Under the continuing impact of the COVID-19 pandemic, as many as 80% of small and medium-sized enterprises (SMEs) have seen their revenue fall, and they have also had to purchase the IT software and hardware required for remote work in order to keep operating during the pandemic. In 2020 the National Institute of Standards and Technology (NIST) published its zero trust architecture standard. Zero trust is a new security philosophy combined with a number of related technologies; its ultimate goal is to reduce all security risks in the process of accessing resources. Many SMEs in Taiwan have built their information architecture on a traditional perimeter security model, that is, the internal and external networks are separated by a firewall or similar network devices, and their main hosts and services all reside on the company's internal network, so the working environment of remote employees must be brought into that internal network. If a traditional virtual private network (VPN) solution is adopted, the network security environment the enterprise has already built can be inherited directly, with only a few additional security mechanisms attached. For SMEs to realize the concept and spirit of "zero trust", therefore, factors such as the speed at which the organization can carry out a zero trust transformation and upgrade, and the limits on the funds it can invest, must be taken into account; a VPN grounded in zero trust must accordingly treat identity verification far more rigorously. We analyzed the requirements for moving from a traditional enterprise network environment to achieving zero trust through a VPN and propose the implementation steps and the factors to consider, offering Taiwanese SMEs a 5+1 phase plan that they can follow according to the funds and manpower available to them. Phase 1 uses a firewall to separate the internal and external networks and, on the basis of the Trade Secrets Act, uses endpoint software to collect records of employees' data access operations and behavior on their computers; Phase 2 provides a scheme for remote workers to connect to the enterprise network; Phase 3 incorporates multi-factor authentication (MFA) to make the internal network more secure; Phase 4 adds the planning of network micro-segmentation under a zero trust design; Phase 5 provides a data protection scheme. In addition, a new, simple dynamic password verification mechanism is offered as an alternative that can further reduce costs by replacing the MFA system of Phase 3, moving SMEs another step toward zero trust. Through discussion and analysis, we believe the scheme we propose will give SMEs better results in the process of adopting a zero trust architecture.
Amid the ongoing impact of COVID-19, up to 80% of small and medium-sized enterprises (SMEs) have experienced a decrease in revenue. In addition, they have been compelled to purchase the information technology software and hardware necessary to meet the demands of remote work during the pandemic. The National Institute of Standards and Technology (NIST) released a zero trust architecture standard in 2020. Zero trust is a new security concept combined with multiple related technologies, and its ultimate goal is to reduce all security risks during resource access. Many SMEs in Taiwan adopt a traditional perimeter security architecture: they segregate the internal and external networks using firewalls or related network devices, and their main hosts and services are located within the company's internal network. Therefore, they need to consider integrating the remote work environment into the internal network. If a traditional Virtual Private Network (VPN) solution is adopted, the network security environment that the enterprise has already built can be inherited and used directly. If SMEs want to practice the concept and spirit of zero trust, they must consider the zero trust transformation, the speed of upgrading, and their budget constraints. Therefore, identity authentication for VPN services should be the focus. We have analyzed the requirements for migrating a traditional enterprise network environment to a VPN-based approach that achieves zero trust. We then propose a 5+1 phase implementation plan for Taiwanese SMEs based on the resources and manpower available to them. Phase 1 uses a firewall to isolate the internal network from the external network, and uses endpoint software, on the basis of the Trade Secrets Act, to collect records of employee computer data access operations and behavior. Phase 2 provides a solution for remote workers to connect to the intranet. Phase 3 integrates Multi-Factor Authentication (MFA) to make the intranet more secure. Phase 4 adds network micro-segmentation planning to the zero trust design. Phase 5 provides a solution for data protection. In addition, a new, simple dynamic password authentication mechanism is offered as an alternative, which can further reduce costs and replace the multi-factor authentication system of Phase 3. After our discussion and analysis, we believe the guideline we propose will bring better results to SMEs in the process of introducing a zero trust architecture.