Please use this Handle URI to cite this document:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/19775
Full metadata record
DC Field | Value | Language |
---|---|---|
dc.contributor.advisor | 吳文方 | |
dc.contributor.author | Ya-Nan Kao | en |
dc.contributor.author | 高亞南 | zh_TW |
dc.date.accessioned | 2021-06-08T02:18:26Z | - |
dc.date.issued | 2015 | |
dc.date.submitted | 2015-08-26 | |
dc.identifier.citation | 1. Anderson, B. A. (1984). 'TACACS User Identification Telnet Option.'
2. Bellardo, J. and S. Savage (2003). 802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions. USENIX security.
3. Blumenthal, U. and B. Wijnen (1997). 'The User-Based Security Model for Version 3 of the Simple Network Management Protocol (SNMPv3).' draft-ietf-snmpv3-usm-01.txt.
4. Chang, R. K. (2002). 'Defending against flooding-based distributed denial-of-service attacks: a tutorial.' Communications Magazine, IEEE 40(10): 42-51.
5. Chiba, M. (2003). 'Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS).'
6. Chomsiri, T. Sniffing packets on LAN without ARP spoofing, IEEE.
7. Congdon, P., B. Aboba, et al. (2003). 'IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.' RFC3580, September.
8. Eddy, W. M. (2011). SYN Flood Attack. Encyclopedia of Cryptography and Security, Springer: 1273-1274.
9. Epah, M. (2009). Network Access Control (NAC). DFN-Forum Kommunikationstechnologien.
10. Qin, F.-l., H.-x. Duan, et al. (2009). 'Overview of ARP spoofing detection and prevention techniques [J].' Application Research of Computers 1: 007. | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/19775 | - |
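dc.description.abstract | In today's era, people's demand for information seems endless; everyone wants to obtain the information they need easily, anytime and anywhere, through all kinds of network-connected devices, and this has in fact changed the way business is conducted. These demands have made the security of digital assets one of the main concerns of network administrators, who are required to ensure the security and availability of the connection between the enterprise network and the Internet while also maintaining a certain level of access speed. In short, network administrators must ensure the robustness of the network. In fact, there are many methods currently on the market to increase network robustness. Among them, Allied Telesis uses industry-leading switching technology to provide a comprehensive security suite that supports a multi-layered approach to safeguard the network and combat common threats on it. This thesis examines from three aspects how Allied Telesis switches ensure the security and reliability of the network infrastructure, and then proposes a new solution; the solution document focuses on describing some common network attack methods and then explains how those attacks can be mitigated using Allied Telesis equipment. | zh_TW |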
dc.description.abstract | The increasing number of connected devices in today's networks has created an insatiable demand for access to information, when and where we need it. This situation has changed the way we do business, as we are becoming more and more reliant on information technology resources and applications. The security of digital assets has therefore become a principal concern for network administrators, and ensuring maximum availability of those assets, including corporate network and internet access, has become their major responsibility.
There are a number of ways to increase the robustness of modern corporate network and internet access. Among them, Allied Telesis uses industry-leading switching technology to provide a comprehensive security suite, which supports a multi-layered approach to safeguard the network and combat common threats. The present thesis discusses in three ways how the switches of Allied Telesis ensure a reliable and secure network infrastructure. It also looks at some common network attacks, and demonstrates how those attacks can be mitigated using Allied Telesis equipment. | en |
dc.description.provenance | Made available in DSpace on 2021-06-08T02:18:26Z (GMT). No. of bitstreams: 1 ntu-104-P02546014-1.pdf: 3978429 bytes, checksum: b470ff9c60753424edbbd8e124c109a2 (MD5) Previous issue date: 2015 | en |
dc.description.tableofcontents | Oral Examination Committee Approval Certificate
Acknowledgments
Chinese Abstract
Abstract
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Background and Motivation of Study
1.2 Purpose of Study
1.3 Methodology of Study
1.4 Range and Limitations of Study
Chapter 2 Background Knowledge and Literature Review
2.1 Introduction
2.1.1 Network Access Control (NAC)
2.1.2 Secure Shell (SSH)
2.1.3 Hypertext Transfer Protocol (HTTP)
2.1.4 Telnet (TErminal over NETwork)
2.1.5 Simple Network Management Protocol (SNMP)
2.1.6 Graphical User Interface (GUI)
2.1.7 Syslog
2.1.8 Spanning Tree Protocol (STP)
2.1.9 Bridge Protocol Data Unit (BPDU)
2.1.10 Control Plane
2.1.11 Denial of Service (DoS)
2.1.12 Dynamic Host Configuration Protocol (DHCP)
2.1.13 BOOTP (Bootstrap Protocol)
2.1.14 Media Access Control (MAC)
2.1.15 Access Control List (ACL)
2.1.16 802.1X (port-based network access control)
2.1.17 EAPOL (Extensible Authentication Protocol Over LAN)
2.1.18 RADIUS (Remote Access Dial In User Service) server
2.1.19 Virtual LAN (VLAN)
2.1.20 World Wide Web
2.1.21 Local Area Network
2.1.22 Address Resolution Protocol (ARP)
2.1.23 Tear Drop
2.1.24 Ping of Death
2.1.25 Internet Control Message Protocol (ICMP)
2.1.26 Smurf attack
2.1.27 PING (Packet Internet Groper)
2.1.28 Transmission Control Protocol (TCP)
2.1.29 SYN flood
2.2 A Major Existing Company A Switch Network Access Security Practices
2.3 A Major Existing Company B Switch Network Access Security Practices
Chapter 3 About Allied Telesis, Inc.
Chapter 4 Network Access Security of Allied Telesis Ethernet Switches
4.1 Secure switch management
4.2 Network security features
4.2.1 Port Security
4.2.2 Secure configuration of Spanning Tree Protocol (STP)
4.2.3 Storm Protection
4.2.4 Control Plane Prioritization (CPP)
4.2.5 Denial of Service (DoS) attack prevention
4.2.6 Dynamic Host Configuration Protocol (DHCP) Snooping
4.2.7 Access Control Lists (ACLs) and Filters
4.3 Network Access Control (NAC)
4.3.1 Network Access Control (NAC)
4.3.2 Tri-authentication
4.3.3 Roaming authentication
4.3.4 Two-step authentication
4.3.5 Strong Access Shield
4.3.6 Mitigating common network attacks
4.3.6.1 MAC flooding attack
4.3.6.2 Address Resolution Protocol (ARP) spoofing attacks
4.3.6.3 VLAN hopping attacks
4.3.6.4 Double-tag VLAN hopping attack
4.3.6.5 Spanning Tree Protocol (STP) Attack
4.3.6.6 Dynamic Host Configuration Protocol (DHCP) attacks
4.3.6.6.1 DHCP starvation attack
4.3.6.6.2 DHCP rogue server attack
4.3.6.7 Denial of Service (DoS) attacks
4.4 Compared the network access security mechanism with the existing major Company A and B in their switches
Chapter 5 Conclusion
Bibliographies (References)
Appendix
List of Tables
Table 1: Network Access Security Comparison Matrix
List of Figures
Figure 1 A school can keep tight control over network access and application availability for students
Figure 2 Tri-authentication
Figure 3 Step 1 MAC authentication
Figure 4 Step 2 Web authentication
Figure 5 MAC flooding attack
Figure 6 MAC flooding defense
Figure 7 ARP spoofing attack
Figure 8 ARP spoofing defense
Figure 9 Basic VLAN hopping attack
Figure 10 Basic VLAN hopping defense
Figure 11 Double-tag VLAN hopping attack
Figure 12 Double-tag VLAN hopping defense
Figure 13 STP attack
Figure 14 STP defense
Figure 15 DHCP starvation attack
Figure 16 DHCP starvation defense
Figure 17 DHCP rogue server attack
Figure 18 DHCP rogue server defense
Figure 19 DoS attack
Figure 20 DoS defense | |
dc.language.iso | zh-TW | |
dc.title | Network Access Security of Allied Telesis x-Series Network Switches | zh_TW |
dc.title | The Network Access Security of Allied Telesis x-Series Switches | en |
dc.type | Thesis | |
dc.date.schoolyear | 103-2 | |
dc.description.degree | Master's | |
dc.contributor.coadvisor | 王銘宗 | |
dc.contributor.oralexamcommittee | 陳立元,許宏德,陳柏良 | |
dc.subject.keyword | Digital assets, enterprise network, Internet, network management, switch, | zh_TW |
dc.subject.keyword | Digital Asset,Intranet/Extranet,Internet,Network Management,Switch, | en |
dc.relation.page | 89 | |
dc.rights.note | Not authorized | |
dc.date.accepted | 2015-08-27 | |
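dc.contributor.author-college | College of Engineering | zh_TW |
dc.contributor.author-dept | Graduate Institute of Industrial Engineering | zh_TW |
Appears in Collections: | Graduate Institute of Industrial Engineering |
Files in This Item:
File | Size | Format | |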
---|---|---|---|
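ntu-104-1.pdf Not currently authorized for public access | 3.89 MB | Adobe PDF |
Items in the system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.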