
National Digital Library of Theses and Dissertations in Taiwan


Detailed record

Author: 陳盈達
Author (English): Ying-ta Chen
Title: 網際網路防火牆政策驗證系統
Title (English): Internet Firewall Policy Verification System
Advisor: 劉安之
Degree: Master's
Institution: Feng Chia University (逢甲大學)
Department: Institute of Information Engineering (資訊工程所)
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Year of publication: 2006
Graduation academic year: 94
Language: Chinese
Pages: 71
Keywords (Chinese): 政策性網路管理; 網路安全政策目標; 防火牆規則分析; 存取控制清單
Keywords (English): access control list; policy-based network management; network security policy goal; firewall rule analysis
Statistics:
  • Cited by: 5
  • Views: 303
  • Rating: (none)
  • Downloads: 92
  • Bookmarked: 0
Internet firewalls are a fundamental core component of network security: they protect internal network elements and devices against external attacks. To avoid opening network security holes, the composition, ordering and deployment of a firewall's access control list (ACL) must be carefully considered and planned; otherwise rule anomalies easily arise. Writing and deploying firewall rules therefore becomes a difficult task, especially in a network with multiple firewalls. Because each firewall may be configured by a different person, network administrators usually cannot immediately see the scope and effect of a given firewall rule, and these problems tend to be discovered only after the network or system has been running for some time.
The goal of this thesis is to set up an effective network security policy verification environment that provides filtering-rule analysis and visualises monitoring information for the whole managed network. This environment lets administrators easily keep control of the overall network security policy and locate erroneous filtering rules.
To analyse firewall rules effectively and verify that the global policy goal is achieved, we use a device dependency graph to describe the upstream/downstream relationships between network elements (firewalls, routers and other devices that filter packets), and thereby the order in which traffic passes through them. We also use an array representation for the semantics of each access control list: the behaviour of the traffic governed by each ACL is recorded in its array, and the result inferred from these arrays is compared with the global network security policy goal defined by the administrators, so that they can see whether each device's configuration conforms to the global policy. When the comparison reveals an inconsistency, administrators can use that information to correct the access control list immediately.
Firewalls are core elements in network security. They are responsible for protecting internal network elements against outside attacks. The composition, order, and placement of the access control list in a firewall should be exhaustively considered and planned to avoid rule anomalies that open holes in network security. Therefore, the placement and composition of rules in firewalls becomes a very hard task, especially in an environment with multiple firewalls. Since the firewalls may be configured by different managers, the network managers cannot immediately know the effects and results caused by the firewall rules. The problems are usually discovered only after the network or system has been running.
The goal of this thesis is to establish an environment for verifying network security policy, and to build analysis functions for filtering rules that provide visual information about the managed network. It enables the network manager to control the network security policy and to know the location and the coverage of wrong filtering rules.
In order to effectively analyze the rules of firewalls and verify the global policy goal, we use a device dependency graph to describe the relationships between different network elements. Further, we use an array to represent the semantics of every access control list, recording the action applied to network traffic in the corresponding array. Network managers can understand whether the configuration of every device matches the global policy goal by comparing the result reasoned from the matrix with the global policy goal. If the result differs from the goal, managers can also use the comparison to reconfigure the access control list of the corresponding device immediately.
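As an added illustration (not the thesis's code, which this record does not reproduce), the following Python sketch follows the pipeline the abstract describes: first-match ACLs are turned into two-dimensional (source x destination) semantic arrays over a constructed address space of eight hosts, the arrays of the devices on a constructed dependency path (an edge firewall followed by a DMZ firewall) are composed, the composed behaviour is compared with a constructed global policy goal, and every mismatching cell is traced back to the device and rule index that produced it. The device names, rules and goal entries are all constructed assumptions.

```python
"""Toy version of the verification flow the abstract describes: each ACL is
turned into a two-dimensional (src x dst) semantic array, the arrays of the
devices on the dependency path are composed, the result is compared with the
global policy goal, and each mismatch is traced back to a device and rule.

Added example, not the thesis's code. Addresses are integers 0..N-1 standing
in for hosts; every device, rule and goal below is constructed."""
from dataclasses import dataclass

N = 8  # constructed address space: hosts 0..7 on both axes


@dataclass(frozen=True)
class Rule:
    src: range     # source addresses matched
    dst: range     # destination addresses matched
    action: str    # "permit" or "deny"


def acl_semantics(rules):
    """First-match evaluation of an ACL at every (src, dst) cell.

    A cell holds (action, rule_index); cells no rule matches become
    ("deny", None), mirroring a firewall's implicit deny-all."""
    grid = [[("deny", None)] * N for _ in range(N)]
    for s in range(N):
        for d in range(N):
            for i, r in enumerate(rules):
                if s in r.src and d in r.dst:
                    grid[s][d] = (r.action, i)
                    break
    return grid


def compose_path(path, semantics):
    """Effective verdict for traffic crossing every device in `path`, in order.

    Traffic arrives only if each filter on the dependency path permits it; the
    first device that denies decides, so its name and rule index are kept."""
    eff = [[None] * N for _ in range(N)]
    for s in range(N):
        for d in range(N):
            eff[s][d] = ("permit", None, None)
            for dev in path:
                action, idx = semantics[dev][s][d]
                if action == "deny":
                    eff[s][d] = ("deny", dev, idx)
                    break
    return eff


def verify(goal, path, semantics):
    """Compare composed behaviour with the global policy goal.

    Returns one finding per mismatching cell: (src, dst, expected, observed,
    culprit), where culprit names the ACL and rule responsible."""
    eff = compose_path(path, semantics)
    findings = []
    for g in goal:
        for s in g.src:
            for d in g.dst:
                observed, dev, idx = eff[s][d]
                if observed == g.action:
                    continue
                if observed == "deny":
                    where = f"rule {idx}" if idx is not None else "implicit deny"
                    culprit = f"{dev} {where}"
                else:
                    # every device let it through, so list each permitting rule
                    culprit = ", ".join(
                        f"{dev} rule {semantics[dev][s][d][1]}" for dev in path)
                findings.append((s, d, g.action, observed, culprit))
    return findings


# Constructed topology: outside traffic reaches the server zone through the
# edge firewall and then the DMZ firewall (the dependency path).
PATH = ["edge-fw", "dmz-fw"]
ACLS = {
    "edge-fw": [Rule(range(0, 4), range(4, 8), "permit"),   # outside -> servers
                Rule(range(0, N), range(0, N), "deny")],    # everything else
    "dmz-fw": [Rule(range(0, 2), range(4, 8), "permit"),    # partners -> all servers
               Rule(range(2, 4), range(4, 8), "deny")],     # monitoring hosts blocked
}
# Constructed global policy goal as the administrator would state it.
GOAL = [
    Rule(range(0, 2), range(4, 6), "permit"),  # partners may reach web servers 4-5
    Rule(range(2, 4), range(6, 8), "permit"),  # monitoring hosts may reach 6-7
    Rule(range(0, 4), range(0, 4), "deny"),    # outside never reaches the LAN 0-3
    Rule(range(0, 2), range(6, 8), "deny"),    # partners must not reach 6-7
]


def run_example():
    semantics = {dev: acl_semantics(rules) for dev, rules in ACLS.items()}
    return verify(GOAL, PATH, semantics)


if __name__ == "__main__":
    for s, d, expected, observed, culprit in run_example():
        print(f"src {s} -> dst {d}: goal {expected}, got {observed} ({culprit})")
```

Running it reports two kinds of inconsistency the abstract's comparison step is meant to surface: the DMZ firewall's second rule denies monitoring traffic the goal permits, and the two permit rules together let partner hosts reach servers 6-7 that the goal says must stay closed. The thesis works over real address and port ranges with a partitioned two-dimensional space; the dense grid here trades that efficiency for readability.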
Acknowledgements i
Abstract (Chinese) ii
Abstract iii
Contents iv
List of Figures vi
List of Tables vii
Chapter 1 Introduction 1
1.1 Motivation 1
1.2 Objectives 4
1.3 Thesis organisation 4
Chapter 2 Literature review 5
2.1 Introduction to firewalls 5
2.2 IETF/DMTF policy management architecture 8
2.3 Rule anomaly detection 11
2.3.1 Relationships between firewall rules 12
2.3.2 Intra-firewall anomalies 14
2.3.3 Inter-firewall anomalies 16
2.3.4 Drawbacks of rule anomaly detection 21
Chapter 3 Research framework and method 22
3.1 Representing semantics 22
3.1.1 Two-dimensional space representation 22
3.1.2 Partitioning the two-dimensional space 24
3.1.3 Data structures 29
3.1.4 Discussion 31
3.2 Definition of errors 31
3.3 Semantic verification model 34
3.4 Semantic transformation 35
3.5 Semantic checking algorithm 38
3.6 Error localisation 40
3.6.1 Locating the access control list 41
3.6.2 Locating the rule 41
Chapter 4 System implementation 43
4.1 System architecture 43
4.2 Implementation of resource collection and topology discovery 44
4.3 Semantic transformation 45
4.4 Semantic comparison 46
4.5 Global policy syntax 48
4.5 Implementation of the user interface 49
4.6 System demonstration 52
4.7 System performance analysis 55
4.7.1 Execution performance 55
4.7.2 Effectiveness of error localisation 57
4.7.3 Discussion 58
Chapter 5 Conclusions and future work 59
References 61
[1] E. Al-Shaer and H. Hamed, “Discovery of Policy Anomalies in Distributed Firewalls,” Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies, Vol. 4, pp. 2605-2616, 2004.
[2] E. Al-Shaer and H. Hamed, “Firewall Policy Advisor for Anomaly Discovery and Rule Editing,” Eighth International Symposium on Integrated Network Management, pp. 17-30, 2003.
[3] E. Al-Shaer, H. Hamed, R. Boutaba and M. Hasan, “Conflict Classification and Analysis of Distributed Firewall Policies,” IEEE Journal on Selected Areas in Communications, Vol. 23, Issue 10, pp. 2069-2084, 2005.
[4] E. Al-Shaer, “Managing Firewall and Network-Edge Security Policies,” Network Operations and Management Symposium, Vol. 1, p. 926, 2004.
[5] S. Hinrichs, “Policy-Based Management: Bridging the Gap,” Proceedings of the 15th Annual Computer Security Applications Conference, pp. 209-218, 1999.
[6] Y. Bartal, A. J. Mayer, K. Nissim, and A. Wool, “Firmato: A Novel Firewall Management Toolkit,” ACM Transactions on Computer Systems, Vol. 22, pp. 381-420, 2004.
[7] Y. Bartal, A. J. Mayer, K. Nissim, and A. Wool, “Firmato: A Novel Firewall Management Toolkit,” Proceedings of the 20th IEEE Symposium on Security and Privacy, pp. 17-31, 1999.
[8] A. Mayer, A. Wool, and E. Ziskind, “Fang: A Firewall Analysis Engine,” Proceedings of the IEEE Symposium on Security and Privacy, pp. 177-187, 2000.
[9] D. Eppstein and S. Muthukrishnan, “Internet Packet Filter Management and Rectangle Geometry,” Proceedings of the 12th Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 827-835, 2001.
[10] B. Hari, S. Suri and G. Parulkar, “Detecting and Resolving Packet Filter Conflicts,” Proceedings of IEEE INFOCOM 2000, Vol. 3, pp. 1203-1212, 2000.
[11] J. D. Guttman, “Filtering Postures: Local Enforcement for Global Policies,” Proceedings of the 1997 IEEE Symposium on Security and Privacy, pp. 120-129, 1997.
[12] D. Chapman and E. Zwicky, Building Internet Firewalls, Second Edition, O'Reilly & Associates Inc., 2000.
[13] J. Sedayao, Cisco IOS Access Lists, O'Reilly & Associates Inc., 2001.
[14] H. C. Lin, S. C. Lai, P. W. Chen and H. L. Lai, “Automatic Topology Discovery of IP Networks,” IEICE Transactions on Information and Systems, Vol. E83-D, No. 1, pp. 71-79, 2000.
[15] Discovering Internet Topology, URL: http://www.cs.cornell.edu/skeshav/papers.html
[16] H. C. Lin, S. C. Lai, and P. W. Chen, “An Algorithm for Automatic Topology Discovery of IP Networks,” Proceedings of the IEEE ICC’98, Vol. 2, pp. 1192-1196, June 1998.
[17] Y. Breitbart, M. Garofalakis, B. Jai, C. Martin, R. Rastogi, and A. Silberschatz, “Topology Discovery in Heterogeneous IP Networks: The NetInventory System,” IEEE/ACM Transactions on Networking, Vol. 12, pp. 401-414, June 2004.
[18] G. Mansfield, M. Ouchi, K. Jayanthi, Y. Kimura, K. Ohta, and Y. Nemoto, “Techniques for Automated Network Map Generation Using SNMP,” Proceedings of IEEE INFOCOM, Vol. 2, pp. 473-480, March 1996.
[19] C. C. Lo, S. H. Chen, and B. Y. Lin, “Coding-Based Schemes for Fault Identification in Communication Networks,” International Journal of Network Management, Vol. 10, Issue 3, pp. 157-164, May-June 2000.