
Design And Implementation Of Firewall Integrated Distributed Billing System

Posted on: 2007-10-05  Degree: Master  Type: Thesis
Country: China  Candidate: Z L Wang  Full Text: PDF
GTID: 2178360182996328  Subject: Computer software and theory
Abstract/Summary:
Traditionally, the billing system and the firewall both work at the network boundary in a centralized way. As the demand for throughput grows, this increasingly becomes the main bottleneck where the campus network joins the Internet. Furthermore, because the billing system and the firewall are connected serially in the traditional network structure, this serial connection further enlarges the bottleneck effects described above. Research on billing systems has moved from the simple information-gathering and accounting phase to a phase of enhanced control functions and technology, but the core question for both the billing system and the firewall is packet forwarding (the thesis calls this retransmission) according to control rules, namely the controlled packet classification problem. Precisely because of this, it is extremely significant to research and explore the integration of the billing system and the firewall. From an analysis of the current research situation and the development trends of billing systems and firewall technology, it can be seen that billing system implementation technology is developing towards a firewall-technology basis, and that future firewalls will probably also include billing functions. Packet filtering with state monitoring will become mainstream in the firewall area.

Based on the above thinking, this thesis proposes and implements a system called the Firewall Integrated Distributed Billing System (FIDBS). On the one hand, it integrates the two controls, billing forwarding control and firewall security control, into one forwarding control, and distributes the tasks of forwarding control and flow gathering to modules called Billing-Firewall Gateways (B&F Gateways). By this means the throughput capacity and extensibility of the system are enhanced and the bottleneck limit is broken. On the other hand, it adopts centralized monitoring management to control and administer the operating state of those B&F Gateways. This not only eliminates the inconvenience caused by distributed forwarding control and flow accounting but also greatly enhances the manageability of the system.

System design
On the widely recognized Linux platform and its netfilter framework, which is designed specially for packet filtering and forwarding, and based on the communication principles and data formats of the TCP/IP protocol suite, the overall design of FIDBS is given, adopting packet filtering with state monitoring. FIDBS consists of seven parts: the billing-firewall forwarding control module (Billing-Firewall Gateway, B&F Gateway), the real-time monitoring module, the firewall management module, the authorization management module, the account/log management module, the data registration service module and the database system. The Billing-Firewall Gateway operates in distributed mode; it is the function module for access control and data gathering. All Billing-Firewall Gateways are distributed to the gathering points of the internal network and connected with the boundary router. By this means, access control and flow gathering are implemented for packets flowing from every part of the internal network to the boundary router. All remaining modules operate in centralized mode. The whole architecture of FIDBS and the relations between its modules are shown in Fig. i.

For the security of the system's internal communication, a special virtual sub-network, a special-purpose VLAN, is set up to carry FIDBS internal data communication. Packets of the special-purpose VLAN are forwarded only inside the special-purpose VLAN and are not routed into any other sub-network. By this means, the security of FIDBS internal communication is safeguarded. The communication mechanism of FIDBS is as follows. Firstly, each B&F Gateway must have three network cards installed. Two of them operate in the internal network in promiscuous mode and do not need IP addresses; they are used to store and forward packets. The third operates in the special-purpose VLAN and needs an IP address in that VLAN; it is used to communicate with the real-time monitoring service module and the data registration service module. Secondly, the real-time monitoring service module, the data registration service module and the database system each install one network card; these operate in the special-purpose VLAN and each needs an IP address in it. Thirdly, each of the firewall management system, the authentication management system and the account/log management system installs two network cards: one operates in the internal VLAN and needs an internal network IP address, and is used to provide service to internal network users; the other operates in the special-purpose VLAN and needs an IP address in the special-purpose VLAN, and is used to communicate with the other modules.

Design and implementation of the essential module and its core algorithm
The B&F Gateway is the essential module of the whole system. The detailed architecture of the B&F Gateway is shown in Fig. ii. The packet filter module is the core algorithm of the B&F Gateway; its inner structure is shown in Fig. iii. The packet filter module is divided into the dynamic state monitor module and the static rule match module. The dynamic state monitor module uses and maintains several state monitor tables adapted to different protocols. The tables used in FIDBS are implemented as AVL trees, for which FIDBS designs traversal, search, balancing, deletion, update and other operations. The core question of the static rule match module is the packet classification problem.

Packet classification is a query problem of searching for the optimum result over multi-dimensional rules (attributes). Through a discussion of the geometric complexity and the evaluation criteria for such algorithms, three algorithms are analysed: linear search, Grid of Tries (GOT) and Recursive Flow Classification (RFC). The working principle of the RFC algorithm is introduced with emphasis. Based on an analysis of the characteristics of the firewall security rule set, a packet classification algorithm is implemented over the firewall security rule set. Based on an analysis of the IP control table, a directed-graph storage structure is designed to store the IP control table, which is updated frequently. Importantly, a special data structure for the IP control table is designed which can be unified with the firewall security rule set. This data structure is named leafipnode. Its pseudo-code shows as follows. Through two attributes of this data structure, FW_in_CBM and FW_out_CBM, the IP control table is connected with the firewall rule set. By this means, the efficiency is obviously higher than that of a simple serial superimposition of the two. The path of one packet through the IP control table and the RFC search set is shown in Fig. iv.

Integrating the billing system and the firewall is the characteristic and the innovation of FIDBS. This work can be seen as adding a firewall module to the billing system, or equally as adding a billing module to the firewall. In the system design and implementation, the state monitor table, the firewall rule set and the IP control table all adopt data structures and search algorithms that are recognized as highly efficient, stable and mature; by this means the efficiency and stability of the system are guaranteed. The special data structure unifying the firewall rule set and the IP control table is designed, so that the efficiency is obviously higher than a simple serial superimposition of the two. This efficiency enhancement demonstrates once more the advantage of integrating the two controls, billing forwarding and firewall security, into one forwarding control, and manifests the characteristics and superiority of FIDBS. The FIDBS system has achieved the goals of accuracy, security, stability and reliability, and basically reaches the anticipated design requirements.
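As an added illustration (not code from the thesis), the following Python model shows how a leaf node of the IP control table can carry the FW_in_CBM / FW_out_CBM class bitmaps so that a single lookup yields the billing check, an RFC-style firewall verdict and the traffic accounting; the rule fields, the LeafIPNode layout and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed rule set, highest priority first: (direction, host network, remote port or None, action).
RULES = [
    ("out", "10.1.0.0/16", 25,   "DROP"),    # no outbound SMTP from campus hosts
    ("in",  "10.1.2.0/24", 22,   "ACCEPT"),  # SSH into the server subnet only
    ("in",  "10.1.0.0/16", None, "DROP"),    # all other inbound connections
    ("out", "10.1.0.0/16", None, "ACCEPT"),  # remaining outbound traffic
]

@dataclass
class LeafIPNode:        # one IP control table entry; the field layout is an assumption
    enabled: bool        # account active (e.g. balance not exhausted)
    fw_in_cbm: int = 0   # bitmap of rules whose direction/network fields match inbound packets to this host
    fw_out_cbm: int = 0  # the same for outbound packets from this host
    bytes_in: int = 0    # billing counters, charged only on ACCEPT
    bytes_out: int = 0

def class_bitmap(direction, matches):
    """RFC phase-1 style class bitmap: bit i is set when rule i matches the field."""
    cbm = 0
    for i, (d, net, port, _action) in enumerate(RULES):
        if d == direction and matches(net, port):
            cbm |= 1 << i
    return cbm

def build_control_table(hosts):
    """hosts: {ip: enabled}; the address bitmaps are precomputed once per entry."""
    table = {}
    for h, enabled in hosts.items():
        in_host = lambda net, _p: ip_address(h) in ip_network(net)
        table[h] = LeafIPNode(enabled, class_bitmap("in", in_host), class_bitmap("out", in_host))
    return table

def classify(table, direction, host, port, size):
    """One lookup yields the billing check, the firewall verdict and the accounting."""
    node = table.get(host)
    if node is None or not node.enabled:
        return "DROP"                       # unknown or disabled account
    cbm = node.fw_in_cbm if direction == "in" else node.fw_out_cbm
    cbm &= class_bitmap(direction, lambda _n, p: p is None or p == port)  # RFC phase 2
    if cbm == 0:
        return "DROP"                       # nothing matched: default deny
    action = RULES[(cbm & -cbm).bit_length() - 1][3]  # lowest set bit = highest priority
    if action == "ACCEPT":                  # bill only traffic that is actually forwarded
        attr = "bytes_in" if direction == "in" else "bytes_out"
        setattr(node, attr, getattr(node, attr) + size)
    return action
```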
Keywords/Search Tags: Implementation