
IPSec And Firewall System Policy

Posted on: 2002-06-11
Degree: Master
Type: Thesis
Country: China
Candidate: X Yuan
Full Text: PDF
GTID: 2208360032951228
Subject: Computer application technology

Abstract/Summary:
This chain-structured thesis describes a complete network security framework whose principal part is a firewall. It also discusses in particular the combination of Internet Protocol Security (IPSec) with the newly developing stateful inspection firewall. Further, it probes into the field of policy management.

The thesis begins with the deficiencies of traditional firewalls and leads to a discussion of two advanced technologies: network tracking and stateful inspection. Network tracking is implemented at the network layer. It builds a connection tracking control block and a direction control block for every connection and collects security-related information. Then all successive packets are tracked. Each security mechanism, such as packet filtering, authentication and network address translation, has its interface in the connection tracking control block, through which a passing network packet can enter directly into the policy checking models.

Stateful inspection technology distinguishes application types by their different services and extracts status information about the communication and the application program. Based on the status transformations of network communication, the stateful inspection module dynamically modifies the status information in the connection tracking control block and brings security policies into effect with predetermined rules.

Next, the thesis describes a stateful inspection firewall that uses the above two technologies and extends it to a security framework. This brings in another important part of the framework, IPSec. For an integrated network security solution, port-to-port security is absolutely necessary. But when IPSec is implemented in a stateful inspection firewall and combined with connection tracking, things will be different.

The third part answers the question of how IPSec fits with our firewall. The use of a security association chain in connection tracking unifies the management of IPSec and other security mechanisms, and thus makes the modular structure clearer. However, to bring the advantages of IPSec fully into play, the standardization of its policy management will by all means be the developing trend.

The final part is IPSec's policy management. It presents the notion of Trust-Management, which is a meaningful management mode worth generalizing. Trust-Management uses a uniform "Security Policy Specification Language" to describe security policy. Its organization accepts the query along with the policies, both of which are written in that language and submitted by the application, performs compliance checking and determines whether the action should be allowed. Finally, an implemented trust-management system, KeyNote, is analyzed. Through this, we make good preparation for further putting it into our firewall system.
Keywords/Search Tags: Firewall, connection tracking, stateful inspection, stateful inspection firewall, authentication header, encapsulating security payload, security association, trust-management