Research on Security Based on IPSec VPN
Abstract
The rapid development of Internet technologies and services has made the exchange and sharing of information convenient, but it has also brought unprecedented security risks. The ease of use and standardisation of the IP protocol made it the standard protocol for data exchange on the Internet, but because it inherently lacks security guarantees, network attacks that exploit its weaknesses appear endlessly.
This thesis discusses IP security around five basic security properties (confidentiality, integrity, availability, controllability and non-repudiation). It proposes countermeasures for several common attack methods and, in particular, for ordinary DoS attacks it proposes a method of freezing offending IP addresses for a period that grows exponentially.
The IPSec protocol effectively guarantees the security of IP communication; a VPN system built with IPSec provides complete data encryption, data integrity verification and non-repudiation of communicating entities. This thesis analyses and compares several mainstream VPN tunnelling protocols and argues in detail for the importance of IPSec in providing security guarantees.
The main contribution of this thesis is the introduction of a tiered-protection concept on top of IPSec VPN: data are classified by security level and access-control permissions are set accordingly; firewalls use a history-dependent reputation policy to provide access control; the firewalls in the system are configured with a strength-tiering and logical-invocation strategy, providing flexible and efficient controllability protection; and a tag-header method resolves the conflict between firewalls and IPSec. This approach also follows the PDRR model.
The rapid development of Internet techniques and services provides convenience in the exchange and sharing of information, but meanwhile it brings unprecedented hidden risks to the security of the network. The operability and standardisation of IP (Internet Protocol) make it the standard of data exchange on the Internet. But because of its inborn security vulnerabilities, it has become the target of many kinds of network attacks.
According to the five basic elements of information security (confidentiality, integrity, availability, controllability, non-repudiation), this dissertation discusses the security of IP. It presents solutions to several of the most common network attacks, and in particular brings forward a general method against the DoS attack, which freezes illegal IP addresses based on an exponentially increasing freeze time.
The IPSec protocol provides efficient security assurance for IP communications. IPSec VPN provides mature mechanisms for data encryption, data-integrity validation and non-repudiation of communicating entities. This dissertation makes an analysis and comparison of several main tunnel protocols, and particularly discusses the importance of IPSec in the aspect of security assurance.
This dissertation mainly develops an idea of classified protection based on IPSec VPN, which has the following characteristics: classify the data according to different security requirements and set access limits for different people; use a history-interrelated credit policy within a single firewall and an intensity-classification and logic-call policy between firewalls, so that this kind of classified firewall mechanism provides flexible and efficient protection; and use a tag method to make firewalls and IPSec compatible. All of this complies with the PDRR model.
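The exponentially growing freeze time that the abstract proposes against DoS sources, as an added illustration that is not the thesis's own code: a per-source freeze table whose block duration doubles on each repeat offence. The base duration, growth factor, cap and packet threshold are assumed values, not parameters from the page.

```python
from dataclasses import dataclass, field


@dataclass
class FreezePolicy:
    """Escalating freeze table for sources that keep exceeding a rate threshold."""
    base_seconds: float = 60.0       # assumed: first freeze lasts one minute
    growth: float = 2.0              # assumed: each repeat offence doubles the freeze
    max_seconds: float = 86400.0     # assumed: freezes are capped at one day
    threshold: int = 100             # assumed: packets per window that count as abuse
    frozen_until: dict = field(default_factory=dict)  # ip -> release timestamp
    offences: dict = field(default_factory=dict)      # ip -> number of past freezes

    def freeze_duration(self, ip: str) -> float:
        """Duration of the next freeze: base * growth^n, capped, n = past freezes."""
        n = self.offences.get(ip, 0)
        return min(self.base_seconds * self.growth ** n, self.max_seconds)

    def is_frozen(self, ip: str, now: float) -> bool:
        return self.frozen_until.get(ip, 0.0) > now

    def observe(self, ip: str, packets: int, now: float) -> bool:
        """Feed one measurement window; return True if ip is frozen afterwards."""
        if self.is_frozen(ip, now):
            return True              # still serving an earlier freeze
        if packets >= self.threshold:
            self.frozen_until[ip] = now + self.freeze_duration(ip)
            self.offences[ip] = self.offences.get(ip, 0) + 1
            return True
        return False


def replay(policy: FreezePolicy, windows) -> list:
    """Run constructed (ip, packets, time) windows; return the freeze decisions."""
    return [policy.observe(ip, pkts, t) for ip, pkts, t in windows]


# Constructed sample: one source keeps flooding, the other stays polite.
SAMPLE_WINDOWS = [
    ("203.0.113.7", 500, 0.0),     # flood -> frozen 60 s
    ("203.0.113.7", 500, 30.0),    # still frozen, no new freeze
    ("198.51.100.2", 3, 30.0),     # normal traffic, untouched
    ("203.0.113.7", 500, 100.0),   # released at 60 s, floods again -> frozen 120 s
    ("203.0.113.7", 500, 300.0),   # third offence -> frozen 240 s
]

if __name__ == "__main__":
    p = FreezePolicy()
    print(replay(p, SAMPLE_WINDOWS))       # [True, True, False, True, True]
    print(p.frozen_until["203.0.113.7"])   # 540.0 (300 + 240)
```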