本研究為實現網路實體隔離中協定隔離的方法,又因實現過程中無使用開關方式的網閘,我們將這樣的架構稱為準網路實體隔離架構。準網路實體隔離技術使用通訊協定隔離的網路屏蔽技術。透過通訊協定不同,讓資料的傳輸過程不存在一個實際的TCP/IP連線,達成網路屏蔽的效果。 有別於一般屏蔽技術是利用黑名單阻擋的方式,此種屏蔽技術在傳遞資料時,是透過白名單的方式將信任的應用程式或通訊協定來傳遞。這樣可以阻擋機敏網路中因使用者使用習慣而產生的蠕蟲攻擊無效。而透過協定的隔離,我們可以防止IP協定中利用Optional data欄位中產生的各樣攻擊行為,例如ICMP attack,來威脅我們的機敏網路。 這樣的技術與架構可以使用在存在有機密敏感性資料的區域網路中,使得機密敏感性資料不因網路的連結而外流。在效果上比起傳統使用防火牆的屏蔽技術,準網路實體隔離可以阻擋因TCP/IP漏洞所產生的各種威脅與攻擊。實現方法使用了虛擬化的作業系統,兩主機間使用的通道為虛擬的橋接器,確保隔離兩主機間的通道專屬於兩主機。 This research is to implement the protocol isolation of the physical isolation net-work. Because of the implementation process without using physical switching gate-way, we will call that the quasi physical isolation network. Quasi physical isolation network technology is using internet protocol isolation technology. Through different protocols, data transmission does not exist a real TCP/IP connection, to reach the network shielding. Unlike ordinary shielding technology blocking connections use blacklists. This shielding technology passes connections using white lists of trusted applications or protocols. In this way, we can block worms due to bad user habits. And through the protocol of separation, we can prevent attack from using Optional data field in IP protocol, such as ICMP attack. We can use this architecture in the sensitive information confidential in the pres-ence of the local area network, so sensitive information would not outflow because of the network connection. Comparing with traditional firewalls, quasi isolation network can block threats and attacks which exercise shortcoming of TCP/IP modules. We use VM systems to Implement and use virtual bridges between two virtual machines to ensure two virtual machines has privacy tunnel.
