I. FirewallOverviewNetwork Firewall is a technology used to enhance access control between networks and prevent external network users from illegally accessing internal networks and network resources through external networks, special network interconnection devices that protect the operating environment of internal networks. It checks data packets transmitted between two or more networks according to certain security policies to determine whether communications between networks are allowed and monitor the network running status. Depending on the technology used by the firewall, it can be divided into four basic types: Packet Filter Type, Network Address Translation-NAT, proxy type and monitoring type. Packet Filter is a basic firewall product. Its technical basis is packet transfer technology in the network. The advantage of the packet filtering technology is that it is simple and practical, and the implementation cost is low. When the application environment is relatively simple, the system security can be guaranteed to a certain extent at a small cost. Network Address Translation is a standard for converting IP addresses into temporary, external, and registered IP addresses. It allows internal networks with private IP addresses to access the Internet. A proxy firewall can also be called a proxy server. It is more secure than a packet-filtering product and has begun to develop at the application layer. The advantage of proxy firewall is its high security. It can detect and scan the application layer to deal with intrusion and viruses Based on the application layer. Its disadvantage is that it has a great impact on the integrity of the system, and the proxy server must be set one by one for all application types that may be generated by the client, greatly increasing the complexity of system management. The monitoring Firewall is a new generation product that can actively and in real time monitor the data at all layers. Based on the analysis of the data, the monitoring firewall can effectively detect illegal intrusion at each layer. At the same time, such detection firewall products generally carry distributed detectors, which are placed on various application servers and nodes on other networks, not only to detect attacks from outside the network, at the same time, it also has a strong preventive effect on internal malicious damages. The security of the monitoring firewall has exceeded the packet filter type and the proxy server type firewall, but its implementation cost is high. Based on the comprehensive consideration of system cost and security technical cost, users can choose to use some monitoring technologies.Ii. Overall Design of Linux-based Personal FirewallThis article studies the software and hardware environment of the firewall system, the development steps and functions of the firewall, and finally describes the hardware and software platform principles required by the firewall system. Although all Linux systems have built-in firewall kernel programs, user configuration is required to protect network security.1. Overall Firewall System DesignIn Linux, implementing the design and application of software firewalls is essentially a host-based network security solution. Therefore, we can choose an appropriate software and hardware platform and the corresponding firewall design principles, and develop a firewall system that can meet the requirements. To sum up, the firewall to be implemented must meet two major requirements: first, it must be able to provide security protection for hosts, that is, to implement security protection during data transmission between hosts and hosts outside the LAN; second, it is necessary to provide a good man-machine interface with the advantages of easy operation and easy management. Considering the limitations of existing hardware devices, the experiment environment is simplified as much as possible to ensure that the experiment requirements are met. Because the firewall system is designed based on the host, you only need a networked host to perform the experiment. In Linux, the system uses C language to implement the design and application of the packet filtering software firewall, and uses Kylix development tools for interface design and database connection. The Linux-based personal firewall system provides the following functions: 1) full-process dynamic packet filtering. This firewall must implement full-process dynamic packet filtering in Linux, by analyzing the address, protocol, and port of the data packet, you can control the access to the current status of any network connection to improve system performance and security. 2) provide log auditing. This firewall is equipped with a logging system and query tools to record system management, system access, and network access to security policies. 3) Firewall Database Backup This Firewall creates a firewall to filter databases, and the administrator can actively set the database.Iii. Structure and Principle Analysis of the packet capture Module Based on LinuxThis section discusses the structural features of the monitoring layer data packet capture module, discusses its principles in detail, and describes some important functions of the program that implements the data packet capture function.1. Structure of the data packet capture moduleThe packet capture module is used to monitor and verify network traffic. It can intercept or read packets at various Protocol levels in the OSI protocol model on the network. The data Packet capture program designed in this article can capture Raw Packet through the original Socket interface. When a data Packet reaches the network interface, the data packet capture program reads the captured data packets directly from the cache for data analysis and processing. The structure 1 of the data capture module is shown below:
