NCU Institutional Repository (theses and dissertations, past exam papers, journal articles, research projects, and more available for download): Item 987654321/98247
    Please use this permanent URL to cite or link to this item: https://ir.lib.ncu.edu.tw/handle/987654321/98247


    Title: Biforch: A system Improving Firewall Orchestration, Reverse proxy Configuration, and Harmonization
    Author: 張哲庭; Chang, Che-Ting
    Contributor: Department of Computer Science and Information Engineering
    Keywords: Firewall; Reverse Proxy; Biforch
    Date: 2025-07-16
    Upload time: 2025-10-17 12:32:30 (UTC+8)
    Publisher: National Central University
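    Abstract: With the spread of cloud-native technologies and microservice architectures, enterprises increasingly rely on reverse proxies (Layer 7) as a unified entry point. However, when protection is to be planned with the service as the smallest unit, access rules are forced to be split across two tiers of equipment, and the rise in configuration complexity also creates security risk.

    This thesis proposes the Biforch framework, which uses a "Service-as-Alias" model to abstract each service as a firewall alias, defines access policies centrally at a single firewall entry point, and translates and synchronizes the related rules to the reverse proxy. The Core-Agent abstraction is vendor-neutral, so it can support firewalls of multiple brands, such as FortiGate and OPNsense, as well as mainstream reverse proxy software.

    Tests in a 1.4 GHz, 1 vCPU environment show that Biforch still runs under low load when synchronizing multiple rules under stress. In the theoretical analysis, Biforch's configuration steps are better than manual configuration steps, and because rules are concentrated in one place and presented as semantic aliases, readability is greatly improved.

    The study confirms that Biforch can coordinate L3/L4 and L7 access control at low cost without changing the existing topology, reduce the risk of human configuration error, and offer small and medium-sized organizations a feasible "minimal intrusion" path toward zero trust and micro-segmentation.

    With the growing adoption of cloud-native technologies and microservice architectures, enterprises increasingly rely on Layer-7 reverse proxies as a single entry point. When security policies must be defined at the service level, however, access rules become fragmented across two tiers of equipment, driving up configuration complexity and, consequently, security risk.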

    This paper presents Biforch, a framework that introduces a Service-as-Alias model: each service is abstracted as a firewall alias, so access policies can be defined once—at a single firewall interface—then translated and synchronized to every reverse proxy. Thanks to its vendor-neutral Core–Agent design, Biforch supports multiple firewall brands (e.g., FortiGate, OPNsense) as well as mainstream reverse-proxy software.

    Stress tests on a modest 1.4 GHz, 1-vCPU platform show that Biforch remains lightweight even when synchronizing hundreds of rules. Theoretical analysis further demonstrates that Biforch requires fewer configuration steps than manual workflows, while concentrating rules in one place and expressing them through semantic aliases that greatly improve readability.

    Overall, the study confirms that Biforch can coordinate L3/L4 and L7 access control at low cost—without changing existing network topologies—significantly reducing human-error risk. It therefore offers small- and medium-sized organizations a minimal-intrusion path toward zero-trust security and fine-grained micro-segmentation.
    Appears in Collections: [Graduate Institute of Computer Science and Information Engineering] Theses and Dissertations

    All items in NCUIR are protected by original copyright.