With the spread and diversification of network applications, network security has received growing attention. Today, firewalls are the first line of network defense in most enterprises and are also the most important attack-response mechanism, and they will remain a key network security defense mechanism for the next few years. However, existing firewalls are constrained by where they are deployed and by their operating architecture; they encounter more and more problems and are gradually unable to defend against constantly changing attack techniques.

This thesis first surveys and analyzes the evolution of firewalls and their current problems. Taking the distributed firewall as a basis and adding the concepts of defense in depth and cooperative defense, it then proposes a cooperative firewall system in which every cooperative firewall host can cooperate with other defense mechanisms to achieve intrusion prevention. We present several possible cooperative defense schemes for the cooperative firewall system, discuss the difficulties in each, and propose solutions to them. The solutions include a new XML-based generic rule that addresses both the communication problem in cooperative defense and the management problem of distributed firewalls, and an internet worm detection and defense method that addresses the paralysis of the internal network while a worm is spreading.

The thesis also describes the system architecture, operating procedures and module design of the cooperative firewall system, and builds a prototype that resolves the internal-network paralysis caused by an internet worm and performs cooperative defense with an intrusion detection system to resist attacks, thereby demonstrating the effectiveness and applications of the cooperative firewall system.
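To make the idea of an XML-based generic rule concrete, the following Python example sketches how a cooperative firewall host might consume a rule document sent by a peer such as an IDS and turn it into local filter rules. This is an added illustration, not code or a schema from the thesis; the element names (`rules`, `rule`, `source`, `protocol`, `dport`), the `action`/`ttl` attributes, the sample addresses and the validation limits are all assumptions. The validation step is the part a defender cares about: a rule received from another host is input, so the receiver bounds its scope (no blanket blocks of huge prefixes), requires an expiry so cooperative rules do not accumulate forever, and only maps to a fixed set of actions.

```python
import ipaddress
import xml.etree.ElementTree as ET  # for XML from untrusted peers, prefer the defusedxml package

# Constructed sample rule document (hypothetical schema) as a peer IDS might send it.
SAMPLE_RULES = """<?xml version="1.0"?>
<rules>
  <rule id="r1" action="drop" ttl="600">
    <source>203.0.113.45</source>
    <protocol>tcp</protocol>
    <dport>445</dport>
    <reason>worm scanning detected by IDS</reason>
  </rule>
  <rule id="r2" action="reject" ttl="300">
    <source>198.51.100.0/24</source>
    <protocol>tcp</protocol>
    <dport>25</dport>
  </rule>
</rules>
"""

# Constructed sample that a receiver should refuse: it would block every source address.
OVERBROAD_RULES = """<rules>
  <rule id="r3" action="drop" ttl="600">
    <source>0.0.0.0/0</source><protocol>tcp</protocol><dport>80</dport>
  </rule>
</rules>"""

# Actions a peer may request, mapped to iptables targets (assumed local policy).
ALLOWED_ACTIONS = {"drop": "DROP", "reject": "REJECT"}
MIN_PREFIX_LEN = 16      # refuse peer-supplied sources broader than a /16 (assumed policy)
MAX_TTL_SECONDS = 86400  # every cooperative rule must expire within a day (assumed policy)


def parse_rules(xml_text):
    """Parse and validate the hypothetical generic-rule document.

    Returns a list of dicts; raises ValueError on any rule that fails validation,
    so a malformed or overbroad document is rejected as a whole.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "rules":
        raise ValueError("unexpected root element %r" % root.tag)
    rules = []
    for el in root.findall("rule"):
        action = el.get("action", "")
        if action not in ALLOWED_ACTIONS:
            raise ValueError("unsupported action %r" % action)
        ttl = int(el.get("ttl", "0"))
        if not 0 < ttl <= MAX_TTL_SECONDS:
            raise ValueError("ttl must be between 1 and %d seconds" % MAX_TTL_SECONDS)
        # strict=False lets a bare host address parse as a /32 network.
        src = ipaddress.ip_network((el.findtext("source") or "").strip(), strict=False)
        if src.prefixlen < MIN_PREFIX_LEN:
            raise ValueError("source %s is too broad for a peer-supplied rule" % src)
        proto = (el.findtext("protocol") or "").strip().lower()
        if proto not in ("tcp", "udp"):
            raise ValueError("unsupported protocol %r" % proto)
        dport = int((el.findtext("dport") or "0").strip())
        if not 1 <= dport <= 65535:
            raise ValueError("destination port out of range: %d" % dport)
        rules.append({
            "id": el.get("id", ""),
            "action": action,
            "ttl": ttl,
            "source": str(src),
            "protocol": proto,
            "dport": dport,
            "reason": (el.findtext("reason") or "").strip(),
        })
    return rules


def to_iptables(rule):
    """Render one validated rule as an iptables command string (not executed here)."""
    return ("iptables -I FORWARD -s %s -p %s --dport %d -j %s"
            % (rule["source"], rule["protocol"], rule["dport"], ALLOWED_ACTIONS[rule["action"]]))


def is_accepted(xml_text):
    """True if the whole document passes validation, False otherwise."""
    try:
        parse_rules(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        print("%s (expires in %ds, %s): %s" % (r["id"], r["ttl"], r["reason"] or "no reason", to_iptables(r)))
    print("overbroad document accepted:", is_accepted(OVERBROAD_RULES))
```

In a real deployment the rendered commands would be applied with a timer keyed to `ttl`, and the document would arrive over an authenticated channel; the parsing and scope checks above are what keep a misbehaving peer from using the cooperation channel to cut off the whole network.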