Design And Implementation On Perimeter Traffic Pre-filter Module Of Next Generation Firewall

Posted on: 2018-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: L B Sheng
GTID: 2348330542952097
Subject: Software engineering

Abstract/Summary:
As network applications become more popular and more diverse, the network security situation is deteriorating and cyber attacks are increasingly frequent. Firewall technology, as one of the methods for addressing network security problems, is increasingly important. Because traditional firewalls have proven inadequate against the current large number of threats and a constantly changing application environment, the next generation of firewalls emerged. This thesis takes a Next Generation Firewall system as its background. To prevent known "malicious traffic" from flowing into the subsequent defense modules of the firewall system, it designs and implements a perimeter traffic filtering system based on black and white lists. The main function of the system is to use black and white list rules to filter traffic as soon as the firewall receives data packets, so as to reduce the detection load on the follow-up modules.

The main content of the thesis is divided into three functional modules: black and white list management, traffic filtering, and log aggregation. The main concern of black and white list management is the collection of blacklists. This thesis studies several well-known blacklist websites provided by ENISA and evaluates them against multiple purpose-designed measures in order to screen out the blacklist resources. It provides a data analysis function to obtain blacklists automatically. A custom black and white list interface is also provided for ease of customization, along with third-party interfaces for interacting with the devices of third-party security vendors. Traffic filtering is an important part of the implementation: the system parses each intercepted data packet and matches it against the local black and white list rules, so matching efficiency is essential. By studying integer hash algorithms, the thesis designs an efficient hash method that ensures the elements in the hash table are stored evenly. At the same time, starting from the traditional hash table design, it optimizes the storage scheme and reduces the average search time to ensure highly efficient matching, and it validates this through experimental data. The thesis designs a log aggregation algorithm that combines redundant log records, reducing the redundancy of the log information generated during traffic filtering and matching.

In addition, the thesis provides a user configuration interface for configuration settings and queries, and it gives the implementation details of each module. Finally, the function and performance of the system are tested separately according to the system requirements. The test results show that the system meets the system requirements and can effectively prevent known "malicious" traffic from flowing into the follow-up defense modules.
Keywords/Search Tags:black and white list management, flow filtration, hash table, log aggregation