以隱藏IP位址為基礎之Ethernet區域網路安全管理機制

Abstract

隨著危害資訊安全手法的推陳出新，使得企業對Lan上收送資料的安全性與可靠性愈來愈重視。本篇論文對使用TCP/IP協定的Ethernet LAN安全性，以網路通訊介面層的“NDIS Hook”技術為基礎，提出一套隱藏IP位址為基礎的安全管理機制。該安全管理機制是從TCP/IP協定三層次進行各項安全控制，針對各層次可能會洩露IP資訊部份加以分析並進行通訊DES加密與認證機制。實驗結果顯示，未安裝本安全管制軟體的主機無法與已安裝本管制軟體的主機或閘道器之間進行通訊，即使攔截網路上傳送的封包，也無法獲得相關的IP資訊，可確實達成以此管理機制對於Lan未經授權的行為進行安全控管的目的。

The reliability and confidentiality of data transfer over Local Area Networks (LANs) in enterprises are more and more important due to the continually emerging of information security problems. This paper discusses the “NDIS Hook” technology in the network communication layer and how to apply this technology to improve the security of TCP/IP networks. We propose an effective mechanism which focuses on hiding the IP addresses of network interfaces by analyzing the appearance of the IP addresses among different network layers. This methodology manipulates the TCP/IP protocol stack of windows platform to secure a TCP/IP LAN against unauthorized hosts.