
A Research And Implementation Of Network Security Mechanism Based On Embedded Devices

Posted on: 2017-04-10
Degree: Master
Type: Thesis
Country: China
Candidate: H Wang
Full Text: PDF
GTID: 2308330485984545
Subject: Computer system architecture
Abstract/Summary:
The traditional gateway, as a network node, interconnects two networks that use different communication protocols. With the growth of network security problems, protecting the internal network has also become very important. Security isolation and information exchange technology isolates the internal and external networks and prevents the two ends from communicating directly; it is currently the most suitable security technology for gateways. Existing isolation and exchange techniques operate essentially at the network layer, so they cannot effectively inspect application-layer protocols that use TCP as their transport: simple IP packet filtering cannot reconstruct the complete data stream, so it can neither handle the security threats carried in a TCP stream nor detect deeper network attacks. Deeper security filtering must track the session state of the application protocol and provide protection at the session layer.

Considering this shortcoming of existing isolation and exchange techniques, this thesis designs and implements a security isolation gateway that uses stream filtering and is based on transport-layer isolation. The main research and innovations of the thesis are as follows:

(1) Starting from the inability of traditional isolation and exchange techniques to protect TCP-based application protocols, the feasibility of implementing the split-TCP technique on the isolation gateway is analyzed. With split TCP, the isolation gateway cuts off the direct interaction between the two ends of a connection, so it can obtain the reassembled TCP data stream of each end and perform deep security filtering.

(2) An I/O control algorithm for the split-TCP setting is proposed, addressing the difficulty of buffer management and effective I/O control in an isolation gateway that holds a large number of TCP connections. Experimental results show that split TCP reduces the gateway's network transmission performance by only about 20 percent.

(3) A distributed architecture for the security load is designed, addressing the problem that the security filtering load can affect the gateway's primary packet-forwarding function. For possible denial-of-service attacks, an optimization algorithm for the network protocol stack is proposed: a pre-elimination mechanism filters potentially malicious SYN packets in advance, and no resources are allocated to a connection until the three-way handshake has completed.

Finally, a test environment for the system was built. The experimental results show that the isolation gateway provides security protection at the application layer, reduces the impact of the security load introduced by isolation and exchange, and at the same time reduces the transmission performance degradation that the security load imposes on the gateway.
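Added example (not code from the thesis): the point of item (1) is that a per-packet filter sees only individual IP payloads, while a gateway that terminates both TCP ends can inspect the reassembled byte stream. The reassembler below models the receive side of one such terminated connection; the socket termination itself is not shown. The segment layout, sequence numbers, request text and the simple path-traversal rule are all constructed for the illustration and are not taken from the thesis.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamReassembler:
    """Rebuilds one direction of a TCP stream from segments arriving in any order."""
    next_seq: int                                   # next byte expected (peer ISN + 1)
    pending: dict = field(default_factory=dict)     # seq -> payload, held until the gap before it fills
    data: bytearray = field(default_factory=bytearray)

    def push(self, seg: Segment) -> None:
        end = seg.seq + len(seg.payload)
        if end <= self.next_seq:
            return                                  # pure retransmission, already delivered
        if seg.seq < self.next_seq:
            # partial overlap with delivered data: keep only the new suffix
            seg = Segment(self.next_seq, seg.payload[self.next_seq - seg.seq:])
        if seg.seq > self.next_seq:
            self.pending[seg.seq] = seg.payload     # out of order: wait for the hole to fill
            return
        self.data.extend(seg.payload)
        self.next_seq += len(seg.payload)
        # drain held segments that are now contiguous (or now overlap delivered data)
        while self.pending and min(self.pending) <= self.next_seq:
            seq = min(self.pending)
            self.push(Segment(seq, self.pending.pop(seq)))


# Deliberately simple application-layer rule: a "/../" component in the request.
TRAVERSAL = re.compile(rb"(^|/)\.\.(/|$)")


def per_packet_matches(segments) -> bool:
    """What network-layer packet filtering can do: inspect each payload in isolation."""
    return any(TRAVERSAL.search(s.payload) is not None for s in segments)


def reassemble(segments, isn: int) -> bytes:
    """Feed segments (any order, duplicates, overlaps) and return the ordered stream."""
    r = StreamReassembler(next_seq=isn)
    for s in segments:
        r.push(s)
    return bytes(r.data)


def stream_matches(segments, isn: int) -> bool:
    """What the split-TCP gateway can do: apply the rule to the reassembled stream."""
    return TRAVERSAL.search(reassemble(segments, isn)) is not None


# Constructed sample: the ".." of the request straddles a segment boundary, the
# segments arrive out of order, one is duplicated and one overlaps delivered bytes.
ISN = 1000
SAMPLE_REQUEST = b"GET /static/../etc/passwd HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment(ISN + 13, SAMPLE_REQUEST[13:]),    # tail arrives first
    Segment(ISN, SAMPLE_REQUEST[:12]),         # b"GET /static/"
    Segment(ISN, SAMPLE_REQUEST[:12]),         # duplicate retransmission
    Segment(ISN + 10, SAMPLE_REQUEST[10:13]),  # b"c/." overlaps two delivered bytes
]

if __name__ == "__main__":
    print("per-packet filter sees traversal:", per_packet_matches(SAMPLE_SEGMENTS))
    print("stream filter sees traversal:   ", stream_matches(SAMPLE_SEGMENTS, ISN))
```

The per-packet check returns False for the sample because no single payload contains the pattern, while the stream check returns True once the bytes are back in order; this is the gap the thesis closes by filtering at the reassembled-stream level rather than per IP packet.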
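Added example (not the thesis's algorithm): item (3) describes a protocol stack that drops suspect SYNs early and allocates no connection resources until the three-way handshake completes. The thesis does not give the mechanism, so this model makes two assumptions: the "pre-elimination" step is a per-source SYN rate limit, and the "no state before handshake" step is SYN-cookie style, with the SYN-ACK sequence number being an HMAC over the 4-tuple and a coarse timestamp that the final ACK must echo. The secret, limits, addresses and packets are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

SECRET = b"constructed-secret-rotate-in-production"  # constructed; a real stack rotates this
COOKIE_WINDOW = 64        # seconds per time bucket encoded in the cookie
SYN_RATE_LIMIT = 50       # SYNs per source per bucket before pre-elimination drops them (assumed)


def _mac(src, sport, dst, dport, bucket):
    """24-bit tag binding the cookie to the 4-tuple and the time bucket."""
    msg = f"{src}:{sport}>{dst}:{dport}@{bucket}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_isn(src, sport, dst, dport, now):
    """Stateless SYN-ACK sequence number: 8-bit time bucket || 24-bit MAC."""
    bucket = (int(now) // COOKIE_WINDOW) & 0xFF
    return (bucket << 24) | int.from_bytes(_mac(src, sport, dst, dport, bucket), "big")


def check_isn(src, sport, dst, dport, isn, now):
    """Accept only cookies from the current or previous bucket, compared in constant time."""
    bucket = isn >> 24
    current = (int(now) // COOKIE_WINDOW) & 0xFF
    if (current - bucket) & 0xFF > 1:
        return False
    got = (isn & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(got, _mac(src, sport, dst, dport, bucket))


class Listener:
    """Toy listening socket: state exists only for completed handshakes."""

    def __init__(self):
        self.connections = {}                 # 4-tuple -> state, created on a valid final ACK
        self.syn_counts = defaultdict(int)    # (src, bucket) -> SYNs seen, for pre-elimination
        self.dropped = 0

    def handle(self, pkt, now):
        """pkt: dict with flags, src, sport, dst, dport, seq, ack. Returns the reply or None."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "SYN":
            counter = (pkt["src"], int(now) // COOKIE_WINDOW)
            self.syn_counts[counter] += 1
            if self.syn_counts[counter] > SYN_RATE_LIMIT:
                self.dropped += 1             # pre-elimination: drop before any further work
                return None
            isn = make_isn(*key, now)
            # Reply without recording anything: the cookie carries what we need.
            return {"flags": "SYN-ACK", "seq": isn, "ack": pkt["seq"] + 1}
        if pkt["flags"] == "ACK" and key not in self.connections:
            if not check_isn(*key, pkt["ack"] - 1, now):
                self.dropped += 1             # ACK without a valid cookie: no handshake happened
                return None
            self.connections[key] = {"rcv_next": pkt["seq"], "snd_next": pkt["ack"]}
        return None


def simulate_flood(listener, n, now=1_000_000.0):
    """n SYNs from one source that never complete; returns connection entries created."""
    for i in range(n):
        listener.handle({"flags": "SYN", "src": "203.0.113.9", "sport": 1024 + i,
                         "dst": "10.0.0.1", "dport": 80, "seq": 7, "ack": 0}, now)
    return len(listener.connections)


def simulate_legit_client(listener, now=1_000_000.0):
    """A client that completes the handshake; returns True if state was created for it."""
    syn = {"flags": "SYN", "src": "192.0.2.5", "sport": 40000,
           "dst": "10.0.0.1", "dport": 80, "seq": 100, "ack": 0}
    synack = listener.handle(syn, now)
    ack = {**syn, "flags": "ACK", "seq": 101, "ack": synack["seq"] + 1}
    listener.handle(ack, now + 1)
    return ("192.0.2.5", 40000, "10.0.0.1", 80) in listener.connections


if __name__ == "__main__":
    lst = Listener()
    print("connections after 10000 half-open SYNs:", simulate_flood(lst, 10000))
    print("legitimate client established:", simulate_legit_client(lst))
```

The flood leaves the connection table empty because a SYN never allocates state, and a forged ACK carrying an arbitrary acknowledgement number is rejected by the cookie check, so memory is only spent on peers that actually completed the handshake.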
Keywords/Search Tags: security isolation and information exchange, stream filtering, TCP message reorganization, protocol stack optimization