運用職務角色控管機制在以政策為基礎之虛擬私有網路

Abstract

虛擬私有網路(virtual private network, VPN)的技術在於使用資料傳輸通道與資料驗證及加密技術促成公眾網路可以進行私密性的資料傳輸。藉著虛擬私有網路的應用，企業組織位於不同地理位置的分公司間或與企業夥伴之間，可透過公眾網路進行資料通訊，其有效性與私密性的保障就如同使用數據專線之企業內部網路(intranet)一般。 過去虛擬私有網路的發展，多半專注在封包傳送、資料加解密及驗證等機制的技術性探討，然而近年來，也逐漸有考慮到管理上的需要。在Internet Engineering Task Force (IETF)組織所公佈的RFC2401標準文件中提出了安全政策資料庫(security policy database, SPD)與安全性關聯資料庫(security association database, SAD)之間的運作關係。當虛擬私有網路系統在管理不同資料傳輸時的安全保護時，密鑰管理、SPD、SAD與企業組織間的相互配合，就顯的非常重要。 本研究根據RFC2401標準文件所訂定之技術，以虛擬私有網路技術面為出發點，探討在Internet Protocol Security (IPSec)協定為基礎的虛擬私有網路架構下，安全政策在虛擬私有網路系統中的運作與管理模式。本研究提出一個以政策管理為基礎的虛擬私有網路整合架構，提供企業組織兼具彈性，又簡化管理複雜性的網路安全管理系統，該系統架構中整合管理者介面、SPD、SAD、資料驗證與加密、密鑰管理等相關模組，以集中管理而分散儲存的設計理念，形成一分工負責的分散式安全管理機制。 最後，我們根據公司內職務角色之關係與政策管理系統整合之相關研究，進一步探討企業組織職務角色與虛擬私有網路安全政策之整合控管模式，並提出一個自動對應之模式，將原本互相獨立的管理工作，以權限分散管理但整合應用的精神，建立一可行的運作機制，使職務角色、政策管理與虛擬私有網路技術相互整合，成為一自動化之虛擬私有網路系統架構。

Virtual private network (VPN) is applied in the data transmission, information, and encrption technology by which data need to be transmitted confidentially. Through the application of virtual private network, enterprises are able to share information or transmit data confidentially between the affiliates and their business partners. The effectiveness and confidentiality of virtual private network is the same as the intranet in the enterprise. In the past the development of virtual private network is more emphasized on the transmission of packet, data coding and decoding, as well as the data verification. However, the need of management on the virtual private network obtains more attention in recent years. Based on the document of RFC2401, the Internet Engineering Task Force(IETF) mentions the importance of operational relationship between the security policy database(SPD) and security association database(SAD). When the system of virtual private network manages the security of different data transmission, key management, SPD, and SAD are very important. Based on the RFC2401, this research discusses the operation and management mode of security policy in the virtual private network in terms of Internet Protocol Security(IPSec). This research provides the enterprise organization a flexible and simplified network security-management system on the foundation of policy management. This system combines the concepts of manager interface, SPD, SAD, data verification, coding, and key management in order to create a separate and responsible security management organism based on the design concepts of controlling centrally but saving separately. Finaly, base on the research in role, policy management, and system combination within the corporation, we advance analyzing the entirely management in the enterprise organization role and virtual private network security and bring up an automatical corresponding model. It could improve mutual independent management to an automatically virtual private network structure that is with distributed authority management to bulid up an practicable model of combining employment role, policy management with virtual private network technology.