The Internet has become an essential part of daily life, and its growing popularity has driven the rapid development of Internet companies, reflected in the increasing scale of these companies and the growing number of servers they operate. At the same time, the WLAN security issues of Internet companies have become more and more serious, and WLAN management is facing more difficulty than ever. Network access control for server clusters has therefore become one of the core issues within enterprises, which makes it particularly important to ensure both the efficiency of server cluster management and the security of the LAN.

To address the problem of large-scale server management, this paper presents a thorough analysis of conventional WLAN management methods. Based on the principle of "distributed deployment, centralized management", a region-oriented network access control model is proposed and its architecture is designed; the system is then implemented and subjected to a series of comparative analyses and evaluations. The main work includes the following:

(1) The region-oriented network access control model is proposed. The model avoids the limitations of conventional WLAN management by introducing the concept of a "region". By using logical regions instead of physical regions, the flexibility of server management is enhanced and auditing is made easier.

(2) The region-oriented network access control architecture is designed, implementing secure access control within the WLAN. The architecture consists of three modules: the operation center, the server and the agent. The structure and workflow of each module are introduced, and the development environment and implementation details of each module are also given.

(3) The region-oriented network access control system is designed and implemented. A packet filtering module based on the NETFILTER framework in the Linux kernel is realized in this system. A hash-based multidimensional packet classification algorithm suited to this system is designed; it eliminates the sharp decline in matching efficiency that IPTABLES suffers as the number of rules grows, and it is shown that nanosecond-level packet matching speed can still be maintained with a large rule set.

(4) The function and performance of the system are evaluated and the results analyzed. The function evaluation covers the access control and policy update capabilities, while the performance evaluation focuses mainly on the packet classification algorithm. The results show that the method proposed in this paper makes large-scale server management reliable and effective.
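The abstract only names the technique, so the following is an added illustration (constructed here, not the thesis's own code) of how a region-keyed, hash-based multidimensional classifier can keep lookup cost independent of rule count: wildcard dimensions are handled tuple-space style, with one hash table per wildcard mask, so each packet costs at most one dict probe per distinct mask rather than a linear scan over every rule. The region names, field layout and priority scheme are assumptions for the example.

```python
"""Constructed example: hash-based region-oriented packet classification.
Rule dimensions are (src_region, dst_region, proto, dst_port); None means
'any'. Rules sharing the same wildcard pattern live in one dict keyed by
the concrete fields, so lookup touches one dict per pattern, never per rule.
"""


class RegionClassifier:
    def __init__(self):
        self.host_region = {}   # ip -> logical region name (assumed mapping)
        self.tables = {}        # wildcard mask -> {key: (priority, action)}

    def assign(self, ip, region):
        """Place a host in a logical region (the 'region' of the model)."""
        self.host_region[ip] = region

    def add_rule(self, src_region, dst_region, proto, dport, action, prio):
        """Store the rule in the hash table that matches its wildcard mask."""
        fields = (src_region, dst_region, proto, dport)
        mask = tuple(f is not None for f in fields)
        key = tuple(f for f in fields if f is not None)
        self.tables.setdefault(mask, {})[key] = (prio, action)

    def probes_per_lookup(self):
        """Upper bound on dict probes per packet: one per distinct mask,
        at most 2**4 = 16, regardless of how many rules are loaded."""
        return len(self.tables)

    def classify(self, src_ip, dst_ip, proto, dport, default="DROP"):
        """Map the packet's endpoints to regions, then probe each mask table
        with the projected key; the highest-priority hit wins."""
        fields = (self.host_region.get(src_ip),
                  self.host_region.get(dst_ip), proto, dport)
        best = None
        for mask, table in self.tables.items():
            key = tuple(f for f, m in zip(fields, mask) if m)
            hit = table.get(key)
            if hit is not None and (best is None or hit[0] > best[0]):
                best = hit
        return best[1] if best is not None else default
```

Hosts that have not been assigned a region can only match rules whose region fields are wildcards, which is the behaviour a default-deny policy wants.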