Research Of Key Technology Of Firewall Security Policy Configuration

Posted on: 2012-08-23
Degree: Master
Type: Thesis
Country: China
Candidate: Z R Ren
Full Text: PDF
GTID: 2218330362960486
Subject: Computer Science and Technology
Abstract/Summary:
As a basic network security device, the firewall is becoming more and more complex to use as its functions grow more powerful. Current approaches to firewall configuration can hardly ensure the security of applications or satisfy the requirements of hosts, and may contain anomalies such as inconsistency. Security policy configuration is a hot topic. This paper discusses two key technologies: one is high-level policy description and the building of low-level firewall configuration, the other is firewall policy consistency and conflict checking. The major work includes:

First, we analyze the state of current high-level policy languages and propose a high-level firewall policy language named ExFlip, addressing the shortcoming that the high-level policy language Flip cannot describe the authentication and tunnel information of new types of firewalls. ExFlip inherits the syntax of the Flip language and adds VPN policy and authentication policy description, enhancing the ability to describe firewall policy.

Second, we analyze the strongman architecture and design a policy configuration process, addressing the lack of information granularity and of policy checking management. We automatically translate hosts' requirements, network information and authentication information into firewall policy configuration, omitting the detailed configuration process. This greatly improves the efficiency of policy configuration and ensures the correctness of the policy.

Third, we summarize the classification of firewall rule anomalies and the checking algorithms, and propose a service-based grouping firewall policy conflict checking algorithm, BSG, addressing the low efficiency of checking. This algorithm can locate anomalies highly efficiently and warn correctly. The performance of BSG exceeds that of the most efficient checking algorithm, Fireman.

Last, based on the above work, we implement a prototype system for building and checking firewall configuration, and carry out functional tests and data analysis.(Abstract)...
Keywords/Search Tags:Firewall, policy language, ExFlip, security policy, BSG, conflicting checking