
Research And Implementation Of Firewall Technology With Role-Based Access Control

Posted on: 2006-10-31  Degree: Master  Type: Thesis
Country: China  Candidate: Y Tang
GTID: 2168360155952992  Subject: Computer application technology
Abstract/Summary:
Computer networks bring great convenience to people's lives, but at the same time they make security problems more prominent by the day. To guarantee the privacy of network users, the security of shared data and the integrity of shared resource information, many security technologies and products have been proposed, each addressing network security at a different level. The firewall is a crucial protection technology in the network security field and has therefore always been favoured. But as attack techniques change continuously along with the network, traditional firewall technology can no longer meet people's security demands; how firewalls can play their role better in the future still awaits further research and development. After comparing and analyzing various traditional firewall technologies, this paper chooses the widely used Windows operating system as its platform and carries out further research on the kernel modules of a firewall. By analyzing the network architecture of the Windows operating system, we identify the different levels at which network data packets can be intercepted. After comparing the advantages and disadvantages of the current packet interception approaches, this paper selects NDIS HOOK and SPI technology to control the whole system's network data packets from the network layer and the application layer, and further combines them with the strategy of Role-Based Access Control to filter data packets. This remedies the defects of traditional firewall technology and simplifies the management of filter rules, so that the efficiency and security of the system are improved. The kernel part of this system adopts NDIS HOOK technology to intercept and control data packets at the network layer. The NDIS HOOK technology conforms to the Network Driver Interface Specification.
It runs in kernel mode and hooks the key functions of the NDIS API, i.e. it replaces the system's original API functions with functions written by itself, so that network data packets passing through the machine are first filtered by the self-defined functions and then passed on to the system functions to continue normal transmission. Taking the characteristics of the Windows 2000 operating system into account, this paper implements the hooking of system functions by modifying the export table of the NDIS library file. In the self-defined functions, the system processes the intercepted data packets and decides whether to discard them according to the security policy configured for the system, thereby preventing illegal data packets from entering or leaving the machine. This paper combines this with the most popular access control policy, Role-Based Access Control, to partition and manage network users and the filtering rules for IP data packets. The administrator defines different roles according to different network demands and responsibilities, assigns the corresponding filter rules to each role, logically divides the network into segments and assigns different roles to different network users. The system first parses the format of the intercepted NDIS data packet, then checks the captured non-local IP address. For a legal IP address, the system finds the network user defined by the administrator, obtains the corresponding role, and then filters the data packet with that role's filter rules. This reduces the matching time of the filtering rules and raises the security of the system.
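The role lookup chain just described (parse the packet, take the non-local address, map it to a network user, then to a role, then to that role's filter rules) modelled in Python as an added example; this is not code from the thesis. The host address, the IP-to-user and user-to-role assignments, the rule tuples and the default-deny behaviour are constructed assumptions, since the abstract does not give the real rule format.

```python
import ipaddress
import struct

# Constructed sample policy (assumption): the thesis does not give its exact rule format.
HOST_IP = ipaddress.ip_address("10.0.0.5")           # the protected machine's own address
ROLE_RULES = {                                       # role -> ordered (proto, service_port, action); first match wins
    "web_user": [(6, 80, "allow"), (6, 443, "allow")],
    "admin":    [(6, 22, "allow"), (6, 80, "allow"), (6, 443, "allow"), (17, 53, "allow")],
}
USER_ROLE = {"alice": "admin", "bob": "web_user"}                # administrator's user -> role assignment
IP_USER = {"192.168.1.10": "alice", "192.168.1.20": "bob"}       # administrator's IP -> network user assignment

def parse_ipv4(frame: bytes) -> dict:
    """Parse the IPv4 header and, for TCP (6) / UDP (17), the port fields that follow it."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4                      # header length in bytes
    proto = frame[9]
    src, dst = ipaddress.ip_address(frame[12:16]), ipaddress.ip_address(frame[16:20])
    sport = dport = None
    if proto in (6, 17) and len(frame) >= ihl + 4:
        sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def filter_packet(frame: bytes) -> str:
    """Return 'allow' or 'deny' for one raw packet by walking IP -> user -> role -> rules."""
    pkt = parse_ipv4(frame)
    if pkt["dst"] == HOST_IP:                        # inbound: peer is the source, service port is dport
        peer, service_port = pkt["src"], pkt["dport"]
    elif pkt["src"] == HOST_IP:                      # outbound: peer is the destination, service port is sport
        peer, service_port = pkt["dst"], pkt["sport"]
    else:
        return "deny"                                # neither end is this host: drop
    user = IP_USER.get(str(peer))
    if user is None:
        return "deny"                                # unknown non-local address: no user, no role, no access
    for proto, port, action in ROLE_RULES[USER_ROLE[user]]:
        if proto == pkt["proto"] and port == service_port:
            return action                            # only this role's rules are scanned, not the whole rule base
    return "deny"                                    # no rule for this role matched: default deny

def build_packet(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Construct a minimal IPv4 header plus the first four bytes of a TCP/UDP header (sample input only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)
```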
Although NDIS HOOK technology can intercept all data packets entering and leaving the machine at the network layer, the system cannot obtain complete information at the NDIS layer about the processes that access the network, which easily leaves a gap. Therefore, in order to control the applications that access the network, this paper chooses SPI technology to intercept data packets at the application layer. SPI is a function added in Winsock 2.0. Through the open SPI interface, a self-defined SPI program can be written to hook the service functions supplied by the operating system, so that every network communication request based on Winsock is first handled by the self-defined SPI program and then executed by the original SPI program. This paper writes checking functions to check the application's name, and provides a counter to record the number of times the application has accessed the network. When an application first...
Keywords/Search Tags: Implementation