Virtual Private Network Technology Introduction

Virtual Private Network (VPN) is defined as a temporary and secure connection established through a public Network (usually the Internet, is a secure and stable tunnel through the public network. Virtual Private Network is an extension of the enterprise intranet. It can help remote users, company branches, business partners and suppliers to establish trusted and secure connections with the company's intranet and ensure secure data transmission. The IETF organization interprets the IP-based VPN as a dedicated tunnel encryption technology to simulate a point-to-point leased line technology on the public data network. The so-called virtual means that users no longer need to own the actual long-distance data line, but use the Internet Public Data Network's long-distance data line. The so-called private network refers to a network that users can create for themselves to best meet their needs. Early private networks generally refer to the networks of Frame Relay, ATM, and other virtual fixed line (PVC) Services provided by telecom carriers, or build users' own private networks through the carrier's DDN leased line network. The current VPN is a temporary security dedicated virtual network established on the Internet. You can save the cost of renting a leased line. In addition to purchasing VPN devices or VPN software products, the enterprise pays only a certain amount of Internet access fees to the ISP in the region where the enterprise is located, and saves the long-distance telephone fee for customer contact in different regions. This is why VPN is cheaper. According to the OSI model, different VPN technologies can be implemented at different OSI protocol layers. Table below: VPN in OSI hierarchical VPN implementation technology application Layer ssl vpn Session Layer Socks5 VPN Network Layer IPSec VPN data link Layer PPTP and L2TP Application Layer VPNSSL Protocol: Secure Socket Layer (SSL) it is a high-level security mechanism and is widely used in Web browser programs and Web server programs. It provides peer-to-peer authentication and application data encryption. In SSL, identity authentication is based on certificates. Server-to-client authentication is required. In SSL version 3, client-to-server authentication is only optional, but is not widely used. An SSL session contains a handshake phase in which both parties exchange certificates, generate session keys, and negotiate the encryption algorithms used for future communication. After the handshake is completed, the application can transmit data securely for B/S applications without making significant changes, in addition to calling SSL APIs rather than traditional socket APIs during data transmission, the solution for C/S architecture applications is the same as that for the session layer VPN. SSL is an end-to-end Protocol and is implemented on the machine at the communication path endpoint (usually on the client and server ), it does not need to be implemented on intermediate nodes (such as routers or firewalls) of the communication path. Although theoretically SSL can be used to protect TCP/IP communication, in fact, SSL applications are almost limited to HTTP. In SSL communication, the server uses port 443, and the customer's port is optional. Session layer VPN Socks4 Protocol: Socks is in the Session Layer of the OSI model. In the Socks protocol, the client program initiates a connection through the firewall through port 1080 of the Socks client to establish a VPN tunnel to the Socks Server, then the proxy application client communicates with the application server. In this framework, the protocol can pass through the firewall securely and transparently, and the client program is invisible to the target host, thus hiding the target host. The key technology of SOCKS is to Socks client applications, add support for Socks protocol, and then parse Socks results on the server side. The Socks4 Protocol provides a non-authenticated firewall for client/server programs based on the TCP protocol (excluding UDP), such as TELNET, FTP, HTTP, WAIS, And GOPHER, a VPN tunnel without encrypted authentication is established. Socks5 Protocol: The Socks5 Protocol extends Socks4 to support IPv4, domain name resolution, and IPv6. To implement this Socks protocol, you usually need to re-compile or re-link the TCP-based client application to use the corresponding encryption functions in the Socks library, it also supports data transmission integrity and data packet compression. Network-layer VPN technology IPSec protocol: IPSec is also one of the standards supported by IETF. It differs from the first two in that it is Layer 3, that is, the encryption of the IP layer. IPSec is not a special encryption algorithm or authentication algorithm, nor does it specify a Special encryption algorithm or authentication algorithm in its data structure. It is just an open structure, it is defined in the IP packet format. Different encryption algorithms can be implemented during network data transmission using the architecture defined by IPSec. The IPSec protocol can be set to run in two modes: tunnel mode and transport mode. In tunneling mode, IPSec encapsulates IPv4 packets in Secure IP frames. The transmission mode is used to protect end-to-end security, that is, routing information is not hidden in this mode. The tunnel mode is the safest, but it brings about a large amount of system overhead. Link