Full metadata record
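| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | 余少棠 | en_US |
| dc.contributor.author | Shao-Tang Yu | en_US |
| dc.contributor.author | 林盈達 | en_US |
| dc.contributor.author | Ying-Dar Lin | en_US |
| dc.date.accessioned | 2014-12-12T02:25:11Z | - |
| dc.date.available | 2014-12-12T02:25:11Z | - |
| dc.date.issued | 2000 | en_US |
| dc.identifier.uri | http://140.113.39.130/cdrfb3/record/nctu/#NT890394061 | en_US |
| dc.identifier.uri | http://hdl.handle.net/11536/66964 | - |
| dc.description.abstract | Network security is an important issue of concern to enterprises. In this thesis, we first use open source packages to integrate a security gateway with three major functions: firewall, virtual private network (VPN), and intrusion detection system (IDS). The integrated packages include Linux kernel, ipchains (packet filter), Squid (URL filter), TIS (content filter), FreeS/WAN (VPN), and Snort (IDS). During integration, we also patched the system kernel so that the packages can work together to meet user needs. In comparing the open source solution with commercial products, we found that the ipchains and FreeS/WAN packages are practical, while the TIS and Snort packages have performance problems. Detailed internal benchmarking further found that, for a 1518-byte packet, the processing time required by 3DES encryption is 9 times that of MD5 authentication and 31 times that of network address translation (NAT), showing that the longest per-packet processing time among kernel modules belongs to the 3DES encryption function in FreeS/WAN; at the daemon level, the longest request/response processing time belongs to TIS, whose processing time is several tens of times that of Squid and Snort. Further source code tracing found that TIS performs poorly because of some improper implementation techniques, while ipchains and Snort scale poorly because they use linear matching algorithms. Finally, we propose four directions for improving performance: improving the matching algorithms, more appropriate implementation techniques, moving some daemon-level work into the kernel, and using hardware to accelerate processing. | zh_TW |
| dc.description.abstract | Network security has become a critical issue for enterprises. In this work, we first demonstrate how to build a security gateway capable of firewall, VPN, and IDS functions by integrating open source packages: Linux kernel, ipchains (packet filter), Squid (URL filter), TIS (content filter), FreeS/WAN (VPN), and Snort (IDS). We patch the kernel to ensure interoperability of these packages. Next, we compare this open source solution with commercial products and observe that ipchains and FreeS/WAN are viable but TIS and Snort have performance problems. Our detailed internal benchmarking reveals that the 3DES encryption in FreeS/WAN tops the ranking of per-packet processing within the kernel, taking 9 times as long as MD5 authentication and 31 times as long as NAT for 1518-byte packets, and that TIS tops the ranking of request/response processing at the daemon level, several orders of magnitude higher than Snort and Squid. Further code tracing identifies the improper implementation in TIS and the less scalable linear matching algorithms in ipchains and Snort. Finally, to scale up these packages, we suggest ways to improve them, including enhanced matching algorithms, proper implementation tips, function relocation from daemon to kernel, and hardware accelerators. | en_US |
| dc.language.iso | en_US | en_US |
| dc.subject | security gateway | zh_TW |
| dc.subject | firewall | zh_TW |
| dc.subject | network address translation | zh_TW |
| dc.subject | virtual private network | zh_TW |
| dc.subject | intrusion detection system | zh_TW |
| dc.subject | performance benchmarking | zh_TW |
| dc.subject | open source | zh_TW |
| dc.subject | security gateway | en_US |
| dc.subject | firewall | en_US |
| dc.subject | NAT | en_US |
| dc.subject | VPN | en_US |
| dc.subject | IDS | en_US |
| dc.subject | benchmark | en_US |
| dc.subject | open source | en_US |
| dc.title | System Integration and Performance Benchmarking of a Security Gateway with Open Source Firewall, Virtual Private Network, and Intrusion Detection System | zh_TW |
| dc.title | Integrating and Benchmarking Security Gateway with Open Source Firewall, VPN, and IDS | en_US |
| dc.type | Thesis | en_US |
| dc.contributor.department | Institute of Computer Science and Engineering | zh_TW |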
Appears in Collections: Thesis