
Design And Implementation Of NG Firewall System Based On Flow Identification Technology

Posted on: 2014-01-10
Degree: Master
Type: Thesis
Country: China
Candidate: J C Li
GTID: 2248330398971993
Subject: Information security

Abstract/Summary:
A firewall defends the boundary between a trusted network and an untrusted network. Its performance directly affects the efficiency of data transfer and resource sharing between the internal and external networks, which is one of the key issues in today's market research on the NG Firewall (next-generation firewall). Today's Internet is growing remarkably fast, and the sheer number of new services brings unprecedented pressures and challenges. Traditional firewalls are increasingly unable to meet security requirements. Research on the next-generation firewall has therefore turned to application identification, which is not difficult to understand: any network threat is fundamentally a network application, and it can be distinguished from other traffic through data analysis. Monitoring of the various network threats is thus unified under application identification, which is essential to the survival of the next-generation firewall. Next-generation firewalls must be able to meet the demand for application identification.

Traffic detection technology is one of the important technical means in the field of information security, especially in network security, where it serves network monitoring, protection and management. To address the drawbacks of the traditional firewall, the paper introduces several of today's popular traffic detection technologies into the new firewall system, carefully studies the advantages and disadvantages of the various detection techniques, and applies them in the system. The paper focuses on research into the multi-pattern string matching algorithm based on AC and on improving today's popular AC-BM algorithm. It then verifies the improved performance of the algorithm through example matching. The paper designs a network firewall system and carefully designs the features and mechanisms of its various sub-modules.

Overall, the test results for a variety of different protocol types show that the system achieves the original intention of the design; although there are many flaws in some aspects, the overall result is satisfactory. The main work of the paper covers the following aspects:

1. The paper analyzes the shortcomings of the traditional firewall and compares the differences and focus between the traditional firewall and the next-generation firewall.
2. The paper analyzes the existing network traffic identification and control technologies, and summarizes the implementation of the various technologies and their advantages and disadvantages.
3. The paper focuses on the performance of the various string matching algorithms, analyzes the AC-BM algorithm and makes a few appropriate improvements to it. The paper then verifies the improved performance of the algorithm through example matching and experiment.
4. The paper studies several typical business applications that are popular on the Internet, and analyzes and summarizes the communication theory, flow characteristics and analysis methods of each protocol, combined with specific instances.
5. The paper designs a next-generation firewall system and implements identification and control of network traffic. A variety of detection technologies are used together to improve the protocol recognition accuracy rate. The paper gives a flow control algorithm based on the traffic control program of the Netfilter framework in the Linux system, and implements traffic control of the specific traffic.
6. The paper analyzes the flows of a variety of different types of business software, finds their features and writes them to the characteristic rule database. The paper then tests the traffic identification and control functions of the system and analyzes the test results.

The analysis of the results shows that the system can accurately identify and effectively control a variety of flows, has good detection efficiency, and basically reaches the basic functional requirements for a next-generation firewall.
Keywords/Search Tags: next-generation firewall, traffic identification, traffic control, string matching