Scalable Load Balance / High Availability Architecture for Network Security Switch


Bibliographic Details
Main Authors: Yuan-Fang Huang, 黃遠芳
Other Authors: Nen-Fu Huang
Format: Others
Language: en_US
Published: 2005
Online Access: http://ndltd.ncl.edu.tw/handle/27747861150508532801
Description
Summary: Master's thesis, National Tsing Hua University, Institute of Information Systems and Applications, academic year 93 (ROC calendar, 2004-2005).

Internet traffic has grown very fast in recent years, and network security has become increasingly critical. Typically, network security devices such as firewalls and intrusion detection/prevention systems (IDS/IPS) are installed behind the routers of an enterprise network to block attacks from the Internet. However, more than 80% of attacks have been found to originate from compromised computers inside the intranet. The concept of defense-in-depth has therefore emerged: attacks must be stopped not only at the Internet border but also at the internal personal computers, which calls for security switches that provide first-mile protection. Unfortunately, current layer-7 security switch solutions are complex and expensive.

In this thesis, a scalable load balance and high availability (LB/HA) architecture for network security switches is proposed. In this architecture, each "security switch" is composed of a traditional layer-2 switch and a "security switch engine (SSE)" that provides the layer-7 packet inspection service; the two components are coupled by a Gigabit Ethernet link. A novel mechanism is designed to connect the SSEs so that a group of security switches is interconnected to achieve the HA feature: the system can still provide the security service even when only one security switch remains alive. An intelligent load balancing scheme is also designed for the SSEs so that the security service is balanced among them. The proposed architecture is implemented with four security switches. Experimental results show that the HA function works when any three of the security switches are shut down, and that the security service is dynamically balanced among the surviving security switches. Most importantly, the SSE can be a high-performance but cost-effective standard industrial PC (IPC), so the proposed LB/HA security system can be implemented very cost-efficiently.
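The abstract states the behaviour of the LB/HA group (inspection continues while at least one SSE is alive, and the load is re-balanced over the survivors) but this page does not describe the thesis's actual interconnection or balancing mechanism. The following is an added illustrative model, not code from the thesis: it reproduces the four-switch shutdown experiment with rendezvous (highest-random-weight) hashing, which is one standard way to get those two properties, and contrasts it with naive modulo hashing to show the caveat a practitioner cares about, namely how many flows change inspecting engine on a failover (a moved flow loses its per-flow inspection state). The SSE names, flow 5-tuples and counts are constructed.

```python
"""Illustrative model of LB/HA failover among security switch engines (SSEs).

Added example, not the thesis's own mechanism.  Four SSEs are shut down one at
a time; flows are assigned to the alive SSE by rendezvous hashing (and, for
contrast, by modulo hashing) and the per-SSE load and number of re-homed flows
are recorded at each step.  All inputs are constructed."""
import hashlib
from collections import Counter

SSES = ("SSE1", "SSE2", "SSE3", "SSE4")  # four security switches, as in the experiment


def _h(data: str) -> int:
    """Stable 64-bit hash; Python's built-in hash() is randomised per process."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:8], "big")


def assign_rendezvous(flow: str, alive: list) -> str:
    """Highest-random-weight hashing: the flow goes to the alive SSE with the
    largest score for this (flow, SSE) pair.  Removing an SSE only re-homes the
    flows that were on it, so inspection state on the other SSEs is undisturbed."""
    if not alive:
        raise RuntimeError("no SSE alive: security service unavailable")
    return max(alive, key=lambda sse: _h(f"{flow}|{sse}"))


def assign_modulo(flow: str, alive: list) -> str:
    """Naive alternative: index into the alive list.  A change in list length
    reshuffles most flows, which breaks per-flow inspection state."""
    if not alive:
        raise RuntimeError("no SSE alive: security service unavailable")
    return alive[_h(flow) % len(alive)]


def distribute(flows, alive, assign):
    """Map every flow to the SSE chosen by the given assignment function."""
    return {f: assign(f, alive) for f in flows}


def moved(before: dict, after: dict) -> int:
    """Number of flows whose inspecting SSE changed between two assignments."""
    return sum(1 for f in before if before[f] != after[f])


def make_flows(n: int) -> list:
    """Constructed 5-tuples: internal hosts talking to one intranet server."""
    return [f"tcp 10.0.{(i >> 8) & 0xFF}.{i & 0xFF}:{40000 + i} -> 10.1.0.1:80"
            for i in range(n)]


def simulate(assign, n_flows: int = 4000):
    """Shut down three of the four SSEs one at a time.  Returns, per step,
    (alive SSEs, per-SSE load, flows that changed SSE at that step)."""
    flows = make_flows(n_flows)
    alive = list(SSES)
    current = distribute(flows, alive, assign)
    steps = [(tuple(alive), Counter(current.values()), 0)]
    for dead in SSES[:-1]:  # leave exactly one SSE alive at the end
        alive.remove(dead)
        nxt = distribute(flows, alive, assign)
        steps.append((tuple(alive), Counter(nxt.values()), moved(current, nxt)))
        current = nxt
    return steps


if __name__ == "__main__":
    for name, fn in (("rendezvous", assign_rendezvous), ("modulo", assign_modulo)):
        print(f"== {name} hashing ==")
        for alive, load, n_moved in simulate(fn):
            print(f"alive={alive} load={dict(load)} flows moved={n_moved}")
```

Running it shows both schemes keeping all 4000 flows inspected down to a single surviving SSE and spreading them roughly evenly while several are alive; the difference is in the "flows moved" column: rendezvous hashing re-homes only the flows that sat on the SSE just shut down, whereas modulo hashing re-homes most of the population at every step. Whatever interconnection the real SSEs use, the same check (how many flows lose their inspection context on a failover) is the one to run against a security switch cluster.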