| In recent years, computer network has developed rapidly, so as the information on net. As the expansion of network information, network security has become an important issue; malicious acts such as Trojans, virus, network attacks happen now and then, someone even use network to spread reactionary and eroticism messages. To keep network's health and safety, many network security products are involved, such like Firewall, IDS, which can supervise network packets and running status at a certain extent. However, as the network improves, malicious acts become complex and furtive, traditional defenses perform poorly; a new methord should be intruced to solve this problem that we face now.Traditional network devices use general-purpose CPU or ASIC as processing core, they perform well at the beginning, but fail as network becomes complex. Network Processor is a kind of newly developed device, which combines linear processing with fully programmable traits. Intel IXA is an internet exchange architecture developed by Intel for network applications which can satisfy many kind of sophisticated applies. It consists of hardware and software: hardware makes IXA process network packets at linear speed; software gives flexibility for programming.This thesis discusses a network information flow analyze system based on IXA, which can filter data on level 3 and above according to filter rules. This system has traits from Firewall, IDS, Content filter, besides; a deep-packet-analyse feature can provide a greater guarantee to network's health and safety. There are three parts in the thesis: first of all, an introduction of frequently used network security systems is made, including their relative merits. Based on them, an IXA based network analyze system is proposed. Then, there comes an illustration of components for IXA, including both hardware and software. Also a brief description of IXA SDK is made too. Finally, there comes the most importment part of this thesis. First we analyze the system needs and required functions, then we divide them into several modules, each module is implemented according to IXA principles. Importment data structures and system flow charts are attached to provide a better explanation. Some network-application-unique skills are expounded too; at last, we test the system functions under simulated environment, which justifies system feasibility. At the end of the thesis, it's a summary of whole system, and some feasible improvement is posted. |
PDF Full Text Request