| Accounting is closely tied to the economic interests of both ISPs and users. However, traditional network accounting systems are not strong enough to accommodate the development of network services, and the diversification of network attacks makes the network security problem more serious. Based on current research and implementations, this paper provides an overall design of a secure gateway with accounting. The implementations of the subsystems on the Windows platform, such as web authentication, background accounting, database design, and the management client, are described. The system provides flexible configuration of accounting policy, user access control and generic packet filtering. Accounting is based on users, but unlike a proxy, users can access the Internet without any client configuration, i.e. the system architecture is transparent to users. It can therefore provide most application-layer services on top of the network and transport layers. Permission management is done through user access control, e.g. to give users different network services at different times. Packet filtering provides a basic protection capability. Finally, a future network security architecture is considered: firewall technology, intrusion detection systems, and vulnerability assessment should be integrated so that they interwork. In addition, the possibility of anti-virus at the gateway is considered. Because worms have notable network behavior characteristics, expressions with dynamic variables are added to the matching part and the additional action part of the packet filtering rules, which can be used to react to worm attacks. |
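
The closing idea of the abstract, filtering rules whose matching part and additional action part use dynamic variables, sketched as an added example (not the paper's implementation). The rule format, the fan-out variable, the window and threshold values, and the packets are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical rule format (not from the paper): a static match, an action part
# that updates dynamic per-source variables, and a condition evaluated over them.
WINDOW = 10.0      # seconds of history kept per source (assumed value)
THRESHOLD = 5      # distinct destinations per window treated as worm-like (assumed)

class WormRule:
    def __init__(self, proto, dport):
        self.proto, self.dport = proto, dport
        self.seen = defaultdict(dict)   # dynamic variable: src -> {dst: last_ts}
        self.blocked = set()            # dynamic variable: sources being dropped

    def fanout(self, src, now):
        """Distinct destinations contacted by src within the window."""
        recent = {d: t for d, t in self.seen[src].items() if now - t <= WINDOW}
        self.seen[src] = recent         # prune entries older than the window
        return len(recent)

    def filter(self, pkt):
        """Return 'DROP' or 'ACCEPT' for one packet dict."""
        if pkt["src"] in self.blocked:
            return "DROP"
        # Static matching part: protocol and destination port.
        if (pkt["proto"], pkt["dport"]) != (self.proto, self.dport):
            return "ACCEPT"
        # Additional action part: update the dynamic variable.
        self.seen[pkt["src"]][pkt["dst"]] = pkt["ts"]
        # Dynamic matching part: expression over that variable.
        if self.fanout(pkt["src"], pkt["ts"]) > THRESHOLD:
            self.blocked.add(pkt["src"])
            return "DROP"
        return "ACCEPT"

def run(packets, rule):
    """Apply the rule to packets in order and collect the verdicts."""
    return [rule.filter(p) for p in packets]

# Constructed traffic: one host sweeping TCP/445 across many addresses,
# and one host repeatedly talking to a single server on the same port.
SAMPLE = [{"ts": i * 0.5, "src": "10.0.0.7", "dst": f"10.0.1.{i}",
           "proto": "tcp", "dport": 445} for i in range(8)]
SAMPLE += [{"ts": 5.0 + i, "src": "10.0.0.9", "dst": "10.0.1.1",
            "proto": "tcp", "dport": 445} for i in range(8)]

if __name__ == "__main__":
    print(run(SAMPLE, WormRule("tcp", 445)))
```

The sweeping source is dropped once its fan-out exceeds the threshold, while the host with many packets to one destination is never matched; a deployed rule would also need an expiry for the block list.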