
Research And Implementation Of Firewall With VPN Functions

Posted on: 2006-09-10
Degree: Master
Type: Thesis
Country: China
Candidate: H Zhang
Full Text: PDF
GTID: 2168360155972630
Subject: Computer system architecture

Abstract/Summary:
The security of a computer network can be divided into two kinds of problems: (1) how to keep messages sent over the network private, and prevent them from being stolen, tampered with or forged; (2) how to limit a user's (or program's) access permissions on the network. At present, the best solution to the first problem is VPN technology, and the best solution to the second is firewall technology. A firewall considers how to prevent unauthorized traffic from entering or leaving the private network, but does not consider the security of that traffic after it has left. A VPN uses tunneling, encryption, identity authentication and related techniques to construct a private network on top of the public network; in a VPN, data crosses the public network through an "encrypted tunnel", so the VPN ensures that traffic remains safe after it leaves the private network. Both VPN and firewall are security technologies and share some of the same functions, so integrating VPN functions and firewall functions in a single device has become a trend.

The firewall's working mechanism, its filtering technology and the VPN's IPSEC protocol are the main research content of this paper. Following the development trend of firewalls and VPNs, and addressing the firewall's weak point that it cannot protect network traffic in transit, an improved firewall mechanism combined with VPN is proposed in this paper. The characteristics of the improved mechanism are as follows:

(1) Using HOOK technology at the driver level to capture data packets. This is an effective combination of "actions" on the network layer. Based on existing VPN and firewall technology, the structure of the IP packet is reconstructed by borrowing the idea of packet-structure transformation from VPN, improved encryption is adopted, and, combined with the firewall's filtering on the network layer, the firewall's encryption and authentication mechanisms are studied and partly implemented. Because the users of the firewall are ordinary users, the ESP transport mode of VPN is adopted.

(2) Connecting the firewall's filtering rules with the VPN security associations through a security mechanism database. This is the combination of "thinking". The firewall studied in this paper adopts the idea of stateful connection tracking and constructs its own filtering rule mechanism database, which ensures its own security and can also be linked with the SPD and SAD databases. Therefore, packets accessing the host can receive high-quality encryption and authentication service.

The firewall with the improved mechanism can not only protect the computer from attack by illegal users but also ensure that data is transferred safely. The improved firewall abandons some of the sophisticated management mechanisms that suit large gateways and focuses on two main functions of VPN, authentication and encryption, which makes the firewall proposed in this paper easy to use. Because a firewall cannot protect data transferred on the network, this paper improves the firewall by adopting the encryption and authentication used in VPN, which enables the firewall, a kind of network security equipment, to possess more security functions.
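The abstract describes a host firewall whose stateful filter rules are linked to the IPsec SPD and SAD so that traffic to a protected peer is wrapped in ESP transport mode before it leaves the host, and inbound traffic is authenticated and decrypted before the filter sees it. The following is an added toy model of that linkage, written for this page; it is not the thesis's code. The peer addresses, ports, SPIs and keys are constructed sample values, and the "ESP" here is a deliberately simplified stand-in (HMAC-SHA256 keystream for confidentiality, truncated HMAC for the ICV, a sequence counter instead of a real replay window, no real IPsec wire format).

```python
"""Toy model: stateful filter + SPD/SAD lookup + simplified ESP transport mode.
Constructed example for illustration; NOT real IPsec and NOT the thesis code."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "esp"
    sport: int
    dport: int
    payload: bytes

class StatefulFilter:
    """Firewall rule database with connection tracking (the abstract's
    'filtration rule mechanism database'). Rules: (direction, dst_port|'any', action)."""
    def __init__(self, rules: List[Tuple[str, object, str]]):
        self.rules = rules
        self.state: set = set()                     # 5-tuples of accepted flows

    def check(self, pkt: Packet, direction: str) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "ACCEPT"                         # belongs to a tracked connection
        for rule_dir, port, action in self.rules:
            if rule_dir == direction and port in ("any", pkt.dport):
                if action == "ACCEPT":
                    self.state.add(fwd)             # remember the new flow
                return action
        return "DROP"                               # default deny

@dataclass
class SecurityAssociation:                          # one SAD entry (hypothetical layout)
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                                    # outbound sequence counter
    last_seen: int = 0                              # highest inbound seq accepted

ESP_HDR = struct.Struct("!II")                      # SPI, sequence number
INNER = struct.Struct("!BHH")                       # next-proto, sport, dport (transport mode keeps them inside ESP)
ICV_LEN = 12
PROTO = {"tcp": 6, "udp": 17}
PROTO_REV = {v: k for k, v in PROTO.items()}

def _keystream(sa: SecurityAssociation, seq: int, n: int) -> bytes:
    # Stand-in cipher: PRF(key, spi||seq||block) used as a CTR-style keystream.
    blocks = [hmac.new(sa.enc_key, struct.pack("!III", sa.spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def esp_encapsulate(sa: SecurityAssociation, pkt: Packet) -> Packet:
    sa.seq += 1
    inner = INNER.pack(PROTO[pkt.proto], pkt.sport, pkt.dport) + pkt.payload
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(sa, sa.seq, len(inner))))
    hdr = ESP_HDR.pack(sa.spi, sa.seq)
    icv = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return Packet(pkt.src, pkt.dst, "esp", 0, 0, hdr + ct + icv)   # IP header kept, payload protected

def esp_decapsulate(sad: Dict[int, SecurityAssociation], wire: Packet) -> Optional[Packet]:
    if len(wire.payload) < ESP_HDR.size + INNER.size + ICV_LEN:
        return None
    spi, seq = ESP_HDR.unpack_from(wire.payload)
    sa = sad.get(spi)
    if sa is None or seq <= sa.last_seen:
        return None                                 # unknown SA or replayed packet
    hdr, ct, icv = wire.payload[:ESP_HDR.size], wire.payload[ESP_HDR.size:-ICV_LEN], wire.payload[-ICV_LEN:]
    expect = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        return None                                 # authentication failed: drop before decrypting
    sa.last_seen = seq
    inner = bytes(a ^ b for a, b in zip(ct, _keystream(sa, seq, len(ct))))
    proto, sport, dport = INNER.unpack_from(inner)
    return Packet(wire.src, wire.dst, PROTO_REV[proto], sport, dport, inner[INNER.size:])

class Host:
    """Filter verdict first, then SPD action (BYPASS/DISCARD/PROTECT); PROTECT names an SAD entry."""
    def __init__(self, fw: StatefulFilter, spd: Dict[str, Tuple[str, Optional[int]]], sad: Dict[int, SecurityAssociation]):
        self.fw, self.spd, self.sad = fw, spd, sad

    def outbound(self, pkt: Packet):
        if self.fw.check(pkt, "out") != "ACCEPT":
            return "DROP", None
        action, spi = self.spd.get(pkt.dst, ("BYPASS", None))
        if action == "DISCARD":
            return "DISCARD", None
        if action == "PROTECT":
            return "PROTECT", esp_encapsulate(self.sad[spi], pkt)
        return "BYPASS", pkt

    def inbound(self, wire: Packet):
        action, _ = self.spd.get(wire.src, ("BYPASS", None))
        if wire.proto == "esp":
            pkt = esp_decapsulate(self.sad, wire)
            if pkt is None:
                return "DISCARD", None
        elif action != "BYPASS":
            return "DISCARD", None                  # policy requires ESP (or forbids the peer) but cleartext arrived
        else:
            pkt = wire
        verdict = self.fw.check(pkt, "in")          # filter runs on the decrypted packet
        return verdict, (pkt if verdict == "ACCEPT" else None)

def demo() -> dict:
    """Two hosts sharing a constructed SAD; 10.0.0.1 talks HTTP to 10.0.0.2 under PROTECT."""
    sad = {0x1001: SecurityAssociation(0x1001, b"enc-a2b", b"auth-a2b"),
           0x1002: SecurityAssociation(0x1002, b"enc-b2a", b"auth-b2a")}
    a = Host(StatefulFilter([("out", "any", "ACCEPT")]), {"10.0.0.2": ("PROTECT", 0x1001)}, sad)
    b = Host(StatefulFilter([("out", "any", "ACCEPT"), ("in", 80, "ACCEPT")]), {"10.0.0.1": ("PROTECT", 0x1002)}, sad)
    req = Packet("10.0.0.1", "10.0.0.2", "tcp", 40000, 80, b"GET / HTTP/1.0")
    out = {}
    verdict, wire = a.outbound(req)
    out["a_out"], out["wire_proto"], out["wire_hides_payload"] = verdict, wire.proto, req.payload not in wire.payload
    verdict, inner = b.inbound(wire)
    out["b_in"] = (verdict, inner.payload if inner else None)
    out["replay"] = b.inbound(wire)[0]              # same ESP packet again
    out["cleartext"] = b.inbound(req)[0]            # protected peer sending in the clear
    out["ssh"] = b.inbound(a.outbound(Packet("10.0.0.1", "10.0.0.2", "tcp", 40001, 22, b"SSH-2.0"))[1])[0]
    reply = Packet("10.0.0.2", "10.0.0.1", "tcp", 80, 40000, b"HTTP/1.0 200 OK")
    out["reply"] = a.inbound(b.outbound(reply)[1])[0]   # reply accepted via connection state
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The order of checks is the security-relevant part: the inbound ICV is verified before anything is decrypted or handed to the filter, a peer the SPD marks PROTECT is not allowed to bypass ESP by sending cleartext, and the filter's connection state is what lets the HTTP reply back in while a fresh inbound SSH attempt from the same peer is still dropped after successful decapsulation.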
Keywords/Search Tags: Virtual Private Networks, Security Policy Database, Security Association Database