Research of Key Technology of Firewall Security Policy Configuration
| Field | Value |
|---|---|
| School | National University of Defense Science and Technology |
| Course | Computer Science and Technology |
| Keywords | Firewall; Policy language; ExFlip; Security policy; BSG; Collision detection |
As a network security protection device, the firewall has grown ever more complex in function and in use. Existing approaches to firewall policy configuration find it difficult to guarantee the security of the applications they protect, fail to meet user needs, and leave the rule set with inconsistencies and anomalies. Security policy configuration has therefore become a hot research topic. This thesis focuses on key technology in two areas: high-level policy description together with generation of the low-level firewall configuration, and consistency (conflict) detection among the generated firewall rules. The main work is as follows.

First, the current state of research on high-level policy languages is analysed. Existing languages cannot describe new types of firewall because they lack a way to express authentication information and tunnel information. Taking the high-level policy language Flip as the starting point, an extended firewall high-level policy language, ExFlip, is proposed. ExFlip inherits the grammar of Flip and adds descriptions of VPN policy and authentication policy, further enhancing the descriptive capability of firewall policy.

Secondly, based on the Strongman architecture, and addressing its lack of information granularity and of policy detection and management, a policy deployment process is designed. It automatically turns the user's security requirements, network information and authentication information into the firewall policy configuration, omitting the configuration details in the process; this greatly improves the efficiency of policy configuration and ensures the correctness of policy deployment.

Thirdly, the classification of firewall rule anomalies and the existing anomaly detection algorithms are summarised. To address their low detection efficiency and duplicate detection, a service-packet-based firewall policy conflict detection algorithm, BSG, is proposed. The algorithm efficiently and accurately locates and reports the anomalies that may exist in a firewall rule set, and its performance exceeds that of Fireman, previously the algorithm with the highest detection efficiency.

Finally, on the basis of the above work, a prototype system for firewall configuration generation and testing is implemented; its functions are tested and validated, and the resulting data analysed.
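The abstract refers to the classification of firewall rule anomalies but does not describe the BSG algorithm itself. As an added example that is not part of the thesis, the following Python code implements the classic pairwise anomaly taxonomy (shadowing, redundancy, generalization and correlation, as defined by Al-Shaer and Hamed) over an ordered, first-match rule list. The rule set, the `Rule` class and all function names are constructed for this illustration; BSG's own representation and matching strategy are assumptions not covered here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule; the first matching rule in list order wins."""
    name: str
    proto: str                # "tcp", "udp" or "any"
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    dports: Tuple[int, int]   # inclusive destination port range
    action: str               # "accept" or "deny"


def _proto_subset(a: str, b: str) -> bool:
    return b == "any" or a == b


def _proto_overlap(a: str, b: str) -> bool:
    return a == "any" or b == "any" or a == b


def _net_subset(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).subnet_of(ipaddress.ip_network(b))


def _net_overlap(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def _ports_subset(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return b[0] <= a[0] and a[1] <= b[1]


def _ports_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def is_subset(inner: Rule, outer: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (_proto_subset(inner.proto, outer.proto)
            and _net_subset(inner.src, outer.src)
            and _net_subset(inner.dst, outer.dst)
            and _ports_subset(inner.dports, outer.dports))


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet is matched by both rules."""
    return (_proto_overlap(a.proto, b.proto)
            and _net_overlap(a.src, b.src)
            and _net_overlap(a.dst, b.dst)
            and _ports_overlap(a.dports, b.dports))


def relation(rx: Rule, ry: Rule, between: List[Rule]) -> Optional[str]:
    """Anomaly between earlier rule rx and later rule ry (Al-Shaer/Hamed taxonomy)."""
    if is_subset(ry, rx):
        # rx fires first for every packet ry could match: ry never takes effect.
        return "shadowing" if ry.action != rx.action else "redundancy"
    if is_subset(rx, ry):
        if ry.action != rx.action:
            return "generalization"   # rx is the narrow exception to the broader ry
        # rx is redundant to ry only if no rule in between, with a different action,
        # would catch some of rx's packets once rx were removed.
        blocked = any(r.action != rx.action and overlaps(r, rx) for r in between)
        return None if blocked else "redundancy"
    if overlaps(rx, ry) and ry.action != rx.action:
        return "correlation"          # partial overlap; rule order decides the outcome
    return None


def detect_anomalies(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Pairwise anomaly report as (kind, earlier_rule, later_rule) tuples."""
    findings = []
    for j, ry in enumerate(rules):
        for i in range(j):
            kind = relation(rules[i], ry, rules[i + 1:j])
            if kind:
                findings.append((kind, rules[i].name, ry.name))
    return findings


# Constructed sample rule set for illustration; not taken from the thesis.
SAMPLE_RULES = [
    Rule("R1", "tcp", "10.0.0.0/8",  "192.168.1.0/24",  (80, 80),   "accept"),
    Rule("R2", "tcp", "10.0.1.0/24", "192.168.1.0/24",  (80, 80),   "deny"),    # shadowed by R1
    Rule("R3", "tcp", "10.0.2.0/24", "192.168.1.10/32", (80, 80),   "accept"),  # redundant to R1
    Rule("R4", "any", "0.0.0.0/0",   "192.168.1.0/24",  (1, 65535), "deny"),    # generalizes R1, R3
    Rule("R5", "udp", "10.0.0.0/16", "192.168.0.0/16",  (53, 53),   "accept"),  # correlated with R4
]

if __name__ == "__main__":
    for kind, earlier, later in detect_anomalies(SAMPLE_RULES):
        print(f"{kind:14s} {earlier} -> {later}")
```

The pairwise check is quadratic in the number of rules, which is the efficiency problem the abstract says BSG addresses; the point of the example is the anomaly semantics, in particular that shadowing and redundancy only differ by action, and that a same-action superset later in the list makes the earlier rule redundant only when no intervening rule of the opposite action overlaps it.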