Comprehensive application of VPN Security Technology in site-to-site and client

Source: Internet
Author: User
Tags: secure vpn

VPN security technology is now widely used. This article looks at how it is applied in site-to-site and client-to-site deployments. Network security is difficult to achieve, and achieving it is expensive. Because commercial applications and business practices on enterprise network infrastructure are developing rapidly, every enterprise tries to understand and control the associated risks, which has made the term "network security" more and more common.

Although this situation is somewhat worrying, it simply reflects the truth that absolute security does not exist. On public network infrastructure, enterprises use VPNs (virtual private networks) to establish secure, end-to-end private network connections. Using their own or leased optical fibre links and wide area networks, many enterprises have built private, trusted network infrastructures and have relied on physical security to provide a degree of confidentiality. When these enterprises move from expensive, dedicated, secure connections to the lower-cost Internet, they need secure communication over a network that is generally considered insecure. VPN security technology reduces the risk of transmitting data over the Internet and can replace expensive dedicated leased lines. From the user's point of view, the physical network underneath the tunnel is irrelevant, because the information appears to travel over a dedicated private network. VPN tunnelling encapsulates data inside IP packets in order to carry information that requires additional security or that does not conform to Internet addressing standards.

Site-to-site VPN

An enterprise network environment may contain remote-access VPNs, internal (intranet) VPNs, and extended intranet VPNs. A good security policy describes in detail the enterprise's basic structure, its information authentication mechanisms, and its access permissions. In many cases these change as the ways of accessing enterprise resources change. For example, the authentication mechanism for a remote-access VPN is stricter than that of an intranet VPN or an extended intranet VPN.

In some offices, information must be shared among multiple LANs. For example, when the gateway devices of two offices share information over a secure VPN tunnel, the site-to-site VPN establishes a one-to-one association between the endpoints of the two networks through that tunnel. A single VPN tunnel protects the communication between many hosts and file servers. In its simplest form, an encrypted IP channel is established between two servers or routers so that packets are forwarded securely to and from the Internet. The VPN tunnel endpoint devices create a logical point-to-point connection across the Internet, and a route can be configured on each gateway device so that packets are routed over the VPN link.

Client-to-site VPN

When a client outside the site's LAN requests access to internal data, it must initiate a client-to-site VPN connection; this secures the path from the client to the site's LAN. A client-to-site VPN is a collection of many tunnels whose exits share a single endpoint on the LAN side. One or more clients connect to the VPN server to set up a secure VPN connection; each client obtains an IP address from the server and can then access internal data securely from an insecure remote location, so that the client appears to be a member of the server's LAN.

Some client-to-site VPN solutions use split tunnelling on the client. This has many security implications: a remote client can send traffic over a separate data path instead of through the encrypted VPN tunnel, and a filter decides which traffic is sent in plain text. Note, however, that split tunnelling bypasses the protection of the VPN security technology, so this feature must be used with caution.
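The filter described above decides, per destination, whether a packet enters the encrypted tunnel or leaves the client in plain text. The following Python script is an added example, not code from the original article: it models such a split-tunnel filter as a list of pushed prefixes and audits a constructed inventory of internal services for any that the filter would expose. All prefixes, service names and addresses are constructed.

```python
import ipaddress

# Constructed split-tunnel configuration: the prefixes the VPN server pushes to the client as
# "send through the tunnel". Any other destination takes the local, unencrypted path.
TUNNELED_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]

# Constructed inventory of internal services that must only be reached through the tunnel.
INTERNAL_SERVICES = {"fileserver": "10.20.1.15", "intranet": "172.20.3.4", "hr-portal": "192.168.50.8"}

def path_for(dst, prefixes=TUNNELED_PREFIXES):
    """The split-tunnel filter: 'tunnel' if dst falls inside a pushed prefix, else 'direct'."""
    addr = ipaddress.ip_address(dst)
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return "tunnel" if any(addr in n for n in nets) else "direct"

def classify_flows(flows, prefixes=TUNNELED_PREFIXES):
    """Classify client flows given as (dst_ip, dst_port) pairs, e.g. taken from a connection log."""
    return {(dst, port): path_for(dst, prefixes) for dst, port in flows}

def audit_split_tunnel(services, prefixes=TUNNELED_PREFIXES):
    """Defender check: names of internal services the filter would send in plain text."""
    return sorted(name for name, ip in services.items() if path_for(ip, prefixes) == "direct")

if __name__ == "__main__":
    # Constructed flows: two internal destinations and one public web site (documentation range)
    sample = [("10.20.1.15", 445), ("192.168.50.8", 443), ("203.0.113.9", 443)]
    for flow, path in classify_flows(sample).items():
        print(flow, "->", path)
    print("exposed by the filter:", audit_split_tunnel(INTERNAL_SERVICES))   # ['hr-portal']
```

Passing `["0.0.0.0/0"]` as the prefix list models a full tunnel, for which the audit reports nothing.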

For example, many client-to-site VPNs have a mechanism that lets laptop users establish a secure connection to the enterprise office. Some VPNs do not require user authentication and rely on device authentication alone. You must therefore take special care to keep these laptops secure and to avoid any situation that threatens security.

Enterprise VPN Security Application

To secure VPN traffic, identity authentication, tunnelling, and encryption must be combined. An IP-based VPN provides IP tunnels between two network devices, either site-to-site or client-to-site. The data sent between the two devices is encrypted, so that a secure network path is created over an existing IP network. A tunnel is a virtual path or point-to-point connection between two devices across the Internet; most VPN implementations use tunnels to create a private network path between two devices.

Some VPN services are built with Secure Shell tunnelling, Secure Sockets Layer/Transport Layer Security, or other secure application protocols. These protocols provide secure end-to-end communication for specific applications and can sometimes be combined with the tunnelling protocols discussed here. IPsec has two modes of use: transport mode, which secures an existing IP packet from its source to its destination; and tunnel mode, which places an existing IP packet inside a new IP packet that is sent in IPsec format to a tunnel endpoint. Both transport mode and tunnel mode can use either an ESP or an AH header.

Transport mode provides end-to-end security for the IP traffic between two end-user systems, for example securing a TCP connection or a UDP datagram. IPsec tunnel mode is used mainly to provide security at intermediate network nodes, routers, or gateways: it protects the traffic that flows from a private IP network, across a public or untrusted IP network, through the tunnel to addresses in another private IP network. Both modes require a complex security negotiation between the two computers, carried out with Internet Key Exchange (IKE).

When an IPsec policy is configured, the endpoint computers first use IKE phase 1 to establish a secure channel and a primary security association covering all traffic between the communicating parties; this step uses device authentication and generates a shared master key. IKE phase 2 then negotiates a further security association for the application traffic to be protected, including the generation of a shared session key. Only the two computers know these two keys. Data exchanged under the security associations is well protected and cannot be modified or monitored by attackers on the network. The keys are refreshed automatically according to the IPsec policy, which provides the level of protection defined by the administrator.

The IETF (Internet Engineering Task Force) IPsec tunnelling protocol specification does not contain a mechanism suited to remote-access VPN clients. The omitted features include user authentication options and client IP address configuration; these have since been addressed by additional Internet Drafts, which propose standard methods for extended user-based authentication and address allocation. Before using them, however, interoperability between products of different vendors should be verified, because each vendor has chosen to extend the protocol in its own way.

IPsec transport mode (AH or ESP) applies only when the sender and receiver of the protected traffic are themselves hosts (that is, the IPsec endpoints). IPsec tunnel mode applies to both hosts and security gateways, and a security gateway must use tunnel mode. Since all site-to-site and client-to-site VPN security technologies involve some security gateway, tunnel mode is used in most VPN deployments.
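The difference between the two IPsec modes described above (the original header staying outside ESP in transport mode, against the whole packet being wrapped in a new gateway-to-gateway header in tunnel mode) is easiest to see on the wire. The Python script below is an added example, not code from the original article: it encapsulates a constructed IPv4 packet in ESP in both modes and verifies the result on the receiving side. To keep the layout visible it uses ESP NULL encryption (RFC 2410) with an HMAC-SHA-256-128 integrity check; the host and gateway addresses and the key are constructed, and a real security association would take its keys from IKE phase 2 and use an encrypting transform.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50   # IP protocol number the outer header carries for ESP
IPIP_PROTO = 4   # ESP next-header value meaning "a whole IPv4 packet follows" (tunnel mode)
ICV_LEN = 16     # HMAC-SHA-256-128: the 32-byte MAC is truncated to 16 bytes (RFC 4868)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (src/dst as packed 4-byte addresses) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0, src, dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:                                  # fold carries into the low 16 bits
        csum = (csum & 0xFFFF) + (csum >> 16)
    struct.pack_into("!H", hdr, 10, ~csum & 0xFFFF)
    return bytes(hdr)

def esp_encapsulate(ip_packet, spi, seq, auth_key, mode, gw_src=None, gw_dst=None):
    """Wrap an IPv4 packet in ESP (NULL encryption, HMAC-SHA-256-128 ICV). In transport mode the
    original IP header stays outside ESP and next-header is the inner protocol; in tunnel mode the
    whole packet is the ESP payload, next-header is 4, and a new gw_src->gw_dst outer header is added."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if mode == "transport":
        inner, nxt, src, dst = ip_packet[ihl:], ip_packet[9], ip_packet[12:16], ip_packet[16:20]
    elif mode == "tunnel":
        inner, nxt, src, dst = ip_packet, IPIP_PROTO, gw_src, gw_dst
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    pad_len = -(len(inner) + 2) % 4                    # payload+pad+padlen+next-header: 4-byte aligned
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default pad pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, nxt])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]   # covers SPI, seq, payload, trailer
    return ipv4_header(src, dst, ESP_PROTO, len(body) + ICV_LEN) + body + icv

def esp_verify(packet, auth_key):
    """Receiver side: check the ICV, then return (next_header, protected bytes), or None on failure."""
    esp = packet[(packet[0] & 0x0F) * 4:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]):
        return None
    pad_len, nxt = body[-2], body[-1]
    return nxt, body[8:len(body) - 2 - pad_len]

# Constructed sample: a TCP SYN from host 10.1.0.5 to host 10.2.0.7, carried between two gateways
HOST_A, HOST_B = ipaddress.IPv4Address("10.1.0.5").packed, ipaddress.IPv4Address("10.2.0.7").packed
GW_A, GW_B = ipaddress.IPv4Address("203.0.113.1").packed, ipaddress.IPv4Address("198.51.100.1").packed
TCP_SEGMENT = bytes.fromhex("04d2005000000001000000005002ffff00000000") + b"hello"
ORIGINAL = ipv4_header(HOST_A, HOST_B, 6, len(TCP_SEGMENT)) + TCP_SEGMENT
KEY = b"constructed-32-byte-demo-key-001"          # a real SA gets this key from IKE phase 2
```

`esp_encapsulate(ORIGINAL, 0x1001, 1, KEY, "transport")` keeps the host addresses in the outer header with next-header 6 (TCP), while the tunnel-mode call with `GW_A, GW_B` yields an outer header addressed between the gateways whose ESP payload is the complete original packet.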