| With the rapid development of computer network, attacks also become more and more sophisticated, complex. DoS/DDoS is one of the attacks which present an especially damaging type of network security threat to the network security. How to design an efficient and reliable security prevention system has been the hot topic in network security management field.In this paper, the general protection ways are presented, and furthermore emphasize that network devices and common perimeter security technologies do not by themselves provide comprehensive DoS/DDoS protection. One of the problems is that illegitimate packets are indistinguishable from legitimate packets, making detection performed by IDS difficult. The other problem is that many of these attacks use spoofed source IP addresses, make it difficult to configure network devices and traditional perimeter security technologies properly.In order to solve these problems, on the basis of completely researching on NetFlow and policy-based network management technology, a new model of policy-based security prevention system that integrating NetFlow technology is presented. According to the design of the system, different module's design and development are presented here. In this paper, security policy's definition, deployment and implementation are the major job achieved, realizing devices' auto-configuration according to the environment. This system satisfies the present requirement that includes the ability to specifically detect and defeat increasingly sophisticated, complex, and deceptive attacks.In conclusion, the implementation of prototype is provided and a simulated experiment that prevents SYN Flooding attack is done which proves its efficiency and availability. And what's more important is providing a better solution to the security management field. |
PDF Full Text Request