
The Linux 2.4.x Kernel TCP/IP Protocol Stack Safety Studies

Posted on: 2005-07-23 | Degree: Master | Type: Thesis
Country: China | Candidate: X P Liu
GTID: 2208360152465082 | Subject: Computer software and theory
Abstract/Summary:
The present threats on the network and the security problems existing in the TCP/IP protocols are described. The Linux OS kernel and its TCP/IP source code have been read in detail, along with the Linux Security Modules framework (LSM, a project that addresses this problem by providing the Linux kernel with a general-purpose framework for access control) and Netfilter. The data structures and the connections between the source code's main modules and functions have been analyzed. Through the study, I have two methods to resolve the problem in the kernel: using the theory and implementation mechanisms of the Linux OS, I write an LSM module and register it to listen on the NF_IP_PREROUTING hook, so that when a packet is passed to the netfilter framework it is checked; in this way we realize the defense against OS fingerprinting. The LSM framework allows access control models to be implemented as loadable kernel modules. Adding enhanced access control models to the kernel improves host security and can help a server survive malicious attacks. We design a cooperative, multi-level defense framework that includes many computer network security technologies, implement a system based on the framework, and discuss the implementation of this module on the Linux operating system. This module adds the state inspection function and packet string to the original packet filter mechanism in the Linux OS, which means every packet has some relationship with others in one session of the upper layer. We can resolve problems such as efficiency and security in the original packet filter and proxy firewall technology. It goes beyond inspecting TCP/IP flags. These capabilities present an attempt to cross the bridge between the two firewall groups without getting stuck in the disadvantages of either method. It should be noted that the packet filter does not become higher-layer-protocol-aware, since it still operates at the network level; it is only allowed to peek at payloads, rather than analyze the application-level communication structure.
It can be used to protect networks and individual hosts from many attacks on network services. In the end, the paper also discusses the development of state-inspection technology and how to add other security technologies.
Keywords/Search Tags: TCP/IP protocol, packet filter, Linux operating system, netfilter, LSM, state-inspection