Research on VPN Technology Based on the Campus Network
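Abstract
A virtual private network (VPN) is a technology that uses tunneling together with encryption, identity authentication and similar methods to build an enterprise network over a public network. A VPN is called virtual because it has no fixed physical connection and uses the public network. It is called private because it uses routing to isolate Internet traffic and uses encryption to keep the communication secure. As a result, an enterprise network can be connected to wherever it is needed; not only do confidentiality, security and manageability become easier to address, but the cost of using the network also falls. In fact, VPN technology can also be applied inside a private network. Applying VPN technology to a campus network can break through the geographic limits of the private campus network or optimize the management and use of the campus network. After introducing background related to VPN, such as the TCP/IP protocols and encryption technology, this thesis discusses in some detail the IPsec protocol and the two main VPN protocols: the Point-to-Point Tunneling Protocol (PPTP) and the Layer 2 Tunneling Protocol (L2TP). Then, based on the concrete network structure and usage of the campus network, it proposes a campus-network-based VPN implementation plan. With this plan, VPN technology can be used to establish a virtual private network connection between two campuses, the area from which resources inside the private campus network can be accessed can be extended to anywhere connected to the Internet, and resource management inside the private network can be optimized. Finally, following the proposed plan, the thesis gives an example of building a VPN access server with the Routing and Remote Access Service (RRAS) of the Windows operating system, monitors and analyzes the process of accessing that VPN server by running the "Network Monitor" of the Windows 2000 system, tests the security of the VPN communication, and to some extent verifies the effectiveness of the proposed plan.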
VPN is the technology of building an intranet on top of the public network with the support of tunneling technology, encapsulation and authentication methods. A VPN is virtual in that it has no corresponding physical network but rather shares physical circuits with other traffic. A VPN is private in that it isolates Internet traffic with routing and secures it with encryption. That is to say, the intranet can be connected to anywhere. Not only can the problems of privacy protection, security and manageability be resolved, but the cost of the network can also be brought down. In fact, VPN technology can also be used inside a private network. Applied to a CAN, VPN can break the regional limits of the CAN or provide better ways and means of administering it. After introducing background knowledge related to VPN, such as the TCP/IP protocols and encryption technology, the article discusses in detail the IPsec protocol and the two main protocols of VPN: PPTP and L2TP. Then, according to the actual network structure and usage, the article proposes an implementation plan for VPN based on the CAN. With this plan, a virtual private network can be built between the two campus areas, the region from which the servers in the private CAN can be accessed is extended to anywhere that can connect to the Internet, and the administration of resources in the private CAN becomes easier and more reasonable. Finally, the article gives an example of building a VPN server with the RRAS of the Windows 2000 OS based on the given plan. The procedure of accessing the VPN server is monitored with the help of the "Microsoft Network Monitor". The analysis based on the monitoring results demonstrates the security of the VPN communication and verifies the effectiveness of the plan to some extent.