Abstract: Information technology advances rapidly, and people have come to rely excessively on network services to support all kinds of activities in daily life. The knowledge and money flowing through this virtual world are hard to estimate, which has attracted many criminals; network crime and sabotage occur one after another, and the cost of maintaining information security rises year by year. Enterprises therefore usually deploy security protection devices at the network gateway, such as firewalls, Unified Threat Management (UTM), Intrusion Prevention Systems (IPS), and anti-spam appliances.
In the evolution of security products, the traditional firewall is no longer sufficient, and although UTM can provide all-round basic protection, it cannot be perfect in both function and performance. Moreover, a single information security gateway platform can hardly withstand ever-changing probing and attacks over the long term. Combining it with other network gateway devices to form a cooperative defense-in-depth system is therefore a future trend.
In earlier defense-in-depth concepts, the combined devices mostly had to be of the same brand, or a third-party coordination product was needed to achieve cooperation. This study proposes a Cooperative Defense-in-depth Network Security Mechanism (CDNSM). Its main concept is to establish a management relationship among heterogeneous network platforms without any additional network management device controlling them; when a security event is confirmed, the platforms communicate with each other and build cooperative defense rules, forming a defense-in-depth system. By using the high-throughput layer-3 routing block capability of the router and the isolation zone established on the enterprise's core switch, the mechanism reduces potential security threats, provides early warning, and further protects the security devices themselves, realizing the idea of integrating heterogeneous network platforms into cooperative operation, so that malicious threats are blocked in a multi-layered manner and the overall protection capability inside the enterprise is raised. Finally, this study simulates and experiments with the CDNSM mechanism and verifies that it is indeed superior to existing mechanisms.
Due to the rapid improvement in Internet technology, most people have come to rely excessively on Internet-based services for information exchange, such as e-business, e-mail, VoIP, etc. This has made large amounts of information and money available in the virtual world and, consequently, has caused inestimable crime. Connecting a private (or enterprise) network to the Internet therefore exposes it to malicious attacks from anywhere in the world. In general, the owner of a network sets up its own information security services using devices such as a firewall, UTM (Unified Threat Management), IPS (Intrusion Prevention System), anti-SPAM and so on.
According to the development trend of network attack techniques, the traditional firewall is no longer good enough to block the various threats. Although UTM can provide basic protection, its functions and effectiveness are not comprehensive. Besides, a single information security gateway is also insufficient to defend against the variety of network attacks. Therefore, combining and coordinating independent network security devices to form a cooperative, defense-in-depth system will be a future trend.
In the past, a cooperative, defense-in-depth system required components of the same brand or a third-party coordinator to perform the security work. This study proposes a cooperative and defense-in-depth network security mechanism (CDNSM) that uses heterogeneous information security devices without an extra network control device. The mechanism first establishes a network management relation among the related devices so that they can communicate with each other. Then, when any threat is identified, it creates cooperative defense rules to form a defense-in-depth system. The resulting security system utilizes routers with high-performance routing filters at network layer 3 and core switches to form a segregated zone, decreasing the risk from potential information security threats. Furthermore, implementing this mechanism integrates heterogeneous information security devices and eradicates intentional threats through multiple layers of defense. Finally, this study uses Untangle UTM, a Cisco router, and a D-Link switch to implement the mechanism. The experimental results show that the performance of CDNSM is a significant improvement over that of the currently used mechanism.
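As an added illustration, not part of the thesis or its Untangle/Cisco/D-Link implementation, the following Python model shows the layered rule-building step that the abstract describes: confirmed UTM events are mapped to a router layer-3 block for external sources and to core-switch quarantine for internal hosts, while the UTM keeps its own rule. The address range, event format, and rule syntax are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed enterprise address range; a real deployment takes this from the site plan.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass
class SecurityEvent:
    """A threat report from the UTM (constructed sample format)."""
    src: str
    dst: str
    signature: str
    confirmed: bool  # only confirmed incidents are propagated to the other tiers


@dataclass
class CooperativeRules:
    """Rules pushed to each tier of the defense-in-depth chain (hypothetical)."""
    router_acl: list = field(default_factory=list)         # layer-3 block at the gateway router
    switch_quarantine: list = field(default_factory=list)  # isolation zone on the core switch
    utm_block: list = field(default_factory=list)          # rule retained on the UTM itself


def build_rules(events, rules=None):
    """Map confirmed events to one deduplicated rule per tier: an external attacker is
    dropped before reaching the UTM, an infected internal host is isolated at the core."""
    if rules is None:
        rules = CooperativeRules()
    for ev in events:
        if not ev.confirmed:
            continue  # unconfirmed alerts must not create blocks (false-positive self-DoS)
        if ip_address(ev.src) in INTERNAL_NET:
            rule = f"quarantine-vlan host {ev.src}"  # constructed switch syntax
            target = rules.switch_quarantine
        else:
            rule = f"deny ip host {ev.src} any"      # Cisco-style ACL entry
            target = rules.router_acl
        if rule not in target:
            target.append(rule)
        utm_rule = f"block {ev.src} -> {ev.dst} ({ev.signature})"
        if utm_rule not in rules.utm_block:
            rules.utm_block.append(utm_rule)
    return rules


# Constructed sample events as the UTM might report them
SAMPLE_EVENTS = [
    SecurityEvent("203.0.113.7", "10.1.0.5", "ssh-bruteforce", True),
    SecurityEvent("203.0.113.7", "10.1.0.6", "ssh-bruteforce", True),  # same source again
    SecurityEvent("10.1.2.3", "198.51.100.9", "botnet-c2", True),      # internal host
    SecurityEvent("198.51.100.44", "10.1.0.5", "port-scan", False),    # not confirmed
]
```

Calling `build_rules(SAMPLE_EVENTS)` yields one router ACL entry for 203.0.113.7, one switch quarantine for 10.1.2.3, and three UTM rules; the unconfirmed scan produces nothing.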