
The Research And Implementation Of Stream Filter Technology In Network Security Isolation And Information Exchange System

Posted on: 2008-05-17
Degree: Master
Type: Thesis
Country: China
Candidate: F X Ding
GTID: 2178360242498801
Subject: Computer Science and Technology

Abstract/Summary:
With the wider use of the Internet, network security attracts more and more attention. Today, network security isolation and information exchange technology has become the most efficient measure to protect the network. Traditional network security isolation and information exchange technology mainly comprises packet filter technology and proxy technology. Packet filter technology is easy to implement and offers high network processing performance, but it cannot protect applications. Proxy technology can protect applications, but its network processing performance is lower, so it cannot satisfy the growing requirements of network users. How to reconcile the conflict between security performance and processing performance is drawing increasing attention. Stream filter technology has emerged in response: it combines the merits of packet filter and proxy technology and provides protection to applications in the form of a packet filter. In this paper, stream filter technology is researched in depth.

First, network security isolation and information exchange technology was studied in depth and a universal architecture for isolation exchange systems was abstracted. The characteristics of packet filter and proxy technology were analyzed and the advantages of stream filter technology were illustrated.

Second, we analyzed in depth the idea of stream filtering and the current problems in its implementation. Based on the characteristics of the TCP/IP protocol and of application protocols, the paper proposes the key point of stream filtering: on the basis of state inspection, each TCP segment must be classified and processed according to its type. On this basis, TCP segments are divided into two categories: application-related segments and application-unrelated segments. Application-related segments are further divided into two categories: protocol data segments and content data segments. The stream filter applies security checks of different depth to a TCP segment according to its type.

Then, the paper proposes several key algorithms: validity check and an optimized rule match algorithm in state inspection, session state inspection in the processing of protocol data, and algorithms for rebuilding and forwarding in the processing of content data.

Finally, based on the netfilter framework in Linux, we designed and implemented the stream filter module, and verified the advantages of stream filter technology in security performance and processing performance through function tests and performance tests. The paper closes with directions for further research that build on the existing work.
Keywords/Search Tags:stream filter, isolation exchange, state inspection, protocol data, content data, Netfilter