以DNSSEC為基礎的DNS安全控管平台-以政府機關為案例

Abstract

網域名稱解析系統(Domain Name System簡稱DNS)是網路服務的基礎設施，現今的網路應用服務均仰賴此基礎設施。因此DNS成為惡意攻擊標的，並可利用其弱點作為攻擊工具。惟DNS架構原未有資料完整性之安全機制。後續發展的網域名稱系統安全擴充(Domain Name System Security Extension簡稱DNSSEC)是現今最有效的資料完整性確保機制。惟現今面對進階持續威脅(Advanced Persistent Threat簡稱APT)，此新型態攻擊手法持續的利用軟體的Zero Day弱點進行攻擊進而滲透目標的網路環境，企業內外部與合作夥伴資訊交流的網路環境均受到嚴重威脅。本研究參考Clark與Wilson模型，導入DNSSEC與DNS相關安全技術於企業網路環境，確保企業關鍵DNS紀錄查詢之完整性安全外，同時監控網路行為，從中分析惡意網路行為並阻斷其運作，我們以政府機關作為案例研究對象，評估其導入後之效益，成果良好。希望本研究平台控管DNS安全風險，與透過DNS查詢歷程分析，監控企業之網路安全狀態。

The Domain Name System (referred to as DNS) is one of infrastructure network services. Most internet applications today are dependent on it .And it is the subject of malicious attackers and attack tools. But DNS is not built in the concept of regarding of data integrity security mechanism. Domain Name System Security Extension (referred DNSSEC) is now the most effective mechanisms to ensure data integrity. But now we face Advanced Persistent Threat (referred to as APT), this new type of attack continues using the software 's Zero Day vulnerabilities to attack and then penetrate the target network environment, internal and external information exchange with partners network environment are under serious threat. This study attempts to refer to Clark and Wilson model , import DNSSEC and DNS -related security technology in the enterprise network environment ,and ensure the integrity of the safety record of business-critical DNS queries. At the same time , the platform can monitor network behavior , which analyzes malicious network behavior and resistance off its operation, and the research take the government as a case study to assess the effectiveness of its benefits.The result has significant benefit.This study hopes to help the public sectors to control the DNS security risk, and through the course of the DNS query analysis, to monitor network security state for increasing the security control.