
Design and Implementation of a Network Application Identification and Control System Based on Next-Generation Firewall Technology

Published: 2018-10-25 06:10
[Abstract]: With the development of information technology, the spread of enterprise informatization and the optimization of e-government, enterprises and public institutions have entered the Internet era and make full use of information, computer and network technology to raise their productivity and working efficiency. This has also brought problems such as degraded network performance, low network utilization and widespread network viruses. For enterprises and institutions, identifying and controlling network applications is critical both to improving management and to keeping their information systems running normally and efficiently.

Application identification and control systems typified by the traditional firewall perform security inspection on the packet five-tuple. This approach, which relies only on IP addresses and ports, has long been unable to identify the specific application type, and is even less able to identify and control individual functions within the same application at fine granularity, so it no longer meets current network management and security protection needs. This thesis focuses on the key technologies of the next-generation firewall, with emphasis on DPI and network application identification and control, two core technologies that play an important role in the next-generation firewall. The network application identification and control system serves as the implementation platform for DPI-based application identification: it can accurately identify the various application protocols on the network and apply fine-grained control to the corresponding protocols, and it can be extended with additional modules.

This project aims to give enterprise users an effective technical means of controlling employee Internet use so as to ensure network security, and actively explores the balance point between system security and ease of use. It studies the current state and development trends of firewall technology and network access control, compares common firewall products on the market, proposes the design goals and functional requirements of the "network application identification and control system based on next-generation firewall technology", designs the overall architecture and workflow of the system, and briefly introduces the key technologies of system development and the conditions for implementing the scheme. Specifically, the main work completed in this thesis is as follows:

1. Analyze and compare the key technologies of traditional firewalls and the challenges they face, and point out the new features and key technologies a next-generation firewall must have.
2. Based on the characteristics of the next-generation firewall, propose a scheme that uses DPI technology to identify network applications and control them at fine granularity.
3. Study and design the system architecture for application identification and control. The system can accurately identify network applications and define control policies for different applications.
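[Degree-granting institution]: University of Chinese Academy of Sciences (School of Engineering Management and Information Technology)
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08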


Article ID: 2292839


Article link: http://www.sikaile.net/guanlilunwen/ydhl/2292839.html

