一种分布式防火墙过滤策略的异常检测模型

分布式防火墙的安全性很大程度上取决于过滤策略正确配置。过滤策略的异常可能导致分布式防火墙系统所保护的网络出现严重的访问漏洞。为了能够自动化地检测分布式防火墙过滤策略存在的异常,对分布式防火墙系统中各过滤节点上的过滤规则之间可能出现的异常进行分类,并建立了一个过滤策略异常检测的模型。该模型能够检测出分布式防火墙过滤规则之间的冗余、冲突、不完整等各种异常,从而保证了分布式防火墙过滤策略的完整性和一致性。     

包过滤防火墙相关规则的排序及向无关规则的转化

提出了防火墙规则排序的算法 .防火墙进行包过滤时 ,规则集中的规则是顺序匹配的 ,这样防火墙过滤效率不高 .为了应用快速的非顺序的规则匹配算法 ,则必须将相关的防火墙规则转化为无关的规则 ,本文为此提出了防火墙相关规则向无关规则的转化算法 .两个算法实现之后的应用效果明显     

防火墙规则配置错误快速检测算法

在防火墙的规则配置中潜伏着一些问题：安全管理员可能在最初配置规则表的时候,出现一些错误;随着规则表中规则数目的增长,不同的规则之间发生冲突的可能性也相应增加。该文对防火墙规则配置过程中可能出现的错误进行了分析,介绍了防火墙规则配置错误的几种常见类型,给出了发现错误的算法,并根据防火墙规则表的特点对算法进行了改进,提高了规则配置错误的检测效率。     

基于防火墙规则匹配优化算法的研究

随着网络功能和应用程序的增加,过滤规则集日益庞大,这严重影响了网络的性能。该文提出了一种基于规则匹配的防火墙优化方法。该方法对通过防火墙匹配的数据包进行权重计算相关规则排序,从而减少规则匹配时间。仿真结果显示,该方法有效地改善了防火墙的性能。     

增强型包过滤防火墙规则的形式化及推理机的设计与实现

防火墙是一种重要的网络安全技术,对防火墙的核心技术--规则和推理机进行了研究,提出了增强型包过滤防火墙的规则形式化定义、推理机的抽象模型和推理算法,据此,设计和实现了相应的推理机,同时给出了防火墙的设计实例,以此做为对上述工作的验证。最后,总结了该防火墙的优点,并提出了进一步的研究目标。     

基于规则的防火墙匹配算法研究

传统防火墙包过滤过程是通过数据包与过滤规则顺序匹配,直到有一条规则匹配后即可停止。当过滤规则日益增多时,防火墙的吞吐量也不断下降,严重影响了网络的性能。该文提出并设计了快速的规则匹配算法,改变了以往的顺序匹配,极大地提高了防火墙的吞吐量和性能。     

基于哈夫曼树的防火墙规则动态优化的研究

随着网络功能的不断增加,防火墙过滤规则集合日益庞大,已严重影响了网络整体性能。本文基于网络流量的特征,提出一种根据网络流量变化动态调整防火墙规则的防火墙规则优化方法,使得匹配网络数据包越多的规则越先与数据包相匹配,从而尽量减少数据包过滤时间。     

防火墙过滤规则异常的研究

对防火墙过滤规则之间的联系和可能存在的异常作了深入的研究,给出了一种能自动发现防火墙规则异常的技术和标准,便于规则的管理和维护,也消除了因管理员错误配置规则而造成的安全隐患。     

基于Linux高校网络防火墙的设计

在众多网络安全技术中,防火墙技术是常用的一种.本文首先分析了网络安全和防火墙的基本概念,然后设计了一种以太网综合型主机防火墙.该防火墙使用了包过滤技术,但是在传统的包过滤技术上作了较大的改进,在包过滤的规则中加入了关键字过滤规则以及基于对TCP连接状态进行监测的动态过滤规则.在该防火墙中还集成了入侵检测模块,使得防火墙能够对网络中的异常情况作出响应,提高了系统的安全性.本文中还在Linux操作系统下将该防火墙进行了实现,并对其     

