
Establishment and Technical Implementation of an Information Security Model in CIMS (CIMS中信息安全模型的建立及技术实现)

【Author】 Tian Ke (田珂)

【Supervisor】 Yao Bowei (姚伯威)

【Author information】 University of Electronic Science and Technology of China (电子科技大学), Mechatronics, 2002, Master's degree

【Abstract (translated from Chinese)】 This thesis studies the establishment of an information security strategy in a CIMS and its technical implementation.

As CIMS engineering is rolled out in large enterprises in China and the level of enterprise informatization rises, information security is increasingly becoming a key factor in whether CIMS can succeed in an enterprise. Because of their defects and limitations, traditional firewalls are poorly suited to securing a distributed system such as CIMS; the recently proposed distributed firewall architecture is clearly an appropriate choice. This thesis analyzes the framework and functions of a distributed firewall system and studies three of its important functions in depth: MAC address filtering, dynamic packet filtering and traffic control.

The rapid development of Internet technology is strongly pushing enterprise information systems from regional toward global deployment, and the use of Web servers as the platform for publishing and exchanging enterprise data will be realized on a large scale. From the standpoint of enterprise information security, however, a mechanism for limited openness of enterprise information should be established, guaranteeing that users obtain only the information within their assigned permissions. The conventional security check is a user authentication mechanism, i.e. password checking and IP address filtering on the Web server. However, the IP addresses of workstations on the enterprise intranet are dynamically assigned, have no fixed value and are easily spoofed. Password checking both adds to the user's burden of memorization and is easily obtained by others. Because the network card address of a workstation is globally unique and fixed, it can serve as an identity marker for security checks. At present, the security mechanism of authenticating users by their network MAC address has proven to be a simple and effective means of security checking. Since IPCHAINS under the Linux 2.2 kernel provides no MAC address filtering, Chapter 3 discusses in detail the implementation of MAC address filtering in IPCHAINS, analyzes the flow of packets through IPCHAINS and the key functions and data structures of the IPCHAINS firewall, and describes the handling of MAC address information in kernel and user space.

Dynamic packet filtering, also called stateful inspection, is a functional extension of traditional packet filtering, first proposed by CheckPoint. Dynamic packet filtering is now implemented in essentially all of the firewall products released by the major foreign network security companies, and is regarded as an important product performance indicator. It was implemented in the NETFILTER kernel firewall code of the Linux 2.4.x experimental series released in April 2001, whose user-space program is IPTABLES. Chapter 4 analyzes the defects and limitations of the IPCHAINS firewall and the implementation of dynamic packet filtering under the NETFILTER framework, analyzes connection tracking for the FTP protocol, and presents the author's own implementation of connection tracking for the IRC protocol.

Firewalls with bandwidth control are currently very popular with customers, and the major foreign network security companies have all released products of this kind, for example CheckPoint's Firewall series and CISCO's PIX Firewall series. In fact, whether a product has bandwidth control has become an important performance indicator for high-end firewalls. Chapter 5 discusses the basic methods of bandwidth control and how bandwidth (traffic) control is concretely implemented under Linux, and analyzes the Linux traffic control code in detail.

【Abstract】 This paper mainly studies the establishment and technical implementation of an information security strategy in CIMS. With the extension of CIMS to large-scale industry in our country, the level of informatization in industry will gradually improve; therefore, information security will become more important for the successful application of CIMS engineering in industry. Because of its deficiencies and shortcomings, traditional firewall technology is not good enough to protect the information of CIMS, a distributed system. The Distributed Firewall System, a new concept, will undoubtedly be an appropriate choice. The paper analyzes the framework and functions of the Distributed Firewall System and makes a deep study of three of its important functions: MAC Address Filtering, Dynamic Packet Filtering and Traffic Management.

With the rapid development of Internet technology, Enterprise Information Systems are trending toward globalization, and WEB servers will be widely used as the platform for publishing and exchanging enterprise data. For the security of enterprise information, however, a limited-open mechanism for enterprise information should be set up. The regular method of security checking is an authentication mechanism that identifies users by means of a user password and IP address. But in the internal enterprise network, IP addresses are usually allocated dynamically; with no static IP address, IP spoofing is very easy. Considering that the MAC address is unique and static, the MAC address can be used for user authentication. At present, a security authentication mechanism using the MAC address has been proved to be simple and effective.

Since IPCHAINS cannot support MAC address filtering, in Chapter III I discuss at length the implementation of MAC address filtering under the Linux 2.2 kernel, analyze the travel of a packet through IPCHAINS and the key functions and data structures of the IPCHAINS firewall, and transfer MAC address information between kernel and user space. Dynamic Packet Filtering, also named Stateful Inspection, is an extension of the function of traditional Packet Filtering. At present, Dynamic Packet Filtering is usually implemented in the firewall products of the big companies engaged in network security. In the source code of NETFILTER in the Linux 2.4.X series, this function has been implemented, and the user program is IPTABLES. In Chapter IV, I discuss the deficiencies and shortcomings of the IPCHAINS firewall and dynamic packet filtering under the framework of NETFILTER, analyze the connection tracking of the FTP application protocol, and implement the connection tracking of the IRC application protocol myself.

For the moment, firewalls with the function of Traffic Management are very popular in the market. Firewalls of this kind made by global network security giants have appeared in the market, such as Checkpoint's FireWall series and CISCO's PIX FIREWALL series. As a matter of fact, whether or not a product has the function of bandwidth control is an important performance guideline for weighing high-end firewall products. In Chapter V, I discuss the basic principles of traffic management and how to make a concrete implementation of traffic management under Linux, and analyze the source code of Linux traffic management in detail.

  • 【Classification number】TP393.08
  • 【Download count】123