Excerpt of the thesis content
With the proliferation of the Internet and networked application systems, all sorts of network intrusions and attacks have emerged, severely affecting the normal operation of those systems. As an access control mechanism deployed between two separate networks, a firewall allows trusted data flows to pass and rejects untrusted ones, in order to prevent unauthorized access. The firewall, as an indispensable network protection tool, is extensively deployed in many network application scenarios. Network Address Translation (NAT) and Access Control List (ACL) policies, the core policies of a firewall, carry the responsibilities of protecting the intranet and of address multiplexing. However, the lack of uniform firewall configuration management and auditing leads to disordered configurations and declining efficiency, greatly threatening the security of the network for which the firewall is responsible.

Given these threats, auditing the configuration of firewall policies is an important part of a network security check. The audit process can be divided into the following steps: first, analyzing the firewall configuration files; then, filtering out the items with flaws and deficiencies; finally, checking network connectivity. This process is key to keeping the target system operating securely. On the basis of firewall configuration information and a theoretical model of a firewall configuration audit scheme, this paper designs and proposes audit schemes for Cisco, Huawei and Juniper firewalls.
These schemes can carry out audits for the three types of firewalls and then present the audit results, which can serve as a reference for security engineers performing network security checks. This paper has conducted the following work:

Firstly, for the Cisco ASA firewall, auditing rules and corresponding auditing methods are proposed on the basis of an analysis of NAT policies; moreover, NAT substitution and comparison algorithms are put forward. On this basis, a scheme for auditing the NAT policies of the Cisco firewall is designed.

Secondly, for the Huawei Eudemon and Juniper SRX firewalls, auditing rules and corresponding auditing methods are proposed on the basis of an analysis of ACL policies. Schemes for auditing the ACL policies of the Huawei and Juniper firewalls are designed respectively.

Finally, based on the designs of the auditing schemes for the three types of firewalls, this paper conducts a feasibility analysis. Through this analysis, these schemes can provide theoretical support for later research and development of firewall policy auditing systems.
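The "filtering out items with flaws" step of an ACL audit is illustrated below with an added example that is not from the thesis: given an ordered, first-match policy, it flags entries that an earlier entry already fully covers (redundant when the actions agree, shadowed when they differ). The `Rule` fields and the constructed sample policy are simplifications assumed here; vendor-specific configuration syntax is not parsed.

```python
# Added example (not the thesis's code): find ACL entries that can never match
# under first-match semantics because one earlier entry fully covers them.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str               # source CIDR; "0.0.0.0/0" means any
    dst: str               # destination CIDR; "0.0.0.0/0" means any
    dport: Optional[int]   # destination port; None means any port


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a (match fields only)."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    port_ok = a.dport is None or a.dport == b.dport
    return proto_ok and src_ok and dst_ok and port_ok


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (later_rule, earlier_rule, kind) for each rule fully covered by a single earlier rule.

    Only single-rule coverage is checked; a rule covered by the union of several
    earlier rules (but by none of them alone) is not reported.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break  # the first covering rule is the one that will actually match
    return findings


# Constructed sample policy (assumed, not taken from any real configuration).
SAMPLE_RULES = [
    Rule("R1", "permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", 443),
    Rule("R2", "deny", "ip", "10.1.0.0/16", "0.0.0.0/0", None),
    Rule("R3", "permit", "tcp", "10.1.2.0/24", "0.0.0.0/0", 443),   # duplicate of R1's scope
    Rule("R4", "permit", "udp", "10.1.2.0/24", "192.0.2.0/24", 53),  # R2 denies this first
    Rule("R5", "permit", "tcp", "192.168.0.0/16", "0.0.0.0/0", 22),
]


def audit_sample() -> List[Tuple[str, str, str]]:
    return find_shadowed(SAMPLE_RULES)


if __name__ == "__main__":
    for later, earlier, kind in audit_sample():
        print(f"{later} is {kind}: fully covered by earlier rule {earlier}")
```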