Basic Search / Detailed Display

Author: 林福中
Fu Chung Lin
Thesis Title: 以三階區域聯防與分層攔截之觀點建立資安防護管理架構
Information Protection Management Structure Using the Viewpoint of Three Stages Zone Defense and Layering Intercept
Advisor: 余尚武
Shang-Wu Yu
Committee: 賴源正
Yuan-Cheng Lai
Bor-Shen Lin
Degree: 碩士
Department: 管理學院 - 資訊管理系
Department of Information Management
Thesis Publication Year: 2006
Graduation Academic Year: 94
Language: 中文
Pages: 64
Keywords (in Chinese): 駭客入侵防火牆區域聯防精準攔截系統存活
Keywords (in other languages): Hacker intrusion, firewall, zone defense, precise intercept, System survival
Reference times: Clicks: 166Downloads: 9
School Collection Retrieve National Library Collection Retrieve Error Report


There is a typical tactic calling "zone defense" in the basketball game. The purpose is enhancing the regional defense to dissolve the attack from opponent. The hacker techniques have grown rapidly, so the traditional firewall with single network gateway is gradually unwell in the present enterprise environments. In this thesis, a novel scheme is proposed. It is combined with three parts: the host firewall, the PC firewall, and the gateway firewall. Each firewall attends to its own duties and reaches the best effects in the defense structure. Then the all-new combination of firewall iron triangle is presented. And it provides the guarantee that the security of the enterprise networks.
The “OfficeScan,” a popular anti-virus product of Trend-Micro, has the basic structure of the center-controlled zone defense. But it is not effective in the case of virus event “Storm”. The OfficeScan adopts the content check to detect the malicious program. Although the OfficeScan has being installed to each computer. But it detects already known virus except unknown. So the unknown virus is the fatal wound. In the industrial circles recently, it is an important issue that defends the virus attack on the intercept point of “Winsock” and “TCP/IP.” It breaks the limit of traditional method “content check.” The major idea of zone defense is “precise intercept” that constructed in three stages of inner defend structures: gateway, sever and operation point. They defend the attacks of malice programs that damage the network security, and prevent the disaster spread. The system survival is the goal of the zone defense. And this scenario is powerful than the content check scheme built in the firewall or the anti-virus program.
The information security scheme using intercept model proposed in this thesis. It proves that the mechanisms based upon “virus pattern filter” and “firewall policy” are not robust. And it is difficult to detect the backdoor injection by fake program. In the experiments, this scheme allows us to provide “precise intercept” and “zone defense” in information security. Thus, our scheme can reach the purpose of this research.

中文摘要 I 英文摘要 III 誌謝 V 目錄 VI 圖目錄 VIII 表目錄 IX 第一章 緒 論 1 1.1研究動機與目的 1 1.2研究方法與流程 2 1.3研究範圍與限制 2 第二章 文獻探討 4 2.1 駭客入侵攻擊相關文獻探討 4 2.2 入侵偵測與防火牆系統相關文獻探討 6 2.3 網路安全縱深防護探討 10 2.4 防火牆的最新架構—區域聯防與攔截概念 14 第三章 區域聯防及分層攔截之架構 18 3.1 概述 18 3.2 集中控管及區域聯防 19 3.3 分層攔截 21 3.4 設計理念 23 3.5 模式建構 25 第四章 實際驗證 29 4.1 測試環境建置 29 4.2 實證經過與結果分析 32 第五章 結論與建議 63 5.1 結論 63 5.2 未來研究建議 63 參考文獻 65 附錄一 67 附錄二 71 附錄三 75

[1] 黃志泰(2002),「資訊安全與資訊戰講義」,國防大學國防管理學院編印。
[2] 陳俊祥、黃富惠(2003),「網路安全有效解決方案之探討」。
[3] 曾宇瑞(2000),「網路安全縱深防護機制之研究」,國立中央大學資訊管理研究所碩士論文。
[4] 謝和興、張克章、陳政鎔(2000),「安全電子郵件反制攔截機制之研究」,國防管理學院學報第21卷第1期。
[5] 郭崇信(2002),「網路安全多層次聯防動態控管機制之研究」,國防管理學院國防資訊研究所碩士論文。
[6] 沈文吉(2000),「網路安全監控與攻擊行為之分析與實作」,國立台灣大學資訊管理研究所碩士論文。
[7] 嚴大中(2002),「網路防火牆系統安全之設計與分析」。
[8] 陳炳富(2002),「企業防火牆的最新架構—區域聯防」。

[1] Ranum+, Marcus J. Ranum and Matt Curtin, “Internet Firewalls FAQ”
[2] Sutterfield 97, Lee Sutterfield, “Large-Scale Network Intrusion Detection”, Computer Security Journal, Vol.XII, No. 2, 1997, pp.41-48.
[3] ISS, SAFEsuit FAMILY – Realsecure,
[4] Lars Klander, Hacker proof : the ultimate guide to network security, McGraw-Hill, 1999, pp.1-45.
[5] Schepers 98, Filip Schepers, “Network-versus host-based intrusion detection”, Information Secuirty Technical Report, Vol.3, No.4, 1998, pp.32-42
[6] Gregory B. White, “Protecting the Real Corporate Network”, Computer Security Journal, Vol. XIV, No. 4, 1999, pp. 47-58
[7] Stallings 99 , William Stallings, Cryptography and Network Security: Principles and Practice, Chapter 16, Prentice-Hall, Inc., 1999, 2nd Ed
[8] Loew + 99, Robert Loew, Ingo Stengel, Udo Bleimann and Aidan McDonald, ”Security aspects of an enterprise-wide network architecture”, Internet Research, Vol.9, No. 1, 1999, pp.8-15

Full text public date This full text is not authorized to be published. (Internet public)
Full text public date This full text is not authorized to be published. (National library)