A Virtual Mobile Private Network System Based on Handheld Smart Terminals
Abstract

Handheld smart terminals are increasingly used for mobile office work, mobile banking, mobile securities trading and similar services, all of which demand a high level of security and reliability. Protecting data in transit over wireless links is therefore becoming more important, and building a virtual mobile private network (VPN) system for handheld smart terminals is a feasible solution.

Building on a detailed study of conventional VPN technology, this thesis proposes a model for implementing a VPN on handheld smart terminals. The model consists of three main modules: the virtual mobile private network client, the security policy server, and the virtual private network gateway.

A virtual network adapter is constructed with a driver. It answers DHCP and ARP packets with forged reply packets and captures data packets. To control the adapter's send and receive packet buffers correctly, an exclusive lock is designed to manage these resources.

To reduce system resource consumption on the handheld terminal and improve compatibility, an IPSec processing model based on the virtual network adapter is proposed. The virtual adapter intercepts packets at the bottom of the system and passes them up to user mode, where they are analysed and given security processing under the security policy; complex operations that previously had to run in kernel mode are thereby moved into user mode. The detailed implementation of IPSec on this basis is studied.

A VPN tunnel only secures data while it is in transit. To prevent unsafe elements from spreading through the VPN, and to enforce security control at the data source, a method that uses hook techniques to intercept application program entry points (API hooking) is proposed, giving real-time monitoring of the runtime environment of handheld terminals while they use the VPN.

Finally, practical application tests verify the feasibility of the overall scheme, and a virtual mobile private network system for handheld smart terminals running on the Windows Mobile operating system is implemented.
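The virtual adapter's frame dispatch described above (forged ARP and DHCP replies, capture of everything else for the user-mode IPSec engine), as an added example that is not the thesis's NDIS driver code: a user-mode C model that classifies an Ethernet frame the way the driver would and synthesises the ARP reply it fakes. The frame layouts assumed are Ethernet II, ARP over IPv4 (RFC 826) and DHCP over UDP/IPv4 (ports 67/68); the sample frames, addresses and the gateway MAC are constructed for the example. DHCP reply construction and the IPSec processing itself are not shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR 14
#define ARP_LEN 28

/* What the virtual adapter does with a frame handed down by the local stack. */
enum frame_kind { FRAME_MALFORMED, FRAME_ARP_REQUEST, FRAME_DHCP, FRAME_DATA, FRAME_OTHER };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify a frame. Every field read is preceded by a length check: in the real
 * driver an out-of-bounds read on a malformed frame would be a kernel fault. */
enum frame_kind classify_frame(const uint8_t *f, size_t len)
{
    if (len < ETH_HDR) return FRAME_MALFORMED;
    uint16_t ethertype = rd16(f + 12);
    if (ethertype == 0x0806) {                          /* ARP */
        if (len < ETH_HDR + ARP_LEN) return FRAME_MALFORMED;
        const uint8_t *a = f + ETH_HDR;
        /* htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=1 (request) */
        if (rd16(a) == 1 && rd16(a + 2) == 0x0800 && a[4] == 6 && a[5] == 4 && rd16(a + 6) == 1)
            return FRAME_ARP_REQUEST;                   /* answered locally by the driver */
        return FRAME_OTHER;
    }
    if (ethertype != 0x0800) return FRAME_OTHER;        /* not IPv4: not tunnelled */
    if (len < ETH_HDR + 20) return FRAME_MALFORMED;
    const uint8_t *ip = f + ETH_HDR;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HDR + ihl) return FRAME_MALFORMED;
    if (ip[9] == 17) {                                  /* UDP: look for DHCP ports */
        if (len < ETH_HDR + ihl + 8) return FRAME_MALFORMED;
        const uint8_t *udp = ip + ihl;
        uint16_t sport = rd16(udp), dport = rd16(udp + 2);
        if ((sport == 68 && dport == 67) || (sport == 67 && dport == 68))
            return FRAME_DHCP;                          /* answered locally by the driver */
    }
    return FRAME_DATA;                                  /* captured for user-mode IPSec */
}

/* Build the ARP reply the adapter fakes so the stack believes the gateway is
 * on-link. gw_mac is the MAC the virtual adapter claims for the gateway
 * (assumed value). Returns bytes written (42) or 0 on error. */
size_t build_arp_reply(const uint8_t *req, size_t len, const uint8_t gw_mac[6],
                       uint8_t *out, size_t outlen)
{
    if (classify_frame(req, len) != FRAME_ARP_REQUEST || outlen < ETH_HDR + ARP_LEN) return 0;
    const uint8_t *a = req + ETH_HDR;
    memcpy(out, req + 6, 6);            /* dst MAC = requester's MAC */
    memcpy(out + 6, gw_mac, 6);         /* src MAC = claimed gateway MAC */
    out[12] = 0x08; out[13] = 0x06;
    uint8_t *r = out + ETH_HDR;
    memcpy(r, a, 6);                    /* htype, ptype, hlen, plen copied */
    r[6] = 0; r[7] = 2;                 /* oper = reply */
    memcpy(r + 8, gw_mac, 6);           /* sender MAC */
    memcpy(r + 14, a + 24, 4);          /* sender IP = the IP that was asked for */
    memcpy(r + 18, a + 8, 6);           /* target MAC = requester MAC */
    memcpy(r + 24, a + 14, 4);          /* target IP = requester IP */
    return ETH_HDR + ARP_LEN;
}

/* Constructed sample: ARP "who has 10.0.0.1, tell 10.0.0.2" from the local stack. */
size_t sample_arp_request(uint8_t *buf)
{
    static const uint8_t req[ETH_HDR + ARP_LEN] = {
        0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x06,
        0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x01,
        0x02,0x00,0x00,0x00,0x00,0x02, 10,0,0,2,
        0x00,0x00,0x00,0x00,0x00,0x00, 10,0,0,1 };
    memcpy(buf, req, sizeof req);
    return sizeof req;
}

/* Constructed sample: minimal IPv4 frame (IHL 5, 10.0.0.2 -> 10.0.0.1) with an
 * 8-byte L4 header; ports sit at the same offsets for UDP and TCP. */
size_t sample_ipv4_frame(uint8_t *buf, uint8_t proto, uint16_t sport, uint16_t dport)
{
    static const uint8_t eth[ETH_HDR] = {
        0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x08,0x00 };
    memset(buf, 0, 42);
    memcpy(buf, eth, ETH_HDR);
    buf[14] = 0x45; buf[17] = 28; buf[22] = 64; buf[23] = proto;   /* ver/ihl, len, ttl, proto */
    buf[26] = 10; buf[29] = 2; buf[30] = 10; buf[33] = 1;           /* src/dst IP */
    buf[34] = (uint8_t)(sport >> 8); buf[35] = (uint8_t)sport;
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;
    return 42;
}

int main(void)
{
    static const uint8_t gw_mac[6] = {0x02,0x56,0x50,0x4e,0x00,0x01};
    uint8_t frame[64], reply[64];
    size_t n = sample_arp_request(frame);
    size_t rn = build_arp_reply(frame, n, gw_mac, reply, sizeof reply);
    printf("ARP request -> kind %d, reply %zu bytes, oper=%u\n",
           (int)classify_frame(frame, n), rn, (unsigned)rd16(reply + 20));
    n = sample_ipv4_frame(frame, 17, 68, 67);
    printf("UDP 68->67  -> kind %d (FRAME_DHCP=%d)\n", (int)classify_frame(frame, n), (int)FRAME_DHCP);
    n = sample_ipv4_frame(frame, 6, 40000, 443);
    printf("TCP to :443 -> kind %d (FRAME_DATA=%d)\n", (int)classify_frame(frame, n), (int)FRAME_DATA);
    return 0;
}
```

Answering ARP and DHCP inside the adapter is what lets the stack treat the tunnel as an ordinary on-link network without any physical neighbour: the gateway address the stack resolves is the virtual adapter's own claimed MAC, and every non-DHCP IPv4 frame is diverted to the user-mode engine for policy checking and IPSec encapsulation. The length validation before each field read is the part a driver must not skip, since the same code path runs in kernel mode.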