This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
With the development of the company, companies hope that the headquarters and branch offices, headquarters and partners can communication secure information at any time, and go out to office staff can access critical enterprise data, anytime, anywhere to share business information, improve efficiency. Some large multinational companies to solve this issue, this is between the various companies dedicated leased line carriers. Although this method can solve problem, but expensive, the small and medium-size enterprise cannot afford and VPN technology can solve this problem. According to company the needs of users, followed convenient and practical, efficient low-cost, safe and reliable network infrastructure and related principle, then decision using (ISA server) VPN security program.
2. Virtual Private Network
2.1 VPN Definition
VPN (Virtual Private Network) is defined through a public network (usually is Internet) to establish a temporary, secure connection, is a security, stability tunnel that through a confusion of the public network. Virtual Private Network is an extension of the intranet. VPN can help remote user, branches, business partner and provider connect to company intranet establish credible secure connection, and to ensure secure transmission of data. In addition, VPN also can protect existing network investment.
2.2 VPN Operating Principle
The Internet as a dedicated wide area network, we must overcome two major obstacles. First, network usually use multiple protocols such as IPX and NetBEUI to communicate, however, the Internet can only handle IP traffic. So, VPN will need to offer a method of non-IP protocol from one network to anther network. Secondly, online transmission of data packet transmitted in clear text format, thus, as long as see the internet flow, you can read the data contained in the bag. If company hope utilize the Internet transmission important business confidential information, that obvious is a big problem. VPN overcome these problem that is to use the tunnel technology: data package transmission is not open on the Internet, but first of all be encrypted to ensure security, and then encapsulated into IP packets from the VPN form of transmission line through the tunnel, shown in the figure 1,
Network VPN tunnels initiated device communication with the target network of the VPN tunnels initiated device. Both agree on the encryption scheme, and then the tunnels initiated device encryption on the package, to ensure safety.
Finally, VPN initiated device will encryption entire encryption package become IP packet. In the target network, VPN tunnels terminator receive the package, and then remove the IP information, then according to the agreed method of the package to decryption, later on obtained package distributed to the remote access server or the local router, they hide in the IPX packet send to the network, eventually sent to the appropriate destination.
2.3 VPN Technology
Based on the Figure 2, VPN can classify as remote access and site to site.
Dial belong to remote access, it also can be divided into Client initiated and NAS initiated. Remote mobile user through VPN technology can be anytime, anyplace using dial-up, ISDN, DSL, mobile IP and cable technology establish a secret tunnel connect with corporate headquarters, company intranet VPN device, to achieve access connection, this time the remote user terminal device must be installed appropriate VPN software.
Dedicated belong to site to site, that can be divided into IP Tunnel, Virtual Circuit and VPN Aware Network. IP tunnel that is can be based on the existing network through authentication, encryption and other technologies to achieve VPN, usually use router or some security appliance to achieve site to site. In reality, there are much large-scale equipment such as FR and ATM; they provide virtual circuit to achieve site to site. VPN Aware Network that usually can see in MPLS.
Tunneling is VPN supporting technology, so-called tunneling, actually it is a kind of encapsulation, is to a protocol (Protocol X) is encapsulated in another protocol (Protocol Y) in the transmission, thus protocol X to achieve the transparency of the public network. Over here, protocol X is called Encapsulated Protocol; protocol Y is called Encapsulation Protocol, package that usually with a specific tunnel control information, so the tunnel protocol general format is ((protocol Y) tunnel header (protocol X)). In the public network (Generally refers to Internet) transmission process, only have VPN port or gateway IP address exposed to the outside.
Tunnel solve private network and public network compatible problem, that advantage is able to hide the sender, the recipient's IP address and other protocol information. VPN tunneling technology to provide user with a seamless secure, point to point connectivity services to ensure the security of information resources.