基于信息增益的防火墙过滤域排序优化

传统的防火墙从检测规则冲突和调整规则排序两方面来提高防火墙性能,但效果都不是很理想。本文从优化防火墙过滤域排序这样的一个新角度,依据信息增益理论构造决策树,然后根据决策树层次与防火墙过滤域排序的对应关系,确定了过滤域的最优排序。实验表明,这个最优排序确实能够显著地降低数据包与防火墙规则的元组比较的总次数,从而提高防火墙的过滤效率。     

基于智能防火墙的网络安全设计

本文分析了传统防火墙所存在的缺点,讨论了网络层与应用层信息在防火墙安全策略制定过程中综合应用的方法。研究了防火墙过滤规则自动产生与配置的途径,提出了一种基于智能防火墙网络安全的模型和实现方法。     

基于默认规则的防火墙优化方法

提出一种基于默认规则的防火墙优化方法,根据规则的匹配概率及防火墙日志,从默认规则中分离出简单规则,分析这些规则与原规则的关系,并合并成新的规则。评价规则对防火墙性能的影响,并选择性地加入防火墙规则库,实现防火墙线性匹配优化。实验结果表明,该方法在一般情况下能有效降低规则的平均匹配次数,提高防火墙性能。     

基于Linux的网络入侵防御系统的研究和设计

基于特征的入侵防御系统是目前的入侵防御技术的主流。分析研究Snort入侵检测系统和Netfilter防火墙的工作原理,对如何保障自身安全以及联动的方式进行探讨,利用插件技术、多线程技术设计编写相关协同模块,提出一种基于Snort和Netfilter的分布式入侵防御系统;针对Netfilter防火墙规则集的顺序敏感性的工作特点,对其规则的编写进行具体优化,提高系统工作效率。经过测试证明,该系统灵活高效,能够利用入侵检测系统的检测能力,动态地为防火墙定制过滤规则,阻断攻击源,从而达到入侵防御的目的。     

Application of evolutionary algorithm in performance optimization of embedded network firewall

With the development of the network, the problem of network security is becoming increasingly serious. The importance of a firewall as the "first portal" to network security is obvious. In order to cope with a complex network environment, the firewall must formulate a large number of targeted rules to help it implement network security policies. Based on the characteristics of the cloud environment, this paper makes in-depth research on network security protection technology, and studies the network firewall system. The system implements unified configuration of firewall policy rules on the cloud management end and delivers them to the physical server where the virtual machine is located. Aiming at the characteristics of virtual machines sharing network resources through kernel bridges, a network threat model for virtual machines in a cloud environment is proposed. Through analysis of network security threats, a packet filtering firewall scheme based on kernel bridges is determined. Various conflict relationships between rules are defined, and a conflict detection algorithm is designed. Based on this, a rule order adjustment algorithm that does not destroy the original semantics of the rule table is proposed. Starting from the matching probability of the rules, simple rules are separated from the default rules according to the firewall logs, the relationships between these rules and the original rules are analyzed, and the rules are merged into new rules to evaluate the impact of these rules on the performance of the firewall. New rules are added to the firewall rule base to achieve linear firewall optimization. It can be seen from the experimental results that the optimization strategy proposed in this paper can effectively reduce the average number of matching rules and improve the performance of the firewall.     

Improving cloud network security using the Tree-Rule firewall

This study proposes a new model of firewall called the ‘Tree-Rule Firewall’, which offers various benefits and is applicable for large networks such as ‘cloud’ networks. The recently available firewalls (i.e., Listed-Rule firewalls) have their limitations in performing the tasks and are inapplicable for working on some networks with huge firewall rule sizes. The Listed-Rule firewall is mathematically tested in this paper to prove that the firewall potentially causes conflict rules and redundant rules and hence leads to problematic network security systems and slow functional speed. To overcome these problems, we show the design and development of Tree-Rule firewall that does not create conflict rules and redundant rules. In a Tree-Rule firewall, the rule positioning is based on a tree structure instead of traditional rule listing. To manage firewall rules, we implement a Tree-Rule firewall on the Linux platform and test it on a regular network and under a cloud environment respectively to show its performance. It is demonstrated that the Tree-Rule firewall offers better network security and functional speed than the Listed-Rule firewall. Compared to the Listed-Rule firewall, rules of the Tree-Rule firewall are easier to be created, especially on a large network such as a cloud network.     

