
Anshan Netcom Corporation 97 Network Security Firewall System Development And Application

Posted on: 2008-09-16    Degree: Master    Type: Thesis
Country: China    Candidate: K H Yang    Full Text: PDF
GTID: 2268360212497378    Subject: Software engineering
Abstract/Summary:
The rapid development of enterprise informatization and the ever deeper and wider use of information technology have greatly increased enterprise productivity. As enterprises come to rely more and more on their computer networks, the latent security risks of those networks grow with their scale, and network security becomes increasingly important. At present the firewall is one of the main technologies for network security protection. A firewall combines hardware and software to establish a protective layer between the external network and the protected network; it shields the information and structure of the protected network from the outside as far as possible and secures part of the network, so that a local network can be made secure in an insecure public network environment. The traditional firewall has many shortcomings in its protective capability, its structure and its compatibility. With the development of enterprise informatization and the constant change of network attack methods, the demands on firewall technology keep rising, and the deficiencies of traditional firewall technology can no longer satisfy enterprise needs. The distributed firewall emerged in this situation; it shows great superiority over the traditional firewall in technical and security performance and is increasingly the first choice for enterprise security work. The basic idea of the distributed firewall is: the security policy is expressed in a policy language; the policy is formulated centrally on a central management server and then distributed to each host in the system; each host is responsible for enforcing the security policy; and communication between hosts is encrypted with the IPSec protocol.

Compared with the traditional firewall, the merits of the distributed firewall are: (1) independence from the network topology; (2) prevention of internal attacks; (3) reduced fragility of a single point; (4) more protection for the host. Its implementation techniques divide into two kinds of policy definition and enforcement: one is central policy definition with central enforcement; the other is central policy definition with distributed enforcement. The distributed firewall makes up for the insufficiency of the traditional firewall while retaining the traditional firewall's advantages, and it is better adapted to the development of networking. This thesis conducts a thorough study and comparison of traditional firewall technology and distributed firewall technology, takes into account the actual situation of Anshan NetCom, and designs and implements an IPSec-based distributed firewall that makes full use of existing technology to guarantee the enterprise's information security. The thesis designs and specifies the system architecture of the IPSec-based distributed firewall. The system is composed mainly of three parts: the policy control center, the policy executor, and IPSec communication. The thesis elaborates and analyses in detail the concept, structure and technical principle of each of them. (1) The main functions of the policy control center are to register protected hosts, to formulate security policies for the protected hosts, and to transmit policy documents to the protected hosts. Its structure mainly includes the host registration module, the policy editing module and the policy transmission module.

(2) The policy executor runs on the protected host. It interprets and enforces the security policy provided by the policy control center and is the program that actually carries out the responsibility of protecting the host. It mainly performs packet filtering, but it must also communicate with the policy control center, receive the policy document, and translate the policy document into the rule form that the packet filtering module can recognise. (3) IPSec communication protects the communication between the hosts inside the distributed firewall and prevents internal attacks. After determining the system structure and technology of the distributed firewall, the thesis introduces the system implementation process in detail. The development platform is the Red Hat Linux 9.0 operating system with kernel version 2.4. The development tool is Borland JBuilder 2005, and the implementation mainly uses the Java language together with JNI technology and object serialization. The software configuration installs the Netfilter/IPTables system and FreeS/WAN. The packet filtering program IPTables built into Linux is written in C, and this thesis wraps it with Java JNI technology. Following the structure of the packet filtering program and the composition of packet filtering rules, the thesis elaborates the implementation of the system, which is composed of three major parts: the policy executor module, the policy control center module and the IPSec communication part. The policy executor module divides into (1) the packet filtering module, which is implemented with the packet filtering program IPTables built into Linux;

(2) the policy translation module, whose main function is transPolicy(); it reads in turn each rule of the policy document that the policy receiving module has received from the policy control center and adds the rule to the corresponding packet filtering chain; (3) the policy receiving module, whose main function is policyRecv(); it uses local port 5656 to communicate with the policy transmission module of the policy control center, and receives and stores the policy document. The thesis gives a concise introduction to the implementation principle, flow and algorithm of these three modules. The policy control center divides into (1) the host registration module, which registers a host with the policy control center so that the host receives protection from the system; (2) the policy editing module, which edits the security policy for a host that needs protection; (3) the policy transmission module, which transmits the edited policy document to the corresponding host. Finally, the IPSec part of the system is set up. Setting up IPSec requires the configuration file ipsec.conf, the main configuration file for correct IPSec communication on Linux; only when it is configured correctly can IPSec work normally. It is a text file that records all the connections that communicate using IPSec together with some system configuration information, and it mainly contains two parts: the connection part and the configuration part. The thesis introduces the configuration parameters of ipsec.conf and the configuration process. After the system design is finished, the system is tested. The test environment installs the policy control center on the gateway machine, installs the policy executor on the internal hosts hostA and hostB respectively, and uses hostC as the attacking host.

hostA and hostB are added as protected hosts and security policies are formulated for them in the policy control center; the policy documents are transmitted to hostA and hostB respectively, and the firewall rules are examined in a terminal on hostA or hostB with iptables -L. The tests show that the system achieves secure IPSec communication between hosts and prohibits TCP/UDP connections with the protected hosts, realising the application of the distributed firewall model. In practical use on the company network of Anshan NetCom, the system effectively blocks most network attacks and improves the security of the enterprise network; compared with the period before the system was deployed, it has greatly reduced network security incidents, improved the enterprise's production efficiency, and received consistently high praise.
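As an added illustration of the policy translation step described above (example code written for this page, not the thesis's own implementation): the thesis does not publish its policy language, so the six-field rule format, the chain mapping and the sample addresses below are assumptions.

```python
# Added example, not code from the thesis: a minimal policy-document
# translator in the spirit of the policy executor's transPolicy() step.
# The six-field rule format is assumed (the thesis does not publish its
# policy language); a malformed document is rejected whole, so no rule
# is ever half-applied to the packet filtering chains.
# Constructed sample policy document for a protected host (format assumed).
SAMPLE_POLICY = """\
# direction proto src dst port action
in  tcp  192.168.1.20  192.168.1.10  any  DROP
in  udp  192.168.1.20  192.168.1.10  any  DROP
in  esp  192.168.1.20  192.168.1.10  any  ACCEPT
in  tcp  any           192.168.1.10  22   ACCEPT
"""
CHAIN_FOR_DIRECTION = {"in": "INPUT", "out": "OUTPUT", "fwd": "FORWARD"}
VALID_PROTOS = {"tcp", "udp", "icmp", "esp", "ah", "all"}
VALID_ACTIONS = {"ACCEPT", "DROP"}

def parse_rule(line):
    """Validate one rule line and return its fields; raise ValueError on defects."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields: {line!r}")
    direction, proto, src, dst, port, action = fields
    if (direction not in CHAIN_FOR_DIRECTION or proto not in VALID_PROTOS
            or action not in VALID_ACTIONS):
        raise ValueError(f"bad direction, protocol or action: {line!r}")
    # --dport only exists for tcp/udp, so a port on esp/ah/icmp is an error
    if port != "any" and (proto not in ("tcp", "udp")
                          or not 1 <= int(port) <= 65535):
        raise ValueError(f"bad port: {line!r}")
    return dict(zip(("direction", "proto", "src", "dst", "port", "action"), fields))

def rule_to_iptables(rule):
    """Build the iptables argv for one rule (a list, never a shell string)."""
    argv = ["iptables", "-A", CHAIN_FOR_DIRECTION[rule["direction"]]]
    if rule["proto"] != "all":
        argv += ["-p", rule["proto"]]
    for flag, key in (("-s", "src"), ("-d", "dst"), ("--dport", "port")):
        if rule[key] != "any":
            argv += [flag, rule[key]]
    return argv + ["-j", rule["action"]]

def trans_policy(document):
    """Translate a whole policy document; every rule is validated first."""
    rules = []
    for line in document.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            rules.append(parse_rule(line))
    return [rule_to_iptables(r) for r in rules]
```

The returned argv lists are what the executor would hand to the wrapped IPTables program; validating the whole document before applying anything is what keeps a bad rule from leaving a host partly protected.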
Keywords/Search Tags: Corporation