VPN explanation: SSL Basics

Source: Internet
Author: User
Tags: ssl connection
Most current remote access solutions use a VPN based on the IPSec security protocol. A new study shows that almost 90% of enterprises use their VPN for intranet and external network connections only for Internet access and email communication; in addition, 10% of users run non-Internet applications such as X11, chat protocols, and other private client applications. That 90% of applications can be served by a simpler VPN technology, SSL VPN, which provides a more effective solution. A remote access solution based on the SSL protocol is easier to configure and manage, and its network configuration cost is much lower than that of the currently mainstream IPSec VPN, so many enterprises have begun to use remote access technology based on the SSL encryption protocol to implement VPN communication.
  
   I. SSL Basics
  
VPN technology extends an enterprise's internal network so that employees and partners working outside the company can reach it over the standard, public Internet. Compared with a traditional leased-line solution, the cost is greatly reduced: a leased line requires a physically closed network connection between the partner or remote employee and the company's headquarters, or else a remote dial-up access scheme or a digital leased-line connection such as T1. VPN is a very practical technology that lets customers (including employees) and partners use the standard Internet for cheap connections, and it allows the use of IPSec security protocol solutions. In fact, VPN technology covers many encryption and security protocols; SSL is one of them, and IPSec is also one of the mainstream VPN applications. In general, IPSec VPN and SSL VPN are two equal solutions for VPN communication under two different security protocols. Therefore, the key to understanding SSL VPN is to understand the SSL security protocol.
  
The full name of SSL is "Secure Sockets Layer" (the Chinese name translates as "Secure Sockets Layer protocol layer"). It is a Web application oriented security protocol proposed by Netscape. The SSL protocol specifies a data security layer between the application protocols (such as HTTP, Telnet, NNTP, and FTP) and TCP/IP; it provides data encryption, server authentication, message integrity, and optional client authentication for TCP/IP connections.
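The four services just listed map directly onto a handful of settings in any SSL/TLS library. The added example below (it is not part of the original article) uses Python's standard `ssl` module to build a client context that actually authenticates the server, the weak variant that keeps the encryption but discards server authentication, and a server context that shows the "optional client authentication" knob; the TLS 1.2 floor is an added hardening choice of this example, not something the article prescribes. No certificates are loaded, so the contexts are inspected rather than used for a live connection.

```python
import ssl


def secure_client_context() -> ssl.SSLContext:
    """Client-side context that authenticates the server.

    create_default_context() already turns on certificate verification and
    hostname checking; the TLS 1.2 floor is this example's own addition.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The common 'make the certificate error go away' anti-pattern.

    The channel is still encrypted, but with no server authentication any
    party that can intercept the TCP connection may present its own key and
    read the data.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Server-side context exposing the 'optional client authentication' choice.

    A real deployment would also call ctx.load_cert_chain(certfile, keyfile)
    for the server's own certificate and ctx.load_verify_locations() for the
    CA that issues client certificates; both are omitted so this runs offline.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Reduce a context to the settings that decide whether the peer is authenticated."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def audit_client(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses a reviewer would flag in a client-side context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("secure client:", describe(secure_client_context()), audit_client(secure_client_context()))
    print("weak client:  ", describe(weak_client_context()), audit_client(weak_client_context()))
    print("server (mTLS):", describe(server_context(True)))
```

`audit_client` is the check worth keeping: run it against any context an application builds, and an empty findings list means the "server authentication" service the article lists is actually in force rather than silently disabled.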
  
For e-commerce applications, SSL can ensure the authenticity, integrity and confidentiality of information. However, because SSL does not digitally sign messages at the application layer, it cannot provide non-repudiation of transactions, which is its biggest disadvantage in e-commerce. In view of this, Netscape introduced a function called Form Signing in all browsers starting with Communicator 4.04. In e-commerce, this function can digitally sign the form containing the buyer's order information and payment instruction, ensuring the non-repudiation of the transaction information. To sum up, the SSL protocol alone is not enough to ensure transaction security in e-commerce, but the "SSL + form signature" mode can provide better security. As an application layer protocol, SSL (Secure Sockets Layer) usually uses a public key system and X.509 digital certificate technology to protect the confidentiality and integrity of information transmission; it cannot guarantee the non-repudiation of information and is mainly applicable to point-to-point information transmission. It is commonly used in Web server mode.
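The distinction the paragraph draws between channel security and non-repudiation is easy to see in code. The added example below (not from the original article) contrasts a transport-style MAC, which both endpoints can compute and therefore proves nothing to a third party, with a signature over the order form that only the buyer's private key can produce. So that it runs with the standard library alone, the signature is a Lamport one-time signature built from SHA-256; a real form-signing deployment would use a certificate-backed RSA or ECDSA key instead. The order form and the session key are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

HASH_BITS = 256


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(form: dict) -> bytes:
    """Serialize the form deterministically so signer and verifier hash identical bytes."""
    return json.dumps(form, sort_keys=True, separators=(",", ":")).encode()


# --- channel protection: a MAC under a key both endpoints know ---------------

def transport_mac(shared_key: bytes, data: bytes) -> bytes:
    return hmac.new(shared_key, data, hashlib.sha256).digest()


def mac_verify(shared_key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(transport_mac(shared_key, data), tag)


# --- application-layer signature: Lamport one-time signature over SHA-256 ----
# Sound for ONE message per key pair; stand-in for the RSA/ECDSA signature a
# real form-signing feature would use.

def lamport_keygen():
    """Private key: 256 pairs of random preimages. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _bits(data: bytes) -> list:
    digest = int.from_bytes(_h(data), "big")
    return [(digest >> (HASH_BITS - 1 - i)) & 1 for i in range(HASH_BITS)]


def lamport_sign(sk, data: bytes) -> list:
    """For each digest bit, reveal the preimage that bit selects. Never reuse sk."""
    return [sk[i][b] for i, b in enumerate(_bits(data))]


def lamport_verify(pk, data: bytes, sig: list) -> bool:
    """Anyone holding only pk can check the signature; nobody but the signer can make one."""
    if len(sig) != HASH_BITS:
        return False
    return all(hmac.compare_digest(_h(s), pk[i][b])
               for i, (s, b) in enumerate(zip(sig, _bits(data))))


def demo() -> dict:
    """Buyer submits an order; show what each mechanism can and cannot prove."""
    order = {"item": "SKU-0042", "qty": 2, "amount": "19.99", "currency": "EUR"}  # constructed
    altered = dict(order, amount="199.99")

    # Channel protection: buyer and merchant share the session key, so the
    # merchant can mint a valid tag for a different order. A tag therefore
    # cannot prove to an arbiter which side produced the order.
    session_key = secrets.token_bytes(32)  # constructed
    tag = transport_mac(session_key, canonical(order))
    forged_tag = transport_mac(session_key, canonical(altered))

    # Form signing: only the buyer holds sk; merchant and arbiter hold pk.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, canonical(order))

    return {
        "mac_valid": mac_verify(session_key, canonical(order), tag),
        "merchant_can_forge_mac": mac_verify(session_key, canonical(altered), forged_tag),
        "signature_valid": lamport_verify(pk, canonical(order), sig),
        "signature_valid_on_altered_order": lamport_verify(pk, canonical(altered), sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The canonical serialization step matters as much as the signature itself: if buyer and merchant serialize the same form differently, a legitimate signature fails to verify, and a dispute over an order becomes a dispute over whitespace.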
  
Like the IPSec security protocol, SSL also provides encryption and authentication. In any case, however, the SSL protocol encrypts only the application channel between the two parties, not the entire channel from one host to another. Because the vast majority of customer applications do not need the entire channel from one system to another encrypted, encrypting only the application data is more appropriate.
  
Both "encryption" and "security" protocols are transmission protocols used to ensure the safe transfer of important data. Encryption is the core technology of any security protocol. It has three advantages over plaintext or unencrypted data:
  
· Data privacy: data is kept hidden during transmission and cannot be viewed illegally;
· Data authenticity and integrity: the technologies behind digital encryption and security protocols ensure that data is not modified or damaged during transmission;
· Connection reliability: another mathematical feature of data encryption is that it can prove that an event occurred.

In communication using the SSL protocol, each application is a secure and independent body, unlike the IPSec protocol, whose operation is decoupled from the application. To use the SSL protocol for VPN communication, the remote communication application must be SSL-aware. Common applications generally are, for example the IE and Netscape browsers and the Outlook and Eudora mail applications.
  
Currently, SSL VPN is mainly used for applications that communicate with remote networks over a VPN. It is mainly Web-based; these web applications are currently used mainly for browsing internal web pages, email, and other web-based queries.
  
In SSL VPN communication, SSL Proxy technology is usually used to improve the communication performance of the VPN server and its security verification capability. The main aspects are as follows:
  
(1) Increasing the performance of communication connections
  
SSL itself is a very fast protocol, but like all encryption protocols it must perform CPU-intensive mathematical operations before secure communication is established. One of these algorithms is RSA, which the SSL protocol uses to transmit keys between the client and server. Many Web servers for modem dial-up access receive about 75 new SSL connections per second, and for each new connection the RSA operation must complete its decryption and verification. If the system accepts more than 75 requests per second, CPU usage exceeds the acceptable limit and the system stops responding to new network connection requests.
  
To increase the number of connections a server can accept, the SSL Proxy can adopt SSL accelerator technology. An SSL accelerator is like a coprocessor on a 486SX/DX PC: it takes over computing tasks from the server CPU. After acceleration, a server that could only accept 75 SSL connections per second can accept more than 800 connections per second.
  
You may wonder why you still need an SSL Proxy if your server already has an SSL accelerator. The answer is simple: it is a matter of saving money. A large or medium-sized enterprise or network service provider usually has multiple access servers. Without SSL Proxy technology, every server needs its own SSL accelerator, and you must invest a lot of money to equip each one. The advantage of the SSL Proxy is that multiple servers can share one SSL accelerator.
  
Going from a security proxy to a network proxy: for example, you can now accept 800 SSL connections per second to your resources while maintaining only a single SSL Proxy connection to the backend server. Note that the security proxy reduces the number of SSL connections opened on the backend server even when the number of connections per second reaches 800. The advantage is that your server's SSL connections will never exceed its load.
  
(2) Built-in Authentication
  
Another advantage of commercial SSL is its built-in authentication. SSL authentication includes password-based authentication on the server and on the client. In any case, all of this security rests on the assumption that the client's private key and password are kept secure. If this key is compromised or lost, you can no longer claim the customer's trust, and you must apply to the SSL top-level authority for a new credential so that your users or customers can recognize your identity. In any case, the SSL Proxy can provide strong authentication before the customer connects to the backend network resources, and it can perform stronger authentication than the backend resources themselves support. Many Web servers do not support authentication methods stronger than SSL.
