| 在IP包过滤中状态TCP包的过滤研究与设计 |
| |
| 引用本文: | 原箐,卿斯汉. 在IP包过滤中状态TCP包的过滤研究与设计[J]. 计算机工程与应用, 2002, 38(7): 162-164,176 |
| |
| 作者姓名: | 原箐 卿斯汉 |
| |
| 作者单位: | 中国科学院信息安全技术工程研究中心,北京,100080 |
| |
| 摘 要: | IP包过滤防火墙是构造整体网络安全系统的必不可少的部分。传统的IP包过滤防火墙有许多的缺陷,解决方法之一是使防火墙具有状态过滤能力。以TCP为例,状态过滤机制不仅能根据ACK标志和源、目的地址及端口号进行过滤,还能根据TCP包里的序列号和窗口大小来决定对该包的操作。这样可以防止一些利用TCP滑动窗口机制的攻击。在IP包过滤里加入状态过滤机制不仅能阻止更多的恶意包通过,还能提高IP包过滤的过滤速率(这对防火墙来说是很重要的)。
|
| 关 键 词: | IP包过滤 状态过滤 序列号 滑动窗口 |
| 文章编号: | 1002-8331-(2002)07-0162-03 |
Research and Design of Stateful TCP Packet Filter in IP Filter |
| |
| Yuan Qing Qing Sihan. Research and Design of Stateful TCP Packet Filter in IP Filter[J]. Computer Engineering and Applications, 2002, 38(7): 162-164,176 |
| |
| Authors: | Yuan Qing Qing Sihan |
| |
| Abstract: | Packet filtering firewall is necessary to the integral security system.The conventional packet filtering firewall has many drawbacks.One of the solutions is stateful packet filtering.In the case of TCP,the state engine not only inspects the presence of ACK flags,or looks at source and destination address and ports,but also includes sequence number and window sizes in its decision to pass or block packets.This reduces the opportunity for malicious packets to be passed through the packet filter.So the stateful packet filter not only reduecs the opportunity of malicious packets being passed through,but also improves the speed of packets filtering. |
| |
| Keywords: | IP packet filter state packet filter sequence number slip-window |
| 本文献已被 CNKI 维普 万方数据 等数据库收录! |
