With the rapid spread of Internet applications, network and information security has become a prerequisite for normal online business. As the first line of defense, the firewall occupies a particularly important position: it sits at the gateway between the internal and external networks, so all traffic crossing that gateway must pass through it. Improving the performance of the firewall as a boundary node, so that it guarantees security without itself becoming the bottleneck of transmission, is therefore one of the main directions of firewall development. Traditional firewalls are mostly implemented on the Netfilter framework of Linux; our study is based instead on the TOS architecture, which is more advanced and more extensible than the Netfilter architecture. This paper first analyzes the development status and functions of the firewall, together with the core software and hardware techniques, and studies firewall performance and the standard test methods used in the industry. It then expounds the functional characteristics of the TOS architecture, the data processing cycle of the TOS firewall, and the security policy matching process.
From the standpoint of improving performance, we focus on three weaknesses in the current firewall implementation. First, the SYN proxy module is inefficient: when the firewall is hit by a SYN flood of sufficient size, memory runs seriously short and all session resources may be allocated in an instant. Second, the IDS module is inefficient because it has no uniform detection procedure. Third, all sessions may be exhausted in the blink of an eye when a single host opens a large number of sessions within one time slice. To address these three deficiencies, this paper proposes corresponding improvements: first, we introduce the SYN cookie mechanism into the SYN proxy module, so that no session state is allocated until the client's ACK proves the handshake is genuine; second, we introduce a black and white list feature and change the detection procedure; third, we design a MaxNewsession-limit module. Finally, we test the improved firewall, and the results show that the improved solution increases firewall performance to a certain extent.
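The two session-exhaustion fixes above, a SYN cookie in the SYN proxy and a per-host cap on new sessions per time slice, are shown together below in a small Python model. This is an added example, not the thesis's TOS firewall code: the cookie layout is modelled on the Linux scheme (client ISN plus a counter byte plus a keyed 24-bit hash that also carries an MSS index), the MSS table, the 64 s counter tick, the fixed-window limiter keyed on source address, and the RFC 5737 addresses used as traffic are all assumptions of this example. It shows the proxy answering a SYN without allocating anything, rejecting a forged and a stale ACK, and then applying the MaxNewsession-limit idea only to handshakes that have already proved genuine.

```python
"""Stateless SYN cookies in front of a per-host new-session limit (added illustration)."""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"      # a real proxy generates and rotates this at run time
MSS_TABLE = (536, 1300, 1440, 1460)      # client MSS quantised to the classic Linux table (assumed)
COUNTER_PERIOD_S = 64                    # cookie age limit: this tick or the previous one (assumed)


def _counter(now):
    return int(now) // COUNTER_PERIOD_S


def _hash24(saddr, daddr, sport, dport, count):
    """Keyed hash of the 4-tuple plus counter, truncated to 24 bits."""
    data = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK, modelled on the Linux layout (mod 2**32):
    client_isn + (counter << 24) + ((hash24 + mss_index) mod 2**24).  Nothing is
    stored on the firewall; the cookie itself is the only state."""
    mss_idx = 0                          # MSS below the table clamps to the smallest entry
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    count = _counter(now)
    low24 = (_hash24(saddr, daddr, sport, dport, count) + mss_idx) & 0xFFFFFF
    return (client_isn + (count << 24) + low24) & 0xFFFFFFFF


def verify_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Return the negotiated MSS if the cookie is genuine and fresh, else None."""
    diff = (cookie - client_isn) & 0xFFFFFFFF
    count = _counter(now)
    if diff >> 24 == count & 0xFF:                          # issued in this tick
        full_count = count
    elif count > 0 and diff >> 24 == (count - 1) & 0xFF:    # issued in the previous tick
        full_count = count - 1
    else:
        return None                                         # stale, or a guessed counter byte
    mss_idx = ((diff & 0xFFFFFF) - _hash24(saddr, daddr, sport, dport, full_count)) & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None                                         # wrong 4-tuple, wrong secret or guessed ACK
    return MSS_TABLE[mss_idx]


class SynProxy:
    """No session is allocated until a valid cookie comes back, and each source may
    open at most `max_new` sessions per time slice (MaxNewsession-limit, modelled as
    a fixed window keyed on the source address)."""

    def __init__(self, max_new, slice_s=1.0):
        self.max_new = max_new
        self.slice_s = slice_s
        self.sessions = {}       # 4-tuple -> MSS: the resource a SYN flood exhausts
        self.new_per_host = {}   # saddr -> (slice_id, sessions opened in that slice)

    def on_syn(self, saddr, daddr, sport, dport, client_isn, mss, now):
        """Answer the SYN with a SYN-ACK whose ISN is the cookie; allocate nothing."""
        return make_cookie(saddr, daddr, sport, dport, client_isn, mss, now)

    def _allow_new_session(self, saddr, now):
        slice_id = int(now // self.slice_s)
        seen_slice, count = self.new_per_host.get(saddr, (slice_id, 0))
        if seen_slice != slice_id:               # new time slice: start counting afresh
            count = 0
        allowed = count < self.max_new
        self.new_per_host[saddr] = (slice_id, count + 1 if allowed else count)
        return allowed

    def on_ack(self, saddr, daddr, sport, dport, seq, ack, now):
        """Third handshake packet: seq = client_isn + 1, ack = cookie + 1."""
        mss = verify_cookie(saddr, daddr, sport, dport, seq - 1, ack - 1, now)
        if mss is None:
            return "drop: invalid or stale cookie"
        if not self._allow_new_session(saddr, now):
            return "drop: per-host new-session limit"
        self.sessions[(saddr, daddr, sport, dport)] = mss
        return "session established"


def demo():
    """Constructed traffic (RFC 5737 addresses): good handshake, forged ACK, late reply, burst."""
    client, server = bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10])
    t, isn = 1_700_000_000.0, 0x12345678
    proxy, out = SynProxy(max_new=3), []
    cookie = proxy.on_syn(client, server, 40000, 443, isn, 1460, t)
    out.append(proxy.on_ack(client, server, 40000, 443, isn + 1, cookie + 1, t + 0.5))
    # Attacker who never saw the SYN-ACK: stale counter byte here; a random guess fails the hash check.
    forged = (isn + ((_counter(t) - 5) << 24)) & 0xFFFFFFFF
    out.append(proxy.on_ack(client, server, 40001, 443, isn + 1, forged + 1, t + 0.5))
    late = proxy.on_syn(client, server, 40002, 443, isn, 1460, t)      # acked three ticks late
    out.append(proxy.on_ack(client, server, 40002, 443, isn + 1, late + 1, t + 3 * COUNTER_PERIOD_S))
    for port in range(50000, 50004):     # one session already in this slice, max_new=3
        c = proxy.on_syn(client, server, port, 443, isn, 1460, t + 0.6)
        out.append(proxy.on_ack(client, server, port, 443, isn + 1, c + 1, t + 0.7))
    return out
```

Two design points matter here. The counter byte bounds a cookie's lifetime, so a harvested SYN-ACK cannot be replayed indefinitely, and the MSS has to ride inside the cookie because the proxy holds no state yet still needs it when it later completes the handshake towards the server. The per-host limit is checked only after the cookie verifies, so a flood of SYNs with a spoofed source cannot consume the quota of the host being spoofed; the quota is spent only by sources that can actually complete a handshake.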