As we all know, because a VPN (Virtual Private Network) transmits private information, VPN users are concerned about data security. Currently, VPNs use four technologies to ensure security: tunneling, encryption and decryption, key management, and user and device authentication.
1. Tunneling Technology:
Tunneling is the basic VPN technology and is similar to point-to-point connection technology: it establishes a data channel (tunnel) across the public network and transmits data packets through that tunnel. A tunnel is formed by a tunnel protocol, and tunnel protocols are divided into layer-2 and layer-3 protocols. A layer-2 tunnel protocol first encapsulates the various network protocols in PPP, then loads the entire PPP frame into the tunnel protocol; packets formed by this double encapsulation are transmitted by a layer-2 protocol. Layer-2 tunnel protocols include L2F, PPTP, and L2TP. L2TP is the current IETF standard, formed by the IETF's merging of PPTP and L2F.
A layer-3 tunnel protocol loads the various network protocols directly into the tunnel protocol, and the resulting packets are transmitted by a layer-3 protocol. Layer-3 tunneling protocols include VTP and IPSec. IPSec (IP Security) is defined by a group of RFC documents. It defines a framework for selecting security protocols and security algorithms and for determining which keys the services use, so as to provide security at the IP layer.
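The following is an added example, not code from the original article, showing the layer-3 encapsulation step in its simplest form: a complete inner IP packet between two private hosts is wrapped in an outer IP header addressed from one tunnel gateway to the other (plain IP-in-IP, RFC 2003, stands in for the encapsulation that IPSec performs before adding its own encryption and authentication). The inner packet, gateway addresses and UDP payload are constructed for the demonstration.

```python
import struct

IPPROTO_IPIP = 4  # "IP in IP" encapsulation, RFC 2003


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 when the checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                      0x4000, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Layer-3 tunnelling: prepend an outer header addressed gateway to gateway."""
    return ipv4_header(gw_src, gw_dst, IPPROTO_IPIP, len(inner)) + inner


def decapsulate(outer: bytes) -> bytes:
    """Check the outer header at the far gateway and return the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or ihl < 20 or len(outer) < ihl:
        raise ValueError("malformed outer header")
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer checksum")
    total_len = struct.unpack("!H", outer[2:4])[0]
    if outer[9] != IPPROTO_IPIP or total_len > len(outer):
        raise ValueError("not an intact IP-in-IP packet")
    return outer[ihl:total_len]


def is_intact(outer: bytes) -> bool:
    try:
        decapsulate(outer)
        return True
    except ValueError:
        return False


# Constructed sample: inner packet between private hosts, carried between tunnel
# gateways with RFC 5737 documentation addresses; the 8-byte UDP payload is a placeholder.
INNER = ipv4_header("192.168.1.10", "10.20.0.5", 17, 8) + b"\x00\x35\x00\x35\x00\x08\x00\x00"
TUNNELED = encapsulate(INNER, "203.0.113.1", "198.51.100.2")
```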
2. Encryption and Decryption Technology:
Encryption and decryption is a mature technology in data communication, and a VPN can use the existing technology directly.
3. Key Management Technology:
The main task of key management technology is to transmit keys securely over the public data network without their being stolen. Current key management technology is divided into SKIP and ISAKMP/OAKLEY. SKIP uses the Diffie-Hellman algorithm to transmit keys over the network. In ISAKMP, each party holds two keys, one public and one private.
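As an added example (not from the original article), the Diffie-Hellman agreement used by SKIP and the OAKLEY part of ISAKMP, carried out on a standardized group and with the two checks a practitioner wants: each side validates the peer's public value before using it, and the exchanged values are authenticated with a pre-shared key, since Diffie-Hellman on its own does not tell you who you agreed the key with. The pre-shared key, the SHA-256 key derivation and the Party class are assumptions of this example, not part of either protocol.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 ("Oakley group 2"). Modern deployments
# should use the larger RFC 3526 / RFC 7919 groups; this one keeps the block short.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates the subgroup of order Q


def valid_public_value(y: int) -> bool:
    """Reject out-of-range and small-subgroup values before using them."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


class Party:
    def __init__(self, psk: bytes):
        self.psk = psk
        self.x = secrets.randbelow(Q - 2) + 2  # private exponent, never sent
        self.y = pow(G, self.x, P)             # public value, sent in clear

    def auth_tag(self, my_y: int, peer_y: int) -> bytes:
        # MAC over both public values with the pre-shared key, so that a party
        # on the path cannot substitute a public value of its own.
        msg = my_y.to_bytes(128, "big") + peer_y.to_bytes(128, "big")
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def derive_key(self, peer_y: int, peer_tag: bytes) -> bytes:
        if not valid_public_value(peer_y):
            raise ValueError("invalid peer public value")
        if not hmac.compare_digest(peer_tag, self.auth_tag(peer_y, self.y)):
            raise ValueError("peer authentication failed")
        shared = pow(peer_y, self.x, P)
        return hashlib.sha256(shared.to_bytes(128, "big")).digest()


def run_exchange(psk_a: bytes, psk_b: bytes):
    """Run one exchange; returns (key_a, key_b), or None if authentication fails."""
    a, b = Party(psk_a), Party(psk_b)
    try:
        key_a = a.derive_key(b.y, b.auth_tag(b.y, a.y))
        key_b = b.derive_key(a.y, a.auth_tag(a.y, b.y))
    except ValueError:
        return None
    return key_a, key_b
```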
4. User and Device Identity Authentication Technology:
User and device identity authentication most commonly uses a user name and password, or card-based authentication.
Blocking Security Vulnerabilities
Security is the core issue of a VPN. At present, VPN security is implemented mainly through firewall technology, router configuration using tunneling technology, encryption protocols, and security keys, which ensure that enterprise employees can access the company's network safely.
However, if an enterprise's VPN is to be extended to remote access, note that these direct or always-on connections to the company's network will be a main target of hacker attacks. Remote employees can reach the company's budget, strategic plans, engineering projects, and other core content from personal computers outside the firewall, which constitutes a weak point in the company's security defenses. Although employees can work more efficiently and spend less time commuting, this also gives hackers, competitors, and commercial spies countless opportunities to enter the company's core network.
Nevertheless, enterprises do not pay enough attention to the security of remote work. Most companies believe that the company's network is safe once it sits behind a network firewall: employees can dial into the system, and the firewall will reject all illegitimate requests. Some network administrators believe that setting up a firewall for the network and providing employees with a VPN, so that they dial into the company network through an encrypted tunnel, is enough to be secure. These opinions are all incorrect.
Working from home is convenient, but from a security standpoint it is a great threat, because most of the security software used by a company provides no protection for home computers. Some employees simply use a home computer and go on to access the company's network through an authorized connection. The company's firewall can isolate intruders and secure the information passing between the main office and the home-office VPN, but the problem is that an attacker can reach the network through a trusted user. The encrypted tunnel is secure and the connection is correct, but this does not mean that the home computer is secure.
To intrude into an employee's home computer, a hacker first needs to discover its IP address. Statistics show that IP addresses on dial-up connections are scanned by hackers almost every day. If home-office staff use an always-on link such as DSL (which usually has a fixed IP address), intrusion becomes easier; because a dial-up connection is assigned a different IP address each time it connects, it can still be intruded on, but it is relatively harder. Once a hacker has intruded into a home computer, he can remotely run the employee's VPN client software. There must therefore be corresponding measures to close the security vulnerabilities of remote VPN access, so that the connection between employees and the network fully delivers the advantages of a VPN rather than becoming a security threat. Installing a personal firewall on the personal computer is an extremely effective measure that prevents intruders from using it to reach the company's network.
There are also some practical measures for remote staff:
* All remote staff must be authorized before they may use the VPN;
* All remote staff must have a personal firewall, which not only prevents intrusion into the computer but also records how many times the connection has been scanned;
* All remote staff should have an intrusion detection system that keeps records of hacker attack information;
* Monitor the software installed on remote systems and restrict it to work use only;
* IT personnel need to perform the same routine checks on these systems as on office systems;
* Staff working off-site should encrypt sensitive files;
* Install an access control program that requires a password to be entered; if the password entered is incorrect, an alarm is sent to the system administrator through the modem;
* When selecting a DSL provider, choose a vendor that can provide security protection.
What makes SSL VPN so popular?
IPSec VPN security is based on tunneling technology: ciphertext is transmitted inside the tunnel, and plaintext at the two ends.
SSL VPN security is based mainly on the SSL protocol, with confidential transmission built on the PKI certificate system.
SSL is very flexible and therefore popular. Today almost all browsers support SSL, and it is becoming a key protocol for enterprise applications, wireless access devices, Web services, and secure access management.
SSL for efficient authentication and encryption
The SSL protocol layer includes two sub-protocols: the SSL handshake protocol and the SSL record protocol. Together they provide authentication, encryption, and tamper-proofing for application access connections (mainly HTTP connections). SSL sits between TCP/IP and the application layer of the Internet protocol stack and is processed seamlessly there, without affecting any other protocol layer. This seamless embedding also lets SSL serve Internet-style applications such as intranet and dedicated access, secure application access, wireless applications, and Web services.
SSL enables secure data communication over the Internet: data is encrypted when it leaves the browser and decrypted when it reaches the data center; likewise, data sent back to the client is encrypted before it travels over the Internet. An SSL session has two parts: the connection and the application session. During the connection phase, the client exchanges certificates with the server and negotiates the security parameters; if the client accepts the server certificate, a master key is generated and all subsequent communication is encrypted. In the application session phase, the client and server securely exchange all kinds of information, such as card numbers, stock transaction data, personal health records, and other sensitive or confidential data.
SSL's security functions consist of three components: authentication, either of the server alone by the other end of the connection or of server and client to each other at the same time; encryption of the communication, so that only the encrypting parties can exchange information and identify each other; and an integrity check of the message content, to prevent tampering. A key step in securing the communication is authenticating the communicating parties, and the SSL handshake sub-protocol handles this: the client submits a valid certificate to the server, and the server uses a public key algorithm to check the certificate information and confirm that the end user is legitimate.
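The two sub-protocols sit in different layers of the same byte stream, which the following added example (not code from the original article) makes concrete: the record protocol frames every message with a 5-byte header (content type, version, length), and handshake messages are a further framing inside records of type 22. The parser enforces the checks a receiver should apply before trusting a record, and the sample stream, including the placeholder ClientHello payload, is constructed for the demonstration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 20: "finished"}
MAX_RECORD = 2 ** 14 + 2048  # TLS 1.2 ceiling for a protected record body


def parse_records(data: bytes):
    """Record protocol: split a byte stream into (type, version, body) records."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        if ctype not in CONTENT_TYPES or length > MAX_RECORD:
            raise ValueError(f"bad record header: type {ctype}, length {length}")
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((CONTENT_TYPES[ctype], (major, minor), body))
        offset += 5 + length
    return records


def parse_handshake(body: bytes):
    """Handshake protocol: split a handshake record body into (type, payload) messages."""
    msgs, offset = [], 0
    while offset < len(body):
        if len(body) - offset < 4:
            raise ValueError("truncated handshake header")
        htype = body[offset]
        hlen = int.from_bytes(body[offset + 1:offset + 4], "big")  # 24-bit length
        payload = body[offset + 4:offset + 4 + hlen]
        if len(payload) != hlen:
            raise ValueError("truncated handshake message")
        msgs.append((HANDSHAKE_TYPES.get(htype, f"type_{htype}"), payload))
        offset += 4 + hlen
    return msgs


def build_record(ctype: int, body: bytes, version=(3, 3)) -> bytes:
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def is_well_formed(data: bytes) -> bool:
    try:
        parse_records(data)
        return True
    except ValueError:
        return False


# Constructed sample stream: a handshake record carrying a ClientHello whose payload is
# only the 2-byte version (placeholder, not a full ClientHello), then application data.
CLIENT_HELLO = bytes([1]) + (2).to_bytes(3, "big") + b"\x03\x03"
SAMPLE = build_record(22, CLIENT_HELLO) + build_record(23, b"\xde\xad\xbe\xef")
```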
In the early stages, many traditional network applications that adopted SSL, such as e-commerce, did not use its client authentication function. Outside the SSL protocol, that function was provided by combining information, such as a name/card number combination, or by other client-supplied data such as passwords. Today many enterprises adopt SSL in their data centers to implement client authentication for new applications, and SSL VPN is designed for end users with this additional authentication. Client authentication lets the server confirm the user's identity within the scope of the protocol's functions, and the client can use the same technique to authenticate the server.
Powerful SSL VPN Access Control
Compared with traditional IPSec VPN, SSL lets a company give more remote users in more locations access to more network resources, and places low demands on client devices, which reduces configuration and operational support costs. Many enterprise users adopt SSL VPN as their remote secure access technology and focus on its access control function.
SSL VPN provides enhanced remote secure access. IPSec VPN provides direct (non-proxied) access by creating a tunnel between two sites to give transparent access to the entire network; once the tunnel is created, the user's PC is effectively on the enterprise LAN. This brings many security risks, especially when users' access permissions are too broad. SSL VPN instead provides secure, proxied connections: only authenticated users can reach resources, which is much safer. SSL VPN can also split the encrypted tunnel so that end users reach the Internet and internal enterprise network resources at the same time, that is, access is controllable. In addition, SSL VPN can refine access control to grant different permissions to different users for scalable access; this precise access control is almost impossible with remote-access IPSec VPN.
SSL VPN is essentially unrestricted by access location: network resources can be reached from numerous Internet access devices and from any remote location. SSL VPN traffic is carried over the standard TCP/UDP protocols, so it can traverse all NAT devices, proxy-based firewalls, and stateful inspection firewalls. This lets users connect from anywhere, whether behind a proxy-based firewall in another company's network or over a broadband connection. IPSec VPN is difficult to deploy in even a slightly complex network structure, because firewall and NAT traversal are hard to implement and it cannot resolve IP address conflicts. In addition, SSL VPN can be used from managed enterprise devices or from unmanaged devices such as home PCs or public Internet access points, whereas IPSec VPN clients can only connect from managed or fixed devices. With growing demand for remote access, remote-access IPSec VPN is seriously challenged in access control, and its management and operational support costs are high. IPSec is the best solution for point-to-point connections, but for secure remote access from anywhere, SSL VPN is far more suitable.
Application Advantages
SSL VPN needs no complex client support, is easy to install and configure, and significantly reduces costs. IPSec VPN requires installing a specific device on the remote end user's side to establish the secure tunnel, and in many cases it is quite difficult to establish a tunnel from an external (non-enterprise-controlled) device. Such complex clients are also hard to upgrade, and new users may face further trouble, such as system operation support, time overhead, and management issues. The initial cost of an IPSec solution is low, but its operational support cost is high. Today, SSL developers can provide network-layer support for network application access, as if the remote machine were on the LAN, while also providing application-layer access for Web applications and for many client/server applications.