Title: An Integrated Proxy Architecture for Anti-Virus, Anti-Spam, Intrusion Detection and Content Filter
Authors: 詹智為 (Chih-Wei Jan); 林盈達 (Ying-Dar Lin)
Institute: Institute of Computer Science and Engineering
Keywords: network security; intrusion detection; anti-virus; anti-spam; content filter; proxy
Date: 2003
Abstract: Network content security has become a critical issue for the Internet. We selected five popular open-source packages to solve the problems of intrusions, viruses, spam, and inappropriate Web pages. However, simply installing these packages brings four kinds of overhead: (1) process forking, (2) redundant IPCs, (3) redundant user/kernel space interactions, and (4) duplicate packet reassembly. To reduce these overheads, we propose a tightly integrated architecture. The architecture uses multithreading and the select() system call to eliminate overhead (1), and integrates the cooperating packages into a single proxy to eliminate overheads (2), (3) and (4). The external benchmark shows that throughput improves from 7.16 Mbps to 13.11 Mbps for content filtering and intrusion detection, and from 2.85 Mbps to 5.82 Mbps for anti-virus and anti-spam. It shows that the dominating overhead in the original architecture is process forking. The internal benchmark shows that the main bottlenecks of content processing are string matching in HTTP and file system access in SMTP, accounting for 48% and 62% of the processing time, respectively. Finally, to scale up this architecture, we suggest directions for improvement, including faster string matching algorithms, hardware accelerators, support for more protocols, and support for more kinds of detection.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009123536
http://hdl.handle.net/11536/52913
Appears in Collections: Theses


Files in this item:

  1. 353601.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to read the full text.