《网络安全与防火墙-英文文献翻译(共6页).doc》由会员分享,可在线阅读,更多相关《网络安全与防火墙-英文文献翻译(共6页).doc(6页珍藏版)》请在taowenge.com淘文阁网|工程机械CAD图纸|机械工程制图|CAD装配图下载|SolidWorks_CaTia_CAD_UG_PROE_设计图分享下载上搜索。
1、精选优质文档-倾情为你奉上Research of Network Security and Firewalls TechniquesAbstract:As the key facility that maintains the network security , firewalls take the purpose of establishing an obstacle between trust and trustless network, and put corresponding safety strategy into practice. In this paper , the co
2、mputer network security and the techniques of firewalls were mainly discussed, the concept and classification of the firewalls were introduced. It also introduced three kinds of basic implement techniques of the firewalls: Packet filtering , Application Proxy and Monitor model in detail. Finally des
3、cribed the trend of development of the firewalls techniques in Internet briefly. Key words: network security, firewalls, Packet filtering, monitor1. IntroductionNow with the computer network and e-commerce used widely, network security has become an important problem that we must consider and resolv
4、e. More and more professions. enterprises and individuals surfer from the security problem in different degree. they are looking for the more reliable safety solution . In the defense system adopted by network security at present, the firewalls stand the very important position.As the key facility t
5、hat maintains the network security. firewalls take the purpose of establishing an obstacle between trust and trustless network, and put corresponding safety strategy into practice. All the firewalls have the function to filter the IP address. This task checks the IP packet, makes the decision whethe
6、r to release or to abandon it according to the source address and destination address of the IP. Shown in Fig.I, there is a firewall between two network sections, an UNIX computer is on one side of the firewall, and the other side is a PC client. While the PC client asks a telnet request for the UNI
7、X computer, the client procedure of telnet in the PC produces a TCP packet and passes the packet to the local protocol stack to prepare to send. The protocol stack fills it in one IP packet. then, sends it to UNIX computer through the path defined by the TCP/IP stack of PC. The IP packet cant reach
8、the UNIX computer until it passes the firewall between the PC and the UNIX computer.Fig. I Ip Address Filtering The application firewall is a very efficient means of network security on Internet, it is installed between the trust and trustless network, can isolate the connection between the trust an
9、d trustless network, and doesnt hamper peoples access to the trustless network at the same time. It can isolate the connection between the risk area (namely there may be a certain risk on Internet) and the safe area (LAN), and doesnt hamper peoples access to the risk area at the same time. Firewall
10、can monitor the traffic flowing in and out from the network to finish the task seemingly impossible;it only allows the safe and checked information to enter into, and meanwhile resists on the data that may bring about the threat to enterprise. As the fault and defect of the security problem become m
11、ore and more general, the invasion to the network not only comes from the super attack means, but also may be from the lower-level mistakes or improper password selections on the configuration. So, the function of the firewalls is preventing the communication that not hoped and authorized passes in
12、and out of the network protected. forcing the companies to strengthen their own network security policy. The general firewalls can achieve the following purposes: First, restraining others from entering the inside network, filtering the unsafe service and illegal user; Second, preventing the invader
