Abstract
To address the vulnerability of the conventional VPN implementation, this paper presents a hardware IP packet-filtering technique based on the MII interface. Using the Back-to-Back technique of physical-layer (PHY) chips, a hardware IP packet-filtering module is added to the conventional VPN architecture. This cuts the direct physical connection between the CPU module and the WAN, so that attackers on the WAN cannot scan, block or otherwise attack the operating system and protocol stack of the VPN device's CPU. Comparing against the conventional VPN implementation, the paper explains the logical structure of the improved VPN and its main packet-filtering flow. IP packets arriving from the WAN are matched and filtered before they reach the CPU at the back end, which secures the CPU module. The filtering technique requires no support from the CPU or the TCP/IP protocol stack; it is strongly attack-resistant, low in cost, keeps each module independent, and is flexible to modify.
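As an added illustration (not code from the paper), the stateless match the abstract describes, written as a C function over one raw MII frame: it decides from fixed header offsets alone, the way a hardware matcher sitting between the PHY and the CPU would, with no protocol stack behind it. The VPN address, the allow-list (ESP and IKE on UDP/500), the WAN source and the frame builder are assumptions for the example, not the paper's design.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ETH_HLEN 14
#define ETHERTYPE_IPV4 0x0800
#define IPPROTO_UDP 17
#define IPPROTO_ESP 50
#define IKE_PORT 500
/* Assumed outer address of the VPN device (documentation range 192.0.2.1). */
static const uint8_t VPN_ADDR[4] = {192, 0, 2, 1};
enum verdict { DROP = 0, PASS = 1 };

/* Stateless matcher over one raw MII frame: fixed offsets, no protocol stack.
 * PASS only for unfragmented IPv4 to VPN_ADDR carrying ESP or UDP/500 (IKE);
 * ARP, ICMP probes, TCP port scans and anything else never reach the CPU. */
enum verdict mii_filter(const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN + 20) return DROP;                     /* runt frame */
    if (((frame[12] << 8) | frame[13]) != ETHERTYPE_IPV4) return DROP;
    const uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HLEN + ihl) return DROP;
    if ((ip[6] & 0x3f) != 0 || ip[7] != 0) return DROP;       /* no reassembly here: drop fragments */
    if (memcmp(ip + 16, VPN_ADDR, 4) != 0) return DROP;       /* not addressed to the VPN endpoint */
    if (ip[9] == IPPROTO_ESP) return PASS;
    if (ip[9] == IPPROTO_UDP && len >= ETH_HLEN + ihl + 8) {
        const uint8_t *udp = ip + ihl;
        if (((udp[2] << 8) | udp[3]) == IKE_PORT) return PASS;
    }
    return DROP;
}

/* Constructed test frame: Ethernet + 20-byte IPv4 header + 8-byte L4 stub
 * from an assumed WAN source 198.51.100.7. Writes 42 bytes, returns length. */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto,
                   const uint8_t dst[4], uint16_t dport)
{
    static const uint8_t src[4] = {198, 51, 100, 7};
    memset(buf, 0, 42);
    buf[12] = (uint8_t)(ethertype >> 8); buf[13] = (uint8_t)ethertype;
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                   /* version 4, IHL 5 */
    ip[3] = 28;                     /* total length 20 + 8 */
    ip[9] = proto;
    memcpy(ip + 12, src, 4); memcpy(ip + 16, dst, 4);
    ip[22] = (uint8_t)(dport >> 8); ip[23] = (uint8_t)dport;  /* L4 dst port */
    return 42;
}
```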
Source
《计算机安全》 (Network & Computer Security), 2011, No. 10, pp. 6-8 (3 pages)