Research and Practice of Several Key Technologies of Virtual Private Networks
Abstract
As network communication becomes ever more frequent, data transmitted over the Internet faces a growing array of attacks. Under these circumstances many techniques for securing network data transmission have emerged; the Virtual Private Network (VPN) is one of the more effective of them.
     Taking the cost, security and extensibility of a VPN into account, a simple VPN system based on IPsec (Internet Protocol Security), IMD-VPN (Intermediate Driver VPN), is designed and implemented using intermediate driver technology, building a secure transmission tunnel between two security gateways. The architecture of IMD-VPN is given and the system's workflow is described. The detailed design of the encapsulation/decapsulation module, the encryption/decryption module and the authentication module of IMD-VPN is given, together with the algorithms used to implement the authentication and encryption functions in those modules and the main issues that must be considered in the implementation.
     The IMD-VPN system has a clear and simple structure. Its VPN software is written as an NDIS intermediate driver, which makes it easy to modify packet structure and improves the system's extensibility. At the same time, because the intermediate driver works at a low layer it can intercept and process packets directly; every packet sent or received must pass through the VPN software and cannot be skipped or ignored, which further strengthens the system's security.
     Experimental results show that IMD-VPN successfully intercepts and re-encapsulates outgoing packets at the client; once a packet is intercepted its structure can be modified as required, which provides the necessary conditions for loading network security protocols. The server side forwards the decapsulated original packet to the destination host, realizing the core VPN function of encapsulation/decapsulation.
As communication over the Internet becomes more frequent, more and more attacks threaten the security of the data transported. To solve this problem, many techniques for protecting the data have been invented; the VPN (Virtual Private Network) is one of the available choices.
     In order to build a less expensive, more secure and more extensible VPN, IMD technology is used. A simple VPN system named IMD-VPN (Intermediate Driver VPN), based on IPSec (Internet Protocol Security), is designed and implemented to build a secure tunnel between two security gateways. The architecture of the system is designed and its flow is described. A detailed design of the encapsulation/decapsulation module, the encryption/decryption module and the validation module is provided to describe the flow and functions of the system. The main problems that should be considered when implementing the system are also discussed.
     The IMD-VPN system has a simple structure that is easy to understand. The VPN software is coded with IMD technology, which allows the structure of the data to be changed. At the same time, because the IMD works at a low level of the operating system, it can capture and process packets directly. No packet can bypass or be ignored by the software. As a result, an additional security assurance is gained.
     The results show that IMD-VPN can successfully capture and re-encapsulate the packets to be sent at the client. Before packets are sent, they can be modified. The server can decapsulate the received packets and send them to the target computer. With these operations, the key function of a VPN is implemented.
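The abstract names three modules (encapsulation/decapsulation, encryption/decryption, validation) that every packet crossing the gateway tunnel must pass through. The added example below is not the thesis's driver code; it models only the packet transformation in user-space Python, with an ESP-style tunnel-mode layout, an outer IPv4 header addressed gateway to gateway, and HMAC-SHA256 in counter mode as a standard-library stand-in for the block cipher (the thesis does not name its algorithm). The SA values, addresses and inner packet are constructed.

```python
import hmac, hashlib, os, socket, struct
ESP = 50  # IP protocol number carried in the outer header for ESP

def ip_checksum(hdr):
    # Standard one's-complement checksum over the IPv4 header
    s = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ip_header(src, dst, total_len, proto=ESP):
    # Minimal 20-byte IPv4 header, used for the constructed inner packet and for the outer hop
    h = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack(">H", ip_checksum(h)) + h[12:]

def keystream(key, iv, n):
    # Counter-mode keystream with HMAC-SHA256 as the PRF: a stdlib stand-in for AES (assumption)
    return b"".join(hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encapsulate(inner, sa, seq, iv=None):
    # Tunnel mode, encrypt-then-MAC: whole inner packet -> [SPI|seq|IV|ciphertext|ICV], outer header in front
    iv = iv or os.urandom(16)
    body = struct.pack(">II", sa["spi"], seq) + iv + xor(inner, keystream(sa["enc"], iv, len(inner)))
    icv = hmac.new(sa["auth"], body, hashlib.sha256).digest()[:16]
    return ip_header(sa["src"], sa["dst"], 20 + len(body) + 16) + body + icv

def decapsulate(pkt, sa):
    # Receiving gateway: verify ICV and sequence number before touching the ciphertext, so forgeries and replays are dropped unread
    if len(pkt) < 60 or pkt[0] >> 4 != 4 or pkt[9] != ESP:
        raise ValueError("not an ESP tunnel packet")
    ihl = (pkt[0] & 0x0F) * 4
    body, icv = pkt[ihl:-16], pkt[-16:]
    if not hmac.compare_digest(hmac.new(sa["auth"], body, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ICV mismatch: packet altered in transit or wrong key")
    spi, seq = struct.unpack(">II", body[:8])
    if spi != sa["spi"]:
        raise ValueError("unknown SPI")
    if seq <= sa.get("last_seq", 0):
        raise ValueError("replayed or out-of-order sequence number")
    sa["last_seq"] = seq
    iv, ct = body[8:24], body[24:]
    return xor(ct, keystream(sa["enc"], iv, len(ct)))

# Constructed sample: one SA known to both gateways, and a UDP packet between two inner hosts
SA = {"spi": 0x1001, "enc": b"e" * 32, "auth": b"a" * 32, "src": "10.0.0.1", "dst": "10.0.0.2"}
INNER = ip_header("192.168.1.10", "192.168.2.20", 20 + 8, proto=17) + b"PAYLOAD!"
```

The receiver checks the ICV with a constant-time compare and rejects a non-increasing sequence number before decrypting, which is the order an IPsec gateway must keep so that a tampered or replayed packet never reaches the decryption step.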