* [Blog](https://www2.paloaltonetworks.com/blog) * [Palo Alto Networks](https://www2.paloaltonetworks.com/blog/corporate/) * [未分類](https://www2.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr) * 界定保護範圍以大幅縮小攻擊範圍... # 界定保護範圍以大幅縮小攻擊範圍 [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2018%2F10%2Fdefine-protect-surface-massively-reduce-attack-surface%2F%3Flang%3Dzh-hant) [](https://twitter.com/share?text=%E7%95%8C%E5%AE%9A%E4%BF%9D%E8%AD%B7%E7%AF%84%E5%9C%8D%E4%BB%A5%E5%A4%A7%E5%B9%85%E7%B8%AE%E5%B0%8F%E6%94%BB%E6%93%8A%E7%AF%84%E5%9C%8D&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2018%2F10%2Fdefine-protect-surface-massively-reduce-attack-surface%2F%3Flang%3Dzh-hant) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2F2018%2F10%2Fdefine-protect-surface-massively-reduce-attack-surface%2F%3Flang%3Dzh-hant&title=%E7%95%8C%E5%AE%9A%E4%BF%9D%E8%AD%B7%E7%AF%84%E5%9C%8D%E4%BB%A5%E5%A4%A7%E5%B9%85%E7%B8%AE%E5%B0%8F%E6%94%BB%E6%93%8A%E7%AF%84%E5%9C%8D&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/2018/10/define-protect-surface-massively-reduce-attack-surface/?lang=zh-hant&ts=markdown) [](mailto:?subject=界定保護範圍以大幅縮小攻擊範圍) Link copied By [John Kindervag](https://www.paloaltonetworks.com/blog/author/john-kindervag/?lang=zh-hant&ts=markdown "Posts by John Kindervag") Oct 20, 2018 1 minutes [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown) This post is also available in: [English (英語)](https://www2.paloaltonetworks.com/blog/2018/09/define-protect-surface-massively-reduce-attack-surface/ "Switch to 英語(English)") [Nederlands (荷蘭語)](https://www2.paloaltonetworks.com/blog/2018/10/definieer-een-verdedigingsoppervlak-om-uw-aanvalsoppervlak-enorm-te-verkleinen/?lang=nl "Switch to 荷蘭語(Nederlands)") [Deutsch (德語)](https://www2.paloaltonetworks.com/blog/2018/11/reduzieren-sie-ihre-angriffsflaeche-erheblich-durch-definition-einer-schutzflaeche/?lang=de "Switch to 德語(Deutsch)") [Italiano (義大利語)](https://www2.paloaltonetworks.com/blog/2018/11/definisci-la-superficie-da-proteggere-riducendo-notevolmente-la-superficie-di-attaco/?lang=it "Switch to 義大利語(Italiano)") [한국어 (韓語)](https://www2.paloaltonetworks.com/blog/2018/10/define-protect-surface-massively-reduce-attack-surface/?lang=ko "Switch to 韓語(한국어)") [Español (西班牙語)](https://www2.paloaltonetworks.com/blog/2018/11/defina-una-superficie-de-proteccion-para-reducir-drasticamente-la-superficie-de-ataque/?lang=es "Switch to 西班牙語(Español)") [Türkçe (土耳其語)](https://www2.paloaltonetworks.com/blog/2018/11/saldiri-yuzeyinizi-buyuk-olcude-azaltmak-icin-bir-koruma-yuzeyi-tanimlayin/?lang=tr "Switch to 土耳其語(Türkçe)") 在網路安全方面,有一件大家都會關注的事情,就是界定需要保護的內容。我們的共識是要防禦攻擊,但是攻擊都有自己的目標。這個目標是什麼? 多年來,我們一直在努力縮小攻擊範圍,但攻擊範圍卻有點像宇宙一樣,不斷擴張。每項新技術都會帶來一系列新的問題和弱點。最值得注意的是,物聯網導致攻擊範圍大幅擴大。新發現的弱點 (例如晶片組攻擊的潛在弱點 [Spectre 和 Meltdown](https://www.paloaltonetworks.com/blog/2018/01/threat-brief-meltdown-spectre-vulnerabilities)) 導致幾乎每個現今的運算系統都淪為整個攻擊範圍的一部份。 ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/08/thought_1.png) 零信任並不關注宏觀層面的攻擊範圍,而是確定需要保護的內容:盡可能縮小攻擊範圍或保護範圍。通常,零信任網路依據下列四項 (以首字母縮略詞 DAAS 表示) 的至少一項界定保護範圍: * 數據 (**D** ata):*需要保護哪些數據?* * 應用程式 (**A** pplication):*哪些應用程式使用敏感資訊?* * 資產 (**A** sset):*哪種資產最敏感?* * 服務 (**S** ervice):*哪些服務 (例如 DNS、DHCP 和 Active Directory) 遭入侵後可以用來破壞正常的 IT 運作?* 所幸,保護範圍不僅規模比整個攻擊範圍小,而且很容易得知。您可能不知道目前的範圍應該多大,但是您一定能找到答案。大多數組織都無法真正界定攻擊範圍,因此嘗試滲透的攻擊者得以完成入侵。有許多方法可以入侵組織巨大的保護範圍。因此建立大型周邊安全方法的構想經證實無法取得成功。在舊的模型中,防火牆和入侵防禦技術等控制措施被推到網路周邊,盡可能遠離保護範圍。 零信任會界定保護範圍,將控制措施盡可能移動到保護範圍附近,以界定微型周邊。運用新世代技術作為區隔閘道,我們可以在第 7 層政策中進行網路區隔,並精確控制進出微型周邊的流量。實際上,極少數使用者或資源才需要存取環境中的敏感數據或資產。透過擬定有限、精確且易於理解的政策聲明,我們可以限制攻擊者成功發動網路攻擊的能力。 *** ** * ** *** ## Related Blogs ### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown) [#### Strata Copilot - 加速邁向自發性網路安全性的未來](https://www2.paloaltonetworks.com/blog/network-security/introducing-strata-copilot/?lang=zh-hant) ### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown) [#### 醫療企業是勒索軟體攻擊者的首要目標](https://www2.paloaltonetworks.com/blog/2021/10/healthcare-organizations-are-the-top-target/?lang=zh-hant) ### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown) [#### 適用於 5G 的零信任:實現安全的數位轉型](https://www2.paloaltonetworks.com/blog/2021/10/zero-trust-for-5g-digital-transformation/?lang=zh-hant) ### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown) [#### 網路攻擊鎖定金融服務企業的 3 個原因以及防禦方式](https://www2.paloaltonetworks.com/blog/2021/10/financial-services-cyberattacks/?lang=zh-hant) ### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown) [#### 連續 7 年提供出色的客戶服務](https://www2.paloaltonetworks.com/blog/2021/10/delivering-outstanding-customer-service/?lang=zh-hant) ### [未分類](https://www.paloaltonetworks.com/blog/category/%e6%9c%aa%e5%88%86%e9%a1%9e/?lang=fr&ts=markdown) [#### Palo Alto Networks 研究:61% 的企業難以確保在家工作的遙距網絡安全](https://www2.paloaltonetworks.com/blog/2021/09/state-of-hybrid-workforce-security-2021/?lang=zh-hant) ### Subscribe to the Blog! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language