臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)
Record details
Author: 陳志豪
Author (English): Chih-Hao Chen
Title: 高階高速網路交換機之設計與實作 (Design and Implementation of a High-End High-Speed Network Switch)
Title (English): The Design and Implementation of Layer 7 High Speed Security Switch
Advisor: 黃能富
Advisor (English): Nen-Fu Huang
Degree: Master
Institution: 國立清華大學 (National Tsing Hua University)
Department: 資訊工程學系 (Department of Computer Science)
Discipline: Engineering
Subfield: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2004
Graduation academic year: 92 (ROC calendar)
Language: English
Pages: 57
Chinese keywords: Layer 2 switch, network security switch, intrusion detection, intrusion detection and prevention, firewall, worm, network attack
Statistics:
  • Cited: 0
  • Views: 103
  • Rating:
  • Downloads: 0
  • Bookmarked: 0
Abstract (Chinese, translated):
As Internet applications such as P2P (peer-to-peer), IM (Instant Messenger) and Spyware/Adware have flourished recently, network security issues have drawn ever more attention. Moreover, as attack-generation tools have become more convenient and widespread, DoS/DDoS attacks and worms (such as NetKey, Sasser, MS-Blaster, SQL Slammer and CodeRed) have grown increasingly rampant. As far as is known, software solutions running on a single host are no longer adequate to block these increasingly serious network attacks. Although intrusion detection and intrusion detection/prevention systems (IDP/IPS) have gradually taken their place and become well known, they are mostly installed at the enterprise network egress between the router and the firewall, and the lack of an effective defense-in-depth mechanism means a single IDP/IPS is still helpless against attacks that originate inside the network. The familiar Layer 2 switch has become the most widely deployed network device, so the effective way to contain attacks that originate inside the network is to upgrade Layer 2 switches into network security switches, so that every packet receives a security check between entering and leaving the switch's ports.
In this thesis we propose a flexible and cost-saving network security switch architecture under which packets are inspected and protected as they pass through the switch. In this architecture we design a gigabit-class network security engine capable of inspecting packets up to Layer 7, paired with a conventional managed Layer 2 switch. Using VLANs, every packet the switch receives is forwarded over the gigabit interface to the security engine for inspection; after inspection the packet is either filtered out for security reasons or sent back to the switch, which forwards it to the correct port according to its destination address. This architecture not only provides a solution for security inspection of intranet traffic but also greatly reduces deployment cost, since existing Layer 2 switches are upgraded rather than all being replaced.
Abstract (English):
Network security issues will receive more and more attention in the coming years as new and threatening Internet applications, such as P2P (peer-to-peer), IM (Instant Messenger), and Spyware/Adware, are deployed rapidly. DoS/DDoS attacks, such as worms (NetKey, Sasser, MS-Blaster, SQL Slammer, CodeRed, etc.), will also be launched more frequently as attacking tools become easier to use. It has been pointed out that a purely software-based solution on clients is no longer feasible for preventing these threatening applications and attacking worms. Although the Intrusion Detection and Prevention System (IDP/IPS) is becoming more popular for preventing such emerging threats and attacks, it is typically installed between the router and the firewall of an enterprise. Thus, for threatening or attacking traffic within the intranet, a single IDP/IPS system cannot furnish complete or efficient protection, because there is no defense-in-depth mechanism. As L2 switches are the most widely deployed network equipment in the world, the most efficient way to protect the intranet from attacks by affected clients appears to be upgrading the L2 switches into security switches, where the traffic between switching ports is verified and protected.
In this thesis, we propose a flexible architecture for a network security switch so that the traffic between switching ports is inspected and protected in a cost-effective way. In this architecture, a gigabit security engine with layer-7 packet inspection capability is designed to accompany a traditional managed L2 switch. By employing VLAN technology intelligently, every packet arriving at any switching port is forwarded to the security engine via the gigabit interface; after the security engine inspects the packet, it is either dropped (abnormal packet) or sent back to the switch (normal packet) and forwarded to the output port by the L2 switch according to the packet's original destination MAC address. The proposed security switch architecture not only provides deep-inspection protection for intranet traffic but also furnishes a very cost-effective solution, as the installed L2 switches are upgraded instead of replaced.
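The redirect-inspect-return flow that the abstract describes (every access-port frame is pushed over the uplink to the security engine before any forwarding decision, and only frames the engine returns are switched by destination MAC) is modeled below as an added Python example. It is not code from the thesis or from the author's implementation; the VLAN identifiers, port numbers, MAC addresses and the single substring "signature" are constructed for illustration, and the engine's layer-7 check is reduced to that substring match.

```python
"""Toy model of the VLAN-redirect security-switch architecture.

Assumptions (constructed for illustration, not taken from the thesis):
- access ports 1..N sit in an "inbound" VLAN whose only other member is the
  gigabit uplink to the security engine, so every ingress frame goes up to
  the engine before any switching decision is made;
- frames the engine returns arrive on the uplink tagged for an "outbound"
  VLAN, where the L2 switch forwards them by destination MAC as usual;
- the engine's layer-7 check is a simple substring signature match.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

INBOUND_VLAN = 10   # access port -> security engine (constructed value)
OUTBOUND_VLAN = 20  # security engine -> access ports (constructed value)
UPLINK = 0          # port number of the gigabit link to the engine (constructed)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes
    ingress_port: int
    vlan: Optional[int] = None


@dataclass
class SecurityEngine:
    # Constructed layer-7 signatures; a real engine uses a far richer rule set.
    signatures: Dict[str, bytes] = field(default_factory=dict)
    dropped: List[str] = field(default_factory=list)

    def inspect(self, frame: Frame) -> Optional[Frame]:
        """Return the frame re-tagged for the outbound VLAN, or None if dropped."""
        for name, pattern in self.signatures.items():
            if pattern in frame.payload:
                self.dropped.append(f"{name} from {frame.src_mac} port {frame.ingress_port}")
                return None
        return Frame(frame.src_mac, frame.dst_mac, frame.payload, UPLINK, OUTBOUND_VLAN)


@dataclass
class SecuritySwitch:
    access_ports: Set[int]
    engine: SecurityEngine
    mac_table: Dict[str, int] = field(default_factory=dict)

    def receive(self, frame: Frame) -> List[int]:
        """Process one ingress frame; return the list of egress ports it leaves on."""
        if frame.ingress_port in self.access_ports:
            # Learn the source MAC, tag the frame into the inbound VLAN (whose
            # only egress is the uplink) and hand it to the engine.
            self.mac_table[frame.src_mac] = frame.ingress_port
            frame.vlan = INBOUND_VLAN
            returned = self.engine.inspect(frame)
            if returned is None:
                return []          # abnormal frame: dropped by the engine
            return self.receive(returned)
        if frame.ingress_port == UPLINK and frame.vlan == OUTBOUND_VLAN:
            # Normal frame coming back: ordinary L2 forwarding by destination MAC.
            port = self.mac_table.get(frame.dst_mac)
            if port is not None and port in self.access_ports:
                return [port]
            # Unknown destination: flood every access port except the source's.
            src_port = self.mac_table.get(frame.src_mac)
            return sorted(p for p in self.access_ports if p != src_port)
        return []  # anything else arriving on the uplink is not forwarded


def demo() -> dict:
    """Run four constructed traffic cases and return their egress ports."""
    engine = SecurityEngine(signatures={"constructed-worm-signature": b"EVIL"})
    sw = SecuritySwitch(access_ports={1, 2, 3}, engine=engine)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed MACs
    return {
        # host B (port 3) sends to a not-yet-learned host A: flooded to ports 1 and 2
        "flood": sw.receive(Frame(b, a, b"hello", 3)),
        # host A (port 1) replies; B is now known on port 3
        "unicast": sw.receive(Frame(a, b, b"GET / HTTP/1.0", 1)),
        # same hosts, payload matches the signature: dropped by the engine
        "dropped": sw.receive(Frame(a, b, b"xxEVILxx", 1)),
        # a frame injected on the uplink without the outbound tag is not forwarded
        "spoofed_uplink": sw.receive(Frame(a, b, b"hi", UPLINK, INBOUND_VLAN)),
        "engine_log": list(engine.dropped),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The point the model makes explicit is that the switch never forwards a frame it received on an access port directly; forwarding only happens for frames that come back from the engine with the outbound tag, so the inspection cannot be bypassed by any host on the access ports, and the engine's drop log is the natural place to attach detection and alerting.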