Research and Application of VPN Technology in Networking
Abstract
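Based on a systematic survey, this project addresses the problem that traditional Internet access services increasingly fail to meet user needs (traditional Internet access offers only single-purpose services such as browsing and e-mail, with no quality-of-service guarantee, no permission or security mechanisms, and a complex interface that is hard to master). It proposes the design goals, principles and solution for building a network with VPN technology, and achieves private use of a public network.
The problem is that the existing integrated services data network of the Liaoyang Public Security Bureau is rather complex. The headquarters connects to the sub-bureaus, the traffic police detachment, the fire detachment, the police stations, and the urban and rural stations and teams by dial-up. Limited by connection speed, internal document processing is very slow, office work is affected, and internal data cannot be shared. Security in use is also poor, and network security cannot be effectively guaranteed. Obtaining a new service requires filling in many forms and then waiting a considerable time before the service is available. More importantly, the terminal equipment at both ends is not only expensive but also needs specialist technical staff to manage it, which undoubtedly adds cost; nor can the existing integrated services data network, unlike the Internet, connect immediately with any organization in the world that uses the Internet.
To solve these problems, the Computer Application Development Center of the Liaoyang Telecom Netcom Branch and the Huawei Laboratory of Liaoning Information Vocational Technical College, working from the available equipment and technical capacity, proposed a plan of research: build a VPN network over direct fiber links, connecting the sub-bureaus at 10/100M to the city bureau's existing Nortel Passport 6480 router (the traffic police detachment, the fire detachment, Liaoyang County and Dengta City use the WANs and LANs they have each already built; the Public Security Bureau connects to the fire detachment over a DDN leased line and to the traffic police detachment over the broadcasting and television network's optical cable). A VPN network is built because the public security private network must be separated from external networks. The proposed solution uses MPLS VPN, one of the VPN technologies, to deliver the public security sector's services and security isolation.
This thesis describes in some detail the approach and implementation process for building a dedicated public security network with VPN technology, includes a system topology diagram, and selects appropriate hardware, achieving the security, efficiency and reliability that a dedicated public security network requires in use.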
Based on a systematic investigation, this thesis addresses the problem that traditional Internet service can no longer satisfy users' demands. (Traditional Internet service provides only simple services such as browsing and e-mail, without service guarantees or permission and security mechanisms, and its interface is complex and hard to master.) The thesis proposes the design goals, principles and solution for a network built on VPN technology. The solution realizes the function of a virtual private network over the public network.
The existing integrated services data network of the Liaoyang Public Security Bureau is quite complex. The bureau connects to the sub-bureaus, the traffic police detachment, the fire detachment, the local police stations, and the urban and rural teams by dial-up. Limited by connection speed, internal file processing is especially slow and office work is affected. Internal data also cannot be shared. Moreover, security is poor, and network security cannot be effectively guaranteed. A user who needs a new service has to fill in many forms and wait a considerable time before the service is available. More importantly, the terminal equipment at both ends is expensive and needs specialized technical personnel, which undoubtedly increases the cost. Nor can the existing integrated services data network connect immediately with any networked organization in the world, as the Internet does.
To solve these problems, the Computer Application Development Center of the Liaoyang Telecommunication Network Company and the Huawei Laboratory of Liaoning Information Vocational Technology Institute proposed a research plan based on the existing equipment and technical capacity. The plan is to build a VPN network over direct optical fiber links and to connect the sub-bureaus at 10/100M to the city bureau's existing Nortel Passport 6480 router (the traffic police detachment, the fire detachment, Liaoyang County and Dengta City have already completed their respective WANs and LANs; the Public Security Bureau connects to the fire detachment over a DDN leased line and to the traffic police detachment over the broadcasting and television network's optical cable). Considering current VPN approaches, I think MPLS VPN is the most suitable technology for delivering public security services and secure isolation; the public security network is partitioned as an independent VPN, providing secure isolation between the public security network and other users' networks.
This thesis describes in detail the approach and implementation process of using VPN technology to build a public security private network, includes the system topology diagram, and selects suitable hardware. The result achieves security, efficiency and reliability in the use of the public security private network.
