
The Research And Implementation Of Key Technologies For Private Network Security Isolation

Posted on: 2016-11-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y N Zhao
Full Text: PDF
GTID: 2298330467991907
Subject: Information security

Abstract/Summary:
With the continuous development of network information technology, people attach more importance to network security issues, and the devices and methods for security isolation have become more abundant. Because of the complex network environment and evolving attack methods, traditional network security products cannot satisfy security requirements, especially in private networks, which have higher requirements and more specific functional demands. Existing security isolation schemes cannot satisfy the isolation requirements of private environments.

We analyzed the state of security isolation and proposed an isolation scheme with comprehensive protection at the network layer and application layer, aiming to separate most of the data for the security of private networks. We carried out analytical investigation, design, implementation and testing of the network layer and application layer isolation protection. The main work is as follows:

1. The state of network security and the technologies applied to network isolation were introduced. The thesis indicated the disadvantages of existing technology and proposed a comprehensive protective isolation scheme for the network layer and application layer.

2. The thesis used iptables firewall technology for network layer isolation to filter packets. To improve efficiency, we proposed an optimization of traditional iptables filtering that divides the filtering rules into four categories according to protocol and sends packets of different protocols to different rule sets for matching. The thesis also analyzed the conflicts that this optimization might introduce and resolved them by preprocessing the rules, adding rules where needed.

3. For application layer isolation, Deep Packet Inspection was first performed to analyze the application layer protocols, and the packets were then filtered a second time against rule lists. The scheme applies to the isolation of various protocols, with better extensibility and higher flexibility: the lists can be modified at any time according to the requirements of the environment, with immediate effect. Filtering twice makes the result more accurate. The thesis took the Simple Network Management Protocol and the Session Initiation Protocol, which are often used in private networks, as examples for detection and analysis.

4. We applied the comprehensive network layer and application layer protection scheme to a private security isolation system, and implemented and tested it. The results achieved the anticipated purpose. We implemented functions such as the operation log, operation statistics and the security log. The system ran well, was able to filter illegal data, and guaranteed security.

A new idea, the optimization of the iptables firewall together with rule lists for the twofold filtering, was proposed for private network isolation and has reference value.
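The per-protocol rule-set optimization in point 2, and the conflict it creates, can be illustrated with a small model of first-match filtering. This is an added example, not code from the thesis: it assumes the four categories are tcp, udp, icmp and "other" (the abstract does not name them), models rules and packets as constructed Python objects, and shows why a protocol-agnostic rule must be copied into every set during preprocessing to keep the same verdict as a single flat chain.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:  # one iptables-like filter rule (constructed model, not the thesis's code)
    action: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # "tcp", "udp", "icmp"; None matches any protocol
    src: Optional[str] = None    # exact source address; None matches any
    dport: Optional[int] = None  # destination port; None matches any

# Assumed categories: the thesis says four, divided by protocol, but does not name them.
PROTO_SETS = ("tcp", "udp", "icmp", "other")

def bucket(proto: str) -> str:
    return proto if proto in PROTO_SETS[:3] else "other"
def matches(rule: Rule, pkt: dict) -> bool:
    return ((rule.proto is None or rule.proto == pkt["proto"])
            and (rule.src is None or rule.src == pkt["src"])
            and (rule.dport is None or rule.dport == pkt.get("dport")))

def flat_verdict(rules, pkt, default="DROP") -> str:
    # Baseline: the first matching rule in one flat chain decides; chain policy DROP otherwise.
    return next((r.action for r in rules if matches(r, pkt)), default)

def naive_partition(rules) -> dict:
    # Split by protocol only: a protocol-agnostic rule lands in "other" and is lost to tcp/udp/icmp.
    sets = {p: [] for p in PROTO_SETS}
    for r in rules:
        sets[bucket(r.proto or "other")].append(r)
    return sets

def partition(rules) -> dict:
    # Preprocessing: copy protocol-agnostic rules into all four sets so each keeps the flat order.
    sets = {p: [] for p in PROTO_SETS}
    for r in rules:
        for p in (PROTO_SETS if r.proto is None else (bucket(r.proto),)):
            sets[p].append(r)
    return sets

def partitioned_verdict(sets, pkt, default="DROP") -> str:
    # Dispatch on the packet's protocol, then first-match inside that (shorter) set only.
    return flat_verdict(sets[bucket(pkt["proto"])], pkt, default)
# Constructed sample policy: block one host for every protocol, then permit SNMP, SIP and ICMP.
SAMPLE_RULES = [
    Rule("DROP", src="10.0.0.9"),
    Rule("ACCEPT", proto="udp", dport=161),   # SNMP
    Rule("ACCEPT", proto="udp", dport=5060),  # SIP over UDP
    Rule("ACCEPT", proto="tcp", dport=5060),  # SIP over TCP
    Rule("ACCEPT", proto="icmp"),
]
```

With SAMPLE_RULES, an SNMP packet from the blocked host is dropped by the flat chain and by the preprocessed partition, but accepted by the naive partition, which is exactly the conflict the preprocessing step removes.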
Keywords/Search Tags: isolation scheme, iptables firewall optimization, rule lists, security isolation system