13、s from closing to your defense installation; Third,limiting the user to access the special site; Fourth,providing convenience for monitoring the Internet security.2. The classification and implement technology of firewalls An integrated firewalls system usually consists of screening router and proxy
14、 server. The screening router is a multi-port IP router. it check the each coming IP packet according to the group regular to judge whether to transmit it. The screening router gets information from the packet. fot example the protocol number. the IP address and port number that receiving and sendin
15、g massages. the flag of link even some other IP selections. filtering IP packet. The proxy server are server process in the firewall. it can replace the network user to finish the specific TCP/IP function. A proxy server is naturally a gateway of application layer. a gateway of two networks joined s
16、pecific network application. Users contact with proxy server by one of the TCP/IP application such as Telnet or FTP. the proxy server ask the users for the name of the remote host. which users want to access. After the users have answered and offered the correct users identities and authentication i
17、nformation, the proxy server communicates the remote host, act as the relay between two communication sites. The whole course can be totally transparent to users. There are mainly three types in the firewalls: packet filtering. application gateways and state detection. Packet filtering firewall work
18、s on the network layer.it can filter the source address. destination address. source port and destination port of TCP/IP data packet. It has advantages such as the higher efficiency.transparent to user. and users might not feel the existence of the packer filtering firewall, unless he is the illegal
19、 user and has been refused. The shortcomings are that it cant ensure the security to most services and protocols, unable to distinguish the different users of the same IP address effectively,and it is difficult to be configured, monitored and managed. cant offer enough daily records and warning. The
20、 application gateways firewall performs its function on the application layer, it connects with specific middle-joint (firewall) by a client procedure, and then the middle-joint connects with the server actually. Unlike the packet filtering firewall. when using the firewall of this kind. there is no
21、 direct connection between the outside networks. so even if the matter has happened in the firewall. the outside networks cant connect with networks protected. The application gateway firewall offers the detailed daily records and auditing function, it improved the security of the network greatly. a
22、nd provides the possibility to improve the security performance of the existing software too. The application gateways firewall solves the safety problem based on the specific application program. the products based on Proxy will be improved to configure the service in common use and non-standard po
23、rt. However. so long as the application program needs upgrading. the users based on Proxy will find that they must buy new Proxy server. As a technique of network safety. Firewall combined with proxy server has simple and practical characteristics, can reach a certain security request in case of not
24、 revising the original network application system. However. if the firewall system is broken through. the network protected is in having no state of protecting. And if an enterprise hopes to launch the business activity on Internet and carry on communication with numerous customers. it cant meet the
