In recent years, network attacks have grown rapidly year by year. Attacks that target vulnerabilities in the application layer, such as worms and trojan horses, pose a serious challenge to network security, and traditional firewall technologies such as packet-filter firewalls and stateful-inspection firewalls cannot defend against them effectively. As an important part of a network security system, firewalls must improve their capabilities, and new technologies and methods must be developed to defend against attacks aimed at the application layer. Against this background, this paper proposes a new double-defence firewall framework based on a TDI filter driver and NDIS-HOOK deep packet inspection technology, and implements it in the Windows kernel. The main work of this paper is as follows:

(1) Studied the I/O mechanism of the Windows kernel. Analysed and tested how IRPs can be captured, analysed, filtered and controlled at the TDI layer and the NDIS layer of the Windows network protocol stack by attaching filter drivers.

(2) Designed and implemented the filtering and control of network IRPs at the TDI layer. Information such as IP address, port, protocol, user and process is readily available at the TDI layer, so the TDI filter driver module can enforce network access control for specific processes and users.

(3) Designed and implemented the filtering and control of network packets by deep packet inspection at the NDIS layer. Packet capture and protocol analysis are implemented with NDIS-HOOK technology. The module analyses the principles and characteristics of application-layer protocols, uses stateful inspection to track the state of packets, detects illegal requests and network attacks, and denies them in time.

(4) Tested the firewall designed and implemented in this paper systematically, including the filtering and control of network IRPs based on application and user information at the TDI layer, and the deep packet inspection and control of the HTTP protocol at the NDIS layer.

Test results show that this double-defence firewall framework, based on a TDI filter driver and NDIS-HOOK deep packet inspection technology, can perform network access control and deep packet inspection at their respective layers, and thereby improves the security of the host computer.
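As an added illustration (this is not code from the thesis), the following portable C program models the two stages described in items (2) and (3) above. Stage 1 mimics the TDI filter driver: given the process, user and destination tuple visible on a connect IRP, it evaluates a first-match access control list with default deny. Stage 2 mimics the NDIS-layer deep packet inspection module: it keeps per-connection state across TCP segments, reassembles the HTTP request line, and drops binary data on an HTTP port, oversized lines, disallowed methods, non-absolute targets and malformed version fields. The program runs in user mode; in the thesis both checks run inside Windows kernel drivers. The ACL rules, the method whitelist, the 256-byte request-line limit and the sample inputs are assumptions made for illustration.

```c
/* Added example, not the thesis's code: a user-mode model of the two-layer check.
 * Stage 1 models the TDI filter's access control on a connect request; stage 2
 * models the NDIS-layer stateful inspection of an HTTP request line. Rules,
 * limits and sample inputs are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum verdict { DPI_NEED_MORE = 0, DPI_ACCEPT = 1, DPI_DROP = 2 };

/* ---- Stage 1: TDI-style access control on the connect request ---- */
struct connect_req {               /* what the TDI filter can see on a connect IRP */
    const char *process, *user, *dst_ip;
    unsigned short dst_port;
};
struct acl_rule {                  /* NULL field or port 0 matches anything */
    const char *process, *user, *dst_ip;
    unsigned short dst_port;
    int allow;
};

static int field_match(const char *rule, const char *value) {
    return rule == NULL || strcmp(rule, value) == 0;
}

/* First matching rule decides; no match means deny. Returns 1 allow, 0 deny. */
int tdi_check(const struct connect_req *r, const struct acl_rule *rules, size_t n) {
    size_t i;
    for (i = 0; i < n; i++)
        if (field_match(rules[i].process, r->process) &&
            field_match(rules[i].user, r->user) &&
            field_match(rules[i].dst_ip, r->dst_ip) &&
            (rules[i].dst_port == 0 || rules[i].dst_port == r->dst_port))
            return rules[i].allow;
    return 0;
}

/* ---- Stage 2: NDIS-style stateful inspection of the HTTP request line ---- */
#define REQ_LINE_MAX 256           /* assumed upper bound on the request line */

struct flow_state {                /* per-connection state kept between packets; zero-initialised */
    char line[REQ_LINE_MAX + 1];
    size_t len;
    int decided;
    enum verdict result;
};

static int method_allowed(const char *line) {   /* assumed method whitelist */
    return !strncmp(line, "GET ", 4) || !strncmp(line, "HEAD ", 5) || !strncmp(line, "POST ", 5);
}

/* Validate a complete, NUL-terminated line of the form "METHOD /target HTTP/1.x". */
static enum verdict check_request_line(const char *line, size_t len) {
    const char *sp1 = memchr(line, ' ', len), *sp2;
    if (!sp1 || !method_allowed(line))
        return DPI_DROP;
    sp2 = memchr(sp1 + 1, ' ', len - (size_t)(sp1 + 1 - line));
    if (!sp2 || sp1[1] != '/')                   /* target must be an absolute path */
        return DPI_DROP;
    if ((size_t)(sp2 + 1 - line) + 8 != len ||   /* exactly "HTTP/1.<digit>" must remain */
        strncmp(sp2 + 1, "HTTP/1.", 7) != 0 || !isdigit((unsigned char)sp2[8]))
        return DPI_DROP;
    return DPI_ACCEPT;
}

/* Feed one segment's payload; once a verdict is reached it sticks for the flow. */
enum verdict dpi_feed(struct flow_state *f, const unsigned char *p, size_t n) {
    size_t i;
    if (f->decided) return f->result;
    for (i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (c == '\r') continue;                  /* CR is skipped, LF ends the line */
        if (c == '\n') {
            f->line[f->len] = '\0';
            f->result = check_request_line(f->line, f->len);
            f->decided = 1;
            return f->result;
        }
        if (c < 0x20 || c > 0x7e || f->len == REQ_LINE_MAX) {
            f->result = DPI_DROP;                 /* binary data on an HTTP port, or oversized line */
            f->decided = 1;
            return f->result;
        }
        f->line[f->len++] = (char)c;
    }
    return DPI_NEED_MORE;
}

/* Run a whole flow from its segments given as C strings (constructed samples). */
enum verdict inspect_segments(const char *const segs[], size_t count) {
    struct flow_state f = { {0}, 0, 0, DPI_NEED_MORE };
    enum verdict v = DPI_NEED_MORE;
    size_t i;
    for (i = 0; i < count && v == DPI_NEED_MORE; i++)
        v = dpi_feed(&f, (const unsigned char *)segs[i], strlen(segs[i]));
    return v;
}
```

To exercise it, build a rule table such as a deny-all rule for the user "guest" followed by an allow rule for "browser.exe" on port 80, call `tdi_check` with a `connect_req`, and feed the TCP payload of the connection to `inspect_segments` (or `dpi_feed` segment by segment). Because the verdict is stored in `flow_state`, a request line split across two segments is judged only when its line terminator arrives, while a TLS ClientHello sent to port 80 (first byte 0x16) is dropped on the first segment without waiting for a terminator. The same structure is what a kernel implementation needs: the state lives per connection, and the decision at the TDI layer is taken before any payload exists, so the two checks cover different attacks.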