Linux Firewall extension technology and intrusion detection implementation

Source: Internet
Author: User
Abstract: This article introduces the implementation mechanism of the Linux netfilter/iptables architecture and its extension technology, and proposes an extended match option that gives the firewall an intrusion detection function. The extended firewall can perform Snort-like intrusion detection, which broadens the firewall's security control function, and Snort rules can be converted into firewall rules to enlarge the firewall rule set.

According to how they process data passing between the internal and external networks, firewalls can be divided into packet filtering firewalls and application layer firewalls. A packet filtering firewall works at the network layer: it examines only the protocol headers of a packet to decide its fate, so it runs fast but cannot inspect the content of upper-layer protocols. An application layer firewall can forward and filter upper-layer data and enforce authentication, but it requires a separate proxy application for each service and creates a network bottleneck. Integrating packet filtering with several application-level techniques to build a compound firewall is a feature of domestic firewall products and is also the mainstream direction of firewall development.

Seen in this light, integrating packet content inspection into the firewall is a good solution: it makes up for the shortcomings of existing firewalls and provides the same detection capability as an intrusion detection system. This article introduces the implementation mechanism of the Linux netfilter/iptables architecture and its extension technology, and proposes an extended match option that implements the firewall's intrusion detection function. The extended firewall can detect intrusions the way Snort does, and Snort rules can be converted into firewall rules to enlarge the rule set.

1 Extension technology of the Linux firewall: netfilter/iptables

In Linux, the netfilter/iptables firewall system consists of two basic components: the general framework netfilter, defined in kernel space, and packet selection. The latter is made up of two parts: the data structure "IP table" (ip_tables), built on top of the netfilter framework, and the iptables application implemented in user space. For a detailed description of the firewall's workflow, see [1] [2].

With the netfilter architecture in place, new functions can be added simply by writing kernel modules. The existing netfilter/iptables firewall can be extended in two ways. The first is to extend netfilter itself: write a kernel module that calls nf_register_hook() to register a function directly on one of the netfilter hooks, where it sees every packet that passes that hook. The second is to extend the IP table by writing new matches and targets. A match extension adds to the matching rules available in the existing tables and is independent of any specific table. Extending the IP table requires both kernel and user-space code: the kernel module provides the actual packet-matching code, and the user-space part is a shared library that teaches iptables the new command-line options.


2 Design of the intrusion detection match extension for the Linux firewall

Current intrusion detection systems generally rely on exact pattern matching. Snort, for example, matches packets against its rules to detect a wide variety of intrusions and probes; the method is simple and effective. The same approach can be used here: a match option added to the firewall's existing matching options can check the content of data packets. Because IP table extensions are flexible, the intrusion detection module is implemented as a match extension. This requires writing kernel and user-space code. The standardized netfilter/iptables interfaces define the data structures each side uses, so implementing the two pieces of code is mainly a matter of filling in those data structures and registering them to add the new function.
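As an added example (not code from the article), the following C program converts one Snort content rule into an iptables rule built on the stock string match (-m string), which is the closest standard counterpart of the match option the article proposes. The article's own converter is not shown on the page; the mapping used here (content to --string or --hex-string, nocase to --icase, msg to a LOG prefix, the rule's destination port to --dport) and the sample rules are this example's choices, and the converter deliberately rejects Snort syntax it does not cover rather than guessing.

```c
/* Added example: translate a minimal Snort rule into an iptables string-match rule.
 * Only "alert tcp|udp <src> <sport> -> <dst> <dport> (content:"..."; ...)" is handled. */
#include <stdio.h>
#include <string.h>

/* Copy the quoted value of a Snort option such as content:"..." into out.
 * Backslash escapes inside the quotes are not handled. */
static int get_quoted_option(const char *opts, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(opts, key), *q;
    size_t n;
    if (!p) return -1;
    p += strlen(key);
    while (*p == ' ') p++;
    if (*p != '"') return -1;          /* also rejects negated content:!"..." */
    q = strchr(++p, '"');
    if (!q) return -1;
    n = (size_t)(q - p);
    if (n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Append s to out, refusing to overflow. */
static int emit(char *out, size_t outlen, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n >= outlen) return -1;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Returns 0 and fills out with an iptables command, or -1 if the rule uses
 * syntax this converter does not cover (other protocols, port variables, lists). */
int snort_to_iptables(const char *rule, char *out, size_t outlen)
{
    char action[16], proto[8], src[64], sport[16], dir[4], dst[64], dport[16];
    char content[128], msg[128], tmp[192];
    const char *opts;
    size_t pos = 0;

    if (sscanf(rule, "%15s %7s %63s %15s %3s %63s %15s",
               action, proto, src, sport, dir, dst, dport) != 7)
        return -1;
    if (strcmp(action, "alert") != 0 || strcmp(dir, "->") != 0)
        return -1;
    if (strcmp(proto, "tcp") != 0 && strcmp(proto, "udp") != 0)
        return -1;                     /* --dport only exists for tcp/udp */
    if (dport[0] == '$' || dport[0] == '!' || dport[0] == '[')
        return -1;                     /* variables, negation and port lists not expanded */
    opts = strchr(rule, '(');
    if (!opts || get_quoted_option(opts, "content:", content, sizeof content) < 0)
        return -1;
    if (strpbrk(content, "$`\\"))
        return -1;                     /* would need shell quoting; keep the command safe */
    if (get_quoted_option(opts, "msg:", msg, sizeof msg) < 0)
        msg[0] = '\0';

    snprintf(tmp, sizeof tmp, "iptables -A INPUT -p %s", proto);
    if (emit(out, outlen, &pos, tmp)) return -1;
    if (strcmp(dport, "any") != 0) {   /* Snort "80" or "80:90" is valid --dport syntax too */
        snprintf(tmp, sizeof tmp, " --dport %s", dport);
        if (emit(out, outlen, &pos, tmp)) return -1;
    }
    /* Snort's |0d 0a| hex notation is the same notation iptables --hex-string expects */
    snprintf(tmp, sizeof tmp, " -m string --algo bm --%sstring \"%s\"",
             strchr(content, '|') ? "hex-" : "", content);
    if (emit(out, outlen, &pos, tmp)) return -1;
    if (strstr(opts, "nocase;") && emit(out, outlen, &pos, " --icase"))
        return -1;
    if (emit(out, outlen, &pos, " -j LOG")) return -1;
    if (msg[0]) {                      /* the LOG target accepts at most 29 prefix characters */
        snprintf(tmp, sizeof tmp, " --log-prefix \"%.29s\"", msg);
        if (emit(out, outlen, &pos, tmp)) return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample rule in Snort syntax (local sid range). */
    const char *rule = "alert tcp $EXTERNAL_NET any -> $HOME_NET 80 "
        "(msg:\"WEB-CGI phf access\"; content:\"/cgi-bin/phf\"; nocase; sid:1000001; rev:1;)";
    char cmd[512];
    if (snort_to_iptables(rule, cmd, sizeof cmd) == 0)
        puts(cmd);
    return 0;
}
```

The generated rule only logs; a deployment would typically pair LOG with a DROP rule or a dedicated chain, and rules whose content uses offset/depth modifiers need a match that understands them, which the stock string match does not.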

2.1 Kernel module data structure

The new match is implemented as an independent kernel module. To make the match available to iptables, the module registers itself through ipt_register_match(), which iptables provides. The core of the new match module is the struct ipt_match structure: it is passed as the argument of ipt_register_match(), which adds it to the linked list of registered matches so that the new rule-matching option can be used. (In current kernels the equivalent structure and call are struct xt_match and xt_register_match().)
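The packet-matching work that the match module's callback performs, as an added example that is not the article's code and serves both section 2 and section 2.1: it locates the TCP payload inside an IPv4 packet and searches it for a Snort-style content pattern, honouring the offset, depth and nocase modifiers that Snort rules use. It is written against a plain byte buffer so that it compiles and runs in user space; in the kernel the same ids_match() logic would be invoked from the .match member of the registered match structure over the packet data. The struct ids_match_info layout, the build_tcp_packet helper and the sample HTTP request are this example's own constructions, not the article's.

```c
/* Added example: payload location and Snort-style content matching, user-space build. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-rule match data; in the kernel this is what the user-space library would
 * pass in as the match's private info. Layout is this example's assumption. */
struct ids_match_info {
    char     pattern[64];
    uint16_t patlen;
    uint16_t offset;   /* Snort "offset": start this many bytes into the payload */
    uint16_t depth;    /* Snort "depth": search only this many bytes from offset; 0 = to end */
    uint8_t  nocase;   /* Snort "nocase": case-insensitive comparison */
};

/* Locate the TCP payload in an IPv4 packet. Returns the payload length, or -1 if
 * the headers are malformed or the packet is shorter than its own total length. */
static int ipv4_tcp_payload(const uint8_t *pkt, size_t len, const uint8_t **payload)
{
    size_t ihl, doff, total;
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    total = ((size_t)pkt[2] << 8) | pkt[3];
    if (total < ihl || total > len) return -1;  /* trust the IP total length, not trailing bytes */
    if (pkt[9] != 6) return -1;                  /* protocol is not TCP */
    if (total - ihl < 20) return -1;
    doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || ihl + doff > total) return -1;
    *payload = pkt + ihl + doff;
    return (int)(total - ihl - doff);
}

/* Search data[0..n) for the pattern within the offset/depth window.
 * Returns the match position or -1. A naive scan is used; the kernel string
 * match would use a Boyer-Moore or Knuth-Morris-Pratt textsearch instead. */
static int content_search(const uint8_t *data, size_t n, const struct ids_match_info *m)
{
    size_t start = m->offset, end = n, i, j;
    if (m->patlen == 0 || start >= n) return -1;
    if (m->depth && start + m->depth < end) end = start + m->depth;
    if (end - start < m->patlen) return -1;
    for (i = start; i + m->patlen <= end; i++) {
        for (j = 0; j < m->patlen; j++) {
            uint8_t a = data[i + j], b = (uint8_t)m->pattern[j];
            if (m->nocase) { a = (uint8_t)tolower(a); b = (uint8_t)tolower(b); }
            if (a != b) break;
        }
        if (j == m->patlen) return (int)i;
    }
    return -1;
}

/* What the match callback returns: 1 if the rule option matches the packet, else 0.
 * Packets with no parsable TCP payload never match, so a truncated capture cannot
 * produce a false positive. */
int ids_match(const uint8_t *pkt, size_t len, const struct ids_match_info *m)
{
    const uint8_t *payload;
    int plen = ipv4_tcp_payload(pkt, len, &payload);
    if (plen <= 0) return 0;
    return content_search(payload, (size_t)plen, m) >= 0;
}

/* Build a minimal IPv4/TCP packet carrying payload (constructed test input;
 * checksums stay zero because the matcher does not verify them). Returns total length. */
size_t build_tcp_packet(uint8_t *buf, size_t buflen, const char *payload)
{
    size_t plen = strlen(payload), total = 20 + 20 + plen;
    if (total > buflen || total > 65535) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                      /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 6;                            /* TTL, protocol TCP */
    buf[12] = 10; buf[15] = 1; buf[16] = 10; buf[19] = 2; /* 10.0.0.1 -> 10.0.0.2 */
    buf[20] = 0xc0; buf[23] = 0x50;                     /* sport 49152, dport 80 */
    buf[32] = 0x50; buf[33] = 0x18;                     /* data offset 5, PSH|ACK */
    memcpy(buf + 40, payload, plen);
    return total;
}

/* Convenience wrapper: match one pattern against one constructed packet. */
int demo_match(const char *payload, const char *pattern, uint16_t offset, uint16_t depth, uint8_t nocase)
{
    uint8_t buf[1600];
    struct ids_match_info m;
    size_t n = build_tcp_packet(buf, sizeof buf, payload), pl = strlen(pattern);
    if (n == 0 || pl == 0 || pl >= sizeof m.pattern) return -1;
    memcpy(m.pattern, pattern, pl + 1);
    m.patlen = (uint16_t)pl; m.offset = offset; m.depth = depth; m.nocase = nocase;
    return ids_match(buf, n, &m);
}

int main(void)
{
    printf("phf, nocase:        %d\n", demo_match("GET /CGI-BIN/PHF?Qalias=x HTTP/1.0\r\n", "/cgi-bin/phf", 0, 0, 1));
    printf("phf, case-sensitive:%d\n", demo_match("GET /CGI-BIN/PHF?Qalias=x HTTP/1.0\r\n", "/cgi-bin/phf", 0, 0, 0));
    printf("phf, depth 10:      %d\n", demo_match("GET /CGI-BIN/PHF?Qalias=x HTTP/1.0\r\n", "/cgi-bin/phf", 0, 10, 1));
    return 0;
}
```

The length checks in ipv4_tcp_payload are the part a kernel implementation must not skip: the match callback runs on attacker-controlled packets, so header fields (IHL, total length, TCP data offset) have to be validated against the actual buffer before any pointer is derived from them.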