具延展性且有高可用度和負載平衡機制的網路安全交換機架構 ; Scalable High Availability / Load Balance Architecture for Security Switch

Bibliographic details
Title: 具延展性且有高可用度和負載平衡機制的網路安全交換機架構 ; Scalable High Availability / Load Balance Architecture for Security Switch
Authors: 黃遠芳, Yuan-Fang Huang
Contributors: 黃能富, Nen-Fu Huang
Publication year: 2005
Subject terms: security switch, load balance, high availability, defense-in-depth, archi, droit
Time: 48
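Description: Master's ; National Tsing Hua University ; Institute of Information Systems and Applications ; GH000926721 ; In recent years people have used networks extensively for all kinds of communication, causing network traffic to grow rapidly. Network security issues are also receiving more and more attention. Network security devices such as firewalls or intrusion detection and prevention systems are usually placed at the entry and exit points of the network, so they need strong computing power to provide content inspection functions and services in time. Building a network security system with load balancing and high reliability is a priority consideration for enterprises when constructing their networks. This thesis proposes and implements a network security switch system architecture featuring scalability, load balancing and high reliability. The thesis uses network security switches as the main core service and network interfaces with hardware-bypass capability as the design platform. In this architecture, each security switch combines a conventional layer-2 switch with a device capable of layer-7 deep packet inspection, the two devices are connected through Gigabit Ethernet interfaces, and a novel design combines all the security switches to form a high-availability system architecture. Even if only one network security switch survives, the whole system can still work normally; together with a distributed load-balancing algorithm, this gives the whole system better stability. Finally, the thesis implements a system that combines load balancing/high reliability with network security switches, shuts down the other three network security switches one by one to demonstrate high reliability, and then injects packet traffic of different sizes into each network security switch to observe the degree of load balancing among them. The algorithm proposed in this thesis lets the system serve more network traffic and improves system reliability by using more hardware-bypass ports. ; Internet traffic has grown very fast in the past years, and network security has become more and more critical. Typically, network security devices, such as firewalls and Intrusion Detection and Prevention Systems (IPS), are installed behind the routers of an enterprise network to prevent attacks from the Internet. However, it is found that more than 80% of attacks are actually launched from affected computers inside the intranet. Therefore the concept of defense-in-depth has emerged to prevent attacks not only from the Internet but also from internal personal computers. This leads to the need for security switches to provide first-mile protection. Unfortunately, the current layer-7 security switch solution is complex and expensive. In this thesis, a scalable load balance and high availability (LB/HA) architecture for network security switches is proposed. In this architecture, each “security switch” is composed of a traditional layer-2 switch and a “security switch engine (SSE)” which provides the layer-7 packet inspection service. These two components are coupled by a Gigabit Ethernet link. A novel mechanism is designed to connect the SSEs so that a group of security switches is interconnected to achieve the HA feature. Thus, the system can still provide security service even when only one security switch is alive. 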
An intelligent load balancing is also designed for the SSE so that the security service can ...
Document type: other/unknown material
Language: English
Relation: http://nthur.lib.nthu.edu.tw/dspace/handle/987654321/29387
Availability: http://nthur.lib.nthu.edu.tw/dspace/handle/987654321/29387
Rights: undefined
Accession number: edsbas.23B23B4
Database: BASE