
Research And Realization Of The Multi-layer Firewall Based On The Special Protocol Stack

Posted on: 2006-08-22  Degree: Master  Type: Thesis
Country: China  Candidate: S T Lin  Full Text: PDF
GTID: 2168360155470844  Subject: Communication and Information System
Abstract/Summary:
This thesis addresses the research and realization of a multi-layer firewall based on a special-purpose protocol stack. The design runs on Linux: a loadable kernel module of our own replaces the Linux TCP/IP stack with a purpose-built network stack, and on top of it a firewall sets up defences from the data link layer through the network layer to the transport layer, with transparency, high security and high efficiency as its goals.

Most software firewalls running on general-purpose operating systems adopt the general TCP/IP stack and inevitably inherit its hidden problems. We therefore abandon the general stack and redesign a special TCP/IP stack strictly according to the relevant RFC documents.

Because firewalls are so widely deployed, attackers have developed many crafty attack methods, so that vulnerabilities from the low-level communication protocols up to the application layer all become targets. Security measures are therefore needed at every layer to safeguard the network. The multi-layer firewall has two facets: first, from the viewpoint of packet filtering, it sets up defences from the data link layer through the network layer to the transport layer so that illegal packets are filtered as early as possible; second, from the viewpoint of the intrusion process, it guards the whole sequence from information gathering and port scanning to the launch of a DoS attack.

At the data link layer, three problems are solved by improving the ARP handling:
1. Transparent mode is realized, which removes the difficulty of managing a firewall from a different subnet.
2. The IP addresses of powered-off computers on the local area network are protected through ARP.
3. ARP spoofing is defended against effectively by binding IP to MAC addresses or by handling ICMP redirect messages.

At the network layer, an efficient and secure fragment-reassembly strategy for the firewall is proposed.
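The IP-to-MAC binding check from point 3 of the data link layer measures, written out as an added example (it is not code from the thesis): an ARP frame is parsed, the Ethernet source is compared with the ARP sender hardware address, and a sender IP that appears in the binding table may only be claimed by its pinned MAC. The binding table, the addresses and the attacker MAC are constructed for the demo, and unbound addresses are passed through rather than dropped, which is a policy choice of this example.

```c
/* Added example, not the thesis's own code: validate ARP traffic against a static
 * IP-to-MAC binding table. Addresses and MACs below are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN       14
#define ARP_LEN        28
#define ETHERTYPE_ARP  0x0806
#define ARP_OP_REQUEST 1
#define ARP_OP_REPLY   2

enum arp_verdict { ARP_ACCEPT = 0, ARP_DROP = 1, ARP_NOT_ARP = 2 };

struct binding { uint32_t ip; uint8_t mac[6]; };

const uint8_t GATEWAY_MAC[6]  = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
const uint8_t HOST_MAC[6]     = {0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE};
const uint8_t ATTACKER_MAC[6] = {0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x01};
#define GATEWAY_IP 0xC0A80101u   /* 192.168.1.1 */
#define HOST_IP    0xC0A8010Au   /* 192.168.1.10 */

/* Constructed binding table: the addresses the firewall administrator has pinned. */
static const struct binding bindings[] = {
    { GATEWAY_IP, {0x00, 0x11, 0x22, 0x33, 0x44, 0x55} },
    { HOST_IP,    {0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE} },
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

static const struct binding *lookup_binding(uint32_t ip) {
    for (size_t i = 0; i < sizeof bindings / sizeof bindings[0]; i++)
        if (bindings[i].ip == ip) return &bindings[i];
    return NULL;
}

/* Judge one Ethernet frame. Non-ARP frames are handed on to the IP-layer checks. */
enum arp_verdict filter_arp_frame(const uint8_t *frame, size_t len) {
    if (len < ETH_HLEN || be16(frame + 12) != ETHERTYPE_ARP) return ARP_NOT_ARP;
    if (len < ETH_HLEN + ARP_LEN) return ARP_DROP;   /* truncated ARP: fail closed */
    const uint8_t *arp = frame + ETH_HLEN;
    /* Only Ethernet/IPv4 ARP with 6-byte hardware and 4-byte protocol addresses. */
    if (be16(arp) != 1 || be16(arp + 2) != 0x0800 || arp[4] != 6 || arp[5] != 4) return ARP_DROP;
    uint16_t op = be16(arp + 6);
    if (op != ARP_OP_REQUEST && op != ARP_OP_REPLY) return ARP_DROP;
    const uint8_t *sha = arp + 8;          /* sender hardware address */
    uint32_t spa = be32(arp + 14);         /* sender protocol address */
    /* The Ethernet source must agree with the ARP sender hardware address. */
    if (memcmp(frame + 6, sha, 6) != 0) return ARP_DROP;
    /* A bound IP may only be claimed by its pinned MAC. Requests are checked too,
     * because their sender fields update neighbour caches just like replies. */
    const struct binding *b = lookup_binding(spa);
    if (b && memcmp(b->mac, sha, 6) != 0) return ARP_DROP;
    return ARP_ACCEPT;                     /* unbound addresses are left to the next layer */
}

/* Build a constructed Ethernet+ARP frame into buf (at least 42 bytes); returns its length. */
size_t build_arp_frame(uint8_t *buf, uint16_t op, const uint8_t *eth_src,
                       const uint8_t *sha, uint32_t spa, const uint8_t *tha, uint32_t tpa) {
    static const uint8_t bcast[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    memcpy(buf, op == ARP_OP_REQUEST ? bcast : tha, 6);
    memcpy(buf + 6, eth_src, 6);
    buf[12] = 0x08; buf[13] = 0x06;
    uint8_t *arp = buf + ETH_HLEN;
    arp[0] = 0; arp[1] = 1;           /* hardware type: Ethernet */
    arp[2] = 0x08; arp[3] = 0x00;     /* protocol type: IPv4 */
    arp[4] = 6; arp[5] = 4;
    arp[6] = (uint8_t)(op >> 8); arp[7] = (uint8_t)op;
    memcpy(arp + 8, sha, 6);  put32(arp + 14, spa);
    memcpy(arp + 18, tha, 6); put32(arp + 24, tpa);
    return ETH_HLEN + ARP_LEN;
}

/* Verdict for a reply addressed to the host, sent from eth_src and claiming (sha, spa). */
enum arp_verdict arp_reply_verdict(const uint8_t *eth_src, const uint8_t *sha, uint32_t spa) {
    uint8_t frame[ETH_HLEN + ARP_LEN];
    size_t n = build_arp_frame(frame, ARP_OP_REPLY, eth_src, sha, spa, HOST_MAC, HOST_IP);
    return filter_arp_frame(frame, n);
}

int main(void) {
    printf("genuine gateway reply: %d\n", arp_reply_verdict(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP));
    printf("spoofed gateway reply: %d\n", arp_reply_verdict(ATTACKER_MAC, ATTACKER_MAC, GATEWAY_IP));
    printf("forged ethernet src:   %d\n", arp_reply_verdict(ATTACKER_MAC, GATEWAY_MAC, GATEWAY_IP));
    return 0;
}
```

Two caveats a deployment would add: the table must also cover the firewall's own addresses, and an unbound sender IP should be dropped rather than accepted on segments where every host is known, since the permissive default above still lets an attacker claim an address that was never pinned.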
The proposed fragment-reassembly strategy applies the filtering decision taken on the first fragment to the remaining fragments of the same datagram, which lightens the firewall's load, and it is the first to apply a splay-tree algorithm inside a firewall to order fragments, which improves reassembly efficiency and reduces the storage required. Against denial-of-service attacks and port scanning, corresponding measures are adopted at the network and transport layers; in particular, detection code and a defence routine are built into the Linux kernel, for the first time, to detect and defend against Smurf attacks in real time. Finally, the author summarizes the research and points out directions for further work.
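The first-fragment verdict propagation described above, as an added example that is not the thesis's code: the rule set is evaluated once, on the fragment that carries the transport header, the verdict is cached under (src, dst, id, proto), and every later fragment of that datagram inherits it. The packet fields, the fixed-size flow table, the port-23 rule and the endpoints are constructed for the demo; a fragment that arrives before its first fragment is held rather than passed, and a first fragment too short to carry the port numbers is dropped, both of which are this example's choices. The splay-tree ordering of fragments is not reproduced here.

```c
/* Added example, not the thesis's own code: cache the filtering verdict of the first
 * fragment and apply it to the later fragments of the same IPv4 datagram. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { V_ACCEPT = 0, V_DROP = 1, V_HOLD = 2 };

/* Fields a packet hook would read from the IPv4 header (and, at offset 0, from the
 * transport header that only the first fragment carries). */
struct frag {
    uint32_t src, dst;
    uint16_t id;
    uint8_t  proto;
    uint16_t offset;       /* payload byte offset: IPv4 fragment-offset field times 8 */
    int      more;         /* MF flag */
    uint16_t payload_len;
    uint16_t dport;        /* transport destination port; meaningful only at offset 0 */
};

#define MAX_FLOWS          64
#define MIN_FIRST_PAYLOAD  8    /* a real first fragment carries at least the port numbers */

struct flow {
    int used;
    uint32_t src, dst;
    uint16_t id;
    uint8_t  proto;
    enum verdict verdict;   /* decision taken on the first fragment */
    uint32_t bytes_seen;    /* payload bytes accounted so far */
    uint32_t total_len;     /* known once the MF=0 fragment arrives, else 0 */
};
static struct flow flows[MAX_FLOWS];   /* fixed table: no allocation on the packet path */

void reset_flows(void) { memset(flows, 0, sizeof flows); }
int active_flows(void) {
    int n = 0;
    for (int i = 0; i < MAX_FLOWS; i++) n += flows[i].used;
    return n;
}

static struct flow *find_flow(const struct frag *f, int create) {
    struct flow *spare = NULL;
    for (int i = 0; i < MAX_FLOWS; i++) {
        struct flow *e = &flows[i];
        if (!e->used) { if (!spare) spare = e; continue; }
        if (e->src == f->src && e->dst == f->dst && e->id == f->id && e->proto == f->proto) return e;
    }
    if (!create || !spare) return NULL;
    memset(spare, 0, sizeof *spare);
    spare->used = 1; spare->src = f->src; spare->dst = f->dst; spare->id = f->id; spare->proto = f->proto;
    return spare;
}

/* Constructed policy standing in for the rule set: block TCP to port 23, accept the rest. */
static enum verdict policy(const struct frag *f) {
    return (f->proto == 6 && f->dport == 23) ? V_DROP : V_ACCEPT;
}

enum verdict filter_fragment(const struct frag *f) {
    if (f->offset == 0) {
        if (!f->more) return policy(f);                         /* not fragmented: stateless */
        if (f->payload_len < MIN_FIRST_PAYLOAD) return V_DROP;  /* tiny-fragment evasion */
        struct flow *e = find_flow(f, 1);
        if (!e) return V_DROP;                                   /* table full: fail closed */
        e->verdict = policy(f);                                  /* rules evaluated exactly once */
        e->bytes_seen = f->payload_len;
        return e->verdict;
    }
    struct flow *e = find_flow(f, 0);
    if (!e) return V_HOLD;        /* arrived before its first fragment: queue, do not guess */
    enum verdict v = e->verdict;  /* inherit the first fragment's decision */
    e->bytes_seen += f->payload_len;
    if (!f->more) e->total_len = (uint32_t)f->offset + f->payload_len;
    if (e->total_len && e->bytes_seen >= e->total_len) e->used = 0;  /* complete: free the slot */
    return v;
}

/* Constructed fragment between fixed endpoints 10.0.0.5 -> 10.0.0.9, for the demo and tests. */
struct frag make_frag(uint16_t id, uint8_t proto, uint16_t offset, int more,
                      uint16_t payload_len, uint16_t dport) {
    struct frag f = { 0x0A000005u, 0x0A000009u, id, proto, offset, more, payload_len, dport };
    return f;
}

int main(void) {
    reset_flows();
    struct frag a = make_frag(7, 6, 0, 1, 512, 23);      /* telnet, first of three fragments */
    struct frag b = make_frag(7, 6, 512, 1, 512, 0);
    struct frag c = make_frag(7, 6, 1024, 0, 100, 0);
    int va = filter_fragment(&a), vb = filter_fragment(&b), vc = filter_fragment(&c);
    printf("first: %d, middle: %d, last: %d, flows left: %d\n", va, vb, vc, active_flows());
    return 0;
}
```

The table frees a slot only when the byte count reaches the length learned from the MF=0 fragment, so a production hook would add a timer to expire entries whose last fragment never arrives, and a check for overlapping or duplicate offsets before counting them, otherwise a sender can keep slots occupied or complete a datagram with overlapping data.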
Keywords/Search Tags: Firewall, Protocol Stack, DoS, Fragment Reassemble, Port Scan