Author: |
林福中 Fu Chung Lin |
---|---|
Thesis Title: |
以三階區域聯防與分層攔截之觀點建立資安防護管理架構 Information Protection Management Structure Using the Viewpoint of Three Stages Zone Defense and Layering Intercept |
Advisor: |
余尚武
Shang-Wu Yu |
Committee: |
賴源正
Yuan-Cheng Lai 林伯慎 Bor-Shen Lin |
Degree: |
碩士 Master |
Department: |
管理學院 - 資訊管理系 Department of Information Management |
Thesis Publication Year: | 2006 |
Graduation Academic Year: | 94 |
Language: | 中文 |
Pages: | 64 |
Keywords (in Chinese): | 駭客入侵 、防火牆 、區域聯防 、精準攔截 、系統存活 |
Keywords (in other languages): | Hacker intrusion, firewall, zone defense, precise intercept, System survival |
Reference times: | Clicks: 437 Downloads: 9 |
Share: |
School Collection Retrieve National Library Collection Retrieve Error Report |
在籃球運動中有所謂「區域聯防」的戰術,其目的是利用各區域的加強防衛動作來化解對手的攻擊行為。隨著駭客技術的不斷提升,過去傳統的單一網路閘道型防火牆已漸漸不適於現今企業架構中。我們必須結合主機型防火牆與個人電腦型防火牆再配合傳統閘道型防火牆的功能,讓其各司其職,各在其位,來達成全方位及最佳效能比的防衛架構,方能呈現出防火牆鐵三角的全新組合,為企業網路安全有效把關。
但關鍵的問題來了,趨勢科技之Office-scan不也粗具中央控管區域聯防之基本架構嗎?但效果如何?從疾風席捲全台就可得之,因Office-scan仍採內容過濾來辨識,雖每台電腦皆有安裝,但已知的可防,未知/新發生的不能防。故目前資訊業界正朝突破傳統之內容比對防護方式,朝Winsock與TCP/IP攔截點來著手。故區域聯防實以「精準攔截」為核心觀念,佈建於「閘道」、「伺服主機」與「各作業節點」之三階段內部防禦體系中,將危害區域網路安全之攻擊與後門程式行為,以階層分散的架構方式有效防堵,並防止災情擴散。其中「系統存活」實為區域聯防之終極目標,此情境實非僅全面性安裝內容比對防火牆或防毒軟體所能比擬。
本研究所建構之資訊安全防禦理念與攔截模式流程,除可驗證「病毒碼內容過濾」與「防火牆安全政策」之防禦機制不合時宜及合法掩護非法之後門程式植入系統之必然性外,並從模擬驗證中得到攔截點之驗證成果與三階段區域聯防之管理概念,達到本論文之研究目的。
There is a typical tactic calling "zone defense" in the basketball game. The purpose is enhancing the regional defense to dissolve the attack from opponent. The hacker techniques have grown rapidly, so the traditional firewall with single network gateway is gradually unwell in the present enterprise environments. In this thesis, a novel scheme is proposed. It is combined with three parts: the host firewall, the PC firewall, and the gateway firewall. Each firewall attends to its own duties and reaches the best effects in the defense structure. Then the all-new combination of firewall iron triangle is presented. And it provides the guarantee that the security of the enterprise networks.
The “OfficeScan,” a popular anti-virus product of Trend-Micro, has the basic structure of the center-controlled zone defense. But it is not effective in the case of virus event “Storm”. The OfficeScan adopts the content check to detect the malicious program. Although the OfficeScan has being installed to each computer. But it detects already known virus except unknown. So the unknown virus is the fatal wound. In the industrial circles recently, it is an important issue that defends the virus attack on the intercept point of “Winsock” and “TCP/IP.” It breaks the limit of traditional method “content check.” The major idea of zone defense is “precise intercept” that constructed in three stages of inner defend structures: gateway, sever and operation point. They defend the attacks of malice programs that damage the network security, and prevent the disaster spread. The system survival is the goal of the zone defense. And this scenario is powerful than the content check scheme built in the firewall or the anti-virus program.
The information security scheme using intercept model proposed in this thesis. It proves that the mechanisms based upon “virus pattern filter” and “firewall policy” are not robust. And it is difficult to detect the backdoor injection by fake program. In the experiments, this scheme allows us to provide “precise intercept” and “zone defense” in information security. Thus, our scheme can reach the purpose of this research.
中文部份:
[1] 黃志泰(2002),「資訊安全與資訊戰講義」,國防大學國防管理學院編印。
[2] 陳俊祥、黃富惠(2003),「網路安全有效解決方案之探討」。
[3] 曾宇瑞(2000),「網路安全縱深防護機制之研究」,國立中央大學資訊管理研究所碩士論文。
[4] 謝和興、張克章、陳政鎔(2000),「安全電子郵件反制攔截機制之研究」,國防管理學院學報第21卷第1期。
[5] 郭崇信(2002),「網路安全多層次聯防動態控管機制之研究」,國防管理學院國防資訊研究所碩士論文。
[6] 沈文吉(2000),「網路安全監控與攻擊行為之分析與實作」,國立台灣大學資訊管理研究所碩士論文。
[7] 嚴大中(2002),「網路防火牆系統安全之設計與分析」。
[8] 陳炳富(2002),「企業防火牆的最新架構—區域聯防」。
英文文獻:
[1] Ranum+, Marcus J. Ranum and Matt Curtin, “Internet Firewalls FAQ”
[2] Sutterfield 97, Lee Sutterfield, “Large-Scale Network Intrusion Detection”, Computer Security Journal, Vol.XII, No. 2, 1997, pp.41-48.
[3] ISS, SAFEsuit FAMILY – Realsecure, http://www.firewall.com.tw
[4] Lars Klander, Hacker proof : the ultimate guide to network security, McGraw-Hill, 1999, pp.1-45.
[5] Schepers 98, Filip Schepers, “Network-versus host-based intrusion detection”, Information Secuirty Technical Report, Vol.3, No.4, 1998, pp.32-42
[6] Gregory B. White, “Protecting the Real Corporate Network”, Computer Security Journal, Vol. XIV, No. 4, 1999, pp. 47-58
[7] Stallings 99 , William Stallings, Cryptography and Network Security: Principles and Practice, Chapter 16, Prentice-Hall, Inc., 1999, 2nd Ed
[8] Loew + 99, Robert Loew, Ingo Stengel, Udo Bleimann and Aidan McDonald, ”Security aspects of an enterprise-wide network architecture”, Internet Research, Vol.9, No. 1, 1999, pp.8-15