Design and Implementation of a Dynamic-Password VPN Access System
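Abstract
Virtual private network (VPN) technology joins networks at physically separate locations into a logical virtual subnet over a public backbone network, especially the Internet. To safeguard information, VPN technology applies authentication, access control, confidentiality and integrity measures to prevent information from being leaked, tampered with or copied.
     This thesis mainly shows how to implement a secure, reliable, high-performance, interoperable and low-cost virtual private network (VPN) for an enterprise over a public data network. It extends and improves the hardware VPNs in common use today by combining Radius, LDAP, CMPP, reverse proxy, client request and other technologies into one complete solution. It also studies the implementation mechanisms of the related technologies.
     Traditional VPN technology suffers from limited user-management functions, low password security, no ability to integrate with other applications, and excessive investment cost. Taking the concrete business requirements of the Shandong Mobile Accounting Center as its starting point, this thesis describes in detail how dynamic passwords, mobile-phone short messages, the Radius authentication service and user directory management (LDAP) are applied to extend the limits of existing VPN equipment. On the implementation details, it also presents the technical framework of the whole solution, the system environment setup and the application deployment, and gives design descriptions of the client request, dynamic password generation, Radius password verification and back-end user management.
     In addition, it examines the design and development tools used in the system's design and implementation, such as the UML Unified Modeling Language and Eclipse.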
A virtual private network (VPN) is a dedicated communications network tunneled through another network. It is a virtual network that connects physically different locations, especially through the public Internet. To ensure information security, it uses a range of technologies such as user authentication, access control and content encryption to prevent eavesdropping, tampering and copying of information.
     This paper focuses on how to provide a safe, reliable, high-performance, easy-to-operate and low-cost VPN to enterprise clients via the public data network. It extends and improves existing VPN technologies that are currently in wide use. It integrates Radius, LDAP, CMPP, reverse proxy and client request into a complete solution. It also studies the implementation details of those technologies.
     Traditional VPN technologies have problems such as poor user management, low security on content encryption, large investment cost and separation from other applications. This paper studies how to overcome the limitations of existing VPNs and extend their functionality. The study is based on the business requirements of the Shandong Mobile Accounting Center. It covers dynamic passwords, cell phone short messages, Radius authentication and LDAP. It gives the implementation details, including the technical architecture, the system environment and the application deployment. It also gives a detailed description of the client request, dynamic password generation, Radius password validation and back-end user management.
     UML and Eclipse are used for system design and solution development. This paper also studies those tools.
