Abstract (Chinese version, translated): As enterprise information environments grow increasingly complex, network attack techniques keep evolving, developing from early external intrusions into lateral-movement attacks, internal penetration and multi-stage threats. Facing such information security risks, enterprises must build a flexible and scalable security protection environment; among the options, the multi-layer firewall (Multi-Layer) architecture has gradually become the mainstream protection strategy. By deploying firewall devices with specific functions in different network segments, it not only resists various external attacks effectively but also protects the internal network, achieving the overall goal of defense in depth. However, although a multi-layer architecture has the advantage of security strength, actual deployment still brings management challenges. Especially where heterogeneous firewalls coexist, significant differences between brands in rule configuration syntax, management interfaces and query mechanisms readily lead to firewall rule misconfiguration, rule conflicts or redundancy, which in turn affects the consistency of policy enforcement and overall performance. To help administrators compare multi-layer rules effectively and identify potential risks, this study designs an automated firewall rule management assistant tool named PolicyRefie, which raises the consistency of firewall rules through a unified rule parsing architecture and detection modules, reduces the errors and labor burden caused by manual comparison, and establishes a rapid response mechanism for potential security incidents. In addition, by integrating visualized output into a single management platform, unified rule management across firewall brands can be achieved. This study has completed the design and implementation of a prototype system and tested and verified it with rules obtained from a real enterprise environment, confirming that the system can strengthen firewall rule accuracy and enforcement consistency and effectively reduce the risk of misconfiguration and rule conflicts.

Abstract (English version): As enterprise information environments grow increasingly complex, cyberattack techniques have also evolved, from early external intrusions to more sophisticated threats such as lateral movement, internal infiltration, and multi-stage attacks. To address these risks, organizations must adopt flexible and scalable defense architectures. Among them, the multi-layer firewall has become a mainstream strategy. By deploying firewalls with specific functions across network segments, enterprises can effectively block external attacks and protect internal networks, achieving the goal of defense-in-depth. Despite its security advantages, a multi-layered setup presents real-world management challenges. In particular, the coexistence of heterogeneous firewalls from different vendors results in inconsistencies in rule syntax, interfaces, and query mechanisms. These often cause misconfigurations, rule conflicts, or redundancies, undermining policy consistency and overall effectiveness. To resolve these issues, this study proposes an automated firewall rule management assistant tool, PolicyRefie. It integrates a unified rule parsing framework and detection modules to help administrators compare cross-layer rules, identify potential risks, and improve policy consistency. It also reduces manual workload and supports rapid responses to potential incidents. In addition, the system provides visualized outputs integrated into a centralized platform for consistent rule management across heterogeneous firewalls. The prototype was developed and tested using real enterprise firewall configurations. Results show that the system significantly improves rule accuracy and execution consistency while reducing risks of misconfiguration and conflict.
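The abstract describes the core mechanism only in outline: rules from different vendors are parsed into one common representation, and detection modules then look for rules that are redundant, conflicting (shadowed) or inconsistent across layers. The following is an added example written for this page, not PolicyRefie's own code. It assumes two constructed vendor syntaxes (an ACL-style line format and a key=value format), two constructed devices named "edge" and "core", and first-match-wins evaluation order; the sample rule sets are constructed as well.

```python
"""Normalize firewall rules from two toy vendor syntaxes into one model, then
flag shadowed/redundant rules per device and inner-layer permits that the
outer layer already denies. Example code for illustration; syntaxes, device
names and rule sets are constructed, not taken from any real product."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str                    # device/layer the rule came from
    index: int                     # position in that device's list (lower = evaluated first)
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple                   # (low, high) destination port range


def _net(text):
    return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text, strict=False)


def _ports(text):
    if text in ("any", "*"):
        return (0, 65535)
    if "-" in text:
        lo, hi = text.split("-")
        return (int(lo), int(hi))
    return (int(text), int(text))


# Toy syntax A (constructed, ACL-like): "permit tcp 10.0.0.0/8 192.168.1.10/32 eq 443"
ACL_RE = re.compile(r"^(permit|deny)\s+(tcp|udp|ip)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\S+))?$")


def parse_acl_line(device, index, line):
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable ACL line: {line!r}")
    action, proto, src, dst, port = m.groups()
    return Rule(device, index, action, "any" if proto == "ip" else proto,
                _net(src), _net(dst), _ports(port or "any"))


# Toy syntax B (constructed, key=value): "action=allow proto=tcp src=10.1.0.0/16 dst=192.168.1.10 dport=443"
def parse_kv_line(device, index, line):
    kv = dict(tok.split("=", 1) for tok in line.split())
    action = {"allow": "permit", "permit": "permit", "drop": "deny", "deny": "deny"}[kv["action"]]
    return Rule(device, index, action, kv.get("proto", "any"),
                _net(kv.get("src", "any")), _net(kv.get("dst", "any")), _ports(kv.get("dport", "any")))


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return ((a.proto == "any" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def find_anomalies(rules):
    """(kind, earlier, later) for each rule fully covered by an earlier rule on the
    same device: 'redundant' if the actions agree, 'shadowed' if they differ."""
    findings = []
    for later in rules:
        for earlier in rules:
            if earlier.source != later.source or earlier.index >= later.index:
                continue
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, earlier, later))
                break  # the first covering rule decides the packet's fate
    return findings


def cross_layer_dead_permits(rules, outer="edge", inner="core"):
    """(inner_index, outer_index) for inner-layer permits whose traffic the outer
    layer already denies, i.e. rules that can never see a packet."""
    outer_rules = sorted((r for r in rules if r.source == outer), key=lambda r: r.index)
    dead = []
    for r in rules:
        if r.source != inner or r.action != "permit":
            continue
        first = next((o for o in outer_rules if covers(o, r)), None)
        if first is not None and first.action == "deny":
            dead.append((r.index, first.index))
    return dead


EDGE_ACL = [  # constructed sample: outer-layer device, syntax A
    "permit tcp 10.0.0.0/8 192.168.1.10/32 eq 443",
    "deny tcp 10.1.0.0/16 192.168.1.10/32 eq 443",   # shadowed by rule 0
    "deny udp 10.0.0.0/8 any",
    "permit ip any any",
]
CORE_KV = [  # constructed sample: inner-layer device, syntax B
    "action=allow proto=tcp src=10.1.2.0/24 dst=192.168.1.10 dport=443",
    "action=allow proto=tcp src=10.1.2.0/24 dst=192.168.1.10 dport=443",  # exact duplicate
    "action=allow proto=udp src=10.0.0.0/8 dst=192.168.1.20 dport=53",    # edge rule 2 denies this
]


def load_all():
    rules = [parse_acl_line("edge", i, l) for i, l in enumerate(EDGE_ACL)]
    rules += [parse_kv_line("core", i, l) for i, l in enumerate(CORE_KV)]
    return rules


def report():
    """Compact findings: (kind, device, earlier_index, later_index)."""
    return [(k, e.source, e.index, l.index) for k, e, l in find_anomalies(load_all())]


if __name__ == "__main__":
    for row in report():
        print("intra-device:", row)
    for row in cross_layer_dead_permits(load_all()):
        print("cross-layer dead permit (core, edge):", row)
```

The design point is that all detection logic operates only on the normalized `Rule` model, so supporting another vendor means adding a parser, not another copy of the checks. Real rule sets also carry negations, object groups, zones and source-port constraints, which this toy model deliberately omits; a production normalizer has to flatten those into the same comparable form before `covers` is meaningful.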