企業資料外洩防護-以主機端代理程式防護橋接網路

Abstract

隨著網路應用的普及、雲端時代的來臨與新版個資法通過，企業的重要文件資料必須更謹慎管控與保護。若企業因外部駭客入侵與內部員工任意散佈而導致資料外洩，將可能造成企業競爭力與商譽上的嚴重損失。因此，重視與管理資料外洩防護(DLP)的工作是很重要的，目前DLP的機制，大致可分為「檔案控管」、「週邊控管」與「網路控管」三種類型。本研究僅就「網路控管」類型中的橋接網路的防護做深入探討研究。探討企業內部員工利用3G網路行動WiFi熱點功能所提供的無線網路，透過手提電腦與企業內部網路形成橋接網路，導致企業資料外洩的風險。本研究使用開放原始碼，提出一個主機端的代理程式(Agent)，結合DHCP、DNS的資訊與防火牆的功能與技術,解決此種漏洞。其設計的原則是：用最小的導入成本，影響現有的效能最少，並提昇防護的效益。 經過模擬電腦主機使用於企業網路不同情境的連線方式，證實此代理程式能夠實際應用於真實的企業網路環境，有效解決企業橋接網路的漏洞。

With the popularity of network applications, cloud storage and computation, and the enforcement of new version of Personal Data Protection Law, the enterprise is forced to pay more attention on protecting documents than before. If any information was leaked due to the data hacked from external or stolen by employees, it could result in heavily loss of competitiveness and damage of corporate image of enterprises. Therefore, it is of utmost importance to manage Data Loss Prevention (DLP). "File Restriction", "Peripheral Restriction" and "Network Restriction" are three mechanisms of DLP so far. This research discusses on the protection of bridged network of "Network Restriction" only. It discusses the high risk of data leakage when bridging network was formed by using 3G mobile WiFi Hotspot function to provide wireless networking for laptop by employees. Host-side open source software also known as “Agent” was used in this research. It combined the information of both DHCP and DNS, firewall functionality and technology to reduce this vulnerability. The goal is to use the minimum implement cost with minimum impact on performance to gain maximum benefits. The agent can actually be implemented to network environment in each enterprise after simulating in different network connections. It is an effective solution for enterprise bridged network vulnerabilities.