packets until the main firewall fails. Since the state table is the same on all nodes, when the backup node takes over, network traffic continues as if nothing had happened.

2. The firewalls are connected by shared media such as a switch. In this case the switch does not transmit the p...
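The following Python model illustrates two points of the abstract at once: the state-table lookup that precedes rule evaluation (including the discard of an entry when a session ends, and why a stateless filter needs a second rule for the reply direction), and the shared-media synchronization scheme in which primary and backup firewalls see the same packets, keep identical state tables, and only the primary forwards until the backup takes over. It is an added example, not code from the thesis or from the Linux connection tracking code; the `Packet`/`Rule`/`StatefulFilter` classes, the rule set, and all addresses and ports are constructed for illustration, and the session-teardown handling is simplified to "discard on FIN or RST".

```python
"""Toy stateful packet filter with a state table, plus hot-standby
state synchronization by feeding two filters the same packet stream.
Added example (not thesis code); every address, port and rule is a
constructed sample value."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "F", "R"

@dataclass
class Rule:
    action: str                   # "accept" or "drop"
    dst: Optional[str] = None     # None matches any destination address
    dport: Optional[int] = None   # None matches any destination port
    keep_state: bool = True       # accepted packets create a state entry

    def matches(self, p: Packet) -> bool:
        return ((self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))

FlowKey = Tuple[str, str, int, str, int]

class StatefulFilter:
    """State table is consulted first; the rule set only sees new flows."""
    def __init__(self, rules: List[Rule], forwarding: bool = True):
        self.rules = list(rules)
        self.state: Dict[FlowKey, str] = {}
        self.forwarding = forwarding   # a backup node keeps state but does not forward
        self.forwarded = 0             # packets actually passed onto the wire

    @staticmethod
    def _keys(p: Packet) -> Tuple[FlowKey, FlowKey]:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)   # reply direction
        return fwd, rev

    def process(self, p: Packet) -> str:
        fwd, rev = self._keys(p)
        tracked = fwd if fwd in self.state else rev if rev in self.state else None
        if tracked is not None:
            # Part of a tracked connection: pass without rule evaluation.
            if "F" in p.flags or "R" in p.flags:
                del self.state[tracked]    # session ended: discard its entry (simplified)
            return self._verdict("accept")
        for r in self.rules:               # first matching rule wins
            if r.matches(p):
                if r.action == "accept" and r.keep_state:
                    self.state[fwd] = "established"
                return self._verdict(r.action)
        return self._verdict("drop")       # default policy: drop

    def _verdict(self, v: str) -> str:
        if v == "accept" and self.forwarding:
            self.forwarded += 1
        return v

    def take_over(self) -> None:
        """Backup assumes the primary's role and starts forwarding."""
        self.forwarding = True

# Constructed policy: only inbound web traffic to one server is allowed.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
RULES = [Rule("accept", dst=SERVER, dport=80)]
STREAM = [
    Packet("tcp", CLIENT, 40000, SERVER, 80, "S"),        # new flow, matches the rule
    Packet("tcp", SERVER, 80, CLIENT, 40000, "SA"),       # reply: passed via state only
    Packet("tcp", SERVER, 80, CLIENT, 40001, "SA"),       # unsolicited: no state, no rule
    Packet("tcp", "203.0.113.7", 5555, SERVER, 22, "S"),  # ssh: not in the policy
    Packet("tcp", CLIENT, 40000, SERVER, 80, "F"),        # session ends, entry discarded
    Packet("tcp", SERVER, 80, CLIENT, 40000, "A"),        # late packet after teardown
]

def run_stateful() -> List[str]:
    fw = StatefulFilter(RULES)
    return [fw.process(p) for p in STREAM]

def run_stateless() -> List[str]:
    # Same rule without state: the reply needs its own rule, which is absent.
    fw = StatefulFilter([Rule("accept", dst=SERVER, dport=80, keep_state=False)])
    return [fw.process(p) for p in STREAM]

def run_failover() -> dict:
    primary = StatefulFilter(RULES, forwarding=True)
    backup = StatefulFilter(RULES, forwarding=False)
    for p in STREAM[:2]:                   # shared media: both nodes see every packet
        primary.process(p)
        backup.process(p)
    tables_equal = primary.state == backup.state
    forwarded_before = backup.forwarded    # backup has passed nothing onto the wire
    backup.take_over()                     # primary fails; backup assumes its identity
    late = Packet("tcp", CLIENT, 40000, SERVER, 80, "A")   # data on the existing session
    verdict = backup.process(late)         # accepted from state, no rule needed
    return {"tables_equal": tables_equal, "forwarded_before": forwarded_before,
            "verdict_after_takeover": verdict, "forwarded_after": backup.forwarded}

if __name__ == "__main__":
    print(run_stateful())    # ['accept', 'accept', 'drop', 'drop', 'accept', 'drop']
    print(run_stateless())   # ['accept', 'drop', 'drop', 'drop', 'accept', 'drop']
    print(run_failover())
```

The contrast between `run_stateful` and `run_stateless` is the abstract's point about rule count: with state, the single accept rule also admits the reply direction, whereas without state the reply is dropped until a second rule is written. `run_failover` is the shared-media case: because the backup processed the same stream, its table already holds the connection, so a mid-session packet is accepted immediately after take-over without any rule evaluation.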
Keywords/Search Tags: Firewall, stateful packet filter, state table, network take-over