Tunnel is formed by the tunneling protocol. Tunneling protocol can classify as Second Layer and Third Layer Tunneling Protocol, the Second layer Tunneling Protocol such as L2TP, PPTP and L2F etc, and they are working in the second layer of OSI architecture (Data Link Layer); third layer tunneling protocol such as IPSec, GRE etc, they are working in the third layer of OSI architecture (Network Layer).
Second layer tunneling protocol is building on the site to site of the PPP protocol, fully utilize PPP protocol support the characteristics of multi-protocol, first encapsulate a variety of network protocol(such as IP, IPX etc.) to PPP frame, then put the entire data package into the tunneling protocol. PPTP (Point to Point Tunneling Protocol), and L2TP (Layer 2 Tunneling Protocol) are mainly used for remote access Virtual Private Network.
Third layer tunneling protocol is put a variety of network protocol directly into the tunneling protocol, the formation of data packets depend on network layer protocol for transmission. Whether in terms of scalability, or security, reliability, the third layer is better than the second layer tunneling protocol. IPSec that is IP security protocol is currently the best choice to achieve VPN function.
2.3.2 Encryption, Decryption and Authentication
Encryption and Decryption are another core technology of the VPN. For ensure the data security during transmission, users are not illegal to steal or tamper, generally are encrypted before transmission, then on the recipient side decrypt it.
The authentication is the problem of how you know who to open a tunnel and who not to open on VPN. Because the user or other remote connection or not connection to your LAN.
2.3.3 Access Control
VPN basic function is difference user with different access to the host or server is not the same. By the VPN service provider network with the ultimate provider of information resources jointly negotiated a particular user access to specific resources; follow that to achieve fine-grained access control based on user, and achieve maximum protection of information resources.
2.3.4 VPN major Security Protocol
PPTP is a Second Layer Protocol, which is going to PPP data frames encapsulated in IP datagram through the IP network, such as Internet transmission. PPTP also can used in dedicate local area network.
Microsoft and Cisco combine the advantages of the PPTP and L2F protocols to form the L2TP protocol. L2TP support multi-protocol, use public network encapsulate PPP frames, be able to achieve compatible with enterprise original non-IP network.
IPSec is IETF (Internet Engineer Task Force) safety standards are improving; it is the combination of several security technologies to form a more complete system, which has attracted attention and support by vendors. Through data encryption, integrity checks to ensure reliability of data transmission, private and confidential. IPSec formed form the IP Authentication Header, Encapsulated Security payload and Key Management Protocol.
VPN, there are many specific implementations. In ISA can use three protocol to establish VPN connection below:
IPSEC Tunneling modelï¼›
ï‚·L2TP over IPSec modelï¼›
Table 1 shown compares the three protocols:
IPSec Tunneling model
Connect to third-party VPN servers
This is the only can connect to non-Microsoft VPN server mode.
L2TP over IPSec
Connected to the ISA Server 2000, ISA Server 2004 or Windows VPN Server
Use RRAS which is more understand than IPSec tunnel mode, but requires the remote VPN server is the ISA Server or Windows VPN server.
Connected to the ISA Server 2000, ISA Server 2004 or Windows VPN Server
Using RRAS, with L2TIP have the same restrictions, but easier to configure. Since the use of IPSec encryption, L2TP also think it is more secure.
Three site all use ISA VPN as security gateway, L2TP over IPSec combines L2TP and IPSec of advantages, so here using L2TP over IPSec as a VPN implementation plan.
2.4.2 Plan to achieve the purpose
1) Between headquarters and branches and partners, make sure the security of data transmission.
2) Mission staff would like to connect back to headquarters and branch staff can use IPSec connect back to corporate networks.
3) Within the network based implementation of Internet access control, through the VPN device access control policy, access to the PC the strict access control.
4) The external network can withstand hackers, the role played Firewall. With control and limit the security mechanisms and measures, with features such as firewalls and anti-attack.
5) The deployment of flexible, easy to maintain, provide powerful management capabilities to reduce the amount of system maintenance to meet the need of large-scale networking.
2.4.3 VPN network set up program