Bytes
Data capture
Obtain the packet header information. |
|
Figure 1 data capture program structure
2. Principle Analysis of the data packet capture module
1) network card setting principle in a real system, data transmission and receiving are completed by the network card, and the network card receives the transmitted data, the target MAC address of the data frame received by the program in the NIC. Based on the receiving mode set by the NIC driver on the computer, the system determines whether the data frame should be received or not. For NICs, there are generally four receiving modes: broadcast mode multicast mode, direct mode, and hybrid mode. The packet capture program first makes the network interface (NIC) in a hybrid state, which can intercept the content on the network and analyze the content of the data in real time through corresponding software processing, prepare for data packet filtering. 2) description of basic functions this article describes how to write a data packet capture program in C language on a Linux host. Many predefined functions in Linux are used in the program, this section describes the functions and usage features of these basic functions. 1) the ioctl function defines the ioctl () function, which can control the attributes of various files. It is used to control the underlying device parameters of special files. These special files usually refer to terminals, sockets, and interfaces. The ioctl function is prototype: int ioctl (int handle, int cmd [, int * argdx, int argcx]); 2) the socket function defines two common Socket types: stream Socket (SOCK_STREAM) and Data PACKET Socket (SOCK_DGRAM ). Streaming is a connection-oriented Socket for connection-oriented TCP Service applications; datagram Socket is a connectionless Socket for connectionless UDP Service applications. The prototype of the Socket function is: int socket (int domain, int type, int protocol); 3) the recvfrom () function is defined to use the recvfrom () function to receive data packets () it is a function with the "blocking I/O" feature. It can temporarily suspend waiting when no data packet arrives until the data packet is received, and then activate the function for next processing. The original recvfrom () function is: int recvfrom (SOCKET s, char FAR * buf, int len, int flags, struct sockaddr FAR * from, int * fromlen ); this function receives data from the connected interfaces and captures the address of the data sending source. For interfaces of the SOCK_STREAM type, a maximum of data in the buffer zone can be received. If the set of interfaces is set to receive out-of-band data within the line (the option is SO_OOBINLINE) and out-of-band data is not read, out-of-band data is returned. The application can call the SOCATMARK command of ioctlsocket () to determine whether out-of-band data is to be read. For interfaces of the SOCK_STREAM type, the from and fromlen parameters are ignored. 4) Some "byte sequence" conversion functions have the "byte sequence" problem because of the differences in memory sequence arrangement between the network and the host's storage bytes. During network storage, high bytes are stored at the starting position of the memory, while low bytes are stored at a high position. The storage order of hosts is the opposite. Low bytes are stored at the starting position of the memory. In this case, the corresponding byte sequence Conversion Function: inet_ntoa (): converts a 32-bit network binary value to a IP address with a dot delimiter in the readable decimal format. Inet_addr (): converts an IP address with a delimiter to a 32-bit unsigned long format. Ntohs (): converts network bytes to 32-bit host bytes. Ntohl (): converts network bytes to 16-bit host bytes. Htonl (): converts 32-bit u_long values from host bytes to network bytes. Htons (): converts 16-bit u_long values from host bytes to network bytes. The data capture program designed in this article requires the use of the SOCK_PACKET device, SOCK_PACKET is effectively defined only in the Linux-based operating system. To this end, the American National Laboratory of Lorenz Berkeley has compiled the API function library Libpcap for data packet interception ". This function is designed to unify different types of interfaces provided by different systems for data packet interception, and make it simple and effective to write and port similar high-level applications, you no longer need to use different system-dependent data packet interception modules for each application.
