Distribution And Implementation Of Distributed Firewall Policies

Posted on: 2005-06-12
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Zhang
GTID: 2208360122497072
Subject: Computer application technology

Abstract/Summary:
At present there are large numbers of small-scale enterprises and laboratories. Their networks share some characteristics: the topology is simple, they connect to the Internet through a gateway, and there are often Web or FTP servers inside the network providing services. In this kind of network there are often remote users who want to connect and access internal resources, and different access controls are applied to different internal sub-networks. These requirements concern only some of the users in the network, so conventional perimeter firewalls cannot meet them. This paper addresses that practical requirement by applying distributed firewall technology to small-scale networks, using its distributed characteristics to meet the needs of distributed services, and implements a distributed firewall model system.

Currently, distributed firewall development is immature and there are no uniform solutions in many areas, especially for small-scale mixed networks. Distributed firewall technology can meet these requirements and has good application prospects.

This paper compares conventional firewalls with distributed firewalls in many respects, studies distributed firewall technology for small-scale networks, and designs and implements HywaveGuard, a distributed firewall prototype system based on the Windows operating system. It also explains policy distribution and policy enforcement, the key technologies in HywaveGuard.

Policy distribution is implemented by a Push and Pull policy distribution protocol. A distributed node firewall establishes a connection, authenticates to the policy control center with its certificate, and then pulls its policy. After the policy control center updates a policy, it can push that policy to the edge of the network.

Policy enforcement is carried out by the node firewall on network endpoint hosts. The node firewall communicates with the policy control center and receives its security policy from it. Node firewalls translate the policies into an internal format, load them into the kernel dynamically, and then use them to enforce access control. The kernel component of the node firewall uses packet filtering with multi-rule chains.

The distributed characteristics of a distributed firewall can satisfy the requirements of distributed services. The distribution shows in the fact that policies are defined centrally, then handed out, and enforced by distributed node hosts on the network. The implementation of policy distribution and enforcement in HywaveGuard embodies this distributed character.

Keywords/Search Tags: Security, Firewalls, Distributed Firewalls, Policy distribution, Policy enforcement