The Research Of Network-layer Content Filtering Firewall System

With the rapid development of Internet, network security issues are becoming increasingly prominent. The firewall technique is an efficient method for guaranteeing the security of network information. However, the traditional firewall system can not filter the content of network information effectively, and become easily the bottleneck of the entire network performance. Therefore, how to improve the efficiency of content filtering becomes a hot research at home and abroad.This dissertation introduces the present research of the firewall technique at first. Then on a basis of analyzing deeply the implementation process of content filtering in network-layer and application-layer, we propose a latency analysis method of the firewall which bases on queuing theory. This method sets up respectively latency models for multi-core network-layer firewalls and multi-core application-layer firewalls, and bases on the queuing theory, derives the corresponding latency formulas for content filtration, analyzes and compares quantitatively latency characteristics of these two types of firewalls. The analysis results indicate that the latency characteristic of the network-layer firewall is better than the one of the application-layer firewall obviously in content filtration. It provides a theoretical reference for designing the network-layer content filtering firewall system.Secondly, we analyze core functions and data structures of the Linux firewall framework-Netfilter, and study deeply the implementation principle and operational mechanism of the five hook points. Then a network-layer content filtering firewall prototype system is designed and implemented. The system has flow classification, packet filtering, web content filtering and log management functions, as well as the HCI(human-computer interaction) graphical interface which is written with QT.Finally, a test environment is set up to test function and performance of the content filtering firewall. The test results show that the firewall system can not only filter content information effectively, but also have a good efficiency.