臺灣博碩士論文加值系統

防火牆是幾個可以保護內部網路不被外部網路攻擊或入侵的最佳方法之一。如果你的內部網路有連接上網際網路，設定防火牆巳經變成一種基本的保護措施。但是防火牆有規則數目的擴充性問題，當規則數目增加時，防火牆處理每個封包的時間也會增加而導致效能下降。我們提出一種新穎的正面與反面快取機制來加速防火牆以解決這個問題但卻不更改原有防火牆的封包比對演算法。其中，正面快取用來加速正常的連線而反面快取則用來加速不正常連線。我們將我們的演算法實做在一套開放原始碼防火牆IP Filter上，並且做了評比來說明我們的加速效果，結果顯示在五百條規則下，我們的技術提升封包大小64位元組的UDP傳輸效能(吞吐量)為原有的13.5倍，窗戶大小16千位元組的TCP傳輸效能(吞吐量)為原有的1.78倍。

Firewall is one of the best solutions for protecting their networks and hosts against external attacks and intrusions. Setting up a firewall is turned into a basic protection if you connect Internet. But it has scalability issue on the number of firewall rules. As the number of rules increases, per-packet processing time increases and the performance drops. We proposed new positive and negative caching mechanisms instead of modifying existing packet matching algorithm to accelerate firewall and resolve the scalability problem. Positive flow cache is for normal traffic and negative is for abnormal one. We implement our algorithm on the open source firewall IP Filter. Benchmarking results are also provided to further illustrate our acceleration. Compared to original firewall under 500 rules, the result shows that UDP throughput is increased by 13.5 times with packet size 64 bytes and TCP throughput is increased by 1.78 times with windows size 16 Kbytes when using our mechanism.

1 Introduction 1
2 Positive and Negative Flow Cache 4
2.1 Architecture 4
2.2 Design Considerations 6
2.3 Data Structure 8
2.4 Algorithm 11
2.4.1 Entry Point 11
2.4.2 Cache Lookup 12
2.4.3 Cache Insert 13
3 Implementation 15
3.1 Introduction to NetBSD 15
3.2 Introduction to IP Filter 15
3.3 Related Codes 16
3.3.1 IP Layer in NetBSD 16
3.3.2 IP Filter Entry Point 17
4 Evaluation 19
4.1 Benchmarking methodology 19
4.1.1 UDP Throughput and Latency 19
4.1.2 TCP Throughput 20
4.1.3 Effect of Negative Cache 20
4.1.4 Worst Case Testing 21
4.2 Benchmarking Results 21
5 Conclusion and Future Work 27
References 28

[1] P. Gupta, N. McKeown, "Algorithms for packet classification", IEEE Network, Volume: 15 Issue: 2, March-April 2001, Page(s): 24 -32
[2] Ye Tung, Hao Che, "Study of flow caching for layer-4 switching", Computer Communications and Networks, 2000. Proceedings. Ninth International Conference on , 2000, Page(s): 135 -140
[3] Noureldien A.N, Osman I.M, "A Stateful Inspection Module Architecture", TENCON 2000. Proceedings, Volume: 2, 2000, Page(s): 259 -265 vol.2
[4] "Internet Firewalls: Frequently Asked Questions", http://www.interhack.net/pubs/fwfaq/
[5] "IP Filter - TCP/IP Packet Filtering package", http://coombs.anu.edu.au/~avalon/ip-filter.html
[6] CERTR Coordination Center, "CERTR Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL", http://www.cert.org/advisories/CA-2001-19.html
[7] CERTR Coordination Center, "CERTR Advisory CA-2001-26 Nimda Worm", http://www.cert.org/advisories/CA-2001-26.html
[8] CERTR Coordination Center, Denial of Service Attacks, http://www.cert.org/tech_tips/denial_of_service.html
[9] "NetBSD homepage", http://www.netbsd.org/
[10] "NetBSD Kernel Manual", http://www.tac.eu.org/cgi-bin/man-cgi?pfil+9
[11] SmartFlow, http://www.netcomsystems.com/
[12] SmartBits, http://www.netcomsystems.com/
[13] "Iperf Version 1.6", http://dast.nlanr.net/Projects/Iperf/