Title: SDN based Automatic Firewall for Rules Learning, IDS and Multi-WAN Load Balancer
(original title: 以SDN為基礎之自動化防火牆:規則學習、入侵偵測與多路頻寬負載平衡器之實作)
Author: Wang, Chang Hung (王昌弘)
Contributors: Jang, Hung Chin (張宏慶)
Wang, Chang Hung (王昌弘)
Keywords: Software-defined networking (SDN)
Firewall
Intrusion detection system (IDS)
Multi-WAN Load Balancer
Date: 2015
Upload time: 3-Dec-2015 10:38:30 (UTC+8)
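Abstract (translated from the Chinese): The firewall is an essential device in today's networks: it separates the internal network from the public network and protects the internal network. Firewalls nevertheless have several significant problems. First, firewall rules are configured by network administrators, and with the rapid development of network technology and the widespread use of virtualization in recent years, this work has become a heavy burden on them. Second, although a firewall can isolate the external network and block harmful traffic, it is of no use against threats inside the internal network. Intrusion detection systems (IDS) are commonly used for detection today, but they can only issue an alert after an attack has been detected and cannot respond in real time. Finally, for their external connections enterprises usually use multiple links for redundancy and rely on a Multi-WAN load balancer to raise bandwidth utilization, but the number of links is limited by the vendor's specification and cannot be adjusted flexibly. The load-balancing algorithms, too, can only be based on network characteristics (IP address), weight ratios, or round robin, and cannot make better decisions based on current network conditions.
     
     To address these problems, this thesis works in a software-defined networking (SDN) environment and uses switches in place of traditional firewall devices. Rule learning is achieved through packet analysis and a trust observation interval, and the Snort intrusion detection system is integrated so that packets that endanger the network are identified by signature matching and the dangerous traffic is blocked immediately. The thesis also proposes dynamically adjusting firewall rules on demand to reduce the administrators' burden. Finally, because a switch has multiple physical ports, the number of external and internal links can be adjusted freely as needed, no longer limited by vendor specifications, replacing the traditional Multi-WAN load balancer with a more flexible architecture. Information collected from the switch's physical ports and flow tables is used to assess network conditions in real time and improve load balancing. To verify the effectiveness of the proposed methods, we built a real SDN environment with KVM, Open vSwitch and a POX controller on Linux servers, and sent packets that make requests to the firewall to verify the correctness of the experimental methods.
     
     The experimental results show that the proposed concepts all operate correctly and effectively reduce the manual work needed to adjust the firewall. For the Multi-WAN load balancer, compared with round-robin load balancing, the proposed method, in the best case, raises average bandwidth utilization by about 25% and lowers the packet loss rate by about 17.5%.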
English abstract: A firewall is an important device that is responsible for securing the internal network by separating the Internet from the intranet, but there are several existing issues with the firewall. First, the firewall rules are set manually by the network administrator. With the vigorous development of Internet technologies and the great number of applications of virtualization technology in recent years, this work burdens the network administrator with a heavy workload. Second, the firewall is able to isolate the external network from harmful traffic; however, it can do nothing for the internal network. The common approach is to use an IDS to detect harmful packets, but it can only send an alert message to the administrator; no further action can be taken. Finally, most companies use several ISP connections to assure fault tolerance and use a Multi-WAN load balancer to integrate those connections to enhance bandwidth utilization. But the number of WAN/LAN ports is set by the manufacturer, and the load balance algorithm is also limited by the manufacturer. It offers only a few algorithms (network-based features, round-robin, etc.), and there is no other way to provide more efficient algorithms.
     
     In order to resolve the mentioned problems, we propose an automatic firewall based on Software Defined Network (SDN). We use OpenFlow switches to replace traditional firewalls; the system is able to learn the rules automatically by packet analysis during an observation interval. We also integrate the Snort Intrusion Detection System (IDS) to localize the dangerous packets and block them immediately. Next, we propose an on-demand based dynamic firewall rules adjustment mechanism which is able to reduce management workload. Finally, we implement a Multi-WAN load balancer architecture and provide a more efficient load balance algorithm by collecting port usage and firewall rule information. In order to verify the proposed methods, we implement an SDN environment by using Linux Ubuntu servers with KVM, Open vSwitch and the POX controller. The experiment results prove that the proposed method is able to reduce the firewall configuration effectively. For the Multi-WAN load balancer, experiment results show that our method outperforms the round-robin algorithm in terms of average bandwidth utilization and packet loss rate by 25% and 17.5%, respectively.
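Description: Master's
National Chengchi University
In-service Master's Program, Department of Computer Science (資訊科學系碩士在職專班)
102971015
Source: http://thesis.lib.nccu.edu.tw/record/#G0102971015
Type: thesis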
dc.identifier.uri (URI) http://nccur.lib.nccu.edu.tw/handle/140.119/79570
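dc.description.tableofcontents Chapter 1 Introduction
     1.1 Research Background
     1.2 Thesis Organization
     Chapter 2 Background Technologies and Related Work
     2.1 Introduction to SDN
     2.2 Introduction to Firewalls
     2.2.1 Network-Layer Firewalls
     2.2.2 Application-Layer Firewalls
     2.2.3 Proxy Services
     2.2.4 Firewall Architectures
     2.3 Introduction to Intrusion Detection Systems
     2.3.1 Classification of Intrusion Detection Systems by Design
     2.3.2 Classification of Intrusion Detection Systems by Detection Method
     2.3.3 The Snort Intrusion Detection System
     2.4 OpenFlow Concepts
     2.4.1 OpenFlow Switch
     2.4.2 OpenFlow Routing Table
     2.4.3 OpenFlow Matching
     2.4.4 OpenFlow Counters
     2.4.5 OpenFlow Instruction
     2.4.6 Secure Channel
     2.5 POX SDN Network Controller
     2.6 Mininet Network Simulator
     2.7 Related Work
     2.7.1 Related Work on Firewalls
     2.7.2 Related Work on Load Balancing
     Chapter 3 Experimental Architecture and Methods
     3.1 Rule Learning
     3.2 Automatic Protection Function of the Intrusion Detection System
     3.3 On-Demand Registration Mechanism
     3.4 Multi-WAN Load Balancer
     Chapter 4 Implementation Techniques and Experimental Results
     4.1 System Architecture
     4.2 Hardware Specifications
     4.3 System Platform and Software
     4.4 Building the Experimental Environment
     4.4.1 KVM Installation
     4.4.2 Open vSwitch Installation and Configuration
     4.4.3 Snort Installation
     4.4.4 POX Controller Installation
     4.5 Experimental Results: Automatic Generation of Firewall Logic
     4.6 Experimental Results: Automatic Protection Function of the Intrusion Detection System
     4.7 Experimental Results: On-Demand Registration Mechanism
     4.8 Experimental Results: Multi-WAN Load Balancer
     Chapter 5 Conclusion
     5.1 Summary
     5.2 Future Research Directions
     References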
dc.format.extent 5811602 bytes
dc.format.mimetype application/pdf