1. Requirements
As enterprises grow and open branches and offices across a province or the whole country, informatization becomes a powerful competitive tool: ERP and OA (office automation) systems are essential for a smooth flow of information about people, finance and goods. Leasing dedicated lines from China Telecom for this is very expensive and places a heavy burden on the enterprise. VPN interconnection is an economical alternative that offers high security and no geographical restrictions, which makes it well suited to enterprise ERP interconnection and mobile office needs.
A VPN uses tunneling to transmit data securely. Tunneling carries data between networks over the infrastructure of an intermediate network (typically the Internet). The data carried by a tunnel (the payload) can be frames or packets of a different protocol: the tunneling protocol re-encapsulates them in a new header, and that header supplies the routing information needed to forward the encapsulated payload across the intermediate network.
The encapsulated packets are routed across the public network between the two tunnel endpoints; the logical path they follow is called the tunnel. When they reach the far endpoint they are decapsulated and forwarded to their final destination. Note that tunneling refers to the whole process: encapsulation, transmission, and decapsulation.
SSL VPN
SSL (Secure Sockets Layer) is a security protocol designed by Netscape for Web applications. It sits between application protocols such as HTTP, Telnet and FTP and the TCP/IP stack, and provides encryption, server authentication and optional client authentication for a TCP connection. It consists of four sub-protocols: the record protocol, the handshake protocol, the change cipher spec protocol and the alert protocol, which together give application connections authentication, encryption and tamper detection. (SSL 2.0 and 3.0 have since been deprecated; today's "SSL VPN" products actually run TLS, the successor protocol, but the architecture described here is the same.)

The handshake protocol authenticates the server to the client (and optionally the client to the server) and negotiates the cipher and MAC (Message Authentication Code) algorithms; from the negotiated secret it derives the encryption and MAC keys that the record protocol uses.

The record protocol provides the basic security service to all higher-level protocols. Its operation is: the application message is divided into manageable fragments, each fragment is optionally compressed, a MAC is computed over it, the fragment and MAC are encrypted, a record header is prepended, and the record is sent over TCP. The receiver decrypts each record, verifies the MAC, decompresses, reassembles the fragments and hands the data to the application.

The change cipher spec protocol consists of a single message; it copies the pending state (the algorithms and keys just negotiated) into the current state so that subsequent records are protected with the new key set. The alert protocol sends SSL-related alerts to the peer; each alert carries a level, warning or fatal, and a fatal alert terminates the connection.
SSL uses public key cryptography and X.509 digital certificates to protect the confidentiality and integrity of transmitted data. Its security functions have three parts: authentication (of the server, or of both server and client), encryption (so that only the parties holding the session keys can read the exchange) and integrity checking (so that tampering with the content is detected). The key step in securing the session is authenticating the communicating parties, which the handshake protocol performs. Figure 2 describes the message flow of the SSL handshake protocol.
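The record-protocol pipeline described above (fragment, MAC, encrypt, frame, and the reverse on receipt) can be seen in working code. The following is an added illustration, not code from the article or from any SSL implementation: it uses a toy stream cipher built from HMAC-SHA256 in counter mode and an assumed three-byte record header so that it runs with the Python standard library alone, and the keys are constructed constants standing in for the keys the handshake would derive. What it does show faithfully is how the per-direction sequence number, record type and length are bound into the MAC, so that a modified or reordered record is rejected before any plaintext reaches the application.

```python
import hashlib
import hmac
import struct

# Added illustration of the SSL record-layer pipeline (fragment -> MAC ->
# encrypt -> header, and the reverse on receipt).  NOT SSL's real record
# format or cipher suite: the "cipher" is a keystream generated from
# HMAC-SHA256 in counter mode.  Assumed layout of one record:
#   type (1 byte) | length (2 bytes) | encrypted( fragment || MAC )

MAX_FRAGMENT = 16       # deliberately tiny so a short message spans several records
MAC_LEN = 32            # HMAC-SHA256 output length
APPLICATION_DATA = 23   # record type value SSL/TLS uses for application data


def _keystream(key, seq, length):
    """Toy stream cipher: concatenated HMAC(key, seq || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class RecordLayer:
    """One direction of a connection: MAC key, encryption key and sequence number."""

    def __init__(self, mac_key, enc_key):
        self.mac_key = mac_key
        self.enc_key = enc_key
        self.seq = 0   # per-direction record counter, bound into the MAC against replay/reorder

    def _mac(self, frag):
        header = struct.pack(">QBH", self.seq, APPLICATION_DATA, len(frag))
        return hmac.new(self.mac_key, header + frag, hashlib.sha256).digest()

    def seal(self, data):
        """Split, MAC, encrypt and frame: returns the list of wire records."""
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):
            frag = data[i:i + MAX_FRAGMENT]
            body = _xor(frag + self._mac(frag), _keystream(self.enc_key, self.seq, len(frag) + MAC_LEN))
            records.append(struct.pack(">BH", APPLICATION_DATA, len(body)) + body)
            self.seq += 1
        return records

    def open(self, records):
        """Reverse of seal(): decrypt, verify the MAC, strip framing, reassemble."""
        out = b""
        for rec in records:
            if len(rec) < 3:
                raise ValueError("malformed record")
            rtype, length = struct.unpack(">BH", rec[:3])
            body = rec[3:3 + length]
            if rtype != APPLICATION_DATA or len(body) != length or length < MAC_LEN:
                raise ValueError("malformed record")
            plain = _xor(body, _keystream(self.enc_key, self.seq, length))
            frag, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
            # Constant-time compare; a mismatch is what SSL reports as a fatal bad_record_mac alert.
            if not hmac.compare_digest(mac, self._mac(frag)):
                raise ValueError("bad_record_mac at seq %d" % self.seq)
            out += frag
            self.seq += 1
        return out


def roundtrip(message, tamper=False, reorder=False):
    """Seal with the sender's write state and open with the receiver's read state.
    Returns (record count, recovered plaintext or None, accepted)."""
    mac_key, enc_key = b"K" * 32, b"E" * 32   # constructed keys; real ones come from the handshake
    sender, receiver = RecordLayer(mac_key, enc_key), RecordLayer(mac_key, enc_key)
    records = sender.seal(message)
    if tamper and records:
        r = bytearray(records[0])
        r[3] ^= 0x01          # flip one ciphertext bit in the first fragment
        records[0] = bytes(r)
    if reorder and len(records) > 1:
        records[0], records[1] = records[1], records[0]
    try:
        return len(records), receiver.open(records), True
    except ValueError:
        return len(records), None, False


if __name__ == "__main__":
    msg = b"GET /oa/approve?doc=42 HTTP/1.1\r\n"
    print("clean   :", roundtrip(msg))
    print("tampered:", roundtrip(msg, tamper=True))
    print("reordered:", roundtrip(msg, reorder=True))
```

SSL 3.0 and TLS 1.0 to 1.2 use this MAC-then-encrypt layout; TLS 1.3 replaced it with AEAD ciphers, which combine the two steps, but the sequence number is still bound into every record.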
Technical features of SSL VPN
IPsec VPN and SSL VPN are two different VPN architectures. IPsec works at the network layer: it protects all traffic at the IP layer and is transparent to applications. SSL VPN works between the application layer (typically HTTP) and TCP. Both can provide secure remote access, but IPsec was designed to connect networks and protect the traffic between them, so it is best suited to securing communication between sites. The following technical features make SSL VPN the better fit for remote access by scattered mobile users.
(1) Simple client support and maintenance
For most remote access over SSL, no software needs to be installed on the remote client device: a standard Web browser with Internet access is enough to reach internal resources through web pages. IPsec VPN, by contrast, requires specific client software on the remote user's device to establish the security tunnel. (One caveat: SSL VPNs that tunnel non-Web applications usually still need a browser plug-in or a lightweight client.)
(2) Enhanced remote secure access
IPsec VPN gives direct (non-proxied) access by creating a secure tunnel between two sites, so the whole network is transparently reachable. Once the tunnel is up, the user's terminal is logically a host on the enterprise LAN, which brings many security risks, especially when access rights are broader than needed. SSL VPN instead provides secured, proxied connections. It is usually implemented by placing an SSL proxy server behind the enterprise firewall: when the user enters a URL in the browser, the SSL proxy terminates the connection, authenticates the user, and only then maps the connection to the appropriate application server.
(3) More fine-grained access control
SSL VPN can split the encrypted tunnel so that end users reach the Internet and intranet resources at the same time. More importantly, it applies access control at the user level: it authenticates each user and, following the security policy, lets only authorized users reach specific internal resources, down to individual applications and URLs. IPsec remote-access policies are expressed in terms of networks, addresses and ports, so this application-level precision is very hard to obtain with IPsec VPN.
(4) Ability to traverse NAT and firewall Devices
SSL VPN runs over TCP (normally port 443), so it passes through NAT devices and firewalls like any other HTTPS traffic, and users can reach the company network from almost anywhere. IPsec works at the network layer: ESP and AH carry no port numbers, so ordinary NAT cannot translate them, and firewalls must be opened for IP protocols 50 and 51 and UDP port 500. NAT traversal (NAT-T, which encapsulates ESP in UDP port 4500) solves the NAT problem, but both ends must support it. IPsec also cannot resolve address conflicts when the remote client's local subnet overlaps the enterprise subnet.
(5) Better defence against external attacks and viruses
SSL is a security protocol, and the data is encrypted for the whole transmission. In addition, because the SSL gateway isolates the intranet servers from the client and exposes only a Web interface, malware on the client gets no network-level access to the intranet servers (it can still act through the Web application with the user's rights, so the gateway reduces the attack surface rather than removing it). Traditional IPsec VPN grants IP-level access: once the tunnel is up, the user's terminal is logically inside the enterprise LAN, every application system on the internal network can be probed, which gives attackers an opening and lets worms that spread across a LAN spread through the VPN as well.
(6) Flexible and convenient network deployment
IPsec VPN is generally deployed at the network gateway, so the network topology has to be taken into account and adding devices may mean changing the network structure. SSL VPN is different: once the SSL gateway is deployed behind the firewall, servers that need VPN protection can be added behind it at any time, without affecting the existing network structure.
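The proxied access model in (2) and the user-level access control in (3) can be shown together in code. The following is an added example, not code from the article or from any VPN product: the routing decision an SSL gateway makes after it has terminated TLS and authenticated the user. All users, roles, internal host names and published paths are constructed for the illustration. The gateway maps the requested path to an internal application server only when the user's role explicitly permits that path and HTTP method, canonicalises the path first so that `..` segments cannot cross from one published application into another, and denies everything not listed.

```python
import fnmatch
import posixpath

# Added example (not from the article or any product): request routing and
# per-user authorisation as performed by an SSL VPN proxy after it has
# terminated TLS and authenticated the user.  All hosts, users, roles and
# paths below are constructed for illustration.

# Published path prefix -> internal application server the proxy forwards to.
APPLICATIONS = {
    "/oa/":   "http://oa.internal.example:8080",
    "/erp/":  "http://erp.internal.example:8000",
    "/mail/": "https://owa.internal.example",
}

# Role -> (application prefix, allowed path pattern, allowed HTTP methods).
# Anything not listed here is refused: the policy is deny-by-default.
POLICY = {
    "manager": [
        ("/oa/",   "/oa/*",        {"GET", "POST"}),
        ("/mail/", "/mail/*",      {"GET", "POST"}),
    ],
    "sales": [
        ("/oa/",   "/oa/approve*", {"GET"}),           # may view, but not submit, approvals
        ("/erp/",  "/erp/orders*", {"GET", "POST"}),
    ],
}

# Users the gateway has already authenticated (certificate, password or OTP) -> role.
USERS = {"alice": "manager", "bob": "sales"}


class Denied(Exception):
    """Raised when a request is refused; the proxy would answer 401 or 403."""


def route(user, method, raw_path):
    """Return (backend, canonical path) for a permitted request, else raise Denied."""
    if user not in USERS:
        raise Denied("unauthenticated")
    # Canonicalise before matching, so '/erp/orders/../../oa/admin' is judged
    # as '/oa/admin' instead of slipping past the '/erp/orders*' rule.
    path = posixpath.normpath("/" + raw_path.lstrip("/"))
    role = USERS[user]
    for app, pattern, methods in POLICY.get(role, []):
        if path.startswith(app) and fnmatch.fnmatchcase(path, pattern) and method in methods:
            return APPLICATIONS[app], path
    raise Denied("%s (%s) may not %s %s" % (user, role, method, path))


def is_denied(user, method, raw_path):
    """True when route() refuses the request."""
    try:
        route(user, method, raw_path)
    except Denied:
        return True
    return False


if __name__ == "__main__":
    for user, method, p in [("bob", "GET", "/oa/approve/42"),
                            ("bob", "POST", "/oa/approve/42"),
                            ("bob", "GET", "/erp/orders/../../oa/admin"),
                            ("alice", "GET", "/erp/orders"),
                            ("mallory", "GET", "/oa/")]:
        try:
            print(user, method, p, "->", route(user, method, p))
        except Denied as e:
            print(user, method, p, "-> DENIED:", e)
```

An IPsec policy can express the same intent only as "this client address may reach this server address and port"; the user identity, URL and method that the gateway checks here are not visible at the IP layer, which is the point made in (3).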
2. OA and mobile office systems
The OA (office automation) system is an important part of enterprise informatization, developed for the company's daily office affairs. It carries the flow of information inside the company: drafting, circulating, approving and archiving documents, and the other steps of daily operation. This document flow goes together with the company's cash flow and logistics, so the OA system plays an ever larger role in the overall operating efficiency of the enterprise. Most current OA systems are built on the Microsoft Exchange or IBM Lotus mail platforms, use collaboration suites and similar tools to implement the drafting, approval, transfer, announcement and archiving of documents, and are structured as C/S or B/S applications over a back-end database. An OA system is process-driven: a document must be approved at each step before it passes to the next. If company or department leaders are on a business trip or otherwise out of the office, the workflow stalls and daily operations are affected. Group companies and their subsidiaries also need to exchange policy documents and other information promptly. The present situation therefore falls well short of modern office needs, and the OA system cannot deliver its efficiency advantage.
The OA system therefore needs modern network and communication technology to carry its information flow in real time. For remote interconnection of OA systems, IROUTER offers the MH-700 integrated IPsec + SSL VPN security gateway, which supports both LAN-to-LAN connections between branches and headquarters and PC-to-LAN remote access for travelling staff. LAN-to-LAN connects branch offices to the headquarters OA system: the company's internal documents are transmitted securely over the VPN, and other services between branch and headquarters, such as VoIP and video conferencing, can run over it as well. PC-to-LAN addresses mobile office: travelling managers or sales staff dial into the headquarters network over SSL VPN, establish a secure tunnel, log in to the OA system and, within their configured permissions, approve and record documents remotely. This removes the delays in document approval that leaders' business trips used to cause and greatly improves efficiency. Because SSL VPN uses a Web browser and needs no dedicated client, it also greatly reduces maintenance work and simplifies administration for network managers.