25、 demands. In addition, the firewall based on Proxy Service will often makes the performance of the network obviously drop.The third generation of firewall takes the detection technique of state as the core, combines the packet filtering firewall and application gateways firewall. The state detection
26、 firewall accesses and analyzes the data achieved from the communication layer through the module of state detection to perform its function. The state monitor act as firewall technique. it is best in security perfonnance, it adopts a software engine.which executes the tactics of network security on
27、 the gateways, called the detection module. On the premise of not influencing the network to work normally, detection module collects the relevant data to monitor each of the network communication layers, collects a part of data, namely status information, and stores the data up dynamically for the
28、reference in making security decision afterward. Detection modulesupports many kinds of protocols and application program, and can implement the expansion of application and service very easily. Different from other safety schemes, before the users access reaches the operating system of network gate
29、ways, the state monitor should collect the relevant data to analyze, combine network configuration and safety regulation to make the decisions of acceptance, refutation, appraisal or encrypting to the communication etc Once a certain access violates the security regulation, the safety alarm will ref
30、use it and write down to report the state of the network to the system management device. This technology has defects too, namely the configuration of the state monitor is very complicated, and will decelerate the network.3. New generation technique of firewallsAccording to the present firewalls mar
31、ket, the domestic and international manufacturers of firewall can all support the basic function of the firewall well,including access control, the network address transform, proxy, authentication, daily records audit etc. However, as stated before, with the attack to the network increasing, and use
32、rs requisition for network security improving day by day, the firewall must get further development. Combine the present experience of research and development and the achievement,some relevant studies point out, according to the development trend of application and technology, how to strengthen the
33、 security of firewall, improve the performance of firewall, enrich the function of firewall, will become the problem that the manufacturer of firewalls must face and solve next. The purpose of the new generation firewall is mainly combining the packet filtering and proxy technology, overcoming the d
34、efects in the safety respect of two; being able to exert the omnidirectional control from the layer of data chain to the application layer; implementing the micro-kernel of TCP/IP protocol to perform all the security control on the layer of TCP/IP protocol; based on the micro-kernel above, making th
35、e speed to exceed thetraditional packet filtering firewall; Offering the transparent mode of proxy. lightening the configuration work on the client; Supporting the data encryption and decryption (DES and RSA ), offering the strong support to the Virtual Private Network VPN; hiding the Inside informa
36、tion totally; producing a new firewall theory.The new techniqe of firewalls has not only covered all the functions of traditional packet filtering firewalls, but also has remarkable advantages in opposing overall the attack means of IP deception, SYN Flood, ICMP. ARP, etc. strengthening proxy servic
