大型企業網路服務分流機制

Abstract

大型企業組織身處於網際網路發達的今日，在網路服務流量不斷攀升的情況下，應尋求如何改進網路存取速度與建置完善的網路管理系統。本文依據流量監測系統所獲得的資訊，藉由網際網路服務流量分流方式，建置大型企業的網路架構，提昇各種網際網路服務的存取速度，進而達到加強企業的整體網路效能與管理之目的。 論文中採用廣域網路監測工具NetFlow，收集企業網際網路流量數據，分析各種網路應用服務分佈情形，以便作為大型企業網路服務流量分流架構的基準點。再利用統計數學的理論基礎提出網路頻寬需求的預測模式，不僅是提昇使用者網路應用效率的重要指標，更是各種網路服務頻寬擴充與入侵偵測系統建置容量的規劃基礎。最後依據本論文所提出的分流機制與預測模式，在工研院實際建置一個網路服務流量分流架構。整體過程可驗證本論文所述架構與方法的正確性。 以工研院的網路服務分流機制規劃與建置作為實例驗證，其中提出諸多網際網路服務效能評估與改善的方法，以及架構選取的分析步驟，除了可佐證本論文所提之方法和理論的可行性，更適合作為大型企業組織對於既有的網路架構作效能測試時採用。同時，網路入侵偵測系統中攻擊特徵選取數目的多寡，所造成入侵偵測率的數值差異，足以證明經由減少入侵攻擊特徵選取數目，除提高入侵偵測率，亦可作為網路入侵偵測系統參數調整的考量。整個研究結果可提供大型企業組織在改善網路服務存取效能與提昇網路安全方面的參考依據。而驗證過程中提及網路效能與入侵偵測率的變動因素，更是未來深入研究的方向。

In the environment of growing internet and increasing network service traffics, enterprises seek to improve internet service efficency and implement robust network management system. According to the information gained by the traffic monitoring system, through the distributing internet service traffics, we implement enterprise's network infrastructure to decrease the access time of all kinds of network service. Furthermore, we achieve the objective of enforcing an enterprise's whole network efficiency management. In this thesis, we adopt NetFlow, a WAN monitoring tool, to collect network traffic volume, analyze the usage of network application services to be the base of distribution mechanism of internet service traffics. Then we use the theory of statistic mathematics to propose a bandwidth forecasting model. This can not only be an important index of users' network application efficiency, but also a planning basis for the expansion of network bandwidth and the capacity implementation of an IDS. At last we actually build up a network infrastructure in the Industrial Technology Research Institute（ITRI） according to the distribution mechanism and forecasting model proposed in the thesis. The whole process can verify the framework and methodology of this thesis. By the verification of the planning and implementation of ITRI's distribution mechanism of internet service traffics, we proposed methods to evaluate and improve the performance of internet service, and the analysis steps of framework selection. We prove the feasibility of proposed methods and theories that can be adopted by an enterprise to test performance of its network infrastructure. At the same time, the amount of feature selection in an IDS can make a difference in detection rate. We can verify that by decreasing the amount of feature selection, the detection rate can be increased under the distribution mechanism. We can also take that into consideration to adjust the parameters in IDS. The whole research result can be enterprise's reference to improve internet service access performance and increase the network security. The varied factors of network performance and detection rate can be further researched.