Research On Policy Communication Mechanism Based On IPsec In Embedded Firewall Environment

Posted on: 2008-02-28
Degree: Master
Type: Thesis
Country: China
Candidate: C X Wang
GTID: 2178360215497646
Subject: Computer applications

Abstract/Summary:
This thesis studies the security problems of policy communication between the policy server and each distributed firewall client network card in the Embedded Firewall environment. Different firewall clients may need different security policies according to their differing security-level requirements, and these rules need to be generated centrally; that is, the security policy needs to be generated centrally and distributed by the policy server. This raises a new security problem: how to assure security during the distribution of policy, on which the correctness of policy enforcement in the Embedded Firewall depends. Specifically, how to ensure the authenticity of the applicants and the server, how to prevent senders from denying the services they provided to users in the policy communication between the policy server and client NICs, and how to achieve the confidentiality and integrity of the policy during the process.

After analysing the relevant theory of the IPsec security protocol, a policy communication mechanism based on IPsec in the Embedded Firewall environment is proposed. The policy server is responsible for centrally generating each user's security policy, and it implements the validation of both sides in policy communication and the secure transmission of the policy by using the verification and encryption functions of the IPsec protocol.

The mechanism proposes to use the IPsec connection in transport mode, to use an improved SHA-1 signature algorithm to sign or validate data packets, and to use the 3DES encryption algorithm, which has better strength, to encrypt data packets. A method was also designed to dynamically obtain effective secret keys for the algorithms from a static script, so that the security of the policy communication process is improved further. After introducing the realization of the whole mechanism, portions of the important code of the implementation are explained and the corresponding experimental results are given.
Keywords/Search Tags:Distributed Embedded Firewall, IPsec, Policy Communication, Security, Validate, Encrypt