
Design And Implementation Of The Network Application Identify And Control System Based On Next Generation Firewall

Posted on: 2015-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: M Liu
GTID: 2298330467957502
Subject: Software engineering

Abstract/Summary:
With the development of information technology, enterprise informatization and electronic government, enterprises have moved onto the Internet and make full use of network, computer and information technology to improve workplace productivity. But this also brings problems such as poor network performance, low network utilization and the spread of network viruses. It is therefore important for enterprises to identify and control network applications in order to improve the management and operation of their information systems.

Traditional application identification and control systems such as firewalls perform security checks based on the five-tuple. However, relying solely on IP address and port number, these methods cannot determine the specific application type, let alone provide fine-grained identification and control of functions within the same application, so they cannot meet the requirements of present-day network management and security.

This thesis focuses on key technologies of the next generation firewall, especially DPI and the application identification and control technologies that play an important role in the next generation firewall. The network application identification and control system will serve as the basic implementation platform of the DPI application; it can accurately identify various types of network applications, achieve fine-grained control of the corresponding network protocols, and make the system modular and extensible.

This thesis intends to provide an effective technical means for enterprises to control their employees' network access and ensure the security of their enterprise networks. It attempts to strike a balance between system security and user convenience. The thesis surveyed current firewall technologies and network access control systems, and analyzed popular firewall products available on the market.

The design goals and functional requirements of the "next-generation firewall technology based network application identification and control system" were first proposed, then the design of the overall architecture and workflow was described, and finally the key technologies adopted in system development and the preconditions for deployment were briefly described. Specifically, the main contributions of the thesis are as follows:

1. Analyze the key technology challenges faced by traditional firewalls and point out the key features that next generation firewalls must have.
2. Propose the use of DPI technology to identify network applications and achieve fine-grained control of network applications based on next-generation firewall features.
3. Study and design the "application identification and control system architecture". The system is able to accurately identify network applications and set different control strategies for different applications.

Keywords/Search Tags: Next Generation Firewall, Network Access Control, DPI, NetFilter, Application Identification