Research on Network Security Based on 802.1X and DFW, and the Design and … of a NAC System (3)

Date: 2026-01-20

Research on Network Security Based on 802.1X and DFW, and the Design and Implementation of a NAC System

Abstract

Network security technology attracts more and more attention as information technology develops, which has driven the growth of firewalls, access control and several other network security techniques. To meet security and accounting requirements, port-based 802.1X has become the mainstream authentication method; meanwhile, the distributed firewall, characterized by “centralized management and distributed protection”, has become an important solution through efficient port protection. More than 70% of security threats come from the intranet, and authenticated hosts sometimes act as the attack source, unknowingly or desperately, which is difficult for network managers to prevent. They therefore want to control every host that accesses the intranet through a new trust mode that enforces both authentication and the host's security status. This thesis conducts research based on 802.1X authentication and the distributed firewall, and provides a real solution.

First, the 802.1X, EAP and RADIUS protocols are analyzed systematically. By analyzing the principle of 802.1X, the paper extends it from port-based to user-based. By analyzing the workflow and packet formats of EAP and RADIUS, the carrying of private information is implemented via the EAPOL frame.

Second, much emphasis is placed on the principle and workflow of the firewall system. Through analysis of the policy server, host firewall and boundary firewall, the combination of the host integrity (HI) check and 802.1X authentication is put forward. By comparing several packet-holding technologies, and using EAPOL's ability to carry private information, the legitimate transfer of HI results is achieved.

Finally, a new trust mode is defined based on authentication and host integrity, in which the author makes use of a security deficiency of current 802.1X to realize the “transparent” span of the HI-Judge Server. In the implementation, WMI is used to check host integrity and NDIS to hold up 802.1X packets. The detailed authentication process in the NAC system is also introduced.

Keywords: 802.1X; Distributed Firewall; EAP; Host Firewall; HI-Judge Server; Network Access Control
