This article describes in detail the implementation method, results and conclusions of a firewall system with an integrated IDS. With current network security technology, it is easy for a firewall to filter certain specific intrusive packets, but filtering intrusive packets in general remains a hard problem. My ultimate aim is to design a firewall software system that solves this problem. To that end, I propose a new scheme: the firewall system is made of two parts, one that filters packets and one that detects intrusions. Both parts run independently and exchange information with each other in a timely manner. This structure is needed because the firewall does not detect intrusive packets directly. If the firewall detected intrusive packets directly, the efficiency of the whole system would be too low to be tolerable, which has always been a hard problem for software engineers who want a firewall that filters intrusive packets. I therefore built the new firewall by uniting a traditional firewall and a traditional IDS. After analyzing quite a few candidate firewalls and IDSs, I selected netfilter, which implements packet filtering for IPv4 in the Linux 2.4 kernel, as the base for the packet-filtering part of the new system, and Snort, an open-source IDS, as the base for the intrusion-detecting part. After more than a year of work, I have implemented a prototype of the new firewall with IDS that realizes my design in its essentials. The new firewall system has three advantages over earlier ones: 1. the new firewall can filter intrusive packets comprehensively, and its capacity to filter intrusive packets depends on the IDS of the whole firewall system; 2. independent development, since both parts of the whole firewall system can be developed on their own; 3. more complete log files, which is a convenience for the network administrator. Although the new system still has many shortcomings, is still an experiment and would need further development before real use, it basically proves my design scheme and offers a useful exploration for developing firewall systems.
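The two-part design described above (a cheap packet filter that never inspects payloads, plus a separate IDS that inspects copies of accepted traffic and feeds block rules back to the filter) can be modelled in a few dozen lines. The following Python is an added illustration written for this page; it is not the thesis author's code and does not use netfilter or Snort. The packet layout, the signature rules, the port policy, the port-scan threshold and the sample packets are all constructed for the example. It also shows the caveat of the decoupled design: the first offending packet is accepted by the fast path, and only later packets from that source are dropped once the IDS has pushed its rule back.

```python
"""Toy model of a firewall that pairs a fast packet filter with a
separate IDS exchanging information through a shared blocklist.
Added example for this page; not the thesis author's code."""
from collections import deque
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:            # constructed packet layout, not a real netfilter skb
    src: str
    dst: str
    dport: int
    payload: bytes


class PacketFilter:
    """Fast path: decides on a blocklist and a static port policy only.
    It never looks at payloads, so its per-packet cost stays constant."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.blocked_sources = set()   # written by the IDS, read here
        self.log = []                  # (src, dport, verdict) per packet

    def block_source(self, src):
        self.blocked_sources.add(src)

    def decide(self, pkt):
        if pkt.src in self.blocked_sources or pkt.dport not in self.allowed_ports:
            verdict = "DROP"
        else:
            verdict = "ACCEPT"
        self.log.append((pkt.src, pkt.dport, verdict))
        return verdict


class IntrusionDetector:
    """Slow path: payload signature matching plus a simple distinct-port
    counter, run over copies of accepted packets. Every alert is fed back
    to the filter as a block rule for the offending source."""
    SCAN_THRESHOLD = 3   # constructed threshold: distinct ports per source

    def __init__(self, firewall, signatures):
        self.firewall = firewall
        self.signatures = [(name, re.compile(pat)) for name, pat in signatures]
        self.ports_seen = {}
        self.alerts = []             # (rule name, source) per alert

    def inspect(self, pkt):
        for name, rx in self.signatures:
            if rx.search(pkt.payload):
                self._alert(name, pkt)
                return
        seen = self.ports_seen.setdefault(pkt.src, set())
        seen.add(pkt.dport)
        if len(seen) >= self.SCAN_THRESHOLD:
            self._alert("port-scan", pkt)

    def _alert(self, name, pkt):
        self.alerts.append((name, pkt.src))
        self.firewall.block_source(pkt.src)


def run_firewall(packets, signatures, allowed_ports=(22, 80, 443)):
    """Feed packets through the filter; hand accepted copies to the IDS.
    The IDS drains its queue after each packet here, standing in for the
    independent process that would run alongside the filter."""
    fw = PacketFilter(allowed_ports)
    ids = IntrusionDetector(fw, signatures)
    queue = deque()
    verdicts = []
    for pkt in packets:
        verdict = fw.decide(pkt)       # fast decision, no payload inspection
        verdicts.append(verdict)
        if verdict == "ACCEPT":
            queue.append(pkt)          # copy goes to the IDS
        while queue:                   # IDS catches up and may add block rules
            ids.inspect(queue.popleft())
    return verdicts, ids.alerts, fw.log


# Constructed signatures and sample traffic (RFC 5737 documentation addresses).
SIGNATURES = [("path-traversal", rb"\.\./\.\./"), ("passwd-probe", rb"/etc/passwd")]
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.1", 80, b"GET /index.html HTTP/1.0"),
    Packet("192.0.2.77", "198.51.100.1", 80, b"GET /../../etc/passwd HTTP/1.0"),
    Packet("192.0.2.77", "198.51.100.1", 443, b"\x16\x03\x01"),   # now blocked
    Packet("192.0.2.10", "198.51.100.1", 8080, b"hello"),         # port policy
]


def demo():
    return run_firewall(SAMPLE_PACKETS, SIGNATURES)


if __name__ == "__main__":
    verdicts, alerts, log = demo()
    for entry, verdict in zip(log, verdicts):
        print(entry)
    print("alerts:", alerts)
```

The second packet is accepted because the filter does not inspect it; the IDS then matches the path-traversal signature, and the third packet from the same source is dropped on the fast path. The last packet is dropped by the static port policy without the IDS ever seeing it, which is why the IDS in this design only ever accounts for traffic the filter already let through.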