Design and Implementation of a Packet Filtering Program Based on an NDIS Intermediate Driver for the Windows CE.NET Platform
【Author】 刘博 (Liu Bo)
【Supervisor】 刘元安 (Liu Yuan'an)
【Author information】 Beijing University of Posts and Telecommunications, Electromagnetic Field and Microwave Technology, 2006, Master's degree
【Abstract (Chinese original)】 Packet filtering is the earliest firewall technology. Because it is easy to deploy, transparent to applications, efficient and reliable, it is widely used in the firewall field. Traditional packet filtering inspects the network-layer information of every packet in a data stream, namely the source address, destination address, source port, destination port and the various flag bits in the packet header, to decide whether the packet may pass. For a firewall, however, security is ultimately the most important factor. Traditional packet filtering exercises its network control using information at or below the transport layer, such as IP addresses and service ports, whereas a large share of network attacks exploit vulnerabilities in application systems. The application layer is therefore left without adequate protection, which poses a serious challenge to the security of traditional packet filtering. This thesis addresses these shortcomings in two ways. First, it uses an intermediate driver, a kernel-mode means of packet interception, and proposes a distinctive packet management strategy and buffer management strategy for the intermediate driver, greatly reducing the memory occupied by the system and raising execution efficiency. Second, it adopts a stateful filtering mechanism: a connection-based state inspection mechanism that uses a state table to track the state of every network session and, based on an analysis of the characteristics of packets of different protocols, applies different filtering techniques to them. This strengthens the control of packet filtering over the transport layer and provides more effective application-layer protection. Following the architecture of Windows CE.NET, the thesis combines an intermediate driver with the stateful filtering mechanism to design and implement a packet filtering system with stateful filtering on Windows CE.NET; the security and throughput of the system are clearly superior to traditional packet filtering.
【Abstract】 Packet filtering is one of the earliest technologies widely used in the firewall field. Packet filtering has great advantages in deployment, transparency and efficiency towards applications, and reliable performance. By inspecting the source address, destination address, source port, destination port and the header information of a packet, traditional packet filtering technology decides which packets should pass the firewall. However, as far as the firewall is concerned, security is the most important consideration. Traditional packet filtering technology implements its network control function below the transport layer, because it acts on the IP address and service port, which is network-layer information. However, most network attacks today exploit defects in the application layer. Therefore, because of its deficiency in providing effective protection for the application layer, traditional packet filtering faces a great challenge to its security. This paper solves the problem with two new technologies. Firstly, by using an NDIS intermediate driver, which works in kernel mode, and a particular strategy for packet and buffer management, the improved packet filtering technology gains much higher efficiency and reduces the occupancy of system memory. Secondly, the paper employs a Stateful Filtering Mechanism (SFM). This technology aims at providing more reliable protection of the application layer. By monitoring the status of every network session, the connection-oriented SFM treats different packets with different filtering technologies according to their characteristics. As a result, SFM enhances control over the transport layer and realizes more efficient protection of the application layer. In a word, the paper designs and implements a packet filtering system using an NDIS intermediate driver and stateful packet filtering technology under the Windows CE.NET architecture.
As a result, the system's security performance and throughput are obviously better than those of traditional packet filtering technology.
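The state table that both abstracts describe, as an added illustration rather than code from the thesis (whose filter runs as an NDIS intermediate driver on Windows CE.NET): a Python model of connection-oriented filtering in which an outbound TCP SYN or UDP datagram creates a session entry, inbound packets are admitted only against a matching entry, TCP and UDP get different handling, and idle entries expire. The packet layout, addresses, ports and timeout are constructed for the example.

```python
from collections import namedtuple
# direction: "out" = sent by the protected host, "in" = arriving from the network
Packet = namedtuple("Packet", "proto src sport dst dport direction syn ack", defaults=(False, False))

class StatefulFilter:
    """State table keyed by (proto, inside ip, inside port, outside ip, outside port)."""
    def __init__(self, idle_timeout=30.0):
        self.table, self.idle_timeout = {}, idle_timeout   # key -> [state, last_seen]

    def filter(self, p, now):
        # Idle entries are purged first so a stale session cannot be reused.
        self.table = {k: v for k, v in self.table.items() if now - v[1] <= self.idle_timeout}
        key = (p.proto,) + ((p.src, p.sport, p.dst, p.dport) if p.direction == "out"
                            else (p.dst, p.dport, p.src, p.sport))
        entry = self.table.get(key)
        if p.proto == "tcp":
            return self._tcp(p, key, entry, now)
        if p.proto == "udp":
            return self._udp(p, key, entry, now)
        return False                      # default deny for other protocols

    def _tcp(self, p, key, entry, now):
        if entry is None:                 # only an outbound SYN may open a session
            if p.direction == "out" and p.syn and not p.ack:
                self.table[key] = ["SYN_SENT", now]
            return key in self.table      # unsolicited inbound or out-of-state segments are dropped
        if entry[0] == "SYN_SENT" and not (p.direction == "in" and p.syn and p.ack):
            return p.direction == "out" and p.syn   # a SYN retransmit passes, anything else is dropped
        entry[:] = ["ESTABLISHED", now]   # SYN/ACK completes the handshake; data then flows both ways
        return True

    def _udp(self, p, key, entry, now):
        # UDP has no handshake: an outbound datagram opens a pseudo-session that admits replies until idle
        if p.direction == "out" or entry is not None:
            self.table[key] = ["UDP_OPEN", now]
        return key in self.table

def run_scenario():
    """Constructed traffic sample (documentation address ranges); returns one verdict per packet."""
    f, host, web, dns, probe = StatefulFilter(30.0), "10.0.0.2", "198.51.100.10", "198.51.100.53", "203.0.113.5"
    traffic = [
        (0, Packet("tcp", host, 40000, web, 80, "out", syn=True)),           # host opens an HTTP session
        (0, Packet("tcp", probe, 4444, host, 22, "in", syn=True)),           # unsolicited inbound SSH SYN
        (1, Packet("tcp", web, 80, host, 40000, "in", syn=True, ack=True)),  # SYN/ACK reply
        (2, Packet("tcp", web, 80, host, 40000, "in", ack=True)),            # data on the established session
        (3, Packet("udp", host, 5353, dns, 53, "out")),                      # DNS query
        (4, Packet("udp", dns, 53, host, 5353, "in")),                       # DNS answer within the timeout
        (100, Packet("udp", dns, 53, host, 5353, "in")),                     # late answer, entry has expired
    ]
    return [f.filter(p, t) for t, p in traffic]
```

Running `run_scenario()` yields `[True, False, True, True, True, True, False]`: only traffic that matches a session the protected host opened is admitted, and the expired UDP pseudo-session no longer lets the late datagram through.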
【Keywords】 Windows CE.NET; Packet filtering; NDIS intermediate driver; Stateful inspection;
- 【Online publication contributor】 Beijing University of Posts and Telecommunications 【Online publication year and issue】 2006, Issue 11
- 【Classification number (CLC)】 TP393.08
- 【Download count】 280