
Research On Security Analysis Technology Of Linux Firewall Rules

Posted on: 2021-05-09
Degree: Master
Type: Thesis
Country: China
Candidate: M Xu
Full Text: PDF
GTID: 2518306104999829
Subject: Information security
Abstract/Summary:
With the rapid development of computer network technology, firewall technology has become an important component of network security protection. For embedded devices in particular, how to guarantee the security performance of the firewall is a hot topic. At present there are still problems in both packet matching algorithms and firewall policy detection algorithms. For example, the packet matching algorithm in most network firewalls is still the basic sequential matching algorithm, which cannot meet the high filtering-performance demands of large network firewalls. Moreover, current firewall policy detection algorithms lack a good solution for handling IP address prefixes of arbitrary length. The main work of this paper is as follows:

First, for firewall matching, a fast packet matching algorithm based on independent rule sets is proposed. At present most network firewalls cannot analyze and rewrite the original rule set, so they usually reorder the rule set through statistical analysis to improve matching efficiency; this does not fundamentally improve the efficiency of the matching algorithm itself. Based on a study of the mainstream network firewall packet matching algorithms, a fast packet matching algorithm based on independent rule sets is proposed.

Secondly, for firewall policy analysis, a space partition algorithm combining a binary classification tree with the bit vector algorithm is proposed to solve the conflict detection problem. Two things are done. On the one hand, a naive space classification algorithm and a binary-tree-based classification algorithm are proposed. The binary tree algorithm eliminates the precision problem of the naive space classification algorithm, which requires too many classification rounds, and also solves the problem of handling IP address prefixes of any length. On the other hand, the state-of-the-art bit vector conflict detection algorithm is studied; bit vector conflict detection is the most widely used and efficient algorithm.

Thirdly, the system design of network firewall security analysis under the Linux operating system is given. It is shown that the fast packet matching algorithm has high performance in matching time and clearly improves matching efficiency. The simulation results show that the binary tree classification algorithm is more efficient than the bit vector algorithm on prefix-type fields. The bit-vector-based conflict detection algorithm is studied and simulated together with the ASBV algorithm to verify its advantages. This shows that the conflict detection algorithm based on the binary tree and bit vector combines the advantages of both and is currently a better technology for rule detection in the Linux firewall.
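The abstract refers to bit vector packet classification and to detecting conflicts between firewall rules whose IP prefixes may have any length. The following is an added illustration, not code from the thesis: it represents each rule field as an integer range (so a /8, a /23 and a /32 prefix are all handled the same way), classifies a packet by AND-ing per-field bit vectors, and reports the classic pairwise anomalies (shadowing, redundancy, correlation) between an earlier and a later rule. The rule set and packets are constructed for the example; the algorithm names and thresholds in the thesis are not reproduced.

```python
"""Bit vector packet classification and pairwise rule-conflict detection
over a small firewall rule set with arbitrary-length IP prefixes.
Added example with a constructed rule set; not the thesis's own code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive integer interval


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR prefix of any length, e.g. "10.0.0.0/8" or "10.1.2.3/32"
    dst: str
    proto: Optional[int]     # IP protocol number, None = any
    dport: Range             # inclusive destination-port range
    action: str              # "accept" or "drop"


def prefix_range(cidr: str) -> Range:
    """Map a prefix of any length to [first address, last address] as integers."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def rule_ranges(r: Rule) -> List[Range]:
    """The rule as one range per field: src, dst, proto, dport."""
    proto = (0, 255) if r.proto is None else (r.proto, r.proto)
    return [prefix_range(r.src), prefix_range(r.dst), proto, r.dport]


def field_bitvector(rules: List[Rule], field_idx: int, value: int) -> int:
    """Bit i is set when rule i's range for this field contains the value."""
    bv = 0
    for i, r in enumerate(rules):
        lo, hi = rule_ranges(r)[field_idx]
        if lo <= value <= hi:
            bv |= 1 << i
    return bv


def classify(rules: List[Rule], src: str, dst: str, proto: int, dport: int) -> Optional[int]:
    """Bit vector classification: AND the per-field vectors; the lowest set bit
    is the first rule (in policy order) that matches. None = no rule matches."""
    fields = [int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst)), proto, dport]
    bv = (1 << len(rules)) - 1
    for idx, value in enumerate(fields):
        bv &= field_bitvector(rules, idx, value)
        if bv == 0:
            return None
    return (bv & -bv).bit_length() - 1


def ranges_overlap(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def range_subset(inner: Range, outer: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def detect_conflicts(rules: List[Rule]) -> List[Tuple[str, int, int]]:
    """Pairwise anomalies between an earlier rule i and a later rule j:
    shadowing  - j is fully covered by i and has a different action (j never fires)
    redundancy - j is fully covered by i with the same action (j is dead weight)
    correlation - partial overlap with different actions (rule order decides)"""
    found = []
    for j in range(len(rules)):
        for i in range(j):
            ri, rj = rule_ranges(rules[i]), rule_ranges(rules[j])
            if not all(ranges_overlap(a, b) for a, b in zip(ri, rj)):
                continue  # disjoint on some field: no packet hits both
            covered = all(range_subset(b, a) for a, b in zip(ri, rj))
            same_action = rules[i].action == rules[j].action
            if covered:
                found.append(("redundancy" if same_action else "shadowing", i, j))
            elif not same_action:
                found.append(("correlation", i, j))
    return found


# Constructed rule set (policy order matters).
RULES = [
    Rule("10.0.0.0/8",    "0.0.0.0/0",         6,    (22, 22),    "drop"),    # 0
    Rule("10.1.0.0/16",   "0.0.0.0/0",         6,    (22, 22),    "accept"),  # 1: shadowed by 0
    Rule("0.0.0.0/0",     "192.168.1.10/32",   6,    (80, 443),   "accept"),  # 2
    Rule("172.16.0.0/12", "192.168.1.8/29",    6,    (443, 443),  "drop"),    # 3: correlated with 2
    Rule("10.1.2.0/23",   "0.0.0.0/0",         6,    (22, 22),    "accept"),  # 4: shadowed by 0, redundant to 1
]

if __name__ == "__main__":
    for kind, i, j in detect_conflicts(RULES):
        print(f"{kind}: rule {j} vs earlier rule {i}")
    print("10.1.5.5 -> 8.8.8.8 tcp/22 matches rule", classify(RULES, "10.1.5.5", "8.8.8.8", 6, 22))
```

The conflict check is quadratic in the number of rules, which is exactly the cost that tree-based space partitioning aims to cut for large policies; the example keeps the brute-force form so the range logic stays visible.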
Keywords/Search Tags: Firewall Rule Set, Packet classification, Rule conflict detection, spatial partition, bit vector