With the continuous development of the economy and society and the ever wider use of network applications, user demand for network security protection keeps growing, and the protection capability and performance required of network security equipment rise with it. The traditional firewall has found it difficult to meet the needs of complex applications, and the transition from the traditional firewall to the Unified Threat Management (UTM) system has begun. At the same time, as the functions of security equipment expand, the categories of filter rules, which are the basis of network security, increase accordingly. If manufacturers implemented a rule management module and a rule matching module independently for each new rule type, development and maintenance costs would inevitably be high, and the pace of product development would suffer. Developing a scalable security rule framework has therefore become an urgent need: it makes the integration of new rules modular and reduces the development and maintenance cost of new rules.

This thesis analyses the packet forwarding process and the characteristics of the various security rules of a firewall, and proposes the concept of abstract rules. It designs and implements a common framework for security rule management and rule matching, providing reusable interfaces for both. The thesis describes the design of the whole rule framework and its implementation process, and illustrates, with the IP packet filtering rule module, the process and methods of implementing a rule module on top of the framework. Finally, it introduces the functional and performance testing of the rule framework.

The rule framework not only integrates the interfaces through which the various rule types are added, deleted, matched and otherwise operated on, so that these modules can be reused when developing new rule functions; it also provides an interface for extending the rule matching algorithm, organising and managing these extended matching algorithms uniformly and so solving the problem of reusing matching algorithms across all kinds of rules. This makes the product's rule system more scalable and easier to integrate new rules into, improves the code reuse rate and saves development cost. The IP packet filter rule module developed on the rule framework has been successfully integrated into the latest version of the Neusoft UTM products, and the use of the new matching algorithm greatly improves the performance of rule matching. At the end, the thesis summarises the achievements and remaining problems of the rule framework and proposes improvements for future work.
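The following is an added illustration, not code from the thesis or from the Neusoft UTM product, of the design the abstract describes: an abstract rule type, a generic rule manager exposing add/delete/match, a pluggable matching algorithm interface, and an IP packet filter rule module built on top. All class names (`Rule`, `RuleSet`, `Matcher`, `LinearMatcher`, `IndexedMatcher`, `IPFilterRule`) and the sample rules and packets are assumptions constructed for the example. The two matchers implement the same first-match semantics, so swapping the algorithm must not change any decision; the indexed matcher only narrows the candidate set before the per-rule test.

```python
"""Added example of an abstract-rule framework with pluggable matching algorithms.
All names and sample data here are assumptions for illustration, not the thesis's code."""
from abc import ABC, abstractmethod
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports


class Rule(ABC):
    """Abstract rule: concrete rule types supply a match test and an index key."""
    def __init__(self, rule_id: int, action: str):
        self.rule_id = rule_id      # lower id = higher priority (first match wins)
        self.action = action        # "allow" or "deny"

    @abstractmethod
    def matches(self, pkt: Packet) -> bool: ...

    @abstractmethod
    def index_key(self) -> Tuple: ...


class IPFilterRule(Rule):
    """Concrete rule module: 5-tuple style IP packet filter rule."""
    ANY = "any"

    def __init__(self, rule_id, action, src="0.0.0.0/0", dst="0.0.0.0/0",
                 proto=ANY, dport=None):
        super().__init__(rule_id, action)
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.proto, self.dport = proto, dport   # dport None = any port

    def matches(self, pkt):
        return (ip_address(pkt.src) in self.src and ip_address(pkt.dst) in self.dst
                and self.proto in (self.ANY, pkt.proto)
                and self.dport in (None, pkt.dport))

    def index_key(self):
        return (self.proto, self.dport)


class Matcher(ABC):
    """Extension point for matching algorithms; the RuleSet is agnostic of the choice."""
    @abstractmethod
    def add(self, rule: Rule): ...
    @abstractmethod
    def remove(self, rule_id: int): ...
    @abstractmethod
    def match(self, pkt: Packet) -> Optional[Rule]: ...


class LinearMatcher(Matcher):
    """Baseline: scan every rule in priority order."""
    def __init__(self):
        self.rules: List[Rule] = []

    def add(self, rule):
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)

    def remove(self, rule_id):
        self.rules = [r for r in self.rules if r.rule_id != rule_id]

    def match(self, pkt):
        return next((r for r in self.rules if r.matches(pkt)), None)


class IndexedMatcher(Matcher):
    """Bucket rules by (proto, dport); a lookup scans only the exact bucket plus the
    wildcard buckets, then takes the lowest rule_id so first-match semantics hold."""
    def __init__(self):
        self.buckets: Dict[Tuple, List[Rule]] = {}

    def add(self, rule):
        self.buckets.setdefault(rule.index_key(), []).append(rule)

    def remove(self, rule_id):
        for key in list(self.buckets):
            self.buckets[key] = [r for r in self.buckets[key] if r.rule_id != rule_id]
            if not self.buckets[key]:
                del self.buckets[key]

    def match(self, pkt):
        keys = [(pkt.proto, pkt.dport), (pkt.proto, None), ("any", pkt.dport), ("any", None)]
        best = None
        for key in keys:
            for r in self.buckets.get(key, []):
                if r.matches(pkt) and (best is None or r.rule_id < best.rule_id):
                    best = r
        return best


class RuleSet:
    """Generic management interface shared by every rule type; the algorithm is injected."""
    def __init__(self, matcher: Matcher, default_action="deny"):
        self.matcher, self.default_action = matcher, default_action
        self.by_id: Dict[int, Rule] = {}

    def add(self, rule: Rule):
        if rule.rule_id in self.by_id:
            raise ValueError(f"duplicate rule id {rule.rule_id}")
        self.by_id[rule.rule_id] = rule
        self.matcher.add(rule)

    def delete(self, rule_id: int):
        self.by_id.pop(rule_id)          # KeyError if the rule does not exist
        self.matcher.remove(rule_id)

    def decide(self, pkt: Packet) -> str:
        rule = self.matcher.match(pkt)
        return rule.action if rule else self.default_action


def run_scenario(matcher: Matcher) -> List[str]:
    """Constructed rule set and traffic; returns the decision for each packet."""
    rs = RuleSet(matcher)
    rs.add(IPFilterRule(10, "allow", src="10.0.0.0/8", proto="tcp", dport=22))
    rs.add(IPFilterRule(20, "deny", proto="tcp", dport=22))
    rs.add(IPFilterRule(30, "allow", proto="udp", dport=53))
    rs.add(IPFilterRule(40, "allow", proto="icmp"))
    pkts = [Packet("10.1.2.3", "192.0.2.1", "tcp", 22),       # internal SSH: rule 10
            Packet("203.0.113.5", "192.0.2.1", "tcp", 22),    # external SSH: rule 20
            Packet("203.0.113.5", "192.0.2.1", "udp", 53),    # DNS: rule 30
            Packet("203.0.113.5", "192.0.2.1", "icmp"),       # ping: rule 40
            Packet("203.0.113.5", "192.0.2.1", "tcp", 80)]    # no rule: default deny
    out = [rs.decide(p) for p in pkts]
    rs.delete(10)                        # retire the internal exception; rule 20 now applies
    out.append(rs.decide(pkts[0]))
    return out


if __name__ == "__main__":
    print(run_scenario(LinearMatcher()), run_scenario(IndexedMatcher()))
```

A new rule type only has to subclass `Rule` and supply `matches` and `index_key`; a new matching algorithm only has to subclass `Matcher`. The `run_scenario` function is the functional check the abstract alludes to: both matchers must produce identical decisions before the faster one is trusted.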