Title: | Integrating and Benchmarking Security Gateway with Open Source Firewall, VPN, and IDS |
Authors: | Shao-Tang Yu; Ying-Dar Lin; Institute of Computer Science and Engineering |
Keywords: | security gateway; firewall; NAT; VPN; IDS; benchmark; open source |
Issue Date: | 2000 |
Abstract: | Network security is an important issue of concern to enterprises. In this thesis, we first use open source packages to build a security gateway that integrates three major functions: firewall, virtual private network (VPN), and intrusion detection system (IDS). The integrated packages are the Linux kernel, ipchains (packet filter), Squid (URL filter), TIS (content filter), FreeS/WAN (VPN), and Snort (IDS). During integration we also patched the system kernel so that the packages can work together to meet user requirements. A comparison of the open source solution against commercial products finds that ipchains and FreeS/WAN are practical, while TIS and Snort have performance problems. Detailed internal benchmarking further finds that, for a 1518-byte packet, the processing time required by 3DES encryption is 9 times that of MD5 authentication and 31 times that of network address translation (NAT), showing that among the kernel modules the longest per-packet processing time belongs to the 3DES encryption function of FreeS/WAN; at the daemon level, the longest request/response processing time belongs to TIS, whose processing time is several tens of times that of Squid and Snort. Further tracing of the source code finds that TIS performs poorly because of some inappropriate implementation techniques, while ipchains and Snort scale poorly because they use linear matching algorithms. Finally, we propose four directions for improving performance: better matching algorithms, more appropriate implementation techniques, moving some daemon-level work into the kernel, and using hardware to accelerate processing. Network security has become a critical issue for enterprises. In this work, we first demonstrate how to build a security gateway capable of firewall, VPN, and IDS functions by integrating open source packages: Linux kernel, ipchains (packet filter), Squid (URL filter), TIS (content filter), FreeS/WAN (VPN), and Snort (IDS). We patch the kernel to ensure interoperability of these packages. Next, we compare this open source solution with commercial products and observe that ipchains and FreeS/WAN are viable but TIS and Snort have performance problems. Our detailed internal benchmarking reveals that the 3DES encryption in FreeS/WAN tops the ranking of packet processing within the kernel, at 9 times that of MD5 authentication and 31 times that of NAT for 1518-byte packets, and that TIS tops the ranking of request/response processing at the daemon level, several orders of magnitude higher than Snort and Squid. Further code tracing identifies the improper implementation in TIS and the less scalable linear matching algorithms in ipchains and Snort. Finally, to scale up these packages, we suggest ways of improvement, including enhanced matching algorithms, proper implementation tips, function relocation from daemon to kernel, and hardware accelerators. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#NT890394061 http://hdl.handle.net/11536/66964 |
Appears in Collections: | Thesis |