
Plug-in Firewall Network Integrated Defense System Design And Implementation

Posted on: 2007-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: L Li
Full Text: PDF
GTID: 2208360185956077
Subject: Computer system architecture

Abstract/Summary:
Almost all firewalls on the Windows platform share two problems.

First, defensive techniques must evolve with the growing diversity of attack methods, which means new filters have to be developed on top of the original firewall system in a timely manner; in other words, the original system needs to be extensible. However, most firewall products lack extensibility and support for third-party development. They are also implemented directly on NDIS, a complex technology that prevents new filters from being implemented rapidly.

Second, as firewall rule sets grow more complex, managing the rules effectively becomes increasingly difficult. A newly added rule usually conflicts with rules already in the set, which can open security holes. To avoid them, the administrator must determine where the new rule should be inserted, and to do so must find every rule that conflicts with it. An existing algorithm detects rule-set conflicts with time complexity O(dN), but its performance is very poor. As a workaround, almost all firewalls use priorities to simplify the resolution of rule conflicts; this does not actually resolve the conflicts and can also weaken packet-classification performance.

Addressing these two problems, this thesis designs and implements a plug-in firewall consisting of two parts: a plug-in framework based on NDIS and a firewall instance built on that framework. The framework provides configurability, extensibility and support for third-party add-ons: filters developed on the framework need no knowledge of NDIS internals, so new filters can be developed rapidly.

The firewall instance implements the fundamental functions of stateful packet filtering, which demonstrates the framework's characteristics from another angle. Considering the bottleneck caused by the existing conflict-detection algorithm, the instance introduces a new algorithm for detecting rule-set conflicts based on the intersection of a field. The algorithm can efficiently help administrators find rule...
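As an added illustration that is not part of the thesis and not its algorithm, the following Python checks a new rule against an existing first-match rule set for field-intersection conflicts (two rules that decide differently and could both match one packet) and reports where the new rule would have to be inserted so that no earlier rule hides it. The rule fields, the three relation labels and the sample rules are assumptions made for the example.

```python
# Added illustration (not the thesis's algorithm): pairwise field-intersection check for a
# first-match rule set. Two rules conflict when their actions differ and every field intersects.
from dataclasses import dataclass
from ipaddress import IPv4Network

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network      # source address block
    dst: IPv4Network      # destination address block
    dport: tuple          # inclusive (low, high) destination-port range
    proto: frozenset      # protocols matched, e.g. frozenset({"tcp"})
    action: str           # "allow" or "deny"

def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def fields_intersect(r1, r2):
    """True when some packet could match both rules (every field intersects)."""
    return (r1.src.overlaps(r2.src) and r1.dst.overlaps(r2.dst)
            and ranges_overlap(r1.dport, r2.dport) and bool(r1.proto & r2.proto))

def covers(outer, inner):
    """True when every packet matching `inner` also matches `outer`."""
    return (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.dport[0] <= inner.dport[0] <= inner.dport[1] <= outer.dport[1]
            and inner.proto <= outer.proto)

def find_conflicts(new, ruleset):
    """Existing rules that intersect `new` but decide differently, tagged by relation."""
    found = []
    for i, old in enumerate(ruleset):
        if old.action == new.action or not fields_intersect(old, new):
            continue
        if covers(old, new):
            kind = "shadowed"        # appended after `old`, `new` would never fire
        elif covers(new, old):
            kind = "generalization"  # `new` is broader and decides the opposite way
        else:
            kind = "correlation"     # partial overlap; the outcome depends on order
        found.append((i, old.name, kind))
    return found

def insert_position(new, ruleset):
    # Index at which `new` must go so that no conflicting earlier rule hides it (first match wins).
    conflicts = find_conflicts(new, ruleset)
    return conflicts[0][0] if conflicts else len(ruleset)

# Constructed sample rule set and candidate rule (assumptions for this example).
RULESET = [
    Rule("r1", IPv4Network("10.0.0.0/8"), IPv4Network("192.168.1.0/24"), (80, 80), frozenset({"tcp"}), "allow"),
    Rule("r2", IPv4Network("0.0.0.0/0"), IPv4Network("192.168.1.0/24"), (1, 1023), frozenset({"tcp"}), "deny"),
    Rule("r3", IPv4Network("10.1.0.0/16"), IPv4Network("192.168.2.0/24"), (22, 22), frozenset({"tcp"}), "allow"),
]
NEW = Rule("new", IPv4Network("10.1.0.0/16"), IPv4Network("192.168.1.0/24"), (22, 443), frozenset({"tcp"}), "allow")
```

Appending NEW at the end would leave it shadowed by r2, so `insert_position` reports index 1; the check is pairwise over all rules, which is the linear cost the thesis's field-intersection algorithm aims to reduce.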
Keywords/Search Tags: Plug-in, Firewall, Rule Conflicts, Packet Classification