
The Design And Implementation Of Security Policy Center And NP-based Firewall

Posted on: 2006-03-20
Degree: Master
Type: Thesis
Country: China
Candidate: N Hao
Full Text: PDF
GTID: 2178360212982814
Subject: Computer software and theory

Abstract/Summary:
Two topics currently dominate network security research: improving protection capability and improving processing rate. Protection capability is improved by building a comprehensive protection system in which diverse security facilities cooperate, coordinate and share security information. Keeping up with the growth of network bandwidth requires a higher processing rate in the protection facilities, above all in the gateway device, the firewall. The evolution from software-based to hardware-based firewalls has already shown the way to high-speed firewalls.

The paper takes the "Active Secure Defence System" as its background, and its contribution follows the two topics above in two parts. The first part is the design and implementation of the Security Policy Center (SPC). The SPC generates security policy from the intrusion alerts of the IDS and the vulnerability assessment of the Security Scanner, and enforces the policy through the firewall. By replacing the direct coordination mechanism between facilities, the SPC makes the coordination of the system more reasonable. In addition, the SPC can discover anomalies in the firewall policy set, which helps the administrator configure the firewall correctly and so improves manageability. The second part is the design of a Network Processor (NP) based firewall and its partial implementation. The NP is a chip specially designed for processing high-speed network data streams, and it achieves its high performance through a special hardware architecture.

The paper presents the detailed design of a firewall based on the Intel IXP2400 network processor, and implements the IP packet-filtering function as a prototype system, SimFilter.

The paper's research work mainly includes:
1. Presenting the SPC model to improve protection capability, and giving the detailed design of the SPC in the Active Intrusion Prevention System.
2. Implementing the SPC system and integrating it with other facilities such as the IDS, the firewall and the Security Scanner.
3. Based on a study of the hardware and software architecture of the Intel IXP network processor, designing a complete firewall system whose functions include packet filtering, a NAT gateway and a VPN gateway.
4. Implementing a simple packet-filtering firewall, SimFilter, on the Intel IXP2400 network processor, and performing function tests and performance simulation.
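The firewall policy anomaly check that the abstract attributes to the SPC is illustrated below with an added example. This is editor-written code, not the thesis's SPC or SimFilter implementation; it assumes first-match rule evaluation, the usual pairwise anomaly classes for such rule sets (shadowing, redundancy, correlation and the benign generalization case), and a constructed six-rule policy used only as sample input.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "accept" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR
    dst: str       # destination CIDR
    dport: tuple   # (low, high) inclusive destination port range


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _proto_subsumes(a, b):
    return a == "any" or a == b


def _proto_overlaps(a, b):
    return a == "any" or b == "any" or a == b


def subsumes(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (_proto_subsumes(a.proto, b.proto)
            and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def overlaps(a, b):
    """True if some packet is matched by both rules."""
    return (_proto_overlaps(a.proto, b.proto)
            and _net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])


def find_anomalies(rules):
    """Compare each rule with every earlier rule under first-match semantics.

    shadowed:       an earlier rule with the opposite action covers this rule,
                    so this rule can never fire (usually a misconfiguration).
    redundant:      an earlier rule with the same action covers this rule.
    correlation:    the rules overlap with opposite actions and neither covers
                    the other, so the order decides the outcome for the overlap.
    generalization: this rule covers an earlier, more specific exception;
                    reported for review but normally intentional.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if subsumes(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, later.name, earlier.name))
            elif subsumes(later, earlier):
                if earlier.action != later.action:
                    findings.append(("generalization", later.name, earlier.name))
            elif overlaps(earlier, later) and earlier.action != later.action:
                findings.append(("correlation", later.name, earlier.name))
    return findings


def first_match(rules, proto, src, dst, dport, default="deny"):
    """Packet-filter decision: action and name of the first matching rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (_proto_subsumes(r.proto, proto) and s in _net(r.src)
                and d in _net(r.dst) and r.dport[0] <= dport <= r.dport[1]):
            return r.action, r.name
    return default, "default"


# Constructed sample policy (hypothetical; not from the thesis).
RULES = [
    Rule("R1", "deny",   "tcp", "10.0.0.0/8",    "0.0.0.0/0",      (23, 23)),
    Rule("R2", "accept", "tcp", "10.0.0.0/8",    "0.0.0.0/0",      (80, 80)),
    Rule("R3", "accept", "tcp", "10.1.0.0/16",   "0.0.0.0/0",      (23, 23)),
    Rule("R4", "accept", "tcp", "10.1.2.0/24",   "0.0.0.0/0",      (80, 80)),
    Rule("R5", "deny",   "udp", "0.0.0.0/0",     "192.168.1.0/24", (53, 53)),
    Rule("R6", "accept", "any", "172.16.0.0/12", "192.168.0.0/16", (1, 65535)),
]

if __name__ == "__main__":
    for kind, rule, other in find_anomalies(RULES):
        print(f"{rule} is {kind} with respect to {other}")
    print(first_match(RULES, "tcp", "10.1.5.5", "8.8.8.8", 23))
```

R3 is reported as shadowed because the earlier deny rule R1 already covers every telnet packet it would accept, which the `first_match` call at the end confirms: the packet from 10.1.5.5 is denied by R1 and R3 never fires. The pairwise check is quadratic in the number of rules, which is acceptable for a policy center running offline but is not what a network-processor data path would execute per packet.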
Keywords/Search Tags:Network Security, Firewall, Network Processor, Security Policy Center, Active Secure Defence System