Iv. Design and Implementation of the packet capture Module Based on Linux
1. Data Packet capture module design Flowchart
In the packet capture program, network links are monitored and data packets are collected by setting the network adapter to work in a hybrid State to obtain the packet header information. The flowchart 2 shows:
Start the SOCKET function |
Set the NIC to the hybrid mode |
Receive data from the buffer zone |
Check and display the data packet format |
Figure 2 flowchart of the data packet capture module
2. Data Packet capture module implementation
This data packet capture program is written in C language and uses many functions in Linux network programming. 1) set the network interface to the hybrid mode of the network interface so that a network interface device can only read data packets whose target address is 6-byte MAC address, to read all data packets in the network broadcast media. This part is implemented through two ioctl function calls:
Ioctl (sock, SIOCGIFFLAGS, & ifr) ifr. ifr_flags | = IFF_PROMISCioctl (sock, SIOCGIFFLAGS, & ifr)
The first ioctl function call is used to intercept the mark of the interface in the ifr (struct ifreq) structure. The first parameter is the original socket descriptor "sock" opened, and the second parameter is the request operation to be executed. The third parameter is the address pointer of the Interface request data structure, which contains the interface name value for the request. We apply the hybrid tag (IFF_PROMISC) to the tag variable of the Interface request structure to change the interface tag. The operator "| =" performs "or" on the mixed mark and the original interface mark to set the new interface mark. After obtaining the new interface tag, set it to the actual interface. The second ioctl call sets the interface device to the hybrid mode. Just as the first ioctl call is to get the mark of the network interface, this call is to set a new mark modified in the ifr structure to be written to the physical interface. 2) Open the Socket device and use the socket function to open the Socket device. Sock = socket (AF_PACKET, SOCK_RAW, htons (ETH_P_ALL) domain uses AF_PACKET to receive packets at both the link layer and the network layer. 3) The recvfrom () function is used to receive data packets: recvfrom (sock, (char *) buf, sizeof (buf), 0, (struct sockaddr *) & addr, & len) this is where the data packet is read from the open network Socket, but note that the addr structure has a forced type conversion to meet the syntax requirements of the recvfrom () function, recvfrom () if the function successfully reads data, the number of bytes is returned. Otherwise,-1 is returned. 4) determine the packet header pointer. The packet capture module can receive the original packet. Their format is generally the header of the Ethernet data frame, followed by the ARP or IP data packet header. The IP packet is followed by the TCP, UDP, and ICMP headers, and finally the data to be transmitted. Therefore, when splitting IP data packets, first extract the header of the Ethernet data frame, then extract the header of the IP data packet, and then analyze the header of the TCP, UDP, and ICMP data packets. Finally, extract the required data from the data packet.
3. Some struct parsing used in the program
1) The first structure type created by the sockadd_in struct in the network is sockaddr. This data structure stores address information for many types of interfaces. It is defined as follows: struct sockaddr {unsigned shortsa_family;/* This is an address family, usually in the form of AF-xxxx */charsa_data [14]; /* 14-byte address information */}; 2) the ethhdr struct contains the following data structures:
Struct ethhdr {unsigned char h_dest [ETH_ALEN];/* physical address of the 48-bit target address */unsigned char h_source [ETH_ALEN]; /* 48-bit physical NIC address */unsigned short h_proto;/* 16-bit Ethernet protocol */}
3) The iphdr struct is the ip protocol header of Linux. It can be defined differently for different versions. We generally use the BIG definition in China, where the version is the ip version, protocol is a protocol classification of ip addresses, saddr is a 32-bit source ip address, and daddr is a 32-bit destination ip address. 4) The tcphdr struct is a part of the tcp protocol in Linux. It is the same as the IP protocol. The source is the source port, the dest is the destination port, the seq is the s sequence, and the ack_seq is the sequence number, the other are tcp connection flags, which contain Six Flags: syn indicates connection request, urg indicates emergency information, fin indicates connection end, ack indicates connection response, and psh indicates push stack flag, rst indicates that the connection is interrupted. Window indicates the size of the received data window, check indicates the verification code, and urg ptr indicates the emergency pointer. 5) udphdr struct is part of the udp protocol in Linux IP protocol. The following is the data structure: struct udphdr {u_int16_t source;/* source Port */u_int16_t dest; /* destination port */u_int16_t len;/* udp length */u_int16_t check;/* Verification Code */} This article designs a package-based Personalized Firewall Based on Linux Hosts, its functions differ greatly from the popular firewalls in the current market. With the continuous development of technology, firewalls are constantly changing. The firewall technology has gone through three phases: packet filtering, application proxy gateway, and status detection. Among them, status detection is a relatively advanced firewall technology. It does not care about the shortcomings of packet connection status changes because packet filtering Firewall only examines the IP address and other parameters of data packets, create a status connection table in the core part of the firewall, and treat inbound and outbound data as sessions, and use the status table to track the status of each session. The status detection technology improves the security protection capability while improving the traffic processing speed. Status Monitoring Technology uses a series of optimization technologies to greatly improve firewall performance and can be applied in various network environments, especially in large-scale networks with complex rules. The Deep Packet detection technology will promote the development of firewalls to a new stage. This technology analyzes the content encapsulated by data headers or payload to guide, filter, and record IP-based application and Web Service communication traffic, its work is not limited by the protocol type and application type. With deep packet detection technology, enterprise networks can significantly improve performance without buying expensive servers or other security products.