With the growing popularity of the Internet and e-commerce, institutions and enterprises are actively investing resources to strengthen their network security systems in order to prevent intrusions into, or attacks on, their information systems. Among the various network security technologies, firewalls are the most widely used. However, the conventional firewall systems in use today are essentially application programs installed on network nodes or personal computers; they are inconvenient to deploy and manage, and they have become a bottleneck for both performance and security. To make firewall deployment and management easier without disrupting the network architecture, this project will design an embedded, distributed network security defense system, pioneering the integration of firewall functionality and a centrally managed network security defense mechanism into an ordinary network interface card. This brings several benefits to the overall defensive capability and security of the network:
1. Implement the concept of a distributed firewall, overcoming the shortcomings of conventional firewalls and improving the overall defensive capability and security of the network.
2. Design and implement an independently operating embedded system that replaces the ordinary network card, fully separating the operation of the firewall functions from the operating system of the host node, so that the impact on the node's existing network settings and running programs is kept to a minimum.
3. Additional network security function modules can be added to this independently operating embedded system whenever further security services are required.
4. Research and implement a network security policy server that provides different packet-filtering policies for different needs, realizing tailor-made firewall defense policies.
Because the applications of information systems keep growing, the demand for network security functions will keep increasing, and firewall systems and related technologies, with an adoption rate as high as 97%, still have considerable room for development. If this project succeeds in presenting its design concepts and implementation as a hardware prototype system, it will be a considerable contribution to the development of network security system technology.

With the rapid growth of Web services and e-commerce, organizations and enterprises have put effort into protecting their information services from attack and intrusion. Nowadays, firewall systems are the most widely applied technique among the Internet security services. However, the firewall systems in use are application programs installed on nodes or personal computers. They are inconvenient to deploy and manage, and they have become a bottleneck for performance and security. In order to make deployment and management easier without disrupting the network topology, while keeping a high level of performance and security, we plan to study another type of firewall design. In this project, we propose to design a distributed and embedded firewall system for Internet security. We combine the firewall functions and the central security policy system into the NIC (Network Interface Card). This project offers the following benefits:
1. Solve the shortcomings of the conventional firewall and enhance defensive capability on the Internet by using a distributed firewall system.
2. Transform the NIC into an embedded system that operates independently, and separate the firewall functions from the original nodes to reduce the complexity of node device settings and software operation.
3. Security function modules can be added conveniently to the independently operating embedded system when there is a demand for further security services.
4. The Central Security Policy Server (CSPS) can provide different security policies for filtering packets and offers convenient policy settings.
Due to the growth of Internet services and applications, online requirements demand security systems with high performance and a high security level. Although firewall-related technology has an adoption rate of 97%, it still does not fit all application requirements. If the hardware prototype in this project can be designed and implemented successfully, we believe it will bring further benefits for network security systems.
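As an added illustration, not part of the original abstract and not the project's own design or code, the following Python model shows the split the abstract describes: a Central Security Policy Server hands each node role a packet-filter rule set, and a NIC-resident filter enforces it with first-match, default-deny evaluation, checking a policy version so that an older policy is never applied over a newer one. The rule format, the role names, the version counter and the sample packets are all assumptions constructed for this example; a real NIC would evaluate frames in hardware or firmware rather than Python dictionaries.

```python
# Toy model of a distributed firewall: a Central Security Policy Server (CSPS)
# publishes per-role packet-filter policies, and a NIC-resident filter on each
# node pulls its policy and enforces it independently of the host OS.
# Rule format, roles, version counter and sample packets are constructed here
# for illustration; none of it is the project's own design.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"        # source CIDR
    dst: str = "0.0.0.0/0"        # destination CIDR
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))


class PolicyServer:
    """CSPS: one rule list per node role, stamped with an increasing version
    so a node can tell a newer policy from a stale one."""

    def __init__(self) -> None:
        self._policies: Dict[str, Tuple[int, Tuple[Rule, ...]]] = {}
        self._version = 0

    def set_policy(self, role: str, rules: List[Rule]) -> int:
        self._version += 1
        self._policies[role] = (self._version, tuple(rules))
        return self._version

    def fetch(self, role: str) -> Tuple[int, Tuple[Rule, ...]]:
        # A role with no policy gets an empty rule set: the NIC then denies all.
        return self._policies.get(role, (0, ()))


class NicFirewall:
    """Filter on the node's NIC. It holds only the rules it last synced from
    the CSPS and never consults the host operating system."""

    def __init__(self, role: str) -> None:
        self.role = role
        self.version = 0
        self.rules: Tuple[Rule, ...] = ()

    def sync(self, server: PolicyServer) -> bool:
        """Pull this role's policy; apply it only if newer than what we hold."""
        version, rules = server.fetch(self.role)
        if version <= self.version:
            return False
        self.version, self.rules = version, rules
        return True

    def decide(self, pkt: dict) -> str:
        """First matching rule wins; a packet matching no rule is dropped."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


# Constructed policy for a "web" role: public HTTPS, SSH only from the admin LAN.
WEB_POLICY = [
    Rule("allow", "tcp", dst="10.0.1.10/32", dport=443),
    Rule("allow", "tcp", src="10.0.0.0/24", dst="10.0.1.10/32", dport=22),
]

# Constructed sample traffic arriving at the web node's NIC.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.1.10", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.3", "dst": "10.0.1.10", "dport": 22},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 22},
    {"proto": "udp", "src": "203.0.113.7", "dst": "10.0.1.10", "dport": 53},
]


def run_demo() -> List[str]:
    """Provision the CSPS, sync one web node, and filter the sample packets."""
    csps = PolicyServer()
    csps.set_policy("web", WEB_POLICY)
    nic = NicFirewall("web")
    nic.sync(csps)
    return [nic.decide(p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_demo()):
        print(verdict, pkt)
```

Two design points carry over to a real deployment: the NIC denies anything its rule set does not explicitly allow, so a node that has not yet reached the policy server (or whose role is unknown) is closed rather than open, and the version check means a replayed or out-of-date policy pushed to a node cannot roll back a tighter one.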