Given the trend in network attack techniques, traditional firewalls are no longer sufficient to block the full range of security threats. Unified Threat Management (UTM) can provide comprehensive basic protection, but it cannot be perfect in both functionality and performance, and a single information security gateway platform is hard pressed to withstand rapidly changing network attacks over the long term. Combining it with other network gateway devices that cooperate to form a defense in depth is therefore a future trend. Earlier defense-in-depth concepts mostly required the combined devices to be of the same brand, or relied on a third-party coordination product to achieve cooperation. This study proposes a Cooperative Defense-in-depth Network Security Mechanism (CDNSM) that uses heterogeneous security devices and needs no additional control device. The mechanism first establishes management relationships among the relevant heterogeneous network devices so that they can communicate with one another; when a security event is confirmed, cooperative defense rules are created, forming a defense-in-depth system. The system uses a router with network layer 3 path filtering together with the enterprise core switch to establish an isolation zone, reducing the risk of potential security threats through multiple layers of defense. Finally, this study implements CDNSM with heterogeneous devices, namely Untangle UTM, Cisco Router and D-Link Switch; the experimental results show a significant performance improvement over the mechanisms used by existing vendors.
Given the development trend of network attack techniques, the traditional firewall is no longer good enough to block the various security threats. Although UTM can provide basic protection, its functionality and effectiveness are not comprehensive. Besides, a single information security gateway is also insufficient to defend against the full range of network attacks. Therefore, combining and coordinating independent network security devices to form a cooperative defense-in-depth system will be a future trend. In the past, a cooperative defense-in-depth system was required to have components of the same brand, or a third-party coordinator, to perform the security work. This study proposes a cooperative defense-in-depth network security mechanism (CDNSM) that uses heterogeneous information security devices without an extra network control device. The mechanism first establishes the network management relation among the related heterogeneous devices so that they can communicate with one another. Then, when any threat is confirmed, it creates cooperative defense rules to form a defense-in-depth system. This security system uses routers with network layer 3 routing filters together with core switches to form a segregated zone, decreasing the risk of potential information security threats through multiple layers of defense. Finally, this study uses Untangle UTM, Cisco Router, and D-Link Switch to implement the mechanism. The experimental results show that the performance of CDNSM is a significant improvement over that of the currently used mechanisms.
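As an added illustration (not code from the paper), the following Python model shows how confirmed events reported by the UTM could be turned into cooperative rules for the other two layers: a Cisco IOS extended ACL for the router's layer 3 path filter and an isolation action for the core switch. The event fields, the ACL number, the switch-port naming and the switch-side action strings are assumptions; the sample events are constructed.

```python
"""Toy model of CDNSM cooperative rule creation (added example, not the paper's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set
import ipaddress


@dataclass
class SecurityEvent:
    """Event as the UTM might report it to its peers (fields are assumptions)."""
    src_ip: str
    dst_ip: str
    confirmed: bool                  # only confirmed events create cooperative rules
    switch_port: Optional[str] = None  # access port of an internal host, if known


@dataclass
class DefenseRules:
    router_acl: List[str] = field(default_factory=list)      # Cisco IOS extended ACL lines
    switch_actions: List[str] = field(default_factory=list)  # abstract core-switch actions
    utm_blocks: Set[str] = field(default_factory=set)        # sources the UTM keeps blocking


def build_rules(events, internal_net="192.168.10.0/24", acl_id=110):
    """Derive one rule set for all three layers from the confirmed events."""
    rules = DefenseRules()
    net = ipaddress.ip_network(internal_net)
    for ev in events:
        if not ev.confirmed or ev.src_ip in rules.utm_blocks:
            continue  # unconfirmed or already handled: no new rule
        rules.utm_blocks.add(ev.src_ip)
        # Layer 3: deny the source towards the protected network (wildcard mask form).
        rules.router_acl.append(
            f"access-list {acl_id} deny ip host {ev.src_ip} "
            f"{net.network_address} {net.hostmask}")
        # Layer 2: an internal attacker on a known port is isolated at the core switch
        # (hypothetical action string; real switch syntax is vendor specific).
        if ipaddress.ip_address(ev.src_ip) in net and ev.switch_port:
            rules.switch_actions.append(
                f"isolate port {ev.switch_port} (host {ev.src_ip})")
    # Explicit permit so the ACL keeps forwarding legitimate traffic.
    rules.router_acl.append(f"access-list {acl_id} permit ip any any")
    return rules


def sample_events():
    """Constructed sample: external attacker seen twice, internal host, unconfirmed alert."""
    return [
        SecurityEvent("203.0.113.7", "192.168.10.20", True),
        SecurityEvent("192.168.10.55", "192.168.10.1", True, "Gi1/0/5"),
        SecurityEvent("198.51.100.9", "192.168.10.20", False),
        SecurityEvent("203.0.113.7", "192.168.10.21", True),
    ]
```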