The firewall rule set is the main carrier of a network security strategy, so comparing firewall rule sets is very important. First, comparison can find inconsistencies between manually configured security rules and the security requirements, and thus detect incorrect configurations; second, comparing the different rule sets designed by several design groups lets the more appropriate one be selected; third, comparing a rule set before and after migration verifies its consistency and integrity. At present, firewall rule set comparison has become an important and difficult problem.

The stateful firewall is a new kind of firewall. Compared with an ordinary firewall, a stateful firewall adds a state section that stores information about current and past session packets in a state table. The state table and the rule set together determine whether a packet may pass through the firewall. Hence even when two firewalls have the same rule set, a different state section can lead to a different decision. However, the traditional FDD (Firewall Decision Diagram) does not consider the impact of the state section, so FDD does not apply to the comparison of stateful firewall rule sets. So far, no comparison method for stateful firewall rule sets has been reported, and research on stateful firewall rule comparison is necessary.

Building on existing research on firewall rule sets, and through a study of stateful firewall concepts and models, this paper proposes a construction algorithm for the Stateful Firewall Decision Diagram (SFDD), intended to meet the administrator's need to configure stateful firewall rules as intended, and applies it in a stateful firewall rule set comparison method. The main work is as follows:

1. Analyzes the domestic and foreign research status of the stateful firewall, describes its basic concepts, key technologies and models, and presents the form and key technology of the firewall rule set.

2. On the basis of the FDD construction algorithm, proposes an SFDD construction algorithm that converts a stateful firewall rule table into an equivalent SFDD.

3. Describes a stateful firewall rule set comparison method with three main phases: design, comparison and correction. First, according to the security demand, multiple development teams each realize a rule set by their own methods. Second, through simplification and semi-isomorphism operations the rule sets are converted into semi-isomorphic SFDDs, and their decisions are compared to show the administrator the points of difference. Third, these differing decisions are analyzed and the stateful firewall designs are corrected according to the security demand.

Theoretical analysis and simulation results show that the method can effectively detect all the differences between the rule sets, and when the number of rules in both the stateful and stateless sections is 3000, the time cost is less than 2 seconds.
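As an added illustration of the comparison phase described above (example code written for this page, not the thesis's SFDD algorithm, which is not reproduced here), the following Python converts two first-match rule tables into interval-based decision diagrams in which the result of the state-table lookup is one of the fields, simplifies each diagram by merging edges with identical subtrees, and then walks the two diagrams together to report every region where the decisions disagree. The field order, the NEW/ESTABLISHED and TCP/UDP encodings, the implicit final deny and the two sample rule sets are assumptions constructed for the example.

```python
"""Added example: decision-diagram comparison of two stateful rule sets.
Field order, encodings, default decision and rule sets are assumptions."""

# Assumed field order.  "state" is the stateful part: the outcome of the
# state-table lookup (NEW=0, ESTABLISHED=1), which a plain FDD does not model.
FIELDS = ("state", "proto", "port")
DOMAIN = ((0, 1), (0, 1), (0, 65535))   # state, proto (TCP=0/UDP=1), dst port
DEFAULT_DECISION = "deny"                # assumed implicit final rule


def lookup_state(packet, state_table):
    """State-table lookup: a packet whose 4-tuple (src, dst, proto, port) was
    recorded by an earlier session is ESTABLISHED (1), otherwise NEW (0)."""
    return 1 if packet in state_table else 0


def build(rules, depth=0, domain=DOMAIN):
    """Convert a first-match rule list (per-field (lo, hi) ranges, decision)
    into a diagram: a node is a tuple of ((lo, hi), child) edges, a leaf is
    the decision string."""
    if depth == len(FIELDS):
        return rules[0][1] if rules else DEFAULT_DECISION
    lo, hi = domain[depth]
    # Elementary intervals: cut the field domain at every rule boundary.
    cuts = {lo, hi + 1}
    for ranges, _ in rules:
        a, b = ranges[depth]
        if lo < a <= hi:
            cuts.add(a)
        if lo < b + 1 <= hi:
            cuts.add(b + 1)
    cuts = sorted(cuts)
    edges = []
    for a, nxt in zip(cuts, cuts[1:]):
        b = nxt - 1
        # A rule either covers the whole elementary interval or misses it.
        sub = [r for r in rules if r[0][depth][0] <= a and r[0][depth][1] >= b]
        child = build(sub, depth + 1, domain)
        # Simplification: merge with the previous edge if subtrees are equal.
        if edges and edges[-1][1] == child:
            edges[-1] = ((edges[-1][0][0], b), child)
        else:
            edges.append(((a, b), child))
    return tuple(edges)


def compare(dd_a, dd_b, prefix=()):
    """Walk two diagrams in lockstep over intersecting intervals and collect
    (region, decision_a, decision_b) for every region where they disagree."""
    if isinstance(dd_a, str):
        return [(prefix, dd_a, dd_b)] if dd_a != dd_b else []
    diffs = []
    for (alo, ahi), ca in dd_a:
        for (blo, bhi), cb in dd_b:
            lo, hi = max(alo, blo), min(ahi, bhi)
            if lo <= hi:
                diffs.extend(compare(ca, cb, prefix + ((lo, hi),)))
    return diffs


def compare_rule_sets(rules_a, rules_b):
    return compare(build(rules_a), build(rules_b))


def decide(dd, values):
    """Evaluate a diagram on one packet given as one value per field."""
    for v in values:
        for (lo, hi), child in dd:
            if lo <= v <= hi:
                dd = child
                break
    return dd


# Constructed rule sets from two design teams, both meant to implement
# "allow established sessions, allow new TCP to web ports, deny the rest".
TEAM_A = [
    (((1, 1), (0, 1), (0, 65535)), "accept"),   # ESTABLISHED -> accept
    (((0, 1), (0, 0), (80, 80)), "accept"),     # TCP/80
    (((0, 1), (0, 0), (443, 443)), "accept"),   # TCP/443
    (((0, 1), (0, 1), (0, 65535)), "deny"),
]
TEAM_B = [
    (((1, 1), (0, 1), (0, 65535)), "accept"),
    (((0, 1), (0, 0), (80, 443)), "accept"),    # sloppy range 80-443
    (((0, 1), (0, 1), (0, 65535)), "deny"),
]


def report(rules_a, rules_b):
    """Human-readable difference list for the administrator."""
    lines = []
    for region, da, db in compare_rule_sets(rules_a, rules_b):
        where = ", ".join(f"{f}={lo}" if lo == hi else f"{f}={lo}-{hi}"
                          for f, (lo, hi) in zip(FIELDS, region))
        lines.append(f"{where}: A={da} B={db}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(TEAM_A, TEAM_B)))
    # Same rule set, different state table -> different decision.
    session = ("10.0.0.5", "10.0.0.9", 1, 5353)       # constructed UDP session
    dd = build(TEAM_A)
    print(decide(dd, (lookup_state(session, {session}), 1, 5353)))  # accept
    print(decide(dd, (lookup_state(session, set()), 1, 5353)))      # deny
```

The report for the two constructed sets names exactly one region, `state=0, proto=0, port=81-442: A=deny B=accept`, which is the kind of finding the comparison phase hands to the administrator for correction. The final two lines show the point the abstract makes about the state section: the same rule set accepts the UDP packet when the state table holds the session and denies it when the table is empty, so a diagram that omits the state field could not distinguish the two cases.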