
Design And Implementation Of Scan-Defense And Client-Verify Modules For Hybrid Firewall

Posted on: 2015-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: H Wang
Full Text: PDF
GTID: 2348330422992338
Subject: Software engineering

Abstract/Summary:
As networks grow in size and network applications become more diverse, network security issues are becoming increasingly severe, and many kinds of network security products have been developed in response. Among these, the firewall has become one of the most important security products. As firewalls have developed, the traditional pure-software firewall can no longer meet current market demands for performance and diverse functions. A dedicated high-performance firewall device has become an inevitable choice for most Internet service providers.

Because network security functional requirements are diverse, firewall detection methods are also constantly changing. From the initial single packet-filtering firewall to a variety of application-proxy firewalls, firewall architecture and inspection methods have been in constant development. For professional firewall devices, integrating the strengths of earlier designs is an inevitable choice, and the result is the hybrid firewall. A hybrid firewall combines the advantages of the two types of firewall: it remains efficient at defending against single-packet attacks and makes up for the remaining deficiencies through application proxying.

Based on the hybrid firewall architecture, this paper presents the design and implementation of a scan-attack defense module and a client-verify proxy module. It also offers some optimization ideas and solutions.

In the overall structure of the design, considering the advantages of the two firewall types and the requirements of specific business modules, we unify packet pre-processing, data management and log management to improve overall firewall performance.

In the scan-attack defense part, by introducing a unified packet statistics process and simplifying the counting operation, the module identifies the three currently recognized types of scan attack effectively and accurately. In the client-verify proxy part, we currently provide a variety of proxies for three main network protocols. In business processing, an efficient multi-layered structural model for maintaining aging data reduces the frequency of system timer interrupts.

Finally, this paper presents the main test data from two angles, functional testing and performance testing, to show that the system works correctly and efficiently. In the functional tests, we simulate different real business scenarios so that the business logic is tested comprehensively. In the performance tests, we measure the impact of the new modules on forwarding performance in the same environment to verify the efficiency of the system.
Keywords/Search Tags: hybrid firewall, scan defense, client-verify proxy, aging optimization