
Research And Implement Of Detection And Test Techniques For Firewall Rules

Posted on: 2008-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
Full Text: PDF
GTID: 2178360242972214
Subject: Computer software and theory

Abstract/Summary:
As concern about network security grows, firewalls, the basic protective devices of a network, have themselves become a security concern for the administrators who run them. To ensure that the firewall rules are consistent with the security policy and that the rule configuration is valid, the firewall's rule configuration must be checked and any anomalies in the rule set that could undermine the firewall's security policy must be found. This thesis studies in depth the techniques for checking firewall rule configurations.

The thesis first analyses what checking a firewall's rule configuration means and surveys the current state of research. To meet the needs of the task, and building on mature anomaly-discovery algorithms, it derives a firewall rule anomaly-discovery algorithm based on matching packet sets, named the AD_MPS algorithm. AD_MPS defines a standard form for describing firewall rules, analyses the relation between two rules according to the sets of packets their descriptions match, and defines five rule anomalies that may exist between two particular rules. AD_MPS can precisely locate these five anomalies within a rule set.

The thesis then analyses how relations among several rules affect the firewall's security policy and defines the anomalies that arise from multi-rule relations. Taking the case of invalid anomalies into account, it proposes improvements to AD_MPS so that it can analyse the relations among three rules.

To validate the correctness of the anomaly-discovery results, the thesis designs a method for validating those results. The method has two validation modes, off-line and on-line: it uses the matching packet set of the anomalous rule as the sample space from which test packets are chosen, and judges the correctness of the anomaly-discovery result from whether those test packets pass through the firewall.

Building on the research into the anomaly-discovery algorithm and the method for validating its results, and to meet users' requirements, the thesis designs a firewall rule configuration checking tool targeted at the Cisco PIX and briefly describes its implementation. Finally, the thesis summarises its main work, points out the problems still to be solved and the main directions for the next step.
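The pairwise step of an algorithm such as AD_MPS, as an added example that is not the thesis's code: each rule is described by intervals over the packet header fields, the relation between two rules is derived from the sets of packets they match, and that relation together with the rules' actions is turned into an anomaly label. The anomaly names (the commonly used pairwise taxonomy), the Rule and net helpers and the sample rule set are assumptions for illustration; the thesis's own definitions of its five anomalies are not reproduced on this page.

```python
from typing import NamedTuple
Interval = tuple[int, int]  # inclusive [lo, hi] over one packet header field

class Rule(NamedTuple):
    name: str
    action: str                  # "permit" or "deny"
    match: tuple[Interval, ...]  # (proto, src, dst, dport) intervals

def relation(rx: Rule, ry: Rule) -> str:
    """Set relation between the matching packet sets of rx and ry."""
    pairs = list(zip(rx.match, ry.match))
    if not all(a[0] <= b[1] and b[0] <= a[1] for a, b in pairs):
        return "disjoint"        # some field never overlaps: no common packet
    x_in_y = all(b[0] <= a[0] and a[1] <= b[1] for a, b in pairs)
    y_in_x = all(a[0] <= b[0] and b[1] <= a[1] for a, b in pairs)
    if y_in_x:
        return "superset"        # rx matches every packet ry matches (or equal)
    if x_in_y:
        return "subset"          # ry matches every packet rx matches
    return "partial"             # overlap, but neither contains the other

def classify(rx: Rule, ry: Rule) -> str:
    """Anomaly between rx and a later rule ry (rx is checked first). The
    anomaly names follow the common taxonomy, an assumption of this example."""
    rel = relation(rx, ry)
    if rel == "disjoint":
        return "none"
    if rx.action == ry.action:
        return "none" if rel == "partial" else "redundancy"
    if rel == "superset":
        return "shadowing"       # ry can never be triggered
    if rel == "subset":
        return "generalization"  # rx is a narrower exception ahead of ry
    return "correlation"         # partial overlap with conflicting actions

ANY_IP, ANY_PORT, ANY_PROTO, TCP = (0, 2**32 - 1), (0, 65535), (0, 255), (6, 6)
def net(first: int, bits: int) -> Interval:  # IPv4 /bits block from `first`
    return (first, first + 2**(32 - bits) - 1)

RULES = [  # constructed sample rule set in evaluation order (not the thesis's)
    Rule("r1", "deny",   (TCP, net(10 << 24, 8), ANY_IP, (80, 80))),
    Rule("r2", "permit", (TCP, net(10 << 24 | 1 << 16, 16), ANY_IP, (80, 80))),
    Rule("r3", "permit", (ANY_PROTO, net(10 << 24, 8), ANY_IP, ANY_PORT)),
    Rule("r4", "permit", (TCP, ANY_IP, net(10 << 24, 8), (80, 80))),
]
def find_anomalies(rules):
    """All (earlier, later, anomaly) triples a rule-set checker would report."""
    return [(rx.name, ry.name, k) for i, rx in enumerate(rules)
            for ry in rules[i + 1:] if (k := classify(rx, ry)) != "none"]
```

The matching packet set of a flagged pair (for example the 10.1.0.0/16 TCP/80 packets that r1 hides from r2) is exactly the sample space from which the off-line or on-line validation described above would draw its test packets.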
Keywords/Search Tags:firewall rule set, rules anomaly, matching packet set, anomaly detecting algorithm, validation of the anomaly detecting results