美國電腦安全協會在「2009年電腦犯罪與安全調查」報告顯示,30%的資安專家曾處理過內部人士濫用網路事件,15%處理過內部人士未授權連接。因為區域網路所使用的TCP/IP與IEEE 802.3技術沒有認證功能,導致這些資安事件層出不窮。若有一套網路認證系統的解決方案,要求使用者需先經過認證才能存取網路,對企業資訊安全會有很大助益。 然則目前現有解決方案,有些導入成本高,有些功能不足,有些會與現況產生衝突。本研究提出一套網路認證系統的架構,以開放原始碼為基礎,結合DHCP、DNS與防火牆的功能與技術,其設計與建置的原則是:用最小導入成本,並能相容於現有情況,來達到最大效益。 此系統主要特色與功能有: 1. 相容現況:現有網路設備可以繼續使用,只需把網路架構做些調整即可有網路認證的功能。 2. 認證使用:使用者電腦需先通過認證,才能存取區域網路與外部網路,未通過認證會被網路認證系統予以阻擋攔截。 3. 系統管理:監視使用者認證連線,即時得知網路現況,並能透過報表了解系統運作情形。 並經過網路流量與連線數量的實驗,證實此系統能實際應用於真實企業網路環境。一個兼俱低成本與高效益表現的網路認證系統,是本研究的貢獻。Review the “2009 CSI Computer Crime & Security Survey” from Computer Security Institute (CSI), 30% of information security experts processed the event of “Insider abuse of Internet access”, 15% processed the event of “Unauthorized access by insider”. Because of the technology TCP/IP and IEEE 802.3 used by LAN lack of authentication, this is an endless event of information security now and future, but will be helpful if adopting one network authentication solution ask user to do authentication first before access network. But all network authentication solutions, some are expensive, some are insufficient, and some will make an impact on current state. This thesis brings one type of network authentication system, with the technology DHCP, DNS and Firewall based on the open source software. Idea to build this system is: the lowest cost, the best compatibility, and the highest performance. The features and functions of this system are: 1. Compatibility: All current network equipments can be used after adopting this system, just make a little adjustment in the network structure. 2. Authentication: All users must to do authentication so that be allowed to access the LAN and WAN, or be blocked by this system without doing it. 3. Administration: System administrator can monitor current authenticated session, get the network state, and the system operation status by doing a query to show the report in this system. This authentication system was verified that can be applied to the real business network environment because of two examinations: the maximum network throughput and the maximum network connections, so that one system both low cost and high performance is the contribution of this thesis.
