The Research On Protocol Controlled Security Switch Technologies

Posted on: 2007-04-03 | Degree: Master | Type: Thesis | Country: China | Candidate: W Yang | GTID: 2178360215470415 | Subject: Computer Science and Technology

Abstract/Summary:

Security-switch technology aims to tackle the increasingly complex security problems within the intra-network. A notable problem is that the data link cannot be controlled; therefore any access that follows the standard Ethernet data link layer protocol is recognized as legal. The thesis first summarizes the architecture and security strategies of the security switch, and then proposes a brand-new architecture, the Protocol Controlled Security-switch System (PCSS), including its adopted strategies: protocol control and dynamic conversion, hardware-based full-field security transferring, and a hardware data filtering strategy based on the packet header and a self-defined data field.

As the key technology of the PCSS architecture, a data link layer protocol, SLAN, is proposed, which is based on transformation of frame fields and different CRC checking methods. We established the FSM model of SLAN and described it in both natural and formal language. The simulation of SLAN proved that it could realize dynamic conversion and static configuration. The flexible SLAN state and security updating strategy greatly improved the security level of the intra-network. Analyses of the delay parameter of every SLAN state and of the packet loss rate due to the asynchronism of state conversion were also carried out.

The firewall of the security switch reinforces PCSS. We researched packet filtering firewalls and state inspection firewalls. To address the limitation of the traditional packet filtering firewall, which filters packets based on the packet header, a new hardware-based self-defined data field filtering strategy is proposed. To address the weakness of some state inspection firewalls whose timeout parameter cannot be changed, a Priority Aging algorithm is put forward to deal with Denial of Service attacks such as UDP-Flood. We referred to the parameters of the NetScreen25 firewall and simulated a DoS attack scenario in which the attack rate increased by 100 packets per 100 seconds and the total simulation time was 300 seconds. The result proved that the algorithm can effectively control the Entry number and deal with the DoS attack easily.

Finally, we designed and realized the core of PCSS: the Security Control Chip for the Security Switch and the Security Adapter Chip for the Security Adapter. Using SOPC technology, we integrated the modules of the chip, then simulated and evaluated it.

Keywords/Search Tags: Security Switch, protocol controlled, SLAN, firewall, hardware-based data-filtering, DoS, Priority Aging algorithm, SOPC