Structured firewall design

A firewall is a security guard placed at the point of entry between a private network and the outside Internet such that all incoming and outgoing packets have to pass through it. The function of a firewall is to examine every incoming or outgoing packet and decide whether to accept or discard it. This function is conventionally specified by a sequence of rules, where rules often conflict. To resolve conflicts, the decision for each packet is the decision of the first rule that the packet matches. The current practice of designing a firewall directly as a sequence of rules suffers from three types of major problems: (1) the consistency problem, which means that it is difficult to order the rules correctly; (2) the completeness problem, which means that it is difficult to ensure thorough consideration for all types of traffic; (3) the compactness problem, which means that it is difficult to keep the number of rules small (because some rules may be redundant and some rules may be combined into one rule).To achieve consistency, completeness, and compactness, we propose a new method called structured firewall design, which consists of two steps. First, one designs a firewall using a firewall decision diagram instead of a sequence of often conflicting rules. Second, a program converts the firewall decision diagram into a compact, yet functionally equivalent, sequence of rules. This method addresses the consistency problem because a firewall decision diagram is conflict-free. It addresses the completeness problem because the syntactic requirements of a firewall decision diagram force the designer to consider all types of traffic. It also addresses the compactness problem because in the second step we use two algorithms (namely FDD reduction and FDD marking) to combine rules together, and one algorithm (namely firewall compaction) to remove redundant rules. Moreover, the techniques and algorithms presented in this paper are extensible to other rule-based systems such as IPsec rules.     

防火墙规则间包含关系的解析方法

针对防火墙规则集中规则间的相互关系难以把握,从而导致防火墙无法正确地过滤数据包的问题,提出了一种基于集合理论的规则间包含关系的解析方法.该方法在不考虑规则动作的情况下,基于集合理论的包含关系来解析和分类规则之间的关系,简化了分析规则间相互关系的过程.并且使用高效的函数式编程语言Haskell实现了所提出的方法,整体代码简洁、易于维护和扩展.实验结果表明,对于中小规模的防火墙规则集,能够快速而有效地解析规则间的包含关系,并且能够为后续的规则间的异常检测提供重要的依据.     

防火墙过滤规则动态生成方案设计

基于主机的包过滤防火墙只能提供单一层面的、静态的网络安全防护。为此,设计一个可动态生成防火墙过滤规则的方案。利用专家知识检测网络层数据包的攻击行为和运行中应用程序的攻击行为,通过专家系统推理,实现防火墙过滤规则的动态生成。基于 Windows系统的实验结果证明,该防火墙系统能检测出多种攻击行为,并及时生成防火墙的过滤规则。     

防火墙中规则的翻译及检测方法的研究

iptables的Web配置系统,虽然使防火墙的规则输入变得非常容易操作,避免了输入规则的语法错误,而同时又保持了iptables的强大功能,但没有考虑规则之间的联系。在以往的防火墙规则输入过程中,规则都由用户判定其语义是否正确,规则之间是否矛盾,是否有无用的规则。但因规则的语义是与其在规则表中的位置相关的,因此,当规则较多时,很容易出错。因此文中针对基于Linux防火墙的包过滤系统,提出了如何对包过滤规则进行翻译和正确性检测。     

基于改进策略树的防火墙策略审计方案设计与实现

防火墙在当今网络中起着不可或缺的作用,防火墙规则配置的合理与否直接关系到网络环境的安全.随着网络规模日益增大,防火墙配置也日趋复杂,为了更好的发挥防火墙的防护性能,防火墙策略审计应需而生.文章首先对防火墙规则之间的关系进行了详细研究,总结并分析了一些常见的规则异常种类,并对现有的策略审计方案进行了综述研究.其次,论述了防火墙策略审计系统整体的工作流程,层次化的分析了系统总体架构设计,对防火墙策略审计系统的配置规则审计模块进行了重点研究论述.再次,论述了传统的策略判定树审计方案,详细阐述了该方案的实现流程,分析并指出了该方案的优点以及所存在的不足.接下来提出一种以树形结构为基础改进后的策略审计方案,详细论述了该方案的审计流程并实现了改进的审计方案.最后结合该实现展示了系统的图形化报表以及详细审计结果,对改进后审计方案的审计结果与传统策略树进行了对比分析验证.