37、e, merging it with packet filtering, then adding the intelligence filtering technology to make the security of the firewall rising to another height. 4. ConclusionNow the firewall has already been widely used on Internet, and because of its characteristic of not limited to the TCP/IP protocol, it ha
38、s more vitality outside Internet progressively too. To be subjective, the firewall is not the omnipotent prescription of solving the problem of network security, but only a component of the network security policy and tactics. However, understanding the technology of firewall and learning to use it
39、in actual operation, believing that every net friend may be benefited a lot from the network life in the new century.外文资料翻译译文摘要:作为关键设施,维护网络的安全性,防火墙采取建立信任与不可靠的网络障碍的目的,并落实相应的安全策略。在这个文件中,计算机网络安全与防火墙的技术,主要讨论的概念和分类,介绍了防火墙。它还介绍了三种基本的防火墙实现技术:分组过滤,代理服务器和应用详细监测模型的。最后描述对互联网的简单防火墙技术的发展趋势。关键词:网络安全,防火墙,包过滤,监控1 介
40、绍现在,随着计算机网络和电子商务的广泛应用,网络安全已成为一个我们必须考虑和解决的重要问题。越来越多的专业,企业和个人上网的不同程度的安全问题。他们正在寻找更可靠的安全解决方案。在防御系统所采用的网络安全的现状,防火墙占据了非常重要的地位。 作为维护网络安全的关键设施,防火墙采取建立一个障碍在信任和不信任的网络之间,并实施相应的安全策略。所有的防火墙具有过滤IP地址的功能。这项任务是检查IP数据包,根据源地址和目的IP地址决定是否释放或放弃这个数据包。在图1所示,在两个网段中间有一个防火墙,一侧是UNIX计算机,另一侧是PC客户端。当PC客户端向UNIX 计算机发送远程登陆请求时,PC里的远程
41、登陆客户端程序产生一个TCP数据包并把此包传递给本地协议栈准备发送。协议栈把它填充在一个IP数据包内,然后通过PC的TCP/IP协议栈中定义的路径发送到UNIX计算机。在它通过PC和UNIX计算机之间的防火墙之前,这个IP包不能送达UNIX计算机。图1 IP地址过滤 在互联网上防火墙是网络安全的非常有效的手段,它安装在信任和不可靠的网络之间,可以隔离安全区域和风险区域的连接,在同一时间并不妨碍人们进入风险区域。它可以隔离风险区域之间的连接(即有可能是在互联网上一定的风险)和安全区(局域网)上,也不妨碍人们在同一时间进入危险领域。防火墙可以监控进出网络的通信量,从网络来完成这项任务看似不可能的,
42、它只允许安全和通过检查的信息进入,同时阻止那些可能给企业带来威胁的数据信息。由于故障和安全问题的缺陷变得越来越普遍,入侵网络不仅来自高超的攻击手段,也可能是来自配置上的低级错误或不合适的密码选择。因此,这个防火墙的功能是防止不被希望和未经许可的通讯进出网络保护。迫使公司加强自己的网络安全策略。一般防火墙可以达到以下目的:第一,制止他人进入内部网络,过滤不安全服务和非法用户;第二,防止关闭安装到你的防御侵略者;第三,限制用户访问特殊站点;第四,提供便利的网络安全监控。2防火墙技术的分类和实施 一个集成的防火墙系统通常包括筛选路由器和代理服务器。该筛选路由器是一个多端口的IP路由器,它根据定期的小
43、组来检查每个IP数据包,以判断是否将其发送。筛选路由器得到分组信息,例如协议号、IP地址、端口号、甚至IP选择中的标志和联系。代理服务器是防火墙的过程服务器。它可以代替网络用户还结束一个特殊的TCP/IP协议。代理服务器是应用层的入口,也是两个网关连接的特定应用程序。用户通过TCP/IP协议,例如远程登录和FIP协议与代理服务器建立联系。服务器要求用户先声明想要登录的远程主机名。用户输入认证的用户名及密码后,服务器即可为用户和远程主机建立联系,作为两者信息传递的平台,这整个过程对于用户是完全透明的。主要有三种类型的防火墙:包过滤,应用网关和状态检测。包过滤防火墙是工作在网络层的,它可以过滤TC
44、P/IP数据包的源地址,目标地址、源端口、目标端口。它具有效率高,对用户透明度高等优势。除非用户是以非法身份登录被拒绝,否则不会感觉到分组过滤防火墙的存在。它的劣势在于不能保证大部分网络服务和协议的安全性,不能有效的区分使用相同IP地址的不同用户,它是很难被设定、监控和管理的。也不能提供足够的日报记录和警告。应用网关防火墙工作在应用层,它通过特定的客户端程序与防火墙中的几个节点相连接,然后这些节点再与服务器连接。与包过滤防火墙不同的是,当使用这种类型的防火墙时,用户不会与外部网络建立直接的联系。因此,即使有事件发生,外部网络也不会对内部被保护的网络产生影响。这个应用程序提供了详细的防火墙日常记
45、录和审计功能,很大的提高了网络安全性,同时提供了可以现有的安控软件。它解决了基于特定应用程序的安全问题。基于代理服务器的产品也将有可能提高标准和非标准端口的配置与服务。但是,只要应用程序需要升级,基于代理器的用户将会发现他们必须购买新的代理服务器。作为一种网络安全技术,与代理服务相联系的防火墙应该具有简单实用这个特点,可以在不修改原有的网络应用系统的情况下,满足特定的安全要求。如果防火墙遭到破坏,将不在对内部网络具有保护功能。它不能满足企业希望在网与广大客户进行沟通的需要。此外,基于代理服务防火墙通常使对网络性能明显下降。第三代防火墙以状态监测为核心,结合了分组过滤防火墙和应用网关防火墙。状态
46、检测防火墙通过模块的状态检测履行存取和分析通信层数据的职能。状态监测作为防火墙技术有很好的安全性,它采用安全软件引擎。执行策略的网络安全的入口,称为检测模块。在不影响网络正常工作的情况下,监测模块提取了通信层的数据进行相关网络监控,这些数据中包括状态信息和涉及网络安全的动态信息。检测组件支持多种协议和应用程序,可以方便得增加应用程序及服务。在用户进入网关的操作系统之前,各种安全模式会收集相关的数据进行分析,再结合的网络配置和安全规定作出接受、拒绝、待鉴定或者加密通信等决定。一旦某个进程违反了安全协议,安全报警器会拒绝进行并汇报给系统管理设备。这种技术也有一些缺陷,例如配置的状态监测是非常复杂的
47、,并会减慢网络进程。3. 新一代的防火墙技术根据目前的防火墙市场、国内外厂商的防火墙都能支持防火墙的基本功能,包括访问控制、网络地址转换、代理服务器、身份验证、每日检查等。但是正如前文所述,随着网络攻击次数的增加,和用户对网络安全要求的日益增加,防火墙技术也随之发展。结合现有技术及成果,一些相关研究表明随着应用技术的发展,如何增强防火墙安全性,提高防火墙性,增加防火墙功能成为许多厂家必须面对的问题。新一代防火墙主要是想要结合包过滤防火墙和代理服务技术,克服两者在安全性上的缺陷,能够发挥从数据链路层到应用层的全方位控制,实行TCP/IP微内核协议去执行所有TCP/IP协议层的安全控制;在微内核的
48、基础上,使之速度超越传统的包过滤防火墙,提供代理服务器的透明模式。闪电配置工作程序;提供数据加密和解码,支持虚拟专用网络,隐藏内部信息。这将成为一种新的防火墙理论。这种新的防火墙技术不仅可以提供传统的包过滤技术提供的全部功能,而且对于防止各种网络袭击有明显优势,加强代理服务、包过滤技术与智能过滤技术相结合,可以使安全防火墙的上升到另一个高度。4 结论 现在该防火墙已被广泛应用于互联网,由于它不受TCP / IP协议限制的特点,使它在英特网之外也有更多的活力。 防火墙不是解决网络安全的主观方法,只是网络安全策略的一个组成部分。我们要在实际应用中学习和了解防火墙技术,相信每一个朋友都可以在新世纪的网络生活中获益良多。专心-专注-专业