Based On SSL Research And Implementation Of Distributed Firewall Server End

Posted on: 2009-12-26
Degree: Master
Type: Thesis
Country: China
Candidate: D Li
GTID: 2178360245989229
Subject: Computer application technology
Abstract/Summary:
Traditional firewalls are deployed at the network boundary and depend on the physical topology to secure the internal network. With the development of the Internet, the appearance of encrypted communication and the demand for remote access, topologies have become more and more complex, and the limitations of the traditional firewall have become increasingly obvious. The distributed firewall emerged to solve this increasingly severe problem. It is better suited to the development of network security applications and represents the trend in the research and development of firewall technology.

After comparing the advantages and disadvantages of the traditional firewall and the distributed firewall, this thesis studies the technology and current status of distributed firewalls and of SSL (Secure Socket Layer). On this basis, and according to the real demands of domestic small-scale mixed networks, a distributed firewall based on SSL is presented and a prototype of the server is implemented under Windows.

Because there is currently no standard language for describing security policy, a security policy description language format is defined using Backus-Naur Form (BNF), according to the actual situation of the distributed firewall. Furthermore, security policy anomalies are studied preliminarily. A policy that integrates network management commands and packet filtering rules is used to describe the communication between the nodes.

A certificate authority (CA) is built into the new distributed firewall system to manage each node's certificate, which is used for authentication in the SSL communication. The certificate is bound to the host name instead of the IP address, and therefore IP address spoofing attacks are eliminated. Additionally, the new distributed firewall system addresses the limitations of authentication in the SSL handshake protocol and solves the secure communication problem.
Keywords/Search Tags:Distributed firewall, Server end, SSL, Certificate, CA