基于IXP2400千兆防火墙包分类算法的设计与实现*

针对千兆网下包过滤防火墙,提出了HSBIPG(Hash Search Based on IP Group)包分类算法,并分析了算法的优缺点,基于该算法用IXP2400实现了线速千兆包过滤防火墙,通过实验证明了此算法是可行和高效的。     

防火墙过滤规则动态生成方案设计

基于主机的包过滤防火墙只能提供单一层面的、静态的网络安全防护。为此,设计一个可动态生成防火墙过滤规则的方案。利用专家知识检测网络层数据包的攻击行为和运行中应用程序的攻击行为,通过专家系统推理,实现防火墙过滤规则的动态生成。基于 Windows系统的实验结果证明,该防火墙系统能检测出多种攻击行为,并及时生成防火墙的过滤规则。     

基于IPv6的硬件防火墙技术初探

本文在分析了Intel IXA架构及网络处理器IXP2400的基础上,构建了一套可用于IPv6网络环境下的硬件防火墙系统。基于IXP2400处理器的硬件防火墙不仅能进行2、3层过滤转发,也能对数据包内容进行更深层检查和处理。     

基于IPv6的硬件防火墙技术初探

本文在分析了Intel IXA架构及网络处理器IXP2400的基础上,构建了一套可用于IPv6网络环境下的硬件防火墙系统。基于IXP2400处理器的硬件防火墙不仅能进行2、3层过滤转发,也能对数据包内容进行更深层检查和处理。     

基于Intel XSeale IXP425处理器的嵌入式IPv6防火墙设计与实现

为解决防火墙对IPv6协议的兼容及对内部网络之间安全的保障问题。本文设计实现了基于Intel Xscale IXP425处理器的嵌入式IPv6防火墙。该防火墙能通过WEB实现远程管理．对IPv6网络包和IPv4网络包均可进行良好的过滤。防火墙能够判断出网络包的协议类型,分别加以处理,实行动态包过滤,并可以解决IPv6分片攻击问题。通过实际设定过滤规则,对防火墙在IPv6和IPv4下的工作情况进行测试,验证了防火墙的准确性和高效性。     

基于Intel XScale IXP425处理器的嵌入式IPv6防火墙设计与实现

为解决防火墙对IPv6协议的兼容及对内部网络之间安全的保障问题。本文设计实现了基于Intel Xscale IXP425处理器的嵌入式IPv6防火墙。该防火墙能通过WEB实现远程管理．对IPv6网络包和IPv4网络包均可进行良好的过滤。防火墙能够判断出网络包的协议类型,分别加以处理,实行动态包过滤,并可以解决IPv6分片攻击问题。通过实际设定过滤规则,对防火墙在IPv6和IPv4下的工作情况进行测试,验证了防火墙的准确性和高效性。     

基于网络处理器防火墙的设计与实现

本文介绍了一种基于IXP2400网络处理器的防火墙设计方案。首先介绍了基于IXP2400网络处理器防火墙的工作原理;然后提出一种三层转发的安全转发模式防火墙的体系结构设计和具体的实现方案,设计中,引进多级处理设备和多线程的实现技术,保证整个系统的稳定性、各实现层次的独立性和安全性。     

基于IXP 2400的防火墙系统的设计与实现

针对传统防火墙在性能和灵活性需求上难以兼顾的问题,设计并实现了一个基于Intel IXP 2400的防火墙系统,在给出系统整体设计方案的基础上,对该系统的路由转发、包过滤、网络地址转换、虚拟专用网等模块给出了详细设计方案,并对其中涉及的算法做了具体描述.经测试证明该防火墙系统具备线速处理能力.     

基于IXP2800和VxWorks的嵌入式病毒防火墙实现*

针对隐蔽在网络流量中的攻击,提出了基于Intel IXP2800网络处理器和VxWorks的嵌入式病毒防火墙(embedded anti-virus firewall)实现方案。该方案将硬件包过滤技术与应用层病毒实时防护相结合,底层数据包的实时响应、过滤转发等处理均由IXP2800的微引擎完成,而使XSCALE主处理器更专注于高层协议的病毒扫描过滤。实验数据表明,这种实现方案运行稳定,具有良好的性能指标。     

防火墙中规则的翻译及检测方法的研究

iptables的Web配置系统，虽然使防火墙的规则输入变得非常容易操作，避免了输入规则的语法错误，而同时又保持了iptables的强大功能，但没有考虑规则之间的联系。在以往的防火墙规则输入过程中，规则都由用户判定其语义是否正确，规则之间是否矛盾，是否有无用的规则。但因规则的语义是与其在规则表中的位置相关的，因此，当规则较多时，很容易出错。因此文中针对基于Linux防火墙的包过滤系统，提出了如何对包过滤规则进行翻译和正确性检测。     

基于Windows200x的WDM体系的IP过滤实现技术

基于内容的IP包过滤技术涉及到操作系统的内核态技术.通过对比用户态及内核态的特征,分析了Windows内核态的网络编程接口,采用了WDM的驱动程序模式体系及NDIS的层次架构.遵循IRP(I/O request packet)规范,实现了具有Miniport和Protocol层的中间驱动程序,并透明钩挂,截取、分析IP包.具体给出了Windows 200X系统中实现IP包过滤的鳊程技术方案.     

