Building an Enterprise Information System with SSL VPN
Abstract
The development of SSL VPN complements existing SSL applications, raising the level and capability at which a company can enforce access control and security. SSL VPN also helps enterprises whose security has been weakened by their use of remote-access application systems. By its nature, dial-up offers relative security, because a specific telephone line can confirm the user's identity. Client/server systems and older VPNs also provide a certain level of security assurance, because client software has to be installed. Even with such security policies and properties, however, hacker intrusions, security threats and identity fraud are undeniably on the rise. With SSL VPN the security characteristics have changed: people can access applications through a browser.
The value of SSL VPN has many aspects; the most important are improved access control, security and ease of use, and a high return on investment.
Access control: SSL VPN is more effective for access control because it implements centralized user management. All remote access is controlled through the SSL VPN console, which allows more effective monitoring of user privileges; these users may be company employees, partners or customers. All access is restricted to the application layer, and permissions can be refined down to a single URL or a single file. With IPSec VPN, by contrast, security permissions are limited to the network level.
SSL VPN does not require complex client support, which makes it easy to install and configure and markedly reduces cost. IPSec VPN requires specific equipment to be installed on the remote end user's side to establish a secure tunnel, and in many cases establishing a tunnel on external (or non-enterprise-controlled) devices is quite difficult. In addition, such complex clients are hard to upgrade, and new users may face even more trouble, such as system operation and support issues, time overhead and management issues. IPSec solutions have a lower initial cost but high operating and support costs. Today, SSL vendors can provide network-layer support for network application access, as if the remote machine were on the LAN, while also providing application-layer access for Web applications and many client/server applications.
In short, the technology has proven its maturity and reliability in mission-critical environments. SSL VPN will play an invaluable role in enterprise applications, but for enterprises that generally lack specialized technical staff, deploying and using it remains out of reach, and cost is also an important constraint.
This thesis designs and implements such a software SSL VPN system. The system is inexpensive, even free, and most importantly it is easy to deploy and manage. The administrator needs only general SSL VPN knowledge to install it (as with an ordinary Windows software installer) and deploy it, and a standard Windows graphical interface is provided for managing the SSL VPN system.
The research covers the following aspects:
Study the SSL VPN concepts and content currently prevalent worldwide, and design an SSL VPN network system suited to China's small and medium-sized enterprises, in particular one whose installation, deployment and maintenance they can afford. Study the latest international open-source projects OpenSSL and OpenVPN, and use the code of these two projects to build a software SSL VPN system.
Finally, combining the two results above, create a standard Windows application for managing and configuring the SSL VPN system. It has a standard Windows graphical interface, makes configuring and managing the SSL VPN system very simple, and lets ordinary system administrators maintain and manage it.
