National Digital Library of Theses and Dissertations in Taiwan

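Graduate student: 陳志雄
Graduate student (romanized name): Chih-hsiung Chen
Thesis title (Chinese): 網路存取控管的實施方法改善
Thesis title (English): An Enhanced Enforcement of Network Admission Control
Advisor: 汪順祥
Advisor (romanized name): Shuenn-Shyang Wang
Degree: Master's
Institution: Tatung University (大同大學)
Department: Graduate Institute of Communication Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2011
Academic year of graduation: 99
Language: English
Number of pages: 57
Chinese keywords: 網路存取控管 (network access control)
English keywords: Network Admission Control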
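Network access control (NAC) is an important part of building a secure information security environment. NAC covers the authentication and identification of devices or users when they access the network, integrity checks of network endpoint systems, the use of network identity and role as the basis for resource access control, defense against network attack threats, and the monitoring and auditing of network user behavior. This thesis analyzes the main NAC architectures: edge enforcement, in-line enforcement, hybrid enforcement and protocol-based enforcement. The analysis finds that when an enterprise wants to deploy NAC in an existing network, edge enforcement is the best choice of architecture. Although edge enforcement is the best choice, its endpoint quarantine and restore performance for system integrity checks falls short of in-line enforcement, hybrid enforcement and protocol-based enforcement. To improve the endpoint quarantine and restore performance required for system integrity checks, this thesis proposes a new enhanced edge enforcement architecture. The architecture offers an ideal method for endpoint quarantine and restoration: it uses the packet access control mechanism provided by network switches to quarantine endpoints by physical address, based on the physical addresses of non-compliant endpoints received from the endpoint-check host. It does so without changing network settings, while system remediation proceeds at the same time and the endpoint system status is reported promptly to the endpoint-check host. This ideal endpoint quarantine method greatly improves the efficiency of NAC and simplifies the NAC process.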
Network access control (NAC) is an important part of establishing a secure environment for information security. Network access control comprises the authentication of a network access device or a user, integrity checks of the network endpoint system, role-based control, threat control, and network monitoring and auditing of user behavior. By analyzing the major architectures of network access control, including edge enforcement, in-line enforcement, hybrid enforcement and protocol-based enforcement, it is found that edge enforcement is an excellent choice for most enterprises looking to add NAC to their existing networks. This thesis aims to enhance the endpoint quarantine and restore performance of the system integrity check for the edge enforcement NAC architecture.
TABLE OF CONTENTS
ENGLISH ABSTRACT
CHINESE ABSTRACT
ACKNOWLEDGEMENTS
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
CHAPTER 1 Introduction
1.1 Authentication
1.1.1 Active Directory
1.1.2 IEEE 802.1X
1.1.3 MAC-based authentication
1.1.4 Web-based authentication
1.2 Host integrity check
1.2.1 Clientless strategy
1.2.2 Client-based strategy
1.2.3 HIC check points
1.3 Identity-based control
1.4 Threat control
1.5 Visibility and audit
1.5.1 sFlow
1.5.2 NetFlow
1.5.3 Deep Packet Inspection (DPI)
CHAPTER 2 Existing NAC enforcement
2.1 Five key criteria -- differentiate enforcement approaches
2.2 Edge enforcement
2.3 In-line enforcement
2.4 Hybrid enforcement
2.5 Protocol-based enforcement
2.6 Security
2.7 Flexibility
2.8 Pragmatic deployment and risk of failure
2.9 Distribute enforcement, performance, and scalability
2.10 Cost
2.11 Comparison of five key criteria for enforcements
CHAPTER 3 Proposed enhanced edge enforcement
3.1 Enhanced edge enforcement
3.2 The flow of enhanced edge enforcement
3.3 Comparison of six approaches to enforcement
CHAPTER 4 Conclusion
REFERENCES