
Stateful Inspection Firewall And Design

Posted on: 2003-04-25
Degree: Master
Type: Thesis
Country: China
Candidate: H R Zhang
Full Text: PDF
GTID: 2208360065451036
Subject: Mechanical and electrical engineering
Abstract/Summary:
Content: Information security in networks is receiving increasing attention from the individuals and companies of the networked information society, and it touches every aspect of that society. To build reliable and secure information networks, research on security technology is both necessary and urgent. The open source code and convenient usability of embedded Linux greatly encourage research on security techniques and the development of security products based on embedded Linux. This thesis studies the connection tracking mechanism and how to implement dynamic NAT on top of it. Because traditional firewalls such as packet filtering firewalls and application gateways increasingly fail to meet network security requirements, firewalls based on connection tracking have become a research hotspot in network security. For a given communication connection, the communication state (information from earlier communication) and the application state (information from other applications) are the key factors in controlling that connection. Therefore, to ensure high-layer security, the firewall must be able to access, analyze and make use of the following four kinds of information: the complete application-layer datagram information, the earlier state information of the communication, the state information of other applications, and flexible expression evaluation based on the former three kinds of information. The thesis first analyzes the basic principles and the functions implemented, according to the Linux source code, and discusses in detail the connection states between IPv4 datagrams in Linux, the methods for obtaining these states, the influence of and the variation among these connection states, and the recording of every connection state in a table. Then, based on the connection tracking mechanism, it implements firewall functions such as source NAT, destination NAT, datagram rate limiting, and so on.
The project is researched and designed based on IPv4. In analyzing the connection tracking mechanism and designing NAT, the protocols are divided into three parts: TCP, UDP and ICMP. Because the analysis and design take full advantage of the Linux module mechanism, the software is highly modular and readily extensible.
Keywords/Search Tags:mechanism of connection tracking, dynamic NAT, the embedded linux, mechanism of module, the restriction of datagram speed