
Research And Design Of Distributed Firewall

Posted on: 2005-09-29 | Degree: Master | Type: Thesis
Country: China | Candidate: Y L Fan | Full Text: PDF
GTID: 2168360125966833 | Subject: Computer application technology
Abstract/Summary:
The power of the Internet comes from its extensive connectivity and openness, which are also what make it insecure. A traditional perimeter firewall is placed between the internal network and the external network as a network security policy fixed in advance: it checks and filters the data passing into and out of the internal network for legitimacy and thereby protects the internal network. But as the Internet has developed, with new connection methods, external networks, the appearance of encrypted communication and ever-increasing bandwidth, the limitations of the traditional perimeter firewall have become apparent.

To overcome the defects of the traditional perimeter firewall while keeping its advantages, the concept of the distributed firewall has been proposed. Its essential characteristic can be summarized as "centralized policy, distributed enforcement, distributed logging": the security policy is defined by the administrator and pushed to the hosts at the edge of the network, while the logs are collected and managed centrally.

This paper analyses and studies the structure of the distributed firewall system and then proposes a new design that fully utilizes existing technology. The traditional perimeter firewall is retained and extended to the terminal stations of the internal network, forming a multi-level, all-round security system. So that the perimeter firewall can protect the whole network well, the system defends the border with a firewall into which an Intrusion Detection System (IDS) is embedded. Intercepted datagrams are marked in the firewall in real time, so legal data that has passed the check can be sent through the border defense system directly; this reduces the number of IDS matches. If a datagram has not been verified as legal, it is read from kernel space to user space and sent to the IDS: the firewall blocks the traffic when an intrusion is found, otherwise the datagram is handled according to the firewall rules. Communication among the administrative center, the host firewalls and the perimeter firewall uses the OpenSSH encrypted communication mechanism, which makes communication between the administrative center, the host firewalls and the border defense system safer.
Keywords/Search Tags: Distributed firewall, OpenSSH tunnel, inline linkage, Snort_inline, Netfilter framework
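The border-defense pipeline the abstract describes (firewall marks verified traffic so it bypasses the IDS; only unverified datagrams are handed up to the inline IDS; a detected intrusion causes the firewall to block) is easier to see as a small simulation. The following is an added illustration, not the thesis's own code or the Netfilter/Snort_inline implementation it refers to: the flow key, the firewall rule set, the IDS signature and the sample packets are all constructed assumptions, and the kernel-side packet marking is stood in for by a Python set.

```python
"""Simulation of a firewall with an embedded inline IDS (constructed example).

In the real system the marking happens in the Netfilter framework and the
IDS (Snort_inline) runs in user space; here both are plain Python so the
effect of marking on the number of IDS inspections can be counted.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

FlowKey = Tuple[str, str, int, str]  # (src, dst, dport, proto) -- assumed flow key


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.dport, self.proto)


@dataclass
class Stats:
    ids_inspections: int = 0  # datagrams copied to user space and matched by the IDS
    passed_direct: int = 0    # datagrams of marked flows forwarded without an IDS match
    blocked: int = 0          # datagrams dropped because of a detected intrusion


class BorderDefense:
    def __init__(self, allow_rule: Callable[[Packet], bool], ids: Callable[[Packet], bool]):
        self.allow_rule = allow_rule        # firewall policy (pushed from the admin center)
        self.ids = ids                      # inline IDS: True when an intrusion is detected
        self.verified: Set[FlowKey] = set()  # flows marked legal after passing the check
        self.blocked_src: Set[str] = set()   # sources blocked after an intrusion
        self.stats = Stats()
        self.log: List[Tuple[str, str, FlowKey]] = []  # (verdict, reason, flow)

    def handle(self, pkt: Packet) -> str:
        key = pkt.key()
        if pkt.src in self.blocked_src:
            self.stats.blocked += 1
            self.log.append(("drop", "blocked-source", key))
            return "drop"
        if key in self.verified:
            # Marked flow: forwarded directly, no IDS match needed
            self.stats.passed_direct += 1
            return "accept"
        # Unverified datagram: hand it to the IDS (kernel space -> user space)
        self.stats.ids_inspections += 1
        if self.ids(pkt):
            self.blocked_src.add(pkt.src)
            self.stats.blocked += 1
            self.log.append(("drop", "intrusion", key))
            return "drop"
        # No intrusion: apply the ordinary firewall rules and mark the flow if accepted
        if self.allow_rule(pkt):
            self.verified.add(key)
            self.log.append(("accept", "verified", key))
            return "accept"
        self.log.append(("drop", "policy", key))
        return "drop"


def demo() -> Tuple[List[str], Stats]:
    """Run constructed traffic through the pipeline and return verdicts and counters."""
    def policy(p: Packet) -> bool:  # constructed rule set: only web traffic to one server
        return p.proto == "tcp" and p.dst == "10.0.0.10" and p.dport in (80, 443)

    def ids(p: Packet) -> bool:     # constructed signature: directory traversal in the payload
        return b"../" in p.payload

    bd = BorderDefense(policy, ids)
    pkts = [  # constructed sample datagrams
        Packet("203.0.113.5", "10.0.0.10", 80, "tcp", b"GET / HTTP/1.1"),
        Packet("203.0.113.5", "10.0.0.10", 80, "tcp", b"GET /index.html HTTP/1.1"),
        Packet("203.0.113.5", "10.0.0.10", 80, "tcp", b"GET /logo.png HTTP/1.1"),
        Packet("203.0.113.7", "10.0.0.10", 23, "tcp", b""),  # not allowed by policy
        Packet("203.0.113.9", "10.0.0.10", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1"),
        Packet("203.0.113.9", "10.0.0.10", 443, "tcp", b"hello"),  # same source, now blocked
    ]
    verdicts = [bd.handle(p) for p in pkts]
    return verdicts, bd.stats


if __name__ == "__main__":
    v, s = demo()
    print(v)
    print(s)
```

Of the six datagrams only three reach the IDS: the second and third packets of the already-verified web flow are forwarded on the mark alone, which is the saving in IDS matches the abstract refers to. The telnet packet is dropped by policy without ever being flagged as an intrusion, and once the IDS flags the traversal attempt the source is blocked by the firewall, so its later packet is dropped before any further inspection.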