金融跨業經營保險業防火牆設立之研究

林美娟

Unknown Date

金融自由化於一九六○年代末期發端於德、英二國後，隨即迅速傳佈至世界各地，蔚成一種國際化潮流趨勢，在全球金融一片國際化、自由化的風潮下，各國金融機構將來必定面臨外來金融機構競爭之挑戰，我國未來金融的發展，可預見在金融自由化的浪潮下，為配合市場自由化發展趨勢，其配套相關之法律和制度應重新規範，促進我國金融機構競爭力的提升及維持良好金融秩序。 本篇論文探討金融機構綜合經營金融業務下之優缺點，針對金融機構綜合經營後之弊端如何設立防火牆來減少其負面影響，藉由探討美、日目前金融綜合經營下，相關之法律及制度上之設計，以作為未來我國走向金融機構綜合經營下，相關金融法規（包括銀行法、證券交易法、保險法、金融合併法等等）之修正及訂立完整的法律規範之參考。 / Insurance activities bear important similarities to banking. Insurance companies collect premium payments as banks collect deposits; insurance companies intermediate funds received into loans and investments as do banks; insurance companies eventually repay their policyholders as banks repay their depositors; and insurance companies sell their products through local office networks as do banks. Because of these similarities, there is a strong trend that permitting affiliations between banking and insurance companies for the institutions, as well as significant benefit to consumers in the form of greater convenience and potentially lower costs. After a decades-long effort, historic financial modernization legislation was signed into law by the President of United States on November 12, 1999. The Gramm-Leach-Bliley Act will eliminate the artificial depression-era barriers between companies that sell securities, insurance, and banking products. The act involves authority governing consumer protection and information sharing. In 1992, Japan approved the “Financial Systems Reform Act”, amending Japan’s Securities Law, Banking Law, Insurance Law etc..The Ministry of Finance has elected to restrict the range of powers permissible for new subsidiaries of banks, securities, insurance. We move forward, domestic financial deregulation in eliminating barriers between companies that sell securities, insurance, and banking products. We need to give attention to the potential risks. Through making financial act providing a comprehensive framework, we maintain the safety and soundness of our financial institutions.

金融業

跨業經營

保險業

防火牆

金融合併法

以SDN為基礎之自動化防火牆：規則學習、入侵偵測與多路頻寬負載平衡器之實作 / SDN based Automatic Firewall for Rules Learning, IDS and Multi-WAN Load Balancer

王昌弘, Wang, Chang Hung

Unknown Date

防火牆是現今網路中的重要設備，負責區隔內部網路和公共網路，維護內部網路安全。然而防火牆也存在幾個重要的問題，首先，防火牆的規則是由網管人員設定，近年來隨著網路科技蓬勃發展、虛擬技術大量應用，此項工作已帶給網管人員龐大的負擔。其次，防火牆雖可隔離外部網路，阻擋有害流量，但對內部網路的防範卻毫無用武之地。目前市面上普遍使用入侵偵測系統(IDS)進行偵測，但僅能在發現攻擊行為後發出警告訊息，無法即時處理。最後，企業在連外網路部分，通常採用多條線路進行備援，並倚賴多路頻寬負載平衡器(Multi-WAN load balancer)增加頻寬的使用率，但在線路數量上卻受限於廠商所制定之規格，無法彈性調整。而在負載平衡演算法方面，也只能基於網路特徵(IP位置)、權重比例(weight)或是輪詢機制(round robin)，無法依據目前網路狀況做出更好判斷。 為改善上述問題，本論文在軟體定義網路(SDN)環境下，使用交換機取代傳統防火牆設備，透過封包分析與信任觀測區間達到規則學習，並整合Snort入侵偵測系統，透過特徵比對，找出危害網路環境之封包，即時阻擋該危險流量。本論文也提出基於隨需(on demand)概念，動態調整防火牆規則，降低管理人員負擔。最後利用交換機擁有多個實體通訊埠的概念 ，依需求可自由調整對外及對內線路數量，不再受限於廠商規格，取代傳統多路寬頻負載平衡器，建構更彈性的架構。並透過收集交換機上的實體埠與資料流表中的資訊，即時評估網路狀況，加強負載平衡。為驗證本論文所提出之⽅法的有效性，我們使用Linux伺服器架設KVM、OpenvSwitch以及POX控制器實際建構SDN網路環境，透過發送封包對防火牆提出請求，以驗證實驗方法的正確性。 根據實驗結果顯示，本論文所提出之概念均能正確運作，有效降低調整防火牆所需之人工作業。在多路寬頻負載平衡器部分，本研究所提出之負載平衡方法，與round robin負載平衡方法相較之下，在最佳情況下，能有效提升約25%平均頻寬使用率，並降低約17.5%封包遺失率。 / Firewall is an important device that is responsible for securing internal network by separating Internet from Intranet, but here are several existing issues about the firewall. First, the firewall rules are set by the network admistrator manually. Along with the vigorous development of Internet technologies and great amount of applications of virtual technology in recent years. This work burdens the network adminstrator with a heavy workload. Second, the firewall is able to isolate the external network from harmful traffic, however, it can do nothing to the internal network. The common situation is to use IDS to detect the harmful packet, but it can only send an alert message to the adminstrater, no more actions can be done. Finally, most companies use several ISP connections to assure fault tolerance and use Multi-WAN load balancer to integrate those connections to enhance bandwidth utilization. But the number of WAN/LAN ports is set by the manufacturer, and the load balance algorithm is also limited by the manufacturer. It offers only a few algorithms (network-based features, round-robin, etc.), and there is no other way to provide more efficient algorithms. In order to resolve the mentioned problems, we propose an automatic firewall based Software Defined Network (SDN). We use Openflow switches to replace traditional firewalls, the system is able to learn the rules automaticlly by packet analysis during an observation interval. We aslo integrate Snort Intrusion Detection System (IDS) to localize the dangerous packets and block them immediately. Next, we propose an on-demand based dynamic firewall rules adjustment mechanism which is able to reduce management workload. Finally, we implement a Multi-WAN load balancer architecture and provide a more efficient load balance algorithm by collecting port usage and firewall rule information. In order to verify the proposed methods, we implement a SDN environment by using Linux Ubuntu servers with KVM, Open vSwitch and POX controller. According to the experiment result, it proves that the proposed method is able to reduce the firewall configuration effectively. In the Multi-WAN load balancer, experiment results show that our method outperforms round-robin argrithom in terms of average bandwidth utilization and packet loss rate by 25% and 17.5%, respectively.

軟體定義網路

防火牆

入侵偵測系統

多路頻寬負載平衡器

SDN

Firewall

IDS

Multi-WAN Load Balancer