[PIXIS CTO] NAC (Network Access Control) Solutions

In today's era of rapid advances in computing and networking, the concept of network security defence is already widespread. The earliest security architectures, however, focused mainly on defending the connection to external networks: firewalls, intrusion detection, web attack protection and so on, and the products for external-facing defence are by now complete and mature. In recent years, though, intrusions into internal networks have become frequent, and thefts of important data from well-known enterprises are reported again and again. Defending against intrusion and attack from inside the enterprise has therefore become a new topic. Any discussion of internal network defence has to start with the lowest layer, Ethernet. Because it is cheap, simple and easy to deploy, Ethernet long ago displaced more rigorously designed and fully featured architectures such as Token Ring and ATM, and has been the standard for basic networking ever since. That same inherent simplicity, however, means it has no mechanism at all for managing or controlling the devices that connect to it, which makes it hard to manage and impossible to monitor connected devices effectively. Add to this the rise of BYOD (Bring Your Own Device) and the ever-growing demand for mobile devices: enterprises want to accommodate this trend while keeping the internal network secure, and are looking for an effective means of control. All of this has deepened enterprises' attention to internal security defence.

As internal security and management needs grew, many solutions appeared in response, and the term NAC was born. The main function of NAC (Network Access Control) is to decide, at the moment a device connects to an enterprise's or organisation's internal network, whether that device is legitimate and whether it has permission to enter the network. It is like a traveller returning from abroad and passing through customs: the first thing customs does is check whether you have valid authorisation to enter the country.

NAC is the collective name for this whole class of products: any solution that checks the legitimacy of a device's access to the network is called a NAC product. (As networks and security have grown more complex, NAC products have since added requirements such as checking the OS version of the connecting device, whether system patches are up to date, whether anti-virus signatures are current and so on; this article touches on these functions later.) Among the many NAC products and protocols, solutions built on 802.1X are the most representative. Cisco's earliest overall NAC solution was built with 802.1X as its core.

Architecture and advantages of 802.1X:

  1. 802.1X is an OSI Layer 2 protocol. It can authenticate a device or user at the moment the device connects to the network, and it does so without the device needing an IP address.

  2. 802.1X can authenticate either the connecting device or the individual user. Its authentication mechanism is the EAP (Extensible Authentication Protocol); among all NAC solutions it is a very rigorous and secure authentication method that is not easily defeated by a malicious party.

  3. Another advantage of 802.1X is dynamic VLAN assignment. Dynamic VLAN is a function of the switch the device connects to: a switch port is not fixed to one VLAN or subnet but is assigned according to the identity of the connecting device or user, for example its MAC address or user ID, from which the system determines the user's department and subnet and immediately moves the port into that VLAN (as different devices or users connect, the port's VLAN changes with them). If a device fails authentication, its port can be moved to an isolated or blocked VLAN for follow-up handling. Because the separation is done by the network switch at the VLAN level, it is equivalent to physical isolation and very secure. Dynamic VLAN follows the user's organisational identity, so wherever the user is, in whatever department, location or floor, the switch port they connect to is immediately moved to their own VLAN and subnet, and the IP address they are issued can always stay the same. In today's mobile, highly dynamic working environments this is a great convenience for users, and because each device's IP address stays consistent, security tracking and auditing become easier too (a user or device moving around no longer forces an IP change that makes IP-based tracking difficult).
Once the rigorous EAP procedure has verified that the person or device is legitimate, the VLAN of the user's organisational unit is pushed to the port, and once the device is in that VLAN the corresponding IP address can be issued. Because the subnet follows the user dynamically, whichever department, location or floor the user connects from, the switch port becomes the VLAN and IP subnet of the user's own unit.
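The dynamic VLAN push described above happens on the RADIUS leg between the switch (the 802.1X authenticator) and the authentication server: after EAP succeeds, the server's Access-Accept carries three RFC 2868 tunnel attributes that tell the switch which VLAN to put the port in, and the switch checks the Response Authenticator before trusting them. The following added example, which is not PIXIS code, models both sides of that exchange. The department-to-VLAN table, the quarantine VLAN, the shared secret and the packet contents are constructed for illustration; the EAP conversation itself is reduced to a pass/fail flag.

```python
"""Added example (not PIXIS code): the RADIUS exchange behind 802.1X dynamic
VLAN assignment, on both the authentication server and the switch side.
The department-to-VLAN table, shared secret and packet contents are
constructed for illustration."""
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868)
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE 802
HEADER_LEN = 20                # code(1) id(1) length(2) authenticator(16)

# Constructed policy: the VLAN each department lands in, and the isolated
# VLAN the switch applies to a port whose supplicant fails authentication.
DEPARTMENT_VLAN = {"finance": 110, "engineering": 120}
QUARANTINE_VLAN = 999


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _tagged_int(value: int, tag: int = 0) -> bytes:
    """RFC 2868 tunnel integers: a 1-byte tag followed by a 3-byte integer."""
    return bytes([tag]) + struct.pack("!I", value)[1:]


def vlan_attributes(vlan_id: int) -> bytes:
    """The three attributes a switch needs to move a port into a VLAN."""
    return (_attr(ATTR_TUNNEL_TYPE, _tagged_int(TUNNEL_TYPE_VLAN))
            + _attr(ATTR_TUNNEL_MEDIUM_TYPE, _tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan_id).encode()))


def _response_authenticator(header, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_decide(department, eap_success, ident, request_auth, secret):
    """Authentication server: turn the EAP outcome into an Access-Accept that
    carries the department VLAN, or an Access-Reject if EAP failed or the
    user's unit is unknown."""
    if eap_success and department in DEPARTMENT_VLAN:
        code, attrs = ACCESS_ACCEPT, vlan_attributes(DEPARTMENT_VLAN[department])
    else:
        code, attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + _response_authenticator(header, request_auth, attrs, secret) + attrs


def switch_apply(response, request_auth, secret):
    """Authenticator (switch): verify the response came from the server that
    shares our secret, then choose the port VLAN. Returns the VLAN id."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if length != len(response):
        raise ValueError("RADIUS length field does not match packet")
    expected = _response_authenticator(header, request_auth, attrs, secret)
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: forged or wrong secret")
    if code == ACCESS_REJECT:
        return QUARANTINE_VLAN      # isolate the port rather than leave it open

    # Walk the TLVs; accept the VLAN only if all three tunnel attributes agree.
    seen, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        seen[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    ttype = int.from_bytes(seen.get(ATTR_TUNNEL_TYPE, b"\0\0\0\0")[1:], "big")
    tmed = int.from_bytes(seen.get(ATTR_TUNNEL_MEDIUM_TYPE, b"\0\0\0\0")[1:], "big")
    if ttype != TUNNEL_TYPE_VLAN or tmed != TUNNEL_MEDIUM_IEEE_802 \
            or ATTR_TUNNEL_PRIVATE_GROUP_ID not in seen:
        raise ValueError("Access-Accept lacks a usable VLAN assignment")
    group = seen[ATTR_TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:      # leading byte is a tag, not part of the name
        group = group[1:]
    return int(group.decode())


def demo():
    """One exchange each way: an engineering user passes EAP and lands in VLAN
    120; a finance user fails EAP and the switch isolates the port."""
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))         # stands in for the switch's random Request Authenticator
    ok = switch_apply(server_decide("engineering", True, 7, req_auth, secret), req_auth, secret)
    bad = switch_apply(server_decide("finance", False, 8, req_auth, secret), req_auth, secret)
    return ok, bad


if __name__ == "__main__":
    print(demo())   # (120, 999)
```

The switch-side check matters as much as the server-side policy: without verifying the Response Authenticator, anyone who can inject packets between switch and server could hand a port any VLAN they like. Real deployments also rely on the switch's own configured guest or auth-fail VLAN for the reject case; the constant here stands in for that.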

Disadvantages of 802.1X:

Every product's advantages come with corresponding drawbacks. 802.1X has rigorous authentication and secure isolation, but its architecture is correspondingly complex. Every edge switch must support 802.1X (most switch brands now do, so this is no longer a problem), and 802.1X also requires several servers to handle authentication, identity verification, VLAN assignment and IP address allocation. Before deployment, a great deal of work is needed to enter the MAC addresses of all devices in the enterprise, the related data has to be updated on multiple servers at once, and keeping that data synchronised afterwards takes considerable staff effort (even in an all-Microsoft environment of AD, NPS and DHCP the different functions do not synchronise with each other, and the data has to be created and maintained separately). More recently, NAC requirements for checking connecting devices have gone beyond authentication to include checks of the device's OS version, patch level and anti-virus signature version, admitting a device only once it is confirmed to be safe. This means still more kinds of servers have to be linked in the back end to perform these checks, making the overall architecture more complex and harder to maintain.

Another problem is that 802.1X authenticates and confirms identity only at the moment the device connects. Once approved, there is no further tracking (just as border customs checks travellers' documents only as they pass through, and stops managing them once they are in the country). For example, if an employee's computer legitimately joins the internal network and then changes its IP address without authorisation, 802.1X cannot manage that violation. Likewise, device tracking and management questions such as when a device goes offline (online and offline time records) or how many devices are currently online are outside the scope of 802.1X.

IP/ARP detection and blocking control solutions:

Unlike the 802.1X approach, another method controls access by device IP/MAC address, using the IP/ARP protocols to detect the MAC address of a connecting device in real time, determine whether it is an authorised device, and decide whether it may enter the network. An IP/MAC control system is based on observing the content of devices' ARP broadcasts. Every device joining an Ethernet environment must use ARP to communicate with other devices or the gateway; the system uses this to detect the connecting device's MAC, IP and related information in real time and determine whether that MAC address is authorised to enter the network. If the device is not authorised, the system blocks it from entering the network immediately by interfering with the device's ARP state.

Although this kind of NAC solution lacks the rigorous EAP-grade authentication of 802.1X, it has several advantages:
  1. Fast deployment and easy management.

  2. Compatible with network switches of any brand, so it integrates quickly into the enterprise network.

  3. Continuous real-time tracking: even after a device has been admitted to the network it remains under constant monitoring by the IP/MAC management system, with detailed records of events such as unauthorised IP address changes, moves between locations and when the device goes online and offline.

  4. Integration with Microsoft OS patch status and anti-virus signature updates: a version pre-check is performed the moment the device connects, and if the device later violates any network policy it can be blocked from the network at any time.
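The monitoring side of the IP/ARP approach, and the two gaps in 802.1X noted earlier (an admitted device changing its IP, and no record of who is online), can be made concrete with a small ARP observer. The following added example is not PIXIS code: it parses raw Ethernet/ARP frames, checks each sender's MAC against an authorisation list, flags an admitted device that starts claiming a different IP, and keeps online/offline records with an idle timeout. The authorisation list, the timeout, the MAC and IP values and the frame timeline are all constructed for the demo; a real deployment would feed it frames captured from the LAN and hand the resulting events to a separate enforcement component, which is deliberately left out here.

```python
"""Added example (not PIXIS code): the monitoring half of an IP/ARP-based NAC.
Parses ARP frames, checks sender MACs against an authorisation list, flags
admitted devices that change IP, and keeps online/offline records.
Inventory, timeout and frames are constructed for illustration."""
import struct
from dataclasses import dataclass, field

ETH_P_ARP = 0x0806
ARP_REQUEST = 1

# Constructed authorisation list: MAC -> the IP assigned to that device.
AUTHORISED = {"00:11:22:33:44:01": "10.0.10.11", "00:11:22:33:44:02": "10.0.10.12"}
OFFLINE_AFTER = 120   # seconds without ARP traffic before a device counts as offline


def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)


def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, opcode) for an IPv4-over-Ethernet ARP
    frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return _mac(frame[22:28]), _ip(frame[28:32]), oper


@dataclass
class Session:
    ip: str
    first_seen: float
    last_seen: float
    online: bool = True


@dataclass
class ArpMonitor:
    sessions: dict = field(default_factory=dict)   # MAC -> Session
    events: list = field(default_factory=list)     # (time, kind, mac, detail)

    def observe(self, frame: bytes, now: float):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        mac, ip, _oper = parsed
        self._expire(now)
        expected_ip = AUTHORISED.get(mac)
        if expected_ip is None:
            self.events.append((now, "UNAUTHORISED_MAC", mac, ip))
            return                      # not admitted: no session is opened
        s = self.sessions.get(mac)
        if s is None or not s.online:
            self.sessions[mac] = Session(ip, now, now)
            self.events.append((now, "ONLINE", mac, ip))
        else:
            s.last_seen = now
        if ip != expected_ip:           # admitted device now claims another IP
            self.events.append((now, "IP_CHANGED", mac, f"{expected_ip}->{ip}"))

    def _expire(self, now: float):
        """Mark devices that have been silent longer than OFFLINE_AFTER."""
        for mac, s in self.sessions.items():
            if s.online and now - s.last_seen > OFFLINE_AFTER:
                s.online = False
                self.events.append((s.last_seen, "OFFLINE", mac, s.ip))

    def online_count(self) -> int:
        return sum(1 for s in self.sessions.values() if s.online)


def arp_frame(src_mac: str, src_ip: str, oper: int = ARP_REQUEST) -> bytes:
    """Build a constructed broadcast ARP frame for the demo."""
    mac = bytes(int(x, 16) for x in src_mac.split(":"))
    ip = bytes(int(x) for x in src_ip.split("."))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac + ip + b"\x00" * 6 + ip
    return eth + arp


def demo() -> ArpMonitor:
    """Constructed timeline: two admitted devices, one unknown device, one
    admitted device changing its IP, and one going idle until marked offline."""
    m = ArpMonitor()
    m.observe(arp_frame("00:11:22:33:44:01", "10.0.10.11"), 0)
    m.observe(arp_frame("00:11:22:33:44:02", "10.0.10.12"), 5)
    m.observe(arp_frame("de:ad:be:ef:00:01", "10.0.10.50"), 10)    # unknown MAC
    m.observe(arp_frame("00:11:22:33:44:02", "10.0.10.99"), 20)    # IP changed
    m.observe(arp_frame("00:11:22:33:44:01", "10.0.10.11"), 100)   # .01 keeps talking
    m.observe(arp_frame("00:11:22:33:44:01", "10.0.10.11"), 200)   # .02 idle > 120 s
    return m


if __name__ == "__main__":
    for ev in demo().events:
        print(ev)
```

The MAC-based authorisation here is exactly as weak as the article says: a MAC is trivially spoofable, which is why this approach is presented as complementary to EAP authentication rather than a replacement for it. Its value is the continuous picture, the ONLINE/OFFLINE/IP_CHANGED events that 802.1X on its own never produces.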



The two NAC solutions use different architectures and protocols, and each has its own strengths. 802.1X, built on EAP and paired with dynamic VLANs, provides secure, rigorous network access authentication and dynamic VLAN assignment. IP/MAC control built on IP/ARP offers flexibility, fast deployment and continuous monitoring. In practice, combining the characteristics of the two absorbs the complementary strengths of both and gives a more complete NAC solution. Taiwan's PIXIS (飛泓科技) has developed and produced NAC products for many years and understands the functions and strengths of the various NAC protocols. It has integrated these two approaches, combining 802.1X and dynamic VLAN technology with IP/ARP control, into a new integrated NAC solution with a more complete set of functions:
  1. 802.1X high-security EAP authentication: when a device connects, the system can simultaneously run a pre-check of the device's OS patch status, anti-virus signature version and so on.

  2. Assignment of the user's device to its own unit's VLAN (dynamic VLAN): wherever in the company the device connects or moves to, on any floor or location, it always receives the same IP (MAC and IP can be bound), with full IPv4 and IPv6 assignment.

  3. Continuous device tracking (IP/MAC network policy tracking and control): beyond 802.1X authentication, devices remain monitored while on the network, and any violation of network policy can still be blocked immediately.

  4. Integrated guest and employee check-in systems: when a device connects, its MAC address is detected automatically with no manual entry; the guest or employee fills in their details and is immediately integrated into the back-end system for authentication and policy assignment, greatly reducing the staff effort of building and maintaining back-end data.

  5. Device control covering PCs, notebooks, tablets, phones, and wired and wireless endpoints alike.

  6. A single system covering authentication, VLAN information delivery and IP assignment, eliminating the multiple back-end servers 802.1X normally requires; the architecture is simple and quick to deploy, and staff and guest data is managed in one place without maintenance across several systems.
