
Design And Implementation Of Ndis-based Filtering Framework

Posted on: 2008-11-28    Degree: Master    Type: Thesis
Country: China    Candidate: Y S Liang    Full Text: PDF
GTID: 2208360215950240    Subject: Computer system architecture
Abstract/Summary:
On most Windows systems, network applications such as NAT and firewalls are built on NDIS (Network Driver Interface Specification). To filter a packet, one has to write an NDIS driver, which requires comprehensive knowledge of NDIS driver development and prevents new filters from being developed in a timely manner. To solve this problem, we design and implement an NDIS-based filter framework featuring configurability, extensibility and support for third-party add-ons. Filters developed on this framework do not need to deal with the details of NDIS, which makes developing new filters more efficient. Based on the framework, a NAT and a firewall instance are implemented.

Firewall rule management is discussed in detail. As firewall rule sets grow more complex, it becomes more and more difficult to manage them effectively. A newly added rule often conflicts with rules already in the set, which may open security holes. To avoid these holes, the network administrator must determine the position at which the new rule is inserted, and to do so must find all rules that conflict with it. An existing algorithm detects rule-set conflicts in O(dN) time, but its performance is poor in practice. As a workaround, almost all firewalls use priorities to simplify the resolution of rule conflicts; however, priorities do not actually resolve the rule-conflict problem and can weaken packet-classification performance. Considering the bottleneck caused by the existing conflict-detection algorithm, this paper proposes a new algorithm for detecting rule-set conflicts based on the intersection of fields. It efficiently helps administrators find rule conflicts and brings the time complexity down to O(log N + N/w).

Based on decomposing rules to eliminate conflicts, a new method is also introduced to improve packet-classification performance. It filters packets quickly, with a time complexity of O(d log N).
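The abstract gives only the complexity of the field-intersection conflict detector and of the classification method, not their details. As an added illustration of the underlying idea, and not the thesis's own code or algorithm, the following Python sketch projects each rule field onto sorted elementary intervals, attaches to each interval an N-bit vector of the rules covering it, and then finds conflicts with a new rule (or the matching rule for a packet) by a binary search per field followed by a word-parallel AND of the bit vectors. The rule set, the field layout (source IP, destination port, IP protocol), the sample packets and the conflict definition (overlapping match sets with different actions) are all constructed here; the reading of N as the rule count, d as the field count and w as the machine word width is an assumption.

```python
"""Field-intersection conflict detection and bit-vector packet classification.

Added example, not code from the thesis. Each field keeps every rule's range
projected onto sorted elementary intervals; interval i carries an N-bit integer
whose bit r is set when rule r covers it. A point lookup is one binary search
per field (the log N part); intersecting the per-field vectors is an AND over
N-bit words (the N/w part).
"""
from bisect import bisect_right
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    fields: tuple    # one inclusive (lo, hi) integer range per field
    action: str      # "allow" or "deny"


def cidr(prefix):
    """Inclusive integer range covered by an IPv4 prefix."""
    net = ipaddress.ip_network(prefix)
    return int(net.network_address), int(net.broadcast_address)


class FieldIndex:
    """Projection of all rules' ranges on one field onto elementary intervals."""

    def __init__(self, ranges):
        # Interval i is [starts[i], starts[i+1] - 1]; the largest start lies
        # past every range, so its bit vector stays 0.
        self.starts = sorted({lo for lo, _ in ranges} | {hi + 1 for _, hi in ranges})
        self.bits = [0] * len(self.starts)
        for rid, (lo, hi) in enumerate(ranges):
            i = bisect_right(self.starts, lo) - 1
            while i < len(self.starts) and self.starts[i] <= hi:
                self.bits[i] |= 1 << rid
                i += 1

    def lookup(self, value):
        """Bit vector of rules whose range on this field contains value."""
        i = bisect_right(self.starts, value) - 1
        return self.bits[i] if i >= 0 else 0

    def overlap(self, lo, hi):
        """Bit vector of rules whose range on this field intersects [lo, hi]."""
        i = max(bisect_right(self.starts, lo) - 1, 0)
        acc = 0
        while i < len(self.starts) and self.starts[i] <= hi:
            acc |= self.bits[i]
            i += 1
        return acc


class RuleSet:
    """Ordered rule list; lower index = higher priority (first match wins)."""

    def __init__(self, rules):
        self.rules = list(rules)
        d = len(self.rules[0].fields)
        self.index = [FieldIndex([r.fields[k] for r in self.rules]) for k in range(d)]

    def classify(self, packet):
        """First rule matching the packet tuple, or None (d lookups, one AND)."""
        bv = -1                                   # all ones
        for k, value in enumerate(packet):
            bv &= self.index[k].lookup(value)
            if bv == 0:
                return None
        return self.rules[(bv & -bv).bit_length() - 1]   # lowest set bit

    def conflicts(self, new):
        """(index, name) of rules that match some packet the new rule also
        matches but with a different action; the new rule's position relative
        to each of them decides what happens to that packet."""
        bv = -1
        for k, (lo, hi) in enumerate(new.fields):
            bv &= self.index[k].overlap(lo, hi)
        out, rid = [], 0
        while bv:
            if bv & 1 and self.rules[rid].action != new.action:
                out.append((rid, self.rules[rid].name))
            bv >>= 1
            rid += 1
        return out

    def must_insert_before(self, new):
        """Index of the first rule covering the new rule on every field; placed
        at or after it the new rule can never match (shadowed)."""
        for i, r in enumerate(self.rules):
            if all(rlo <= nlo and nhi <= rhi
                   for (rlo, rhi), (nlo, nhi) in zip(r.fields, new.fields)):
                return i
        return len(self.rules)


# Constructed sample rule set; fields are (src IP, dst port, IP protocol).
TCP, UDP, ANY_PROTO = (6, 6), (17, 17), (0, 255)
RULES = RuleSet([
    Rule("r0", (cidr("10.0.0.0/8"), (80, 80), TCP), "allow"),
    Rule("r1", (cidr("0.0.0.0/0"), (80, 90), TCP), "deny"),
    Rule("r2", (cidr("192.168.1.0/24"), (53, 53), UDP), "allow"),
    Rule("r3", (cidr("0.0.0.0/0"), (0, 65535), ANY_PROTO), "deny"),
])
NEW_RULE = Rule("web-out", (cidr("10.1.0.0/16"), (80, 443), TCP), "allow")


def pkt(src, dport, proto):
    return (int(ipaddress.ip_address(src)), dport, proto)


if __name__ == "__main__":
    print(RULES.classify(pkt("10.1.2.3", 80, 6)).name)   # r0
    print(RULES.conflicts(NEW_RULE))                       # [(1, 'r1'), (3, 'r3')]
    print(RULES.must_insert_before(NEW_RULE))              # 3
```

For the constructed set, the new allow rule overlaps the deny rules r1 and r3 but not r0 (same action) or r2 (UDP only), and r3 covers it completely, so it must go at index 3 or earlier; inserting it at index 0 would also override r1's deny for 10.1.0.0/16 on ports 80 to 90, which is exactly the decision the administrator has to make consciously.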
Keywords/Search Tags: NDIS, Filter Framework, NAT, Packet Classification