
Design And Implementation Of Linux Firewall

Posted on: 2010-08-07
Degree: Master
Type: Thesis
Country: China
Candidate: K Tu
Full Text: PDF
GTID: 2178360278459318
Subject: Computer software and theory
Abstract/Summary:
Computer network technology is developing rapidly, and as network security problems become more prominent, firewall technology receives more and more attention. Sensitive departments with special requirements need to design and develop their own firewall systems. Linux provides the kernel-based Netfilter framework, which is generic and scalable, so developers can implement firewall systems tailored to different network security requirements.

This thesis first presents the theory of building a firewall on Linux Netfilter, then introduces the technology and theory involved in the design and implementation of the firewall. Finally, it presents the design and implementation of HiPF (High Performance Firewall), with packet filtering, anti-DoS (Denial of Service) protection, logging, event notification and configuration management. Compared with traditional firewalls, HiPF has the following features:

1. Traditional Linux firewalls have little ability to cooperate with other systems: the kernel-space process cannot send notifications to user-space processes when it detects events. HiPF implements event notification, sending a notification to user-space processes when an expected event is found, so that emergency response, alarms and cooperation with other systems can be achieved.

2. Traditional Linux firewalls lack a means of diagnosing the consistency of rule sets, and an inconsistent rule set may reduce the security of the firewall. HiPF supports rule consistency diagnosis and provides the best procedure for removing conflicting rules so that the rule set becomes consistent.

3. Traditional Linux firewalls classify packets by linear search, which is inefficient when the rule set contains a large number of rules and the traffic is heavy. Most firewalls use a hash algorithm for fast classification, but an attack on the hash algorithm brings the classification rate down. HiPF implements a packet classification algorithm named GEM (Geometric Efficient Matching), based on computational geometry, to keep throughput high under the load of large rule sets and heavy traffic. This thesis proposes a building algorithm for the GEM data structure; experiments show that its time and space complexity are feasible.

The configuration of the test environment is introduced. A test tool called NetTest, based on WinPcap, is developed for testing; it sends packets flexibly according to config files, and its sending performance is stable. Finally, the GEM search algorithm and the linear search algorithm are tested with NetTest, and GEM is proved to have higher performance and better practicality. The event notification function is tested to verify that, under attack, the firewall correctly executes the corresponding commands to raise an alarm or work with other systems. The test results show that the goals of the firewall have been achieved. The ideas, design methods and algorithms in this thesis are valuable for developing firewalls on the Linux platform.
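The abstract describes two of HiPF's contributions, geometric packet classification (GEM) and rule-set consistency diagnosis, without showing how either works. The following is an added example, not code from the thesis or from HiPF, that illustrates both ideas on a reduced two-field version of the problem: each rule is a rectangle in (source address, destination port) space, the space is cut into elementary cells at every rule endpoint, and a lookup becomes one binary search per dimension instead of a linear scan of the rule list. Because every cell records the first rule that covers it, a rule that wins no cell at all is completely shadowed by earlier rules, which is one of the inconsistencies a rule-set diagnosis must report. The rule set, the two-dimensional simplification, the first-match semantics and the class and function names are all assumptions made for this example; the thesis's own GEM building algorithm handles more header fields and is not reproduced here.

```python
"""Two-field GEM-style packet classifier with shadowed-rule detection.

Added example, not code from the HiPF thesis. Rules are axis-aligned
rectangles in (source address, destination port) space. Each axis is cut
at every rule endpoint, so a cell never straddles a rule boundary and the
winner of a cell is simply the first rule (first-match order) covering it.
Lookup is a binary search per dimension, independent of the rule count.
"""
import bisect
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source network in CIDR notation
    dports: tuple   # (lo, hi) inclusive destination port range
    action: str     # "ACCEPT" or "DROP"

    def src_range(self):
        net = ipaddress.ip_network(self.src, strict=False)
        return int(net.network_address), int(net.broadcast_address)


def _elementary(ranges):
    """Cut the axis at every endpoint; cell i covers [starts[i], starts[i+1]-1]."""
    cuts = set()
    for lo, hi in ranges:
        cuts.add(lo)
        cuts.add(hi + 1)
    return sorted(cuts)


class GemClassifier:
    def __init__(self, rules, default="DROP"):
        self.default = default
        self.rules = list(rules)
        src_ranges = [r.src_range() for r in self.rules]
        self.src_starts = _elementary(src_ranges)
        self.cells = []        # per source cell: (port cell starts, winner per port cell)
        self.winners = set()   # names of rules that win at least one cell
        for i in range(len(self.src_starts) - 1):
            lo, hi = self.src_starts[i], self.src_starts[i + 1] - 1
            # A cell never straddles an endpoint, so a rule either covers it fully or not at all.
            active = [r for r, (slo, shi) in zip(self.rules, src_ranges)
                      if slo <= lo and hi <= shi]
            port_starts = _elementary([r.dports for r in active])
            port_winner = []
            for j in range(len(port_starts) - 1):
                plo, phi = port_starts[j], port_starts[j + 1] - 1
                winner = next((r for r in active
                               if r.dports[0] <= plo and phi <= r.dports[1]), None)
                port_winner.append(winner)
                if winner is not None:
                    self.winners.add(winner.name)
            self.cells.append((port_starts, port_winner))

    def classify(self, src_ip, dport):
        """Return (action, rule name); uncovered space falls through to the default."""
        ip = int(ipaddress.ip_address(src_ip))
        i = bisect.bisect_right(self.src_starts, ip) - 1
        if i < 0 or i >= len(self.cells):
            return self.default, None
        port_starts, port_winner = self.cells[i]
        j = bisect.bisect_right(port_starts, dport) - 1
        if j < 0 or j >= len(port_winner) or port_winner[j] is None:
            return self.default, None
        return port_winner[j].action, port_winner[j].name

    def shadowed_rules(self):
        """Rules whose whole rectangle is covered by earlier rules can never match."""
        return [r.name for r in self.rules if r.name not in self.winners]


# Constructed sample rule set (not from the thesis). r3 is fully shadowed by r2:
# its network lies inside 10.1.0.0/16 and port 22 lies inside 1-1024.
RULES = [
    Rule("r1", "10.0.0.0/8",     (80, 80),   "ACCEPT"),
    Rule("r2", "10.1.0.0/16",    (1, 1024),  "DROP"),
    Rule("r3", "10.1.2.0/24",    (22, 22),   "ACCEPT"),
    Rule("r4", "192.168.0.0/16", (443, 443), "ACCEPT"),
]
DEMO = GemClassifier(RULES)

if __name__ == "__main__":
    for ip, port in [("10.5.5.5", 80), ("10.1.2.3", 22), ("10.1.2.3", 80),
                     ("192.168.1.1", 443), ("8.8.8.8", 80)]:
        print(ip, port, DEMO.classify(ip, port))
    print("shadowed:", DEMO.shadowed_rules())
```

The build step is where the cost moves: cutting every dimension at every endpoint can multiply the number of cells, which is why the thesis needs its own building algorithm and evaluates its time and space complexity. The diagnosis side follows for free from the same structure: a rule absent from every cell is dead, and removing it changes no decision, so the rule set can be made consistent without altering its behaviour.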
Keywords/Search Tags: Linux, Firewall Design, Consistency Diagnosis, Matching Algorithm