
Study And Implement Of High Performance Firewall Technology

Posted on: 2006-06-01
Degree: Master
Type: Thesis
Country: China
Candidate: P Zhu
Full Text: PDF
GTID: 2168360152487298
Subject: Control theory and control engineering
Abstract/Summary:
With the dramatic world-wide growth of the Internet, it has penetrated into our daily life. At the same time it raises the problem of network security: people face the threat of intrusion while enjoying the convenience of the Internet. A variety of security technologies have been developed to deal with the worsening network situation. The firewall is one of the most important defensive measures and is deployed in diverse networks.

The evolution of the firewall has produced many implementation technologies. Traditional packet filtering processes packets at high speed, but its security is poor. The application gateway, conversely, inspects the validity of packets at the higher protocol layers, so it is more secure but has the drawback of slow processing speed. Stateful packet filtering combines the advantages of both, relaying packets at high speed while remaining secure, and has become the main implementation technology of firewalls today.

Stateful packet filtering is a high performance firewall technology. Its core, the stateful inspection mechanism, is the focus of this thesis. Our work is arranged as follows.

First of all, following the idea proposed by Guido van Rooij, which uses the regular variation of the sequence number and acknowledgment number of TCP datagrams to perform state matching, the thesis designs the window-tracking mechanism. It is based on the principles of TCP's sliding window protocol and on an analysis of the related buffers, which makes the derivation more transparent. The mechanism also fixes the disadvantage of Guido van Rooij's algorithm: it takes every transmission possibility into account and provides additional methods to guarantee the robustness of the stateful inspection mechanism.

Afterwards, the thesis uses the Netfilter framework in Linux to implement a prototype stateful packet filtering system based on the window-tracking mechanism.

Last but not least, a firewall penetration test against the prototype system and other firewalls has been carried out. The result demonstrates the immunity of the prototype system to forged-datagram penetration attacks and verifies the validity of the window-tracking mechanism.
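The following is an added illustration of the Guido van Rooij-style window checks that the abstract builds on: a per-direction record of sequence-number bounds, and four tests (upper and lower bound on the sequence number, upper and lower bound on the acknowledgment number) that a TCP datagram must satisfy before the connection table is updated. It is example code written for this page, not the thesis prototype, its Netfilter implementation or the thesis's own extensions; window scaling and SACK are ignored, the MAX_ACK_WINDOW tolerance is an assumed constant, and the handshake, payload and forged datagrams in `demo()` are constructed sample traffic.

```python
from dataclasses import dataclass, field

SEQ_MOD = 1 << 32
MAX_ACK_WINDOW = 66000  # assumed tolerance for how far an ACK may lag behind (constructed value)


def seq_before(a: int, b: int) -> bool:
    """True if a precedes b in 32-bit sequence-number space (wrap-around safe)."""
    return ((a - b) % SEQ_MOD) >= (SEQ_MOD >> 1)


def seq_after(a: int, b: int) -> bool:
    return seq_before(b, a)


@dataclass
class Direction:
    end: int = 0     # highest sequence number this side has sent (seq + len, plus SYN/FIN)
    maxend: int = 0  # highest sequence number the peer has allowed this side (peer ack + peer window)
    maxwin: int = 0  # largest window this side has advertised; 0 means no packet seen yet


@dataclass
class Connection:
    client: Direction = field(default_factory=Direction)
    server: Direction = field(default_factory=Direction)


def check_and_track(conn: Connection, from_client: bool, seq: int, ack: int, win: int,
                    payload_len: int, syn: bool = False, fin: bool = False,
                    ack_flag: bool = True) -> bool:
    """Accept the datagram only if it fits the window state; update state only on accept,
    so a rejected forged datagram can never poison the connection record."""
    sender, receiver = (conn.client, conn.server) if from_client else (conn.server, conn.client)
    end = (seq + payload_len + int(syn) + int(fin)) % SEQ_MOD

    if sender.maxwin == 0:
        # First datagram in this direction (SYN or SYN/ACK): nothing to compare against yet.
        sender.end = sender.maxend = end
        sender.maxwin = max(win, 1)
        seq_ok = True
    else:
        # I.  seq must not exceed what the peer has allowed this side to send.
        upper = not seq_after(seq, sender.maxend)
        # II. end must not fall further behind than the peer's window (retransmission tolerance).
        lower = receiver.maxwin == 0 or seq_after(end, (sender.end - receiver.maxwin - 1) % SEQ_MOD)
        seq_ok = upper and lower

    if ack_flag:
        # III. cannot acknowledge data the peer has never sent.
        ack_upper = not seq_after(ack, receiver.end)
        # IV.  an ACK may lag, but only by a bounded amount.
        ack_lower = not seq_before(ack, (receiver.end - MAX_ACK_WINDOW) % SEQ_MOD)
        ack_ok = ack_upper and ack_lower
    else:
        ack_ok = True

    if not (seq_ok and ack_ok):
        return False

    # Datagram accepted: advance the window state.
    if seq_after(end, sender.end):
        sender.end = end
    if win > sender.maxwin:
        sender.maxwin = win
    if ack_flag:
        allowed = (ack + win) % SEQ_MOD
        if seq_after(allowed, receiver.maxend):
            receiver.maxend = allowed
    return True


def demo() -> list:
    """Constructed traffic: a handshake, data both ways, two forged datagrams, one retransmission."""
    c = Connection()
    cisn, sisn = 1000, 50000  # constructed initial sequence numbers
    return [
        check_and_track(c, True, cisn, 0, 8192, 0, syn=True, ack_flag=False),   # SYN
        check_and_track(c, False, sisn, cisn + 1, 16384, 0, syn=True),          # SYN/ACK
        check_and_track(c, True, cisn + 1, sisn + 1, 8192, 0),                   # ACK
        check_and_track(c, True, cisn + 1, sisn + 1, 8192, 100),                 # client data
        check_and_track(c, False, sisn + 1, cisn + 101, 16384, 200),             # server data
        check_and_track(c, True, 900000, sisn + 201, 8192, 0),                   # forged: seq out of window
        check_and_track(c, True, cisn + 101, 999999, 8192, 0),                   # forged: ack of unsent data
        check_and_track(c, True, cisn + 1, sisn + 201, 8192, 100),               # genuine retransmission
    ]


if __name__ == "__main__":
    print(demo())
```

The two forged datagrams are dropped without touching the table, while the retransmission is tolerated because bound II allows a datagram to lag by up to the peer's advertised window; this is exactly the trade-off a window-tracking firewall has to get right.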
Keywords/Search Tags:Network security, Firewall, Stateful packet filtering, Window-tracking mechanism, Linux, Netfilter, Firewall penetration test