基于802.1x和dfw的網(wǎng)絡(luò)安全研究及nac系統(tǒng)的設(shè)計(jì)與實(shí)現(xiàn)

1、華中科技大學(xué)碩士學(xué)位論文基于802.1X和DFW的網(wǎng)絡(luò)安全研究及NAC系統(tǒng)的設(shè)計(jì)與實(shí)現(xiàn)姓名：周曉申請(qǐng)學(xué)位級(jí)別：碩士專業(yè)：通信與信息系統(tǒng)指導(dǎo)教師：王芙蓉20060428II Abstract Network security technology attracts more and more attention with the development of information technology, which prompts th

2、e prosperity of the firewall, access control and other several techniques related to network security. Per the requirement of security and accounting, the 802.1x based on port control becomes the mainstream of authentica

3、tion, meanwhile, the distributed firewall characterized by “centralized management and distributed protection” turns into an important solution via efficient port aegis. Almost more than 70% security threat comes from th

4、e intranet, the authenticated hosts sometimes work as the attack source unconsciously or desperately, which is difficult for the network managers to prevent. So they wish to control all the hosts when they accessing the

5、intranet via a new trust mode both authentication and host’s security status are implemented. The thesis conduct the research based on the 802.1x authentication and distributed firewall, then provides a real solution for

6、 it. First, systematical analysis is laid on the protocols of 802.1X, EAP, RADIUS. Construing the principle of 802.1X, the paper carries out the extension from based on port to based on user. Construing the workflow of E

7、AP, RADIUS, packet format, the carrying of private information is implemented via the EAPOL frame. Second, much emphasis is placed on the research of the principle and flowchart of firewall system. Through the analysis

8、on policy server, host firewall and boundary firewall, the combination of host integrity check and 802.1X authentication is advanced. Comparing several packet holding technologies, and combined EAPOL’s carrying private i

9、nformation, the legal transfer of HI results is achieved. At last, a new trust mode is defined based on the authentication and host integrity, in which the author makes use of the security deficiency of current 802.1X, a

10、nd realized the “transparent” span of HI-Judge Server. In the implement, WMI is used to check the host integrity, NDIS to hold up the 802.1X packet. And the detailed authentication process in NAC system is introduced. Ke