Optimal full-Order filtering for discrete-time systems with random measurement delays and multiple packet dropouts

This paper is concerned with the estimation problem for discrete-time stochastic linear systems with possible single unit delay and multiple packet dropouts. Based on a proposed uncertain model in data transmission, an optimal full-order filter for the state of the system is presented, which is shown to be of the form of employing the received outputs at the current and last time instants. The solution to the optimal filter is given in terms of a Riccati difference equation governed by two binary random variables. The optimal filter is reduced to the standard Kalman filter when there are no random delays and packet dropouts. The steady-state filter is also investigated. A sufficient condition for the existence of the steady-state filter is given. The asymptotic stability of the optimal filter is analyzed.     

基于数据包过滤和透明代理相结合的防网络攻击

提出基于Linux平台用数据包过滤与透明代理相结合防网络攻击的解决方案,对其中的关键技术进行了探讨,提出了一种完整的技术路线。给出一个三级防御模型,在网络层通过数据包过滤模块对IP欺骗进行过滤,在电路网关一级内网主机与外网主机通过透明连接,在应用网关级一级控制和监测外网提供的服务。包过滤模块通过Linux内核的Netfilter模块实现,电路级网关模块通过透明代理实现,应用级网关模块通过面向对象、事件驱动和模块化的代理应用程序实现,通过脚本语言易于制定代理策略,全面分析复杂的协议。     

防火墙包过滤技术发展研究*

防火墙技术主要分为包过滤和应用代理两类。从数据包结构出发,分析包过滤技术,首先提出包过滤技术的核心问题;然后在分析传统包过滤技术缺陷的基础上,详细论述了包过滤技术的两种发展趋势;最后以技术实例说明了这两种趋势的融合。     

Windows平台通用个人防火墙的分析与设计

定义个人防火墙系统应具备的主要功能,其核心技术是网络数据包的过滤。给出Windows系统网络协议分层体系结构,在对OSI参考模型和Windows网络体系结构对比分析的基础上给出实现包过滤的不同技术路线。对各技术路线进行评估,选择SPI作为实现方案,给出使用SPI进行包过滤的技术要点,个人防火墙系统的运行表明其具有较快的包过滤处理性能。     

基于Linux系统的数据包截获技术研究

网络数据包截获技术是指利用计算机技术截获网络上的数据包,然后根据数据包头部的源主机地址、目标主机地址、服务协议端口等字段特性过滤掉不关心的数据,再将用户感兴趣的数据发送给更高层的应用程序进行分析.文章探讨了基于Linux系统下数据包截获技术.     

一种基于嵌入式协议栈的内容过滤防火墙技术

针对传统包过滤防火墙解决不了的基于内容的网络攻击,而可以完成内容过滤的应用层代理型的防火墙又效率低下的问题,文章提出了一种基于嵌入式协议栈的内容过滤防火墙方案,通过在包过滤防火墙结构中增加嵌入式协议栈模块完成内容过滤,提高了内容过滤的效率。     

An IP Traceback Protocol using a Compressed Hash Table,a Sinkhole Router and Data Mining based on Network Forensics against Network Attacks

The Source Path Isolation Engine (SPIE) is based on a bloom filter. The SPIE is designed to improve the memory efficiency by storing in a bloom filter the information on packets that are passing through routers, but the bloom filter must be initialized periodically because of its limited memory. Thus, there is a problem that the SPIE cannot trace back the attack packets that passed through the routers earlier. To address this problem, this paper proposes an IP Traceback Protocol (ITP) that uses a Compressed Hash Table, a Sinkhole Router and Data Mining based on network forensics against network attacks. The ITP embeds in routers the Compressed Hash Table Module (CHTM), which compresses the contents of a Hash Table and also stores the result in a database. This protocol can trace an attack back not only in real time using a hash table but also periodically using a Compressed Hash Table (CHT). Moreover, the ITP detects a replay attack by attaching time-stamps to the messages and verifies its integrity by hashing it. This protocol also strengthens the attack packet filtering function of routers for the System Manager to update the attack list in the routers periodically and improves the Attack Detection Rate using the association rule among the attack packets with an Apriori algorithm.     

Robust nonlinear filter for nonlinear systems with multiplicative noise uncertainties,unknown external disturbances,and packet dropouts

This study is concerned with the robust nonlinear filtering problem for nonlinear discrete‐time stochastic system with multiplicative noise uncertainties, unknown external disturbances, and packet dropouts. The focus of this paper is to design a filter with predictor–corrector structure such that the upper bound on the state estimation error variance is minimized in the presence of multiplicative noise, unknown external disturbances, and packet dropouts. Thus, a robust nonlinear filter based on the method to obtain the upper bound on variances of multiplicative noises, unknown disturbances, and packet dropouts is designed. Further stability analysis shows that the proposed filter has robustness against multiplicative noises, unknown external disturbances, and packet dropouts. Simulation results show that the proposed filter is more effective than extended Kalman filter and other robust extended Kalman filter. Copyright © 2017 John Wiley & Sons, Ltd.     

Optimal linear estimation for systems with multiple packet dropouts

This paper is concerned with the optimal linear estimation problem for linear discrete-time stochastic systems with multiple packet dropouts. Based on a packet dropout model, the optimal linear estimators including filter, predictor and smoother are developed via an innovation analysis approach. The estimators are computed recursively in terms of the solution of a Riccati difference equation of dimension equal to the order of the system state plus that of the measurement output. The steady-state estimators are also investigated. A sufficient condition for the convergence of the optimal linear estimators is given. Simulation results show the effectiveness of the proposed optimal linear estimators.