
Research On Implementation Technology Of Rule Management Of Packet-filtering Firewall

Posted on: 2005-11-29
Degree: Master
Type: Thesis
Country: China
Candidate: J Xie
Full Text: PDF
GTID: 2168360155471814
Subject: Computer Science and Technology

Abstract/Summary:
Along with the rapid development of the Internet, network security problems have become more and more severe. The firewall is a network security device that has matured in recent years. In particular, the packet-filtering hardware firewall integrates functions such as connection tracking, NAT, VLAN, and MPLS. Because it has many advantages, such as simplicity, speed, low cost, transparency, and full-scale protection, this kind of firewall is applied to all kinds of networks. The key part of a packet-filtering hardware firewall is its rules; however, their management and maintenance are very complex. If the device is managed improperly, the rules can reduce the performance of the firewall or introduce security problems. The technology of rule management is therefore very important for packet-filtering firewalls: it not only makes the network operator's management and maintenance of firewall rules easy, but also allows the functions of the firewall to be extended conveniently.

In this paper, we analyse the Linux firewall code in depth, especially IPTABLES, which manages the rules. We explain the software and hardware algorithms for packet classification. Then, combining the characteristics of packet-filtering firewalls with experience accumulated in projects, we propose a packet classification algorithm based on Patricia and a hardware algorithm based on content addressable memory (CAM). These are the foundation for implementing rule management technology for packet-filtering firewalls.

Based on this idea, we first study the network processor (NP), which is based on the Patricia tree, and propose a design scheme for rule management technology based on the NP, combining the characteristics of packet-filtering firewalls. Second, after analyzing CAM and its lookup algorithm, we provide a design scheme for rule management technology based on CAM and evaluate its performance.
Keywords/Search Tags:packet-filtering firewall, rule, network processor, content addressable memory, tree search engine