With the proliferation of network services and peer-to-peer applications, outbreaks of network worms and network intrusion attacks have become frequent. Protecting hosts with firewalls, anti-virus software and intrusion detection systems is now an indispensable part of network security practice. Although these systems can detect attacks and resist intrusions, most of them have no mechanism for controlling network equipment to cut off an attack source inside the internal network, so network administrators must be on call at all times to deal with virus and attack events. In elementary and secondary schools, however, network administration is often a side duty of teachers; when an attack occurs they may be busy with classes or other administrative work and unable to respond immediately, allowing a virus infection to spread further or the damage of an intrusion to grow. What is needed is a solution in which the network management system automatically blocks the attack source at the earliest stage of an event, whether that source is internal or external.

This thesis proposes an automatic response mechanism that links anti-virus software, intrusion detection systems and the firewall. Agent programs collect the threat information detected by the anti-virus software and the intrusion detection system; the network management system then either controls the network switches to shut down the port of an internal attack source or adds a firewall rule to block an attack source on the Internet. Administrators need only check periodically whether any host has been quarantined because of infection or attack and, if so, visit it to patch the vulnerability, remove the virus or reinstall the system. Once this is done, the quarantined computer's network connection is re-enabled through the network management system.
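As an added illustration, not code from the thesis, the following Python sketches the decision logic the abstract describes: agent alerts from anti-virus and IDS are normalised, the attack source is classified as internal or external, and the management layer emits either a switch-port shutdown or a firewall rule while keeping a quarantine list that an administrator can later release. The internal address ranges, the IP-to-port table, the two alert line formats and the command strings are all constructed assumptions for this example.

```python
"""Added example (not the thesis's own code): a minimal model of the
automatic blocking decision.  Alerts from anti-virus and IDS agents are
normalised, the source is classified as internal or external, and the
management layer produces either a switch-port shutdown or a firewall rule.
Quarantined hosts are tracked so an administrator can release them after
cleaning.  Address ranges, the port table, alert formats and command strings
are constructed assumptions, not real deployment data.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed internal address ranges of the campus network (constructed).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Assumed snapshot of IP -> (switch, port).  In practice this would be
# learned from the switches (e.g. via SNMP); here it is constructed.
PORT_TABLE = {
    "192.168.10.25": ("sw-lab1", "Gi1/0/7"),
    "192.168.20.8": ("sw-office", "Gi1/0/3"),
}

# Constructed line formats emitted by the two agents.
AV_RE = re.compile(r"^AV host=(?P<ip>[\d.]+) threat=(?P<sig>\S+)")
IDS_RE = re.compile(r"^IDS src=(?P<ip>[\d.]+) sid=(?P<sig>\d+)")


@dataclass
class Alert:
    source: str      # reporting system: "av" or "ids"
    ip: str          # attacking / infected host
    signature: str   # threat name or IDS signature id


@dataclass
class Action:
    kind: str        # "switch_shutdown" or "firewall_block"
    target: str      # "switch:port" or the firewall rule text
    ip: str


def parse_alert(line):
    """Normalise one agent log line; return None for lines we do not handle."""
    m = AV_RE.match(line)
    if m:
        return Alert("av", m["ip"], m["sig"])
    m = IDS_RE.match(line)
    if m:
        return Alert("ids", m["ip"], "sid:" + m["sig"])
    return None


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class ResponseManager:
    """Chooses and records the blocking action for each alert."""

    def __init__(self):
        self.quarantined = {}   # ip -> Action, for later administrator review
        self.unresolved = []    # internal hosts whose switch port is unknown

    def handle(self, alert):
        if alert.ip in self.quarantined:
            return None         # already isolated: do not resend commands
        if is_internal(alert.ip):
            if alert.ip not in PORT_TABLE:
                self.unresolved.append(alert.ip)   # needs manual handling
                return None
            switch, port = PORT_TABLE[alert.ip]
            action = Action("switch_shutdown", f"{switch}:{port}", alert.ip)
        else:
            # External source: block it at the perimeter firewall instead.
            action = Action("firewall_block",
                            f"deny ip host {alert.ip} any", alert.ip)
        self.quarantined[alert.ip] = action
        return action

    def release(self, ip):
        """Administrator has cleaned the host: drop it from quarantine."""
        return self.quarantined.pop(ip, None)


def run_alerts(lines):
    """Feed agent lines through the manager; return (manager, actions taken)."""
    mgr = ResponseManager()
    actions = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        action = mgr.handle(alert)
        if action is not None:
            actions.append(action)
    return mgr, actions


if __name__ == "__main__":
    sample = [   # constructed agent output
        "AV host=192.168.10.25 threat=Worm.Generic",
        "IDS src=203.0.113.45 sid=2001219",
        "IDS src=192.168.10.25 sid=2003068",
        "IDS src=192.168.30.99 sid=2010935",
    ]
    mgr, taken = run_alerts(sample)
    for a in taken:
        print(a.kind, a.target, a.ip)
    print("unresolved:", mgr.unresolved)
```

The two decision branches mirror the abstract: an internal source is isolated at its access-switch port, an external one is denied at the firewall. Duplicate alerts for an already-quarantined host produce no further commands, and an internal host whose port cannot be located is left on an unresolved list rather than silently ignored.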