Facing more and more attacks on application layer data and DoS (Denial of Service) attacks, firewalls encounter two main problems. The first is how to make firewall software more portable and platform independent while still protecting application layer data. The other is how to strengthen their defensive ability without compromising their performance.

This dissertation proposes a prototype firewall named FireNet, which has a portable and platform independent architecture. Furthermore, FireNet can protect itself and the trusted network from the foregoing attacks. FireNet runs in the Linux kernel and leads to the following conclusions.

FireNet is based on the theories of firewalls and virtual machines. The author introduces virtual machine technology into the design of FireNet's packet filter. The most important component of FireNet is the new packet filter engine (NPFE), which has a virtual processor as its core. A programming technique is also introduced: FireNet provides a packet filter programming language named FireTiger and a corresponding compiler, which optimizes NPFE's object code based on global data flow analysis. In this approach, a new kind of firewall application, built from packet filter programs, is presented.

Furthermore, the author explores the elements of deep packet inspection and its typical representative, the stream filter. Through close analysis of the essence of the TCP handshake procedure and the main points of stream filtering, a stream filter independent of the application protocol is proposed, whose main code for FireNet is presented in detail in this dissertation.

Also, a lightweight TCP interceptor against DoS attacks based on SYN flooding is introduced. Moreover, to defend against DoS attacks that exploit the time complexity of hash table search, a solution founded on the universal hash algorithm is proposed; it embodies a new idea of making the hash function parametric, structured and randomized.
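The last paragraph's idea of a parametric, randomized hash for the connection table is illustrated by the following added example (my own code, not FireNet's or the dissertation's). It places a fixed XOR bucket hash beside a Carter-Wegman style multilinear universal hash whose parameters are drawn per table, and measures the longest chain each produces on a set of flow keys constructed to share one bucket under the fixed hash; the prime P, the 5-tuple packing, the xorshift seeding and the fixed demo seed are all assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#define NBUCKETS 1024u
#define NWORDS   4u                        /* 5-tuple packed into four 32-bit words */
static const uint64_t P = 4294967311ull;   /* smallest prime above 2^32 */
typedef struct { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; } flow_key;  /* table key */
static void pack(const flow_key *k, uint32_t w[NWORDS]) {
    w[0] = k->saddr; w[1] = k->daddr;
    w[2] = ((uint32_t)k->sport << 16) | k->dport; w[3] = k->proto;
}
/* Fixed hash: one publicly known function, so keys sharing a bucket can be
 * chosen in advance and turn O(1) lookups into O(n) chain walks. */
static uint32_t fixed_hash(const flow_key *k) {
    uint32_t w[NWORDS]; pack(k, w);
    return (w[0] ^ w[1] ^ w[2] ^ w[3]) % NBUCKETS;
}
/* Universal multilinear family (Carter-Wegman style): h(x) = (b + sum a_i*x_i) mod p.
 * The structure is public; the parameters a_i and b are drawn at random per table. */
typedef struct { uint64_t a[NWORDS], b; } uhash_params;
static uint64_t xorshift64(uint64_t *s) {  /* demo-only parameter derivation, seed != 0 */
    *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17; return *s;
}
/* A kernel deployment would draw the seed from get_random_bytes(); a caller-
 * supplied seed is used here only to keep the demonstration reproducible. */
static uhash_params uhash_init(uint64_t seed) {
    uhash_params p;
    for (unsigned i = 0; i < NWORDS; i++) p.a[i] = xorshift64(&seed) & 0xffffffffu;
    p.b = xorshift64(&seed) % P;
    return p;
}
static uint32_t universal_hash(const uhash_params *p, const flow_key *k) {
    uint32_t w[NWORDS]; pack(k, w);
    uint64_t h = p->b;            /* a_i, w_i < 2^32 and h < p, so no 64-bit overflow */
    for (unsigned i = 0; i < NWORDS; i++) h = (h + p->a[i] * (uint64_t)w[i]) % P;
    return (uint32_t)(h % NBUCKETS);
}
/* Longest chain after inserting n constructed keys that all collide under
 * fixed_hash (saddr ^ daddr held constant, ports and protocol fixed). */
static unsigned max_chain(unsigned n, int use_universal, uint64_t seed) {
    static unsigned count[NBUCKETS];
    uhash_params p = uhash_init(seed);
    unsigned worst = 0; memset(count, 0, sizeof count);
    for (unsigned i = 0; i < n; i++) {
        flow_key k = { 0x0a000000u + i, (0x0a000000u + i) ^ 0xc0a80001u, 40000, 80, 6 };
        uint32_t b = use_universal ? universal_hash(&p, &k) : fixed_hash(&k);
        if (++count[b] > worst) worst = count[b];
    }
    return worst;
}
```

Under the fixed hash all 64 constructed keys end up in one chain, while the same keys spread across buckets under the randomized family, which is what removes the worst-case lookup cost an attacker would otherwise target.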