layer VPN technology PTP Protocol: PPTP (Point-to-point tunnel Protocol) is a point-to-point secure tunnel protocol developed by the PPTP forum. It provides secure VPN services for users who use telephone Internet access and became the IETF draft in 1996. PPTP is an extension of the PPP protocol. It provides a multi-protocol secure VPN communication method on the IP network. remote users can access the private network of an enterprise through any ISP that supports PPTP. PPTP provides secure communication between PPTP clients and PPTP servers. The PPTP client is the PC machine that runs the protocol, and the PPTP server is the server that runs the protocol. Through PPTP, the customer can access the public IP network by dialing. The dial-up customer first dials to the ISP's access server in the conventional way and establishes a PPP connection. On this basis, the customer performs a secondary dial to establish a connection to the PPTP server, which is called the PPTP tunnel. The PPTP tunnel is essentially another PPP connection based on the IP protocol. The IP packet can encapsulate Multiple protocol data, including TCP/IP, IPX, and NetBEUI. For customers directly connected to the IP network, they do not need the first PPP dial-up connection. They can directly establish a virtual path with the PPTP server. The biggest advantage of PPTP is Microsoft's support. Another advantage is its support of traffic control, which ensures no congestion between the client and the server and improves communication performance, minimize packet loss and resend. PPTP gives the customer the initiative to establish a tunnel, but the customer needs to configure PPTP on its PC. This will increase the user's workload and cause network security risks. In addition, PPTP only works on IP addresses and does not have the function of verifying the tunnel endpoint. It depends on user verification. L2F/L2TP protocol: The L2F (Layer 2 Forwarding) protocol is proposed by Cisco to establish a multi-protocol secure VPN communication mode on a variety of media (such as ATM, FR, IP. It encapsulates the link layer protocols (such as HDLC, PPP, and ASYNC) for transmission. Therefore, the link layer of the network is completely independent of the user's link layer protocols. The Protocol was submitted to the IETF on April 9, 1998 and became RFC2341. L2F remote users can access public IP networks through any dialing method. First, set up a PPP connection by dialing to the ISP's Access Server (NAS) in the conventional way. NAS initiates a second connection based on the user name and other information to call the user's network server. In this way, tunnel Configuration and establishment are completely transparent to users. L2F allows the dialing server to send PPP frames and connect to the L2F server over the WAN. The L2F server encapsulates the packages and connects them to the enterprise's own network. Unlike PPTP, L2F does not define customers. The main drawback of L2F is that it does not include the standard encryption method, so it has basically become an outdated tunnel protocol. VPN (Virtual Private Network) is defined as a temporary and secure connection established through a public Network (usually the Internet, is a secure and stable tunnel through the public network. Virtual Private Network is an extension of the enterprise intranet. It can help remote users, company branches, business partners and suppliers to establish trusted and secure connections with the company's intranet and ensure secure data transmission. A Virtual Private Network is an extension of a private network. It contains Internet-like shared or public network connections. Through VPN, data can be sent between two computers through a shared or public network through a simulated point-to-point dedicated link. What is the VPN named "Virtual Private Network? For example, for a flight from Beijing to Guangzhou, a VPN is like a temporary dedicated flight provided by the airport on many trunk flights for VIP access to Guangzhou. In addition, the existence of VPN does not affect the transmission of other information as usual, and can ensure the confidentiality, integrity and availability of internal information during public channel upload and transmission like the traditional private network. If it is more common, VPN is actually a "line in the line", type on the city Avenue "bus line", the difference is, A "line" composed of VPN does not exist physically, but is simulated by technical means, that is, "virtual. However, this virtual private network technology can establish a logical private "channel" for two computers on a public line, which is well confidential and not confidential, this allows both parties to establish a free and secure point-to-point connection. Therefore, it is widely concerned by network administrators. The Public Information Network is a public basic network open to the whole society. It features a wide coverage, fast speed, low cost, and convenient use. VPN technology is to use the public information network for transmission, just as in the vast Wan for users to pull a leased line. For users, the public network has achieved the "virtual private" effect. Through VPN, the network is dedicated to each user. That is to say, based on the user's identity and permissions, VPN directly accesses the user's information. Therefore, VPN is "dedicated" for each user, which should be the most significant change that VPN brings to users.